catomax (ASKER) asked:

How to migrate a LOCAL user account to another domain

OK, our company is switching names, and also domains. A little background info:

- Currently using a Server 2003 Mail Server/DC running Exchange 2003 (being demoted and replaced with Server 2008 running Exchange 2010).
- The domain is completely changing, so all users are having their mailboxes migrated/recreated (have not got a concrete method for that yet).

What I am trying to figure out (and test while I have a similar environment to test in) is how to get the user's profile working.

I have a user's computer, which obviously had a user account linked to the first domain xx.com. I have recreated his mailbox in the new domain xx.co.uk, but I cannot access his stuff under Documents and Settings; it has just created a new file called user.XX with the new domain suffixing the name. I cannot change the name of the old one to match.

Is there a way I can simply change the name of the user profile to get it working, or is this not possible? It seems like this is not such a rare thing to happen; we are changing the company name and thus need to change all the other stuff.

Any help would be much appreciated.

Thanks.
johnb6767

Rebuild the profile; it is the cleanest method, which involves NOT bringing over any unneeded folders, which could have settings linked to the other domain.

Email/Docs/Favorites/etc. Don't just blanket copy a profile from a domain user to another domain user.

If you need help getting specifics, that's no problem. I'd rather help you with that.

There are things like USMT which help to script the process, but you will benefit in the long run from a clean profile build.
xylog

You might want to check out the Active Directory Migration Tool, or ADMT. It can automate moves of this type to a large degree, but there is some initial investment in setting the whole thing up, so it only makes sense for a batch of moves involving multiple users and machines.
ASKER CERTIFIED SOLUTION
JuusoConnecta

This solution is only available to members.
catomax (ASKER)

JuusoConnecta, that is pretty succinct, if I do say so!

A couple of questions then:
1. What is the convention when using credentials in PowerShell? E.g. would I type:
"RemoteCredential Administrator [password]"? I am not sure about that.

Does this affect the original mailbox? Will it continue working during and after the migration has happened?

Thanks.
JuusoConnecta

To answer your question:

You need to supply credentials of a user account who has domain rights (like the built-in administrator account), in order to have the rights to get all the attributes of a user and create the user in the new domain (that is what the script does, among other things).

You can try in Exchange Management Shell just by typing: $localcredentials = Get-Credential
Now a window will open asking for a username and password; here type in the domain\user account and the password for that account.

When you supply your credentials in Exchange Management Shell, those credentials are only valid for that "PowerShell session"; in other words, if you close down EMS and start it up again you will need to supply new credentials.


##Does this affect the original mailbox? Will it continue working during and after the migration has happened?##

- The original mailbox will be gone, moved to the new Exchange server, and is fully functional.
- Once you've run the script against a user and migrated his mailbox, the user's mail attributes will show like an "external contact".
It's a bit difficult to explain the graphic view; I suggest you try to migrate and see for yourself =).

Feel free to ask any more questions and I'll try answering,

Cheers!
catomax (ASKER)

Thanks JuusoConnecta, very helpful. I will try this on a test account and see how it goes.
JuusoConnecta

Let me know how it goes!

Cheers
catomax (ASKER)

Hmm, I may have done something bad...

When trying to create a two-way trust I am only given the option to create a Realm Trust or a Trust with a Windows Domain; is this correct?
In the guide I am reading (link posted below), it says that if the 'Forest Trust' option is missing I need to double-check my DNS forwarders and my domain functional levels.

I can say with confidence that the functional levels of the two forests are very different: one is 2003 and the other is 2008 R2. I am not sure what it means about DNS forwarders either; I know what they are, but I am not sure what I am supposed to check.

Please can you shed some light on this?

Thanks.

https://www.experts-exchange.com/questions/23805633/How-to-setup-domain-trust-between-Windows-2008-and-2003-server.html
it mentions at
JuusoConnecta

Catomax,

See the TechNet article instead: http://technet.microsoft.com/en-us/library/cc778851(WS.10).aspx

Also some info: http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/57dd9ec2-a888-4e0a-a8f4-f6707e72c051

Forgive me for not giving you better instructions at the moment; I am leaving work just about now, will check on this tomorrow.
catomax (ASKER)

Thanks JuusoConnecta,

I read through these last night and tried to find the answer to what I was looking for, and they have dispelled one worry, which was that I had messed it up. I know now that it is possible, but I can't figure out what or where I am supposed to put in the DNS entries.
I will keep looking, but your input has been invaluable so far, so more would be much appreciated.

Thanks.
JuusoConnecta

Each domain needs to be able to resolve AD resources of the other domain; therefore trusts must be created between the two root servers in each forest.

Regarding your DNS, this is what you should do:
On both domains open your DNS server snap-in -> right-click the server name and click Properties -> click on the Forwarders tab -> select the New button and add the domain of your trusted domain (domainA.local, for example) -> in the forwarding IP box at the bottom add the IP address of your DNS server on domainA.local.
Do the exact same procedure in the other domain as well. After this you'll need some time to let the DNS servers sync.

I'll post two links here as well for additional guidance, since at the moment I'm unable to provide any attachments of what it should look like.

https://www.experts-exchange.com/questions/21480321/How-can-I-Backup-the-DNS-and-Restore-it.html

https://www.experts-exchange.com/questions/23581718/DNS-configuration-help-forest-trust.html?sfQueryTermInfo=1+10+30+dn+trust+two+wai
catomax (ASKER)

JuusoConnecta,

I am running into a small problem; I am getting an error that says "Error looking up local OU, Error Msg: Cannot find specified OU or Container: OU=Users,DC=xxxx,DC=com".

The user is definitely to be moved to the Users folder; am I missing something?

Thanks.
JuusoConnecta

When are you receiving this message? Is it when you're running the script?

If yes, you will need to specify your own OU in your Active Directory (the Active Directory in your new domain).
catomax (ASKER)

Yep, when I run the script.

What do you mean by specify my own OU?
JuusoConnecta

When running the preparemoverequest.ps1 and the command line afterwards:

At the end, -TargetMailUserOU, you need to specify an OU in your Active Directory (the Active Directory in your new domain); this is where the user account will be created/replicated to.

For example, in one of my cross-forest migrations this was the OU path where I wanted the accounts to be created/replicated:
-TargetMailUserOU "OU=Stockholm,OU=Accounts,OU=Users,DC=InternalDomainName,DC=dom"
with the Stockholm OU (Organizational Unit) being the "last/deepest" where I wanted my users.
catomax (ASKER)

Jusso,

I think I see the problem: the Users folder is a container instead of an Organizational Unit in AD. I cannot find the code for replacing "OU=Users" with "[Container]=Users". Is there such a thing, or am I barking up the wrong tree?

Thanks.
JuusoConnecta

Catomax,

I have only moved users to OUs; I have basic/good PowerShell skills.

Can you try using the syntax CN=ContainerName and see if it works?
(I have never defined an AD object container in a PowerShell script before.)

Cheers
catomax (ASKER)

Thanks Juuso, I tried using CN and still get the same error. I am a little confused, as when I go through the script you gave me (which I am very grateful for!) it all makes sense; if I use OU or CN it comes up with the same message "Error Looking up local OU...Cannot Find Specified OU or Container: [OU/CN],DC=xxx,DC=com at C:\preparemoverequest\prepare-MoveRequest.ps1:1097 Char:14".

Should I be trying to run the PS1 from another location? The Users container is at the most basic level and has not been edited since creation, so I can't see why this would not work.

Sorry to be a pain; this has been so helpful!

Thanks.
catomax (ASKER)

I know, I will attach an image of the error just so you can see if I have made some really obvious mistake. You say you have basic/good PowerShell skills; I have none!

Thanks
Moverequest-Error.pdf
JuusoConnecta

No worries, this is no pain at all!
First, I can assure you that the script is working fine; I located line 1097 char 14 and it is only an error message in the script, which it will provide if the parameters in the script do not correspond properly.

I think there is an error in your command at the end.
Can you create a new OU in your AD and target that one instead, so the end syntax would be: -TargetMailUserOU "OU=NewOU,OU=Users,DC=InternalDomainName,DC=dom"

(You should use the OU and not the CN; I think I misunderstood your previous comment regarding this.)


One question also: do you have any subdomains? If yes, your Exchange server is most likely installed on the root domain (or in some cases the subdomain); if you're planning to migrate the users to an OU in a subdomain, you need to define the whole subdomain.
Example: if your internal domain name is contoso.com and you want to migrate the users to a subdomain called office, the syntax would be
DC=office,DC=contoso,DC=com


(Just another note: these all must be the internal domain names. Example: if you have a domain called contoso.com but the actual internal name is contoso.local, then the command should be: "DC=contoso,DC=local".)

Keep me posted! Cheers!
catomax (ASKER)

OK, but my question would then be: is that OK to do with Exchange installed and running?

There are already some users in the container Users, and it is where they are put by default when I add a new account in Exchange.
JuusoConnecta

##ok, but my question would then be, is that ok to do with exchange installed and running?## <-- I didn't quite understand what you meant by this, sorry...


You can create, like I mentioned, an OU, then just move the users to the container that you want after they have been migrated,

Cheers
catomax (ASKER)

Ah!
OK, cool, I was just concerned that if I created an OU, then in the future Exchange would be trying to access things in the other container. That is cool; I will try that and let you know what happens! BTW, whether this gets done or not the points are all yours; I just have more questions!
JuusoConnecta

Keep on asking, and I'll keep on trying to answer =],

It does not really matter, because Exchange mailboxes are located inside the Exchange server; they simply need to get attached to an AD object, for example and in most cases a user account.

catomax (ASKER)

YEAH!!!!

OK, 1 mailbox ready to move!!!

You rock!
JuusoConnecta

Great work!

Now run the following in EMS: New-MoveRequest -Identity firstname.lastname -RemoteLegacy -TargetDatabase "Mailbox Database Name" -RemoteGlobalCatalog DomainControllerNameInRemoteForest -RemoteCredential $RemoteCredentials -TargetDeliveryDomain "yourdomain.com"

When you run this you will get some warnings; you can ignore these, since the script will automatically try to add the newly created user account to the same Security Groups and Distribution Lists as the user account in the old domain (if they have the same name).

After you've run this you can go to Exchange Management Console -> Recipient Configuration -> Move Requests and see the status of the mailboxes that are being moved. Also, if you click on them you can see the % left of the mailbox move.
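The Prepare-MoveRequest.ps1 step from earlier in the thread and the New-MoveRequest command above, collected into one Exchange Management Shell script with the pre-checks that would have caught the "Cannot find specified OU or Container" error. This is an added example, not JuusoConnecta's script; it assumes Exchange 2010's $exscripts variable, and the domain names, DC names, OU path, database name and user identities are placeholders to replace.

```powershell
# Added example: cross-forest mailbox move, run from the Exchange 2010
# Management Shell in the NEW forest. All names below are placeholders.
$RemoteDC   = "dc01.olddomain.local"            # DC / global catalog in the OLD forest
$LocalDC    = "dc01.newdomain.local"            # DC in the NEW forest
$TargetOU   = "OU=Test,DC=newdomain,DC=local"   # must be an OU, not the CN=Users container
$TargetDB   = "Mailbox Database 0712345678"     # full name, quoted
$TargetSmtp = "newdomain.com"                   # authoritative accepted domain in the new org
$Users      = @("transfer.test")                # identities to move (alias, UPN or SMTP address)

# Credentials are prompted for and exist only in this shell session; passwords are
# never written into the script or the command history.
Write-Host "Enter an OLD forest account with domain admin rights (olddomain\user):"
$RemoteCred = Get-Credential
Write-Host "Enter a NEW forest account with domain admin rights (newdomain\user):"
$LocalCred  = Get-Credential

# Pre-flight 1: the target must be an organizational unit that actually exists.
# The thread's error came from pointing at the default Users container (CN=Users),
# which is a container, not an OU, so -TargetMailUserOU cannot use it.
if ($TargetOU -notmatch '^OU=') {
    throw "TargetMailUserOU must start with OU=, got: $TargetOU"
}
if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$LocalDC/$TargetOU")) {
    throw "Target OU does not exist in the new forest: $TargetOU"
}

# Pre-flight 2: the old-forest DC must resolve from here; if it does not, the
# conditional forwarders for the trusted domain are not in place yet.
try   { [System.Net.Dns]::GetHostAddresses($RemoteDC) | Out-Null }
catch { throw "Cannot resolve $RemoteDC - check DNS forwarders for the old domain" }

# Pre-flight 3: the target mailbox database must exist in the new organization.
if (-not (Get-MailboxDatabase -Identity $TargetDB -ErrorAction SilentlyContinue)) {
    throw "Mailbox database not found: $TargetDB"
}

foreach ($u in $Users) {
    # Step 1: replicate the user's AD attributes into the new forest as a mail-enabled
    # user in $TargetOU. This is the step that reports "1 mailbox(s) ready to move".
    & "$exscripts\Prepare-MoveRequest.ps1" -Identity $u `
        -RemoteForestDomainController $RemoteDC -RemoteForestCredential $RemoteCred `
        -LocalForestDomainController  $LocalDC  -LocalForestCredential  $LocalCred `
        -TargetMailUserOU $TargetOU -Verbose

    # Step 2: pull the mailbox content from the legacy (Exchange 2003) server.
    New-MoveRequest -Identity $u -RemoteLegacy -TargetDatabase $TargetDB `
        -RemoteGlobalCatalog $RemoteDC -RemoteCredential $RemoteCred `
        -TargetDeliveryDomain $TargetSmtp
}

# Progress check, the shell equivalent of EMC -> Recipient Configuration -> Move Request.
Get-MoveRequest | Get-MoveRequestStatistics |
    Select-Object DisplayName, Status, PercentComplete, TotalMailboxSize
```

Run it first against a single test user, as the thread does, before feeding it the full list of accounts.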
catomax (ASKER)

Just a quickie: what effect does this have on the original mailbox as a whole?

If I understand correctly it will remove the user's mailbox from the original server, but will the whole Mailbox (i.e. all the other users) be affected at all?

I am running this on a mail server that is in very high use, and don't want to suddenly find out that while this is happening all other users' mailboxes will be stopped.
catomax (ASKER)

Also,

With the first line, in which there is '-identity firstname.lastname', am I adding the user's name in there?

The 'mailbox Database name': is that the name of the mailbox database on the new server? (It is Mailbox Database 071xxxxx38; would that be what I enter into the command, or just the long number?)

Thanks.
JuusoConnecta

##Just a quickie: what effect does this have on the original mailbox as a whole?##
No effect; the user's mailbox is migrated from one Exchange server to the other Exchange server with all of its mailbox attributes.



##If I understand correctly it will remove the user's mailbox from the original server, but will the whole Mailbox (i.e. all the other users) be affected at all?##

You understood it correctly. A connection that will break is if a user has rights to another user's mailbox (send as, send on behalf of, or full mailbox rights); this will break since at one point one user will be in Forest A and the other user will be in Forest B, and during this time the connection regarding mailbox rights will be broken. However, once the other user is migrated, and this is due to the script, mailbox rights will be stored.



##I am running this on a mail server that is in very high use, and don't want to suddenly find out that while this is happening all other users' mailboxes will be stopped.##

An effect that will impact some users intermittently is something called the .NK2 file (which is a caching file located on each user's client computer, which Outlook uses). Once users have been migrated and try sending mails to each other (internally), they might receive an "Undeliverable" message. This is because, as you know, when you start a new message and begin entering a name in the "To" field, one or several names pop up (this is from the NK2 caching file); when they choose the name from that file, intermittently some users may receive an "Undeliverable" message. To resolve this issue the user will need to choose the name from the Global Address List (only once) and it will be recached into the NK2 file. (Also NOTE: this will only affect users sending mails to other users within your organization.)



##With the first line, in which there is '-identity firstname.lastname', am I adding the user's name in there?##

Yes



##The 'mailbox Database name': is that the name of the mailbox database on the new server? (It is Mailbox Database 071xxxxx38; would that be what I enter into the command, or just the long number?)##

Yes (also remember the "" before and after the mailbox database name =] ).
catomax (ASKER)

Awesome answer! Thanks very much!

Attempting now!!...
catomax (ASKER)

Hmm, it is coming up with an error saying that the user object could not be found on the DC; I have looked myself and I can't find it either!

"in the last step it finished with saying 1 Mailbox(s) ready to move."

But it does not seem to have created anything in the new DC; should it have? Or have I missed a step? I went straight from the last command that we solved today to the one that I am asking questions about now.

Thanks.
JuusoConnecta

##When you receive: "in the last step it finished with saying 1 Mailbox(s) ready to move."##
It means the user account should have been replicated to the OU that you specified in that command; are you unable to locate it?


##Hmm, it is coming up with an error saying that the user object could not be found on the DC; I have looked myself and I can't find it either!##
When you run: New-MoveRequest -Identity firstname.lastname -RemoteLegacy -TargetDatabase "Mailbox Database Name" -RemoteGlobalCatalog DomainControllerNameInRemoteForest -RemoteCredential $RemoteCredentials -TargetDeliveryDomain "yourdomain.com"
Can you, instead of firstname.lastname, put firstname.lastname@yourdomain.com?


But primarily we need to find where the user account is located, and it should be in the new forest since you got the message:
1 Mailbox(s) ready to move.
catomax (ASKER)

Here is a sudden thought:

The original domain and the new one are completely different: the name is changed, the structure is different. Should that make any difference?
JuusoConnecta

It doesn't matter if the structure is different, since we are only targeting certain attributes of the AD object. The user name should be the same, but since the domain names are different I think we need to do the following:

- First locate the account that was created when you ran the first command.
- Create a new accepted domain in EMC: this needs to be an Authoritative Domain (E-mail is delivered to a recipient in this Exchange organization); see the screenshot http://www.petri.co.il/images/accepted_domains_1.gif
- Go to Exchange Management Console -> Organization Configuration -> create a new email policy that applies to the OU where the new user account was created.
- Add (for now) two email addresses: one for your new domain, firstname.lastname@yournewdomain.com (you can try running the second command again; if that does not work, add a second email address to the same policy: firstname.lastname@yourolddomain.com).

Hope you are following this!
catomax (ASKER)

Just to throw in a little more confusion (I have not fully studied the last post yet), the two domains are connected semi-physically.

We have a firewall for each domain and an Ethernet cable linking the two.

Don't know if this will screw things up?
catomax (ASKER)

AHA!
OK, I have found the user account; it is in the Test OU (the one I created). It is a mail contact, which I am pretty sure you said it would be at the beginning of this epic thread.

I tried running the previous thing you said first (changing from first.last to first.last@domain.com) and it did the same; when I used the alias ((firstname)(lastinitial)@domain.com) it encountered one hell of an error!

Let me show you; it's attached.
New-Moverequest.pdf
catomax (ASKER)

OK,

Just trying to go through the steps (not quite following :)

##- First locate the account that was created when you ran the first command.## - DONE

##- Create a new accepted domain in EMC: this needs to be an Authoritative Domain (E-mail is delivered to a recipient in this Exchange organization); see the screenshot http://www.petri.co.il/images/accepted_domains_1.gif##
Should I be creating an authoritative domain of the old domain, or just make one up?


##- Go to Exchange Management Console -> Organization Configuration -> create a new email policy that applies to the OU where the new user account was created.##
In Exchange 2010 the email policy editor is not here; I am sure I can find it in no time, but I am not sure what the policy should do?

##- Add (for now) two email addresses: one for your new domain, firstname.lastname@yournewdomain.com (you can try running the second command again; if that does not work, add a second email address to the same policy: firstname.lastname@yourolddomain.com).##
Have not got to this one yet.

##Hope you are following this!##
Er...

JuusoConnecta

Good that you found the user account, but it shouldn't be a mail contact; it should be a user account...

Let's back up a bit: when you ran the first command that I supplied and you received the message "1 mailbox ready to be moved", did you target a user in the "old" domain that was a user account?

If you create a test user in the old domain with a mailbox and try running the preparemoverequest.ps1 script against that test user, what happens?

I want to make sure everything is in order before we go any further.


##Just to throw in a little more confusion (I have not fully studied the last post yet), the two domains are connected semi-physically.##

They are still two different forests with a two-way trust, so you should be good =]

I'm about to leave work for today; will look at this later when I'm home.

You can read a bit more on this at: http://technet.microsoft.com/en-us/library/ee861103.aspx


Cheers!
JuusoConnecta

##Should I be creating an authoritative domain of the old domain, or just make one up?##

Create an authoritative domain with the domain name of your new domain.



Regarding creating an email address policy, see the screenshot:

http://www.servolutions.com/images/exchange2007_address_policies.png



In order to create an email policy that applies to users, the actual domain name of the email policy needs to be an accepted domain.


I'll take a look at this later!
catomax (ASKER)

Thanks Juuso!

I have created the email policy, but still to no avail.

I am sure I targeted the right user, but I will create a test account and see what happens.

Thanks.
catomax (ASKER)

Out of interest, BTW, where are you? Globally, that is.

Just thought, as we have been talking so much, I may as well ask!
catomax (ASKER)

Just had a thought: the only accounts on the new Exchange account that are 'Mail Users' are the ones I created using the script.

All other accounts are User Mailboxes, and the Mail Users are stored in the Mail Contacts section.

Just tried changing the script from
"TargetMailUserOU "OU...com""
to
"TargetUserMailboxOU...."

but that did not work.

I created a user on the old domain called "Transfer Test" and when I ran the script it did the exact same thing: it would not let me put it in the Users OU, saying it could not find it. Then, when I changed it to go into the temporary OU, it worked fine. But the second script has the exact same effects; it does not work when using:

"Transfer Test"
"Transfer.Test"
and throws a massive error when trying to use
"Transfert" (the naming convention on old and new server)

Confused.com!
JuusoConnecta

I'm located in Sweden, more specifically in Stockholm.

At the moment I must admit I'm a bit lost; I've used the script a bunch of times when doing cross-forest migrations and never had this kind of issue =].

When you created Transfer Test on the old domain and used the script, did you receive a message saying "1 mailbox is ready to move"?

Also, if you locate the temporary OU in the new domain (where you targeted the Transfer Test account to be replicated), can you take a screenshot of that account (in the new domain)?

Sorry for the late answer; I'm at home at the moment and ready to go to bed, will continue with this tomorrow!
catomax (ASKER)

No problem,

I will give you a screenshot that contains everything. At the bottom of page 1 you can see the command that was run, and at the top is the Exchange Management Console with the Mail Contacts folder open.
On the second page is the AD Users and Computers window with the 'Test' OU open; you can see the users have been moved into AD as full users but into Exchange as Mail Contacts...
Sorry to confuse you so early in the morning!
Everything.pdf
catomax (ASKER)

AHHH!!! Wait!

I just noticed this!!!

The first image is the old domain, the second is the new. Look at the trust type!

I screwed up!!
Could this be the cause of it all?
Trust-Types.pdf
JuusoConnecta

From what I can see your trust looks solid (example: http://thelazydev.com/images/ds/admt-1-trust.jpg).

I would like to proceed the following way:

- Delete the mail contact that was created in EMC.
- Create the accepted domains that I mentioned (one for your old domain prefix and one for your new domain).
- Create an email policy that applies to the testing OU (that email policy should include both the old domain email and the new one).

I will explain the more technical details as we go further on, but we will primarily need to get a successful test migration for the test user first.
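The three steps above (remove the stale mail contact, add both accepted domains, scope an address policy to the test OU) as Exchange 2010 Management Shell commands. This is an added example, not from the thread; olddomain.com, newdomain.com, the Test OU path and the contact name are placeholders, and the policy name is my own.

```powershell
# Added example: Exchange 2010 Management Shell in the NEW forest. Placeholders throughout.
$OldDomain    = "olddomain.com"
$NewDomain    = "newdomain.com"
$TestOU       = "OU=Test,DC=newdomain,DC=local"
$StaleContact = "Transfer Test"   # mail contact left behind by the failed attempt

# Step 1: remove the mail contact so the replicated user object can own the addresses.
# (Two recipients with the same SMTP address would otherwise conflict.)
$contact = Get-MailContact -Identity $StaleContact -ErrorAction SilentlyContinue
if ($contact) {
    Remove-MailContact -Identity $contact.Identity -Confirm:$false
}

# Step 2: both SMTP domains must be accepted domains before a policy can stamp them.
# Authoritative means this Exchange organization delivers mail for the domain locally.
foreach ($d in @($OldDomain, $NewDomain)) {
    if (-not (Get-AcceptedDomain -Identity $d -ErrorAction SilentlyContinue)) {
        New-AcceptedDomain -Name $d -DomainName $d -DomainType Authoritative
    }
}

# Step 3: an address policy scoped to the test OU only, so it cannot re-stamp the
# rest of the organization. %g.%s expands to firstname.lastname; upper-case "SMTP:"
# marks the primary (reply) address, lower-case "smtp:" a secondary one.
$PolicyName = "Migrated users (Test OU)"
if (-not (Get-EmailAddressPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-EmailAddressPolicy -Name $PolicyName `
        -RecipientContainer $TestOU `
        -IncludedRecipients AllRecipients `
        -EnabledEmailAddressTemplates "SMTP:%g.%s@$NewDomain", "smtp:%g.%s@$OldDomain" `
        -Priority 1
}
# A policy is only stamped onto recipients when it is applied.
Update-EmailAddressPolicy -Identity $PolicyName

# Verify: the replicated object in the test OU should now be a MailUser (not a
# MailContact) carrying both addresses before New-MoveRequest is run against it.
Get-Recipient -OrganizationalUnit $TestOU |
    Select-Object Name, RecipientType, PrimarySmtpAddress, EmailAddresses
```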
catomax (ASKER)

OK, now I have created the policies, but should I change it to be (firstname)(lastinitial), as is in both domains?

They are currently set as you mentioned earlier, with (firstname)(lastname); or is this OK to leave as is?

Testing now.
catomax (ASKER)

AHAHHAHA!!!!!!


I have found this!!
http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/31af1f7f-4869-4199-9d3f-904e83d0c7d5

I followed the steps and now it has moved Transfer Test from Mail Contacts to the mailbox folder!!!!!

OH YEAH!!!
JuusoConnecta

OK, so you have now successfully replicated the user account and migrated the user's mailbox to the new domain? =]
catomax (ASKER)

It seems that way...

I will try moving the original user across now and see what happens...
JuusoConnecta

Catomax, great to hear that you've gotten this working now!

- Furthermore, how many users will you be migrating?
- Will the new forest domain have its own "public domain name"? Or will it use the same public domain name as the old one?
- Depending on the above, you will need to configure your MX records on your external DNS (if you have not done so already).
catomax (ASKER)

Thanks Juuso, that is all taken care of.

It will be a new public domain name (well, 2 actually). For the larger company I will be transferring about 30-40 accounts, which will be a hell of a job, but it looks like it will work nicely!

Thank you so much for all your help. Is there any way I can contact you in the future? (Sorry to sound cheeky, but you have been the most helpful Expert yet!)

Thanks!
JuusoConnecta

Great news that all of that has been taken care of already.

You can see my contact information on my profile:
juuso.sillanpaa@techta.se or juuso.sillanpaa@connecta.se

Let me know if there's anything more that I can assist with =]

Cheers
catomax (ASKER)

Thanks Juuso!

Last question then: is it possible to do this and keep the old mailbox active?
JuusoConnecta

No, the mailbox is moved to the new domain.

Once you've done this for a test user, go back to the test user's domain account in the old domain and look for the Exchange menus under his/her account. You will see that these menus have now changed to more or less like an "external contact".
catomax (ASKER)

Fantastic! Thanks for all your help!
JuusoConnecta

No problem,

Cheers!