Archive for the ‘Migration’ Category

QMM Transmission Agent (NTA) and Robocopy

November 25, 2013

Quest Migration Manager (QMM) has its own logic to transfer (migrate) data from a source mailbox to a target mailbox: MSA –> NTA –> MTA. The latest version of QMM for Exchange supports multiple agents on a Quest Agent Host. You can have up to 10 MSAs and 10 MTAs, but the Transmission Agent (NTA) is still limited to 1 per Agent Host. This is still a huge limitation when transferring a large amount of data. Quest’s NTA still performs a single-threaded, sequential operation. Even if you have enough “available” bandwidth, this type of application cannot use all of it.

In QMM for Exchange, NTA is responsible for transferring the extracted PRV files from the Source to the Target agent servers. If NTA is the bottleneck, you can use any other mechanism to copy PRV files from the Transmission OUT folder to the Transmission IN folder. Keep in mind that you need to copy all extracted files at the same time (or in the correct order). I decided to replace NTA with Robocopy for the initial data copy. With Robocopy, you can specify up to 128 threads.

Using the following method, I have reduced the file copy time from weeks to hours!

  1. Stop Transmission Agent (NTA)
  2. Stop Mail Target Agent (MTA)
  3. Start Mail Source Agent (MSA) and generate all PRV files from source mailboxes.
  4. After the initial creation of all PRV files (you can verify this by reviewing the MSA log file), Stop MSA
  5. Perform a Robocopy operation to copy all files from OUT folder to IN folder.  Here is an example:

Robocopy "\\SourceAgentHost01\C$\Windows\SysWOW64\Aelita Exchange Migration Wizard\Mail Transmission Agent\OUT\TargetAgentHost01\2" "\\TargetAgentHost01\c$\Windows\SysWOW64\Aelita Exchange Migration Wizard\Mail Transmission Agent\IN\SourceAgentHost01\2" /MT:128

In the above example, MSA and NTA were running on SourceAgentHost01 and MTA was on TargetAgentHost01.

  6. Start the MTA agent and complete the mail data import process.
  7. After the initial data copy, you can start the MSA, NTA and MTA agents. The delta changes or updates will go through the normal Quest process (MSA –> NTA –> MTA).
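A check to run after the Robocopy step and before the MTA is started, as an added example (not part of the original post and not a Quest tool): it decodes the Robocopy exit code bitmask and compares the OUT and IN folders by relative path and file size, since every extracted file has to arrive. The function names are the example's own, and both folders are assumed to be reachable from the machine running the script.

```python
import os

# Robocopy returns a bitmask, not a plain success/failure code.
ROBOCOPY_FLAGS = {
    1: "files copied",
    2: "extra files or directories in destination",
    4: "mismatched files or directories",
    8: "some files or directories could not be copied",
    16: "fatal error, nothing copied",
}


def explain_exit_code(code):
    """Return (ok, notes). Any value of 8 or more means the copy is incomplete."""
    notes = [text for bit, text in ROBOCOPY_FLAGS.items() if code & bit]
    if not notes:
        notes = ["no change, source and destination already match"]
    return code < 8, notes


def manifest(root):
    """Map lower-cased relative path -> size in bytes for every file under root."""
    found = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            found[os.path.relpath(full, root).lower()] = os.path.getsize(full)
    return found


def compare_out_in(out_dir, in_dir):
    """List files that are missing, differ in size, or are unexpected in IN."""
    src, dst = manifest(out_dir), manifest(in_dir)
    return {
        "missing": sorted(set(src) - set(dst)),
        "size_mismatch": sorted(p for p in set(src) & set(dst) if src[p] != dst[p]),
        "unexpected": sorted(set(dst) - set(src)),
    }


def safe_to_start_mta(exit_code, out_dir, in_dir):
    """True only if Robocopy reported no failures and every OUT file is in IN."""
    ok, _notes = explain_exit_code(exit_code)
    diff = compare_out_in(out_dir, in_dir)
    return bool(ok and not diff["missing"] and not diff["size_mismatch"])


if __name__ == "__main__":
    # Constructed exit codes, to show how the bitmask reads.
    for code in (0, 1, 3, 9, 16):
        ok, notes = explain_exit_code(code)
        print(code, "OK" if ok else "INCOMPLETE", "; ".join(notes))
```

Files listed under "unexpected" do not block the import in this sketch, but they are worth a look because they may be leftovers from an earlier NTA run.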

Microsoft Robocopy – http://technet.microsoft.com/en-us/library/cc733145.aspx

QMM Directory Sync–Mail Enabled and Mailbox Enabled Objects

With the latest hotfix/update for Quest Migration Manager (QMM) – https://support.quest.com/SolutionDetail.aspx?id=SOL77417, you should be able to create mail enabled objects in the target or source domain. This was one of the most requested and awaited features for QMM.

You will see the following three new options in the Directory Synchronization  tab after installing this update:

  • Users without mail options
  • Mail enabled users
  • Mailbox enabled users


Of course this is a global configuration and these options will affect Source and Target directory synchronizations. If you are thinking about a Global Address List (GAL) synchronization solution, you may need to configure a separate QMM project with appropriate options.


___________________________________________________________________________________________

Migrating from Windows Server 2008 or Windows Server 2008 R2 to Windows Server 2012?

Paperback http://www.amazon.com/dp/1849687447/?tag=packtpubli-20

eBook http://www.packtpub.com/migrating-from-2008-and-2008-r2-to-windows-server-2012/book

___________________________________________________________________________________________

Categories: Migration, QMM

Migrating to Windows Server 2012 – Intro (Part 2)

Introduction

Part 1 – Migrating to Windows Server 2012 – Intro (Part 1)

Part 2 – Migrating to Windows Server 2012 – Intro (Part 2)

This was the Introduction, New Features and Enhancements section in my Migration from Windows Server 2008 and 2008 R2 to 2012 book. Because of some changes in the format and content of this book, we have decided not to include any introduction or new features section in this book. The focus of the book is to provide more hands-on and step-by-step instructions on migration. So I decided to add Introduction, New Features and Enhancements section in my blog in 5 different parts. You can read the rest of the sections in the book.


Administration

As an administrator, the key to efficiently and proactively manage servers is to use the right administration tool. With the new features and enhancements in Microsoft Windows Server 2012, now an administrator can achieve this by using the native administrative tools. The details of these new features are explained in the following sections:

Multi-Server Administration

Unlike other Microsoft server Operating Systems (OS), the Server Manager included in Windows Server 2012 provides remote and multi-server administration and management capabilities. The previous versions of the Server Manager could manage only a single server from a management console at a given time. In Windows Server 2012, Microsoft has redesigned the entire Server Manager application to support more “standard-based” management capabilities. With this new Server Manager, you can manage, monitor and administer multiple servers concurrently from a single dashboard.

In the background, the new Server Manager uses standard Windows Management Instrumentation (WMI) and PowerShell cmdlets to query and collect data from local and remote servers. By default, the new Server Manager collects data every 10 minutes. However, this threshold value can be customized from the Server Manager. You can also manually refresh the data from the dashboard using the Refresh button, which will trigger a polling operation. The new Server Manager has the potential to manage a very large number of servers simultaneously. However, the drawback of this is that it would be challenging for an administrator to monitor the events and alerts coming from these servers into a single console.

Roles and Features

You will see two new options when adding Roles or Features in Windows Server 2012 – Roles based or Feature based Installation and Remote Desktop Service Installation.

The new Server Manager is fully customizable based on your requirements and the roles or features installed on these servers. For example, you can create a group called Houston and add all servers from the Houston data center to display the events and alerts from that particular location or you can add types of servers based on Roles to see only alerts from these types of servers. You will see more details of this in the Administration of Windows Server 2012 section (Chapter #3) of this book.

Server Manager – At a glance

Here are some of the key highlights of the new Server Manager:

1. Can manage multiple servers by Groups, Names, Roles and Features.

2. Deploy Roles and Features from a single hyperlink. In Windows 2008 and Windows 2008 R2, while installing we had to identify whether it is a role or feature, but in Windows Server 2012, you will be able to select both Roles and Features from a single console and hyperlink.

3. Can manage Windows Server 2008 and Windows Server 2008 R2 but with limited functionalities. You won’t be able to add roles or features, collect performance data etc. In order to access and manage remote servers that are running Windows Server 2008 or Windows Server 2008 R2, you need to install the Windows Management Framework Targeted Release (WTR) on these servers.

4. Ability to deploy Roles and Features to remote servers and offline virtual disks.

Note: A 64 and 32 bit version of Remote Server Administration Tool (RSAT) is available for Windows 8.

There is no Remote Server Administration Tool (RSAT) for Windows 7. You have to use Windows 8 or Windows Server 2012.

You cannot install Server Manager on Server 2012 Core. However, you can manage Server 2012 Core from Server Manager.

ISO Support

The International Organization for Standardization (ISO) file formats are natively supported in Windows Server 2012. As you can see in the following screenshot, you can right click an ISO image and mount it as an image file without any additional tools. It is part of the Operating System.


PowerShell

In Windows Server 2012, Microsoft has introduced the next version of PowerShell – PowerShell 3.0. PowerShell 3.0 includes a total of 2300 cmdlets, 260 core cmdlets and 239 modules. These additional and improved PowerShell cmdlets provide more efficiency and automation to manage servers locally and remotely in an enterprise.

In a nutshell, Windows Server 2012 and PowerShell 3.0 offer the following out-of-the-box capabilities:

1. Easy and automated administration

2. Scheduled job creation

3. Workflow capabilities

4. Disconnect and reconnect remote sessions

5. New PowerShell Integrated Scripting Environment (ISE)

6. IntelliSense support

7. Snippets support

8. PowerShell history viewer

9. Help file on-demand

10. Windows PowerShell Web Access

11. Show Command Window

PowerShell Integrated Scripting Environment (ISE)

By default, PowerShell and PowerShell Integrated Scripting Environment (ISE) are installed on any version of Windows Server 2012. The new PowerShell Integrated Scripting Environment (ISE) is equipped with IntelliSense and Snippets support to provide full development platform and experience for administrators.

IntelliSense

IntelliSense is an auto completion feature by Microsoft. Most programmers are familiar with this feature in their development platform. However, this is the first time Microsoft is integrating this feature into PowerShell Integrated Scripting Environment (ISE). Now you don’t feel like PowerShell is just about commands and command line options.

In the following screenshot, you can see an example of IntelliSense support:


Snippets

This term is popular in the development world. However, this is also new in PowerShell Integrated Scripting Environment (ISE) on Windows Server 2012. A Snippet provides sample code and syntax details inside a development environment. The following screenshot depicts an example of a Snippet:

You will also see a new Command Window on the right pane. By default, this displays all available modules. From this window, you can search a cmdlet or module to get more information.

PowerShell Web Access

The PowerShell Web Access is a new feature in Windows Server 2012. This provides a PowerShell gateway service to remote servers. As the name sounds, this is a web based Windows console and it doesn’t require PowerShell or any plug-ins on the local computer. The remote machines can be managed from a web browser.


As you can see in the above screenshot (in the Optional Connection Settings), delegation of administration (or alternate credentials) is supported in PowerShell web access. You can use one account for the Gateway access and another account for the actual destination server access.

Note: Even though Server 2012 is shipped with PowerShell 3.0, you can add Windows PowerShell 2.0 as an additional feature for backward compatibility.

You can install PowerShell Add-Ons to enhance the administration and automation process with PowerShell ISE. These Add-Ons can be downloaded from the Microsoft site.


What is Next?

The following topics and step-by-step instructions are included in the book:

· Windows Server 2012 Core and GUI installation and configuration

· Windows Server 2012 local and remote administration

· Windows Server 2012 Roles and Feature deployment

· Active Directory and domain controller migration

· Network Services (DNS and DHCP) migration

· Data and file server migration

· Printer and print server migration

· Hyper-V and virtual server migration

· Decommissioning old servers and domain controllers

This book is currently available in all major stores.

PacktPub – http://www.packtpub.com/migrating-from-2008-and-2008-r2-to-windows-server-2012/book

Amazon – http://www.amazon.com/dp/1849687447/?tag=packtpubli-20

Barnes & Noble – http://www.barnesandnoble.com/s/?keyword=Instant+Migration+from+Windows+Server+2008+and+2008+R2+to+2012+How-to+%5BInstant%5D

Safari Books Online – http://my.safaribooksonline.com/9781849687447?cid=packt-cat-readnow-9781849687447

Categories: ebook, Microsoft, Migration, Windows

Mailbox Migration – MAPI_E_FAILONEPROVIDER / Invalid Data

Mailbox migrations can be challenging and interesting. I ran into an issue this morning with one mailbox using Quest Migration Manager. Quest Mail Target Agent (MTA) was failing with our “favorite” MAPI_E_FAILONEPROVIDER error.

1/29/2013 5:16:19 PM    CSession::Logon               Error      -2147221219       You do not have permission to log on. – MAPI_E_FAILONEPROVIDER (Microsoft Exchange Server Information Store)  Low level error: 0x0 File: ‘aeWrapHelpers.h’ Line: ‘279’

1/29/2013 5:16:19 PM    MailKernel::Connect      Informational    2079       Synchronization status: Object XXXXXXXXXXXXXXXXXXXXXX synchronization was not started due to connection errors.

When I opened the properties of this mailbox on the Exchange 2010 side, I was getting an error message.

I found a more detailed error message by going through the properties of this mailbox. In my case it was due to the value of the Delivery Restriction property in Exchange 2010.

The 30 GB Sending message size!!! (don’t ask me why) was configured in the source mailbox.

QMM tries to populate this value during the Quest directory sync.  It was failing due to the size limitation in the target Exchange 2010 environment. 

Quest Migration Manager EMWProf – MAPI_E_USER_CANCEL 0X80040113

This error message was a little misleading!

[Error] Cannot open default message store.

MAPI error.

Error code: 0x80040113

Description: MAPI_E_USER_CANCEL

Stack:

Function Address: 004e7801

Function Address: 00456a5e

Function Address: 0046bcb3

Function Address: 0046a6dc

Function Address: 0042b42c

Function Address: 0042b7e6

Function Address: 0047981b

Function Address: 005e5fdf

Function Address: 7c817077

Resolution

According to all Quest documents, this error is due to name resolution issues. In my case, it was “technically” true. However, the actual issue wasn’t related to a “pure” NetBIOS or FQDN name resolution. I had the same computer object (same name) in the target domain. So the workstation or EMWProf wasn’t getting the correct source Exchange information. It was resolving to an object in the target domain instead of the source Exchange server. I deleted the duplicate computer name in the target domain and everything started working!

ADMT – “ ERR3:7194 Could not open input file C:\Program Files\OnePointDomainAgent ” Issue

Issue

Active Directory Migration Tool (ADMT) Security Translation Process failed with the following error message in the ADMT log file:

ERR3:7194 Could not open input file C:\Program Files\OnePointDomainAgent\AccountsXXXXX.txt

Cause

This is most likely due to a corrupted ADMT agent (OnePointdomainAgent) installation.

Resolution

Uninstall and reinstall the ADMT agent (OnePointdomainAgent).  If you can’t uninstall from the console or control panel, you need to perform a manual removal process. 

You can use SC command to delete the agent if needed – SC Delete "OnePointdomainAgent"

Also, make sure the HKLM\Software\Microsoft\ADMT registry key and the c:\windows\ADMT directory are not present after the agent removal.

Categories: ADMT, ADMT 3.2, Microsoft, Migration

ObjectSID and Active Directory

September 13, 2011

When I was about to publish this blog, I saw Ned’s latest blog on ASK DS about Managing RID Pool Depletion (http://blogs.technet.com/b/askds/archive/2011/09/12/3452538.aspx). I think both these blogs cover the same information about the RID pool. Since I typed all these I thought I would publish it anyway!

What is an objectSID in Active Directory?

When a new object is created in Active Directory, the Domain Controller assigns a unique value used to identify the object as a security principal. This value is unique inside the domain. An ObjectSID includes a domain prefix identifier that uniquely identifies the domain and a Relative Identifier (RID) that uniquely identifies the security principal within the domain. The RID is a monotonically increasing number at the end of the SID.

How do I get ObjectSID information from Active Directory?

You can see the ObjectSID information using ADSI Edit or Attribute Editor, or you can use DSQUERY commands. I will explain these details with a few screenshots:

Domain SID – I am using the following DSQUERY command with a name filter to get the SID of my domain. 

User SID – As you can see from the following screenshot, the objectSID of the user (TestABC1) consists of the Domain SID of the domain (santhosh) + the Relative ID (RID) of the user account.

RID Allocation

The RID number is assigned from the RID pool (rIDAllocationPool) of the Domain Controller. Each domain controller is assigned a pool of RIDs from the global RID pool by the domain controller that holds the RID master FSMO role. You can get the RID pool allocation table details using the dcdiag /test:ridmanager /v command.

Keep in mind that the RID pool will be different in each domain controller.  RID will be allocated to an object in Active Directory based on the Domain Controller that you are using.  Here is an example from my second domain controller in my domain:


As you can see in the above screenshot, if I create a new object using this domain controller, the new object will be assigned with 1601 (rIDNextRID) as the RID.

You can also use the DSQUERY command to get the properties of the RID Set. However, you need to convert some of the values.

By default, RID pools will be allocated in increments of 500 (rIDAllocationPool).
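The SID layout and the RID Set value conversion described above, as an added example that is not part of the original post. It decodes a binary objectSid into its domain SID and RID, splits a 64-bit pool value (rIDAllocationPool or rIDPreviousAllocationPool) into its first and last RID, and uses that to find which domain controller's pool contains a given RID. The SID, the DC names and the pool values are constructed samples, and the function names are the example's own.

```python
import struct


def sid_from_bytes(raw):
    """Decode a binary SID (objectSid or one sIDHistory value) to S-1-... text."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15:
        raise ValueError("unsupported revision or sub-authority count")
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])    # 32-bit each, little-endian
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def split_sid(sid):
    """Split a SID string into (domain SID, RID); the RID is the last field."""
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


def decode_rid_pool(value):
    """Split a 64-bit pool value: low 32 bits = first RID, high 32 bits = last RID."""
    value &= 0xFFFFFFFFFFFFFFFF
    return value & 0xFFFFFFFF, value >> 32


def issuing_dc(rid, pools_by_dc):
    """Return the DC whose listed pool contains rid, or None if no pool matches.

    Only pools still present on each RID Set can match; pools that were used
    up earlier are no longer recorded there.
    """
    for dc, pools in pools_by_dc.items():
        for value in pools:
            low, high = decode_rid_pool(value)
            if low <= rid <= high:
                return dc
    return None


# Constructed sample: revision 1, 5 sub-authorities, authority 5 (NT Authority).
SAMPLE_SID_BYTES = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack(
    "<5I", 21, 1004336348, 1177238915, 682003330, 1601)

# Constructed pool values as they would appear as large integers:
# 6867652707404 = RIDs 1100-1599, 9015136355904 = RIDs 1600-2099 (pools of 500).
SAMPLE_POOLS = {"DC01": [6867652707404], "DC02": [9015136355904]}

if __name__ == "__main__":
    sid = sid_from_bytes(SAMPLE_SID_BYTES)
    domain_sid, rid = split_sid(sid)
    print("SID        :", sid)
    print("Domain SID :", domain_sid)
    print("RID        :", rid)
    for dc, pools in SAMPLE_POOLS.items():
        print(dc, "pool:", decode_rid_pool(pools[0]))
    print("RID", rid, "falls in the pool of", issuing_dc(rid, SAMPLE_POOLS))
```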



Other Related Blogs and Articles:

Verify sIDHistory and Identify the Source User Account – http://portal.sivarajan.com/2011/03/verify-sidhistory-and-identify-source.html

ObjectSID Vs sIDHistory – http://sivarajan.com/forum/viewthread.php?tid=8

Identify SID Using DSQUEY Command – http://portal.sivarajan.com/2010/06/identify-sid-using-dsquey-command.html

PowerShell Script – Search Active Directory and Generate SIDHistory Report – http://portal.sivarajan.com/2010/12/powershell-script-search-active.html

SID Filtering – Access is denied – http://portal.sivarajan.com/2009/06/sid-filtering-access-is-denied.html

ADMT SID Mapping File Generation Using DSQUERY Command – http://portal.sivarajan.com/2011/04/admt-sid-mapping-file-generation-using.html

siDHistory Report – with Multi Value Support – http://portal.sivarajan.com/2011/04/sidhistory-report-with-multi-value.html


Computer Migration – Things to Consider (Updated)

September 6, 2011

Here are a few points which you can consider while doing computer migration. These points are applicable to all migrations irrespective of the migration tool (ADMT, NetIQ, Quest etc).

Here is a high level flow chart that describes the computer migration process:

Admin$ Access (PreMig1 Script) – Ensure that you can access Admin$ or C$ on the workstation using your migration service account. You can use the following script to test the Admin$ permission:

http://portal.sivarajan.com/2010/01/check-admin-share-using-poweshell.html

Ping (part of PreMig1 Script)– Make sure you can ping the workstation from the migration console/server. But keep in mind that, if ICMP is disabled on your network, you won’t be able to ping the workstation. Also, I have seen in many cases that Ping is resolving to an incorrect IP address, which can be due to a bad WINS server or bad name resolution.

Read more at http://www.sivarajan.com/cm.html

ADMT User Migration and Leaf Object Error Message

Issue:

ADMT displays the following error message when you try to migrate a user account:

ERR2:7422 Failed to move source object ‘CN=XXXX’. hr=0x8007208c The operation cannot be performed because child objects exist. This operation can only be performed on a leaf object.

Cause/Resolution:

Some applications may add configuration details to a user object. Exchange ActiveSync is an example. If you have ActiveSync, make sure the ExchangeActiveSync child object has the proper value. Or if the application is not using this configuration, you can remove the attribute value. You can use ADSI Edit to verify this value (ADSIEdit –> Default Naming Context –> Properties of the User).

If the issue is only happening on a few user accounts, you can dump the user account properties using DSQUERY command and compare them with a “good” user account value. 

 

Other Related Blogs & Articles:

Active Directory Migration Using ADMT – http://www.sivarajan.com/admt.html

Computer Migration – Things to Consider – http://www.sivarajan.com/cm.html

User Account Migration and Merging Using ADMT – http://www.sivarajan.com/

ADMT Include File – http://portal.sivarajan.com/2011/06/admt-include-file.html

User Migration and Input File Format – http://portal.sivarajan.com/2010/12/user-migration-and-input-file-format.html

User Account Migration and Merging – Part II (Quest Migration Manager)

Part I – User Account Migration and Merging Using ADMT

Part II – User Account Migration and Merging Using QMM

Pre-creating user accounts in the target domain is a common scenario these days due to single-sign-on solutions, HR management procedures etc. This will make the user migration procedure more challenging. During the migration you need to make sure these accounts are properly “merged” with the correct SID information.

In this example, I will explain a procedure to migrate and merge user accounts using Quest Migration Manager (QMM). You can read the  Part I (User Account Migration and Merging – Part I (ADMT)) of this document in the following link:

http://portal.sivarajan.com/2011/05/user-account-migration-and-merging-part.html

Scenario:

I have pre-created user accounts in the target domain. Their logon name (sAMAccountName) is different in the target domain. My goal is to migrate an account from the source domain, merge it with the corresponding account in the target domain and maintain the source SID in the migrated object.

Migration Plan:

My plan is to use an input file which contains a mapping between source and target user accounts.  The file encoding type must be ANSI.  You can read about this requirement in my following blog:

http://portal.sivarajan.com/2010/12/user-migration-and-input-file-format.html

Here is an example of this input file:

In the above example, my plan is to migrate User1 and merge it with a pre-created user account (12345) in the target domain. The column headers are Source sAMAccountName, Target sAMAccountName and Target Name.

Migration Procedure:

1. Open Quest Migration Manager console.  Right click on the Migration node and select New Session option.

Note: Make sure the Account Name matching attributes is selected in the domain pair configuration (Domain Pair –> Properties –> Object Matching).


2. Click Next on the Welcome window. 

3. Specify the name in the Name box for this migration session. Click Next.

4. On the Select Object in Source Domain window, click on Import button and select the user input file and click Open.


5. Click Next on Select Objects in Source Domain window.

6. On the Select Target Container window:

a. Click Browse to select the appropriate target OU

b. Select Migrate objects without OUs as a flat list option and

c. Select Merge and leave the account where it was before the migration option.

d. Click Next.


7. On the Set Security Settings window, select appropriate options. Click Next.

8. On the Specify Object Processing Options window, select appropriate options. Click Next.

9. Click Next on the Specify Object Processing Options window.

10. On the Select Migration Agent window, select the correct DSA as the migration agent server. Click Next.

11. Click Next on the Migrate Active Directory Objects window.

12. Click Yes on the Migration Wizard Popup window. Migration process status will display on the status window.

14. Select View log button on the Completing the Migration Wizard window to verify the log file.

15. Click Finish to complete the user migration process. 

sIDHistory

You can verify the sIDHistory value using ADSI Editor or one of the following scripts.  The sIDHistory value should be equal to the ObjectSID in the source domain.

Verify sIDHistory and Identify the Source User Account – http://portal.sivarajan.com/2011/03/verify-sidhistory-and-identify-source.html

siDHistory Report – with Multi Value Support – http://portal.sivarajan.com/2011/04/sidhistory-report-with-multi-value.html

Generate sidHistory Report using DSQUERY command – http://portal.sivarajan.com/2011/01/generate-sidhistory-report-using.html

QMM Directory Synchronization

If you are planning to use Quest directory synchronization, you can enable the directory synchronization after the user migration. QMM will update the user information (user properties, group membership etc) based on the QMM matching attribute value (adminDescription & adminDisplayName or ExtensionAttribute 14 and 15). These values get populated during the user migration.

Other Related Blogs & Articles:

Active Directory Migration Using ADMT – http://www.sivarajan.com/admt.html

Computer Migration – Things to Consider – http://www.sivarajan.com/cm.html

User Account Migration and Merging Using ADMT – http://www.sivarajan.com/

ADMT Include File – http://portal.sivarajan.com/2011/06/admt-include-file.html

User Migration and Input File Format – http://portal.sivarajan.com/2010/12/user-migration-and-input-file-format.html