Cross Forest Migration in Exchange 2013

Active Directory Forests

Active Directory (AD) is basically a collection of users, resources and services that are known as objects. Active Directory is installed on a server in the network, which is called the Domain Controller. The objects in AD are organized into a hierarchy of containers.

Basically, a forest is the largest container in Active Directory. To get a clear idea of what it is, we need to understand some basic terminology related to it.

  • Domain: In general, a domain is an area that has some defined control or authority. In the case of Active Directory, a logical group of computers is called a Windows Server domain. In diagrams it is represented by a triangle.
  • Tree: A collection of one or more domains in Active Directory where the domains share a relationship like that of parent and child. All the domains in a tree share the same namespace. The parent domain is called the "Forest Root", while the others are called "Child Domains".
  • Organizational Unit: This is the smallest container object in Active Directory. It is a container that comprises resources sharing the same security or administrative guidelines. Small containers within a domain that hold AD objects like computers, printers or other resources are called Organizational Units (OUs). This proves helpful when administration of a small group of objects has to be delegated to someone.
  • Forest: A forest can be better described as the boundary of Active Directory; it is a collection of trees. For domains and forests to communicate with each other or to use each other's resources, it is important that a trust between them is built up.


Types of Forest Trusts (name, transitivity, direction and description):

  • Parent and Child (transitive, two-way): By default, when a child domain is added to a tree, a parent-child trust between the two domains is created.
  • Tree Root (transitive, two-way): A trust maintained between the roots of two different trees in a forest is called a tree root trust.
  • External (non-transitive, one-way): This type of trust helps to access resources of a Windows NT 4.0 or any other older Windows Server domain.
  • Realm (non-transitive, one-way or two-way): This kind of trust helps to share resources between two non-Windows domains.
  • Cross-Forest (transitive, two-way): A trust created between two different forests in order to share their resources.
  • Shortcut (non-transitive, one-way): A shortcut trust created between domains of different trees helps to access resources of those domains in less time.

Suppose there are two domains, where Domain A is the trusted domain and Domain B is the trusting domain. In a two-way trust, B authenticates A so that A can access B's resources, and A authenticates B so that B can access A's resources. In a one-way trust, A can access the resources of B while B cannot access the resources of A.


Create Two-Way Transitive Trusts Between AD Forests

Step 1) Open "Active Directory Domains and Trusts". In the console tree, select the domain with which the trust relationship has to be established, right-click it and select "Properties".

Step 2) Click the "Trusts" tab and choose "New Trust". The New Trust Wizard opens.

Step 3) Provide the DNS ("Domain Name System") or NetBIOS ("Network Basic Input/Output System") name of the domain and click "Next".

Step 4) Select "Forest trust" and click "Next".

Step 5) Since we want to create a two-way trust relationship between the two forests, select "Two-way" and click "Next".

Step 6) Select the "Both this domain and the specified domain" option and click "Next" to continue.

Step 7) Provide the credentials of an administrator of the target domain (username and password) and click "Next".

Step 8) Choose "Forest-wide authentication" and click "Next".

Step 9) On the Outgoing Trust confirmation page, choose "Yes" and click "Next".

Step 10) On the Incoming Trust confirmation page, choose "Yes" and continue by clicking "Next".

Step 11) You can see that the incoming and outgoing trusts have been created. Click the "Properties" button.

Step 12) Under the General tab, click the "Validate" button to verify the trust. A dialog named "Active Directory Domain Services" opens.

Step 13) Provide the username and password for the target domain.

Step 14) A message regarding trust activation pops up on screen.
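Once the wizard has finished, it is worth confirming from the command line that the trust really has the properties chosen in steps 4, 5 and 8, and reviewing the two settings that matter most for security: forest-wide authentication (step 8) lets every user in the trusted forest authenticate to every computer in the trusting forest, whereas selective authentication limits that to computers explicitly granted "Allowed to Authenticate"; and SID filtering, which is on by default for a new forest trust, discards foreign SIDs (for example from sIDHistory) that do not belong to the trusted forest and should stay on. The following check is an added example, not part of the original article; it assumes the ActiveDirectory PowerShell module (RSAT) is installed on the machine, that you run it as an administrator of the trusting forest, and that the forest names are placeholders.

```powershell
# Added example (not from the original article): verify a forest trust created with the
# wizard and report settings a reviewer should look at. Assumes the ActiveDirectory
# module is available; 'source.example' / 'target.example' are placeholder names.
Import-Module ActiveDirectory

function Test-ForestTrustConfig {
    param(
        # DNS name of the trusted forest as shown in the Trusts tab (placeholder below)
        [Parameter(Mandatory)] [string] $TrustedForest
    )

    $trust = Get-ADTrust -Filter "Name -eq '$TrustedForest'"
    if (-not $trust) {
        throw "No trust named '$TrustedForest' was found on this domain."
    }

    $findings = New-Object System.Collections.Generic.List[string]

    # Step 4: a forest trust is forest-transitive; an external trust is not.
    if (-not $trust.ForestTransitive) {
        $findings.Add("Trust is not forest-transitive: this is an external trust, not a forest trust.")
    }
    # Step 5: a two-way trust is reported as BiDirectional.
    if ($trust.Direction -ne 'BiDirectional') {
        $findings.Add("Trust direction is $($trust.Direction), not two-way.")
    }
    # Step 8: forest-wide authentication means every user of the trusted forest can be
    # authenticated by every computer here (subject to permissions). Selective
    # authentication narrows that to computers granted "Allowed to Authenticate".
    if (-not $trust.SelectiveAuthentication) {
        $findings.Add("Forest-wide authentication is in effect; consider selective authentication if only a few servers (such as Exchange) need to be reachable.")
    }
    # SID filtering is enabled on new forest trusts by default and should stay enabled.
    if ($trust.ForestTransitive -and -not $trust.SIDFilteringForestAware) {
        $findings.Add("SID filtering is disabled on this forest trust.")
    }

    [pscustomobject]@{
        Name      = $trust.Name
        Source    = $trust.Source
        Target    = $trust.Target
        Direction = $trust.Direction
        Findings  = $findings
    }
}

# Example use with a placeholder forest name:
Test-ForestTrustConfig -TrustedForest 'source.example' | Format-List

# The wizard's "Validate" button (step 12) has a command-line equivalent
# (placeholder names; /PasswordD:* prompts for the password instead of putting it on the command line):
#   netdom trust target.example /d:source.example /verify /UserD:SOURCE\admin /PasswordD:*
```

An empty Findings list means the trust matches what the wizard steps above intended. Switching an existing trust to selective authentication is done from the same Properties dialog (Authentication tab) or with netdom's /SelectiveAUTH:yes switch, after which the resource computers that should accept users from the other forest need the "Allowed to Authenticate" permission.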



Exchange Server 2013 Cross Forest Migration

In Exchange 2013, the New-MoveRequest and New-MigrationBatch cmdlets are used to perform an Exchange cross-forest migration. These cmdlets provide a way to transfer mailboxes from one forest to another, which means cross-forest migration is supported in Exchange 2013 using these cmdlets. In order to move mailboxes between two Active Directory forests, the mail users must already exist in the target AD with a minimum set of AD attributes.


The Prepare-MoveRequest.ps1 script, shared in the upcoming section, helps to migrate mailboxes from an Exchange 2013 forest to a different Exchange 2013 forest. This script copies AD attributes from the source forest to the target forest and uses the Update-Recipient cmdlet to convert the target AD objects into mail-enabled users.


"For general tasks in Exchange Server, one or more cmdlets are run at a time. Nevertheless, there are times when these tasks are to be automated. The Exchange Management Shell uses a scripting language based on the .NET Framework. This kind of scripting language is used by other shells also. Using the Shell, an administrator is free to create simple to complex scripts. You can add loops, conditions, flow control, assign variables and do much more by using scripts."


Download the Prepare-MoveRequest.ps1 script and run it using PowerShell on the target Exchange 2013 Server. This script helps to copy the AD attributes of the source forest to the target forest. Use the Get-Credential cmdlet to supply credentials for the remote forest domain controller; when this cmdlet is run, it prompts for a username and password.

To get details about the remote forest and the local forest, run the commands mentioned below:


For the LocalForestCredential and RemoteForestCredential parameters of the script, run the following command:
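As an added example, and not a command taken from the original article, the following shows how the pieces described above fit together on the target forest: capturing both sets of credentials with Get-Credential, running Prepare-MoveRequest.ps1 with the LocalForestCredential and RemoteForestCredential parameters, checking the mail user it creates, and then pulling the mailbox across with New-MoveRequest. It assumes the script is run from the Exchange Management Shell on a target-forest Exchange 2013 server, that the script sits in the Exchange Scripts folder (the article has you download it; adjust the path if you saved it elsewhere), that the MRS Proxy is enabled on the source forest's Client Access server, and that every host name, OU, address and database name is a placeholder.

```powershell
# Added example (not the article's own command): cross-forest mailbox move, target-forest side.
# Placeholders: source.example / target.example forests, dc01.* domain controllers,
# mail.source.example (source CAS with MRS Proxy enabled), OU and database names.

# Get-Credential prompts for username and password; no password is stored in the script.
$LocalCredentials  = Get-Credential -Message 'Target (local) forest administrator, e.g. TARGET\admin'
$RemoteCredentials = Get-Credential -Message 'Source (remote) forest administrator, e.g. SOURCE\admin'

# Assumption: the script is in the Exchange Scripts folder of this server.
$scriptPath = Join-Path $env:ExchangeInstallPath 'Scripts\Prepare-MoveRequest.ps1'

# Copy the mailbox's AD attributes from the source forest and create (or update) a
# mail-enabled user in the target forest. UseLocalObject reuses a matching target
# user instead of creating a new one; Verbose shows each attribute being copied.
$prepareParams = @{
    Identity                     = 'user1@source.example'      # mailbox in the source forest
    RemoteForestDomainController = 'dc01.source.example'       # source forest DC
    RemoteForestCredential       = $RemoteCredentials
    LocalForestDomainController  = 'dc01.target.example'       # target forest DC
    LocalForestCredential        = $LocalCredentials
    TargetMailUserOU             = 'OU=Migrated,DC=target,DC=example'
    UseLocalObject               = $true
    Verbose                      = $true
}
& $scriptPath @prepareParams

# Sanity check before moving: the mail user must carry the source mailbox's
# ExchangeGuid and LegacyExchangeDN, otherwise the move request will not match it.
Get-MailUser -Identity 'user1@source.example' |
    Format-List Name, ExchangeGuid, LegacyExchangeDN, ExternalEmailAddress

# Pull the mailbox from the remote (source) forest into this forest.
# RemoteHostName is the source forest's MRS Proxy endpoint; TargetDeliveryDomain is an
# accepted domain of this forest, used for the forwarding address left behind at the source.
New-MoveRequest -Identity 'user1@source.example' `
    -Remote `
    -RemoteHostName 'mail.source.example' `
    -RemoteGlobalCatalog 'dc01.source.example' `
    -RemoteCredential $RemoteCredentials `
    -TargetDeliveryDomain 'target.example' `
    -TargetDatabase 'DB01'

# Track progress; a failed request keeps its error message in the statistics.
Get-MoveRequest | Get-MoveRequestStatistics
```

The two credential objects are only held in memory for the session, which is why Get-Credential is used rather than writing passwords into the script. If the source forest's MRS Proxy is not enabled, New-MoveRequest fails at the connection step; the Verbose output of Prepare-MoveRequest.ps1 is the place to look when the mail user is created without the expected attributes.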