jremmc
Wed Jul 20 09:49:45 CDT 2005
Hi Lee,
Every MS Doc I have read says use ADClean to merge the two accounts (new
enabled AD and ADC-created disabled) in scenarios when you have installed
Exchange 2003 before migrating user accounts to WS2K3 from NT. That is our
scenario. We upgraded HQ to WS2K3 and Ex2003. We left the branch offices at
NT4 (each office is separate NT4 domain) and Ex5.5 (each office is single
5.5 server in separate Site same Ex Org). We have ADC-created disabled
accounts for each branch user as a result. Now we are ready to migrate one
of the branch offices to HQ WS2K3 domain. We intend to migrate the user
accounts, *then* move their mailboxes to Ex2003, not the other way around,
so that their NT accounts do not need to access their Ex2003 mailboxes. We
did this in HQ (AD accounts accessing 5.5, then moving mailboxes to 2003)
with good success.
MS instructions are to use ADMT to migrate the accounts to AD, then use
ADClean to merge the enabled with the disabled. This worked in my test,
except Primary NT Account on 5.5 mailbox did not change. Yet, according to
an MS employee blog (can't remember who but think ADMT team member) about
why ADC-created disabled account has the weird random characters, after
ADClean then next ADC replication cycle the Primary NT Account on 5.5
mailbox should change. If I can find the blog again, I will post link.
"Lee Li [MSFT]" <v-leeli@online.microsoft.com> wrote in message
news:1azbbARjFHA.3472@TK2MSFTNGXA01.phx.gbl...
> Hi Customer,
>
> I appreciate you taking time to write to us. However, I am afraid I am not
> quite clear about your concern. Let me explain as below.
>
> First of all, if your original intention is to migrate Exchange Server 5.5
> from one domain to Exchange Server 2000/2003 in another domain, the correct
> steps are as below.
>
> 1. Run ADMT to create active user accounts in your Active Directory.
> 2. Run Exchange Server Migration Wizard to move mailbox content from
> original Exchange Server to this new-created Exchange Server.
>
> Let me provide further explanation regarding this procedure.
>
> 1. First, actually, it is not necessary to run AD Cleanup Wizard (ADClean),
> which is used in the following scenario.
>
> If the ADC does not find matching User objects when it replicates the
> Exchange mailboxes to AD, it creates new disabled User accounts, and
> populates those with the mailbox attributes.
>
> Using ADMT Feature to Avoid Twin Accounts
> If you use the ADMT tool to migrate the NT4 accounts into the same domain
> where the ADC-created disabled accounts reside, you can instruct ADMT to
> merge the NT4 accounts directly into the existing accounts. This option in
> ADMT is called Replace conflicting accounts.
>
> Creating Twin Accounts
> Otherwise, if you upgrade the NT4 domain or use ADMT to migrate the NT4
> accounts to a different domain from the ADC-created disabled accounts, then
> you will be left with two User accounts in the Forest for each person you
> have migrated. The ADC disabled account contains the correct email
> attributes, while the other account contains the correct SID and is the one
> that should be used for log on.
> The solution is to copy the email attributes from the disabled account to
> the enabled account, and then delete the disabled account. The AD Cleanup
> Wizard performs this function.
>
> From the information above, you can see AD Cleanup Wizard is only used when
> you run Active Directory Cleanup before running ADMT. For inter-org
> migration, it is not necessary to run ADC first. And the recommended way is
> to run ADMT to migrate account as first step.
>
> 2. Even if you have followed Exchange Migration Wizard to move Exchange
> Information Store from Exchange Server 5.5 to Exchange Server 2000/2003,
> the Primary NT Account attribute for Exchange Server 5.5 mailbox will never
> change as new user account. Please understand if you perform inter-org
> migration, Exchange Server 5.5 and Exchange Server 2003 are located in
> totally different Active directory; Exchange Migration Wizard just let you
> copy Exchange Server 5.5 Information Store to Exchange Server 2003.
> Exchange Server 5.5 still has its own Primary NT Account. And the new
> mailbox in Exchange Server 2003 is associated to new user account in new
> domain.
>
> 3. The behavior that only old NT 4.0 user account can login new mailbox is
> caused by all of the permissions that are necessary for mailbox access were
> not migrated successfully during ADMT Migration.
>
> The solution for this scenario is just as you mentioned to modify
> permissions for the Active Directory users to include SELF rights. More
> info here:
>
> Active Directory Users Cannot Obtain Access to Mailbox After Upgrade from
> Exchange 5.5
>
> http://support.microsoft.com/?id=326018
>
> Meanwhile, I am afraid I have not heard about ADMT Exchange Directory
> Wizard. If you have further concern about ADMT Migration tool, since it is
> pure Active Directory Migration tool, if you have any further concern, it
> is better for you to submit your question in the newsgroup below, where a
> dedicated engineer will help you explain the usage of ADMT.
>
> microsoft.private.directaccess.win2003.activedirectory (for Windows 2000
> Server)
>
> microsoft.private.directaccess.win2000.activedirectory (For Windows Server
> 2003)
>
> Thanks for your understanding regarding this. Should there be anything we
> can help in the future, feel free to let me know. Thanks and have a nice
> day!
>
> Lee Li
>
> Microsoft Online Partner Support
> Get Secure! - www.microsoft.com/security
> =====================================================
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> =====================================================
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>