Solution for migration scenario with Quest QMM for Exchange and Autodiscover Exchange 2007/2010

In every Exchange inter-org migration project where the Quest Migration Manager is used, there are different migration scenarios available. One requirement during an (Exchange 2007 to Exchange 2010) inter-org migration project was that the source mailbox-enabled account must still be able to use the autodiscover functionality of Exchange 2007/2010 after the mailbox is switched from the source Exchange 2007 organization to the target Exchange 2010 environment. However, after the mailbox is switched to the target environment, the account is still active in the source forest for a while and thus receives the source Exchange autodiscover settings. This means that the user gets an Outlook profile which points to the already switched mailbox in the source Exchange organization, and therefore the user will not receive any e-mails at all.

Because it was a high-priority customer requirement that this scenario work correctly, the project team decided to take the following configuration steps in order to provide the correct autodiscover settings to mailbox-switched users with an active account in the source forest.

The Exchange cmdlet “Export-AutodiscoverConfig” is available to export the autodiscover settings from an Exchange organization to a different forest, e.g. a user forest. The following Exchange Management Shell commands export the settings from the target Exchange forest to the source forest. Please note that the user whose credentials you enter for the target forest must be a member of the Enterprise Admins group. The first step is to enter the target credentials:

$targetcredentials = get-credential

The following command will do the export of the autodiscover settings:

Export-AutoDiscoverConfig -TargetForestDomainController DomainController -MultipleExchangeDeployments $true -TargetForestCredential $targetcredentials

No message is returned. However, we can use ADSIEdit to look into the configuration naming context of the source forest and verify the exported SCP object. In ADSIEdit, go to the configuration naming context, select “CN=Microsoft Exchange Autodiscover” and open its properties.

The autodiscover information is exported to the source forest where Exchange 2007 is installed.

When we look at the security settings of the imported SCP object, we see the following security settings.

With the original security settings, all users, not only the mailbox-switched users, would receive the SCP configuration from the target Exchange organization. This is not wanted, and therefore we have to remove the “Authenticated Users” entry and replace it with an already created security group named “Migrated”.

Now the exported SCP object can only be read by members of the security group “Migrated”. This means all mailbox-switched users must be members of the security group “Migrated”. This can easily be achieved by a scheduled script that queries the Quest database.

Scenario: the computer is a member of the target forest. If the computer account is already a member of the target forest and the mailbox-switched user is still active in the source forest, the user gets the SCP settings from the target forest, which is fine in this scenario. But this means that a user who is not yet mailbox-switched and uses a computer joined to the target forest will also get the wrong autodiscover settings (here the user gets the target information). This can be solved in a similar way: export the autodiscover settings from source to target, remove Authenticated Users from the SCP object as before, and add a (domain local) security group with read permissions to the exported SCP object. Add to this group all users from the source forest who are not yet mailbox-switched. Now every user from the source forest who is not yet mailbox-switched but uses a computer already migrated to the target forest will receive the autodiscover settings from the source Exchange organization.
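
A read-only check for both scenarios above, as an added example that is not part of the original article: run in whichever forest received the export, it lists every SCP object under “CN=Microsoft Exchange Autodiscover” and reports whether Authenticated Users or Everyone can still read it and whether the restricting group can. The domain name SOURCE is a placeholder, and any allow entry that includes ReadProperty is treated as read access.

```powershell
# Added example, not from the original article. Read-only: nothing is changed.
# Assumptions: run on a domain-joined host in the forest that received the
# export; 'SOURCE' is a placeholder domain; 'Migrated' is the article's group.
param(
    [string]$GroupDomain = 'SOURCE',
    [string]$GroupName   = 'Migrated'
)
Add-Type -AssemblyName System.DirectoryServices

$sidType   = [System.Security.Principal.SecurityIdentifier]
$broadSids = 'S-1-5-11', 'S-1-1-0'      # Authenticated Users, Everyone
$account   = New-Object System.Security.Principal.NTAccount($GroupDomain, $GroupName)
$groupSid  = $account.Translate($sidType).Value
$readBit   = [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty

# Container shown in ADSIEdit: CN=Microsoft Exchange Autodiscover in the configuration NC
$rootDse   = [ADSI]'LDAP://RootDSE'
$configNC  = $rootDse.psbase.Properties['configurationNamingContext'].Value
$container = [ADSI]"LDAP://CN=Microsoft Exchange Autodiscover,CN=Services,$configNC"

$report = foreach ($scp in $container.psbase.Children) {
    if ($scp.psbase.SchemaClassName -ne 'serviceConnectionPoint') { continue }

    # Allow ACEs (explicit and inherited) that let a principal read the SCP's attributes
    $rules = $scp.psbase.ObjectSecurity.GetAccessRules($true, $true, $sidType)
    $read  = @($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.ActiveDirectoryRights -band $readBit)
    })
    $broad = @($read | Where-Object { $broadSids -contains $_.IdentityReference.Value })
    $group = @($read | Where-Object { $_.IdentityReference.Value -eq $groupSid })

    New-Object PSObject -Property @{
        Scp          = $scp.psbase.Properties['distinguishedName'].Value
        Binding      = $scp.psbase.Properties['serviceBindingInformation'].Value
        # An inherited entry cannot be removed on the object itself
        BroadReaders = ($broad | ForEach-Object {
            '{0} inherited={1}' -f $_.IdentityReference.Value, $_.IsInherited }) -join '; '
        GroupCanRead = ($group.Count -gt 0)
        Restricted   = ($broad.Count -eq 0 -and $group.Count -gt 0)
    }
}
$report | Format-List Scp, Binding, BroadReaders, GroupCanRead, Restricted
```

The check covers only the two well-known broad SIDs; any other group with read access on the object, such as Domain Users, still needs a manual look in the security tab.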

Please note that the original SCP configuration will never be deleted or overwritten by the described process. The original SCP configuration can be found at the following location:

CN=<Exchange Server>,CN=Autodiscover,CN=Protocols,CN=<Exchange Server>,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=<Exchange Organisation>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Root-Domain

Comments

  • Anonymous
    March 13, 2013
    In regards to your scenario, the latter one, where the user's workstation has been switched from source to target and he is still accessing the unswitched mailbox in the source. Is the following command correct and is it run on the Target Exchange environment? Export-AutoDiscoverConfig -SourceForestDomainController DomainController -MultipleExchangeDeployments $true -SourceForestCredential $targetcredentials Regards

  • Anonymous
    March 13, 2013
    Revised question: In regards to your scenario, the latter one, where the user's workstation has been switched from source to target and he is still accessing the unswitched mailbox in the source. Is the following command correct and is it run on the Source Exchange environment to export the SCP from Source > Target? Export-AutoDiscoverConfig -TargetForestDomainController DomainController -MultipleExchangeDeployments $true -TargetForestCredential $targettcredentials

  • Anonymous
    February 10, 2015
    Small remark - if you have firewalls between both forests (it happens), you need LDAP ports opened...