Chatta subito con l'assistenza
Chat con il supporto

Migrator for Notes to Exchange 4.16.3 - Pre-Migration Planning Guide

About the Migrator for Notes to Exchange documentation Introduction Critical considerations Other strategic planning issues Appendix A: Known limitations of the migration process

Microsoft Exchange/AD environment configuration (on-premises Exchange)

This section applies only if you are migrating to a proprietary (on-premises) Exchange target. If you are migrating to hosted Exchange Online, skip to Account permissions for migration to Microsoft 365.

For an on-premises target, an Active Directory administrative account that is a member of the Exchange Organization Management role group must be configured with remote PowerShell enabled.

In the Notes Migrator Manager, you can automatically grant the required permissions to the specified Active Directory account. If you use the Automatically grant permissions option, MNE delegates Full Control permissions to the root of the target OUs and the permissions are inherited by all OUs, even the OUs that are added after initial configuration.

For either an on-premises or Microsoft 365 target with using the Microsoft AD synchronization tool, the account must be a domain user account with full access to the target Organizational Unit (OU). If contacts are to be merged with existing Active Directory user objects, the account must have full control of the OUs/containers in which the AD user objects and contacts currently reside. This ensures that MNE has sufficient access to properly join to the merged user objects and prevents the creation of duplicate contacts.

Alternately, you could manually grant the permissions. To manually set AD container permissions in Exchange:

To configure more than 1000 Organizational Units (OUs) in AD

An LDAP policy can be configured to accommodate more than 1000 OUs in Active Directory by adjusting the maximum items returned by the ADSI interface. See these Microsoft links for LDAP Policies.

If AD is configured for a resource forest and a user forest

In a resource forest, Migrator for Notes to Exchange (MNE) requires the standard permissions as described. In a user forest, MNE requires an account with read permissions to AD such as a domain user. MNE makes no changes to the user forest; it only performs searches.

An Exchange account must be configured to provide Exchange credentials from MNE that correspond to the MNE Exchange Information screens and must have Receive-As rights for each mailbox store.

To automatically grant Receive-As rights, you can select the Automatically grant permissions check box in the Exchange Server configuration screen. MNE grants permissions on the database container and the permissions are inherited by all databases, even the databases that are added after initial configuration.

To manually set Receive-As rights in on-premises Exchange for all mail stores, use the following PowerShell command (in one continuous line):

get-mailboxdatabase | add-adpermission -user <username> -extendedrights receive-as

IMPORTANT: Ensure that the Exchange account is not added to any administrative groups that have been explicitly denied access to the mail stores. These groups include Enterprise Admins, Domain Admins, and the Organization Management role.

If the Exchange account is added to any of these groups, MNE is prevented from connecting to the target mailboxes during the migration.

Account permissions for migration to Microsoft 365

This section applies if you are migrating to Microsoft 365. If you are migrating to on-premises Exchange, see the preceding sections for configuration requirements.

The Migration Administration account must have Full Access permission on the target mailbox during migration.

To automatically grant Full Access rights to the MNE Admin User (or to the assigned Admin Pool Account) to access the target mailboxes during migration, you can select the Automatically grant permissions check box in the Exchange Server Configuration screen. However, the recommended method is to manually grant permissions before migration as described in the following bullet.

Administrator Role

Migrator for Notes to Exchange performs many administrative tasks including creating new user accounts, resetting passwords, granting and revoking permissions, etc. To ensure that the Migration Administration account has the required access rights, assign the Migration Administration account to the Microsoft 365 Global Administrator role.

Migration to Microsoft 365
via Microsoft AD sync

The local AD server must have Exchange 2019 (RTM), Exchange 2016 (RTM), Exchange 2013 (RTM or SP1), or Exchange 2010 (SP1) schema extensions.

Migration from an
MSP-hosted Notes source

The Managed Service Provider must provide the Notes ID file, manager access to all mailboxes in scope for the migration, and reader access to the NAB.

For Microsoft 365 Multi-Geo tenants, the Administrator accounts used for migration must be in the same geographical region as the target mailboxes to avoid permission access issues due to GDPR compliance requirements.

 

SQL server configuration

SQL bulk import directory

The SQL bulk import directory (specified in the SQL Server Configuration screen of Notes Migration Manager) must be accessible to all migration servers and to the user that the SQL Server will “run as”.

Account permissions

Both Windows Authentication and SQL Authentication are supported.

When using Windows Authentication, the Windows user logged in to the migration server must be assigned the dbcreator server role to create the database and tables. The bulkadmin server role is also required to perform database bulk import using the specified bulk import directory.
When using SQL Authentication, the SQL user must be granted the server roles dbcreator and bulkadmin to perform required database operations using the specified bulk import directory.

MNE uses the bulk import directory to improve program performance when importing data from the Domino directory. Permissions must be set so that the SQL Server can read and write to this directory.

NOTE: Once the NME40DB database is created and the tables are populated, the dbcreator server role assigned to either the Windows user or SQL user is no longer required. The db_owner role is sufficient and is automatically granted to the Windows or SQL user when NME40DB is created.

Migrator for Notes to Exchange admin migration server configuration

User account permissions

When you install Migrator for Notes to Exchange on the migration server, you have the option to run the Prerequisite Checker. To run this utility, the account used to log in to the migration server must be a member of the Microsoft Organization Management role group.

Language

Migrator for Notes to Exchange requires the English-language edition OS/PowerShell on the admin workstation.

For all supported Windows servers

Data Execution Prevention (DEP) must be disabled in Windows system settings.

Locale

Upon migration, standard mail folders assume the names of their corresponding Outlook folders in the language associated with the Windows Locale setting of the admin migration server.

Parallel workstations

To accelerate large-scale migrations, Migrator for Notes to Exchange can be run on multiple migration servers running in parallel.

Order of installation

A migration requires a combination of tools developed by different vendors, all installed on a single admin workstation. The combination can cause compatibility problems on some computers. To minimize these conflicts, Quest recommends you install the applications (per specifications noted) in the following order:

1. Notes client

2. Outlook client

3. Windows Management Framework or MS PowerShell

Workstation hardware

Must be a separate machine from the Exchange server but a member of the same domain as AD and Exchange.

Can be a virtual machine, but a dedicated physical machine will likely yield better migration performance.

Required for all destination Exchange target types including Microsoft 365

Must have a directory with write/run permissions for the Administrator components of the MNE software and must have a directory with read/run permissions for the user components of the software.

The 32-bit edition (only) of Outlook 2019, 2016, 2013 or 2010. The Outlook client must also conform to the Microsoft version requirements for the applicable Exchange target version. Outlook 2010 is not supported by Microsoft 365 or Exchange 2019. See the Exchange Server supportability matrix for details.

The MAPI DLLs required to perform a migration must be those that are part of Outlook, not the downloadable Exchange "server" MAPI.

Before running any MNE admin application: Antivirus software must be configured to not scan the MNE program files directory or %temp% directory, or can be temporarily turned off and restarted after the program runs. If an antivirus scan misinterprets an Migrator for Notes to Exchange temporary file as a threat, it will try to "clean" the file, which generates an error when the MNE program call fails.

On the MNE server as the Administrator, launch Windows PowerShell (x86) on 64-bit OS or Windows PowerShell on 32-bit OS and run this command:

Required for all on-premises target types

For MAPI access: Use PowerShell to set the RCAMaxConcurrency throttle policy value high enough to handle the number of migration threads (across all MNE servers) that will be connecting to any Exchange server at any point. If you are migrating to Exchange 2010, ensure that the following throttle policy values are set to 100:

For EWS access: Use PowerShell to set the EWSMaxConcurrency throttle policy value high enough to handle the number of migration threads (across all MNE Servers) that will be connecting to any Exchange server at any point in time.

For Microsoft 365 target, inbound
(Microsoft 365 to Migrator for Notes to Exchange)

No inbound ports are required.

For Microsoft 365 target, outbound
(Migrator for Notes to Exchange to Microsoft 365)

443 – PowerShell
443 – Outlook (RPC over HTTP/Outlook Anywhere)
80 – Autodiscover
443 - Autodiscover

The ports should be open from source to * since Microsoft often changes the IPs of their servers.

For Exchange 2019, Exchange 2016, or Exchange 2013 target:

443 to MBX server - mail migration
80 & 443 to CAS server - autodiscover
3268 to GC - AD searches
389 to DC - AD writes
443 to CAS server - powershell
1352 to Domino - mail migration, directory extraction

For Exchange 2010 target:

80 & 443 & MAPI* to CAS server - autodiscover
3268 to GC - AD searches
389 to DC - AD writes
80 & 443 to CAS server - powershell
1352 to Domino - mail migration, directory extraction
1433 to SQL - SQL

*MAPI uses RPC, which is covered in this Microsoft technote.

Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione