A friend reached out to me today asking for help on a migration project. They are using Quest (QMM) to migrate a customer's AD and Exchange and are stuck on the large effort of preparing the systems. Quest should already provide tooling to get the permissions in place quickly, but from a project-execution standpoint a proven check-list makes you more comfortable, especially when the customer wants to know exactly which changes you are making to their environment.

This is the quick check-list I consolidated in past projects; just try it. The second column of each table is left blank so the value (or completion status) can be recorded for the customer.

**Only proven on a migration from Exchange Server 2003 to Exchange Server 2010**
Domain Preparation

Source Domain Controller (xxx.com)

| Item | Value / Done |
|---|---|
| Domain Controller Host Name | |
| AD Site | |
| Domain Controller IP Address | |
| IP Setting: DNS Servers | |
| IP Setting: WINS Server | |
| Domain Controller Operating System | |
| Domain Controller Roles | |
| Domain Functional Level | |
| Forest Functional Level | |
| DNS Setting: List all available domain zones | |
| DNS Setting: Conditional Forwarders | |
| DNS Setting: Conditional Forwarders Target | |
| Zone Transfer (only transfer to the specified IP addresses) | |
| Create Secondary Zone (for the other side's domain) | |
| Secondary Zone Resolves Successfully | |
| DNS FQDN Name Ping Test (on Source SPOC DCs - xxx) | |
| FQDN Name Ping Result | |
| NetBIOS Name Resolution | |
| NetBIOS Name Ping Result | |
| Windows Server Support Tools Installed | |
| Firewall turned off for all client PCs (two Group Policy steps below) | |
| Enable GC replication and indexing for the service attributes adminDisplayName and extensionAttribute15 (schema: isMemberOfPartialAttributeSet and the index bit of searchFlags) | |

Firewall steps for the client PCs:

1. Turn off "Security Center" through Group Policy.
2. Disable the Windows Firewall service through Group Policy.

Turning off the client firewall (and, later in the list, SID filtering and RPC encryption) is a relaxation made only for the duration of the migration; record it here so it can be reverted when the migration completes.

Target Domain Controller (xxx.com)

| Item | Value / Done |
|---|---|
| Domain Controller Host Name | |
| AD Site | |
| Domain Controller IP Address | |
| IP Setting: DNS Servers | |
| IP Setting: WINS Server | |
| Domain Controller Operating System | |
| Domain Controller Roles | |
| Domain Functional Level | |
| Forest Functional Level | |
| DNS Setting: List all available domain zones | |
| DNS Setting: Conditional Forwarders | |
| DNS Setting: Conditional Forwarders Target | |
| DNS FQDN Name Ping Test (on Target SPOC DCs - xxx) | |
| FQDN Name Ping Result | |
| NetBIOS Name Resolution | |
| NetBIOS Name Ping Result | |
| Windows Server Support Tools Installed | |
| Firewall turned off for all client PCs (same two Group Policy steps as for the source) | |
| Enable GC replication and indexing for the service attributes adminDisplayName and extensionAttribute15 | |

Trust

| Item | Value / Done |
|---|---|
| Two-way Trust Done | |
| Disable SID filtering on the trust (command below) | |

SID filtering ("quarantine") strips sIDHistory from tokens crossing the trust, so it has to be off for migrated accounts to keep access through their old SIDs. The first argument is the trusting domain and `/domain:` the trusted domain; in the example the source domain johndemo.local trusts the target domain rogertech.local:

```cmd
Netdom trust johndemo.local /domain:rogertech.local /quarantine:No /usero:administrator /passwordo:Passw0rd
```

Prefer `/passwordo:*`, which makes netdom prompt for the password instead of leaving it in the command history. Re-enable SID filtering (`/quarantine:Yes`) once sIDHistory is no longer needed.
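The script below is an added example, not part of the original post or of Quest's tooling. It fills in the Domain Preparation rows for the domain the session is joined to and checks the items a script can verify: name resolution towards the other side, GC replication and indexing of the two service attributes, and the SID-filtering state of the trust. It uses .NET, ADSI and WMI only, so it runs on PowerShell 2.0 without the ActiveDirectory module; run it once on each side. `$OtherDomain` and `$OtherDc` are assumptions (the names follow the post's example domains).

```powershell
# Added example (not from the original post): collect and verify the Domain Preparation rows.
# Assumptions: $OtherDomain is the domain on the far side of the trust, $OtherDc a DC there.
$OtherDomain = 'rogertech.local'        # assumed
$OtherDc     = 'dc01.rogertech.local'   # assumed (FQDN)

$rows = New-Object System.Collections.ArrayList
function Add-Row([string]$Item, $Value) {
    [void]$rows.Add((New-Object PSObject -Property @{ Item = $Item; Value = "$Value" }))
}

# --- Domain controller inventory ----------------------------------------------------
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dc     = $domain.FindDomainController()          # the DC this session is bound to
Add-Row 'Domain Controller Host Name'        $dc.Name
Add-Row 'AD Site'                            $dc.SiteName
Add-Row 'Domain Controller IP Address'       $dc.IPAddress
Add-Row 'Domain Controller Operating System' $dc.OSVersion
Add-Row 'Domain Controller Roles'            ($dc.Roles -join ', ')
Add-Row 'Domain Functional Level'            $domain.DomainMode
Add-Row 'Forest Functional Level'            $domain.Forest.ForestMode

# DNS and WINS client settings of that DC (first IP-enabled adapter)
$nic = Get-WmiObject -ComputerName $dc.Name -Class Win32_NetworkAdapterConfiguration `
           -Filter 'IPEnabled = TRUE' | Select-Object -First 1
Add-Row 'IP Setting: DNS Servers' ($nic.DNSServerSearchOrder -join ', ')
Add-Row 'IP Setting: WINS Server' (@($nic.WINSPrimaryServer, $nic.WINSSecondaryServer) -join ', ')

# --- DNS server configuration (MicrosoftDNS_Zone WMI class on the DC) ---------------
$zoneType = @{ 0 = 'AD-integrated'; 1 = 'Primary'; 2 = 'Secondary'; 3 = 'Stub'; 4 = 'Conditional forwarder' }
$transfer = @{ 0 = 'To any server'; 1 = 'To name servers only'; 2 = 'To listed servers only'; 3 = 'Disabled' }
$zones = Get-WmiObject -ComputerName $dc.Name -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Zone |
         Where-Object { $_.Name -ne '.' }
Add-Row 'DNS Setting: List all available domain zones' `
    (($zones | ForEach-Object { "$($_.Name) [$($zoneType[[int]$_.ZoneType])]" }) -join '; ')
$forwarders = @($zones | Where-Object { $_.ZoneType -eq 4 })
Add-Row 'DNS Setting: Conditional Forwarders'        (($forwarders | ForEach-Object { $_.Name }) -join ', ')
Add-Row 'DNS Setting: Conditional Forwarders Target' (($forwarders | ForEach-Object { $_.MasterServers -join '/' }) -join ', ')
foreach ($z in $zones | Where-Object { $_.ZoneType -le 1 }) {
    # Zone Transfer row: should read "To listed servers only" with the other side's DC listed
    Add-Row "Zone Transfer ($($z.Name))" "$($transfer[[int]$z.SecureSecondaries]) $($z.SecondaryServers -join ', ')"
}

# --- Name resolution towards the other side -----------------------------------------
$netbios = $OtherDc.Split('.')[0]
Add-Row "FQDN Name Ping Result ($OtherDc)"    (Test-Connection -ComputerName $OtherDc -Count 1 -Quiet)
Add-Row "NetBIOS Name Ping Result ($netbios)" (Test-Connection -ComputerName $netbios -Count 1 -Quiet)
Add-Row 'Windows Server Support Tools Installed (netdom found)' `
    ((Get-Command netdom.exe -ErrorAction SilentlyContinue) -ne $null)

# --- GC replication and index for the service attributes ----------------------------
# isMemberOfPartialAttributeSet = replicated to the GC; searchFlags bit 0x1 = indexed
$schemaNc = [string]([ADSI]'LDAP://RootDSE').schemaNamingContext
foreach ($attr in 'adminDisplayName', 'extensionAttribute15') {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$schemaNc"
    $searcher.Filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$attr))"
    $result = $searcher.FindOne()
    $inGc   = ($result.Properties['ismemberofpartialattributeset'].Count -gt 0) -and
              [bool]$result.Properties['ismemberofpartialattributeset'][0]
    $index  = ([int]$result.Properties['searchflags'][0] -band 1) -eq 1
    Add-Row "GC replication / index: $attr" "inGC=$inGc indexed=$index"
}

# --- Trust: SID filtering (quarantine) state; netdom prints the current value when none is given
$state = & netdom trust $domain.Name "/domain:$OtherDomain" /quarantine 2>&1
Add-Row "SID filtering on trust $($domain.Name) -> $OtherDomain" (($state | Out-String).Trim())

$rows | Format-Table Item, Value -AutoSize -Wrap
```

Run it as a domain administrator on a member server or DC of each domain; the WMI queries against the DC need the firewall exception or the firewall-off state the check-list already calls for. The zone-transfer row is the one worth reading carefully: anything other than "To listed servers only" (or "Disabled" where no secondary is needed) lets any host pull the whole zone.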

Account Preparation

Single Administrative Account

Source Domain Account Preparation

| Item | Value / Done |
|---|---|
| Member of the built-in Administrators group on the source DC | |
| Full Control on the Domain partition via ADSIEdit | |
| Read on the Configuration partition via ADSIEdit | |
| Member of the Administrators group on all Exchange servers and other involved application servers | |
| Full Control permission on the OUs where the source synchronized objects are located | |
| Full Control permission on the source Exchange 2003 servers (needs the ESM Security page; registry value below) | |
| Full Control permission on the Microsoft Exchange System Objects OU | |
| Modify public folder replica list, Modify public folder deleted item retention, and Modify public folder quotas permission on the ESM administrative groups | |
| Group Policy to add <your single administrative account> to the local Administrators group on all clients (three steps below) | |

Exchange System Manager hides the Security tab on server objects by default; to grant Full Control on the Exchange 2003 servers, set this value for the administrator running ESM:

```text
Key:        HKEY_CURRENT_USER\Software\Microsoft\Exchange\ExAdmin
Value name: ShowSecurityPage
Data type:  REG_DWORD
Value data: 1
```

Group Policy steps for the local Administrators membership:

1. Create a Domain Local security group named QMMAdminGroup in the Target domain.
2. Add <your single administrative account> to QMMAdminGroup.
3. Modify the Default Domain Policy (or create a new GPO) to add QMMAdminGroup to the Administrators group on all clients.

Target Domain Account Preparation

| Item | Value / Done |
|---|---|
| Member of the built-in Administrators group on the target DC | |
| Full Control on the Domain partition via ADSIEdit | |
| Read on the Configuration partition via ADSIEdit | |
| Full Control on the Exchange organization via ADSIEdit: CN=<ExchangeOrganizationName>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<...>,DC=<...> | |
| Full Control permission on the OUs where the target synchronized objects are located | |
| Full Control permission on the Microsoft Exchange System Objects OU | |
| Full Control permission on each mailbox database and associated public folder database (commands below) | |
| Organization Management role group membership on target Exchange Server 2010 | |
| Public Folder Management role group membership on target Exchange Server 2010 | |
| Recipient Management role group membership on target Exchange Server 2010 | |
| Member of the Administrators group on all Exchange servers and other involved application servers | |
| ApplicationImpersonation role on target Exchange Server 2010 (command below) | |
| ms-Exch-EPI-May-Impersonate extended right (commands below) | |
| Group Policy to add <your single administrative account> to the local Administrators group on all clients (same three steps as for the source) | |

Commands for the target-side rows, run from the Exchange 2010 Management Shell. `-ResultSize Unlimited` is needed because `Get-Mailbox` otherwise stops at 1000 objects:

```powershell
# Full Access on every mailbox; Send-As / Receive-As on every mailbox and public folder database
Get-Mailbox -ResultSize Unlimited | Add-MailboxPermission -User <your single administrative account> -AccessRights FullAccess
Get-MailboxDatabase | Add-ADPermission -User <your single administrative account> -AccessRights GenericAll -ExtendedRights Receive-As,Send-As
Get-PublicFolderDatabase | Add-ADPermission -User <your single administrative account> -AccessRights GenericAll -ExtendedRights Receive-As,Send-As

# ApplicationImpersonation role (RBAC)
New-ManagementRoleAssignment -Name QMMAppImpersonation -Role ApplicationImpersonation -User <your single administrative account>

# Impersonation extended rights on each Client Access server and on every database
Get-ExchangeServer | Where-Object {$_.IsClientAccessServer -eq $true} | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User <your single administrative account> -ExtendedRights ms-Exch-EPI-Impersonation}
Get-MailboxDatabase | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User <your single administrative account> -ExtendedRights ms-Exch-EPI-May-Impersonate}
Get-PublicFolderDatabase | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User <your single administrative account> -ExtendedRights ms-Exch-EPI-May-Impersonate}
```

QMM Console (xxx)

| Item | Value / Done |
|---|---|
| Grant the "Log on as a service" right to <your single administrative account> via Local Security Policy | |
| Verify <your single administrative account> is a member of the local Administrators group | |
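The script below is an added example, not part of the original post or of Quest's tooling. It reads back the Target Domain Account Preparation rows that live in Exchange (role group membership, the RBAC impersonation assignment, the Send-As / Receive-As / impersonation extended rights, and a sample of the Full Access grants) for the single administrative account, so the customer gets a pass/fail list rather than a promise. Run it from the Exchange 2010 Management Shell; `$Account` is an assumption.

```powershell
# Added example (not from the original post): verify the target-side account preparation.
$Account = 'rogertech\qmmadmin'     # assumed single administrative account (domain\sAMAccountName)

$user = Get-User -Identity $Account
$rows = New-Object System.Collections.ArrayList
function Add-Row([string]$Item, $Ok) {
    [void]$rows.Add((New-Object PSObject -Property @{ Item = $Item; OK = [bool]$Ok }))
}
function Get-ExtendedRights($Dn) {
    # Names of the extended rights the account holds (allow entries only) on the object
    @(Get-ADPermission -Identity $Dn -User $Account -ErrorAction SilentlyContinue |
      Where-Object { -not $_.Deny } |
      ForEach-Object { $_.ExtendedRights } |
      ForEach-Object { $_.ToString() })
}

# Role group membership required by the check-list
foreach ($group in 'Organization Management', 'Public Folder Management', 'Recipient Management') {
    $memberDns = Get-RoleGroupMember -Identity $group -ResultSize Unlimited | ForEach-Object { $_.DistinguishedName }
    Add-Row "Member of role group '$group'" ($memberDns -contains $user.DistinguishedName)
}

# ApplicationImpersonation via RBAC
$assignment = Get-ManagementRoleAssignment -RoleAssignee $Account -Role ApplicationImpersonation -ErrorAction SilentlyContinue
Add-Row 'ApplicationImpersonation role assignment' ($assignment -ne $null)

# Extended rights on every mailbox and public folder database
foreach ($db in @(Get-MailboxDatabase) + @(Get-PublicFolderDatabase)) {
    $rights = Get-ExtendedRights $db.DistinguishedName
    foreach ($required in 'Receive-As', 'Send-As', 'ms-Exch-EPI-May-Impersonate') {
        Add-Row "$required on database '$($db.Name)'" ($rights -contains $required)
    }
}

# Impersonation right on each Client Access server
foreach ($cas in Get-ExchangeServer | Where-Object { $_.IsClientAccessServer }) {
    Add-Row "ms-Exch-EPI-Impersonation on CAS '$($cas.Name)'" `
        ((Get-ExtendedRights $cas.DistinguishedName) -contains 'ms-Exch-EPI-Impersonation')
}

# Full Access on mailboxes: a sample only, since Get-MailboxPermission over every mailbox is slow in a large org
foreach ($mbx in Get-Mailbox -ResultSize 5) {
    $full = Get-MailboxPermission -Identity $mbx.Identity -User $Account -ErrorAction SilentlyContinue |
            Where-Object { -not $_.Deny -and ("$($_.AccessRights)" -match 'FullAccess') }
    Add-Row "FullAccess on mailbox '$($mbx.Name)' (sample)" ($full -ne $null)
}

$rows | Sort-Object OK | Format-Table OK, Item -AutoSize
```

Failures sort to the top. The same output, run again after the migration, is also the list of rights to remove: the account ends up with Full Access to every mailbox and impersonation over the whole organization, which is not something to leave behind.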

Exchange Server Preparation

Source Exchange Server - 2003

| Item | Value / Done |
|---|---|
| Exchange Server Name | |
| Exchange Server IP Address | |
| IP Setting: DNS Servers | |
| IP Setting: WINS Server | |
| Existing Accepted Domains | |
| Email Redirection Target Domain SMTP namespaces | |
| Mail route SMTP namespace | |
| Smart Host Address | |
| Mailbox Access and Email Flow Verification: Default Source Domain -> Default Target Domain | |
| Mailbox Access and Email Flow Verification: Default Source Domain -> Email Redirection Target SMTP namespace | |
| Offline Address Book Download Availability | |
| Create a temporary Storage Group for synced mailbox-enabled objects: Exchange Server | |
| Temporary Storage Group: Storage Group name | |
| Temporary Storage Group: Enable "circular logging" for this storage group | |
| Temporary Storage Group: Mailbox Store name | |
| Full Backup Done | |
| Create "Aelita EMW Recycle Bin" Public Folder | |
| Create Administrator Mailboxes for Public Folder, Free/Busy and Calendar Synchronization | |
| Specify the displayName value for the source EX2K3 mailbox database via ADSIEdit (two steps below) | |
| Firewall turned off | |

Steps for the displayName value:

1. Locate CN=First Storage Group,CN=InformationStore,CN=EX2K3,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Mail,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<…>,DC=<…>
2. Copy the adminDisplayName value into the displayName attribute.

Target Exchange Server - 2010

| Item | Value / Done |
|---|---|
| Exchange Server Name | |
| Exchange Server IP Address | |
| IP Setting: DNS Servers | |
| IP Setting: WINS Server | |
| Accepted Domains: Existing Accepted Domains (related) | |
| Accepted Domains: Email Redirection Target Domain SMTP namespaces | |
| Email Address Policies | |
| Remote Domains: Add the email redirection Source Domain SMTP namespace | |
| Send Connector: Mail route SMTP namespace | |
| Send Connector: Smart Host Address | |
| Create Target Mailbox Database for migration: Database Name | |
| Target Mailbox Database: Mount Availability | |
| Target Mailbox Database: Limit configuration matching the policy | |
| Target Mailbox Database: Public Folder Database Association | |
| Target Mailbox Database: Offline Address Book Association | |
| Default Receive Connector permission group -> Anonymous | |
| Mailbox Access and Email Flow Verification: Default Target Domain -> Default Source Domain | |
| Mailbox Access and Email Flow Verification: Default Target Domain -> Email Redirection Source SMTP namespace | |
| Offline Address Book Downloading | |
| Full Backup Done | |
| Create "Aelita EMW Recycle Bin" Public Folder | |
| Create Administrator Mailboxes for Public Folder, Free/Busy and Calendar Synchronization | |
| Create a custom throttling policy for the administrative account (commands below) | |
| Install the Microsoft Exchange Server MAPI Client and Collaboration Data Objects 1.2.1, and restart the server | |
| Disable RPC encryption on the target Exchange 2010 servers (command below) | |
| Firewall turned off | |

Commands for the target-side rows, run from the Exchange 2010 Management Shell. The throttling policy removes the RPC Client Access limits that would otherwise slow the migration account; the encryption change is required because the MAPI/CDO client used by the migration tooling does not use encrypted RPC. Outlook clients are unaffected (they still encrypt by default), but set `EncryptionRequired` back to `$true` once the migration is complete:

```powershell
# Unthrottle the migration account
New-ThrottlingPolicy QMMExAccountThrottlingPolicy
Set-ThrottlingPolicy QMMExAccountThrottlingPolicy -RCAMaxConcurrency $null -RCAPercentTimeInAD $null -RCAPercentTimeInCAS $null -RCAPercentTimeInMailboxRPC $null
Set-ThrottlingPolicyAssociation -Identity <your single administrative account> -ThrottlingPolicy QMMExAccountThrottlingPolicy

# Stop requiring RPC encryption on the target server (migration only)
Set-RpcClientAccess -Server EX2010.rogertech.local -EncryptionRequired $false
```
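The script below is an added example, not part of the original post or of Quest's tooling. It reads back the Target Exchange Server - 2010 rows that the Management Shell can verify (accepted and remote domains, send connector route, the migration database and its associations, the Default Receive Connector permission groups, the recycle-bin public folder, the throttling policy and the RPC encryption setting) and, with `-Revert`, undoes the two relaxations once the migration is finished. Save it as a `.ps1` and run it from the Exchange 2010 Management Shell; `$Account`, `$Server` and `$Database` are assumptions (the server name follows the post's example).

```powershell
# Added example (not from the original post): verify the target Exchange 2010 preparation,
# or revert the migration-only settings with -Revert.
param(
    [string]$Account  = 'rogertech\qmmadmin',       # assumed single administrative account
    [string]$Server   = 'EX2010.rogertech.local',   # target Exchange 2010 server (post's example)
    [string]$Database = 'QMM Migration DB',         # assumed name of the migration mailbox database
    [switch]$Revert                                 # after migration: require encryption again, drop the policy
)
$rows = New-Object System.Collections.ArrayList
function Add-Row([string]$Item, $Status, $Detail) {
    [void]$rows.Add((New-Object PSObject -Property @{ Item = $Item; Status = $Status; Detail = "$Detail" }))
}
function Check($Condition) { if ($Condition) { 'OK' } else { 'FAIL' } }

if ($Revert) {
    Set-RpcClientAccess -Server $Server -EncryptionRequired $true
    Set-ThrottlingPolicyAssociation -Identity $Account -ThrottlingPolicy $null   # back to the default policy
    Remove-ThrottlingPolicy -Identity QMMExAccountThrottlingPolicy -Confirm:$false
}

# Recorded values (no pass/fail): accepted domains, remote domains, send connector route and smart host
Add-Row 'Accepted Domains' 'info' ((Get-AcceptedDomain | ForEach-Object { $_.DomainName }) -join ', ')
Add-Row 'Remote Domains'   'info' ((Get-RemoteDomain   | ForEach-Object { $_.DomainName }) -join ', ')
Add-Row 'Send Connectors (address space via smart host)' 'info' `
    ((Get-SendConnector | ForEach-Object { "$($_.Name): $($_.AddressSpaces -join ',') via $($_.SmartHosts -join ',')" }) -join '; ')

# Migration mailbox database: mounted, with public folder database and OAB associated
$db = Get-MailboxDatabase -Identity $Database -Status -ErrorAction SilentlyContinue
Add-Row "Migration database '$Database' mounted" (Check ($db -and $db.Mounted)) $db.Server
Add-Row 'Public Folder Database Association'    (Check ($db -and $db.PublicFolderDatabase)) $db.PublicFolderDatabase
Add-Row 'Offline Address Book Association'      (Check ($db -and $db.OfflineAddressBook)) $db.OfflineAddressBook

# Default Receive Connector must include the Anonymous permission group
$rc = Get-ReceiveConnector -Server $Server | Where-Object { $_.Name -like 'Default *' }
Add-Row 'Default Receive Connector permission group includes Anonymous' `
    (Check ("$($rc.PermissionGroups)" -match 'AnonymousUsers')) $rc.PermissionGroups

# "Aelita EMW Recycle Bin" public folder
$bin = Get-PublicFolder -Identity '\Aelita EMW Recycle Bin' -Server $Server -ErrorAction SilentlyContinue
Add-Row '"Aelita EMW Recycle Bin" public folder exists' (Check ($bin -ne $null)) $bin.Identity

# Throttling: during migration the custom policy exists with the RCA limits cleared and is
# associated with the account; after -Revert the account must be back on the default policy
$policy   = Get-ThrottlingPolicy -Identity QMMExAccountThrottlingPolicy -ErrorAction SilentlyContinue
$assoc    = Get-ThrottlingPolicyAssociation -Identity $Account
$onCustom = $assoc.ThrottlingPolicyId -and ($assoc.ThrottlingPolicyId.Name -eq 'QMMExAccountThrottlingPolicy')
if ($Revert) {
    Add-Row 'Account back on default throttling policy' (Check ((-not $onCustom) -and (-not $policy))) $assoc.ThrottlingPolicyId
} else {
    $cleared = $policy -and ($policy.RCAMaxConcurrency -eq $null) -and ($policy.RCAPercentTimeInAD -eq $null) -and
               ($policy.RCAPercentTimeInCAS -eq $null) -and ($policy.RCAPercentTimeInMailboxRPC -eq $null)
    Add-Row 'Custom throttling policy with RCA limits cleared' (Check $cleared) $policy.Name
    Add-Row 'Account associated with custom throttling policy' (Check $onCustom) $assoc.ThrottlingPolicyId
}

# RPC encryption: not required during migration (MAPI/CDO), required again after -Revert
$rca = Get-RpcClientAccess -Server $Server
Add-Row "RPC encryption required on $Server (expected $([bool]$Revert))" `
    (Check ($rca.EncryptionRequired -eq [bool]$Revert)) $rca.EncryptionRequired

$rows | Format-Table Status, Item, Detail -AutoSize -Wrap
```

Run it without `-Revert` after finishing the target-side rows and attach the output to the change record; run it with `-Revert` as the last step of the project, when the "FAIL" rows for encryption and throttling turn into the expected post-migration state. Whether the MAPI/CDO 1.2.1 package is installed is a local check on the server itself and is not covered here.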

QMM Console Preparation

| Item | Value / Done |
|---|---|
| Firewall turned off | |
| Install the Microsoft Exchange Server MAPI Client and Collaboration Data Objects 1.2.1, and restart the server | |
| Double-check that <your single administrative account> is in the local Administrators group | |

Originally posted at "https://blogs.technet.com/b/rogerliu".