Setting Up the Target Active Directory Synchronization Account
This section describes how to set the required permissions for the Target Active Directory Synchronization Account. This account is used by:
- The Directory Synchronization Agent (DSA) to access the target Active Directory domain
- The Migration Agent for Exchange (MAgE) to perform mailbox switch
The required privilege level for the Target Active Directory Synchronization Account is membership in the Domain Admins group of the target domain.
Caution: If for some reason you cannot grant such privileges to the Target Active Directory Synchronization Account, then refer to the System Requirements and Access Rights document for the list of minimal required permissions.
To grant the necessary permission to the Target Active Directory Synchronization Account, perform the following:
- On the target domain controller in the Active Directory Users and Computers snap-in, click Users, then in the right pane right-click Domain Admins and click Properties.
- Go to the Members tab, click Add and select the Target Active Directory Synchronization Account (in our example, QMM_Trg_DSA).
- Close the dialog boxes by clicking OK.
Setting Up the Target Exchange Account
This section describes how to set the required permissions for the Target Exchange Account used by Migration Manager for Exchange agents. This account is used for the following:
- Working with target Exchange mailboxes and public folders (used by Migration Agent for Exchange, Public Folder Source Agent, and Public Folder Target Agent)
- Making the newly-created public folders mail-enabled (used by the public folder agents only: Public Folder Source Agent and Public Folder Target Agent)
- Moving mailboxes
Mailbox and Calendar Synchronization
The following permissions are required for target Exchange account used by Migration Agent for Exchange during mailbox or calendar synchronization:
TIP: The Read permission for the Microsoft Exchange container is required only if you plan to add the target Exchange organization using the Add Target Organization Wizard under this account.
Public Folder Synchronization
The following permissions are required for target Exchange account used by PFSA and PFTA during public folder synchronization:
- Membership in the local Administrators group on all target Exchange servers involved in the migration. If a server is a domain controller, the account should be added to the domain local Administrators group of the domain.
- The Mail Enabled Public Folders management role
- Permissions to process public folders involved in the migration by granting Full Control permission on mailbox databases where those public folders reside.
- Permission to log on to public folder administrator mailbox by granting Full Control on it.
Note: Exchange account used for public folder synchronization must be mailbox-enabled to be able obtaining target public folder hierarchy.
To set up the Target Exchange Account, perform the steps described in the related subtopics.
NOTE: Note that the steps are given only as an example of a possible Target Exchange Account setup.
Changing the Default Exchange Account
Changing Default Exchange Account
The default Exchange Account (initially displayed on the Connection page of the Exchange server Properties) is set when you add the source or target organization to the migration project (see the Registering Source and Target Organizations section of the Migration Manager for Exchange User Guide for details). If necessary, you can change the default Exchange Account by clicking Modify on the General | Connection page in the properties of the corresponding server in the Migration Manager for Exchange Console.
To go on using the default Exchange Account for Exchange migration, grant the permissions required for Exchange migration to this account (see the next steps).
Granting Read Access to Active Directory Domain
To grant this permission to an account, complete the following steps:
- In the Active Directory Users and Computers snap-in, right-click the domain name, and then click Properties.
- On the Security tab, click Add and select the account.
- Select the account, and then check the Allow box for the Read permission in the Permissions box.
- Click the Advanced button. In the Advanced Security Settings dialog box, select the account you specified on step 2, and click Edit.
- In the Permission Entry dialog box, select This object and all descendant (child) objects from the Apply to drop-down list.
- Close the dialog boxes by clicking OK.