This document is intended for network administrators, consultants, analysts, Exchange architects, and any other IT professionals who are considering migrating Active Directory or Exchange using Quest Migration Manager.
All migration scenarios described in this document assume that:
- Trusts are established between each source and target domain involved in the Active Directory or Exchange data migration.
- SIDHistory is added to migrated accounts and used during the whole co-existence period to ensure that users will have the same access to resources when they start using their target accounts.
If you cannot establish trusts or use SIDHistory due to your corporate policy or other reasons contact Quest Professional Services for a custom migration scenario designed for your specific environment.
Environment Assessment, Planning, and Testing
Environment Assessment and Planning
The first step in migration is to assess your environment and design an appropriate migration plan. The following tools can help:
- Quest MessageStats—Reports on the current Exchange environment and assists with planning migration activities to the target Exchange organization. For more information, visit www.quest.com/messagestats/.
- Quest Reporter—Reports on the current Active Directory environment and assists with planning migration activities in the target Active Directory forest or domain. For more information, visit https://quest.com/products/reporter/.
The related topics detail our best practice recommendations for environment assessment and planning:
Why Use Trusts?
We recommend that you establish two-way external trusts between each source and target domain that will participate in migration.
If the forest functional level in both source and target forests is set to Windows 2003 or higher, you can establish forest trust between the forest root domains.
Trusts make it possible to resolve objects’ security identifiers (SIDs), which in turn helps to distinguish objects and enable you to check whether everything is going right. Trusts also help provide co-existence of the source and target environments during the migration process, including uninterrupted access to the resources for both switched users and users not yet switched.
NOTE: Remember that external trusts between Active Directory domains that belong to different Active Directory forests are not transitive. You should establish trusts between each source Active Directory domain and target Active Directory domain individually.
If Trusts Are Not Established
When deciding whether to establish trusts, remember that if no trusts are established, the following restrictions apply:
- You will not be able to use a single administrative account for migration.
- You will have to switch users and resources at the same time. This means that when a user starts using its target account (normally, when the user's workstation is moved to the target domain), all resources must be updated, so that the target user has the same access to the resources as the corresponding source user.
- When working with remote Exchange servers, console establishes net use connections automatically; thus no trusts between the console machine where Migration Manager is installed and all Exchange servers where the synchronization agents are installed are needed. However if a net use connection between the console machine and remote Exchange server was already established using different account, you may need to manage this connection manually.
- The computer on which Migration Manager is installed must be a member of the domain in which Windows 2000 or Windows Server 2003-based Exchange cluster servers reside. If you have Windows 2000 or Windows Server 2003-based cluster servers in both the source and target domains, you need trusts to be established between the domains.
- If you migrate Exchange first and set the source user’s account to be the Associated External Account for the corresponding Exchange mailbox, users will not be able to log on to the target mailboxes with their source accounts.
- Users will have to specify the target security account when they are switched to the target server. Because there are no trusts, their source accounts will not have permissions for the target mailboxes.
The migration scenarios described in the Basic Migration Steps topic assume that trusts are established between the source and the target domains.