RSS Subscription 168 Posts and 2,769 Comments

Archive for June, 2009

Cross-Forest Mailbox Move Changes in Exchange 2010

There’s quite a few changes coming to a cross forest mailbox moves in Exchange 2010.  Well for one, in Exchange 2007, you would use Move-Mailbox.  In Exchange 2010, you would use New-MoveRequest.  The way these two cmdlets work in regards to cross forest mailbox moves is significant. Why?  Read on…

In Exchange 2007, when you did a Move-Mailbox to another forest, that cmdlet would be doing some checks against your target environment to see if this user exists.  What’s the algorithm you ask?  IT’S A SECRET!  No really, it is.  It’s not really documented anywhere.  But thanks to Dmitri Gavrilov from Microsoft, the algorithm is:

  • Match on objectSID – First try masterAccountSID then try objectSID and sidHistory
  • Match on source LegacyExchangeDN – look for an x500:LegacyExchangeDN in target directory
  • Match proxyaddresses – look for any smtp addresses in the proxyaddresses attribute that exist in the source proxyaddresses attribute

As you can see, there’s a lot of methods in which you can use.  Some may consider this bad and some may consider it good.  For Exchange 2010, Microsoft wanted to simplify the lookup process.  So instead of searching the target forest for any of the above attributes, New-MoveRequest will look for only one attribute only; msExchMailboxGuid.  Unlike Exchange 2007, the entire process for Exchange 2010 and exactly how you do this with Exchange 2010 will be fully documented. I consider this to be excellent news!

Some organizations will want to utilize ILM to bring over mail disabled users into the target forest so that New-MoveRequest will find the mail disabled user and use mail disabled user to associate a linked mailbox.  In this case, you will also want to bring over the msExchMasterAccountSid attribute which is required for linked mailboxes.

Thanks to Ian Lui from Microsoft, he provided the recommended attributes for bringing over a mail user:

  • altRecipient
  • deliverAndRedirect
  • mail
  • mailNickname
  • msExchMailboxGUID
  • proxyAddresses (in addition to sync source mailbox proxyAddresses, synchronized legacyExchangeDN of the source mailbox as X500 address in the ProxyAddresses attribute of the target mail user. The logic is the same when the target object is a contact.)
  • publicDelegates
  • msExchHideFromAddressLists
  • msExchMasterAccountSid  (needed for linked mailbox)
  • msExchRecipientDisplayType  (Assume the source mailbox is a user mailbox; for linked mailbox, value is equivalent to *unsigned* 0xC0000006; for regular mailbox, value is equivalent to *unsigned* 0x80000006)
  • msExchRecipientTypeDetails (MailUser = 0x80,    // 128)
    TargetAddress (synchronize the PrimarySMTPAddress of the source mailbox as the TargetAddress of the target mail user. The logic is the same when the target object is a contact.)
  • SAMAccountName
  • userAccountControl (Disabled User Account – ACCOUNTDISABLE | NORMAL_ACCOUNT; 0x202)

You can also bring over any other attributes such as givenName, SN, etc at your discretion.

Now keep in mind, that if you are going to be migrating with a tool such as ADMT, QMM, etc. you will want to make sure the tool brings over the above attributes so when you do a New-MoveRequest, it will successfully find the target user and associate the mailbox with that migrated user.  But if you are in a resource forest scenario, that’s where you’d want to bring the user over as a mail disabled account with the msExchMasterAccountSid attribute as noted above.

Now what about companies that don’t have ILM and aren’t going to be using ADMT either?  Well, Move-Mailbox would create the mail disabled user if it found no user in the target forest with the appropriate attributes.  New-MoveRequest will NOT do this.  One reason is Microsoft wanted to reduce the complexity with Move-Mailbox.  They wanted to simplify the attribute that is used, the algorithm, and wanted to separate the AD provisioning task to another process.  Because of this, Microsoft is working on another separate tool/script that will provide the provisioning process for this exact task which reduces replication delay with the Move-Mailbox among other things.

At first, I was skeptical about all this.  Why remove functionality that was built-into the Move-Mailbox cmdlet already?  After taking an objective look at the reasoning of how complex Move-Mailbox was across forests before, and why simplifying the attribute used as well as separating AD provisioning to Exchange provisioning helps simplify the cross-forest mailbox moves and possible failures due to replication delay if you’re using the cmdlet to create mail disabled user accounts, you will understand the reasoning behind this.

Microsoft has yet to release the actual documentation on this or the script, but I wanted to give people a heads up on what’s to come.  I will update this post as those things get released.  A big thanks goes out to Dmitri Gavrilov and Ian Lui for providing a lot of the information that you see above.

Update (12/25/2009) – The Microsoft documentation has been updated on what mandatory and optional attributes are required for running New-MoveRequest for Cross-Forest migrations.  You can view that here.  This article also has documentation on ILM syncing as well as using a script.  As of 12/25/2009, this information is in the document but there is no link as the script/ILM information is still unavailable.  Keep checking back at the linked to article as the script and ILM information will eventually be published.

Update (02/04/2010) – As Geoff has stated in the comments, the script I have mentioned in the 12/25/2009 update has been published.

Update (02/18/2010) – A fellow MVP, Johan Veldhuis, has let me know that he had some issues running the above script that is mentioned.  A fellow coworker of his has created his own VBscript that will do the same thing that Microsoft’s script would.  If you run into an issue with the script, try this script.  For information on the migration scenario and the script, please go here for Part 1 and here for Part 2.

Share

Create Pool – Run on OCS or SQL Server?

The guidance around where to create your pool and why can be quite confusing.

If you look at the OCS R1 requirements for deploying an Enterprise Pool, it tells you the following:

  • If you are using a 32-bit version of SQL Server, log on to your Office Communications Server Back-end Database server as a member of the Domain Admins group.
  • If you are using a 64-bit version of SQL Server, create the pool by using a computer with a 32-bit processor, such as the computer that you plan to use as the Front End Server. Log on to the 32-bit processor computer as a member of RTCUniversalServerAdmins and Domain Admins group and with user rights to create and modify SQL Server databases.

If you look at the OCS R2 requirements for deploying an Enterprise Pool, it tells you the following:

  • If you are using a 64-bit version of SQL Server, log on to your Office Communications Server Back-end Database as a member of RTCUniversalServerAdmins and DomainAdmins group.
  • If you are using a 32-bit version of SQL Server, create the pool by using the computer that you plan to use as the Front End Server. Log on to this computer as a member of RTCUniversalServerAdmins and Domain Admins group and with user rights to create and modify SQL Server databases.

As you can see, it’s a complete 180 between R1 and R2.  To make it easier to digest, here’s an easier format to see what you should do:

OCS R1 with SQL 32-bit – Create Pool on SQL
OCS R1 with SQL 64-bit – Create pool on OCS FE

OCS R2 with SQL 32-bit – Create Pool on OCS FE
OCS R2 with SQL 64-bit – Create Pool on SQL

The reason why it’s a complete 180 is because Microsoft wants you to run the installer on the native platform of the installer.  OCS R1 is 32-bit so you always want to run the installer on a 32-bit machine.  OCS R2 is 64-bit so you always want to run the installer on a 64-bit machine.

But the million dollar question is, is it really necessary to run it from the Backend?  Does that mean you have to insert your OCS CD, install .Net Framework, Visual C++, etc….  Well, you could, but you  can use LCSCMD to configure your pool instead.  LCSCMD is on your CD and you can just open a cmd prompt, navigate to your cd-rom, and run the LCSCMD command with the appropriate settings to configure your pool without needing to install at the tools the installer GUI would require.  LCSCMD would also bypass the requirement from running the installer on the same processor platform (x86/x64.) You can refer to the following article here for information on how to use LCSCMD to create an Enterprise Pool.

But, that doesn’t really explain why it is recommended running it on the Backend. After talking with Ken Alverson from Microsoft about this, I learned a few things.  The reason they recommend to create the pool on the SQL Server is to minimize the possibility of firewall/permissions from interfering.  The Create Pool requires access to both SQL as well as WMI.  You can technically open up all the ports to SQL as well as WMI and run Configure Your Pool from your OCS Server.  This is what I did but instead of opening it completely, I  ran Network Monitor to determine what ports to open.  You could also disable your Windows Firewall on your SQL Server to ensure access to your SQL Server.  Never disable the firewall service on Server 2008 as this disrupts proper communication.  Either turn the firewall off or go into the advanced firewall in the administrative tools and open everything up.

So in short, you have the following options with OCS R2:

  1. Turn off firewall on SQL (don’t disable firewall service) and install from OCS Server (lowers security but easiest to do.)  After the pool is created, you can re-enable your firewall as long as you follow the OCS documentation (installation guide for Enterprise Edition) and open the necessary ports.)
  2. Allow SQL Ports and WMI to traverse SQL Firewall (more secure than #1 but less easy to do)
  3. Run Create Pool from SQL Server via the GUI Installer (more secure than #1 and #2 but not an option I like due to it installing GUI prerequisites)
  4. Run Create Pool from LCSCMD via the CD which will install a SQL prerequisite I believe (most secure option but requires knowledge of the LCSCMD command.)  You can refer to the following article here for information on how to use LCSCMD to create an Enterprise Pool.

I would appreciate if readers can make a quick comment on what method you use.

Share