using Move2Mailbox when forests have same name...
Asked by awilderbeast
hi all,
I'm following this article
http://msexchangehelp.wordpress.com/2010/03/23/gui-script-for-exchange-2003-to-exchange-2010-cross-forest-move-mailbox/
I have a problem
my source forest is named domain.local and my target forest is named domain.net
so when I put in the credentials the source and target come up for domain.net (the 2010 machine)
I typed in the source credentials manually but I can't type in source mailboxes
anyone have any ideas of what I can do?
Thanks
ASKER
yeah that's what I did do, no luck :|
I also tried this
New-MoveRequest -Identity 'test@domain.local -RemoteLegacy -TargetDatabase Mailbox Database 123456789 -RemoteGlobalCatalog 'server1.domain.local' -RemoteCredential $Cred -TargetDeliveryDomain 'ex.domain.net'
found it from googling, that didn't do anything at all :|
cheers
The NetBIOS name is the same in each case? Did you manage to create a trust between the two domains? Much of Move2Exchange seems to rely on a trust existing.
Chris
ASKER
yeah the NetBIOS is the same, they are both "domain": one is domain.local, the other domain.net
no, haven't created a trust, should I?
all I did was add domain.local to domain.net DNS
It's not explicitly listed as a requirement. It looks like it is if you use Move2Exchange, but not necessarily with New-MoveRequest.
What did New-MoveRequest return? It should have returned something.
Chris
ASKER
it returned >>
that's it, didn't do anything other than that
Oh :)
The command isn't complete then, either you need to hit return once more, or you need to fix the code up a bit. I noticed a few errors in it, but I assumed it was copy / paste based.
This is the fixed-up version:
New-MoveRequest -Identity "test@domain.local" -RemoteLegacy `
-TargetDatabase "Mailbox Database 123456789" `
-RemoteGlobalCatalog "server1.domain.local" `
-RemoteCredential $Cred -TargetDeliveryDomain "ex.domain.net"
You need $Cred first, I guess you've dealt with that? If not, run this first:
$Cred = Get-Credential
That'll be a username and password for the source domain.
The ` characters I've added above allow the command to continue over more than one line, leave them in, or remove them and put it all back on one line.
Chris
ASKER
I got
The operation couldn't be performed because object 'test@domain.local' couldn't be found on 'DC1.domain.net'.
+ CategoryInfo : NotSpecified: (0:Int32) [New-MoveRequest], ManagementObjectNotFoundException
+ FullyQualifiedErrorId : 4E5084E3,Microsoft.Exchange.Management.RecipientTasks.NewMoveRequest
am I doing something the wrong way round here?
I'm moving from domain.local to domain.net
cheers
Hmm yes, that's the mailbox in the target domain, looks like it moves content only.
That's where this step comes in:
http://technet.microsoft.com/en-us/library/ee861103.aspx
The script they use there creates a copy of the user in the new domain (from the source). Then you can use that newly created user with New-MoveRequest to have the data pushed across.
Chris
ASKER
OK I created the user and mailbox on the new domain
then ran
$Cred = Get-Credential
New-MoveRequest -Identity "test@domain.net" -RemoteLegacy `
-TargetDatabase "Mailbox Database 123456" `
-RemoteGlobalCatalog "server01.domain.local" `
-RemoteCredential $Cred -TargetDeliveryDomain "CH-EX.domain.net"
and this came out
You must use the RemoteTargetDatabase parameter for remote push move requests.
+ CategoryInfo : InvalidArgument: (test@domain.net:MailboxOrMailUserIdParameter) [New-MoveRequest], RecipientTaskException
+ FullyQualifiedErrorId : 132DCDD4,Microsoft.Exchange.Management.RecipientTasks.NewMoveRequest
after that didn't work I did
$UserCredentials = Get-Credential
e:\move\Prepare-MoveRequest.ps1 -Identity test@domain.local `
-RemoteForestDomainController server01.domain.local `
-RemoteForestCredential $UserCredentials
I ran this, like in the article, and got this
Source Domain controller unavailable or authentication failed.
At E:\move\Prepare-MoveRequest.ps1:756 char:14
+ throw <<<< "Source Domain controller unavailable or authentication failed."
+ CategoryInfo : OperationStopped: (Source Domain c...ication failed.:String) [],
+ FullyQualifiedErrorId : Source Domain controller unavailable or authentication failed.
I ran both of these on the Exchange 2010 server using Exchange PowerShell
and I put the credentials of the 2003 server in for both scripts
any clues?
ASKER
oh I also can't create a trust between the old forest and the new forest using either machine to create it
I added DNS records for both forests too, won't let me
on domain.net I tried create new trust > domain.local > windows trust > cannot continue
"the new trust wizard cannot continue the specified domain cannot be contacted
Either the domain does not exist, or network or other problems are preventing connection"
I can ping domain.local from dc1.domain.net now DNS records are in there and still that doesn't work either
> oh i also cant create a trust between the old forest and the new forest using either
> machine to create it
Didn't think that would work, NetBIOS names need to be unique.
We shouldn't need it though.
Looking at syntax again.
Chris
ASKER
the syntax for which script?
Both :)
I'm surprised this doesn't work:
$UserCredentials = Get-Credential
e:\move\Prepare-MoveRequest.ps1 -Identity test@domain.local `
-RemoteForestDomainController server01.domain.local `
-RemoteForestCredential $UserCredentials
I guess you are able to resolve server01.domain.local to an IP address from the system running that script?
It's quite annoying, I can't see anything wrong with your syntax.
Chris
ASKER
yeah can resolve no probs, can resolve both ways, I created a primary DNS zone in each forest so no probs there
when I implement the script above it asks me for credentials twice for some bizarre reason
what does this error mean?
You must use the RemoteTargetDatabase parameter for remote push move requests.
+ CategoryInfo : InvalidArgument: (test@domain.net:MailboxOrMailUserIdParameter) [New-MoveRequest], RecipientTaskException
+ FullyQualifiedErrorId : 132DCDD4,Microsoft.Exchange.Management.RecipientTasks.NewMoveRequest
do I need to edit the code?
> i created a primary dns zone in each forest so no probs there
Primary? Not secondary? If it is Primary, which records did you create in the zone?
> do i need to edit the code?
It thinks you're requesting a push from the new domain back to the old. It's mistaken.
This is the only syntax reference I have:
http://technet.microsoft.com/en-us/library/dd351123.aspx
Note that it has three blocks of code at the top, the syntax for three different ways of running New-MoveRequest. We're trying to use the last of those, which means we must specify these (as you have done):
Identity
RemoteGlobalCatalog
RemoteLegacy
TargetDeliveryDomain
Can you run this and confirm that the command under Syntax matches up with the article I'm looking at?
Get-Help New-MoveRequest
Chris
ASKER
I just created a host record to resolve domain.net/local to the right IP addresses
I just tried to create a secondary, it worked, but when I tried to transfer from master I got "refused"
[PS] C:\Windows\system32>Get-Help New-MoveRequest

NAME
    New-MoveRequest

SYNOPSIS
    Use the New-MoveRequest cmdlet to begin the process of an asynchronous mailbox move. You can also check mailbox readiness to be moved by using the WhatIf parameter.

SYNTAX
    New-MoveRequest -Identity <MailboxOrMailUserIdParameter> [-BadItemLimit <Int32>] [-BatchName <String>] [-Confirm [<SwitchParameter>]] [-DomainController <Fqdn>] [-IgnoreRuleLimitErrors <SwitchParameter>] [-MRSServer <Fqdn>] [-Protect <SwitchParameter>] [-Suspend <SwitchParameter>] [-SuspendComment <String>] [-SuspendWhenReadyToComplete <SwitchParameter>] [-TargetDatabase <DatabaseIdParameter>] [-WhatIf [<SwitchParameter>]] [<CommonParameters>]

    New-MoveRequest -Identity <MailboxOrMailUserIdParameter> -Remote <SwitchParameter> -RemoteHostName <Fqdn> -TargetDeliveryDomain <Fqdn> [-BadItemLimit <Int32>] [-BatchName <String>] [-Confirm [<SwitchParameter>]] [-DomainController <Fqdn>] [-IgnoreRuleLimitErrors <SwitchParameter>] [-MRSServer <Fqdn>] [-Protect <SwitchParameter>] [-RemoteCredential <PSCredential>] [-RemoteGlobalCatalog <Fqdn>] [-RemoteOrganizationName <String>] [-RemoteTargetDatabase <String>] [-Suspend <SwitchParameter>] [-SuspendComment <String>] [-SuspendWhenReadyToComplete <SwitchParameter>] [-TargetDatabase <DatabaseIdParameter>] [-WhatIf [<SwitchParameter>]] [<CommonParameters>]

    New-MoveRequest -Identity <MailboxOrMailUserIdParameter> -RemoteGlobalCatalog <Fqdn> -RemoteLegacy <SwitchParameter> -TargetDeliveryDomain <Fqdn> [-BadItemLimit <Int32>] [-BatchName <String>] [-Confirm [<SwitchParameter>]] [-DomainController <Fqdn>] [-IgnoreRuleLimitErrors <SwitchParameter>] [-MRSServer <Fqdn>] [-Protect <SwitchParameter>] [-RemoteCredential <PSCredential>] [-RemoteTargetDatabase <String>] [-Suspend <SwitchParameter>] [-SuspendComment <String>] [-SuspendWhenReadyToComplete <SwitchParameter>] [-TargetDatabase <DatabaseIdParameter>] [-WhatIf [<SwitchParameter>]] [<CommonParameters>]

DESCRIPTION
    You need to be assigned permissions before you can run this cmdlet. Although all parameters for this cmdlet are listed in this topic, you may not have access to some parameters if they're not included in the permissions assigned to you. To see what permissions you need, see the "Mailbox move" entry in the Mailbox Permissions topic.

RELATED LINKS
    Online Version http://technet.microsoft.com/EN-US/library/c28ca2ce-963f-4676-81c3-cef3c290ee7b(EXCHG.140).aspx

REMARKS
    To see the examples, type: "get-help New-MoveRequest -examples".
    For more information, type: "get-help New-MoveRequest -detailed".
    For technical information, type: "get-help New-MoveRequest -full".
> i just tried to create a secondary it worked, but when i tried to transfer from
> master i got "refused"
You'll need to permit that (by IP Address) on the Primary version of the zone. DNS Console then properties for the zone, then the Zone Transfer tab. Set it to allow transfers to the list, and add the IP of the other server.
Chris
ASKER
yeah did that, still refused :|
got "the server with this IP address is not authoritative for the required zone"
heh you must be really enjoying this...
So under allow zone transfers you've got the IP address of the new Secondary server? And if you re-create the Secondary zone you feed it the IP address of the Primary server?
But it still says the server is not authoritative for the zone?
Chris
ASKER
it's great! lol
nothing's simple though is it! haha
on DC1.domain.net I have created a secondary zone for domain.local and vice versa on server01.domain.local
on dc1 (2008 R2) I have zone transfers set to allow to the following servers and have server01.domain.local's IP address in there and the FQDN has resolved to SERVER01 (which is correct)
but it says it's not authoritative to do so
server01.domain.local is an SBS 2003 box and doesn't come back with any fancy messages like 2008, so that's just a big red X with "zone not loaded by DNS server" on it
I'm stumped :|
Let's go with Conditional Forwarders... they're less work :)
Nuke the two Secondary zones you created (one on each side). On each server open the DNS console, select the server, open its Properties and select the Forwarders tab.
The interface differs a bit between the different versions now. It shouldn't be too bad though.
You need to enter the remote domain name, then the remote server IP address beneath that.
Run ipconfig /flushdns on each server then try looking up names again.
Chris
ASKER
conditional forwarders worked, so now we have DNS, back to the mailboxes! lol
shall I try any of the scripts again?
Phew, at least we got one step forward :)
And yes, let's give it a shot, try the Prepare-MoveRequest script?
Do you have a firewall between these two domains? You'll need quite a number of ports open to help it along.
Chris
ASKER
yeah SBS is using ISA 2004
same error, source DC is unavailable or authentication failed
port issue?
cheers
Could well be.
For the Global Catalog you'll need TCP Port 3268 open. I guess you have UDP/TCP Port 53 open for DNS? And possibly TCP Port 389 for LDAP?
Or is it just wide open? :)
You can test with Telnet since we're expecting a TCP connection:
telnet server01.domain.local 3268
If it works you'll get a blank screen, if not you'll get an error message.
Chris
ASKER
what's the command to see open ports again? or will it not matter, will I have to see through ISA?
telnet worked on 3268
53 is open as DNS works :)
so 389, is that needed?
how do I check 389?
ASKER
just thought, I've added the new server's IP range to ISA as internal networks, so ISA shouldn't be blocking any ports should it?
That I don't know, I don't know very much about ISA I'm afraid, I haven't had to use it for the last 5 years. I can see if I can find someone to help on that aspect if it'll be beneficial?
Chris
ASKER
I'm not that great on it either, but I think it doesn't block ports internally unless specified, I'm unsure of that though
found this nifty command
portqry -n server01.domain.local -p udp -e 389
======== End of LDAP query response ========
UDP port 389 is LISTENING
so all the ports were already open, so there must be some other reason it's not authenticating or not finding the DC
it asks me for credentials twice though when running that script, which is weird?
The prepare script? I haven't got a copy of the script so I couldn't really say what it's up to in there, it is possible it prompts for credentials.
I tell you what, let's try and find the account ourselves. If you could run this in the PowerShell prompt / Exchange Management Shell please? It'll need a bit of modification, hopefully it's clear what needs changing.
Chris
$LdapFilter "(mail=someemailaddress@domain.local)"
$RemoteDomain = New-Object DirectoryServices.DirectoryEntry(`
"GC://server01.domain.local/DC=domain,DC=local", `
"Domain\SomeUsername", `
"SomePassword")
$Searcher = New-Object DirectoryServices.DirectorySearcher($RemoteDomain, $LdapFilter)
$Searcher.FindAll()
ASKER
here's the prepare script
$UserCredentials = Get-Credential
e:\move\Prepare-MoveRequest.ps1 -Identity test@domain.local `
-RemoteForestDomainController server01.domain.local `
-RemoteForestCredential $UserCredentials
ran that code, on the 2010 server yes? and it was connecting to the 2003 SBS server, that's what it was supposed to do?
the account was any random account, I used the test account I created, no admin account needed?
Exception calling "FindAll" with "0" argument(s): "A referral was returned from the server.
"
At line:1 char:18
+ $Searcher.FindAll <<<< ()
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DotNetMethodException
Cheers
> Exception calling "FindAll" with "0" argument(s): "A referral was returned from the server.
That's interesting, that's a kind of "this doesn't exist here" message. It'll refer back to this part:
$RemoteDomain = New-Object DirectoryServices.DirectoryEntry(`
"GC://server01.domain.local/DC=domain,DC=local", `
"Domain\SomeUsername", `
"SomePassword")
We're trying to create a connection to the Global Catalog running on server01, and we're connecting to the naming context DC=domain,DC=local (which would correlate to a domain called domain.local).
> ran that code, on the 2010 server yes? and it was connecting to the 2003 sbs server,
> thats what it was supposed to do? the account was any random account, i used test account
> i created, no admin account needed?
As far as I can see, yes. There's no indication that it needs to be anything else.
Chris
ASKER
OK that was my bad, on the DC=domain I forgot to change it to my domain
I've done that now but still error
[PS] C:\Windows\system32>
[PS] C:\Windows\system32>$RemoteDomain = New-Object DirectoryServices.DirectoryEntry(`
>> "GC://server01.domain.local/DC=domain,DC=local", `
>> "DOMAIN\test", `
>> "Password01")
>>
[PS] C:\Windows\system32>$Searcher = New-Object DirectoryServices.DirectorySearcher($RemoteDomain, $LdapFilter)
[PS] C:\Windows\system32>
[PS] C:\Windows\system32>$Searcher.FindAll()
An error occurred while enumerating through a collection: The search filter is invalid..
At line:1 char:18
+ $Searcher.FindAll <<<< ()
+ CategoryInfo : InvalidOperation: (System.Director...sultsEnumerator:ResultsEnumerator) [], RuntimeException
+ FullyQualifiedErrorId : BadEnumeration
I appear to have missed an equals character out:
$LdapFilter = "(mail=someemailaddress@domain.local)"
That should work a little better :)
Chris
ASKER
OK it doesn't come back with an error now, but it doesn't do anything
I keep pressing enter and nothing
[PS] C:\Windows\system32>
[PS] C:\Windows\system32>$Searcher.FindAll()
[PS] C:\Windows\system32>
[PS] C:\Windows\system32>
[PS] C:\Windows\system32>
[PS] C:\Windows\system32>
[PS] C:\Windows\system32>
That means it ran but completely failed to find anything. Perhaps we should try proxyAddresses in the filter, we're only looking at the Primary Email address right now:
$LdapFilter = "(proxyAddresses=*someemailaddress@domain.local)"
We need the * I've added here, proxyAddresses are listed like this:
smtp:someemailaddress@domain.local
SMTP:primary@domain.com
etc
The rest of the code stays the same. However, the fact that it ran without error does suggest that you can connect and can search.
Do you have a copy of that Prepare script? Are you able to post it (attachment or in a code block)?
Chris
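As an added example (not code from the thread, nor from Microsoft's Prepare-MoveRequest.ps1), here is a PowerShell version of the checks Chris walks through: a timed TCP probe of the Global Catalog and LDAP ports, then the GC:// DirectorySearcher lookup with an escaped proxyAddresses filter and a prompted credential instead of a password typed into the command line. The names server01.domain.local, DC=domain,DC=local and test@domain.local are taken from the thread; the function names are assumptions of mine.

```powershell
# Added example, not from the thread or from Microsoft's Prepare-MoveRequest.ps1.
# Pre-flight checks for the cross-forest lookup discussed above, run from the
# Exchange Management Shell in the target forest (domain.net). Assumed names:
# server01.domain.local = source global catalog, test@domain.local = source mailbox.

function Test-TcpPort
{
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    # Same probe as "telnet server01.domain.local 3268", but with a timeout so a
    # firewall that silently drops packets fails fast instead of hanging the shell.
    $client = New-Object System.Net.Sockets.TcpClient
    try
    {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    }
    catch
    {
        return $false
    }
    finally
    {
        $client.Close()
    }
}

function ConvertTo-LdapFilterValue
{
    param([string]$Value)
    # RFC 4515 escaping of a value embedded in a filter (same idea as
    # getEscapedldapFilterStr in the prepare script). Backslash goes first so the
    # escapes added afterwards are not themselves re-escaped.
    $escaped = $Value.Replace('\', '\5c')
    $escaped = $escaped.Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    return $escaped.Replace([string][char]0, '\00')
}

function Find-RemoteMailbox
{
    param(
        [string]$GlobalCatalog,      # e.g. server01.domain.local
        [string]$NamingContext,      # e.g. DC=domain,DC=local
        [string]$SmtpAddress,        # e.g. test@domain.local
        [System.Management.Automation.PSCredential]$Credential
    )
    # Binding GC:// to a naming context the server does not hold is what produced
    # "A referral was returned from the server" earlier in the thread, and an
    # unset $LdapFilter is what produced "The search filter is invalid".
    $path = "GC://$GlobalCatalog/$NamingContext"
    $root = New-Object System.DirectoryServices.DirectoryEntry(
        $path, $Credential.UserName, $Credential.GetNetworkCredential().Password)

    $escaped = ConvertTo-LdapFilterValue $SmtpAddress
    # Match the primary address or an smtp: proxy, as Chris's wildcard filter did,
    # but with the literal value escaped rather than a leading *.
    $filter = "(|(mail=$escaped)(proxyAddresses=smtp:$escaped)(proxyAddresses=SMTP:$escaped))"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@(
        'distinguishedName', 'mail', 'proxyAddresses', 'legacyExchangeDN',
        'msExchMailboxGuid', 'sAMAccountName'))

    $results = $searcher.FindAll()
    if ($results.Count -eq 0)
    {
        Write-Warning "Nothing matching $SmtpAddress under $path"
        return $null
    }
    if ($results.Count -gt 1) { throw "More than one object matches $SmtpAddress" }
    return $results[0]
}

# Usage (interactive): prompt for the source-forest account rather than putting
# the password on the command line as the thread's one-liner did.
$cred = Get-Credential 'DOMAIN\test'
foreach ($port in 3268, 389)
{
    if (-not (Test-TcpPort -ComputerName 'server01.domain.local' -Port $port))
    {
        Write-Warning "TCP $port to server01.domain.local blocked: check the firewall between the forests"
    }
}
$found = Find-RemoteMailbox -GlobalCatalog 'server01.domain.local' `
    -NamingContext 'DC=domain,DC=local' -SmtpAddress 'test@domain.local' -Credential $cred
if ($found)
{
    $found.Properties['distinguishedname'][0]
    $found.Properties['proxyaddresses']
}
```

The property keys on a SearchResult are lower-cased, so index them as shown; the returned object is what the prepare script's findADObject would hand on to the mail-user creation step.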
ASKER
do I put
$LdapFilter = "(proxyAddresses=test@domain.local)"
or
$LdapFilter = "(proxyAddresses=smtp:test@domain.local)"
not quite sure what you mean there
prepare script below
$UserCredentials = Get-Credential
e:\move\Prepare-MoveRequest.ps1 -Identity test@domain.local `
-RemoteForestDomainController server01.domain.local `
-RemoteForestCredential $UserCredentials
Neither :) This one:
$LdapFilter = "(proxyAddresses=*test@domain.local)"
I meant the contents of this file: e:\move\Prepare-MoveRequest.ps1
Chris
ASKER
came back with results this time :)
Path Properties
---- ----------
GC://server01.domain.local/CN=test,OU=SBSUsers,OU=Users, ... {st, adspath, objectguid, textencodedoraddress, displayn...
sorry yeah code below
param([parameter(Position=0, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, mandatory=$true)][string]$Identity,
      [parameter(Position=1, mandatory=$true)][string]$RemoteForestDomainController,
      [parameter(Position=2, mandatory=$true)][Management.Automation.PSCredential]$RemoteForestCredential,
      [string]$LocalForestDomainController,
      [Management.Automation.PSCredential]$LocalForestCredential,
      [string]$TargetMailUserOU='Users',
      [string]$MailboxDeliveryDomain,
      [switch]$LinkedMailUser,
      [switch]$UseLocalObject)

begin
{
    # ---------------------------------------------------------------------------------------------------
    function findADObject($searchRoot, $filter)
    # ---------------------------------------------------------------------------------------------------
    {
        # Returns the single DirectoryEntry matching $filter under $searchRoot; $null if none, throws if several
        $searcher = new-object System.DirectoryServices.DirectorySearcher($searchRoot)
        $searcher.filter = $filter
        $user = $searcher.findall()
        if ($user -eq $null -or $user.count -eq 0)
        {
            return $null
        }
        elseif ($user.count -gt 1)
        {
            foreach ($usr in $user)
            {
                Write-Warning ("Object Found:" + $usr.GetDirectoryEntry().distinguishedName)
            }
            throw "Multiple objects found in AD."
        }
        else
        {
            return $user[0].GetDirectoryEntry()
        }
    }

    # ---------------------------------------------------------------------------------------------------
    function checkUserExist ($OU, $filter)
    # ---------------------------------------------------------------------------------------------------
    {
        # $true if at least one object under $OU matches $filter
        $searcher = new-object System.DirectoryServices.DirectorySearcher($OU)
        $searcher.filter = $filter
        $user = $searcher.findone()
        if ($user -eq $null -or $user.count -eq 0)
        {
            return $false
        }
        else
        {
            return $true
        }
    }

    # ---------------------------------------------------------------------------------------------------
    function copyIfExist ($target, [array]$attriblist, $propertybag)
    # ---------------------------------------------------------------------------------------------------
    {
        # Copies each attribute in $attriblist from the source property bag onto $target, if present
        foreach($att in $attriblist)
        {
            if ($propertybag.Contains($att))
            {
                Write-Verbose "Setting $att to $($propertybag.Item($att))"
                [void]($target.Put($att, $propertybag.Item($att).Value))
            }
        }
    }

    # ---------------------------------------------------------------------------------------------------
    function getEscapedldapFilterStr ([string]$original)
    # ---------------------------------------------------------------------------------------------------
    {
        # Escapes LDAP filter metacharacters so a user-supplied value cannot alter the filter
        $escape = $original.replace("\", "\5c")
        $escape = $escape.replace("(", "\28").replace(")", "\29")
        $escape = $escape.replace("&", "\26").replace("|", "\7c")
        $escape = $escape.replace("=", "\3d").replace(">", "\3e")
        $escape = $escape.replace("<", "\3c").replace("~", "\7e")
        $escape = $escape.replace("*", "\2a").replace("/", "\2f")
        return $escape
    }

    # ---------------------------------------------------------------------------------------------------
    function sidToLDAPQuery([byte[]]$sid)
    # ---------------------------------------------------------------------------------------------------
    {
        # Renders a binary SID as the \xx escaped form used in an LDAP filter
        foreach ($by in $sid)
        {
            $ret += "\" + $by.tostring("X")
        }
        return $ret
    }

    # ---------------------------------------------------------------------------------------------------
    function MasterAccountSidIsSelf ( $srcMbxAttributes )
    # ---------------------------------------------------------------------------------------------------
    {
        if ($srcMbxAttributes.Contains("msExchMasterAccountSid"))
        {
            $master = new-object System.Security.Principal.SecurityIdentifier($srcMbxAttributes.Item("msExchMasterAccountSid").value, 0)
            if ($master.IsWellKnown("SelfSid"))
            {
                return $true
            }
        }
        return $false
    }

    # ---------------------------------------------------------------------------------------------------
    function findLocalObject ($OU, $srcuser)
    # ---------------------------------------------------------------------------------------------------
    {
        # Looks for an existing local object for the source mailbox: first by master account SID, then by proxy address
        $usr = $null
        if ($srcuser.properties.Contains("msExchMasterAccountSid") -and -not (MasterAccountSidIsSelf $srcuser.properties))
        {
            $sourcesid += sidToLDAPQuery $srcuser.properties.Item("msExchMasterAccountSid").Value
            $filter = "(| (ObjectSid=$sourcesid) (msExchMasterAccountSid=$sourcesid) )"
            $usr = findADObject $OU $filter
        }
        if ($usr -eq $null)
        {
            $address = $srcuser.Properties.Item("proxyAddresses")
            foreach ($addr in $address)
            {
                if ($addr.startswith("x500:", "OrdinalIgnoreCase") -or $addr.startswith("smtp:", "OrdinalIgnoreCase"))
                {
                    $addr1 = getEscapedldapFilterStr ($addr.Substring(0,4).toUpper() + $addr.Substring(4))
                    $addr2 = getEscapedldapFilterStr ($addr.Substring(0,4).toLower() + $addr.Substring(4))
                    $filterstring += "(proxyAddresses=$addr1) (proxyAddresses=$addr2)"
                }
            }
            $filter = "(| $filterstring)"
            $usr = findADObject $OU $filter
        }
        return $usr
    }

    # ---------------------------------------------------------------------------------------------------
    function generateUniqueSAM ($ou, $srcMbxAttributes)
    # ---------------------------------------------------------------------------------------------------
    {
        # Reuses the source sAMAccountName unless it already exists locally; then appends a random suffix (max 20 chars)
        $uniquesam = $srcMbxAttributes.Item('samaccountname').Value
        $retrycount = 30
        if ($uniquesam.Length -lt 20)
        {
            while ($retrycount -gt 0 -and (checkUserExist $ou "(samAccountName=$(getEscapedldapFilterStr $uniquesam))"))
            {
                $uniquesam = $srcMbxAttributes.Item("samaccountname").Value + (random)
                if ($uniquesam.length -gt 20)
                {
                    $uniquesam = $uniquesam.substring(0,20)
                }
                $retrycount = $retrycount - 1
            }
        }
        return $uniquesam
    }

    # ---------------------------------------------------------------------------------------------------
    function generateUniqueUPN ($ou, $srcMbxAttributes, $fallbacks)
    # ---------------------------------------------------------------------------------------------------
    {
        if ($srcMbxAttributes.Contains('userPrincipalName'))
        {
            $uniqueupn = $srcMbxAttributes.Item('userPrincipalName').Value
            if ($uniqueupn -match "^(.*)(@.*)$")
            {
                $postfix = $matches[2]
                $prefix = $matches[1]
            }
            $preferedupn = ,$uniqueupn + $fallbacks
            foreach ($upn in $preferedupn)
            {
                if ($upn -ne $null)
                {
                    if ($upn.contains("@"))
                    {
                        $testupn = $upn
                    }
                    else
                    {
                        $testupn = "$upn$postfix"
                    }
                    if ($(checkUserExist $ou "(userPrincipalName=$(getEscapedldapFilterStr $testupn))") -eq $false)
                    {
                        return $testupn
                    }
                }
            }
            #try to use prefered upn, if all unsuitable, generate a new one
            while ($(checkUserExist $ou "(userPrincipalName=$(getEscapedldapFilterStr $uniqueupn))"))
            {
                $uniqueupn = "$prefix$(random)$postfix"
            }
        }
        return $uniqueupn
    }

    # ---------------------------------------------------------------------------------------------------
    function copyMandatoryAttributes ($newuser, $srcAttributes, $localDC)
    # ---------------------------------------------------------------------------------------------------
    {
        $copyAttributes="displayName",
                        "Mail",
                        "mailNickName",
                        "msExchMailboxGuid",
                        "msExchArchiveGuid",
                        "msExchUserCulture",
                        "msExchArchivename",
                        "proxyAddresses"
        $specialAttributes = @{ "msExchRecipientDisplayType"=0x80000006;
                                "msExchRecipientTypeDetails"=0x80;
                                "msExchVersion"="44220983382016";
                                "userAccountControl"=0x202 #ACCOUNTDISABLE | NORMAL_ACCOUNT
                              }
        if ($localDC -ne $null)
        {
            $specialAttributes["samaccountname"] = generateUniqueSAM $localDC $srcAttributes
            $specialAttributes["userPrincipalName"] = generateUniqueUPN $localDC $srcAttributes $newuser.cn,$specialAttributes["samaccountname"]
        }
        [void](copyIfExist $newuser $copyAttributes $srcAttributes)
        foreach($att in $specialAttributes.getenumerator())
        {
            if ($att.value -ne $null)
            {
                Write-Verbose "Setting $($att.key) to $($att.value)"
                [void]($newuser.put($att.key, $att.value.tostring()))
            }
        }
    }

    # ---------------------------------------------------------------------------------------------------
    function createMailUserAccount ($localDC, $ou, $srcMbxAttributes)
    # ---------------------------------------------------------------------------------------------------
    {
        # Creates the disabled mail-enabled user in the target forest that New-MoveRequest later fills
        try{
            $newcn = getEscapedldapFilterStr $srcMbxAttributes.Item("cn").value
            $newcn = $newcn.replace(",", "\,")
            while ([DirectoryServices.DirectoryEntry]::exists("LDAP://cn=$newcn,$($ou.distinguishedname)"))
            {
                $newcn = getEscapedldapFilterStr ($srcMbxAttributes.Item('cn').value + (random))
                $newcn = $newcn.replace(",", "\,")
            }
            [void]($newuser = $ou.create("user", "cn=$newcn"))
            copyMandatoryAttributes $newuser $srcMbxAttributes $localDC
            #additional operations for proxyaddresses and targetaddress
            $srcproxys = $srcMbxAttributes.Item("proxyAddresses")
            $X500proxyAddr = "x500:" + $srcMbxAttributes.Item("LegacyExchangeDN").value
            if ($srcMbxAttributes.Contains("LegacyExchangeDN") -and
                -not $srcproxys.tostring().toupper().contains($X500proxyAddr.ToUpper()))
            {
                Write-Verbose "Appending proxyAddresses with $X500proxyAddr"
                [void]($newuser.putex(3, "proxyAddresses", [array]$X500proxyAddr))
            }
            foreach ($addr in $srcproxys)
            {
                if ($addr -match "^(SMTP|smtp):.*@(.*)$")
                {
                    #if don't specify authoritative domains, use primary smtp address
                    if (([string]::IsNullOrEmpty($MailboxDeliveryDomain) -and $addr.startswith("SMTP")) -or
                        ($matches[2] -eq $MailboxDeliveryDomain))
                    {
                        Write-Verbose "Setting targetAddress to $addr"
                        [void]$newuser.put("targetAddress", $addr)
                        break
                    }
                }
            }
            [void]($newuser.SetInfo())
            return $newuser
        }
        catch
        {
            Write-Error "Error creating mailuser CN=$newcn,$($ou.distinguishedname) in local forest or setting its mandatory attributes."
        }
        return $null
    }

    # ---------------------------------------------------------------------------------------------------
function copyGalySyncAttributes ($user, $srcMbxAttributes)
# ---------------------------------------------------------------------------------------------------
{
$copyAttributes= "C",
"Co",
"countryCode",
"Company",
"Department",
"facsimileTelephoneNumber",
"givenName",
"homePhone",
"Info",
"Initials",
"L",
"Mobile",
"msExchAssistantName",
"msExchHideFromAddressLists",
"otherHomePhone",
"otherTelephone",
"Pager",
"physicalDeliveryOfficeName",
"postalCode",
"Sn",
"St",
"streetAddress",
"telephoneAssistant",
"telephoneNumber",
"Title"
copyIfExist $user $copyAttributes $srcMbxAttributes
}
# ---------------------------------------------------------------------------------------------------
function copyE2k7OptionalAttributes ($user, $srcMbxAttributes)
# ---------------------------------------------------------------------------------------------------
{
$copyAttributes= #"Cn",
"Comment",
"deletedItemFlags",
"delivContLength",
"departmentNumber",
"Description",
"Division",
"employeeID",
"employeeNumber",
"employeeType",
"homePostalAddress",
"internationalISDNNumber",
"ipPhone",
"Language",
"localeID",
"mAPIRecipient",
"middleName",
"msDS-PhoneticCompanyName",
"msDS-PhoneticDepartment",
"msDS-PhoneticDisplayName",
"msDS-PhoneticFirstName",
"msDS-PhoneticLastName",
"msExchBlockedSendersHash",
"msExchELCExpirySuspensionEnd",
"msExchELCExpirySuspensionStart",
"msExchELCMailboxFlags",
"msExchExternalOOFOptions",
"msExchMessageHygieneFlags",
"msExchMessageHygieneSCLDeleteThreshold",
"msExchMessageHygieneSCLJunkThreshold",
"msExchMessageHygieneSCLQuarantineThreshold",
"msExchMessageHygieneSCLRejectThreshold",
"msExchMDBRulesQuota",
"msExchPoliciesExcluded",
"msExchSafeRecipientsHash",
"msExchSafeSendersHash",
"msExchUMSpokenName",
"O",
"otherFacsimileTelephoneNumber",
"otherIpPhone",
"otherMobile",
"otherPager",
"preferredDeliveryMethod",
"personalPager",
"personalTitle",
"Photo",
"pOPCharacterSet",
"pOPContentFormat",
"postalAddress",
"postOfficeBox",
"primaryInternationalISDNNumber",
"primaryTelexNumber",
"showInAdvancedViewOnly",
"Street",
"terminalServer",
"textEncodedORAddress",
"thumbnailLogo",
"thumbnailPhoto",
"url",
"userCert",
"userCertificate",
"userSMIMECertificate",
"wWWHomePage"
foreach ($i in 1..15)
{
$copyAttributes += "extensionAttribute$i";
}
copyIfExist $user $copyAttributes $srcMbxAttributes
}
# ---------------------------------------------------------------------------------------------------
function findCorrespondingADObject ($targetOU, $DN, $srcDomain)
# ---------------------------------------------------------------------------------------------------
{
$cn = "$DN".substring(0, "$DN".indexof(",DC="))
$srcreferenceobject = $srcDomain.children.find($cn)
$usr = $null
if ($srcreferenceobject -ne $null)
{
if ($srcreferenceobject.Properties.Contains("legacyExchangeDN"))
{
$legexch = getEscapedldapFilterStr $srcreferenceobject.Properties.Item("legacyExchangeDN")
$addrfilter = "(proxyAddresses=x500:$legexch) (proxyAddresses=X500:$legexch)"
}
$address = $srcreferenceobject.Properties.Item("proxyAddresses")
foreach ($addr in $address)
{
if ($addr.startswith("x500:", "OrdinalIgnoreCase"))
{
$addrfilter += "(legacyExchangeDN=$(getEscapedldapFilterStr $addr.substring(5)))"
}
if ($addr.startswith("smtp:", "OrdinalIgnoreCase") -or $addr.startswith("x500:", "OrdinalIgnoreCase"))
{
$addr1 = getEscapedldapFilterStr ($addr.Substring(0,4).toUpper() + $addr.Substring(4))
$addr2 = getEscapedldapFilterStr ($addr.Substring(0,4).toLower() + $addr.Substring(4))
$addrfilter += "(proxyAddresses=$addr1) (proxyAddresses=$addr2)"
}
}
if ([string]::IsNullOrEmpty($addrfilter) -eq $false)
{
$filter = "(| $addrfilter)"
$usr = findADObject $targetOU $filter
if ($usr -eq $null)
{
#user not found, try find the contact
$usr = findADObject $targetOU "(& (objectClass=contact) $filter)"
}
}
return $usr
}
}
# ---------------------------------------------------------------------------------------------------
function setLinkedAttribute ($attribname, $backlinkname, $targetOU, $user, $srcMbxAttributes, $srcDomain)
# ---------------------------------------------------------------------------------------------------
{
if ($srcMbxAttributes.contains($attribname))
{
foreach ($dn in $srcMbxAttributes.item($attribname))
{
try
{
$corobj = findCorrespondingADObject $targetOU $dn $srcDomain
if ($corobj -eq $null)
{
Write-Warning "Cannot find corresponding object for $dn in current forest. `'$attribname`' not set."
}
else
{
Write-Verbose "Setting $attribname to $($corobj.properties.item('distinguishedname'))"
$user.putex(3, $attribname, [array]"$($corobj.properties.item('distinguishedname'))")
}
}
catch
{
Write-Warning "Error updating $($user.distinguishedName) Attribute: $attribname! Attribute Not Set! Error: $($Error[0])"
}
}
}
#find backlink from source MBX, set it on corresponding user in target
if ($srcMbxAttributes.contains($backlinkname))
{
foreach ($dn in $srcMbxAttributes.item($backlinkname))
{
try
{
$corobj = findCorrespondingADObject $targetOU $dn $srcDomain
if ($corobj -eq $null)
{
Write-Warning "Cannot find corresponding object for $dn in current forest. `'$attribname`' not updated."
}
else
{
$corobj.PutEx(3, $attribname, [array]"$($user.properties.item("distinguishedname"))")
$corobj.SetInfo()
Write-Host "Updating $($corobj.distinguishedName) Attribute: $attribname" -ForegroundColor Green
}
}
catch
{
Write-Warning "Error updating $($corobj.distinguishedName) Attribute: $attribname! Attribute Not Set! Error: $($Error[0])"
}
}
}
}
# ---------------------------------------------------------------------------------------------------
function setLinkedAttributes ($targetOU, $user, $srcMbxAttributes, $srcDomain)
# ---------------------------------------------------------------------------------------------------
{
setLinkedAttribute "altRecipient" "altRecipientBL" $targetOU $user $srcMbxAttributes $srcDomain
if ($user.properties.contains("altRecipient") -and $srcMbxAttributes.contains("deliverAndRedirect"))
{
$user.put("deliverAndRedirect", "$($srcMbxAttributes.item('deliverAndRedirect'))".toupper())
}
setLinkedAttribute "Manager" "directReports" $targetOU $user $srcMbxAttributes $srcDomain
setLinkedAttribute "publicDelegates" "publicDelegatesBL" $targetOU $user $srcMbxAttributes $srcDomain
setLinkedAttribute "member" "memberOf" $targetOU $user $srcMbxAttributes $srcDomain
}
# ---------------------------------------------------------------------------------------------------
function copyLinkedMailboxTypeAttributes ($user, $srcMbxAttributes)
# ---------------------------------------------------------------------------------------------------
{
$copyAttributes = @()
$valuedAttributes = @{ }
$accountenable = ($srcMbxAttributes.Item("UserAccountControl").tostring() -band 0x2) -eq 0
if (-not $accountenable -and (MasterAccountSidIsSelf $srcMbxAttributes))
{
$valuedAttributes["msExchRecipientDisplayType"] = $user.properties.Item("msExchRecipientDisplayType").value -bor 2
}
else
{
$valuedAttributes["msExchRecipientDisplayType"] = 0xC0000006
if ($srcMbxAttributes.Contains("msExchMasterAccountSid"))
{
$copyAttributes += "msExchMasterAccountSid"
}
elseif ($srcMbxAttributes.Contains("objectSid"))
{
$valuedAttributes["msExchMasterAccountSid"] = $srcMbxAttributes.Item("objectSid").Value
}
#this can also be done by carefully arranging "msExchMasterAccountSid" and "objectSid"
#in the list, avoiding the trouble of nested branching, but it's not worth the maintenance effort
}
[void](copyIfExist $user $copyAttributes $srcMbxAttributes)
foreach($att in $valuedAttributes.getenumerator())
{
Write-Verbose "Setting $($att.key) to $($att.value)"
[void]($user.put($att.key, $att.value))
}
}
# ---------------------------------------------------------------------------------------------------
function copySpecialMailboxTypeAttributes ($user, $srcMbxAttributes)
# ---------------------------------------------------------------------------------------------------
{
#Mailbox Type Constants
$ROOMMAILBOX = 16
$EQUIPMENTMAILBOX = 32
#End Mailbox Type Constants
$copyAttributes = "msExchResourceCapacity",
"msExchResourceDisplay",
"msExchResourceMetaData",
"msExchResourceSearchProperties"
$valuedAttributes = @{ }
if ($srcMbxAttributes.Contains("msExchRecipientTypeDetails"))
{
$typedetail = $user.ConvertLargeIntegerToInt64($srcMbxAttributes.Item("msExchRecipientTypeDetails").Value)
if (($typedetail -band $ROOMMAILBOX) -ne 0)
{
$valuedAttributes["msExchRecipientDisplayType"] = 0x80000706
}
elseif (($typedetail -band $EQUIPMENTMAILBOX) -ne 0)
{
$valuedAttributes["msExchRecipientDisplayType"] = 0x80000806
}
else
{
return
}
[void](copyIfExist $user $copyAttributes $srcMbxAttributes)
foreach($att in $valuedAttributes.getenumerator())
{
Write-Verbose "Setting $($att.key) to $($att.value)"
# $user is this function's own parameter; the original wrote to $newuser, which only resolves through the caller's scope
[void]($user.put($att.key, $att.value))
}
}
}
# ---------------------------------------------------------------------------------------------------
function createMEUAndCopyAttrs ($localDC, $localOU, $srcDC, $srcObject)
# ---------------------------------------------------------------------------------------------------
{
$srcAttributes = $srcObject.properties
$newuser = createMailUserAccount $localDC $localOU $srcAttributes
if ($newuser -eq $null)
{
return
}
#mandatory attributes are all set. go with optional attributes
copyGalySyncAttributes $newuser $srcAttributes
copyE2k7OptionalAttributes $newuser $srcAttributes
setLinkedAttributes $localdc $newuser $srcAttributes $srcdc
copySpecialMailboxTypeAttributes $newuser $srcAttributes
if ($LinkedMailUser)
{
copyLinkedMailboxTypeAttributes $newuser $srcAttributes
}
try
{
[void]($newuser.SetInfo())
Update-Recipient $newuser.DistinguishedName.Value @DomainControllerParameterSet
#syncback Legacy Exchange DN
#rebind ad object to retrieve new properties set by Update-Recipient
$newuser.RefreshCache([array]"legacyExchangeDN")
$srcproxys = $srcAttributes.Item("proxyAddresses")
$X500proxyAddr = "x500:" + $newuser.properties.Item("LegacyExchangeDN")
if ($newuser.properties.Contains("LegacyExchangeDN") -and $srcproxys.Contains($X500proxyAddr) -eq $false)
{
Write-Host "Updating source MBX($($srcObject.distinguishedName)) in source forest, appending $X500proxyAddr to proxyAddresses" -ForegroundColor Green
[void]($srcObject.putex(3, "proxyAddresses", [array]$X500proxyAddr))
$srcObject.setinfo()
}
$Global:movecount++
"Preparation for $Identity done."
}
catch
{
Write-Error "failed performing final steps. $($Error[0])"
return
}
}
# ---------------------------------------------------------------------------------------------------
function forceMergeObject ($recipienttype, $localOU, $localusr, $srcObject)
# ---------------------------------------------------------------------------------------------------
{
$copyAttributes = "msExchMailboxGUID",
"msExchArchiveGUID",
"msExchArchiveName"
if ($recipienttype -eq 'MailUser')
{
Write-Verbose "Merging Mailbox properties to local MailUser"
[void](copyIfExist $localusr $copyAttributes $srcObject.properties)
$logindisabled = ($srcObject.userAccountControl.Value -band 0x2) -ne 0 #AccountDisabled
if ($LinkedMailUser -and $logindisabled)
{
copyLinkedMailboxTypeAttributes $localusr $srcObject.properties
}
try
{
[void]($localusr.SetInfo()) # Might get Access Denied.
}
catch
{
Write-Error "Error merging mailbox information with local mailuser: $($localusr.DistinguishedName). Error: $($Error[0])"
return
}
}
elseif ($recipienttype -eq 'MailContact')
{
Write-Verbose "Creating MailUser with same attributes as local MailContact"
$srcMbxAttributes = $srcObject.Properties
$ContactAttributes = $localusr.Properties
$newcn = getEscapedldapFilterStr $srcMbxAttributes.Item("cn").value
$newcn = $newcn.replace(",", "\,")
while ([DirectoryServices.DirectoryEntry]::exists("LDAP://cn=$newcn,$($localou.distinguishedname)"))
{
$newcn = getEscapedldapFilterStr ($srcMbxAttributes.Item('cn').value + (random))
$newcn = $newcn.replace(",", "\,")
}
$newuser = $localOU.create("user", "cn=$newcn")
copyMandatoryAttributes $newuser $ContactAttributes
copyGalySyncAttributes $newuser $ContactAttributes
copyE2k7OptionalAttributes $newuser $ContactAttributes
setLinkedAttributes $localdc $newuser $ContactAttributes $localdc
copySpecialMailboxTypeAttributes $newuser $ContactAttributes
if ($LinkedMailUser)
{
copyLinkedMailboxTypeAttributes $newuser $ContactAttributes
}
[void](copyIfExist $newuser "targetAddress" $ContactAttributes)
# $srcproxys is never assigned in this function; read the source mailbox's proxy addresses explicitly
$srcproxys = $srcMbxAttributes.Item("proxyAddresses")
foreach ($addr in $srcproxys)
{
if ($addr -match "^(SMTP|smtp):.*@(.*)$")
{
#if don't specify authoritative domains, use primary smtp address
if (([string]::IsNullOrEmpty($MailboxDeliveryDomain) -and $addr.startswith("SMTP")) -or
($matches[2] -eq $MailboxDeliveryDomain))
{
Write-Verbose "Setting targetAddress to $addr"
[void]$newuser.put("targetAddress", $addr)
break
}
}
}
try
{
$localusr.deletetree()
$copyAttributes += "sAMAccountName",
"userPrincipalName"
[void](copyIfExist $newuser $copyAttributes $srcMbxAttributes)
Write-Host -ForegroundColor red "Deleting $($localusr.distinguishedname)"
[System.Threading.Thread]::Sleep(500)
[void]($newuser.setinfo())
}
catch
{
Write-Error "Error merging recipient information. Recipient data unchanged. Error: $($Error[0])"
return
}
}
"Preparation for $Identity done. Local recipient info Merged."
$Global:movecount++
}
#=========================================================================================================
# Initialize code
#=========================================================================================================
# The DirectoryEntry constructor needs a plain-text password, so the SecureString is decrypted here.
# The managed copy stays in $pwd/$localpwd for the rest of the session (and is visible to anything
# that can read the process); the unmanaged BSTR is zeroed and freed as soon as the copy exists.
$usr = $RemoteForestCredential.UserName
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($RemoteForestCredential.Password)
$pwd = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
if ($LocalForestCredential -ne $null)
{
$localusr = $LocalForestCredential.UserName
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($LocalForestCredential.Password)
$localpwd = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}
$Global:movecount = 0
$srcdc = New-Object DirectoryServices.DirectoryEntry("LDAP://$RemoteForestDomainController", $usr, $pwd)
$DomainControllerParameterSet = @{}
if ($srcdc.guid -eq $null)
{
#guid not present, consider src unavailable
throw "Source Domain controller unavailable or authentication failed."
}
try {
if ($LocalForestCredential -eq $null -and [string]::IsNullorEmpty($LocalForestDomainController))
{
$localdc = [ADSI]""
}
elseif ($LocalForestCredential -ne $null -and $LocalForestDomainController -ne $null)
{
$localdc = New-Object DirectoryServices.DirectoryEntry("LDAP://$LocalForestDomainController", $localusr, $localpwd)
$DomainControllerParameterSet = @{ DomainController=$LocalForestDomainController; Credential=$LocalForestCredential }
}
else
{
throw "LocalForestCredential and LocalForestDomainController need to be specified at the same time"
}
$escapedtargetou = getEscapedldapFilterStr $TargetMailUserOU
$OUfilter = "(& (| (ObjectClass=Container)" +
" (ObjectClass=organizationalUnit))" +
" (| (name=$escapedtargetou)" +
" (distinguishedname=$escapedtargetou)))"
$localOU = findADObject $localdc $OUfilter
if ($localOU -eq $null)
{
throw "Cannot find specified OU or Container: $TargetMailUserOU"
}
}
catch
{
throw "Error looking up local OU, Error Msg: $($Error[0])"
}
}
process
{
$escapedIdentity = getEscapedldapFilterStr $Identity
$filterDN = "(& (objectClass=user)" +
" (distinguishedName=$escapedIdentity))"
$filterParm = "(& (objectClass=user)" +
" ( (| (mailnickname=$escapedIdentity)" +
" (cn=$escapedIdentity)" +
" (proxyAddresses=SMTP:$escapedIdentity)" +
" (proxyAddresses=smtp:$escapedIdentity)" +
" (proxyAddresses=X500:$escapedIdentity)" +
" (proxyAddresses=x500:$escapedIdentity)" +
" (objectGUID=$escapedIdentity)" +
" (displayname=$escapedIdentity))))"
$srcObject = findADObject $srcdc $filterParm
if ($srcObject -eq $null)
{
$srcObject = findADObject $srcdc $filterDN
if ($srcObject -eq $null)
{
Write-Error "Error looking up source MBX $identity in source forest."
return
}
}
if (-not $srcObject.properties.contains("mailNickName") -or -not $srcObject.properties.contains("msExchHomeServerName"))
{
Write-Error "Source Object $($srcObject.distinguishedName) found, but it is not a Mailbox."
return
}
$accountenable = ($srcObject.properties.Item("UserAccountControl").tostring() -band 0x2) -eq 0
if (-not $accountenable -and -not $srcObject.properties.contains("msExchMasterAccountSid"))
{
Write-Error "Source Mailbox is invalid because it is disabled but did not set msExchMasterAccountSid."
return
}
try
{
$localusr = findLocalObject $localdc $srcObject
}
catch
{
Write-Error "Error processing $identity, Mailbox not ready to move! Error message: $($error[0])"
return
}
if ($localusr -eq $null)
{
#local recipient not exist, source object found, proceed the MEU creation process
createMEUAndCopyAttrs $localdc $localOU $srcDC $srcObject
}
else
{
Write-Verbose "Local AD account with duplicate proxy addresses found: $($localusr.distinguishedName)"
try
{
$recipienttype = (get-recipient $localusr.distinguishedname.value @DomainControllerParameterSet).RecipientType
if ($recipienttype -eq 'MailUniversalDistributionGroup' -or $recipienttype -eq 'UserMailbox')
{
write-error "Cannot create mail enabled user because an existing mailbox user or mail enabled group already has the same proxy addresses/MasterAccountSid."
}
elseif ($recipienttype -eq 'MailUser' -or $recipienttype -eq 'MailContact')
{
if ($UseLocalObject)
{
forceMergeObject $recipienttype $localOU $localusr $srcObject
}
else
{
write-error ("Cannot create mail enabled user because an existing mail enabled user " +
"or contact already has the same proxy addresses/MasterAccountSid. Please rerun the script with " +
"'-UseLocalObject' if you want to convert the existing email enabled user or contact to " +
"a mail enabled user that is ready for online mailbox move.")
}
}
}
catch
{
Write-Error "Found a non mail enabled object with duplicated proxyAddresses or MasterAccountSid: $($localusr.distinguishedName). Error: $($Error[0])"
}
}
}
end
{
Write-Host -ForegroundColor Black -BackgroundColor Green "$movecount mailbox(s) ready to move."
}
Most kind :)
They're doing much the same as we just did to test. Here's the bit of code from the script. Let's give it a try all on its own? You'll need to fix the server, username and password.
Chris
$RemoteForestDomainController = "server01.domain.local"
$usr = "SomeUsername"
$pwd = "SomePassword"
$srcdc = New-Object DirectoryServices.DirectoryEntry("LDAP://$RemoteForestDomainController", $usr, $pwd)
if ($srcdc.guid -eq $null)
{
#guid not present, consider src unavailable
throw "Source Domain controller unavailable or authentication failed."
}
ASKER
It just printed the script,
didn't run anything.
Hmm okay that's annoying, it should have thrown an error if it were to behave in the same way as it does when you try to run it as a script.
This time it will prompt for the username and password, you only need to fix the server name. If this works I'll be quite annoyed, we're calling the bit which appears to fail when you run it as a script :)
Chris
$RemoteForestDomainController = "server01.domain.local"
$RemoteForestCredential = $(Get-Credential)
$usr = $RemoteForestCredential.UserName
$pwd = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($RemoteForestCredential.Password))
$srcdc = New-Object DirectoryServices.DirectoryEntry("LDAP://$RemoteForestDomainController", $usr, $pwd)
if ($srcdc.guid -eq $null)
{
#guid not present, consider src unavailable
throw "Source Domain controller unavailable or authentication failed."
}
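The check at the end of that snippet reports "unavailable or authentication failed" without saying which. As an added example, not code from the script or from the post above, the helper below forces the bind and maps the two usual HRESULTs to a named cause, so a wrong password and an unreachable DC stop looking identical. The server name and account in the usage line are assumptions.

```powershell
# Added example (not part of Prepare-MoveRequest.ps1 or the snippet above).
# Binds to a domain controller with explicit credentials and reports which of the two
# causes the script lumps together actually happened. Server name and account are assumptions.
function Test-LdapBind
{
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [Parameter(Mandatory = $true)][System.Management.Automation.PSCredential]$Credential
    )

    # The DirectoryEntry constructor wants a plain-text password. Keep it for the bind only
    # and zero the unmanaged copy afterwards.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Credential.Password)
    try
    {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
        # Secure = Negotiate (Kerberos/NTLM) instead of a simple bind; Sealing asks for Kerberos encryption of the session.
        $authType = [DirectoryServices.AuthenticationTypes]'Secure, Sealing'
        $entry = New-Object DirectoryServices.DirectoryEntry("LDAP://$Server", $Credential.UserName, $plain, $authType)

        # DirectoryEntry binds lazily; RefreshCache forces the bind so a failure surfaces here
        # instead of as a silently empty .guid later.
        $entry.RefreshCache()
        return New-Object PSObject -Property @{
            Server = $Server
            Result = 'OK'
            Detail = "bound as $($Credential.UserName) to $($entry.Properties.Item('distinguishedName').Value)"
        }
    }
    catch
    {
        # PowerShell wraps the COMException; walk to the innermost exception for the HRESULT.
        $ex = $_.Exception
        while ($ex.InnerException -ne $null) { $ex = $ex.InnerException }
        $hr = 0
        if ($ex -is [System.Runtime.InteropServices.COMException]) { $hr = $ex.ErrorCode }

        $result = 'OtherError'
        if ($hr -eq 0x8007052E) { $result = 'AuthenticationFailed' }   # ERROR_LOGON_FAILURE (1326)
        elseif ($hr -eq 0x8007203A) { $result = 'ServerDown' }         # ERROR_DS_SERVER_DOWN (8250), "server is not operational"
        return New-Object PSObject -Property @{ Server = $Server; Result = $result; Detail = $ex.Message }
    }
    finally
    {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        $plain = $null
    }
}

# Usage (names assumed from the thread; prompting keeps the password out of the session history):
# Test-LdapBind -Server 'server01.domain.local' -Credential (Get-Credential 'DOMAIN\administrator')
```

Run it from the Exchange 2010 shell with the same credential object you hand to the script. A result of AuthenticationFailed with a DOMAIN\user name points at the account or the NetBIOS-name clash between the two forests; ServerDown points at DNS or the network, which the script's message cannot distinguish.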
ASKER
Again, it just prints it.
[PS] C:\Windows\system32>$RemoteForestDomainController = "server01.domain.local"
[PS] C:\Windows\system32>$RemoteForestCredential = $(Get-Credential)
cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
[PS] C:\Windows\system32>
[PS] C:\Windows\system32>$usr = $RemoteForestCredential.UserName
[PS] C:\Windows\system32>$pwd = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::Se
cureStringToBSTR($RemoteForestCredential.Password))
[PS] C:\Windows\system32>
[PS] C:\Windows\system32>$srcdc = New-Object DirectoryServices.DirectoryEntry("LDAP://$RemoteForestDomainController",
$usr, $pwd)
[PS] C:\Windows\system32>if ($srcdc.guid -eq $null)
>> {
>> #guid not present, consider src unavailable
>> throw "Source Domain controller unavailable or authentication failed."
>> }
>>
[PS] C:\Windows\system32>
[PS] C:\Windows\system32>
[PS] C:\Windows\system32>
[PS] C:\Windows\system32>
[PS] C:\Windows\system32>
Yet if you run the script using the same credentials it comes back and complains with the same error message as before?
Chris
ASKER
If I run the script with this code
$UserCredentials = Get-Credential
e:\move\Prepare-MoveRequest.ps1 -Identity test@domain.local`
-RemoteForestDomainController server01.domain.local`
-RemoteForestCredential $UserCredentials
I get the below.
With the username I tried "test", "DOMAIN\test", "test@domain.local" and got the same error on all of them.
Also I get asked for credentials twice every time too.
[PS] C:\Windows\system32>$UserCredentials = Get-Credential
cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
[PS] C:\Windows\system32>e:\move\Prepare-MoveRequest.ps1 -Identity test@domain.local`
cmdlet Prepare-MoveRequest.ps1 at command pipeline position 1
Supply values for the following parameters:
RemoteForestDomainController: -RemoteForestDomainController server01.domain.local`
RemoteForestCredential
Source Domain controller unavailable or authentication failed.
At E:\move\Prepare-MoveRequest.ps1:756 char:14
+ throw <<<< "Source Domain controller unavailable or authentication failed."
+ CategoryInfo : OperationStopped: (Source Domain c...ication failed.:String) [], RuntimeException
+ FullyQualifiedErrorId : Source Domain controller unavailable or authentication failed.
[PS] C:\Windows\system32> -RemoteForestCredential $UserCredentials
Missing expression after unary operator '-'.
At line:1 char:4
+ - <<<< RemoteForestCredential $UserCredentials
+ CategoryInfo : ParserError: (-:String) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : MissingExpressionAfterOperator
[PS] C:\Windows\system32>
ASKER CERTIFIED SOLUTION
ASKER
OK, looks like that worked a bit :)
[PS] C:\Windows\system32>e:\move\Prepare-MoveRequest.ps1 -Identity test@domain.local -RemoteForestDomainController serve
r01.cworks.local -RemoteForestCredential $UserCredentials
WARNING: Cannot find corresponding object for CN=My Place,OU=Security Groups,OU=MyBusiness,DC=domain,DC=local in
current forest. 'member' not updated.
Updating source MBX(CN=test,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=domain,DC=local) in source forest, appending x500:/o=C
onstruction Works/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=test2f153796 to proxyAddresses
createMEUAndCopyAttrs : failed performing final steps. Exception calling "setinfo" with "0" argument(s): "Access is den
ied.
"
At E:\move\Prepare-MoveRequest.ps1:845 char:30
+ createMEUAndCopyAttrs <<<< $localdc $localOU $srcDC $srcObject
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,createMEUAndCopyAttrs
0 mailbox(s) ready to move.
[PS] C:\Windows\system32>
Hey that's looking better :)
Does the account you're using have permission to write to the account in the source directory? That is, are you using an admin account?
Chris
ASKER
I thought I was supposed to use the account the email address was associated with lol, whoops.
I'll do it with my account...
Is this error because I have already created the test account on the new Exchange server? Shall I delete it?
[PS] C:\Windows\system32>e:\move\Prepare-MoveRequest.ps1 -Identity test@domain.local -RemoteForestDomainController serve
r01.domain.local -RemoteForestCredential $UserCredentials
E:\move\Prepare-MoveRequest.ps1 : Cannot create mail enabled user because an existing mail enabled user or contact alre
ady has the same proxy addresses/MasterAccountSid. Please rerun the script with '-UseLocalObject' if you want to conver
t the existing email enabled user or contact to a mail enabled user that is ready for online mailbox move.
At line:1 char:32
+ e:\move\Prepare-MoveRequest.ps1 <<<< -Identity test@domain.local -RemoteForestDomainController server01.cworks.local
-RemoteForestCredential $UserCredentials
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Prepare-MoveRequest.ps1
0 mailbox(s) ready to move.
SOLUTION
ASKER
Well, there's nothing on any of the local accounts yet, I just created them for some reason.
I just deleted it and it popped up saying it will be disabled and marked for removal, how can I start that removal now?
cheers
I'm assuming you're talking about deleting the account from the destination domain and got that when you deleted the mailbox?
The mailbox will be purged after 14 days (if I remember correctly). It won't stop you creating a new mailbox though. Did you delete the account with AD Users and Computers as well?
Chris
ASKER
Yeah, on the destination domain in Exchange, Recipient Configuration > Mailbox, and got that it will be marked for removal.
Can I make it purge?
No, I didn't delete it from AD, do I have to delete from AD too?
And when I transfer the mailbox it recreates the user's account in AD?
thanks
> can i make it purge?
You can if you really need to, but if it appears under Disconnected Mailbox I'd leave it alone. If it doesn't appear there you can force it to by running this in the shell:
Get-MailboxDatabase | Clean-MailboxDatabase
> no i didnt delete if from ad, do i have to delete from AD too?
In theory you don't need to if you're using -UseLocalObject. It'll take the account it finds, overwrite a few settings and carry on creating the mailbox.
> and when i transfer the mailbox it recreates the users account in AD?
It looks like the Prepare script is trying to do that, the mailbox move part expects the account to exist.
Chris
ASKER
OK, even though I've deleted the mailbox I can still use -localobject?
Well, I ran it with -localobject and it worked, I now have 1 mailbox ready to move.
Now the next step? I run the below?
The credentials are admin creds again?
thanks
New-MoveRequest -Identity "test@domain.net" -RemoteLegacy `
-TargetDatabase "Mailbox Database 123456789" `
-RemoteGlobalCatalog "server01.domain.local" `
-RemoteCredential $Cred -TargetDeliveryDomain "CH-EX.domain.net"
> ok even though ive deleted the mailbox i can still use -localobject?
Yes, it's bothered about the user account, not the mailbox.
> well i ran it with -localobject and it worked, i now have 1 mailbox ready to move
\o/
Yeah, give it a try, it'll be "fun". I suspect the account you use will need access to the mailbox in the source domain, make sure you feed it something with sufficient rights.
Chris
ASKER
thanks
Well, here's the fun bit lol
Looks like it was doing something but I'm not sure what.
I've put the correct settings in, yes?
They look right to me anyway.
[PS] C:\Windows\system32>$Cred = Get-Credential
cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
[PS] C:\Windows\system32>New-MoveRequest -Identity "test@domain.local" -RemoteLegacy `
>> -TargetDatabase "Mailbox Database 0939530914" `
>> -RemoteGlobalCatalog "server01.domain.local" `
>> -RemoteCredential $Cred -TargetDeliveryDomain "CH-EX.cworks.net"
>>
Service 'net.tcp://ch-ex.domain.net/Microsoft.Exchange.MailboxReplicationService' encountered an exception. Error: Mapi
ExceptionNetworkError: Unable to make connection to the server. (hr=0x80004005, ec=2423)
Diagnostic context:
......
Lid: 11672 dwParam: 0x6BA Msg: EEInfo: NumberOfParameters: 0
Lid: 16280 dwParam: 0x6BA Msg: EEInfo: ComputerName: n/a
Lid: 8600 dwParam: 0x6BA Msg: EEInfo: ProcessID: 1932
Lid: 12696 dwParam: 0x6BA Msg: EEInfo: Generation Time: 2010-04-07 10:30:41:76
Lid: 10648 dwParam: 0x6BA Msg: EEInfo: Generating component: 18
Lid: 14744 dwParam: 0x6BA Msg: EEInfo: Status: 11001
Lid: 9624 dwParam: 0x6BA Msg: EEInfo: Detection location: 320
Lid: 13720 dwParam: 0x6BA Msg: EEInfo: Flags: 0
Lid: 11672 dwParam: 0x6BA Msg: EEInfo: NumberOfParameters: 1
Lid: 8856 dwParam: 0x6BA Msg: EEInfo: prm[0]: Unicode string: SERVER01
Lid: 45169 StoreEc: 0x977
Lid: 52465 StoreEc: 0x977
Lid: 60065
Lid: 33777 StoreEc: 0x977
Lid: 59805
Lid: 52209 StoreEc: 0x977
Lid: 19778
Lid: 27970 StoreEc: 0x977
Lid: 17730
Lid: 25922 StoreEc: 0x977
+ CategoryInfo : NotSpecified: (0:Int32) [New-MoveRequest], MailboxReplicationTransientException
+ FullyQualifiedErrorId : 8A678493,Microsoft.Exchange.Management.RecipientTasks.NewMoveRequest
[PS] C:\Windows\system32>
I suspect that'll be network access. Are you able to ping the Exchange server? Harder to test the port-level part because it'll be negotiating a port using RPC.
Chris
ASKER
yup i can ping server01.domain.local, it all works fine, it must anyway cos the prepare worked?
i did notice this
-RemoteCredential $Cred -TargetDeliveryDomain "CH-EX.domain.net"
it says domain not server so i changed it to
-RemoteCredential $Cred -TargetDeliveryDomain "domain.net"
and still got same error anyway
we checked the ports yesterday too, we were all good
how do i check rpc?
> it says domain not server so i changed it to
Yeah, that's the domain name you want for your new Primary Email Address on the target domain, a bit of an odd inclusion if you ask me.
> how do i check rpc?
There's always RPCPing, not so easy to use. Let's see...
Log onto the Exchange server, then run:
netstat -anb -p TCP
We're looking for any services that might be Exchange running on TCP. One of those will be the end-point it's decided on for MAPI (it changes each time you reboot). We need to test the connection to that part with Telnet. I bet it works...
Chris
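A scripted version of the check Chris describes above (find the TCP ports the Exchange 2003 processes listen on, then see whether the 2010 box can actually connect to them). This is an added example, not code from the thread; the host name, the process-name pattern and the port list in step 2 are assumptions you replace with what step 1 prints on your own server.

```powershell
# Added example, not code from the thread. Step 1 runs on the SBS 2003 box and lists
# which TCP ports the Exchange processes own; step 2 runs on the Exchange 2010 box and
# tests a plain TCP connect to each of those ports. $ExchangeHost and the port list are
# assumptions for illustration.

function Get-ListeningTcpPort {
    # 'netstat -ano' needs no elevation for the PID column, unlike -b. Each LISTENING
    # row is joined to its owning process name so the Exchange ones stand out.
    $rows = netstat -ano | Where-Object { $_ -match '^\s*TCP\s+\S+\s+\S+\s+LISTENING\s+\d+\s*$' }
    foreach ($row in $rows) {
        $f = $row.Trim() -split '\s+'
        $procId = [int]$f[4]
        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $name = 'n/a'
        if ($proc) { $name = $proc.ProcessName }
        New-Object PSObject -Property @{
            LocalAddress = $f[1]
            Port         = [int]($f[1] -split ':')[-1]   # last field also works for [::]:135
            PID          = $procId
            ProcessName  = $name
        }
    }
}

function Test-TcpPort {
    # TCP connect with a timeout; works on Windows 2003/2008 where Test-NetConnection
    # does not exist. Returns $true only when the port accepts the connection.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false) -and $client.Connected) {
            $client.EndConnect($ar)
            return $true
        }
        return $false
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Step 1 (Exchange 2003 server): store.exe (Information Store), mad.exe (System
# Attendant), lsass.exe (LDAP/NSPI on a DC) and inetinfo.exe (IIS) own the endpoints
# a MAPI client ends up talking to. The dynamic RPC port changes after each reboot.
Get-ListeningTcpPort |
    Where-Object { $_.ProcessName -match '^(store|mad|lsass|inetinfo)$' } |
    Sort-Object Port |
    Format-Table ProcessName, PID, LocalAddress, Port -AutoSize

# Step 2 (Exchange 2010 server): 135 is the RPC endpoint mapper that hands out the
# dynamic port, so it must answer along with LDAP/GC and the ports found in step 1.
$ExchangeHost = 'server01.domain.local'          # assumption: source server name from the thread
$portsToTest  = @(135, 389, 3268, 1026, 1791)    # assumption: replace 1026/1791 with step 1's output
foreach ($p in ($portsToTest | Sort-Object -Unique)) {
    $state = if (Test-TcpPort -ComputerName $ExchangeHost -Port $p) { 'open' } else { 'blocked/closed' }
    '{0}:{1,-6} {2}' -f $ExchangeHost, $p, $state
}
```

A port that step 1 shows as LISTENING but step 2 reports as blocked/closed is the firewall or routing problem the MapiExceptionNetworkError in the earlier post points at; a closed 135 means the 2010 side can never learn the dynamic port at all.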
ASKER
do i run netstat -anb -p TCP on the 2010 or 2003 box?
on the 2010 box theres about 15 exchange things in there
so once i find port telnet to that port?
ASKER
well i ran it on the sbs 2003 box and it sucks! lol
look at what it came out with :|
Can not obtain ownership information
TCP 192.168.170.2:1026 192.168.173.9:2335 ESTABLISHED 544
Can not obtain ownership information
TCP 192.168.170.2:1026 192.168.170.19:1143 ESTABLISHED 544
Can not obtain ownership information
TCP 192.168.170.2:1026 192.168.174.99:61311 ESTABLISHED 544
Can not obtain ownership information
TCP 192.168.170.2:1026 192.168.174.13:51650 ESTABLISHED 544
Can not obtain ownership information
TCP 192.168.170.2:1026 192.168.172.2:1103 ESTABLISHED 544
Can not obtain ownership information
TCP 192.168.170.2:1026 192.168.170.2:38483 ESTABLISHED 544
Can not obtain ownership information
TCP 192.168.170.2:1026 192.168.173.6:1116 ESTABLISHED 544
Can not obtain ownership information
TCP 192.168.170.2:1026 192.168.170.13:49883 ESTABLISHED 544
Can not obtain ownership information
TCP 192.168.170.2:1026 192.168.170.23:1195 ESTABLISHED 544
Can not obtain ownership information
TCP 192.168.170.2:1026 192.168.170.17:1157 ESTABLISHED 544
Can not obtain ownership information
TCP 192.168.170.2:1026 192.168.170.2:1927 ESTABLISHED 544
Can not obtain ownership information
TCP 192.168.170.2:1026 192.168.170.16:49477 ESTABLISHED 544
Can not obtain ownership information
TCP 192.168.170.2:1026 192.168.170.17:1168 ESTABLISHED 544
Can not obtain ownership information
TCP 192.168.170.2:1026 192.168.170.14:1124 ESTABLISHED 544
Can not obtain ownership information
TCP 192.168.170.2:1026 192.168.174.98:49548 ESTABLISHED 544
Can not obtain ownership information
TCP 192.168.170.2:1290 192.168.170.2:2258 ESTABLISHED 4324
Can not obtain ownership information
TCP 192.168.170.2:1302 192.168.170.2:2258 ESTABLISHED 4528
Can not obtain ownership information
TCP 192.168.170.2:1335 192.168.170.2:2258 ESTABLISHED 6104
Can not obtain ownership information
TCP 192.168.170.2:1470 192.168.170.2:2258 ESTABLISHED 6104
Can not obtain ownership information
TCP 192.168.170.2:1477 192.168.170.2:2258 ESTABLISHED 4664
Can not obtain ownership information
TCP 192.168.170.2:1482 192.168.170.2:2258 ESTABLISHED 4664
Can not obtain ownership information
TCP 192.168.170.2:1488 192.168.170.2:2258 ESTABLISHED 4664
Can not obtain ownership information
TCP 192.168.170.2:1489 192.168.170.2:2258 ESTABLISHED 4664
Can not obtain ownership information
TCP 192.168.170.2:1774 192.168.170.2:691 ESTABLISHED 7392
Can not obtain ownership information
TCP 192.168.170.2:1791 192.168.174.15:49277 ESTABLISHED 7368
Can not obtain ownership information
TCP 192.168.170.2:1791 192.168.174.98:49544 ESTABLISHED 7368
Can not obtain ownership information
TCP 192.168.170.2:1791 192.168.170.14:1143 ESTABLISHED 7368
Can not obtain ownership information
TCP 192.168.170.2:1791 192.168.170.13:49885 ESTABLISHED 7368
Can not obtain ownership information
TCP 192.168.170.2:1791 192.168.173.6:1541 ESTABLISHED 7368
Can not obtain ownership information
TCP 192.168.170.2:1791 192.168.172.2:1106 ESTABLISHED 7368
Can not obtain ownership information
TCP 192.168.170.2:1791 192.168.173.9:2341 ESTABLISHED 7368
Can not obtain ownership information
TCP 192.168.170.2:1791 192.168.173.4:1201 ESTABLISHED 7368
Can not obtain ownership information
TCP 192.168.170.2:1791 192.168.174.19:1217 ESTABLISHED 7368
Can not obtain ownership information
TCP 192.168.170.2:1791 192.168.170.16:53092 ESTABLISHED 7368
Can not obtain ownership information
TCP 192.168.170.2:1791 192.168.172.9:4669 ESTABLISHED 7368
Can not obtain ownership information
TCP 192.168.170.2:1791 192.168.170.19:1146 ESTABLISHED 7368
Can not obtain ownership information
TCP 192.168.170.2:1791 192.168.170.23:1199 ESTABLISHED 7368
Can not obtain ownership information
TCP 192.168.170.2:1791 192.168.170.11:1915 ESTABLISHED 7368
Can not obtain ownership information
TCP 192.168.170.2:1791 192.168.170.17:1160 ESTABLISHED 7368
Can not obtain ownership information
TCP 192.168.170.2:1791 192.168.170.18:49618 ESTABLISHED 7368
Can not obtain ownership information
TCP 192.168.170.2:1791 192.168.174.99:62248 ESTABLISHED 7368
Can not obtain ownership information
TCP 192.168.170.2:1791 192.168.174.12:56010 ESTABLISHED 7368
Can not obtain ownership information
TCP 192.168.170.2:1791 192.168.174.13:52812 ESTABLISHED 7368
Can not obtain ownership information
TCP 192.168.170.2:1793 192.168.170.2:691 ESTABLISHED 7368
Can not obtain ownership information
TCP 192.168.170.2:1807 192.168.170.2:691 ESTABLISHED 1988
Can not obtain ownership information
TCP 192.168.170.2:1927 192.168.170.2:1026 ESTABLISHED 5264
Can not obtain ownership information
TCP 192.168.170.2:2011 192.168.170.2:691 ESTABLISHED 2412
Can not obtain ownership information
TCP 192.168.170.2:2131 192.168.170.2:1026 ESTABLISHED 544
Can not obtain ownership information
TCP 192.168.170.2:2161 192.168.170.2:27431 ESTABLISHED 1480
Can not obtain ownership information
TCP 192.168.170.2:2258 192.168.170.2:1477 ESTABLISHED 2976
Can not obtain ownership information
TCP 192.168.170.2:2258 192.168.170.2:1290 ESTABLISHED 2976
Can not obtain ownership information
TCP 192.168.170.2:2258 192.168.170.2:1335 ESTABLISHED 2976
Can not obtain ownership information
TCP 192.168.170.2:2258 192.168.170.2:1482 ESTABLISHED 2976
Can not obtain ownership information
TCP 192.168.170.2:2258 192.168.170.2:1488 ESTABLISHED 2976
Can not obtain ownership information
TCP 192.168.170.2:2258 192.168.170.2:1470 ESTABLISHED 2976
Can not obtain ownership information
TCP 192.168.170.2:2258 192.168.170.2:1302 ESTABLISHED 2976
Can not obtain ownership information
TCP 192.168.170.2:2258 192.168.170.2:38490 ESTABLISHED 2976
Can not obtain ownership information
TCP 192.168.170.2:2258 192.168.170.2:1489 ESTABLISHED 2976
Can not obtain ownership information
TCP 192.168.170.2:2794 192.168.170.11:1921 ESTABLISHED 2916
Can not obtain ownership information
TCP 192.168.170.2:2794 192.168.170.18:49654 ESTABLISHED 2916
Can not obtain ownership information
TCP 192.168.170.2:3268 192.168.170.2:32498 ESTABLISHED 544
Can not obtain ownership information
TCP 192.168.170.2:3268 192.168.170.2:30230 ESTABLISHED 544
Can not obtain ownership information
TCP 192.168.170.2:3268 192.168.170.2:30240 ESTABLISHED 544
Can not obtain ownership information
TCP 192.168.170.2:3268 192.168.170.2:31415 ESTABLISHED 544
Can not obtain ownership information
TCP 192.168.170.2:3268 192.168.170.2:30877 ESTABLISHED 544
Can not obtain ownership information
TCP 192.168.170.2:3268 192.168.170.2:32640 ESTABLISHED 544
Can not obtain ownership information
TCP 192.168.170.2:3268 192.168.170.2:37237 ESTABLISHED 544
Can not obtain ownership information
TCP 192.168.170.2:3268 192.168.170.2:30231 ESTABLISHED 544
Can not obtain ownership information
TCP 192.168.170.2:3268 192.168.170.2:30229 ESTABLISHED 544
Can not obtain ownership information
TCP 192.168.170.2:3268 192.168.170.2:37495 ESTABLISHED 544
Can not obtain ownership information
TCP 192.168.170.2:3389 192.168.174.99:52411 ESTABLISHED 5632
Can not obtain ownership information
TCP 192.168.170.2:8080 192.168.170.17:2480 ESTABLISHED 6740
Can not obtain ownership information
TCP 192.168.170.2:8080 192.168.170.19:1518 ESTABLISHED 6740
Can not obtain ownership information
TCP 192.168.170.2:8815 192.168.170.2:1026 ESTABLISHED 3300
Can not obtain ownership information
TCP 192.168.170.2:13000 192.168.174.2:1637 ESTABLISHED 3120
Can not obtain ownership information
TCP 192.168.170.2:13000 192.168.173.3:3110 ESTABLISHED 3120
Can not obtain ownership information
TCP 192.168.170.2:27431 192.168.170.2:2161 ESTABLISHED 1492
Can not obtain ownership information
TCP 192.168.170.2:30216 192.168.170.2:389 ESTABLISHED 5264
Can not obtain ownership information
TCP 192.168.170.2:30217 192.168.170.2:389 ESTABLISHED 5264
Can not obtain ownership information
TCP 192.168.170.2:30218 192.168.170.2:389 ESTABLISHED 5264
Can not obtain ownership information
TCP 192.168.170.2:30219 192.168.170.2:389 ESTABLISHED 5264
Can not obtain ownership information
TCP 192.168.170.2:30220 192.168.170.2:389 ESTABLISHED 5264
Can not obtain ownership information
TCP 192.168.170.2:30221 192.168.170.2:389 ESTABLISHED 5264
Can not obtain ownership information
TCP 192.168.170.2:30223 192.168.170.2:389 ESTABLISHED 2412
Can not obtain ownership information
TCP 192.168.170.2:30224 192.168.170.2:389 ESTABLISHED 2412
Can not obtain ownership information
TCP 192.168.170.2:30225 192.168.170.2:389 ESTABLISHED 2412
Can not obtain ownership information
TCP 192.168.170.2:30226 192.168.170.2:389 ESTABLISHED 2412
Can not obtain ownership information
TCP 192.168.170.2:30227 192.168.170.2:389 ESTABLISHED 2412
Can not obtain ownership information
TCP 192.168.170.2:30229 192.168.170.2:3268 ESTABLISHED 7392
Can not obtain ownership information
TCP 192.168.170.2:30230 192.168.170.2:3268 ESTABLISHED 2412
Can not obtain ownership information
TCP 192.168.170.2:30231 192.168.170.2:3268 ESTABLISHED 1988
Can not obtain ownership information
TCP 192.168.170.2:30232 192.168.170.2:389 ESTABLISHED 7368
Can not obtain ownership information
TCP 192.168.170.2:30233 192.168.170.2:389 ESTABLISHED 5264
Can not obtain ownership information
TCP 192.168.170.2:30234 192.168.170.2:389 ESTABLISHED 7368
Can not obtain ownership information
TCP 192.168.170.2:30235 192.168.170.2:389 ESTABLISHED 7368
Can not obtain ownership information
TCP 192.168.170.2:30237 192.168.170.2:389 ESTABLISHED 5264
Can not obtain ownership information
TCP 192.168.170.2:30240 192.168.170.2:3268 ESTABLISHED 7368
Can not obtain ownership information
TCP 192.168.170.2:30302 192.168.170.2:389 ESTABLISHED 5264
Can not obtain ownership information
TCP 192.168.170.2:30306 192.168.170.2:389 ESTABLISHED 5264
Can not obtain ownership information
TCP 192.168.170.2:30310 192.168.170.2:389 ESTABLISHED 3300
Can not obtain ownership information
TCP 192.168.170.2:30362 192.168.170.2:389 ESTABLISHED 7392
Can not obtain ownership information
TCP 192.168.170.2:30835 192.168.170.2:389 ESTABLISHED 1988
Can not obtain ownership information
TCP 192.168.170.2:30877 192.168.170.2:3268 ESTABLISHED 2412
Can not obtain ownership information
TCP 192.168.170.2:31214 192.168.170.2:389 ESTABLISHED 2412
Can not obtain ownership information
TCP 192.168.170.2:31415 192.168.170.2:3268 ESTABLISHED 2412
Can not obtain ownership information
TCP 192.168.170.2:32498 192.168.170.2:3268 ESTABLISHED 2412
Can not obtain ownership information
TCP 192.168.170.2:32640 192.168.170.2:3268 ESTABLISHED 2412
Can not obtain ownership information
TCP 192.168.170.2:35426 192.168.170.2:389 ESTABLISHED 5264
Can not obtain ownership information
TCP 192.168.170.2:35983 192.168.170.2:1026 ESTABLISHED 5264
Can not obtain ownership information
TCP 192.168.170.2:37237 192.168.170.2:3268 ESTABLISHED 6544
Can not obtain ownership information
TCP 192.168.170.2:37495 192.168.170.2:3268 ESTABLISHED 5264
Can not obtain ownership information
TCP 192.168.170.2:38165 192.168.170.2:389 ESTABLISHED 5264
Can not obtain ownership information
TCP 192.168.170.2:38359 192.168.170.2:389 ESTABLISHED 6544
Can not obtain ownership information
TCP 192.168.170.2:38380 192.168.170.2:80 ESTABLISHED 6544
Can not obtain ownership information
TCP 192.168.170.2:38395 192.168.170.2:80 ESTABLISHED 6544
Can not obtain ownership information
TCP 192.168.170.2:38428 192.168.170.2:80 ESTABLISHED 6544
Can not obtain ownership information
TCP 192.168.170.2:38442 192.168.170.2:80 ESTABLISHED 6544
Can not obtain ownership information
TCP 192.168.1.2:38452 85.17.72.66:80 ESTABLISHED 6740
Can not obtain ownership information
TCP 192.168.170.2:38483 192.168.170.2:1026 ESTABLISHED 1956
Can not obtain ownership information
TCP 192.168.170.2:38490 192.168.170.2:2258 ESTABLISHED 6104
Can not obtain ownership information
TCP 192.168.170.2:38501 192.168.170.2:443 ESTABLISHED 6740
Can not obtain ownership information
TCP 192.168.170.2:389 192.168.101.2:12636 FIN_WAIT_2 544
Can not obtain ownership information
TCP 127.0.0.1:16736 127.0.0.1:389 CLOSE_WAIT 1748
Can not obtain ownership information
TCP 192.168.170.2:1731 192.168.170.2:389 CLOSE_WAIT 5264
Can not obtain ownership information
TCP 192.168.170.2:1755 192.168.170.2:389 CLOSE_WAIT 5264
Can not obtain ownership information
TCP 192.168.170.2:1757 192.168.170.2:389 CLOSE_WAIT 5264
Can not obtain ownership information
TCP 192.168.170.2:1758 192.168.170.2:389 CLOSE_WAIT 5264
Can not obtain ownership information
TCP 192.168.170.2:1759 192.168.170.2:389 CLOSE_WAIT 5264
Can not obtain ownership information
TCP 192.168.170.2:1760 192.168.170.2:3268 CLOSE_WAIT 5264
Can not obtain ownership information
TCP 192.168.170.2:1761 192.168.170.2:3268 CLOSE_WAIT 5264
Can not obtain ownership information
TCP 192.168.170.2:2088 192.168.170.2:389 CLOSE_WAIT 988
Can not obtain ownership information
TCP 192.168.170.2:30236 192.168.170.2:389 CLOSE_WAIT 5264
Can not obtain ownership information
TCP 192.168.170.2:33100 192.168.170.2:389 CLOSE_WAIT 7368
Can not obtain ownership information
TCP 192.168.170.2:33944 192.168.170.2:389 CLOSE_WAIT 5264
Can not obtain ownership information
TCP 192.168.170.2:35519 192.168.170.2:389 CLOSE_WAIT 6412
Can not obtain ownership information
TCP 192.168.170.2:35540 192.168.170.2:389 CLOSE_WAIT 6412
Can not obtain ownership information
TCP 192.168.170.2:35594 192.168.170.2:389 CLOSE_WAIT 6544
Can not obtain ownership information
TCP 192.168.1.2:38196 216.239.59.104:80 CLOSE_WAIT 6740
Can not obtain ownership information
TCP 192.168.1.2:38245 209.235.144.9:80 CLOSE_WAIT 6740
Can not obtain ownership information
TCP 192.168.170.2:44981 192.168.170.2:389 CLOSE_WAIT 988
Can not obtain ownership information
TCP 192.168.170.2:56156 192.168.170.2:3268 CLOSE_WAIT 5264
Can not obtain ownership information
TCP 192.168.170.2:389 192.168.170.14:1453 TIME_WAIT 0
TCP 192.168.170.2:389 192.168.170.2:38488 TIME_WAIT 0
TCP 192.168.170.2:389 192.168.170.2:38493 TIME_WAIT 0
TCP 192.168.170.2:389 192.168.170.14:1452 TIME_WAIT 0
TCP 192.168.170.2:389 192.168.170.14:1451 TIME_WAIT 0
TCP 192.168.170.2:389 192.168.170.14:1447 TIME_WAIT 0
TCP 192.168.170.2:389 192.168.170.2:38492 TIME_WAIT 0
TCP 192.168.170.2:389 192.168.170.2:38487 TIME_WAIT 0
TCP 192.168.170.2:389 192.168.170.2:38486 TIME_WAIT 0
TCP 192.168.170.2:389 192.168.170.2:38485 TIME_WAIT 0
TCP 192.168.170.2:389 192.168.170.14:1446 TIME_WAIT 0
TCP 192.168.170.2:38434 192.168.170.2:2258 TIME_WAIT 0
TCP 192.168.170.2:38480 192.168.170.2:135 TIME_WAIT 0
TCP 192.168.170.2:38481 192.168.170.2:1026 TIME_WAIT 0
TCP 192.168.170.2:38482 192.168.170.2:135 TIME_WAIT 0
C:\WINDOWS>
2003 box, we're trying to find out what it's trying to connect to.
And yeah, trying to see if it'll connect to that.
There are other ways to see the same, WireShark (a packet sniffer) would let us find out.
Chris
Bleh that's no fun.
Fancy playing with WireShark instead? :)
Chris
ASKER
can do, im not great with it though, ill just download it to this machine
just point me the right way :)
i bet this is the longest question youve ever helped with?
It's getting there, has potential :) But not quite there yet, a few have run over 200 comments :)
Chris
ASKER
ok i have wireshark on server01.cworks.local now
how do i set it up to listen for specific data or shall i just run a capture and look for what?
not really sure how to use this thing
Cheers
Keep it simple, start a capture, then add this filter (display filter):
ip.addr == WhateverIPServer01Uses
Now we should only see traffic between the 2010 server and the old SBS server. Once that's done, run the New-MoveRequest part and see what traffic it passes. We're especially interested in things that go to Server01 where it gets no reply at all.
Chris
ASKER
ok i have captured and can see some data going between domain.net and domain.local now
its mostly LDAP and TCP but dont know how to see the port numbers on it
where do i find tcp port info?
its mostly LDAP and TCP but dont know how to see the port numbers on it
where do i find tcp port info?
ASKER
oh right i see it now
in info theres a fair few ports
12363
12630
39703
39707
39708
39713
39714
theres two frames at the end that are highlighted red that have ports 12630 and 12636 on too
this info any good?
Can you show me source and destination ports for each?
If you look in the top pane I'd be interested in seeing Source, Destination and Info. For Info, feel free to discard anything after (and including) Seq=, I only want the port names / numbers it quotes there and the flag ([ACK], [FIN], etc).
Chris
ASKER
the source ports are above
12363
12630
39703
39707
39708
39713
39714
and the destination was ldap on them all and if the source was ldap the destination was msft-gc 3268 or ldap
Hmm okay, I expected it to try and connect to the Exchange server, that's when you ran New-MoveRequest right?
Chris
ASKER
yeah thats what came out when i ran new-moverequest
ASKER
adding the upn suffix seems to have worked
DisplayName Status TotalMailboxSize TotalArchiveSize PercentComplete
----------- ------ ---------------- ---------------- ---------------
test Queued 34.42 KB (35,244 bytes) 0
how do i see progress?
ASKER
it worked :D
now youve helped me enough for this question
im going to open another question
how do i get external emails to this exchange server, can you help with that?
cheers
ASKER
thanks
Try entering credentials in the User Principal Name format? user@domain.local and user@domain.net.
HTH
Chris
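Putting the fix that worked (UPN-format credentials) together with the progress question from a few posts up, here is an added example for the Exchange 2010 Management Shell. It is not the thread's own code or the Move2Mailbox script from the linked article: the server, database and domain names are assumptions copied from the pattern used in the thread, and the account name and mailbox alias are placeholders.

```powershell
# Added example, not the thread's own code. Runs the cross-forest legacy move the thread
# used, but takes the remote credential in UPN form (user@domain.local) so the source
# forest cannot be confused with the target forest that shares the NetBIOS name 'domain',
# then polls Get-MoveRequestStatistics for progress. Names below are assumptions.

$SourceGlobalCatalog  = 'server01.domain.local'        # GC in the Exchange 2003 forest
$TargetDatabase       = 'Mailbox Database 0939530914'  # Exchange 2010 database name from the thread
$TargetDeliveryDomain = 'domain.net'                   # SMTP domain for the new primary address

function Get-UpnCredential {
    # Rejects DOMAIN\user and bare user names: with both forests called 'domain',
    # only the UPN suffix says which forest the account lives in.
    param([Parameter(Mandatory=$true)][string]$UserPrincipalName)
    if ($UserPrincipalName -notmatch '^[^@\\\s]+@[^@\s]+\.[^@\s]+$') {
        throw "Expected a UPN such as user@domain.local, got '$UserPrincipalName'"
    }
    Get-Credential -Credential $UserPrincipalName
}

function Start-LegacyCrossForestMove {
    param(
        [Parameter(Mandatory=$true)][string]$Identity,
        [Parameter(Mandatory=$true)][System.Management.Automation.PSCredential]$RemoteCredential
    )
    New-MoveRequest -Identity $Identity -RemoteLegacy `
        -TargetDatabase $TargetDatabase `
        -RemoteGlobalCatalog $SourceGlobalCatalog `
        -RemoteCredential $RemoteCredential `
        -TargetDeliveryDomain $TargetDeliveryDomain
}

function Wait-MoveRequest {
    # Polls until the request reaches a terminal state, printing one line per poll.
    param([Parameter(Mandatory=$true)][string]$Identity, [int]$PollSeconds = 30)
    $terminal = @('Completed', 'CompletedWithWarning', 'Failed')
    do {
        $stats = Get-MoveRequestStatistics -Identity $Identity
        '{0:HH:mm:ss} {1,-12} {2,-22} {3,3}%  {4}' -f (Get-Date), $stats.DisplayName,
            $stats.Status, $stats.PercentComplete, $stats.Message
        if ($terminal -contains "$($stats.Status)") { break }
        Start-Sleep -Seconds $PollSeconds
    } while ($true)
    if ("$($stats.Status)" -eq 'Failed') {
        # The MRS report carries the underlying error (for instance the MAPI network error).
        Get-MoveRequestStatistics -Identity $Identity -IncludeReport |
            Select-Object -ExpandProperty Report
    }
    return $stats
}

# Usage. The credential is an account in the *source* forest with rights to the mailbox.
$Cred = Get-UpnCredential -UserPrincipalName 'admin@domain.local'   # assumption: account name
Start-LegacyCrossForestMove -Identity 'test@domain.local' -RemoteCredential $Cred
# Once created, the request is addressed by the target-forest user (alias 'test' here).
$final = Wait-MoveRequest -Identity 'test'
if ("$($final.Status)" -eq 'Completed') {
    # Completed requests stay listed until they are cleared.
    Remove-MoveRequest -Identity 'test' -Confirm:$false
}
```

The Queued / PercentComplete columns in the output a few posts up come from the same Get-MoveRequestStatistics data; polling it is the answer to "how do i see progress?", and -IncludeReport is where to look when a request ends up Failed instead of Completed.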