Service account access question for AD and Exchange migration.

Quick question on this. We are going through a domain split. Our consultant we hired to split the domains is requesting 2 service accounts. 1 for the AD portion, and 1 for the Exchange portion. I understand the reason for 2 accounts, but would 1 account work?

Also, he's requesting that the AD service account have the following permissions:
a. This account needs to be a DOMAIN ADMIN of source domain.
b. This account needs to be a LOCAL ADMINISTRATOR on all workstations and servers that are going to be migrated to target domain.
c. This account needs FULL CONTROL over the Organizational Units where source accounts are going to be migrated from.

Does this seem accurate?

And for the Exchange account, they are requesting the following permissions:
a. This account needs to have impersonation rights in the source Exchange organization (msdn.microsoft.com/.../bb204095(v=exchg.140).aspx)
b. This account needs to be a local administrator on every Exchange server in the source domain
c. This account needs full control over the mailbox databases in the source domain (ADSI Edit – configuration container > services > ex org > expand the administrative group and then databases, right click each database and grant full control to each database).
d. A throttling policy in source exchange environment needs to be set on this account so that it is unrestricted in its ability to sync mail for hundreds of mailboxes simultaneously.

Does this seem accurate as well?


I can't seem to find any documentation on the Quest site regarding the service accounts needed for AD and for Exchange respectively. I have only been searching for a couple minutes though. Could you point me in the right direction?

 

We have a Domain Admins AD group. This Domain admins group is a member of the local admins group on all servers and workstations. If we created a DA account for the QMM software and added it to this group, do you think this account will have the access it needs? 

 

Thanks in advance!

  • Using 1 or 2 accounts depends on several factors within your organization.


    MigrationManager_8.14_SysReqAndAccessRights.pdf has pretty much all your answers to your questions.

    I personally use two accounts, one for source and one for target (regular account > dropped into the Builtin Administrators group on the DC on either end. Then dropped into the Local Admins group of every server (including Exchange) & PC that will be migrated). Then add Exchange permissions to either account on their respective sides. Then apply this group to the AD structure; in the documentation, see below.

    Now for the Exchange rights it all depends on the version you are running. From what to what?

    The following can be found in this directory in the extracted QMM folder:

    .....migration-manager-full-package_814\CD\Documentation

    Then again this can work with one account, with all the rights combined. Never with Domain Admin rights, when Exchange is involved. (Domain Admins group has Deny for Send As and Receive As).

    All the information you are looking for is in the directory I mentioned above. Please keep in mind my approach is the way I like to do it, using two accounts. I was shown to use a single account... I prefer two. Sometimes you have no choice but to use 1 account, perhaps two when you are really nice.
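
A read-only way to check the points raised in this thread before handing the account over, as an added example that is not part of the original posts or of Quest's documentation. It assumes the Exchange Management Shell on the source side with the ActiveDirectory module available; the account name `svc-qmm-exch` is hypothetical, and `Domain Admins` assumes an English-named group.

```powershell
# Added example: read-only audit of a migration service account.
# 'svc-qmm-exch' is a hypothetical name; nothing here changes any permission.
Import-Module ActiveDirectory
$Account = 'svc-qmm-exch'
$user    = Get-ADUser -Identity $Account

# 1. Is the account a direct or nested member of Domain Admins?
$isDomainAdmin = [bool](Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.SID -eq $user.SID })

# 2. Deny entries for Send-As / Receive-As on every mailbox database.
#    A deny entry for a group the account belongs to overrides granted rights.
$denyEntries = Get-MailboxDatabase | ForEach-Object {
    Get-ADPermission -Identity $_.DistinguishedName | Where-Object {
        $_.Deny -and (($_.ExtendedRights -like 'Send-As') -or
                      ($_.ExtendedRights -like 'Receive-As'))
    } | Select-Object Identity, User, ExtendedRights, IsInherited
}

# 3. Impersonation: which ApplicationImpersonation assignments reach the account,
#    and with what recipient scope (an empty custom scope means organization-wide).
$impersonation = Get-ManagementRoleAssignment -Role 'ApplicationImpersonation' `
    -RoleAssignee $Account -ErrorAction SilentlyContinue |
    Select-Object Name, RoleAssigneeName, CustomRecipientWriteScope

# 4. Which throttling policy is associated with the account (empty = default policy).
$throttling = (Get-ThrottlingPolicyAssociation -Identity $Account).ThrottlingPolicyId

# Summary for the change record
[pscustomobject]@{
    Account            = $Account
    InDomainAdmins     = $isDomainAdmin
    ImpersonationRoles = @($impersonation).Count
    ThrottlingPolicy   = $throttling
}
$denyEntries   | Format-Table -AutoSize
$impersonation | Format-Table -AutoSize
```

Running it again after the migration, once the account has been disabled or its rights removed, gives a before-and-after record of what the account could reach.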