Saturday, April 7, 2012

Cross-Forest mailbox move changes in Exchange 2010

There’s quite a few changes coming to a cross forest mailbox moves in Exchange 2010.  Well for one, in Exchange 2007, you would use Move-Mailbox.  In Exchange 2010, you would use New-MoveRequest.  The way these two cmdlets work in regards to cross forest mailbox moves is significant. Why?  Read on…
In Exchange 2007, when you did a Move-Mailbox to another forest, that cmdlet would be doing some checks against your target environment to see if this user exists.  What’s the algorithm you ask?  IT’S A SECRET!  No really, it is.  It’s not really documented anywhere.  But thanks to Dmitri Gavrilov from Microsoft, the algorithm is:

  • Match on objectSID – First try masterAccountSID then try objectSID and sidHistory
  • Match on source LegacyExchangeDN – look for an x500:LegacyExchangeDN in target directory
  • Match proxyaddresses – look for any smtp addresses in the proxyaddresses attribute that exist in the source proxyaddresses attribute
As you can see, there’s a lot of methods in which you can use.  Some may consider this bad and some may consider it good.  For Exchange 2010, Microsoft wanted to simplify the lookup process.  So instead of searching the target forest for any of the above attributes, New-MoveRequest will look for only one attribute only; msExchMailboxGuid.  Unlike Exchange 2007, the entire process for Exchange 2010 and exactly how you do this with Exchange 2010 will be fully documented. I consider this to be excellent news!
Some organizations will want to utilize ILM to bring over mail disabled users into the target forest so that New-MoveRequest will find the mail disabled user and use mail disabled user to associate a linked mailbox.  In this case, you will also want to bring over the msExchMasterAccountSid attribute which is required for linked mailboxes.
Thanks to Ian Lui from Microsoft, he provided the recommended attributes for bringing over a mail user:
  • altRecipient
  • deliverAndRedirect
  • mail
  • mailNickname
  • msExchMailboxGUID
  • proxyAddresses (in addition to sync source mailbox proxyAddresses, synchronized legacyExchangeDN of the source mailbox as X500 address in the ProxyAddresses attribute of the target mail user. The logic is the same when the target object is a contact.)
  • publicDelegates
  • msExchHideFromAddressLists
  • msExchMasterAccountSid  (needed for linked mailbox)
  • msExchRecipientDisplayType  (Assume the source mailbox is a user mailbox; for linked mailbox, value is equivalent to *unsigned* 0xC0000006; for regular mailbox, value is equivalent to *unsigned* 0×80000006)
  • msExchRecipientTypeDetails (MailUser = 0×80,    // 128)
    TargetAddress (synchronize the PrimarySMTPAddress of the source mailbox as the TargetAddress of the target mail user. The logic is the same when the target object is a contact.)
  • SAMAccountName
  • userAccountControl (Disabled User Account – ACCOUNTDISABLE | NORMAL_ACCOUNT; 0×202)
You can also bring over any other attributes such as givenName, SN, etc at your discretion.
Now keep in mind, that if you are going to be migrating with a tool such as ADMT, QMM, etc. you will want to make sure the tool brings over the above attributes so when you do a New-MoveRequest, it will successfully find the target user and associate the mailbox with that migrated user.  But if you are in a resource forest scenario, that’s where you’d want to bring the user over as a mail disabled account with the msExchMasterAccountSid attribute as noted above.
Now what about companies that don’t have ILM and aren’t going to be using ADMT either?  Well, Move-Mailbox would create the mail disabled user if it found no user in the target forest with the appropriate attributes.  New-MoveRequest will NOT do this.  One reason is Microsoft wanted to reduce the complexity with Move-Mailbox.  They wanted to simplify the attribute that is used, the algorithm, and wanted to separate the AD provisioning task to another process.  Because of this, Microsoft is working on another separate tool/script that will provide the provisioning process for this exact task which reduces replication delay with the Move-Mailbox among other things.
At first, I was skeptical about all this.  Why remove functionality that was built-into the Move-Mailbox cmdlet already?  After taking an objective look at the reasoning of how complex Move-Mailbox was across forests before, and why simplifying the attribute used as well as separating AD provisioning to Exchange provisioning helps simplify the cross-forest mailbox moves and possible failures due to replication delay if you’re using the cmdlet to create mail disabled user accounts, you will understand the reasoning behind this.
Post a Comment