Cross-forest migration from Exchange 2010 to Exchange 2010/2013/2016

I. Pre-migration activities

Before you install and configure CodeTwo Exchange Migration make sure that your environment (both the source and target server) is prepared for migration.

Below you will find the list of key points to be considered:

Step 1: Prepare a clean target Exchange environment in a new Active Directory forest

The following points need to be revised:

Step 2: (Optional) Enable the two-way trust relationship between the forests

Learn more about creating a forest trust on Windows Server 2008 and 2012.

This step is not necessary but recommended. Trust setup process will most likely reveal any issues you would otherwise find only during the actual migration and of course, it is better to address those before starting the migration. Secondly, setting up a trust makes it easier to configure CodeTwo software (see II Migration Process, step 2).

* Please note that setting the trust relationship doesn't apply to SBS based environments.

Step 3: Configure mail flow between the source and the target server

  • Configure Send and Receive Connectors on Exchange 2010.
  • Configure Send and Receive Connectors on Exchange 2013 (default Receive Connector is typically created during Exchange Server installation process)
  • Configure Send and Receive Connectors on Exchange 2016 (default Receive Connector is typically created during Exchange Server installation process)

Step 4: Prepare domain accounts on the target server

  • Migrate domain accounts between the Active Directory forests. You may do it automatically using Active Directory Migration Tool (ADMT) or create the accounts manually in the target forest.
  • During the mailboxes matching step, you can also set the program to create the mailboxes and the corresponding users automatically.


    Please be aware that prior to migration you have to prepare (in the target environment) a mailbox-enabled user account for each user included in the migration.

    What is more, if you choose either to manually create the mailboxes or allow the program to prepare them for you, be advised that the account data (such as permissions) will not be migrated.

Step 5: Make sure that the target server's administrator belongs to the appropriate AD group, has permissions on users mailboxes and has his mailbox correctly configured

  • Check if the Administrator belongs to the Organization Management group:
    • Open the Exchange Management Shell on the target server and enter Import-Module ActiveDirectory script
    • Then execute Get-ADPrincipalGroupMembership
  • Check the Administrator's impersonation rights on users mailboxes
    Learn more on how to configure the impersonation rights
  • Check that the Administrator's mailbox is configured and activated

Step 6: Verify permissions of the software user and target server admin's account.

Make sure that the administrator who runs the migration has appropriate permissions on the Source server. Furthermore, make sure that the target server admin, whose credentials are used, has proper access rights to the Target server's EWS service and that his mailbox is not hidden from the Exchange address lists

Verify the following:

  • Domain Admins membership
  • Organization management membership of the target server administrator
  • Access to the target server's EWS service using IP or a Domain Name, e.g. https://[Exchange_IP]/EWS/Exchange.asmx or https://[Exchange_Name]/EWS/Exchange.asmx
  • If a Client connects to EWS from the outside of the local network he needs to have the external EWS URL correctly configured:
    • Open the Exchange Management Shell on the target server and check if the ExternalUrl is defined: Get-WebServicesVirtualDirectory | fl
    • If there's no address in the ExternalUrl line it needs to be defined. Execute the following script: Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -ExternalUrl https://[Target server's internet name]/EWS/Exchange.asmx

Step 7: Adjust the EWS throttling settings and change the maximum size limit of sent mail to decrease the time of migration processing

Step 8: Installation of components required to install CodeTwo Exchange Migration on the source server (the installation wizard will guide you through this process)

  • MAPI CDO (MAPI Client and Collaboration Data Objects, required on any system except systems with coexisting MS Outlook x86 older than version 2016)
  • .NET 4.0 (required on any system, might be already installed)
    Learn more
  • PowerShell 2.0 (or higher, must be installed on Windows Server 2008)
    • Download Windows Management Framework Core (WinRM 2.0 and Windows PowerShell 2.0) Windows Server 2008
    • Newer Windows releases (Windows 7 or higher, Windows Server 2008 R2 or higher) already have PowerShell 2.0 (or higher) built-in.

Step 9: Installation and activation of CodeTwo Exchange Migration

The program needs to be installed and activated on a machine within the source server domain.


Please note that it is recommended that you install the migration tool directly on the source server.


Make sure you meet the system requirements prior to installing the software.

II. Migration process

The steps below will guide through the correct configuration of CodeTwo Exchange Migration:

Step 1: Connect to the source server

Once the program's installation is completed, you will see the Dashboard view. Click Create a new migration job link on the How to start card. Select the source server type: Exchange. The create Exchange migration job wizard will open. Set the name of the job and hit Next to proceed to the Source mailboxes step. If this is your first migration job, you will need to configure connection to your on-premises Exchange Server which will be used as the source of the migration. Click Add new source connection and a wizard will open. First, choose a protocol. If you migrate via the MAPI protocol, you need to go through the steps below:

  • Service account - in this step, the program creates a service responsible for accessing mailboxes selected for migration. As the service works under the administrator's MAPI profile, enter the administrator's email address and password. Note that this user needs to belong to Domain Admins group. By default, the currently logged administrator's email address is filled automatically. However, you can change it by clicking Browse and selecting another user's email address from the picker.
  • Connection method - there you can allow the program to automatically recognize the Exchange Server located within your network or select it manually from the picker.
  • Configuration - this step configures your source server connection based on the entered settings.

If you want to configure connection to the source Exchange Server via EWS, read this article for guidelines.

If all data has been correctly entered, the source server mailboxes should be listed later.


Step 2: Select mailboxes you want to migrate and define target connection

After successfully configuring the source connection, you will get back to the migration job wizard.

The Source mailboxes step now allows you to include or exclude mailboxes by using multiple filters. You may, for example, include all users' mailboxes from a particular Organizational Unit or Active Directory group. By default program includes All users along with the Public Folders as it is a most common scenario. Choose the mailboxes you want to migrate and proceed to the next step (Target mailboxes).

Now set up a new target server connection by choosing Add new target connection... from the Target server drop-down menu. A simple wizard will open.

  • In the Server connection step choose either Autodiscover Exchange Server (default option) to automatically find the proper target server or configure the connection manually.


    If you decided to configure the target connection manually, be aware that using an IP address will make granting impersonation rights and creating mailboxes impossible, unless you configure PowerShell Virtual Directory in IIS to allow basic authentication.

  • Admin's credentials - specify the UPN and password of the target server administrator. If you opted to configure a trust relationship between forests (see I Pre-migration activities, Step 2) you can click the Browse button to user AD user picker. Next, enter the admin's credentials and move on to Configuration.


    UPN (User Principal Name) is an Internal account name of a user in an e-mail address format.

  • Configuration - this process configures the target server connection based on the entered settings.
    • Once the configuration is completed there should be no errors under the three following points. However, if any errors appear please consult the Learn more sections describing the most common configuration mistakes.
    • Now is the time to test the Administrator's impersonation rights on the chosen Target mailbox. Under the Test button provide the Active Directory user's e-mail address and hit Test. If your rights have been successfully granted, you will be notified about that.

After your connection is established, proceed to the next step (Match mailboxes).

Step 3: Match target and source mailboxes

Matching the source with the target mailbox can be done in two ways: automatically via the built-in Automatch feature or manually. Either way, hit the Match mailboxes button.

To match manually a single mailbox, click on Click to match target link in the Target user mailbox column and choose most appropriate option for this user. After selecting an option you may be asked to provide further details (e.g. password for newly created users). The available approaches are:

  • Create a new user - to create both Active Directory user and corresponding mailbox, using the defaults values that you can also change.
  • Choose an existing user from the list - to select an existing user in the target environment that does not have mailbox created yet.
  • Manually specify the mailbox address - this option should be used in the case you are unable to list the target environment.

However, when it comes to matching hundreds of mailboxes, the process may be extremely time-consuming. To automatically set the best available actions for desired users, simply select them on the list (you can use Ctrl+A shortcut to choose all entries) and eventually hit Automatch. Select desired options and start the process.

When you have matched all your mailboxes you can continue to configure additional options.

Step 4: Customize all necessary aspects of the migration job

You may configure the following additional options:

  • Scheduler - allows you to set the job to be automatically started in desired period of times, so you do not have to control it manually.
  • Time filter - is used to exclude items that are older or newer than a particular date.
  • Folder filter - may completely exclude specific folders from the migration process.
  • Advanced settings - provides an option to define how many mailboxes should be migrated at same time. This number should correspond to the number of logical processors. You can also define the maximum size of items to be migrated.

Step 5: Start the migration

Move on to the JOBS tab and click Start on the toolbar to begin the migration.


The migration processing time depends on several different factors, e.g. the number of mailboxes and items, the speed of internet connection, EWS throttling settings. We have published more details here.

Step 6: Check if the number of migrated items in the target mailboxes matches the source server mailboxes

If you notice any missing items in the target mailbox restart the migration by using the Rescan feature.


Please be aware that the program does not migrate some specific folders at all. Those are i.e. Sync Issues or ones created while putting a mailbox on a litigation hold.


If any problems appear during the migration process they will be indicated on the dashboard, pointed on the reports and logged in the log files. Check out the software's diagnostics.

Step 7: Check if there are any new items in the source mailbox after migration

Once the migration is finished and you have noticed that some new items appeared in the migrated source mailbox, just restart the migration by using the Rescan feature. Please keep in mind that the Rescan feature uploads only new items, not the changed ones.

III. Post-migration cleanup

Once the migration is completed please follow the points below:

Step 1: MX records

Change MX records with your domain registrar to enable mail flow to new servers instead of the old ones. Please note that this process may take several hours.


If any new items appear in a source mailbox while the MX records are being changed, it is possible to migrate them after the records' migration process is completed. It can be done by using the Rescan feature.

Step 2: The previous domain

Disconnect the previous domain and Exchange Servers.


If you have any problems with disconnecting your domain, please consult your Domain Provider.

IV. Troubleshooting

For troubleshooting information, refer to our Knowledge Base.

For additional resources, refer to Frequently Asked Questions or contact us.

Was this information useful?