Copy users from one Active Directory domain to another (no trust/ADMT)
I had a scenario whereby a customer wanted to migrate from SBS 2003 to Server 2012 and Exchange 2013 in one hop. There were not enough resources to install an Exchange 2010 migration server to move mailboxes over EWS, and because of SBS constraints we could not use ADMT, as domain trusts cannot be created between SBS and any other domain. The solution we opted for was to build a new domain with Exchange 2013 installed and then migrate the users over using a mixture of export scripts from the SBS domain and PST files for their email.
As we were migrating to an independent domain we don't really need to worry about SID History, since nobody will be accessing resources in the old domain after migration. What we do need to worry about is the X500 address of the user: the old mailbox's legacyExchangeDN must be added to the new mailbox as an X500 proxy address, otherwise cached Outlook recipients and existing meeting entries that still refer to the old DN will fail to resolve. I have another blog post about the importance of this attribute when moving between Exchange servers in different domains.
First I exported all the users from the old domain using CSVDE, because the Active Directory PowerShell module is not available on SBS 2003:
CSVDE -f c:\users.csv -d "OU=users,OU=SBS Company,DC=domain,DC=local" -r "(objectClass=user)"
This produced the required CSV with all the attributes we need and more. Note that (objectClass=user) also matches computer objects; that is harmless when the search base (-d) is the users OU, but if you export from the domain root you should either use (&(objectCategory=person)(objectClass=user)) or skip accounts whose sAMAccountName ends in $ when importing.
I then copied this file to the new domain and wrote a PowerShell script to read through these users, enable their mailboxes (if required) and add them to the security groups they were members of in the old domain, creating any group that does not yet exist. To achieve this the script reads the memberOf field of each user and splits it into an array of group DNs (CSVDE separates multi-valued attributes with semicolons). It then checks whether each group exists in the new domain: if it does, it adds the user to the group; if it doesn't, it creates the group and then adds the user to it. There is a limitation in using the script this way: it does not discriminate between distribution and security groups, so any group it creates will be a security group regardless of whether it was a distribution group in the old domain. That was acceptable for my migration.
The script lets you specify the destination OU for the users and for the groups, and choose whether or not to enable a mailbox for each user. If you choose to enable mailboxes you must supply the remote PowerShell URL of the Exchange server, e.g. http://exchangeserver.domain.com/powershell
Log files are written to the C:\ADMigration folder, which is created if it does not exist. During the user import a random password is generated for each user. These passwords are stored in plain text in a file called userpasswords.txt in C:\ADMigration, so restrict that folder to the migrating administrator, set the accounts to change password at next logon, and delete the file once the passwords have been handed out.
Ensure Exchange is installed before running this script if you are migrating mailboxes. The old users' memberOf values include the Exchange groups from the SBS domain, and if Exchange is not yet installed the script will create those groups itself as ordinary security groups, which may cause issues when Exchange setup later tries to create them.
Turn off password history and complexity requirements temporarily in the domain, as I have had weird issues with this script when they are enabled.
Here is the script; copy it into Notepad or the PowerShell ISE and save it with the .ps1 extension.
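The original script is not reproduced on this page. As an added example for this edit (not the author's script), the following PowerShell performs the same steps described above: it imports the CSVDE export, creates each user with a random password and logs it, recreates missing groups as global security groups, adds the memberships, and optionally mailbox-enables the user and stamps the old legacyExchangeDN as an X500 address. The OU paths, CSV path, log folder and Exchange URL are placeholders; it assumes the ActiveDirectory RSAT module on a member of the new domain. Unlike the original, it generates passwords that already satisfy the default complexity policy, so the policy does not need to be relaxed, and it deliberately skips the built-in privileged groups rather than copying those memberships blindly.

```powershell
<#
  Added example, not the original post's script. Placeholders: CSV path,
  OU paths, log folder and Exchange remote PowerShell URL. Assumes the
  ActiveDirectory RSAT module and, with -EnableMailbox, Exchange 2013 installed.
#>
param(
    [string]$CsvPath       = 'C:\ADMigration\users.csv',
    [string]$UserOU        = 'OU=Users,OU=Company,DC=newdomain,DC=local',
    [string]$GroupOU       = 'OU=Groups,OU=Company,DC=newdomain,DC=local',
    [switch]$EnableMailbox,
    [string]$ExchangePSUri = 'http://exchangeserver.newdomain.local/powershell',
    [string]$LogDir        = 'C:\ADMigration'
)

Import-Module ActiveDirectory
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$logFile   = Join-Path $LogDir 'migration.log'
$pwdFile   = Join-Path $LogDir 'userpasswords.txt'
$upnSuffix = (Get-ADDomain).DNSRoot
# Pin all reads and writes to one DC so Enable-Mailbox sees the user just created.
[string]$dc = (Get-ADDomainController -Discover -Writable).HostName | Select-Object -First 1

# Privileged groups are not copied blindly; review and add these memberships by hand.
$skipGroups = 'Domain Admins','Enterprise Admins','Schema Admins','Administrators',
              'Account Operators','Backup Operators','Server Operators'

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Tee-Object -FilePath $logFile -Append
}

# 16-character password from a CSPRNG with at least one character of each class,
# so it always meets the default complexity policy and the policy can stay enabled.
function New-RandomPassword([int]$Length = 16) {
    $sets  = 'ABCDEFGHJKLMNPQRSTUVWXYZ','abcdefghijkmnpqrstuvwxyz','23456789','!@#$%&*'
    $all   = -join $sets
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $chars = for ($i = 0; $i -lt $Length; $i++) {
        $pool = if ($i -lt $sets.Count) { $sets[$i] } else { $all }
        $pool[$bytes[$i] % $pool.Length]
    }
    -join ($chars | Sort-Object { Get-Random })   # shuffle so the class order is not fixed
}

if ($EnableMailbox) {
    $ex = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $ExchangePSUri -Authentication Kerberos
    Import-PSSession $ex -DisableNameChecking -AllowClobber | Out-Null
}

foreach ($u in Import-Csv $CsvPath) {
    $sam = $u.sAMAccountName
    # (objectClass=user) in the CSVDE export also matches computers; their names end in '$'.
    if (-not $sam -or $sam.EndsWith('$')) { continue }
    if (Get-ADUser -Server $dc -Filter "sAMAccountName -eq '$sam'") {
        Write-Log "SKIP user $sam already exists"; continue
    }

    $password = New-RandomPassword
    $name     = if ($u.displayName) { $u.displayName } else { $sam }
    $params = @{
        Server = $dc; Name = $name; SamAccountName = $sam
        UserPrincipalName = "$sam@$upnSuffix"; Path = $UserOU
        AccountPassword = (ConvertTo-SecureString $password -AsPlainText -Force)
        Enabled = $true; ChangePasswordAtLogon = $true
    }
    if ($u.givenName)   { $params.GivenName   = $u.givenName }
    if ($u.sn)          { $params.Surname     = $u.sn }
    if ($u.displayName) { $params.DisplayName = $u.displayName }
    New-ADUser @params
    "$sam`t$password" | Out-File -FilePath $pwdFile -Append -Encoding ASCII
    Write-Log "CREATED user $sam"

    # memberOf is a ';'-separated list of group DNs; the CN becomes the group name here.
    foreach ($groupDN in ($u.memberOf -split ';' | Where-Object { $_ })) {
        $groupName = (($groupDN -split ',')[0] -replace '^CN=', '')
        if ($skipGroups -contains $groupName) { Write-Log "SKIP privileged group $groupName for $sam"; continue }
        $safeName = $groupName -replace "'", "''"
        $group = Get-ADGroup -Server $dc -Filter "Name -eq '$safeName'"
        if (-not $group) {
            # Created as a security group regardless of the original group's type (known limitation).
            $group = New-ADGroup -Server $dc -Name $groupName -GroupScope Global -GroupCategory Security -Path $GroupOU -PassThru
            Write-Log "CREATED group $groupName"
        }
        Add-ADGroupMember -Server $dc -Identity $group -Members $sam
    }

    if ($EnableMailbox) {
        Enable-Mailbox -Identity $sam -DomainController $dc | Out-Null
        # Keep the old legacyExchangeDN as an X500 proxy so cached recipients still resolve.
        if ($u.legacyExchangeDN) {
            Set-Mailbox -Identity $sam -DomainController $dc -EmailAddresses @{Add = "X500:$($u.legacyExchangeDN)"}
        }
        Write-Log "MAILBOX enabled for $sam"
    }
}

if ($EnableMailbox) { Remove-PSSession $ex }
Write-Log "Done. Hand out and then delete $pwdFile; it holds plain-text initial passwords."
```

Run it as a domain administrator on a member of the new domain, e.g. `.\Import-SbsUsers.ps1 -CsvPath C:\ADMigration\users.csv -EnableMailbox`. Every cmdlet is pinned to the same domain controller because Enable-Mailbox will otherwise fail intermittently when the Exchange server happens to query a DC that has not yet replicated the new account.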
Mark is an independent Microsoft Teams consultant with over 15 years of experience in Microsoft technology. Mark is the founder of Commsverse, a dedicated Microsoft Teams conference, and a former MVP. You can follow him on Twitter @UnifiedVale