
How to Migrate Domino Mail-In Databases to Exchange 2010?
On a recent Domino R8.5 to Exchange 2010 email migration, using the Quest Notes Migrator to Exchange (QNME) tool, I had to migrate a large number of Domino Mail-In Databases to Exchange 2010 Group (shared) Mailboxes, whilst minimising any business impact. Not an easy task.
The Domino Mail-In Database migrations had been left until last, after all user mailbox migrations had been completed, with Mail-In Database access provided via the users’ legacy Lotus Notes client.
Tip: for a Domino to Exchange migration it is always a good idea to provide user access to the legacy Lotus Notes mailbox – it solves many headaches.
Leaving the Mail-In Database migrations until last proved to be a smart move, as by the time we got to the migration of the Domino Mail-In Databases, the users were all comfortable using Outlook 2010, and therefore, less resistant to the changes they would experience when the Domino Mail-In Databases were migrated.
In this article, the phrases “Mail-In Database” and “Group Mailbox” are interchangeable. “Group Mailbox” is the commonly used descriptor within Exchange 2010. These mailboxes could also be referred to as Shared Mailboxes. Pick a terminology that users are comfortable with – using new terminology can be a source of confusion during the email migration project, and is best avoided if possible.
The remainder of this article covers a typical Domino Mail-In Database migration process to Exchange 2010, and the application of the required ACL permissions post-migration.
Note: do not forget – if you need expert assistance on your email migration project, then you can get in touch with me to get some expert assistance. Use my consulting page within this website to get in touch.
Example Quest Migrate Mail-In Databases to Exchange 2010 Group Mailbox – Process
We migrated the Mail-In Databases to Exchange 2010 using our standard Quest NME process, which can be summarized as:
- Ensure DirSync AD Mail Contacts existed in Active Directory (AD) for each Domino Mail-In Database.
- Create AD user objects, in a separate AD OU, for each Domino Mail-In Database, with the correct SMTP address in the General|Email Address field. Set a standard, secure, password on these new AD user objects, as no one should be logging on directly with the AD accounts.
- Use QNME Group Provisioning to ensure all Domino “Mail” and “Multi-Purpose” Mail Groups are provisioned into an AD OU.
- Use QNME to merge the Domino Mail-In Database AD Mail Contacts into the AD user objects, for each Mail-in Database (Group Mailbox).
- Use QNME to mailbox enable the AD mail-enabled objects for each Mail-In Database.
- Use QNME to place an email forwarder on the legacy Domino Mail-In Database instances, pointing to the new Exchange 2010 mailboxes.
- Use QNME to migrate the mail data from the legacy Domino Mail-In Database instances into the new, matching, Exchange 2010 Group Mailboxes.
As a test, you can now grant yourself access to any of the migrated Group Mailboxes in Exchange 2010, and open them up with an Outlook 2010 Profile – to check that the migration worked as expected, and that the Group Mailbox functions as planned.
QNME was configured (via the parameter ini file) to not migrate the Access Control Lists (ACLs) across from Domino, as we had found the ACL migration results in this area problematic, and also did not want all the “Domino system” ACL entries to be stamped on the Exchange 2010 Group Mailbox instances from Day 1. Therefore, we had to plan for a standard process, post-migration, to put the required Group Mailbox ACL permissions in place.
Apply Exchange 2010 Group Mailbox ACL Permissions
We were now ready to apply the ACL to each Exchange 2010 Group Mailbox. In my experience, you would typically find a Domino “Multi-Purpose” Mail Group that was used to provide Manager access for users to the Domino Mail-In Database instance. This Domino “Multi-Purpose” Mail Group should have been provisioned in AD via the QNME Group Provisioning tool, which allows you to use it to apply the ACL to the matching Exchange 2010 Group Mailboxes.
Note: It is important that any such Domino “Multi-Purpose” Mail Groups are provisioned in AD as Universal Security Groups (USG), and not as Universal Distribution Groups (UDG). This is a QNME Group Provisioning setting that can be modified, if required. You cannot use a UDG as an ACL for an Exchange 2010 Group Mailbox. Check in ADUC that the Distribution Lists (DLs) are set as USGs.
For the ACL, I strongly advise that the following permissions are applied under Exchange 2010, as these closely match the typical Domino permissions:
- Full Access – for an identified AD USG
- SendAs – for an identified AD USG
I advise staying away from adding in any granular Group Mailbox ACL permissions for individuals, or other USGs. It is easier to manage one USG for each Exchange 2010 Group Mailbox. If anyone needs access to the Exchange 2010 Group Mailbox, then they get added to the matching USG. This has the additional benefit of being able to grant identified users the ability to manage the USG membership via their Outlook 2010 client – which is likely to have been the behaviour under Domino. And it keeps things simple for support purposes – equally important.
The Full Access and SendAs permissions can be granted in two different ways. The first method is via the Exchange Management Console (EMC).
You simply right-click on the Group Mailbox, select Manage Full Access Permission… and select the required Distribution List (USG, not UDG). Then do the same but for Manage Send As Permission…
Doing each of these will give you the opportunity to sight the Exchange Management Shell (EMS) equivalent command that is used – which is useful information if you wish to do these steps via EMS, and not EMC.
The second method, via EMS, is best used if you need to apply ACL permissions to a large number of Group Mailboxes on Exchange 2010, and you can even use a CSV file as an input.
Apply Full Access Permission in EMS:
A typical example one-liner to apply the Full Access permission to an Exchange 2010 Group Mailbox is as follows:
Add-MailboxPermission -Identity "CONTUSO\TestGroupmbx" -User "CONTUSO\TestGroupDL" -AccessRights FullAccess
The above example grants the DL called “TestGroupDL” the FullAccess permission to the mailbox called “Test Group Mailbox”. Note the use of the NETBIOS (or shortname) of each object, and also the “-user” value referring to a DL object.
Apply SendAs Access Permission in EMS:
A typical example one-liner to apply the SendAs Access permission to an Exchange 2010 Group Mailbox is as follows:
Add-ADPermission -Identity "CN=Test Group Mailbox,OU=Users,DC=Contuso,DC=com" -User "CONTUSO\TestGroupDL" -ExtendedRights Send-As
The above example grants the DL called “Test Group DL”, with shortname TestGroupDL, the SendAs permission to the mailbox called “Test Group Mailbox”. Note the use of the full canonical name (CN) of the Test Group Mailbox, and the use of the NETBIOS (or shortname) of the Distribution List. This is different from the format used for the earlier Full Access permission being applied. Note that the parameter “-User” in this example is actually the DL name.
Each of these one-liners could be copied and pasted into the EMS shell window, or they can be saved as a text file, with a .ps1 suffix. This allows you to run the .ps1 file under EMS. That way, you could list multiple lines of code in the .ps1 file. It would be best to have a separate .ps1 file for the Full Access permission cmdlets, and another one for the SendAs Access permission cmdlets.
Add “Full Access” Permissions via EMS Script with CSV Input File:
The final alternative, if you have a very large number of Group Mailbox permissions to apply, is to use a CSV file as input into each of the two different command functions.
Below is an example EMS cmdlet you could use here to grant the Full Access rights to a large number of Group Mailboxes to different Mail DLs.
Import-csv c:\temp\fullaccess_input.csv | foreach {Add-MailboxPermission -Identity $_.MBXNAME -User $_.DLNAME -AccessRights Fullaccess -InheritanceType all}
The CSV file would have two columns, with a header of MBXNAME and DLNAME for each – with the required data underneath the headings. Do this in Excel, populate the values, and save as CSV (I use the DOS CSV option in Excel).
Do not forget to ensure the canonical name is used in the appropriate column. No need to place quote marks in the data values in the spreadsheet – they are placed automatically by saving the file as a CSV type.
Note: one annoying Microsoft glitch I found when granting “Send As” permissions in EMS was that the cmdlet succeeded even when the DL Group I was using as the ACL was a mail-enabled UDG, and not a USG. In EMC if you try and do this, you are unable to, as the browse list only shows mailboxes and mail-enabled USGs. However, the EMS command does not prevent you from doing this, and even shows up afterwards when you run a “Get-Mailboxpermission -Identity ….” cmdlet. It will not work however, which is at least something. It is confusing though. You need to remove it, via “Remove-Mailboxpermission…. ” cmdlet, and make the DL Group a USG instead.
Add “Send As” Permissions via EMS Script with CSV Input File:
Below is an example EMS cmdlet you could use here to grant the SendAs rights to a large number of Group Mailboxes to different Mail DLs.
Import-csv c:\temp\sendas_input.csv | foreach {Add-ADPermission -identity $_.MBXNAME -user $_.DLNAME -ExtendedRights Send-As}
The CSV file would have two columns, with a header of MBXNAME and DLNAME for each – with the required data underneath the headings.
Do this in Excel, populate the values, and save as CSV (I use the DOS CSV option in Excel). Do not forget to ensure the canonical name is used in the appropriate column. No need to place quote marks in the data values in the spreadsheet. They are placed automatically by saving the file as a CSV type.
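The two CSV one-liners above can be combined with a pre-check that the trustee really is a mail-enabled USG, which avoids the UDG problem noted earlier. This is an added example, not code from the original article or from Quest or Microsoft; the file paths, the -Apply switch and the use of one shared CSV (MBXNAME as the mailbox shortname, DLNAME as the group shortname) are assumptions, and the mailbox's distinguished name for Add-ADPermission is looked up from Get-Mailbox rather than typed into the spreadsheet.

```powershell
# Added example: run inside the Exchange Management Shell (EMS).
# Without -Apply, both grants run with -WhatIf, so nothing is changed.
param(
    [string]$CsvPath    = 'c:\temp\groupmbx_input.csv',   # assumed input file name
    [string]$ReportPath = 'c:\temp\groupmbx_result.csv',  # assumed report file name
    [switch]$Apply
)

$results = foreach ($row in Import-Csv $CsvPath) {
    $status = 'GRANTED: FullAccess and Send-As'
    $group  = Get-Recipient -Identity $row.DLNAME  -ErrorAction SilentlyContinue
    $mbx    = Get-Mailbox   -Identity $row.MBXNAME -ErrorAction SilentlyContinue

    if (-not $mbx) {
        $status = 'SKIPPED: mailbox not found'
    }
    elseif (-not $group) {
        $status = 'SKIPPED: trustee not found'
    }
    elseif ("$($group.RecipientTypeDetails)" -ne 'MailUniversalSecurityGroup') {
        # A mail-enabled UDG (or a user) is rejected here instead of being stamped on the ACL.
        $status = "SKIPPED: trustee is $($group.RecipientTypeDetails), not a mail-enabled USG"
    }
    else {
        # Same cmdlets and parameters as the one-liners in the article.
        Add-MailboxPermission -Identity $row.MBXNAME -User $row.DLNAME `
            -AccessRights FullAccess -InheritanceType All -WhatIf:(-not $Apply) | Out-Null
        # Send-As is applied to the mailbox's AD object, identified by its distinguished name.
        Add-ADPermission -Identity $mbx.DistinguishedName -User $row.DLNAME `
            -ExtendedRights Send-As -WhatIf:(-not $Apply) | Out-Null
        if (-not $Apply) { $status = 'DRY RUN: would grant FullAccess and Send-As' }
    }

    # New-Object is used because Exchange 2010 ships with PowerShell 2.0.
    New-Object PSObject -Property @{
        Mailbox = $row.MBXNAME
        Trustee = $row.DLNAME
        Status  = $status
    }
}

# Keep a record of what was granted and what was refused, and why.
$results | Format-Table Mailbox, Trustee, Status -AutoSize
$results | Export-Csv $ReportPath -NoTypeInformation
```

Run it once without -Apply, review the report for SKIPPED rows, then re-run with -Apply.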
Adding Exchange 2010 Group Mailboxes to Outlook 2010 Profile
You are now ready to add the Group Mailbox to the user’s Outlook 2010 setup. This can be done with the new Add Account feature within Outlook 2010, which avoids the previous method of adding via the Outlook MAPI Profile. See my blog entry on this topic by following this link>>. For this level of Group Mailbox functionality, users are better off using the full Outlook 2010 client, and not Outlook Web Access (OWA). OWA does allow for Group Mailboxes to be accessed, and used, but the experience is not as rich.
Conclusion - Migrate Domino Mail-In Databases to Exchange
This method will be more likely to be aligned to how Group Mailboxes (and ACLs) were set up within Domino, including the presentation to users within the Notes Address Book. Planning to overhaul the way Exchange 2010 Group Mailbox permissions are applied, as part of the email migration, is not a wise move, in my opinion.
Use the objects, and permission structures, that are migrated from Domino to get the equivalent functions working in Exchange 2010. Users will be more familiar with these object names. If you wish to introduce new standards, then do so for any new Exchange 2010 Group Mailboxes that are requested. That way you have minimised the business impact.
Also, check to see if users in Domino had access rights to change any Mail-In Database ACL Group membership, and if they did, grant them this same access right within Exchange 2010 for the matching AD USG. See my earlier blog article on this topic by following this link>>.
Thanks for reading how to Migrate Domino Mail-In Databases to Exchange 2010, and I hope some of the information will be of use. Please make a comment, or provide feedback. Don’t forget to test first in your lab environment, especially when running EMS commands.





