
Preparing Migration 8.15 - System Requirements and Access Rights


Accounts Required for Migration Manager Operation

Migration Manager account

Description:

The account under which the administrator is logged on when Migration Manager is started.

This account is used to connect to ADAM/AD LDS and open the migration project. (The appropriate users should be delegated rights within the project to open and work with the project.)

Where specified:

At administrator's logon

Rights and permissions:

Membership in the local Administrators group on the console machine.

If there are cluster servers in the source or target Exchange organizations, the Migration Manager account must:

  • Be a member of the local Administrators group on each cluster node.
  • Have Full Control rights over the cluster.

ADAM/AD LDS administrative account

Description:

Is used to connect to ADAM/AD LDS and create a new migration project.

Where specified:

During ADAM/AD LDS instance installation. Later, when you first start Migration Manager, specify this account in the Open Project Wizard.

Rights and permissions:

After ADAM/AD LDS instance installation, this account is granted Full Control rights over the whole ADAM/AD LDS instance.

The user who creates the project is automatically granted Full Control rights in the project and can later delegate rights within the project to other users.

Note: Delegated users will have rights only within the ADAM/AD LDS project partition, but no rights to manage the ADAM/AD LDS instance.

SQL configuration database account

Description:

Is used to:

  • Create the SQL configuration database when a migration project is created
  • Access the SQL configuration database

Where specified:

In the Open Project Wizard

Rights and permissions:

Database Creator role on the SQL server where the configuration database will be created

NOTE: The Database Creator (dbcreator) server role is required only if the project database has not been created yet and you are planning to create it. Once the project database has been created, the dbcreator server role is no longer required; the db_owner database role is enough to work with the existing project database. You can grant this permission directly to the SQL configuration database account, or through a security group that can also be used for Agent Host accounts.
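
Added example (not part of the product documentation): a T-SQL sequence that applies the note above once the project database exists, granting db_owner through a security group and removing the server-wide dbcreator role. The group name EXAMPLE\MM-ProjectDb and the database name MMProjectDb are hypothetical placeholders; the ALTER ROLE and ALTER SERVER ROLE member syntax assumes SQL Server 2012 or later.

```sql
-- Added example; names below are hypothetical placeholders, not product values:
--   [EXAMPLE\MM-ProjectDb]   security group containing the SQL configuration
--                            database account (and, optionally, Agent Host accounts)
--   [MMProjectDb]            the already-created project (configuration) database
-- ALTER ROLE / ALTER SERVER ROLE ... MEMBER syntax requires SQL Server 2012 or later.

-- 1. Audit: list every login that currently holds the dbcreator server role.
SELECT m.name AS login_name, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'dbcreator';
GO

-- 2. Make sure the group has a server login.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'EXAMPLE\MM-ProjectDb')
    CREATE LOGIN [EXAMPLE\MM-ProjectDb] FROM WINDOWS;
GO

-- 3. Map the group into the existing project database and grant db_owner there.
USE [MMProjectDb];
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'EXAMPLE\MM-ProjectDb')
    CREATE USER [EXAMPLE\MM-ProjectDb] FOR LOGIN [EXAMPLE\MM-ProjectDb];
ALTER ROLE db_owner ADD MEMBER [EXAMPLE\MM-ProjectDb];
GO

-- 4. The database exists, so the server-wide dbcreator role is no longer needed.
USE master;
GO
IF EXISTS (SELECT 1
           FROM sys.server_role_members AS rm
           JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
           JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
           WHERE r.name = N'dbcreator' AND m.name = N'EXAMPLE\MM-ProjectDb')
    ALTER SERVER ROLE dbcreator DROP MEMBER [EXAMPLE\MM-ProjectDb];
GO

-- 5. Verify: the group should appear as a db_owner member of the project database.
USE [MMProjectDb];
GO
SELECT m.name AS member_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'db_owner';
```

Step 1 only reports direct members of dbcreator; review its output for other logins that kept the role after project creation.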

Auxiliary account

Description:

Is used by different Migration Manager components to retrieve information from ADAM/AD LDS

Where specified:

During Migration Manager setup, or in the Open Project Wizard

Rights and permissions:

Membership in the local Administrators group on the console machine.

Important notes: This account must not be changed during migration. The account password must not expire or be changed during migration.

Accounts Used by the Directory Synchronization Agent

The following accounts are used by the Directory Synchronization Agent (DSA) to connect to the domains.

TIP: The DSA account permissions provided below are high-level permissions that can be granted easily and quickly. However, if they are too elevated and thus cannot be granted in your environment, take a look at the minimum required permissions for DSA accounts in Migration Manager for Active Directory Granular Account Permissions.

Source Active Directory Synchronization account

Description:

Is used:

  • By the DSA to connect to the source Active Directory domain
  • By the Mail Source Agent (MSA) to perform mailbox switch (related to Migration Manager for Exchange)

Where specified:

You specify this account when you create and configure a domain pair.

Rights and permissions:

Membership in the Administrators group.

You can use an account that is not a member of the Administrators group if the Preinstalled Service feature is configured and enabled.

Target Active Directory Synchronization account

Description:

Is used:

  • By the DSA to connect to the target Active Directory domain
  • By the Mail Source Agent (MSA) to perform mailbox switch (related to Migration Manager for Exchange)

Where specified:

You specify this account when you create and configure a domain pair.

Rights and permissions:

Membership in the Administrators group.

You can use an account that is not a member of the Administrators group if the Preinstalled Service feature is configured and enabled.

Source Accounts Used by Migration Manager for Exchange Agents

NOTE: Each computer on which Migration Manager for Exchange agents run must have DCOM Access and Launch permissions. These permissions are acquired by the agent through the server's local Administrators group membership.

Accounts for Source Exchange 2003 Server

Exchange account

Used to:

  • Work with source Exchange mailboxes and public folders (used by the Mail Source Agent, Public Folder Source Agent, and Public Folder Target Agent)
  • Mail-enable the newly-created public folders (used by the public folder agents only: Public Folder Source Agent and Public Folder Target Agent)
  • Synchronize Calendar information (used by the Calendar Synchronization Agent)
  • Synchronize free/busy data (optional) (used by the Free/Busy Synchronization Agent)
  • Switch mailboxes

Where specified:

On the General > Connection page of the source Exchange server Properties in the Migration Manager Console

Rights and permissions:

  • Membership in the local Administrators group on all source Exchange servers involved in the migration. If a server is a domain controller, the account should be added to the domain local Administrators group of the domain.
  • Full Control permission on the organizational units (OUs) (and their child objects) where the source synchronized objects are located.
  • Full Control permission on source Exchange 2003 servers (including the Send As and Receive As permissions).
  • Full Control permission on the Microsoft Exchange System Objects organizational unit in all domains in which source Exchange 2003 servers involved in public folder synchronization reside.
  • Modify public folder replica list permission, Modify public folder deleted item retention permission, and Modify public folder quotas permission on the administrative groups where the source Exchange 2003 servers involved in public folder synchronization reside

Active Directory account

Used to:

Work with the source Active Directory

Where specified:

On the General > Associated domain controller page of the source Exchange server Properties in the Migration Manager Console

Rights and permissions:

  • Read access to the source domain

NOTE: If migration is performed in the child domain, ensure that the Active Directory account has Read access to the parent (root) domain as well.

To learn how to grant rights and permissions required for this account, refer to the Exchange 2003 Environment Preparation document.
