Priasoft Migration Suite Setup


Background
The Priasoft Migration Suite for Exchange is a powerful and easy solution for Exchange-to-Exchange and Exchange-to-Office365 migrations. One of the first tasks prior to migration is the deployment and setup of one or more migration hosts. This document serves to provide concise instructions for successful setup of the software.

The PMSE uses several different protocols to communicate with your source and target environments, as follows:
- LDAP: Depending on options, the tools will attempt to read, write, and create objects in the source and target domains. Understanding permissions is critical to success and is nearly 90% of our support cases.
- MAPI: This is an RPC based protocol. It is recommended to read about RPC here:
- Remote PowerShell: This uses WinRM, which is pre-installed on Windows 7 and 2008 Server.
- HTTP and HTTPS: WinRM uses this, as do the Priasoft tools. Our tools report anonymous statistics, migration errors, and licensing details to our Azure based backend. You can opt out of this, but it is generally discouraged.
- Windows Networking (UNC file paths, RPC, etc.)

The migration host needs to be able to communicate using these protocols without hindrance. Any blocks in these protocols will likely cause migration failures.

Requirements & Recommendations
There are several requirements and recommendations to consider to successfully migrate mailboxes using the PMSE.

Host Requirements

Hardware Minimum
Priasoft recommends configuring a machine with at least 4 GB of RAM and 4 CPUs (cores or processors) and a modern hard disk with at least 40 GB of free space. Although the software technically can run with less, it will likely increase the overall time to migrate. The migration software is not disk intensive, but does use local disk for temporary storage during the migration. For performance considerations, an increase in RAM and CPU count always yields good results.

Priasoft Inc., Tempe, AZ. PHONE: 480-656-7402. WEB: www.priasoft.com

Physical vs. Virtual Machines
Priasoft does not have a requirement for physical or virtual machines. Many customers successfully migrate on virtual machines. However, for cases where the speed of the migration is important, physical machines will out-perform a VM. Note that if you do choose to use a VM, the following guidelines should be followed:
- Dedicate the network adapter in the VM to a physical network adapter, if possible; otherwise provide some level of isolation such that the VM's adapter will have 100% access to the physical layer.
- Dedicate matching physical RAM to the VM. Some VM solutions allow an "on demand" memory model in which physical RAM is reallocated based on need. This hinders performance of the migration software inside the VM.
- Configure the VM with closely matched physical CPU to virtual CPU assignments and set the migration VM to have 100% utilization of the physical CPU(s). Note that if you are concerned about performance, you will be better off making a physical machine with fewer CPUs than a VM with many. In current VM solutions, a multi-processor VM doesn't have a concept of a multi-core CPU. A VM configured with 4 CPUs is emulating a physical machine with 4 distinct CPUs (versus modern single CPUs with 4 cores). This means that if the physical architecture is 2 2-core CPUs, all 4 virtual CPUs will run on ONE of the 2 physical CPUs.
- VM configuration is proving to be as much of an art as a technology and depends on the use and purpose of the VM. Default settings are often less than ideal for a migration host.
- Do not duplicate a VM after you have installed licenses on the host.

In either case (physical/virtual), increasing RAM and CPU count allows for more mailboxes to migrate simultaneously. Higher migration concurrency equates to a shorter overall duration of the migration.

Operating System and Core Components
The migration host must be Win7, Win8, Win8.1, Server 2008-R2, 2012, or 2012R2. Win10 and Server 2016 are not supported.

If you are migrating to Exchange 2007, it is absolutely REQUIRED to use a 32-bit operating system for the migration host (this requirement is due to a dependency on the Exchange 2007 32-bit management tools; it is NOT possible to install the 32-bit tools on a 64-bit host, such is a limitation from Microsoft). All other versions of Exchange (5.5, 2000, 2003, 2010, 2013, and 2016) can use a 64-bit OS (recommended) for the migration host. NOTE: Migrations to or from Office365 REQUIRE the use of a 64-bit OS.

The migration host should have the latest patches and updates from Microsoft prior to installing the software and has the following additional software requirements for all versions of Exchange, 5.5 thru current, including Office365:
- Microsoft .NET Framework 3.5.1 (and latest service packs)
- Microsoft .NET Framework 4.0 (and latest service packs)
- Microsoft Outlook: Use 2003 for Exchange 5.5 or Exchange 2000 (source or target). Use 2010 32-bit for all other versions of Exchange (note: 64-bit Outlook will not work). Outlook 2013/2016 will NOT work on the migration host for migrations, nor will the Exchange Server MAPI libraries. These Outlook versions are only requirements for the migration host, not for end-users.
- Exchange 2007 32-bit Management Tools (required only when Exchange 2007 is the destination for mailboxes)
- If the target version of Exchange is 2000/2003 AND you need to migrate mailbox permissions (full-access permissions for shared mailboxes) or desire to use the Associated External Account feature, you must install the Exchange 2003 System Manager on the migration host. Associated External Account is used for a Resource Forest in which users will continue to logon to their current domain, but their mailbox will exist in an external domain and forest.

We also recommend downloading the very useful MFCMAPI tool to use when troubleshooting MAPI issues and to gain access to migrated mailboxes without needing to roll back the changes. You can download the tool here: http://mfcmapi.codeplex.com

Domain Membership
The migration host should be a member of the target domain where the target Exchange Servers are located. This is a logical requirement. In most cases it is preferable to have the migration host(s) physically located in the source data-center for performance reasons (there are many operations in the migration that are non-data operations, and having those occur local to the source reduces the overall time of the migration).

Note: If the migration host will physically exist in an IP network that is different than the target, you must configure your target environment's AD Sites/Subnets to include this remote network. Many of Microsoft's tools and APIs require proper AD site configurations. A common scenario that exhibits this need is when the source environment is connected to the target by a WAN or VPN. Many times the source environment is separate from the target and does not have IP subnets listed in the target's AD. Review this Microsoft article for more detailed information: Understanding Sites and Subnets (TECHNET)

Recommended Configuration Changes
The migration host should be treated as a dedicated and stand-alone computer specific to the migration. It is better to use the term "appliance" than "server" when referring to the migration host, as such classification may make it easier to deploy in tightly controlled environments and change control patterns. Adding other roles, services, or software packages can destabilize the host, interfere with the Priasoft tools, or hinder performance. The following is a list of recommended configuration settings for the host to ensure its consistency throughout the migration.
- Treat each migration host as a purpose-built appliance in your data-center versus a user desktop. However, avoid over securing this machine, as such a practice will likely create issues and/or bottlenecks.
- Create the host from a default install of the OS. Avoid using standard images, as those often have settings that are counter to performance and usability of the migration.
- Turn off User Account Control (UAC).
- Exclude from Group Policy. This is recommended because a computer policy can implement things like firewalls and anti-virus software that can interfere with the migration. Furthermore, group policy objects are often managed without consideration to specific machines with specific purposes. We have seen many cases where migrations execute successfully, but midway through the process, issues occur because of a change to a group policy.
- Disable virus scanners on the migration host.
- Disable automatic updates. Most commonly, the Microsoft Windows Update service; less commonly, 3rd party updaters. Note that even on Windows Server 2008, Windows Update is enabled by default. You don't want this machine to automatically reboot in the middle of a migration!
- Remove all cached credentials. Cached credentials override other credentials you may use and can cause unexpected results. If cached credentials are needed, Priasoft Support will guide you thru the setup and use of such. Cached credentials can be reviewed by running this command from Start -> Run: rundll32.exe keymgr.dll, KRShowKeyMgr

- Set Windows performance to "Programs" with regards to processor scheduling (FYI: Windows Server defaults to "Background services").
- Install the Priasoft products on a local drive (versus some network drive).

Networking Recommendations
- Leave IPv6 enabled. We have recently seen many customers uncheck the box for IPv6 on their network adapters. Unfortunately, it is not enough to uncheck the box. There is also a registry setting that must be employed, and a reboot following such, to properly disable IPv6. There is no harm to having IPv6 enabled on the migration host, and for simplicity we recommend leaving it enabled.
- Use a static IP. We have seen customers have migration problems due to changes in DHCP scopes which cause the migration computer to receive a new IP address and ultimately place it in a different AD site than before. It's best to avoid this situation by using a static IP.
- Use static DNS suffixes. The migration computer should have static DNS suffixes added for each target and source domain. List the source domain's DNS suffixes first, followed by the target domains. Be sure to include base domains if you have them (e.g. Exchange is in corp.company.com and there is an empty root of company.com; add both, with the more specific domains at the top).
- Use static DNS servers. Ideally, the DNS servers used should be servers in the target forest that have forwarders to the source forest. If your DNS servers do not have forwarders, you should add the DNS servers for your source forest in your IPv4 configuration.
- Enable NetBIOS over TCP. MAPI (and some Windows functions like SID to Username lookups) still uses RPC and NetBIOS to communicate.
- Disable local firewall software.
- Disable (or remove, if possible) any virtual machine network adapters. These are usually seen on physical machines that have a VM solution installed locally (like a VMware host). If this host is itself a VM, you should only have a single network adapter.
- When migrating to or from Office365, use the Priasoft Endpoint Testing Tool to validate that GeoDNS is providing the nearest Microsoft endpoint. Not using the nearest Microsoft endpoint will slow down the migration. Network latency (due to distance) is the biggest influencer to migration speed. If the testing tool reports a better endpoint, a CNAME record should be created on the local DNS servers (hosts files should NOT be used).
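The following script is an added example (not Priasoft's code) that audits the local migration host against the networking recommendations above: a single IP-enabled adapter, static IP, static DNS servers, source-before-target DNS suffixes, NetBIOS over TCP, and IPv6 left enabled. It uses only WMI and the registry so it runs under PowerShell 2.0 on Windows 7 / 2008 R2; the two suffix lists are placeholders for your own source and target domains.

```powershell
# Added example, not Priasoft's code: audit the local migration host's network settings
# against the recommendations above. The suffix lists are placeholders; replace them with
# the DNS suffixes of your source and target domains (most specific first, as the document says).
$SourceSuffixes = @('corp.source.example', 'source.example')   # placeholder values
$TargetSuffixes = @('corp.target.example', 'target.example')   # placeholder values

$findings = @()
function Add-Finding([string]$Check, [bool]$Ok, [string]$Detail) {
    $status = if ($Ok) { 'OK' } else { 'REVIEW' }
    $script:findings += New-Object PSObject -Property @{ Check = $Check; Status = $status; Detail = $Detail }
}

# Only IP-enabled adapters count; the document wants exactly one on a migration VM.
$nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
Add-Finding 'Single IP-enabled adapter' ($nics.Count -eq 1) `
    ("$($nics.Count) adapter(s): " + (($nics | ForEach-Object { $_.Description }) -join '; '))

foreach ($nic in $nics) {
    $name = $nic.Description

    # Static IP: a new DHCP lease can move the host into a different AD site mid-migration.
    Add-Finding "Static IP on $name" (-not $nic.DHCPEnabled) ("IP = " + ($nic.IPAddress -join ','))

    # Static DNS servers (target-forest servers with forwarders to the source, or both sets listed).
    $dns = @($nic.DNSServerSearchOrder)
    Add-Finding "Static DNS servers on $name" ((-not $nic.DHCPEnabled) -and ($dns.Count -gt 0)) `
        ("DNS = " + ($dns -join ','))

    # NetBIOS over TCP: 0 = take the DHCP setting, 1 = enabled, 2 = disabled. MAPI/RPC lookups need it.
    $nb = [int]$nic.TcpipNetbiosOptions
    Add-Finding "NetBIOS over TCP on $name" ($nb -eq 1) "TcpipNetbiosOptions = $nb (1 = enabled)"

    # DNS suffix search list: every source and target suffix present, all source suffixes listed first.
    $order   = @($nic.DNSDomainSuffixSearchOrder | ForEach-Object { $_.ToLower() })
    $wanted  = @($SourceSuffixes + $TargetSuffixes | ForEach-Object { $_.ToLower() })
    $missing = @($wanted | Where-Object { $order -notcontains $_ })
    $srcIdx  = @($SourceSuffixes | ForEach-Object { [array]::IndexOf($order, $_.ToLower()) })
    $tgtIdx  = @($TargetSuffixes | ForEach-Object { [array]::IndexOf($order, $_.ToLower()) })
    $srcLast  = ($srcIdx | Measure-Object -Maximum).Maximum
    $tgtFirst = ($tgtIdx | Measure-Object -Minimum).Minimum
    $ok = ($missing.Count -eq 0) -and ($srcLast -lt $tgtFirst)
    Add-Finding "DNS suffix order on $name" $ok `
        ("Search list = " + ($order -join ',') + "; missing = " + ($missing -join ','))
}

# IPv6: unchecking the adapter box is not a full disable; this registry value is what counts.
$v6 = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' `
        -Name DisabledComponents -ErrorAction SilentlyContinue
$v6Val = if ($v6) { [int64]$v6.DisabledComponents } else { 0 }
Add-Finding 'IPv6 left enabled' ($v6Val -eq 0) "DisabledComponents = $v6Val (0 or absent = enabled)"

$findings | Format-Table Check, Status, Detail -AutoSize
```

Run it in an elevated PowerShell session on the migration host; every line reported as REVIEW maps to one bullet in the list above.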

Network Name Resolution
Priasoft's solutions (and many of Microsoft's APIs) rely on proper name resolution. The following 3 tests should be run on each migration host for each Exchange server (CAS/HTS/MBX) and domain controller in the source and target involved in the migration. In addition, if the target is Exchange 2010, these tests should be run from each Exchange server as well. This is due to the fact that PowerShell commands are run locally on the Exchange server via Remote PowerShell (aka WinRM). The Exchange servers must be able to resolve servers in the source environment.

1. Nslookup server_short_name
   a. Success should report the IP address(es) and the FQDN of the server
   b. Short name is important
   c. Failure typically means that the DNS suffix is missing for the domain of the server
   d. Failure could also mean improper DNS setup; review the DNS server (as seen from ipconfig /all)
2. NBTSTAT -a ip.address.returned.from.nslookup
   a. Success should show a NetBIOS name table with a '<00> GROUP' record matching the expected domain
   b. IP address is important to avoid 'cached' lookups
   c. IP address lookup also causes an RPC connection to the IP, which helps validate that RPC communication is working properly to that specific host
   d. Failure here typically means that NetBIOS is not enabled:
      i. Not enabled on the migration computer, OR
      ii. Not enabled on the server (check both)
   e. Failure can also mean an issue with DNS (or WINS, if installed and available)
   f. MAPI is an RPC based protocol and relies heavily on NetBIOS resolution
3. Net view \\server_short_name (this might fail with 'Access Denied', which is OK; any other error result is a problem)
   a. Success should show 'Shared resources at \\server_short_name' and a listing of shares (if any)
   b. This tests that NetBIOS resolution actually works
   c. This test also helps identify the server type:
      i. DCs will report a NETLOGON share
      ii. Mailbox Servers (NOT CAS/HTS) will show an Address share
      iii. CAS-only/HTS-only servers will show no shares (by default)
   d. Odd or unexpected results here can be indicative of an issue; contact us if you have an unexpected result

Access and Permissions
In order to migrate successfully, specific permissions to resources have to be configured. The Setup Tasks later in this document provide a detailed, step-by-step process for configuring permissions in the source and target environments. There are 2 main categories of permissions that are covered by the Setup Tasks:
- Mailbox Content
- Active Directory
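As an added example (not Priasoft's code), the function below runs the three Network Name Resolution tests above for a list of servers and interprets the output the way that section describes: nslookup by short name, nbtstat -a against the returned IP, and net view where 'Access Denied' still counts as a successful resolution. It assumes the standard Windows nslookup.exe, nbtstat.exe and net.exe; the server names in the usage line are placeholders.

```powershell
# Added example, not Priasoft's code: automate the three name-resolution tests for one server.
function Test-MigrationNameResolution {
    param([Parameter(Mandatory = $true)][string]$ShortName)

    $r = New-Object PSObject -Property @{
        Server = $ShortName; Fqdn = $null; Address = $null; NetBiosDomain = $null
        Nslookup = 'FAIL'; Nbtstat = 'SKIPPED'; NetView = 'FAIL'; Role = 'unknown'
    }

    # 1. nslookup by SHORT name: exercises the DNS suffix search list, not a typed-in FQDN.
    $ns = (& nslookup.exe $ShortName 2>&1) | Out-String
    $idx = $ns.IndexOf('Name:')
    if ($idx -ge 0) {
        # Text before 'Name:' describes the DNS server itself; the answer for our host follows it.
        $answer = $ns.Substring($idx)
        $r.Fqdn = (($answer -split "`n")[0] -replace '^Name:\s*', '').Trim()
        $ips = @([regex]::Matches($answer, '\b\d{1,3}(?:\.\d{1,3}){3}\b') | ForEach-Object { $_.Value })
        if ($ips.Count -gt 0) { $r.Nslookup = 'OK'; $r.Address = $ips[0] }
    }
    if ($r.Nslookup -ne 'OK') { $r.Nslookup = 'FAIL (check DNS suffix list / DNS servers in ipconfig /all)' }

    # 2. nbtstat -a by IP (not name) so a cached entry cannot mask a broken NetBIOS path;
    #    the RPC connection this makes to the host is itself part of the test.
    if ($r.Address) {
        $nb = (& nbtstat.exe -a $r.Address 2>&1) | Out-String
        if ($nb -match '(?m)^\s*(\S+)\s+<00>\s+GROUP') {
            $r.Nbtstat = 'OK'; $r.NetBiosDomain = $matches[1]
        } else {
            $r.Nbtstat = 'FAIL (NetBIOS over TCP off on one side, or a DNS/WINS issue)'
        }
    }

    # 3. net view by short name: proves NetBIOS resolution works and hints at the server role.
    $nv = (& net.exe view ('\\' + $ShortName) 2>&1) | Out-String
    if ($nv -match 'Shared resources at') {
        $r.NetView = 'OK'
        if ($nv -match '(?m)^NETLOGON\s')    { $r.Role = 'Domain Controller (NETLOGON share)' }
        elseif ($nv -match '(?m)^Address\s') { $r.Role = 'Mailbox server (Address share)' }
        else                                 { $r.Role = 'CAS/HTS-only or non-Exchange (no default shares)' }
    } elseif ($nv -match 'Access is denied') {
        $r.NetView = 'OK (Access Denied, but the name resolved)'
    } else {
        $r.NetView = 'FAIL'
    }
    return $r
}

# Usage: run from each migration host against every Exchange server and DC involved (placeholder names).
'DC01', 'EX01', 'CAS01' | ForEach-Object { Test-MigrationNameResolution $_ } |
    Format-Table Server, Fqdn, Address, NetBiosDomain, Nslookup, Nbtstat, NetView, Role -AutoSize
```

For an Exchange 2010 target, run the same list from each Exchange server as well, since Remote PowerShell executes there.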

Mailbox Content Permissions
Access to mailbox content uses the aforementioned MAPI protocol (which is RPC based, even when using Outlook Anywhere). The nature of this type of connection is that authentication to resources (e.g. mailboxes) is based off of the currently logged in user (or matching Cached Credentials). Consider further that by design the migration of a mailbox is done by connecting to the source mailbox AND the target mailbox simultaneously. Priasoft circumvents issues in this pattern with exclusive technology that allows discrete in-line authentication per mailbox. This removes the necessity to have a trust or cached credentials (Windows Credential Manager) for accessing data. The Priasoft tools will prompt for MAPI credentials and will optionally allow for encrypted storage of these credentials for re-use.

Additionally, and differently than Outlook, Priasoft attempts to access a user's mailbox with a flag that requests "Admin Privileges" to the mailbox. In order to open a mailbox with this privilege, one must connect to a mailbox normally first, then "jump" to the requested mailbox with the "Admin" flag. Priasoft's approach to this is to connect to a System Mailbox (see Exchange Special Mailboxes) first, then "jump" to the user's mailbox from there. Every Exchange database has a corresponding System Mailbox. If the System Mailbox is missing, migrations from or to the mailbox's database will not succeed. Accessing a mailbox using "Admin Privileges" allows the migration application to access ALL content of a user's mailbox, regardless of any folder-level security a user or other admin may have placed on a folder. This also provides a slight performance improvement over other operations since normal user checks are bypassed.

From a permissions standpoint this means that the account used to authenticate the logon must be able to logon and open System Mailboxes. It is for this reason that you cannot just apply permissions to end user mailboxes but must apply inheriting permissions in the Exchange system. Secondly, the ability to "jump" to another mailbox and request "Admin Privileges" also requires specific permissions. The permissions that allow this behavior are, respectively, Receive-As (for mailbox access) and Administer Information Store (for jumping with Admin Privileges).

There are only 4 Active Directory object types in the Microsoft Exchange Configuration Hierarchy for which these 2 permissions can be applied:
- The Exchange Organization object (LDAP object class: msexchorganizationcontainer). This is the top-most object at which you can apply the required permissions. It is recommended to apply permissions here and allow them to inherit to all sub-objects so that changes to the environment (a new database, for instance) will automatically be accessible to the migration applications.
- An Administrative Group (LDAP object class: msexchadmingroup). Note that as of Exchange 2007, the ability to create multiple administrative groups was removed. The structural elements still exist and there is only a single admin group. You will not see Administrative Groups except from an LDAP editor like ADSIEDIT in Exchange 2007 or later. This object can inherit permissions from the Organization object.
- An Exchange Server (LDAP object class: msexchexchangeserver). This object can inherit permissions from the Administrative Group or Organization object. Note that Ex2010 and later do not have databases as children of a server. Applying permission at a server level will also require permissions at a database level.
- An Exchange Database (LDAP object class: msexchprivatemdb). Note that as of Exchange 2010, databases are no longer sub-objects under a server. This means that applying permissions at a server level will not inherit to a database and thus cannot be used effectively for permissions.

[Figure: Typical Exchange 2010 Config Hierarchy]

Given these 4 object types, the importance of AD permission inheritance and its effect should be understood. Priasoft has, over time, encountered environments in which inheritance is blocked at one or more locations in the Exchange object hierarchy (in the Configuration partition of AD). After applying permissions as outlined in the Setup Tasks below, you should validate that the applied permissions have indeed inherited to the database(s) to which or from which you will migrate. It is an absolute requirement that the appropriate permissions be evidenced on the databases that will be involved in the migration. If, upon inspection, you find that the migration account is not listed on a database, you may have some level of permission inheritance being blocked by a parent (or parent's parent, etc.) container.

A common mistake that makes it appear as if there is blocked inheritance is when the specific account is not set to cascade down to sub-objects. Often (depending on the version and service pack of Windows) the default when adding a new account to the security of an object in AD is set to "This object only". After adding an account, you should review the account's inheritance from the "Advanced" options in the standard Windows security dialog and ensure that an appropriate setting is chosen that causes the account (and its permissions) to flow down to all sub-objects. Notice the difference in the "Apply to:" option in the following two dialogs:

[Figure: Incorrect "Apply To:" dialog beside Correct "Apply To:" dialog]

In order for the permissions given to admin@migrationserveraccount.com (as referenced in the above dialog) to be applied to the necessary databases (and mailboxes on the database), you must ensure that the correct "Apply to:" setting is used.

Lastly, please avoid setting permissions on the Exchange objects listed above using groups. Although from a technical standpoint such will work, there is increased risk of changes to the group for which you, as a migration admin or architect, may not receive notification or the chance to evaluate the impact. It is very important to note the fact that it only takes a single DENY permission on a group to cause migration problems; in Active Directory, DENY permissions override allow permissions, even if you explicitly assign an allow permission on an object. Furthermore, the DENY is true for ANY GROUP you are a member of, whether directly or indirectly (remember that groups can be members of other groups and so on).

Active Directory Permissions
In addition to mailbox content, Priasoft also handles the appropriate aspects for which Active Directory plays a role. For instance, an AD user object has many properties that identify the mailbox database to which the user is associated and holds all the user's email addresses (including the primary SMTP address). The migrator will collect certain properties from the source AD user object and merge or copy them to the target AD user object. These operations provide the highest level of post-migration transparency to your end users. Additionally, the migrator will make changes to objects in the source directory in order to remove that mailbox from use; this prevents a user from making changes to the mailbox after it's been migrated and prevents others from sending mail to the old mailbox. Also, based on an option, the migrator can create a forwarding object in the source directory to provide a consistent Address Book to those who have not migrated.

The migrator also needs permission to create a new container named Priasoft in the source and target directory. This container will be located in the Configuration partition of AD at the following path: Configuration > Services > Microsoft Exchange > [Your Exchange Org Name] > Priasoft. This container provides a Read+Write location in AD for the Priasoft tools. This allows synchronization of configuration information between instances of Priasoft's tools and between instances running on multiple hosts.
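The function below is an added example (not Priasoft's code) of the validation the Mailbox Content Permissions discussion above calls for: from the Exchange Management Shell it checks every mailbox database for the migration account's Receive-As and Administer Information Store rights, reports whether each arrived by inheritance (so nothing higher in the hierarchy is blocking it), counts only rights granted to the account itself rather than through a group, and lists every Deny entry on the database. It assumes Exchange 2010 or later cmdlets (Get-MailboxDatabase, Get-ADPermission) and that those two extended rights display as 'Receive-As' and 'ms-Exch-Store-Admin'; 'CORP\svc-migration' is a placeholder account name.

```powershell
# Added example, not Priasoft's code: verify the migration account's rights on each mailbox database.
function Test-MigrationDatabaseRights {
    param([Parameter(Mandatory = $true)][string]$Account)

    # Extended-right names as Get-ADPermission shows them (assumption; see lead-in).
    $required = @('Receive-As', 'ms-Exch-Store-Admin')

    foreach ($db in Get-MailboxDatabase) {
        $allow  = @{}   # right name -> $true if inherited, $false if set directly on the database
        $denies = @()   # every Deny on the database, for any principal (groups included)

        foreach ($ace in Get-ADPermission -Identity $db.DistinguishedName) {
            $rights = @($ace.ExtendedRights | ForEach-Object { $_.ToString() })
            if ($ace.Deny) {
                # A Deny on any group the account belongs to also breaks the migration, so every
                # Deny is listed for manual review of group membership.
                foreach ($right in $rights) { $denies += ($ace.User.ToString() + ':' + $right) }
                continue
            }
            # Count only rights granted to the account directly, per the advice against using groups.
            if ($ace.User.ToString() -ne $Account) { continue }
            foreach ($right in $rights) {
                if ($required -contains $right) { $allow[$right] = [bool]$ace.IsInherited }
            }
        }

        $missing      = @($required | Where-Object { -not $allow.ContainsKey($_) })
        $notInherited = @($allow.Keys | Where-Object { -not $allow[$_] })
        $status = 'OK'
        if ($missing.Count -gt 0)          { $status = 'REVIEW: missing ' + ($missing -join ', ') }
        elseif ($denies.Count -gt 0)       { $status = 'REVIEW: Deny entries present' }
        elseif ($notInherited.Count -gt 0) { $status = 'OK (set directly on the database, not inherited)' }

        New-Object PSObject -Property @{
            Database    = $db.Name
            ReceiveAs   = $allow.ContainsKey('Receive-As')
            StoreAdmin  = $allow.ContainsKey('ms-Exch-Store-Admin')
            Inherited   = ($missing.Count -eq 0) -and ($notInherited.Count -eq 0)
            DenyEntries = ($denies -join '; ')
            Status      = $status
        }
    }
}

# Usage (placeholder account): a database with Inherited = False and missing rights points at a
# blocked-inheritance container or an "Apply to: This object only" entry higher in the hierarchy.
Test-MigrationDatabaseRights -Account 'CORP\svc-migration' |
    Format-Table Database, ReceiveAs, StoreAdmin, Inherited, Status, DenyEntries -AutoSize
```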

As such, these require certain access to the source and target directory. Typically, the migrator and many of the other Priasoft tools require the following abilities:
- LDAP Search operations, both against Domain Controllers and Global Catalogs
- Object binding, in order to read or write attributes
- Object creation: in the source AD, we may need to create Contacts to forward mail; in the target AD, we may need to create a new user account
- Object modification (related to object binding)
- Object deletion: in the source AD, during rollback, we attempt to delete the forwarding contact; in the target AD, we attempt to purge old Dry-Run objects

If you analyze these abilities, you can quickly see that we need READ, WRITE, CREATE, DELETE, and SEARCH permissions. As such, the easiest and most recognizable way to grant these permissions is by using an account that is a member of the Domain Admins (or Enterprise Admins for multi-domain forests) group. Often, and especially during a merger/acquisition consolidation, the initial reaction to this request is high resistance. The intent of this section of the document is to provide the necessary justification for this level of permission.

It should also be noted that although the tools may use an account with high level permissions, none of Priasoft's tools provide a "backdoor" to any dangerous management routines (e.g. you cannot delete a user account using Priasoft's tools). Priasoft fully understands the importance of security and the risks associated with Domain Admin permissions, which is why our migration tools do not provide AD or Exchange Management capabilities. As noted above, under the Mailbox Permissions section, you are welcome to experiment with more granular permissions, but note that Priasoft provides limited support for such and attempting to "over secure" the environment will likely cause project milestones to slip and increase the project length.

Setup
Priasoft has provided a setup wizard to configure service accounts to be used by the migration tools. The setup wizard is a detailed, guided tool that will explain each step and provide confirmation before continuing. The setup wizard is found after installing the Priasoft Migration Suite as a Start Menu shortcut with the name: Priasoft Migration Setup Utility.

The use of this wizard provides many benefits, both for security protection and compatibility. While it is possible to configure the accounts manually, support is provided when the setup tool is used. From a security point of view, the setup wizard provides the following advantages over manually built accounts:
- The accounts created are named using domain specific details and thus could not be guessed by an attacker. This protects the service accounts from being re-used for means other than the intended purpose.
- The accounts are initially created in the built-in Users container in AD. The Users container is not an Organizational Unit and as such is excluded from GPOs that are built to inherit down through a container structure. This protects the service accounts from accidentally being added to or removed from groups, or permissions being adjusted by a GPO in such a way as to interfere with a migration.
- The passwords created are extremely complex and are calculated from domain specific details, such that only someone already with sufficient access to the domain would even have a chance of determining the password. Furthermore, Priasoft is not able to reverse engineer the password without access to the domain. This level of security ensures that highly privileged service accounts cannot be used for alternate purposes and, since no person will or can know the password, is actually more secure than a manually built account.
- The setup wizard will request the use of a highly privileged account to be used during the setup, but NO ABILITY to save the credentials of this account is provided. This protects an enterprise by not caching credentials for a known admin account.
- The accounts created by the setup tool are stored in Priasoft's encrypted credential store, on the migration host. The Priasoft tools can only use the data after successfully accessing the domain (in order to recalculate the service account password). As such, Priasoft's credential store is highly secure and provides enterprise level protections not seen in other tools:
  - The stored credentials can ONLY be used by Priasoft's tools. Other tools, like AD Users and Computers, PowerShell, and scripts, cannot use the Priasoft credential store.
  - Priasoft's tools, by design, do not provide any administration functions, neither purposely nor accidentally, and thus the credentials cannot be used in ways not intended. There are no abilities to delete or modify objects thru any dialog or scripting provided by the Priasoft Migration Suite.
  - The stored credentials can be copied from one migration host to another; however, because the passwords and usernames of the accounts are domain specific, they cannot be used to access domains for which they were not configured. This removes a security hole found in other tools where a credential used in a test environment or other system is copied and pasted and reused in a production environment.
  - Administrators do NOT lose control over access to the environment. At any time an administrator can disable any of the Priasoft created service accounts to block access.

The setup wizard, in addition to creating the service accounts required for migration, also sets proper permissions on Exchange databases, throttling policies (where appropriate), and Office 365 Tenants. The goal and purpose of the setup wizard is to ensure that all aspects of environment configuration are completed and validated, thereby ensuring that the first execution of a migration does not face permissions or environmental configuration headaches. The setup wizard must be run once for EACH source and/or target environment that will participate in the migration.

The Setup Wizard

Start Menu Item

Environment Setup (on-premises)

1. Welcome Screen

2. Version Selection
Note that this wizard must be run once for EACH source and target environment.

3. Environment Master Credentials
This page requires the use of a highly privileged account (Domain or Enterprise Admin) and is used to create the service accounts and to set the permissions on them. This account is not stored and cannot be saved in the Priasoft tools. In a multi-domain forest, this account will often need to be an Enterprise Admin account, because it is likely that the Exchange server objects are in the root domain while the user accounts are in a child domain. Additionally, in a multi-domain environment, the Domain Controller used here should be one for the domain that holds the user accounts. If multiple user domains exist, this wizard will need to be run once for each user domain.

The Enable Web Request button causes a temporary web server (on a random port) to be created, through which a remote administrator can pass the credentials back to the host without having to log on directly to the migration host. The credentials are sent back to the host using what this page describes as RSA 128-bit encryption to protect the credential; since 128 bits is a symmetric-cipher key size rather than a practical RSA modulus size, confirm the actual algorithm and key length with Priasoft support before relying on this transport. This feature further enhances the security of the system, since a key-logger or other tool on the migration host would be unaware of the data coming into the application. Once the credential is received, the web service is torn down and is no longer available.

4. Create LDAP Account
This page creates or updates a domain-specific account used for accessing and working with Active Directory objects. The account name starts with: PS-LDAP-SA. The characters after the prefix are data specific to the domain.

5. Domain Controller Selection
This page requires the selection of one or more DCs (using the left-most checkbox column) to be cached in the Priasoft credential store. When running other Priasoft tools, one can simply browse the credential store for the selected server(s) and select one for use. The DCs chosen should preferably be those in the same AD site as the Exchange servers, if possible.
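To pick well-placed DCs for the Domain Controller Selection page, the following added example (written for this editing pass, not part of the Priasoft documentation or its tools) reads the Exchange server objects from the forest-wide Configuration partition, derives the AD site of each from its msExchServerSite attribute, and lists the domain controllers in those sites for every domain in the forest, so that in a multi-domain forest a DC from the user domain can be chosen. It assumes the ActiveDirectory RSAT module is installed and the caller has read access to the Configuration partition.

```powershell
# Added example: list domain controllers that share an AD site with the
# Exchange servers. Not Priasoft code; assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext

# Exchange server objects live under CN=Microsoft Exchange,CN=Services in the
# Configuration partition. msExchServerSite holds the DN of the server's AD
# site; serialNumber holds the Exchange version string (useful for the
# "Exchange Versions" page later in the wizard).
$exchServers = Get-ADObject -SearchBase "CN=Microsoft Exchange,CN=Services,$configNC" `
    -LDAPFilter '(objectClass=msExchExchangeServer)' `
    -Properties msExchServerSite, serialNumber

if (-not $exchServers) { throw "No Exchange server objects found in $configNC" }

$siteNames = $exchServers |
    Where-Object { $_.msExchServerSite } |
    ForEach-Object { (Get-ADObject -Identity $_.msExchServerSite).Name } |
    Sort-Object -Unique

$forestDomains = (Get-ADForest).Domains

foreach ($site in $siteNames) {
    $exchInSite = $exchServers | Where-Object { $_.msExchServerSite -like "CN=$site,*" }
    Write-Host "Site '$site' hosts Exchange servers:"
    $exchInSite | Select-Object Name, serialNumber | Format-Table -AutoSize

    # Get-ADDomainController only searches one domain per call, so query each
    # domain in the forest; the Domain column tells you which DCs belong to the
    # user domain the wizard should be pointed at.
    Write-Host "Domain controllers in site '$site':"
    foreach ($domain in $forestDomains) {
        Get-ADDomainController -Server $domain -Filter "Site -eq '$site'" -ErrorAction SilentlyContinue |
            Select-Object HostName, Domain, IsGlobalCatalog, OperatingSystem
    } | Format-Table -AutoSize
}
```

If a site lists no DC for the user domain, the nearest site (by site-link cost) is the next best choice; prefer a global catalog when the Exchange org and user accounts sit in different domains.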

6. Priasoft Configuration Container
The Priasoft Migration Suite uses a container named Priasoft in AD to store configuration details used by the Priasoft tools. The container is stored as a child of the Exchange Org object in the Configuration partition of AD. This is the only container to which the service accounts have write access; all other objects in the Configuration partition are accessible only with read and search permissions.

7. MAPI Account
This page creates the service account used to access mailboxes and public folders in the source environment. The account name is specific to the domain and starts with: PS-MAPI-SA.
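The properties claimed above (accounts created in the Users container, write access limited to the Priasoft container, and an administrator's ability to disable the accounts at any time) can be verified from any domain-joined host. The following added script (written for this editing pass; it is not Priasoft's code and does not use the Priasoft credential store) locates the accounts by the documented PS-LDAP-SA and PS-MAPI-SA prefixes, reports their location, group membership and logon data, walks the Exchange organization subtree of the Configuration partition to list every write-type ACE granted to them, and, with -Disable, disables them. It assumes the ActiveDirectory module; the Priasoft container name is taken from the text above and the set of rights treated as "write" is the script's own choice. Extended rights such as Receive-As, which the Exchange Permissions page grants on databases, are deliberately not counted as write access.

```powershell
# Added example: audit (and optionally disable) the Priasoft-created service
# accounts. Not Priasoft code; assumes the ActiveDirectory module.
param(
    [string[]]$Prefixes = @('PS-LDAP-SA', 'PS-MAPI-SA'),   # documented prefixes
    [switch]$Disable                                        # documented admin control
)
Import-Module ActiveDirectory

$domain      = Get-ADDomain
$configNC    = (Get-ADRootDSE).configurationNamingContext
$exchOrgBase = "CN=Microsoft Exchange,CN=Services,$configNC"

$ldapFilter = '(|' + (($Prefixes | ForEach-Object { "(sAMAccountName=$_*)" }) -join '') + ')'
$accounts = @(Get-ADUser -LDAPFilter $ldapFilter -Properties MemberOf, LastLogonDate, PasswordLastSet)
if (-not $accounts) { Write-Warning "No accounts matching $($Prefixes -join ', ') found."; return }

foreach ($acct in $accounts) {
    [pscustomobject]@{
        Account          = $acct.SamAccountName
        Enabled          = $acct.Enabled
        InUsersContainer = $acct.DistinguishedName -like "*,CN=Users,$($domain.DistinguishedName)"
        Groups           = ($acct.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join '; '
        PasswordLastSet  = $acct.PasswordLastSet
        LastLogonDate    = $acct.LastLogonDate
    } | Format-List
    if ($Disable) {
        Disable-ADAccount -Identity $acct
        Write-Host "Disabled $($acct.SamAccountName)"
    }
}

# Rights that change directory state. ExtendedRight (e.g. Receive-As on
# databases) is intentionally excluded; read/list rights are expected everywhere.
$writeRights = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, WriteDacl, WriteOwner, CreateChild, DeleteChild, Delete, DeleteTree, GenericWrite, GenericAll'

# Get-Acl reports identities as DOMAIN\name.
$identities = $accounts | ForEach-Object { "$($domain.NetBIOSName)\$($_.SamAccountName)" }

Write-Host "`nWrite-type ACEs for these accounts under $exchOrgBase (can take a while on large orgs):"
Get-ADObject -SearchBase $exchOrgBase -SearchScope Subtree -Filter * |
    ForEach-Object {
        $dn = $_.DistinguishedName
        (Get-Acl -Path "AD:\$dn").Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $identities -contains $_.IdentityReference.Value -and
                ($_.ActiveDirectoryRights -band $writeRights) -ne 0
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Object    = $dn
                    Identity  = $_.IdentityReference.Value
                    Rights    = $_.ActiveDirectoryRights
                    Inherited = $_.IsInherited
                    # Per the documentation, only the Priasoft container (and
                    # anything beneath it) should appear here; anything else is a finding.
                    Expected  = ($dn -like '*CN=Priasoft,*')
                }
            }
    } | Format-Table -AutoSize
```

Any row with Expected = False is a deviation from the documented permission model and is worth raising with the vendor before the accounts are used for a production migration.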

8. Exchange Versions
This page shows the versions of Exchange Server found in Active Directory. Select the versions of Exchange to/from which mailboxes will be migrated. Additionally, if there are public folders to be migrated, that option should also be checked. The versions of Exchange selected determine which servers are shown on the next page for setting permissions.

NOTE: If the source version of Exchange selected is Exchange 2010 or higher, a page will be shown to configure throttling policies so that the service accounts created are not limited in performance.

9. Exchange Permissions
This page is used to configure the specific MAPI/Exchange permissions based on the version(s) selected on the previous page. It is possible to set permissions on only a single database, on a server, or on the entire Exchange Organization. It is HIGHLY recommended to set the permissions at the Organization level, so that if new servers or databases are added to the environment after setup, the permissions are inherited automatically from the Org. It is quite common to create a dry-run database after setup, and if a setting other than Exchange Org level is used, the setup wizard may need to be re-run to apply the permissions to the dry-run database.

NOTE: the tool may prompt for permission to apply permissions to specific servers or databases if inheritance has been blocked in the container structure.
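The inheritance point above is easy to check after the wizard has run. The following added example (written for this editing pass, not Priasoft's code) runs in the Exchange Management Shell, finds the MAPI service account by its documented prefix, and for every mailbox database reports whether the account holds the mailbox-access right and whether that entry is inherited, which is what Org-level assignment should produce. A database with no entry (for example a dry-run database created after setup, or one under a container where inheritance is blocked) is flagged so the wizard can be re-run. Receive-As is assumed as the right to look for, because it is the standard right for opening other users' mailboxes over MAPI; the page does not name the exact rights the wizard sets, so substitute those if they differ. The throttling policy association check at the end applies to Exchange 2010 and later only.

```powershell
# Added example for the Exchange Management Shell: verify per-database
# mailbox-access rights and throttling policy for the MAPI service account.
# Not Priasoft code. Receive-As is an ASSUMED right; adjust if the wizard
# granted something else.
param(
    [string]$ServiceAccountPrefix = 'PS-MAPI-SA'   # documented prefix; suffix is domain-specific
)

$sa = Get-User -Filter "Name -like '$ServiceAccountPrefix*'" | Select-Object -First 1
if (-not $sa) { throw "No account starting with $ServiceAccountPrefix found." }
Write-Host "Checking rights for $($sa.SamAccountName)"

$results = foreach ($db in Get-MailboxDatabase) {
    # Get-ADPermission lists the AD ACL on the database object; filter to the
    # service account's Allow entries carrying the Receive-As extended right.
    $aces = Get-ADPermission -Identity $db.DistinguishedName -User $sa.Identity -ErrorAction SilentlyContinue |
        Where-Object { -not $_.Deny -and ($_.ExtendedRights -like '*Receive-As*') }
    [pscustomobject]@{
        Database  = $db.Name
        Server    = $db.Server
        HasRight  = [bool]$aces
        Inherited = (@($aces | ForEach-Object { $_.IsInherited }) -contains $true)
    }
}
$results | Format-Table -AutoSize

$missing = @($results | Where-Object { -not $_.HasRight })
if ($missing) {
    Write-Warning ("Databases without the right (re-run the setup wizard or check blocked inheritance): " +
                   ($missing.Database -join ', '))
}
$explicit = @($results | Where-Object { $_.HasRight -and -not $_.Inherited })
if ($explicit) {
    Write-Warning ("Databases with an explicit (non-inherited) entry, suggesting permissions were set below Org level: " +
                   ($explicit.Database -join ', '))
}

# Exchange 2010+: the wizard's throttling page should have associated a
# non-default policy with the service account.
$assoc = Get-ThrottlingPolicyAssociation -Identity $sa.Identity -ErrorAction SilentlyContinue
if ($assoc) {
    Write-Host "Throttling policy for $($sa.SamAccountName): $($assoc.ThrottlingPolicyId)"
    if (-not $assoc.ThrottlingPolicyId) {
        Write-Warning "Account is on the default throttling policy; migration throughput may be limited."
    }
}
```

Re-run the script after creating a dry-run database: with Org-level assignment the new database should show HasRight = True and Inherited = True without any further wizard run.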

Environment Setup (Office 365)

The setup wizard supports both Office 365 and on-premises migration patterns, and even supports cases where both occur simultaneously (mergers and acquisitions may drive this pattern more than others).

1. Office 365 Tenant Credentials
The credentials entered here should be those of a Global Administrator of the tenant. The credential can be requested from a remote administrator using the Enable Web Request feature, and the credentials provided can be saved in the Priasoft credential store. Note that clicking Next will set up connections to Office 365 and Azure AD via PowerShell and may take a few minutes to return.

2. Global Admin Selection/Creation
This page allows for the creation/update of a Global Admin account, or for the use/preparation of the GA account used on the previous page. In either case, the account's status and its assignment to the proper roles are validated so that the account can be used for migrations. It is highly recommended to let the tool create a new Global Admin account for use by the tools. Unlike the on-premises master credential, this Global Admin credential is saved in the credential store on the migration host, so the host must be protected accordingly and the dedicated account should be disabled or removed when the migration project ends.

Note that Office 365 limits PowerShell sessions to a maximum of three per account, regardless of the host that initiates the session. For example, if an admin creates a PowerShell session on their desktop, then another on their laptop, and a third on a server they have remoted into, no more sessions can be made, and migrations would not be able to start because there are no available sessions for the user account. This also means that only three migration hosts can run concurrently using the same credential.

3. Office 365 Migration Service Accounts
A unique and market-leading feature of the Priasoft Migration Suite for Office 365 is its ability to circumvent the built-in throttling that applies when pushing data to the cloud. This page of the wizard pre-creates several service accounts that are used for logging on to the Exchange Online services and accessing Office 365 mailboxes. With this approach the tools can migrate many dozens of mailboxes concurrently without being throttled; this works because the throttling policies are attached to the logon token used to authenticate to a mailbox, not to the mailbox itself.

The service accounts created are mail-enabled users in Exchange Online (hidden from the GAL) and have a complex, calculated password, part of which uses tenant-specific details. These service accounts do NOT consume licenses. It is recommended to create 50 or more of these accounts early in the migration project, because recognition of the accounts by Exchange Online is not immediate; it can take many minutes between creation and valid use of the accounts. When building a batch for migration, a lower concurrency number can be used, but it cannot exceed the number entered here. The number can be adjusted by re-running the setup wizard.
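The following added example (written for this editing pass, not Priasoft's code) audits the Office 365 migration service accounts against the properties stated above (mail-enabled user, hidden from the GAL, unlicensed, at least 50 of them) and also shows the session hygiene that the three-sessions-per-account limit from the previous page calls for: connect once, do the work, and always disconnect in a finally block so an abandoned session does not hold one of the slots. It assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules. The naming pattern of these accounts is NOT given on this page, so the -NamePattern parameter is an assumption to be replaced with whatever the wizard actually created in the tenant.

```powershell
# Added example: audit Office 365 migration service accounts and release the
# sessions afterwards. Not Priasoft code; assumes ExchangeOnlineManagement and
# Microsoft.Graph modules. -NamePattern is an ASSUMED value.
param(
    [Parameter(Mandatory)][string]$AdminUpn,   # the dedicated Global Admin account
    [string]$NamePattern = 'PS-*',             # ASSUMED; the real pattern is tenant-specific
    [int]$ExpectedCount = 50                   # documented recommendation
)

Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false
Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome
try {
    # Documented properties: mail-enabled user, hidden from the GAL, no license.
    $mailUsers = @(Get-MailUser -ResultSize Unlimited -Filter "Name -like '$NamePattern'")

    $report = @(foreach ($mu in $mailUsers) {
        $licenses = (Get-MgUser -UserId $mu.UserPrincipalName -Property AssignedLicenses).AssignedLicenses
        [pscustomobject]@{
            Name        = $mu.Name
            HiddenInGAL = $mu.HiddenFromAddressListsEnabled   # documented: should be True
            Licensed    = (@($licenses).Count -gt 0)          # documented: should be False
        }
    })
    $report | Format-Table -AutoSize

    $usable = @($report | Where-Object { $_.HiddenInGAL -and -not $_.Licensed }).Count
    Write-Host "$usable of $($report.Count) matching accounts look as documented; $ExpectedCount recommended."
    if ($usable -lt $ExpectedCount) {
        Write-Warning "Fewer than $ExpectedCount usable accounts: batch concurrency is capped at this number. Re-run the setup wizard to add more."
    }
    if ($report | Where-Object { $_.Licensed }) {
        Write-Warning "Some accounts carry a license; the documentation says they should consume none."
    }
}
finally {
    # Always release both sessions, even on error, so the Global Admin account
    # does not accumulate orphaned sessions against its per-account limit.
    Disconnect-ExchangeOnline -Confirm:$false
    Disconnect-MgGraph | Out-Null
}
```

Because newly created accounts can take many minutes to become usable in Exchange Online, run the audit some time after the wizard completes rather than immediately.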