Move maiboxes between on-prem Exchange systems with PowerShell

An interesting test is how to migrate user mailboxes between two on-prem Exchange systems that have no connection whatsoever, other than a plain network connection through the internet. They belong to different forests, and there are no trust relationships set up between them. We use the same method we used with Office365 on- and offboarding, not suggesting to do this on production environments as this method is NOT supported by Microsoft.

But it works!

1. Our Goal

We have ten users in AlwaysHotCafe.com that we want to migrate to the ProtectiGate.com Exchange servers through the internet.

2. Preparation

a. On the ProtectiGate DC we add the AlwaysHotCafe.com alternative UPN suffix. Open the AD Domains and Trusts snap-in, right click on the "Active Directory Domains and Trusts" option, and add the suffix there.

b. Add the AlwaysHotCafe.com as an internal relay to the Exchange system, also in the ProtectiGate.com domain.

PS C:\> New-AcceptedDomain -Name "AlwaysHotCafe.com" -DomainName "AlwaysHotCafe.com" -DomainType InternalRelay

c. Export users from the AlwaysHotCafe DC to recreate them in the destination domain.

$UserToMove = @(
"Sammy Robertson"
"Milo Lang"
"Zoey Maldonado"
"Maia Ortega"
"Gary Berry"
"Rylie Freeman"
"Gaige Meyer"
"Cierra Morrow"
"Aaron Mullen"
"Alice"
)

$UserToMove | Get-Mailbox | select @{name="FirstName";expression={(Get-ADUser $_.SamAccountName).GivenName}},@{name="LastName";expression={(Get-ADUser $_.SamAccountName).SurName}},Name,DisplayName,UserPrincipalName,SamAccountName,WindowsEmailAddress,Alias,PrimarySmtpAddress,ExchangeGuid | Export-Csv Users.csv

d. Create the Users on the target domain controller (ProtectiGate.com) in a separate OU and add the necessary account properties to them

# Create New organizational unit to store the imported users
New-ADOrganizationalUnit -Name "AHC" -Path "DC=protectigate,DC=com" -Verbose

# Create Users
Import-Csv Users.csv | %{
	New-ADUser -Name $_.Name -DisplayName $_.DisplayName -GivenName $_.FirstName -Surname $_.LastName -UserPrincipalName $_.UserPrincipalName -SamAccountName $_.SamAccountName -Path "OU=AHC,DC=protectigate,DC=com" -Enabled:$true -EmailAddress $_.WindowsEmailAddress -AccountPassword(ConvertTo-SecureString "Password12345!" -AsPlainText -Force)
	Enable-RemoteMailbox -Identity $_.UserPrincipalName -RemoteRoutingAddress $_.UserPrincipalName
	Set-RemoteMailbox -Identity $_.UserPrincipalName -EmailAddressPolicyEnabled:$false
	Set-RemoteMailbox -Identity $_.UserPrincipalName -ExchangeGuid $_.ExchangeGuid -WindowsEmailAddress $_.WindowsEmailAddress -PrimarySmtpAddress $_.PrimarySmtpAddress
}

e. Create Migration Endpoint on the source (Al;waysHotCafe) Exchange server

#  Use the Protectigate admin credentials to form the endpoint
PS C:\> New-MigrationEndpoint -Name "Protectigate" -RemoteServer mail.protectigate.com -ExchangeRemoteMove -MaxConcurrentMigrations 50 -MaxConcurrentIncrementalSyncs 40 -Credentials $cr

On the AlwaysHotCafe server create the migration batch with the following cmdlet.

#  Create batch
PS C:\> New-MigrationBatch -Name "OnPremMove" -TargetEndpoint "Protectigate" -CSVData ([System.IO.File]::ReadAllBytes("OnPremMove.csv")) -BadItemLimit 100 -LargeItemLimit 100 -TargetDeliveryDomain protectigate.com -TargetDatabases "3edef40c-befc-49a8-8703-aec82cd4e385"

#  Start the batch to sync the mailboxes
PS C:\> Start-MigrationBatch "OnPremMove"

4. Finish the Migration Batches

After the mailboxes are all synced and ready for completion, we finish the batch. If you need to complete only individual mailboxes, check out the guide here

The process does a final sync to the target and removes the mailboxes from the source system.

# Complete the migration by finalizing the synced mailboxes
PS C:\> Complete-MigrationBatch "OnPremMove"

5. Verify the Mailboxes are Moved Successfully

The migrated mailboxes disappeared from the source system and they appear in the ProtectiGate Exchange environment.