Resources for IT Professionals
How to Move a Mailbox Across Forests

Applies to: Exchange Server 2007 SP1, Exchange Server 2007 Topic Last Modified: 2008-05-15

This topic explains how to use the Exchange Management Shell to move a mailbox across different forests.

Aa997145.note(en-us,EXCHG.80).gifNote:
You cannot use the Exchange Management Console to move mailboxes across forests. You must use the Exchange Management Shell.

You can use this procedure to move mailboxes in the following scenarios:

  • Moving from an Exchange 2007 server in one forest to an Exchange 2007 server in another forest.
  • Moving from a server running Exchange Server 2003 in one forest to an Exchange 2007 server in another forest.
  • Moving from an Exchange 2007 server in one forest to an Exchange 2003 server in another forest. 
  • Moving from an Exchange 2000 server in one forest to an Exchange 2007 server in another forest.

In the case where you want to move mailboxes from one forest to another without interrupting the user's access to the mailbox, you should use the Move-Mailbox cmdlet with the AllowMerge parameter. For more information, see How to Merge Mailboxes.

To perform the following procedures, the account you use for the source forest must be delegated the following:

  • Exchange Recipient Administrator role for the source Exchange organization 
  • Exchange Server Administrator role and local Administrators group for the source server
Aa997145.note(en-us,EXCHG.80).gifNote:
You must specify this account by using the -SourceForestCredential parameter

The account you use for the target forest must be delegated the following:

  • Exchange Recipient Administrator role for the target Exchange organization 
  • Exchange Server Administrator role and local Administrators group for the target server
    Aa997145.note(en-us,EXCHG.80).gifNote:
    You must specify this account by using the -TargetForestCredential parameter

All multiple forest topologies containing Exchange 2007 require directory servers in each forest running Windows Server 2003 with Service Pack 1 or later.

The account you use to run the command must be delegated the Exchange Server Administrator role on the server where you run the command.

For more information about permissions, delegating roles, and the rights that are required to administer Microsoft Exchange Server 2007, see Permission Considerations.

Also, before you perform this procedure, be aware of the following:

  • This procedure moves only the mailbox to the target forest. It does not move the user account. If you want to move both the user account and the corresponding mailbox to the target forest, you must first use a tool such as the Active Directory Migration Tool version 3.0 (ADMT v3) to move the user account to the target forest, and then move the mailbox to the target account. For more information about ADMT v3, see Active Directory Migration Tool v3.0.
  • If you move a mailbox across forests, items in the dumpster will not be moved unless you are merging mailboxes by using the AllowMerge parameter. Items in the Deleted Items folder will be moved. For more information about configuring deleted item retention, see Configuring Deleted Mailbox and Deleted Item Retention.
  • To move contacts or distribution groups from one forest to another, you must use a tool such as the Active Directory Migration Tool version 3.0 (ADMT v3). For more information about the ADMT v3, see Active Directory Migration Tool v3.0.
  • If you have a forest with a previous version of Exchange that contains only Windows 2000 Server  domain controllers (not Windows Server 2003 domain controllers), you cannot use the Move-Mailbox cmdlet to move mailboxes to an Exchange 2007 server in another forest. The Move-Mailbox cmdlet can communicate only with domain controllers running Windows Server 2003 with Service Pack 1 or later. To move mailboxes, you must have at least one domain controller in both the source and the destination forests running Windows Server 2003 with Service Pack 1 or later.
  • To enable cross forest moves, you must open the following ports:

    Port Protocol

    53 (TCP)

    Domain Name Service (DNS)

    88 (TCP)

    Kerberos

    135 (TCP)

    Microsoft Remote Procedural Call (MS-RPC)

    389 (TCP)

    Light Weight Directory Access Protocol (LDAP)

    445 (TCP)

    Microsoft-DS Service

    3268 (TCP)

    LDAP

    >1024 (TCP)

    If the Exchange store is statically configured, you must also open at least one port greater than 1024.

Exchange Server 2007 Service Pack 1 (SP1)

This section contains the SP1-specific Exchange Management Shell procedure.

  1. Move the user account to the target forest by using ADMT v3. For more information about the ADMT v3, see Active Directory Migration Tool v3.0.

  2. On the Exchange 2007 server where you will run the Move-Mailbox cmdlet, in the Exchange Management Shell, run the following command to create a credential object: 

    $SourceCredential = Get-Credential

    You will be prompted for credentials. Specify an account that has permissions to move the mailboxes in the source forest.

  3. On the Exchange 2007 server where you will run the Move-Mailbox cmdlet, in the Exchange Management Shell, run the following command to create a credential object: 

    $TargetCredential = Get-Credential

    You will be prompted for credentials. Specify an account that has permissions to move the mailboxes in the target forest.

  4. On the Exchange 2007 server, in the Exchange Management Shell, run the Move-Mailbox command to move the mailbox. For example:

    Move-Mailbox -TargetDatabase "Target Server\First Storage Group\Mailbox Database" -Identity john -GlobalCatalog GC01.fabrikam.com -SourceForestGlobalCatalog GC02.contoso.com -NTAccountOU "OU=OrgUnit01,DC=fabrikam,DC=com" -SourceForestCredential $SourceCredential -TargetForestCredential $TargetCredential

    Note the following:

    • In this example, the contoso domain is in the source forest and the fabrikam domain is in the target forest.
    • In this example, the command is run on a Mailbox server in the target forest.
    • If any parameter values contain a space, you must enclose the value in quotation marks.
    • The GlobalCatalog and SourceForestGlobalCatalog parameters are used to locate the mailbox in the target and source forests. If you do not specify a source forest global catalog or a target forest global catalog, the forest for the local computer on which you are running the Move-Mailbox command will be used to determine a global catalog server to use. For mailbox moves across different forests, you must specify at least one of these two parameters.
    • The DomainController parameter is used to identify a specific domain controller in the target forest for the mailbox move. The domain controller will be used during the migration for Active Directory write operations. If you do not specify a target forest domain controller, the local forest on which you are running the Move-Mailbox command will be used to determine a domain controller to use.
    • The NTAccountOU parameter is used to specify the organizational unit in the target forest where the user account for the mailbox will be created, if it does not exist, or where the user account is located, if it already exists.
      Aa997145.note(en-us,EXCHG.80).gifNote:
      You cannot use the NTAccountOU parameter if you use the AllowMerge parameter. The AllowMerge parameter specifies that you want to merge the mailbox with a mailbox that already exists in the target forest.
    • If you want to specify the time-out limit for moving a mailbox, use the RetryTimeout parameter. If a mailbox move takes longer than the specified time, the move will fail. You can also specify the interval for displaying mailbox status information by using the RetryInterval parameter. For example:
      Move-Mailbox -TargetDatabase "Target Server\First Storage Group\Mailbox Database" -Identity john -GlobalCatalog GC01.fabrikam.com -SourceForestGlobalCatalog GC02.contoso.com -NTAccountOU "OU=OrgUnit01,DC=fabrikam,DC=com" -SourceForestCredential $SourceCredential -TargetForestCredential $TargetCredential -RetryTimeout 1:00:00 -RetryInterval 5:00
    • If you do not want to keep recipient policies on the mailbox after it is moved, use the IgnorePolicyMatch parameter. For example:
      Move-Mailbox -TargetDatabase "Target Server\First Storage Group\Mailbox Database" -Identity john -GlobalCatalog GC01.fabrikam.com -SourceForestGlobalCatalog GC02.contoso.com -NTAccountOU "OU=OrgUnit01,DC=fabrikam,DC=com" -SourceForestCredential $SourceCredential -TargetForestCredential $TargetCredential -IgnorePolicyMatch:$true
    • If you want to filter the messages that are moved to the target mailbox, you can use any of the following filter parameters: AttachmentFilenames, ExcludeFolders, IncludeFolders, ContentKeywords, SubjectKeywords, RecipientKeywords, or SenderKeywords. For example: 
      Move-Mailbox -TargetDatabase "Target Server\First Storage Group\Mailbox Database" -Identity john -GlobalCatalog GC01.fabrikam.com -SourceForestGlobalCatalog GC02.contoso.com -NTAccountOU "OU=OrgUnit01,DC=fabrikam,DC=com" -SourceForestCredential $SourceCredential -TargetForestCredential $TargetCredential  -AttachmentFilenames *.doc -ExcludeFolders \Inbox\Personal,\Inbox\OldProjects -ContentKeywords merger -SubjectKeywords Important -RecipientKeywords christine@northwindtraders.com
    • By default, the Move-Mailbox command does not delete the source mailbox or the source user account. If you are moving a user's mailbox to a new forest, and you have already moved the user account to the new forest using the ADMT, and you want to delete both the source mailbox and the source user account after the mailbox is moved, you can use the DeleteSourceNTAccount option of the SourceMailboxCleanupOptions parameter. For example:
      Move-Mailbox -TargetDatabase "Target Server\First Storage Group\Mailbox Database" -Identity john -GlobalCatalog GC01.fabrikam.com -SourceForestGlobalCatalog GC02.contoso.com -NTAccountOU "OU=OrgUnit01,DC=fabrikam,DC=com" -SourceForestCredential $SourceCredential -TargetForestCredential $TargetCredential -SourceMailboxCleanupOptions DeleteSourceNTAccount

  5. Check the command's output to verify that the move completed successfully.

  6. If the user whose mailbox was moved uses Microsoft Office Outlook 2003 or a previous version of Outlook, you must modify the Outlook profile of that user so that it accesses e-mail messages from the target Exchange server.

  7. Verify that the user can access e-mail messages from an e-mail client computer.

For detailed syntax and parameter information, see the Move-Mailbox reference topic.

Exchange Server 2007 RTM

This section contains the release to manufacturing (RTM)-specific Exchange Management Shell procedure.

  1. Move the user account to the target forest by using ADMT v3. For more information about ADMT v3, see Active Directory Migration Tool v3.0.

  2. On the Exchange 2007 server where you will run the Move-Mailbox cmdlet, in the Exchange Management Shell, run the following command to create a credential object: 

    $SourceCredential = Get-Credential

    You will be prompted for credentials. Specify an account that has permissions to move the mailboxes in the source forest.

  3. On the Exchange 2007 server where you will run the Move-Mailbox cmdlet, in the Exchange Management Shell, run the following command to create a credential object: 

    $TargetCredential = Get-Credential

    You will be prompted for credentials. Specify an account that has permissions to move the mailboxes in the target forest.

  4. On the Exchange 2007 server, in the Exchange Management Shell, run the Move-Mailbox command to move the mailbox. For example:

    Move-Mailbox -TargetDatabase "Target Server\First Storage Group\Mailbox Database" -Identity john -GlobalCatalog GC01.fabrikam.com -SourceForestGlobalCatalog GC02.contoso.com -NTAccountOU "OU=OrgUnit01,DC=fabrikam,DC=com" -SourceForestCredential $SourceCredential -TargetForestCredential $TargetCredential

    Note the following:

    • In this example, the contoso domain is in the source forest and the fabrikam domain is in the target forest.
    • In this example, the command is run on a Mailbox server in the target forest.
    • If any parameter values contain a space, you must enclose the value in quotation marks.
    • The GlobalCatalog and SourceForestGlobalCatalog parameters are used to locate the mailbox in the target and source forests. If you do not specify a source forest global catalog or a target forest global catalog, the forest for the local computer on which you are running the Move-Mailbox command will be used to determine a global catalog server to use. For mailbox moves across different forests, you must specify at least one of these two parameters.
    • The DomainController parameter is used to identify a specific domain controller in the target forest for the mailbox move. The domain controller will be used during the migration for Active Directory write operations. If you do not specify a target forest domain controller, the local forest on which you are running the Move-Mailbox command will be used to determine a domain controller to use.
    • The NTAccountOU parameter is used to specify the organizational unit in the target forest where the user account for the mailbox will be created, if it does not exist, or where the user account is located, if it already exists.
      Aa997145.note(en-us,EXCHG.80).gifNote:
      You cannot use the NTAccountOU parameter if you use the AllowMerge parameter. The AllowMerge parameter specifies that you want to merge the mailbox with a mailbox that already exists in the target forest.
    • If you want to specify the time-out limit for moving a mailbox, use the RetryTimeout parameter. If a mailbox move takes longer than the specified time, the move will fail. You can also specify the interval for displaying mailbox status information by using the RetryInterval parameter. For example:
      Move-Mailbox -TargetDatabase "Target Server\First Storage Group\Mailbox Database" -Identity john -GlobalCatalog GC01.fabrikam.com -SourceForestGlobalCatalog GC02.contoso.com -NTAccountOU "OU=OrgUnit01,DC=fabrikam,DC=com" -SourceForestCredential $SourceCredential -TargetForestCredential $TargetCredential -RetryTimeout 1:00:00 -RetryInterval 5:00
    • If you do not want to keep recipient policies on the mailbox after it is moved, use the IgnorePolicyMatch parameter. For example:
      Move-Mailbox -TargetDatabase "Target Server\First Storage Group\Mailbox Database" -Identity john -GlobalCatalog GC01.fabrikam.com -SourceForestGlobalCatalog GC02.contoso.com -NTAccountOU "OU=OrgUnit01,DC=fabrikam,DC=com" -SourceForestCredential $SourceCredential -TargetForestCredential $TargetCredential -IgnorePolicyMatch:$true
    • If you want to filter the messages that are moved to the target mailbox, you can use any of the following filter parameters: AttachmentFilenames, ExcludeFolders, IncludeFolders, ContentKeywords, or SubjectKeywords. For example: 
      Move-Mailbox -TargetDatabase "Target Server\First Storage Group\Mailbox Database" -Identity john -GlobalCatalog GC01.fabrikam.com -SourceForestGlobalCatalog GC02.contoso.com -NTAccountOU "OU=OrgUnit01,DC=fabrikam,DC=com" -SourceForestCredential $SourceCredential -TargetForestCredential $TargetCredential  -AttachmentFilenames *.doc -ExcludeFolders \Inbox\Personal,\Inbox\OldProjects -ContentKeywords merger -SubjectKeywords Important
    • By default, the Move-Mailbox command does not delete the source mailbox or the source user account. If you are moving a user's mailbox to a new forest, and you have already moved the user account to the new forest using the ADMT, and you want to delete both the source mailbox and the source user account after the mailbox is moved, you can use the DeleteSourceNTAccount option of the SourceMailboxCleanupOptions parameter. For example:
      Move-Mailbox -TargetDatabase "Target Server\First Storage Group\Mailbox Database" -Identity john -GlobalCatalog GC01.fabrikam.com -SourceForestGlobalCatalog GC02.contoso.com -NTAccountOU "OU=OrgUnit01,DC=fabrikam,DC=com" -SourceForestCredential $SourceCredential -TargetForestCredential $TargetCredential -SourceMailboxCleanupOptions DeleteSourceNTAccount

  5. Check the command's output to verify that the move completed successfully.

  6. If the user whose mailbox was moved uses Microsoft Office Outlook 2003 or a previous version of Outlook, you must modify the Outlook profile of that user so that it accesses e-mail messages from the target Exchange server.

  7. Verify that the user can access e-mail messages from an e-mail client computer.

For detailed syntax and parameter information, see the Move-Mailbox (RTM) reference topic.

Page view tracker