Exchange 2010 Remote Move Request Error

I'm in the process of building a new forest to consolidate my existing AD structure, which consists of 2 child domains. I have everything in place and I'm testing moving mailboxes. I have built a temporary Exchange 2010 box in the old AD forest in order to move my existing mailboxes from Exchange 2007 to Exchange 2010 in the new forest. I have no trouble performing local mailbox moves from 2007 to 2010. But when I attempt to perform a remote-move request I receive the following error:

Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:00


IT TestUser
Failed

Error:
The operation couldn't be performed because object '110ba164-8c5c-4b2d-a9f5-26699a592f67' couldn't be found on 'DC01.DOMAIN.LOCAL'.

Exchange Management Shell command attempted:
'110ba164-8c5c-4b2d-a9f5-26699a592f67' | New-MoveRequest -RemoteHostName 'hornet.orion.blackdiamondonline.us' -Remote -RemoteCredential 'System.Management.Automation.PSCredential' -TargetDeliveryDomain 'blackdiamondonline.us'

Elapsed Time: 00:00:00

NiplesAsked:
 
Chris DentPowerShell DeveloperCommented:

It's not DNS you've got to worry about, it's the name on the certificate vs the name it's using to access the service.

The certificate came up with a mismatch when you accessed it using the URL it posts, didn't it?

Your wildcard will account for one label, but not two (so it's fine with something.blackdiamondonline.us but not server.something.blackdiamondonline.us). It's part of why certificates with Subject Alternate Names are preferable for Exchange system deployments.

Chris
0
 
Hilal1924Commented:
Using ADMT, Move this Account (IT TestUser) to the new forest first. Only then can you move the mailboxes across.

Hilal
0
 
NiplesAuthor Commented:
I tried that and received the same error...
0
 
Hilal1924Commented:
OK. Verify that the existing account (IT TestUser) is valid and active by running this PowerShell command: Get-User "IT TestUser" | fl *

Also please ensure that your credentials match and that you have appropriate permissions to move the mailbox.

Hilal
0
 
NiplesAuthor Commented:
Yes on both
0
 
Glen KnightCommented:
As far as I am aware the remote-move will only work if the domains are within the same forest, is this the case?
0
 
Chris DentPowerShell DeveloperCommented:

New-MoveRequest and Prepare-MoveRequest (the script) will work across forests. Doesn't even require a trust. Assuming that's what you meant? :)

I wondered if this was the mailboxGUID or the objectGUID: 110ba164-8c5c-4b2d-a9f5-26699a592f67. And for that matter, I wondered where that value came from in the snippet above.

Chris
0
 
Hilal1924Commented:
Move-Mailbox will work across Forest with trust relationship established of course.

Hilal
0
 
Glen KnightCommented:
sorry please ignore my comment.
I don't know what I said, in the middle of a crisis, interestingly enough I have a half written article on cross-forest migrations using the move-mailbox so I know it works :(

unsubscribing :)
0
 
NiplesAuthor Commented:
There is a two-way transitive forest trust in place. The error code I mentioned above is EventID 4 (Source: MSExchange Configuration Cmdlet - Remote Management)
0
 
Chris DentPowerShell DeveloperCommented:

Did you attempt this:

'110ba164-8c5c-4b2d-a9f5-26699a592f67' | New-MoveRequest

Or did it do that for you?

That is, are you providing it with the GUID value or is it finding that by itself?

Chris
0
 
NiplesAuthor Commented:
This is what is in the EventID when I attempt to perform the remote-move request from the EMC on the target Exchange 2010 box.
0
 
Chris DentPowerShell DeveloperCommented:

Towards the end of the process in EMC it should show the command it's going to execute for you. Is it possible for you to show us that command? I guess you haven't tried the move using the Shell instead of the Console?

Chris
0
 
NiplesAuthor Commented:
I have not tried using the shell yet.  Here is the code from the end of the wizard in the EMC:

Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:00


Test User
Failed

Error:
The operation couldn't be performed because object '2705058e-296b-4c8c-9980-d324c08908b2' couldn't be found on 'LEXINGTON.BLACKDIAMOND.LOCAL'.

Exchange Management Shell command attempted:
'2705058e-296b-4c8c-9980-d324c08908b2' | New-MoveRequest -RemoteHostName 'ticonderoga.orion.blackdiamondonline.us' -Remote -RemoteCredential 'System.Management.Automation.PSCredential' -TargetDeliveryDomain 'blackdiamondonline.us'

Elapsed Time: 00:00:00

0
 
Chris DentPowerShell DeveloperCommented:
Thanks for that, it helps.

Can you run these two in the Exchange Management Shell please?

Get-Mailbox "2705058e-296b-4c8c-9980-d324c08908b2"

And:

Get-User "2705058e-296b-4c8c-9980-d324c08908b2"

I expect both will fail, however I would like you to confirm that please.

Chris
0
 
NiplesAuthor Commented:
it fails in the target forest and succeeds in the source forest
0
 
NiplesAuthor Commented:
At this point I'm tempted just to recreate all the users in the new forest and use Exmerge to move the mailboxes
0
 
Chris DentPowerShell DeveloperCommented:

> it fails in the target forest and succeeds in the source forest

It must succeed in the target forest for this move to work.

You might consider finding Prepare-MoveRequest.ps1 from MS to help you with this. That will copy the attribute it's trying to find to complete this move.

Chris
0
 
NiplesAuthor Commented:
That's what I was just looking at.  I will get back to you shortly.
thx
0
 
NiplesAuthor Commented:
I'm a little confused how to run this.  Please verify?
I'm running on the target forest Exchange box:
$UserCredentials = Get-Credential ....  then am I entering admin creds or the user's creds?
then
[PS] C:\program files\microsoft\exchange server\v14\scripts> /prepare-moverequest.ps1 -identity test.user@blackdiamondonine.us -remoteforestdomaincontroller reknown.orion.blackdiamondonline.us -remoteforestcredential $usercredentials .............. This is the source forest info
0
 
NiplesAuthor Commented:
I've tried entering admin creds and the creds of the user I'm trying to move, and this is the error I receive:

AuthorizationManager check failed.
At line:1 char:26
+  /prepare-moverequest.ps1 <<<<  -identity test.user@blackdiamondonine.us -remoteforestdomaincontroller reknown.orion.
blackdiamondonline.us -remoteforestcredential $usercredentials
    + CategoryInfo          : NotSpecified: (:) [], PSSecurityException
    + FullyQualifiedErrorId : RuntimeException
0
 
Chris DentPowerShell DeveloperCommented:

You'll need something with admin credentials in the source forest. You've tried that?

Chris
0
 
NiplesAuthor Commented:
OK, I have the script working but I've tried several different user accounts and it's returning:

[PS] E:\Program Files\Microsoft\Exchange Server\V14\Scripts>./Prepare-MoveRequest.ps1 -Identity test.user@blackdiamondon
line.us -RemoteForestDomainController yorktown.blackdiamond.local -RemoteForestCredential $RemoteCredentials -LocalFores
tDomainController reknown.orion.blackdiamondonline.us -LocalForestCredential $LocalCredentials -LinkedMailUser
E:\Program Files\Microsoft\Exchange Server\V14\Scripts\Prepare-MoveRequest.ps1 : Error looking up source MBX test.user@
blackdiamondonline.us in source forest.
At line:1 char:26
+ ./Prepare-MoveRequest.ps1 <<<<  -Identity test.user@blackdiamondonline.us -RemoteForestDomainController yorktown.blac
kdiamond.local -RemoteForestCredential $RemoteCredentials -LocalForestDomainController reknown.orion.blackdiamondonline
.us -LocalForestCredential $LocalCredentials -LinkedMailUser
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Prepare-MoveRequest.ps1

0 mailbox(s) ready to move.
0
 
Chris DentPowerShell DeveloperCommented:

We can test the request it's making but I suspect we'll get much the same response. test.user definitely exists in the source forest?

Chris
0
 
NiplesAuthor Commented:
yes it does
0
 
Chris DentPowerShell DeveloperCommented:

Let's try it then. You'll need to help this snippet along a bit, but you should copy and paste it into the Exchange shell when you've fixed the values.

This tries to find the user in the source domain based on the address you supplied. If it comes back with something that looks like the user then we'll try something else.

If it doesn't come back with anything at all, the address you're giving it isn't working.

Chris
# Modify these:
$Username = "SomeAdminUser"
$Password = "ThePassword"
$RemoteDomainController = "yorktown.blackdiamond.local"
$FindThis = "test.user@blackdiamondonline.us"

# No changes below this point
$SearchRoot = New-Object DirectoryServices.DirectoryEntry(`
  "LDAP://$RemoteDomainController", $Username, $Password)
$LdapFilter = "(&(proxyAddresses=*$FindThis))"
$Searcher = New-Object DirectoryServices.DirectorySearcher($SearchRoot, $LdapFilter)
$Searcher.FindAll()

0
 
NiplesAuthor Commented:
OK, I have the command working successfully from the target Exchange box now. But when I go to the EMC I don't see any pending move request...
0
 
Chris DentPowerShell DeveloperCommented:

Prepare-MoveRequest? Or New-MoveRequest?

If you've done New-MoveRequest you should be able to run "Get-MoveRequest" to see the current status.

Chris
0
 
NiplesAuthor Commented:
Prepare-MoveRequest
0
 
Chris DentPowerShell DeveloperCommented:

Prepare just puts you in the right place for New-MoveRequest to run. So if you've done Prepare successfully give New-MoveRequest a try for that mailbox. At that point I imagine you'll start to see them in the GUI (or I hope).

Chris
0
 
NiplesAuthor Commented:
OK, getting even further now. So I successfully performed a local move of the test account in the source forest from Exchange 2007 to 2010. I then ran the Prepare-MoveRequest successfully. I then went to the EMC to perform the actual remote move request through the wizard and it fails. This is the error code returned:

Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:51


test2 user
Failed

Error:
Service 'net.tcp://independence.blackdiamond.local/Microsoft.Exchange.MailboxReplicationService' encountered an exception. Error: The call to 'https://ticonderoga.orion.blackdiamondonline.us/EWS/mrsproxy.svc' timed out. Error details: The request channel timed out attempting to send after 00:00:00.0000005. Increase the timeout value passed to the call to Request or increase the SendTimeout value on the Binding. The time allotted to this operation may have been a portion of a longer timeout. --> The HTTP request to 'https://ticonderoga.orion.blackdiamondonline.us/EWS/mrsproxy.svc' has exceeded the allotted timeout of 00:00:00.0000005. The time allotted to this operation may have been a portion of a longer timeout.

Exception details: MailboxReplicationTransientException (80040401): The call to 'https://ticonderoga.orion.blackdiamondonline.us/EWS/mrsproxy.svc' timed out. Error details: The request channel timed out attempting to send after 00:00:00.0000005. Increase the timeout value passed to the call to Request or increase the SendTimeout value on the Binding. The time allotted to this operation may have been a portion of a longer timeout. --> The HTTP request to 'https://ticonderoga.orion.blackdiamondonline.us/EWS/mrsproxy.svc' has exceeded the allotted timeout of 00:00:00.0000005. The time allotted to this operation may have been a portion of a longer timeout.

Exception details: TimeoutException (80004005): The request channel timed out attempting to send after 00:00:00.0000005. Increase the timeout value passed to the call to Request or increase the SendTimeout value on the Binding. The time allotted to this operation may have been a portion of a longer timeout.

Exception details: TimeoutException (80004005): The HTTP request to 'https://ticonderoga.orion.blackdiamondonline.us/EWS/mrsproxy.svc' has exceeded the allotted timeout of 00:00:00.0000005. The time allotted to this operation may have been a portion of a longer timeout.

Exchange Management Shell command attempted:
'f72efcf9-4060-4a3e-9299-b305504987c6' | New-MoveRequest -RemoteHostName 'ticonderoga.orion.blackdiamondonline.us' -Remote -TargetDeliveryDomain 'blackdiamondonline.us'

Elapsed Time: 00:00:51

0
 
Chris DentPowerShell DeveloperCommented:

Ah okay, I know exactly what causes that.

Exchange, for some truly well thought out reason, must be able to resolve the remote Exchange server name by name only.

That is, you must be able to do this without having to append the full domain name:

ping remoteexchange

There are a number of ways to fix this one:

1. Add a DNS Suffix Search List that contains the remote domain name
2. Add an entry to Hosts for the remote Exchange Server
3. Configure GlobalNames

1 or 2 will be the easiest and I recommend going for those unless you already use GlobalNames.

After that it "should" work.

Chris
0
 
NiplesAuthor Commented:
This is the new error:

Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:53


Test User
Failed

Error:
Service 'net.tcp://independence.blackdiamond.local/Microsoft.Exchange.MailboxReplicationService' encountered an exception. Error: The call to 'https://ticonderoga.orion.blackdiamondonline.us/EWS/mrsproxy.svc' failed. Error details: Could not establish trust relationship for the SSL/TLS secure channel with authority 'ticonderoga.orion.blackdiamondonline.us'. --> The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. --> The remote certificate is invalid according to the validation procedure..

Exception details: MailboxReplicationTransientException (80004005): The call to 'https://ticonderoga.orion.blackdiamondonline.us/EWS/mrsproxy.svc' failed. Error details: Could not establish trust relationship for the SSL/TLS secure channel with authority 'ticonderoga.orion.blackdiamondonline.us'. --> The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. --> The remote certificate is invalid according to the validation procedure..

Exception details: SecurityNegotiationException (80004005): Could not establish trust relationship for the SSL/TLS secure channel with authority 'ticonderoga.orion.blackdiamondonline.us'.

Exception details: WebException (80004005): The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

Exception details: AuthenticationException (80004005): The remote certificate is invalid according to the validation procedure.

Exchange Management Shell command attempted:
'2705058e-296b-4c8c-9980-d324c08908b2' | New-MoveRequest -RemoteHostName 'ticonderoga.orion.blackdiamondonline.us' -Remote -RemoteCredential 'System.Management.Automation.PSCredential' -TargetDeliveryDomain 'blackdiamondonline.us'

Elapsed Time: 00:00:53

0
 
Chris DentPowerShell DeveloperCommented:

That one has an easy explanation:

> Could not establish trust relationship for the SSL/TLS secure channel

The certificate couldn't be verified.

What version of Exchange are you running on the remote system?

You could always use -RemoteLegacy, but you'll have to shift down to the shell to run this I think.

Chris
0
 
NiplesAuthor Commented:
both 2010
0
 
Chris DentPowerShell DeveloperCommented:

You might still try RemoteLegacy. It's clearly having trouble with the certificate you have on the remote system and there doesn't seem to be any obvious way to ignore / bypass that with the current settings.

Chris
0
 
NiplesAuthor Commented:
I have imported my wildcard SSL cert into both 2010 boxes and have assigned Exchange services. I don't understand why I'm still getting this error!!!
0
 
NiplesAuthor Commented:
I thought it might have been that I didn't have a CA installed in the new domain, but I did that too and imported my wildcard and OWA SSL certs.
0
 
Chris DentPowerShell DeveloperCommented:

I still think you should try RemoteLegacy. I realise it's not exactly meant for this scenario but it will get you past the certificate check.

It's failing because something doesn't match up in the certificate. Either it can't / won't trust the issuer or the name doesn't match.

Chris
0
 
NiplesAuthor Commented:
what is the command?
0
 
Chris DentPowerShell DeveloperCommented:

Something like this:

'2705058e-296b-4c8c-9980-d324c08908b2' | New-MoveRequest -RemoteGlobalCatalog "SomeGlobalCatalog" -RemoteLegacy -TargetDeliveryDomain  'blackdiamondonline.us' -RemoteCredential $(Get-Credential)

Chris
0
 
NiplesAuthor Commented:
So by using this command I won't be able to use the EMC to do the remote move request?
0
 
Chris DentPowerShell DeveloperCommented:

I would suspect not, but I don't run 2010 so can't really tell you much about its GUI options.

Chris
0
 
NiplesAuthor Commented:
Is there any way I can confirm which cert it's trying to access?
0
 
Chris DentPowerShell DeveloperCommented:
Open this URL and take a look:

https://ticonderoga.orion.blackdiamondonline.us/EWS/mrsproxy.svc

If you use IE / Firefox you should get some kind of option to view the certificate.

Chris
0
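The same check can be scripted instead of done in a browser. This is an added example, not part of the original thread and not Chris Dent's code: it captures the certificate the MRS proxy endpoint presents, reports whether Windows flagged a name mismatch or a chain (issuer trust) problem, and applies the one-label wildcard rule from the accepted answer to the names discussed here. The function names are hypothetical, and the SAN parsing assumes an English Windows install.

```powershell
# Added example; function names are hypothetical. Host and certificate names come from the thread.

function Test-CertNameMatch {
    # A leading "*" stands for exactly one left-most label and never spans a dot.
    # Partial wildcards such as "f*.example.com" are treated as literals (no match).
    param([string]$HostName, [string]$CertName)
    $hostLabels = $HostName.TrimEnd('.').ToLowerInvariant().Split('.')
    $certLabels = $CertName.TrimEnd('.').ToLowerInvariant().Split('.')
    if ($hostLabels.Length -ne $certLabels.Length) { return $false }
    for ($i = 0; $i -lt $certLabels.Length; $i++) {
        if ($i -eq 0 -and $certLabels[0] -eq '*') { continue }
        if ($certLabels[$i] -ne $hostLabels[$i]) { return $false }
    }
    return $true
}

function Get-RemoteCertificateReport {
    # Connects to HostName:Port and records the certificate the server presents
    # together with the validation result Windows computed for it.
    param([string]$HostName, [int]$Port = 443)
    $state = @{ Cert = $null; Errors = $null }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($s, $cert, $chain, $policyErrors)
        $state.Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cert
        $state.Errors = $policyErrors
        $true   # accept for this inspection-only connection; no data is sent over it
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $ssl.Close()
    } finally { $tcp.Close() }

    # Collect DNS names from the Subject Alternative Name extension (OID 2.5.29.17).
    $names = @()
    $san = $state.Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Assumption: English Windows renders each entry as "DNS Name=<name>".
        $names = @([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                   ForEach-Object { $_.Groups[1].Value })
    }
    # No SAN entries: fall back to the subject's common name.
    if ($names.Length -eq 0) { $names = @($state.Cert.GetNameInfo('SimpleName', $false)) }

    New-Object PSObject -Property @{
        Host         = $HostName
        Subject      = $state.Cert.Subject
        Issuer       = $state.Cert.Issuer
        NotAfter     = $state.Cert.NotAfter
        DnsNames     = $names
        NameMatches  = [bool]($names | Where-Object { Test-CertNameMatch $HostName $_ })
        # RemoteCertificateNameMismatch = name problem; RemoteCertificateChainErrors = issuer trust problem
        PolicyErrors = $state.Errors
    }
}

# Offline demonstration with the names from this thread. The last entry is a
# constructed example of what a SAN certificate for this host would carry.
$target = 'ticonderoga.orion.blackdiamondonline.us'
$candidates = '*.blackdiamondonline.us',
              'owa.blackdiamondonline.us',
              'ticonderoga.orion.blackdiamondonline.us'
foreach ($name in $candidates) {
    '{0,-42} covers {1}: {2}' -f $name, $target, (Test-CertNameMatch $target $name)
}

# Live check (needs network access to the endpoint):
# Get-RemoteCertificateReport -HostName $target | Format-List
```

Run the live check from the server hosting the Mailbox Replication Service named in the error, since its trust store and name resolution are the ones used for the call to mrsproxy.svc.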
 
NiplesAuthor Commented:
I have a new error for you:

Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:01:22


test2 user
Failed

Error:
Service 'net.tcp://saratoga.blackdiamond.local/Microsoft.Exchange.MailboxReplicationService' encountered an exception. Error: The call to 'https://ticonderoga.orion.blackdiamondonline.us/EWS/mrsproxy.svc' failed. Error details: An error occurred while making the HTTP request to https://ticonderoga.orion.blackdiamondonline.us/EWS/mrsproxy.svc. This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server. --> The underlying connection was closed: An unexpected error occurred on a send. --> Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. --> An existing connection was forcibly closed by the remote host.

Exception details: MailboxReplicationTransientException (80004005): The call to 'https://ticonderoga.orion.blackdiamondonline.us/EWS/mrsproxy.svc' failed. Error details: An error occurred while making the HTTP request to https://ticonderoga.orion.blackdiamondonline.us/EWS/mrsproxy.svc. This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server. --> The underlying connection was closed: An unexpected error occurred on a send. --> Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. --> An existing connection was forcibly closed by the remote host.

Exception details: CommunicationException (80004005): An error occurred while making the HTTP request to https://ticonderoga.orion.blackdiamondonline.us/EWS/mrsproxy.svc. This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server.

Exception details: WebException (80004005): The underlying connection was closed: An unexpected error occurred on a send.

Exception details: IOException (80004005): Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.

Exception details: SocketException (80004005): An existing connection was forcibly closed by the remote host

Exchange Management Shell command attempted:
'f72efcf9-4060-4a3e-9299-b305504987c6' | New-MoveRequest -RemoteHostName 'ticonderoga.orion.blackdiamondonline.us' -Remote -RemoteCredential 'System.Management.Automation.PSCredential' -TargetDeliveryDomain 'blackdiamondonline.us'

Elapsed Time: 00:00:41

0
 
NiplesAuthor Commented:
I switched the SSL cert from one that I purchased solely for OWA to my wildcard and this is what I get when I click on the link you sent:

Metadata publishing for this service is currently disabled.

If you have access to the service, you can enable metadata publishing by completing the following steps to modify your web or application configuration file:

1. Create the following service behavior configuration, or add the <serviceMetadata> element to an existing service behavior configuration:

<behaviors>
    <serviceBehaviors>
        <behavior name="MyServiceTypeBehaviors" >
            <serviceMetadata httpGetEnabled="true" />
        </behavior>
    </serviceBehaviors>
</behaviors>

2. Add the behavior configuration to the service:

<service name="MyNamespace.MyServiceType" behaviorConfiguration="MyServiceTypeBehaviors" >

Note: the service name must match the configuration name for the service implementation.

3. Add the following endpoint to your service configuration:

<endpoint contract="IMetadataExchange" binding="mexHttpBinding" address="mex" />

Note: your service must have an http base address to add this endpoint.

The following is an example service configuration file with metadata publishing enabled:

<configuration>
    <system.serviceModel>
 
        <services>
            <!-- Note: the service name must match the configuration name for the service implementation. -->
            <service name="MyNamespace.MyServiceType" behaviorConfiguration="MyServiceTypeBehaviors" >
                <!-- Add the following endpoint.  -->
                <!-- Note: your service must have an http base address to add this endpoint. -->
                <endpoint contract="IMetadataExchange" binding="mexHttpBinding" address="mex" />
            </service>
        </services>
 
        <behaviors>
            <serviceBehaviors>
                <behavior name="MyServiceTypeBehaviors" >
                    <!-- Add the following element to your service behavior configuration. -->
                    <serviceMetadata httpGetEnabled="true" />
                </behavior>
            </serviceBehaviors>
        </behaviors>
 
    </system.serviceModel>
</configuration>

0
 
NiplesAuthor Commented:
When I click on the certificate error it states:

Mismatched Address



0
 
NiplesAuthor Commented:
I'm trying the legacy mailbox move.  So you're saying this should work on 2010 to 2010?
0
 
Chris DentPowerShell DeveloperCommented:

I can't verify, I don't run 2010. But I feel it would be worth a try, you're not having much luck with the certificates and there doesn't seem to be a wide variety of options to control that.

Chris
0
 
NiplesAuthor Commented:
Is there a powershell command to force it to accept the certificate?

I think that is where my problem is. My new forest is now blackdiamond.local and the current is blackdiamondonline.us and that's how my certs are named (owa.blackdiamondonline.us / *.blackdiamondonline.us). I've tried both and you've seen the results above.
0
 
Chris DentPowerShell DeveloperCommented:

Not according to the documentation for the CmdLet. I checked several times without luck.

Chris
0
 
NiplesAuthor Commented:
What about creating a new blackdiamondonline.us zone in DNS in the blackdiamond.local forest?
0
 
NiplesAuthor Commented:
So is there any way I can fudge this just to move these mailboxes? It just seems completely insane to me that I've gone through all this and now I'm back to square one by having to use Exmerge, which was what I was trying to avoid.
0
 
Chris DentPowerShell DeveloperCommented:

RemoteLegacy didn't work? That was my idea of a fudge :)

Chris
0
 
NiplesAuthor Commented:
what about altering the EWS url?
0
 
NiplesAuthor Commented:
I'm ordering a SAN SSL cert.  I'll let you know what happens...
0
 
NiplesAuthor Commented:
SAN cert did the trick
0