Migrate Exchange Server 2010 Accounts and Add Them to Super Users Groups

Applies To: Windows Server 2008 R2, Windows Server 2008 R2 with SP1

To implement Microsoft Exchange Server 2010 Information Rights Management (IRM) features such as journal report decryption and transport decryption across forest boundaries, the Federated Delivery mailbox (a system mailbox created by Exchange 2010 Setup) in each forest must be able to authenticate to the other forest. The preferred method for enabling this authentication is to migrate the Federated Delivery mailbox account of each forest into the other forest. The migrated account can then be added to the super users group of the Active Directory Rights Management Services (AD RMS) cluster in that forest. Because the AD RMS cluster grants members of its super users group owner rights to all content it protects, this gives Exchange Server 2010 in each forest the ability to decrypt content protected by the AD RMS cluster in the other forest.

This migration can be performed in one of two ways:

  • Migrate the Federated Delivery mailbox account (named FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042) with SID history from one forest to the other, leaving the migrated copy disabled in the target forest. The migrated account must then be added to the super users group of the AD RMS cluster in the target forest. Repeat in the other direction so that each forest holds a disabled copy of the other forest's account.

  • Migrate the SID history of the Federated Delivery mailbox in one forest to the corresponding Federated Delivery mailbox account in the target forest. If you have not yet followed the instructions in Configuring AD RMS to Integrate with Exchange Server 2010 in a Single Forest to enable Information Rights Management (IRM) features in Exchange Server 2010 in the target forest, you must then add the Federated Delivery mailbox account to the AD RMS super users group in the target forest.

The method that you choose will depend on the configuration and requirements of the forests where the migration will occur. For information about how to create and configure the super users group for Exchange Server 2010 IRM, see Configure the AD RMS Super Users Group.

You use the Active Directory Migration Tool (ADMT) to migrate the Federated Delivery mailbox account or its SID history. To learn how to use ADMT to migrate user accounts, see ADMT Guide: Migrating and Restructuring Active Directory Domains (http://go.microsoft.com/fwlink/?LinkId=198027), in particular Migrating Accounts While Using SID History (http://go.microsoft.com/fwlink/?LinkId=198028).
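The following PowerShell script is an added example and is not part of the original page or of the Exchange or ADMT documentation. It covers the step that follows the ADMT migration: in the target forest it locates the Federated Delivery mailbox account named above, confirms that SID history from the source forest was actually migrated (the property Exchange relies on for cross-forest authentication), checks the account's enabled state so you can tell which of the two migration methods you are looking at, and then adds the account to the AD RMS super users group and verifies the membership. The target domain name (fabrikam.com), the super users group name (ADRMSSuperUsers) and the source domain SID are assumptions for illustration; substitute your own values. It requires the ActiveDirectory module (RSAT) and runs on a machine joined to the target forest.

```powershell
# Added example, not from the original page. Verify a migrated Federated
# Delivery mailbox account in the TARGET forest and add it to the AD RMS
# super users group. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Account name is the one given on the page; the rest are assumed values.
$fedAccountCn  = 'FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042'
$targetDomain  = 'fabrikam.com'                                # assumed target forest domain
$superUsers    = 'ADRMSSuperUsers'                             # assumed super users group name
# Domain SID of the SOURCE forest, e.g. from (Get-ADDomain -Server contoso.com).DomainSID
$sourceDomSid  = 'S-1-5-21-1111111111-2222222222-3333333333'   # assumed placeholder

# The account's CN is the full mailbox name; sAMAccountName is limited to
# 20 characters, so filter on the CN rather than on sAMAccountName.
$user = Get-ADUser -Server $targetDomain -LDAPFilter "(cn=$fedAccountCn)" `
                   -Properties SIDHistory, Enabled
if (-not $user) {
    throw "Federated Delivery mailbox account '$fedAccountCn' not found in $targetDomain."
}

# Check that SID history was migrated from the source forest. Without an
# entry whose domain portion matches the source domain SID, the account
# cannot be resolved to the source forest identity and IRM decryption of
# content from that forest will fail.
$fromSource = @($user.SIDHistory | Where-Object {
    ([System.Security.Principal.SecurityIdentifier]$_).AccountDomainSid.Value -eq $sourceDomSid
})
if ($fromSource.Count -eq 0) {
    throw "No SID history from $sourceDomSid on '$fedAccountCn'; re-run the ADMT migration with SID history enabled."
}
Write-Host "SID history from source forest present: $($fromSource -join ', ')"

# Method 1 on the page migrates the whole account and leaves it disabled in
# the target forest; method 2 adds SID history to the target forest's own
# (enabled) account. Report which one this looks like; do not change it here.
if ($user.Enabled) {
    Write-Host "Account is enabled: this is the target forest's own Federated Delivery mailbox (SID history migration)."
} else {
    Write-Host "Account is disabled: this is a migrated copy of the source forest's account (account migration)."
}

# The super users group configured on the AD RMS cluster must be a
# mail-enabled group (AD RMS identifies it by its e-mail address), so warn
# if the 'mail' attribute is missing before adding members.
$group = Get-ADGroup -Server $targetDomain -Identity $superUsers -Properties mail, GroupScope
if (-not $group.mail) {
    Write-Warning "Group '$superUsers' has no e-mail address; AD RMS will not accept it as the super users group."
}

# Add the account and verify, using the object SID so a renamed CN does not matter.
if (-not (Get-ADGroupMember -Server $targetDomain -Identity $group | Where-Object { $_.SID -eq $user.SID })) {
    Add-ADGroupMember -Server $targetDomain -Identity $group -Members $user
}
$isMember = [bool](Get-ADGroupMember -Server $targetDomain -Identity $group | Where-Object { $_.SID -eq $user.SID })
if (-not $isMember) { throw "Failed to add '$fedAccountCn' to '$superUsers'." }
Write-Host "'$fedAccountCn' is a member of '$superUsers' in $targetDomain."
```

Run the script once in each forest after the corresponding ADMT migration, pointing `$sourceDomSid` at the other forest's domain SID each time. The script only adds group membership; enabling the super users feature on the AD RMS cluster and pointing it at this group is done separately, as described in Configure the AD RMS Super Users Group, and the cluster caches group membership, so a newly added member may not be able to decrypt content until that cache refreshes.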