Friday, March 9, 2012

AD and Exchange Forest Migration (Part I)

I’m currently in the middle of a big and relatively complex forest migration. I’ve found that while there’s a ton of documentation on the subject, a lot of it is way too complex for 90% of engagements and the rest is very spotty. Thus I’ve set out to document my processes in a simple, to-the-point way, keeping in mind that this is what works for me, in this specific client’s environment. Caveat Emptor.

Current Environment

Source:

The source domain is a standalone forest, with a two-way forest trust to the target domain.

Source Domain Name: olddomain.local
Domain Functional Level: Windows Server 2008 R2 domain level
Mode: Native
Forest Level: Windows Server 2008 R2 domain level
SMTP Address Space: company.com

Target:

The target domain is a child domain contained in an existing forest.

Target Domain Name: newdomain.local
Domain Functional Level: Windows Server 2008 R2 domain level
Mode: Native
Forest Level: Windows Server 2008 R2 domain level
SMTP Address Space: company.com

High-Level Overview

  1. Clean up the source domain by deleting unused accounts, mailboxes, etc.
  2. Set up name resolution (DNS) to allow us to create a trust
  3. Create a Two-Way Forest Trust between the source and target domains
  4. Enable SID History and disable SID Filtering
  5. Install the Active Directory Migration Tool (ADMT)
  6. Install the ADMT Password Export Server (PES)
  7. Use Prepare-MoveRequest.ps1 to create Mail Enabled Users (MEUs) in the target domain
  8. Configure Exchange servers in the source and target domains to operate within a shared address space
  9. Use ADMT to migrate user accounts to the target domain
  10. Use ADMT to re-ACL resources
  11. Use ADMT to migrate computer accounts to the target domain
  12. Move mailboxes to the Exchange server in the target domain
  13. Decommission source Exchange server
  14. Use ADMT to remove old ACLs from resources
  15. Use ADMT to migrate servers to the target domain
  16. Decommission old servers, domain and forest

I will use the next series of blog posts to document all the above steps in detail.  As I said, I have been unable to find a single authoritative source for the process, so I aim to make my life easier the next time I’m faced with this challenge.  Hopefully I also save someone else some time and effort.

I want to conclude by saying that even though my documentation might suit your environment to a T, it is imperative that you lab the living daylights out of your processes.  Also, make sure you understand what each step does, and have a rollback procedure in place.