Chat now with support
Chat with Support

Migrator for Notes to Exchange 4.16 - Pre-Migration Planning Guide

About the Migrator for Notes to Exchange documentation Introduction Critical considerations Other strategic planning issues Appendix A: Known limitations of the migration process

Microsoft Exchange / AD environment configuration (proprietary Exchange target)

This section applies only if you are migrating to a proprietary Exchange target. If you are migrating to a hosted Exchange, skip ahead to Account permissions for migration to Office 365.

Using one account for both purposes results in conflicting mailbox permissions that prevents MNE from being able to access the exchange mailboxes when migrating mailbox data.

An AD admin account is configured for access to Active Directory containers and objects, corresponding to Migrator for Notes to Exchange’s AD Information screens. This must be a domain user account with full access to the target OU. If the contacts will be merged with existing Active Directory user objects, the account must have full control of the OUs/containers where the AD user objects currently reside. This ensures Migrator for Notes to Exchange has sufficient access to properly join to the merged user objects, and prevents the creation of duplicate contacts.

To set AD container permissions in Exchange:

... where <alias> is the AD account to which you are granting access.

To configure for more than 1000 OUs in AD

LDAP policy can be configured to accommodate more than 1000 OUs in Active Directory, by adjusting the max items returned by ADSI interface. See these Microsoft links for LDAP Policies.

If AD is configured for a resource forest and a user forest

In the resource forest, Migrator for Notes to Exchange requires the standard permissions cited above. In the user forest, Migrator for Notes to Exchange requires an account with read permissions to the AD, such as a domain user. Migrator for Notes to Exchange makes no changes to the user forest; it only performs searches.

A Exchange account is configured to provide Exchange credentials from Migrator for Notes to Exchange, corresponding to Migrator for Notes to Exchange’s Exchange Information screens, and must be configured with Receive As rights to each mailbox store.

To set Receive As rights in Exchange 2010 or later, for all mail stores, use the following PowerShell command (in one continuous line):

get-mailboxdatabase | add-adpermission -user <username> -extendedrights receive-as

IMPORTANT: Ensure that the Exchange account is not added to any administrative groups that have been explicitly denied access to the mail stores. These groups include Enterprise Admins, Domain Admins, and the Organization Management role. If the Exchange account is added to any of these groups, MNE will be prevented from connecting to the target mailboxes during the migration.

Account permissions for migration to Office 365

This section applies only if you are migrating to Microsoft’s Office 365. If you are migrating to a proprietary Exchange, see the preceding section for those configuration requirements.

Administrator Role

Migrator for Notes to Exchange performs many administrative tasks, including creating new user accounts, resetting passwords, granting and revoking permissions, etc. To ensure that the Migration Administration account has the required access rights, assign the Migration Administration account to the Office 365 Global Administrator role.

Migration to Office 365
via MS AD sync

The local AD server must have Exchange 2019 (RTM), Exchange 2016 (RTM), Exchange 2013 (RTM or SP1), or Exchange 2010 (SP1) schema extensions.

Migration from an
MSP-hosted Notes source

The Managed Service Provider must provide the Notes ID file, manager access to all mailboxes in scope for the migration, and reader access to the NAB.

SQL server configuration

SQL bulk import directory

The SQL bulk import directory (specified in the SQL Server Configuration screen of Notes Migration Manager) must be accessible to all migration servers, and to the user that the SQL Server will run as.

Account permissions

Both Windows Authentication and SQL Authentication are supported.

When using Windows Authentication, the Windows user logged in to the migration server must be assigned the dbcreator server role in order to create the database and tables. The bulkadmin server role is also required in order to perform database bulk import using the specified bulk import directory.
When using SQL Authentication, the SQL user must be granted the server roles dbcreator and bulkadmin in order to perform required database operations using the specified bulk import directory.

MNE uses the bulk import directory to substantially improve program performance when importing data from the Domino directory. Permissions must be set so that the SQL Server can read and write to this directory.

NOTE: Once the NME40DB database is created and tables populated, the dbcreator server role assigned to either the Windows user or SQL user is no longer required. The db_owner role is sufficient and is automatically granted to the Windows or SQL user when NME40DB is created.

Migrator for Notes to Exchange admin migration server(s) configuration

User account permissions

When you install the Migrator for Notes to Exchange software on the migration server, you have the option to run the Prerequisite Checker. In order to run this utility, the account used to log in to the migration server must be a member of the Microsoft Organization Management role group.

Language

Migrator for Notes to Exchange requires the English-language edition OS/PowerShell on the admin workstation.

For all supported Windows servers

Data Execution Prevention (DEP) must be disabled in Windows system settings.

Locale

Upon migration, standard mail folders assume the names of their corresponding Outlook folders in the language associated with the Windows Locale setting of the admin’s migration server.

Parallel workstations

To accelerate large-scale migrations, Migrator for Notes to Exchange may be run on multiple migration servers running in parallel.

Order of installation

A migration requires a combination of tools developed by different vendors, all installed on a single admin workstation. The combination can cause compatibility problems on some machines. To minimize these conflicts, Quest recommends you install the applications (per specifications noted below) in this order:

1. Notes client
2. Outlook client
3. Windows Management Framework or MS PowerShell

Workstation hardware

Must be a separate machine from the Exchange server, but a member of the same domain as AD and Exchange.

May be a virtual machine, but a dedicated physical machine will likely yield better migration performance.

Required for all destination Exchange target types, including Office 365

Must have a directory with write/execute permissions for the Administrator components of the Quest software, and must have a directory with read/execute permissions for the user components of the software.

The 32-bit edition (only) of Outlook 2019, 2016, 2013 or 2010. The Outlook client must also conform to Microsoft's version requirements for the applicable Exchange target version. Outlook 2010 is not supported by Office 365 or Exchange 2019. See the Exchange Server supportability matrix for more details.

The MAPI DLLs required to perform a migration must be those that are part of Outlook, not the downloadable Exchange "server" MAPI.

Prior to running any Migrator for Notes to Exchange admin application: Any antivirus software must be configured to not scan the Migrator for Notes to Exchange program files directory or %temp% directory, or may be simply turned off, but may be restored after the program runs. If an antivirus scan misinterprets an Migrator for Notes to Exchange temporary file as a threat, it will try to "clean" the file, which will generate an error when the Migrator for Notes to Exchange program call fails.

On the Migrator for Notes to Exchange server as the Administrator, launch Windows PowerShell (x86) on 64-bit OS or Windows PowerShell on 32-bit OS and execute this command:

Required for all on-premises target types

For MAPI access: Use PowerShell to set the RCAMaxConcurrency throttle policy value high enough to handle the number of migration threads (across all MNE Servers) that will be connecting to any Exchange server at any point in time. If migrating to Exchange 2010, ensure that the following throttle policy values are set to 100:

For EWS access: Use PowerShell to set the EWSMaxConcurrency throttle policy value high enough to handle the number of migration threads (across all MNE Servers) that will be connecting to any Exchange server at any point in time.

For O365 target,
inbound (O365 to Migrator for Notes to Exchange)

No inbound ports are required.

For O365 target,
outbound (Migrator for Notes to Exchange to O365)

443 – PowerShell
443 – Outlook (RPC over HTTP/Outlook Anywhere)
80 – Autodiscover
443 - Autodiscover

These should be open from source to *, since Microsoft often changes the IPs of their servers.

For Exchange 2019, Exchange 2016, or Exchange 2013 target:

443 to MBX server - mail migration
80 & 443 to CAS server - autodiscover
3268 to GC - AD searches
389 to DC - AD writes
443 to CAS server - powershell
1352 to Domino - mail migration, directory extraction

For Exchange 2010 target:

80 & 443 & MAPI* to CAS server - autodiscover
3268 to GC - AD searches
389 to DC - AD writes
80 & 443 to CAS server - powershell
1352 to Domino - mail migration, directory extraction
1433 to SQL - SQL

*MAPI uses RPC, which is covered in this Microsoft technote.

Related Documents