Exchange 2010 Remote Move Request Error
I'm in the process of building a new forest to consolidate my existing AD structure which consists of 2 child domains. I have everything in place and I'm testing moving mailboxes. I have built a temporary Exchange 2010 box in the old AD forest in order to move my existing mailboxes from Exchange 2007 to Exchange 2010 in the new forest. I have no trouble peforming local mailbox moves from 2007 to 2010. But when I attempt to perform a remote-move request I receive the following error:
Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:00
IT TestUser
Failed
Error:
The operation couldn't be performed because object '110ba164-8c5c-4b2d-a9f5-2
Exchange Management Shell command attempted:
'110ba164-8c5c-4b2d-a9f5-2
Elapsed Time: 00:00:00
Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:00
IT TestUser
Failed
Error:
The operation couldn't be performed because object '110ba164-8c5c-4b2d-a9f5-2
Exchange Management Shell command attempted:
'110ba164-8c5c-4b2d-a9f5-2
Elapsed Time: 00:00:00
ASKER
I tried that and received the same error...
OK Verify that the existing Account ( IT TestUser) is valid and active by running this powershell command : Get-User "IT TestUser" |fl *
Also please please ensure that your credentials match and that you have appropriate permissions to move mailbox.
Hilal
Also please please ensure that your credentials match and that you have appropriate permissions to move mailbox.
Hilal
ASKER
Yes on both
As far as I am aware the remove-move will only work if the domains are within the same forest, is this the case?
New-MoveRequest and Prepare-MoveRequest (the script) will work across forests. Doesn't even require a trust. Assuming that's what you meant? :)
I wondered if this was the mailboxGUID or the objectGUID: 110ba164-8c5c-4b2d-a9f5-26
Chris
Move-Mailbox will work across Forest with trust relationship established of course.
Hilal
Hilal
sorry please ignore my comment.
I don't know what I said, in the middle of a crisis, interestingly enough I have a half written article on cross-forest migrations using the move-mailbox so I know it works :(
unsubscribing :)
I don't know what I said, in the middle of a crisis, interestingly enough I have a half written article on cross-forest migrations using the move-mailbox so I know it works :(
unsubscribing :)
ASKER
There is a two-way transitive forest trust in place. The error code I mentioned above is EventID 4 (Source: MSEchange Configuration Cmdlet - Remote Management)
Did you attempt this:
'110ba164-8c5c-4b2d-a9f5-2
Or did it do that for you?
That is, are you providing it with the GUID value or is it finding that by itself?
Chris
ASKER
This is what is in the eventid when i attempt to perform the remote-move request from the EMC on the target Exchange 2010 box
Towards the end of the process in EMC it should show the command it's going to execute for you. Is it possible for you to show us that command? I guess you haven't tried the move using the Shell instead of the Console?
Chris
ASKER
I have not tried using the shell yet. Here is the code from the end of the wizard in the EMC:
Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:00
Test User
Failed
Error:
The operation couldn't be performed because object '2705058e-296b-4c8c-9980-d
Exchange Management Shell command attempted:
'2705058e-296b-4c8c-9980-d
Elapsed Time: 00:00:00
Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:00
Test User
Failed
Error:
The operation couldn't be performed because object '2705058e-296b-4c8c-9980-d
Exchange Management Shell command attempted:
'2705058e-296b-4c8c-9980-d
Elapsed Time: 00:00:00
Thanks for that, it helps.
Can you run these two in the Exchange Management Shell please?
Get-Mailbox "2705058e-296b-4c8c-9980-d
And:
Get-User "2705058e-296b-4c8c-9980-d
I expect both will fail, however I would like you to confirm that please.
Chris
Can you run these two in the Exchange Management Shell please?
Get-Mailbox "2705058e-296b-4c8c-9980-d
And:
Get-User "2705058e-296b-4c8c-9980-d
I expect both will fail, however I would like you to confirm that please.
Chris
ASKER
it fails in the target forest and succeeds in the source forest
ASKER
At this point I'm tempted just to recreate all the users in the new forest and use Exmerge to move the mailboxes
> it fails in the target forest and succeeds in the source forest
It must succeed in the target forest for this move to work.
You might consider finding Prepare-MoveRequest.ps1 from MS to help you with this. That will copy the attribute it's trying to find to complete this move.
Chris
ASKER
That's what I was just looking at. I will get back to you shortly.
thx
thx
ASKER
I'm a little confused how to run this. Please verify?
I'm running on the target forest Exchange box:
$UserCredentials = Get-Credential .... then am I entering admin creds or the user's creds?
then
[PS] C:\program files\microsoft\exchange server\v14\scripts> /prepare-moverequest.ps1 -identity test.user@blackdiamondonin
I'm running on the target forest Exchange box:
$UserCredentials = Get-Credential .... then am I entering admin creds or the user's creds?
then
[PS] C:\program files\microsoft\exchange server\v14\scripts> /prepare-moverequest.ps1 -identity test.user@blackdiamondonin
ASKER
I've tried entering admin creds and the user's creds i'm trying to move i this is the error i receive:
AuthorizationManager check failed.
At line:1 char:26
+ /prepare-moverequest.ps1 <<<< -identity test.user@blackdiamondonin
blackdiamondonline.us -remoteforestcredential $usercredentials
+ CategoryInfo : NotSpecified: (:) [], PSSecurityException
+ FullyQualifiedErrorId : RuntimeException
AuthorizationManager check failed.
At line:1 char:26
+ /prepare-moverequest.ps1 <<<< -identity test.user@blackdiamondonin
blackdiamondonline.us -remoteforestcredential $usercredentials
+ CategoryInfo : NotSpecified: (:) [], PSSecurityException
+ FullyQualifiedErrorId : RuntimeException
You'll need something with admin credentials in the source forest. You're tried that?
Chris
ASKER
ok i have the script working but I've tried several different user accounts and it's returning:
[PS] E:\Program Files\Microsoft\Exchange Server\V14\Scripts>./Prepa
line.us -RemoteForestDomainControl
tDomainController reknown.orion.blackdiamond
E:\Program Files\Microsoft\Exchange Server\V14\Scripts\Prepare
blackdiamondonline.us in source forest.
At line:1 char:26
+ ./Prepare-MoveRequest.ps1 <<<< -Identity test.user@blackdiamondonli
kdiamond.local -RemoteForestCredential $RemoteCredentials -LocalForestDomainControll
.us -LocalForestCredential $LocalCredentials -LinkedMailUser
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Comma
0 mailbox(s) ready to move.
[PS] E:\Program Files\Microsoft\Exchange Server\V14\Scripts>./Prepa
line.us -RemoteForestDomainControl
tDomainController reknown.orion.blackdiamond
E:\Program Files\Microsoft\Exchange Server\V14\Scripts\Prepare
blackdiamondonline.us in source forest.
At line:1 char:26
+ ./Prepare-MoveRequest.ps1 <<<< -Identity test.user@blackdiamondonli
kdiamond.local -RemoteForestCredential $RemoteCredentials -LocalForestDomainControll
.us -LocalForestCredential $LocalCredentials -LinkedMailUser
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Comma
0 mailbox(s) ready to move.
We can test the request it's making but I suspect we'll get much the same response. test.user definitely exists in the source forest?
Chris
ASKER
yes it does
Lets try it then. You'll need to help this snippet along a bit, but you should copy and paste it into the Exchange shell when you've fixed the values.
This tries to find the user in the source domain based on the address you supplied. If it comes back with something that looks like the user then we'll try something else.
If it doesn't come back with anything at all the address you've giving it isn't working.
Chris
# Modify these:
$Username = "SomeAdminUser"
$Password = "ThePassword"
$RemoteDomainController = "yorktown.blackdiamond.local"
$FindThis = "test.user@blackdiamondonline.us"
# No changes below this point
$SearchRoot = New-Object DirectoryServices.DirectoryEntry(`
"LDAP://$RemoteDomainController", $Username, $Password)
$LdapFilter = "(&(proxyAddresses=*$FindThis))"
$Searcher = New-Object DirectoryServices.DirectorySearcher($SearchRoot, $LdapFilter)
$Searcher.FindAll()
ASKER
Ok i have the command working successfully from the target exchange box now. But when i go to the EMC I dont see any pending move request...
Prepare-MoveRequest? Or New-MoveRequest?
If you've done New-MoveRequest you should be able to run "Get-MoveRequest" to see the current status.
Chris
ASKER
Prepare-MoveRequest
Prepare just puts you in the right place for New-MoveRequest to run. So if you've done Prepare successfully give New-MoveRequest a try for that mailbox. At that point I imagine you'll start to see them in the GUI (or I hope).
Chris
ASKER
OK getting even further now. So successfully performed a local move of the test account in the source forest from the exchange 2007 to 2010. I then ran the prepare-moverequest successfully. I then went to the EMC to preform the actual remote move request through the wizard and it fails. this is the error code returned:
Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:51
test2 user
Failed
Error:
Service 'net.tcp://independence.bl
Exception details: MailboxReplicationTransien
Exception details: TimeoutException (80004005): The request channel timed out attempting to send after 00:00:00.0000005. Increase the timeout value passed to the call to Request or increase the SendTimeout value on the Binding. The time allotted to this operation may have been a portion of a longer timeout.
Exception details: TimeoutException (80004005): The HTTP request to 'https://ticonderoga.orion.blackdiamondonline.us/EWS/mrsproxy.svc' has exceeded the allotted timeout of 00:00:00.0000005. The time allotted to this operation may have been a portion of a longer timeout.
Exchange Management Shell command attempted:
'f72efcf9-4060-4a3e-9299-b
Elapsed Time: 00:00:51
Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:51
test2 user
Failed
Error:
Service 'net.tcp://independence.bl
Exception details: MailboxReplicationTransien
Exception details: TimeoutException (80004005): The request channel timed out attempting to send after 00:00:00.0000005. Increase the timeout value passed to the call to Request or increase the SendTimeout value on the Binding. The time allotted to this operation may have been a portion of a longer timeout.
Exception details: TimeoutException (80004005): The HTTP request to 'https://ticonderoga.orion.blackdiamondonline.us/EWS/mrsproxy.svc' has exceeded the allotted timeout of 00:00:00.0000005. The time allotted to this operation may have been a portion of a longer timeout.
Exchange Management Shell command attempted:
'f72efcf9-4060-4a3e-9299-b
Elapsed Time: 00:00:51
Ah okay, I know exactly what causes that.
Exchange, for some truly well thought out reason, must be able to resolve the remote Exchange server name by name only.
That is, you must be able to do this without having to append the full domain name:
ping remoteexchange
There are a number of ways to fix this one:
1. Add a DNS Suffix Search List that contains the remote domain name
2. Add an entry to Hosts for the remote Exchange Server
3. Configure GlobalNames
1 or 2 will be the easiest and I recommend going for those unless you already use GlobalNames.
After that it "should" work.
Chris
ASKER
This is the new error:
Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:53
Test User
Failed
Error:
Service 'net.tcp://independence.bl
Exception details: MailboxReplicationTransien
Exception details: SecurityNegotiationExcepti
Exception details: WebException (80004005): The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
Exception details: AuthenticationException (80004005): The remote certificate is invalid according to the validation procedure.
Exchange Management Shell command attempted:
'2705058e-296b-4c8c-9980-d
Elapsed Time: 00:00:53
Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:53
Test User
Failed
Error:
Service 'net.tcp://independence.bl
Exception details: MailboxReplicationTransien
Exception details: SecurityNegotiationExcepti
Exception details: WebException (80004005): The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
Exception details: AuthenticationException (80004005): The remote certificate is invalid according to the validation procedure.
Exchange Management Shell command attempted:
'2705058e-296b-4c8c-9980-d
Elapsed Time: 00:00:53
That one has an easy explanation:
> Could not establish trust relationship for the SSL/TLS secure channel
The certificate couldn't be verified.
What version of Exchange are you running on the remote system?
You could always use -RemoteLegacy, but you'll have to shift down to the shell to run this I think.
Chris
ASKER
both 2010
You might still try RemoteLegacy. It's clearly having trouble with the certificate you have on the remote system and there doesn't seem to be any obvious way to ignore / bypass that with the current settings.
Chris
ASKER
I have imported my wildcard SSL cert in to both 2010 boxes and have assigned exchange services. I dont understand why I'm still getting this error!!!
ASKER
I thought it might have been that I didnt have a CA installed in the new domain but I did that too and imported my wildcard and owa SSL certs
I still think you should try RemoteLegacy. I realise it's not exactly meant for this scenario but it will bet you past the certificate check.
It's failing because something doesn't match up in the certificate. Either it can't / won't trust the issuer or the name doesn't match.
Chris
ASKER
what is the command?
Something like this:
'2705058e-296b-4c8c-9980-d
Chris
ASKER
so by using this command i won't be able to use the EMC to do the remote move request?
I would suspect not, but I don't run 2010 so can't really tell you much about it's GUI options.
Chris
ASKER
is there anyway i can confirm which cert it's trying to access?
Open this URL and take a look:
https://ticonderoga.orion.blackdiamondonline.us/EWS/mrsproxy.svc
If you use IE / Firefox you should get some kind of option to view the certificate.
Chris
https://ticonderoga.orion.blackdiamondonline.us/EWS/mrsproxy.svc
If you use IE / Firefox you should get some kind of option to view the certificate.
Chris
ASKER
I have a new error for you:
Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:01:22
test2 user
Failed
Error:
Service 'net.tcp://saratoga.blackd
Exception details: MailboxReplicationTransien
Exception details: CommunicationException (80004005): An error occurred while making the HTTP request to https://ticonderoga.orion.blackdiamondonline.us/EWS/mrsproxy.svc. This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server.
Exception details: WebException (80004005): The underlying connection was closed: An unexpected error occurred on a send.
Exception details: IOException (80004005): Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
Exception details: SocketException (80004005): An existing connection was forcibly closed by the remote host
Exchange Management Shell command attempted:
'f72efcf9-4060-4a3e-9299-b
Elapsed Time: 00:00:41
Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:01:22
test2 user
Failed
Error:
Service 'net.tcp://saratoga.blackd
Exception details: MailboxReplicationTransien
Exception details: CommunicationException (80004005): An error occurred while making the HTTP request to https://ticonderoga.orion.blackdiamondonline.us/EWS/mrsproxy.svc. This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server.
Exception details: WebException (80004005): The underlying connection was closed: An unexpected error occurred on a send.
Exception details: IOException (80004005): Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
Exception details: SocketException (80004005): An existing connection was forcibly closed by the remote host
Exchange Management Shell command attempted:
'f72efcf9-4060-4a3e-9299-b
Elapsed Time: 00:00:41
ASKER
I switched the ssl cert from one that i purchased solely for owa to my wildcard and this is what i get when i click on the link you sent:
Metadata publishing for this service is currently disabled.
If you have access to the service, you can enable metadata publishing by completing the following steps to modify your web or application configuration file:
1. Create the following service behavior configuration, or add the <serviceMetadata> element to an existing service behavior configuration:
<behaviors>
<serviceBehaviors>
<behavior name="MyServiceTypeBehavio
<serviceMetadata httpGetEnabled="true" />
</behavior>
</serviceBehaviors>
</behaviors>
2. Add the behavior configuration to the service:
<service name="MyNamespace.MyServic
Note: the service name must match the configuration name for the service implementation.
3. Add the following endpoint to your service configuration:
<endpoint contract="IMetadataExchang
Note: your service must have an http base address to add this endpoint.
The following is an example service configuration file with metadata publishing enabled:
<configuration>
<system.serviceModel>
<services>
<!-- Note: the service name must match the configuration name for the service implementation. -->
<service name="MyNamespace.MyServic
<!-- Add the following endpoint. -->
<!-- Note: your service must have an http base address to add this endpoint. -->
<endpoint contract="IMetadataExchang
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="MyServiceTypeBehavio
<!-- Add the following element to your service behavior configuration. -->
<serviceMetadata httpGetEnabled="true" />
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
</configuration>
Metadata publishing for this service is currently disabled.
If you have access to the service, you can enable metadata publishing by completing the following steps to modify your web or application configuration file:
1. Create the following service behavior configuration, or add the <serviceMetadata> element to an existing service behavior configuration:
<behaviors>
<serviceBehaviors>
<behavior name="MyServiceTypeBehavio
<serviceMetadata httpGetEnabled="true" />
</behavior>
</serviceBehaviors>
</behaviors>
2. Add the behavior configuration to the service:
<service name="MyNamespace.MyServic
Note: the service name must match the configuration name for the service implementation.
3. Add the following endpoint to your service configuration:
<endpoint contract="IMetadataExchang
Note: your service must have an http base address to add this endpoint.
The following is an example service configuration file with metadata publishing enabled:
<configuration>
<system.serviceModel>
<services>
<!-- Note: the service name must match the configuration name for the service implementation. -->
<service name="MyNamespace.MyServic
<!-- Add the following endpoint. -->
<!-- Note: your service must have an http base address to add this endpoint. -->
<endpoint contract="IMetadataExchang
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="MyServiceTypeBehavio
<!-- Add the following element to your service behavior configuration. -->
<serviceMetadata httpGetEnabled="true" />
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
</configuration>
ASKER
when i click on the certificate error it states:
Mismatched Address
Mismatched Address
ASKER
I'm trying the legacy mailbox move. So you're saying this should work on 2010 to 2010?
I can't verify, I don't run 2010. But I feel it would be worth a try, you're not having much luck with the certificates and there doesn't seem to be a wide variety of options to control that.
Chris
ASKER
Is there a powershell command to force it to accept the certificate?
I think that is where my problem is. My new forest is now blackdiamond.local and the current is blackdiamondonline.us and that's how my certs are named (owa.blackdiamondonline.us
I think that is where my problem is. My new forest is now blackdiamond.local and the current is blackdiamondonline.us and that's how my certs are named (owa.blackdiamondonline.us
Not according to the documentation for the CmdLet. I checked several times without luck.
Chris
ASKER
What about creating a new blackdiamondonline.us Zone in DNS in the blackdiamond.local forest ?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
so is there anyway i can fudge this just to move these mailboxes? It just seems complete insane to me that I've gone through all this and now I'm back to square one by having to use exmerge which was what i was trying to avoid.
RemoteLegacy didn't work? That was my idea of a fudge :)
Chris
ASKER
what about altering the EWS url?
ASKER
I'm ordering a SAN SSL cert. I'll let you know what happens...
ASKER
SAN cert did the trick
Hilal