This section is relevant only for scenarios where migration to or from Exchange 2010 or later is a part of Active Directory migration.
Migration Manager Console
Migration to Microsoft Office 365
Migration Manager for Active Directory (Microsoft Office 365) Console
Migration Manager for Exchange Console
License Server
Migration Manager Database Servers
Active Directory Lightweight Directory Services Server
Migration Manager for Exchange Database Server
Migration Manager Agent Servers
Directory Synchronization Agent Server
Directory Migration Agent Server
Exchange Migration Agents Server
Statistics Portal Server
Resource Updating Manager
Resource Updating Wizards
Active Directory Processing Wizard
Exchange Processing Wizard
SMS Processing Wizard
SQL Processing Wizard
SharePoint Permissions Processing Wizard
Processed Platforms
Active Directory Domain Controllers
Source and Target Exchange Organizations
Exchange Servers
Resource Updating Manager
Systems Management Servers
SQL Servers
SharePoint Servers
Additional Environment Security Configuration
Ports Used by General Migration Manager Components
Ports Used by Migration Manager Console
Ports Used by ADAM/AD LDS Instance
Ports Used by SQL Server
Ports Used by Statistics Portal
Ports Used by Migration Manager for Exchange Components
Ports Used by Migration Manager for Exchange Console
Ports Used by Migration Agent for Exchange (MAgE)
Ports Used by Mail Source Agent (MSA)
Ports Used by Mail Target Agent (MTA)
Ports Used by Public Folder Target Agent (PFTA)
Ports Used by Public Folder Source Agent (PFSA)
Ports Used by Calendar Synchronization Agent (CSA)
Ports Used by Transmission Agent (NTA)
Ports Used by Free/Busy Synchronization Agent (FBSA)
Ports Used by Statistics Collection Agent (SCA)
Ports Used by Migration Attendant for Exchange
Ports Used by Migration Manager for Active Directory Components
Ports Used by Directory Synchronization Agent (DSA)
Ports Used by Migration Manager for Active Directory (Microsoft Office 365) Console
Ports Used by Directory Migration Agent (DMA)
Ports Used by Resource Updating Manager
Accounts Required for Migration Manager Operation
Accounts Used by the Directory Synchronization Agent
Source Accounts Used by Migration Manager for Exchange Agents
Accounts for Source Exchange 2003 Server
Accounts for Source Exchange 2007 Server
Accounts for Source Exchange 2010 Server
Accounts for Source Exchange 2013 Server
Accounts for Source Exchange 2016 Server
Target Accounts Used by Migration Manager for Exchange Agents
Accounts for Target Exchange 2003 Server
Accounts for Target Exchange 2007 Server
Accounts for Target Exchange 2010 Server (Legacy)
Accounts for Target Exchange 2010 Server (MAgE)
Accounts for Target Exchange 2013 Server
Accounts for Target Exchange 2016 Server
Accounts for Target Exchange 2019 Server
Agent Host Account Used by Legacy Migration Manager for Exchange Agents
Agent Host Account Used by Migration Agent for Exchange (MAgE)
Accounts Used for Migrating to Microsoft Office 365
Accounts Required for Migration Manager for Active Directory Operation
Accounts Required for Migration Manager for Exchange Operation
Account Required for Migration Manager to Access Tenant Data
Accounts Used by RUM Agent Service
Accounts Used by RUM Controller Service
Account Used by Statistics Collection Agent Service
Accounts Used by Statistics Portal Accounts
Accounts and Rights Required for Active Directory Migration Tasks
Accounts and Rights Required for Exchange Migration Tasks
Using the Exchange Processing Wizard with Exchange 2010 or later
Appendix. How to Set the Required Permissions for Active Directory Migration
Using the Exchange Processing Wizard with Exchange 2010 or later
Processing Mailboxes and Public Folders
Access to mailboxes and public folders
| Rights and Permissions | Where Specified |
|---|---|
|
The account should be a member of the Domain Admins or Enterprise Admins group (See the note below the table) Alternatively, if you want to avoid granting such broad privileges, make the account a member of the Organization Management and Public Folder Management roles. |
To assign the roles to the account (<User>), run the following commands in the Exchange Management Shell: Add-RoleGroupMember "Organization Management" -Member <User> Add-RoleGroupMember "Public Folder Management" -Member <User> |
Exchange impersonation (step 1)
| Rights and Permissions | Where Specified |
|---|---|
| The ApplicationImpersonation role enables the Exchange processing user account to impersonate other users. |
To enable the account (<User>) to impersonate all users in an organization, run the following in the Exchange Management Shell: New-ManagementRoleAssignment –Name <AssignmentName> -Role ApplicationImpersonation –User <User> See http://msdn.microsoft.com/en-us/library/bb204095.aspx for more details related to enabling Exchange impersonation, such as limiting the scope of users. |
Exchange impersonation (step 2)
| Rights and Permissions | Where Specified |
|---|---|
| In addition to enabling Exchange impersonation for an account, give it the necessary access privileges by granting the ms-Exch-EPI-May-Impersonate extended right. |
To give the account (<User>) the right to impersonate all users on all Client Access Servers, run the following in the Exchange Management Shell: Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User ((Get-User -Identity <User>) | select-object).identity -extendedRight ms-Exch-EPI-Impersonation} To give the account (<User>) permission to impersonate all accounts on all MailboxDatabases, run the following in the Exchange Management Shell: Get-MailboxDatabase | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User <User> -ExtendedRights ms-Exch-EPI-May-Impersonate} See http://msdn.microsoft.com/en-us/library/bb204095%28EXCHG.80%29.aspx for more details related to granting Exchange impersonation rights, such as narrowing the scope of accounts, servers and databases. |
|
|
IMPORTANT: Since membership in the Domain Admins or Enterprise Admins group denies Send As and Receive As permissions, you cannot continue using single administrative account. In this case it is advised to create separate processing service account. |
Processing Mailbox and Public Folder Contents
| Operation | Rights and Permissions | Where Specified |
|---|---|---|
| Message sending |
Send As extended right. |
Run the following in the Exchange Management Shell: Add-ADPermission "Mailbox" -User <User> -Extendedrights "Send As" |
| Message processing in other users' mailboxes | Full mailbox access rights. |
Run the following in the Exchange Management Shell: Add-MailboxPermission "Mailbox" -User <User> -AccessRights FullAccess |
Appendix. How to Set the Required Permissions for Active Directory Migration
This section will help you to set the permissions that are required by Migration Manager for Active Directory.
Set Administrative Access to Source and Target Domains
Migration Manager for Active Directory requires administrative access to each source and target domain involved in Active Directory migration.
We recommend that you to create a new user account for the migration activities in each source and target domain instead of using an existing one.
To grant the account administrative access to the Active Directory domain, add the account to the domain’s local Administrators group as follows:
- In the Active Directory Users and Computers snap-in, right-click the user and select Properties.
- Go to the Member Of tab and click Add to make the user a member of the domain local Administrators group.
If you have established two-way trusts between each source and target domain or forest trust, you can grant this single account administrative access to each source and target domain. This powerful account must be maintained closely and should be deleted after the project is complete. It is recommended that this account be owned by one individual and one backup individual (or as few individuals as possible).