Migrating Linked Mailboxes: The Solution to Your Challenges

by

If you’re looking to migrate linked mailboxes and are facing challenges, you’re not alone. Microsoft has yet to publish a comprehensive guide on this topic. However, this blog will walk you through the scenario, root causes, and steps to remediate the issue.

Scenario

In a multi-forest environment, the same user exists in both forests due to a linked mailbox setup. The structure is as follows:

  • Forest A (Exchange Forest): Contains a disabled user account with a linked mailbox.
  • Forest B (Authentication Forest): Holds the enabled user account, which is used for authentication.

Common Issue During Migration

When synchronizing to Entra ID:

  • The user appears in Entra ID but lacks Exchange properties.
  • The user is not listed as a Mail User in the Exchange Admin Center.
  • The user does not appear in migration batches, making mailbox migration impossible.
  • 2 user accounts will appear in Metaverse search.

Since Entra AD Connect is responsible for synchronizing identities from on-premises to Entra ID, let’s explore the correct configuration to resolve this issue.

Troubleshooting Steps

Before making changes to Entra AD Connect, perform these basic checks:

Verify msExchMasterAccountSID and ObjectSID

  1. In Forest A (Exchange Forest):
    • The linked mailbox should have msExchMasterAccountSID populated.
    • This value should match the ObjectSID of the corresponding account in Forest B.
  2. In Forest B (Authentication Forest):
    • The user account should have an ObjectSID value.

Permanent Fix

1. Configure Entra AD Connect with Proper Permissions

Create a service account with the necessary permissions for Entra AD Connect. You can follow this guide to assign permissions: How to Give AAD Connect Account Permissions

2. Ensure Proper Attribute Matching in Metaverse

AAD Connect typically joins objects based on attributes like mail, proxyAddresses, objectSID, and msExchMasterAccountSID. If these attributes don’t match correctly, AAD Connect may create separate objects instead of merging them.

  • Revalidate msExchMasterAccountSID and ObjectSID.
  • If soft matching fails, use immutableId in Entra ID to perform hard matching.

3. Reconfigure Entra AD Connect Correctly

If the above steps do not resolve the issue, reinstall and reconfigure Entra AD Connect with the following considerations:

  1. Add All Directory Forests in Configuration
    • Ensure all necessary forests are included in synchronization settings.
  1. Choose the Right UPN/Login Configuration
    • For SSO scenarios, selecting the Mail attribute often works best.
  1. Enable Multi-Forest Merging Options
    • Since we are working with a multi-forest environment and linked mailboxes, select the appropriate options to merge users when syncing to Entra ID.
    • Let Azure manage the Source Anchor to merge identities correctly.

Following these steps ensures a smooth migration of linked mailboxes while maintaining consistency across forests and Entra ID.

!!! THANKS FOR READING !!!

Regards,
HARISH KUMAR

Knowledge is not a finite resource to hoard; it’s a boundless treasure that grows when shared

Leave a Comment