Quick question on this. We are going through a domain split. Our consultant we hired to split the domains is requesting 2 service accounts. 1 for the AD portion, and 1 for the Exchange portion. I understand the reason for 2 accounts, but would 1 account work?
Also, he's requesting that the the AD service account have the following permissions:
a. This account needs to be a DOMAIN ADMIN of source domain.
b. This account needs to be a LOCAL ADMINISTRATOR on all workstations and servers that are going to be migrated to target domain.
c. This account needs FULL CONTROL over the Organizational Units where source accounts are going to be migrated from.
Does this seem accurate?
And for the Exchange account, they are requesting the following permissions:
a. This account needs to have impersonation rights in the source exchange organization (msdn.microsoft.com/.../bb204095(v=exchg.140).aspx)
b. This account needs to be a local administrator on every exchange server in the source domain
c. This account needs full control over the mailbox databases in the source domain (ADSI Edit – configuration container services ex org expand the administrative group and then databases, right click each database and grant full control to each database).
d. A throttling policy in source exchange environment needs to be set on this account so that it is unrestricted in its ability to sync mail for hundreds of mailboxes simultaneously.
Does this seem accurate as well?
I can't seem to find any documentation on the Quest site regarding the service accounts needed for AD and for Exchange respectively. I have only been searching for a couple minutes though. Could you point me in the right direction?
We have a Domain Admins AD group. This Domain admins group is a member of the local admins group on all servers and workstations. If we created a DA account for the QMM software and added it to this group, do you think this account will have the access it needs?
Thanks in advance!