Active Directory Migration 2003 to 2008 R2

A few years ago, in a past life, I performed an Active Directory migration from a 2003 functional level to 2008 R2 with ADMT 3.2, accompanied by an Exchange 2007 to 2010 migration. The only problem I ran into was that the old X500 addresses for the mailboxes aren’t migrated to the new mail system. The cached auto-complete email addresses in Outlook use the X500 address for internal emails, which caused internal-to-internal email to fail. Once the auto-complete addresses were wiped out, everything was fine and Outlook began creating new auto-complete data with correct X500 data. It’s a good thing I saved my documentation; otherwise I wouldn’t be able to post this incredibly exciting information. Domain migrations are so fun! :roll:

Best Practices for Performing Computer Migrations

Applies to: Active Directory Migration Tool 3.1 (ADMT 3.1) and ADMT 3.2

• Perform regular backups of domain controllers in both the source and target domains throughout the course of the migrations. If you are migrating computers that contain file shares to perform security translation, we recommend that you also back up those computers throughout the migration.

• Verify that workstations and member servers have restarted immediately after you join them to the target domain. The Active Directory Migration Tool (ADMT) automates the restart of workstations and member servers, but you use the “Minutes before computers restart after wizard completion” option in the Computer Migration Wizard to select the amount of time that passes before the computer is restarted. Computers that do not restart after migration are in an indeterminate state.

• Communicate to end users that their computers must be connected to the network at the time that their computer is scheduled to be migrated.

Best Practices for Rolling Back a Migration

Applies to: Active Directory Migration Tool 3.1 (ADMT 3.1) and ADMT 3.2

• Roll back user and group accounts that have been migrated between forests by enabling the accounts in the source domain (if they were disabled during the migration), verifying that the accounts have access to resources in the source domain, and then verifying that logon scripts and user profiles work as configured in the source domain.

• Roll back resources that have been migrated between forests by changing the domain membership of servers and workstations and then restarting them. Log on to the resources in the source domain to ensure that the resources are accessible.

• Roll back accounts and resources that have been migrated within a forest by migrating the objects back from the target domain to the source domain. Accounts and resources that are migrated within a forest are moved and not copied. Therefore, they do not continue to exist in the source domain.

• Decrypt files that have been encrypted by means of Encrypting File System (EFS). Failure to decrypt encrypted files will result in loss of access to encrypted files after migration. Be sure to communicate to end users that they must decrypt any encrypted files or they will lose access to those files.

Tip: Check out my repository of PowerShell scripts, including a few Exchange PowerShell scripts such as Prepare-MoveRequest.ps1.

Exchange 2010 Installation Prerequisites:

Run PowerShell elevated (as administrator) and execute:

Import-Module ServerManager
Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy,Desktop-Experience -Restart

LDIFDE (ServerManagerCmd -i RSAT-ADDS)

The start mode for the NetTcpPortSharing service needs to be Automatic:

sc config NetTcpPortSharing start= auto

2007 Office System Converter: Microsoft Filter Pack

.NET Framework 3.5 (add feature through server manager)

IIS prerequisites

Internet Information Services (IIS)
– World Wide Web service (W3SVC)
– Additional sub roles of W3SVC:
IIS 7 Basic Authentication
IIS 7 Windows Authentication
IIS 7 Digest Authentication
IIS 7 .NET Extensibility
IIS 7 Dynamic Content Compression
IIS 7 Static Content Compression
IIS 6 Metabase Compatibility
IIS 6 Management Console
Web Server (IIS) Tools
– HTTP Activation
– Windows Process Activation Service Process Model

Use a text editor to enable the MRSProxy service

You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the “Text editor” entry in the Client Access Permissions topic.

On the remote Client Access server without SP2, open the following file with a text editor such as Notepad:

<Exchange Installation Path>\V14\ClientAccess\ExchWeb\EWS\web.config

Locate the following section in the Web.config file:

<!-- Mailbox Replication Proxy Service configuration -->
<MRSProxyConfiguration IsEnabled="false" MaxMRSConnections="100" DataImportTimeout="00:01:00" />

Change the value of IsEnabled to "true".

Save and close the Web.config file.

If the server does have SP2, use the new cmdlet:

Set-WebServicesVirtualDirectory -Identity "EWS (Default Web Site)" -MRSProxyEnabled $true -MRSProxyMaxConnections 50

In the IIS management console, verify that there are entries for *.svc in the “Handler Mappings” property of the Default Web Site.

If there are none, register WCF in IIS (%windir%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe -i) and run iisreset.

Step 1 – Preparing Source and Target Domains

  1. Create a two-way external forest trust between SourceDomain.int and TargetDomain.int.
  2. To migrate computers running Windows Server 2008, Windows Server 2003, Windows Vista (without Service Pack 1), Windows XP, and Microsoft Windows 2000 (using ADMT 3.1) to a target domain with domain controllers running Windows Server 2008 R2 or Windows Server 2008, first set the following registry value on the target domain controllers:

     Registry path: HKLM\System\CurrentControlSet\Services\Netlogon\Parameters
     Registry value: AllowNT4Crypto
     Data: 1

  3. Enable auditing of success and failure for account management in the Default Domain Controllers Policy of both the source and target domain (Computer configuration|Windows settings|Security settings|Local policies|Audit policy|Audit account management).
  4. Create a GPO in the source domain (SourceDomain.int) in advance to enable the File and Printer Sharing exception on all computer objects (clients and servers).
  5. With the same GPO, add the TargetDomain.int domain admins to the local Administrators group on every client and server to help facilitate migrating the computer accounts:
     a. Computer Configuration|Windows Settings|Security Settings|Restricted Groups
     b. Right-click, choose Add Group, and enter “TargetDomain\Domain Admins”
     c. On the next screen, under ‘This group is a member of:’, click Add and type Administrators
     d. Make sure Security Filtering on this GPO is set to Authenticated Users
  6. Create a new GPO in the target domain (TargetDomain.int) to set the default logon domain (when user and computer accounts are migrated, the logon screen still points to the old domain):
     a. Server 2008/Vista/Win7: set the group policy under ‘Computer Configuration|Policies|Administrative Templates|System|Logon’ called “Assign a default domain for logon” to “TargetDomain.int”
     b. Server 2000/2003/WinXP: create the following VBScript and assign it as a computer startup script through group policy:

        ' Pre-select the target domain on the logon screen.
        ' sDomName must hold the NetBIOS name of the target domain (TargetDomain in this write-up).
        Dim sDomName
        sDomName = "TargetDomain"
        Set oWshShell = CreateObject("WScript.Shell")
        oWshShell.RegWrite "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName", sDomName

  7. Install SQL Server 2005 Express SP3 x64 on the target domain controller or member server on which you plan to install ADMT.
  8. Install ADMT 3.2 on the target domain controller or member server. Add the source domain admin account to that machine's local Administrators group:

     net localgroup administrators <source\admin> /add

     Then log on to the target ADMT box as the source domain admin to migrate computer accounts and translate security for local objects.
  9. Create the encryption key for PES on the server where ADMT is installed:

     admt key /option:create /sourcedomain:<SourceDomain> /keyfile:<KeyFilePath> /keypassword:{<password>|*}

  10. Install PES 3.1 (Password Export Service) on a source domain controller for password migration and provide the encryption key generated on the ADMT machine.
  11. If we ever need to grant users in the TargetDomain.int domain access to resources left in the SourceDomain.int domain, disable SID filtering manually on both sides of the trust:

     netdom trust source.net /domain:target.net /quarantine:no /usero:admin /passwordo:xxx
     netdom trust target.net /domain:source.net /quarantine:no /usero:admin /passwordo:xxx

  12. Recreate the OU structure in the target domain to your liking.

Step 2 – More preparation using Prepare-MoveRequest.ps1

Prepare-MoveRequest prepares the AD target object and synchronizes the attributes required for cross-forest moves to work. In order to run the New-MoveRequest cmdlet to move a mailbox from an Exchange 2003/2007/2010 source forest to an Exchange 2010 target forest, the target forest must contain a valid MEU (mail-enabled user) account with the set of AD attributes that this script creates (legacyExchangeDN, mail, mailnickname, msExchmailboxGuid, proxyAddresses, X500, targetAddress, userAccountControl, userprincipalName).

ADMT transfers Exchange attributes (e.g. homeMDB, homeMTA, showInAddressBook, msExch*), which makes the target user look like a legacy mailbox in the target domain. This leaves the target account in an invalid state (e.g. homeMDB still points to the old forest), which the Prepare-MoveRequest.ps1 script does not expect. To prevent this, exclude all Exchange attributes from ADMT except proxyAddresses.

Export a list of all user email addresses in the California and Pittsburgh OUs (or break it down by region) using dsquery; this list is what we pipe to Prepare-MoveRequest.

dsquery * "ou=Pittsburgh,ou=CompanyName,dc=SourceDomain,dc=int" -filter "(&(objectCategory=person)(objectClass=user)(mail=*))" -attr mail displayname -limit 0 > email_addresses.csv && dsquery * "ou=California,ou=CompanyName,dc=SourceDomain,dc=int" -filter "(&(objectCategory=person)(objectClass=user)(mail=*))" -attr mail displayname -limit 0 >> email_addresses.csv

Open the file in Excel and use the Text to Columns function. Remove everything except the email addresses, and change the header in row 1 from “mail” to “Identity” so the file has a single Identity column.

Copy that file to the target Exchange server and run the Prepare-MoveRequest script in EMS.

$RemoteCredentials = Get-Credential
$LocalCredentials = Get-Credential
Import-Csv email_addresses.csv | .\Prepare-MoveRequest.ps1 -RemoteForestDomainController SourceDC.SourceDomain.int -RemoteForestCredential $RemoteCredentials -LocalForestDomainController TargetDC.TargetDomain.int -LocalForestCredential $LocalCredentials -TargetMailUserOU "OU=MEU,OU=TargetDomain,DC=TargetDomain,DC=int" -Verbose -UseLocalObject -OverWriteLocalObject

That should create all users contained in the list as MEU accounts in the TargetDomain.int domain under the MEU OU.
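The dsquery export above can be turned into the Identity-only CSV that Prepare-MoveRequest.ps1 consumes without the manual Excel step. This is an added example, not code from the original post; it assumes dsquery prints a header line followed by one row per object with the mail value as the first whitespace-delimited token, and the sample lines it runs on are constructed.

```powershell
# Added example: convert "dsquery * ... -attr mail displayname" output into a CSV
# with a single Identity column for Prepare-MoveRequest.ps1.
# Assumption: the mail value is the first token on each data row (mail never contains whitespace).
function ConvertTo-MoveRequestCsv {
    param(
        [Parameter(Mandatory)] [string[]] $DsqueryLines,
        [string] $OutFile                                   # omit to only return the objects
    )
    $seen = @{}
    $rows = foreach ($line in $DsqueryLines) {
        $t = $line.Trim()
        if (-not $t) { continue }                           # blank lines
        $mail = ($t -split '\s+')[0]
        # Skip the header row ("mail") and anything that is not shaped like an address
        if ($mail -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') { continue }
        $key = $mail.ToLowerInvariant()
        if ($seen.ContainsKey($key)) { continue }           # duplicate rows from concatenated exports
        $seen[$key] = $true
        [pscustomobject]@{ Identity = $mail }
    }
    if ($OutFile -and $rows) { $rows | Export-Csv -Path $OutFile -NoTypeInformation }
    return $rows
}

# Constructed sample of dsquery output (header, two users, a blank line, one duplicate)
$sample = @(
    '  mail                         displayname'
    '  alice@SourceDomain.int       Alice Smith'
    '  bob@SourceDomain.int         Bob Jones'
    ''
    '  alice@SourceDomain.int       Alice Smith'
)
ConvertTo-MoveRequestCsv -DsqueryLines $sample -OutFile .\email_addresses.csv

# Real run: ConvertTo-MoveRequestCsv -DsqueryLines (Get-Content .\dsquery_output.txt) -OutFile .\email_addresses.csv
# then:     Import-Csv .\email_addresses.csv | .\Prepare-MoveRequest.ps1 ...
```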

Step 3 – Active Directory Migration Tool

On the machine running ADMT in the target domain, migrate objects in this sequence:

1. Service Accounts (does not actually migrate anything; it identifies the accounts)

2. Security Groups (Exclude Exch attributes)

3. Distribution Groups (Include Exch attributes)

4. Users (Exclude Exch attributes, except proxyAddresses)

5. Computer Accounts

After ADMT runs, migrated users are forced to change their passwords at first logon in the target domain. If we decide this is unnecessary, we can clear the flag for all accounts in an OU in one batch with dsmod:

dsquery * "ou=MEU,ou=TargetDomain,dc=TargetDomain,dc=int" -filter "(&(objectCategory=person)(objectClass=user)(mail=*))" | dsmod user -mustchpwd no
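Once Prepare-MoveRequest.ps1 and ADMT have populated the target accounts, it is worth confirming that each one carries the source mailbox's legacyExchangeDN as an X500 proxy address, since a missing X500 is what makes Outlook's cached auto-complete entries fail for internal recipients after the move (the problem described at the top of this post). This is an added example, not code from the original post; it assumes a source export with mail and legacyExchangeDN columns and target objects exposing mail and proxyAddresses, and the sample data it runs on is constructed.

```powershell
# Added example: report target objects whose proxyAddresses lack "X500:<source legacyExchangeDN>".
# $SourceObjects: .mail and .legacyExchangeDN, e.g. from
#   dsquery * "ou=CompanyName,dc=SourceDomain,dc=int" -filter "(mail=*)" -attr mail legacyExchangeDN
# $TargetObjects: .mail and .proxyAddresses (string array)
function Get-MissingX500 {
    param(
        [Parameter(Mandatory)] [object[]] $SourceObjects,
        [Parameter(Mandatory)] [object[]] $TargetObjects
    )
    $targetByMail = @{}
    foreach ($t in $TargetObjects) { $targetByMail[$t.mail.ToLowerInvariant()] = $t }

    foreach ($s in $SourceObjects) {
        $wanted = "X500:$($s.legacyExchangeDN)"
        $t = $targetByMail[$s.mail.ToLowerInvariant()]
        if (-not $t) {
            [pscustomobject]@{ Mail = $s.mail; Status = 'NoTargetObject'; Expected = $wanted }
        }
        elseif (@($t.proxyAddresses) -notcontains $wanted) {   # -contains compares case-insensitively
            [pscustomobject]@{ Mail = $s.mail; Status = 'MissingX500'; Expected = $wanted }
        }
    }
}

# Constructed sample: alice's MEU has its X500 address, bob's does not
$source = @(
    [pscustomobject]@{ mail = 'alice@TargetDomain.net'; legacyExchangeDN = '/o=SourceOrg/ou=First Administrative Group/cn=Recipients/cn=alice' }
    [pscustomobject]@{ mail = 'bob@TargetDomain.net';   legacyExchangeDN = '/o=SourceOrg/ou=First Administrative Group/cn=Recipients/cn=bob' }
)
$target = @(
    [pscustomobject]@{ mail = 'alice@TargetDomain.net'; proxyAddresses = @('SMTP:alice@TargetDomain.net', 'X500:/o=SourceOrg/ou=First Administrative Group/cn=Recipients/cn=alice') }
    [pscustomobject]@{ mail = 'bob@TargetDomain.net';   proxyAddresses = @('SMTP:bob@TargetDomain.net') }
)
Get-MissingX500 -SourceObjects $source -TargetObjects $target | Format-Table -AutoSize

# Against the real target forest (Exchange Management Shell), build $target from the MEU OU:
#   $target = Get-MailUser -ResultSize Unlimited -OrganizationalUnit 'OU=MEU,OU=TargetDomain,DC=TargetDomain,DC=int' |
#       Select-Object @{ n = 'mail'; e = { $_.PrimarySmtpAddress.ToString() } },
#                     @{ n = 'proxyAddresses'; e = { @($_.EmailAddresses | ForEach-Object { $_.ToString() }) } }
```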

Step 4 – Mailbox Migration


Export the Pittsburgh addresses from the source domain:

dsquery * "ou=Pittsburgh,ou=CompanyName,dc=SourceDomain,dc=int" -filter "(&(objectCategory=person)(objectClass=user)(mail=*))" -attr mail displayname -limit 0 > PGH_email_addresses.csv

Create the Pittsburgh MEU accounts in the target domain and clear the must-change-password flag on them:

$RemoteCredentials = Get-Credential
$LocalCredentials = Get-Credential
Import-Csv PGH_email_addresses.csv | .\Prepare-MoveRequest.ps1 -RemoteForestDomainController SourceDC.SourceDomain.int -RemoteForestCredential $RemoteCredentials -LocalForestDomainController TargetDC.TargetDomain.int -LocalForestCredential $LocalCredentials -TargetMailUserOU "OU=Users,OU=Pittsburgh,OU=TargetDomain,DC=TargetDomain,DC=int" -Verbose -UseLocalObject -OverWriteLocalObject

dsquery * "ou=MEU,ou=Users,ou=Pittsburgh,ou=TargetDomain,dc=TargetDomain,dc=int" -filter "(&(objectCategory=person)(objectClass=user))" | dsmod user -mustchpwd no

Repeat for California:

dsquery * "ou=California,ou=CompanyName,dc=SourceDomain,dc=int" -filter "(&(objectCategory=person)(objectClass=user)(mail=*))" -attr mail displayname -limit 0 > CA_email_addresses.csv

$RemoteCredentials = Get-Credential
$LocalCredentials = Get-Credential
Import-Csv CA_email_addresses.csv | .\Prepare-MoveRequest.ps1 -RemoteForestDomainController SourceDC.SourceDomain.int -RemoteForestCredential $RemoteCredentials -LocalForestDomainController TargetDC.TargetDomain.int -LocalForestCredential $LocalCredentials -TargetMailUserOU "OU=MEU,OU=Users,OU=California,OU=TargetDomain,DC=TargetDomain,DC=int" -Verbose

dsquery * "ou=MEU,ou=Users,ou=California,ou=TargetDomain,dc=TargetDomain,dc=int" -filter "(&(objectCategory=person)(objectClass=user))" | dsmod user -mustchpwd no
dsquery * "ou=Users,ou=Clients,ou=TargetDomain,dc=TargetDomain,dc=int" -filter "(&(objectCategory=person)(objectClass=user))" -limit 0 | dsmod user -mustchpwd no -canchpwd no -pwdneverexpires yes

Move a single test mailbox first (cross-forest moves use the -Remote switch, as in the commands below):

$RemoteCredentials = Get-Credential
New-MoveRequest -Identity 'test@TargetDomain.net' -Remote -TargetDatabase "Mailbox Database 1 (A-M)" -RemoteHostName 'OldMailServer.SourceDomain.int' -RemoteCredential $RemoteCredentials -TargetDeliveryDomain 'TargetDomain.net'

Then move mailboxes in batches from CSV files (one Identity per row; when piping, -Identity comes from the pipeline and is not passed on the command line):

$RemoteCredentials = Get-Credential
Import-Csv A-M.csv | New-MoveRequest -Remote -TargetDatabase "Mailbox Database 1 (A-M)" -RemoteHostName 'OldMailServer.SourceDomain.int' -RemoteCredential $RemoteCredentials -TargetDeliveryDomain 'TargetDomain.net'

$RemoteCredentials = Get-Credential
New-MoveRequest -Identity 'cleister@TargetDomain.net' -Remote -TargetDatabase "Mailbox Database 2 (N-Z)" -RemoteHostName 'OldMailServer.SourceDomain.int' -RemoteCredential $RemoteCredentials -TargetDeliveryDomain 'TargetDomain.net'

Import-Csv N-Z.csv | New-MoveRequest -Remote -TargetDatabase "Mailbox Database 2 (N-Z)" -RemoteHostName 'OldMailServer.SourceDomain.int' -RemoteCredential $RemoteCredentials -TargetDeliveryDomain 'TargetDomain.net'

Import-Csv N-Z-2.csv | New-MoveRequest -Remote -TargetDatabase "Mailbox Database 2 (N-Z)" -RemoteHostName 'OldMailServer.SourceDomain.int' -RemoteCredential $RemoteCredentials -TargetDeliveryDomain 'TargetDomain.net'

New-MoveRequest -Identity JAccount@TargetDomain.net -Remote -TargetDatabase "System Mailbox Database" -RemoteHostName 'OldMailServer.SourceDomain.int' -RemoteCredential $RemoteCredentials -TargetDeliveryDomain 'TargetDomain.net'