G Suite (IMAP) to On-Premises Exchange Migration Guide

Introduction

This is the migration guide for the G Suite (IMAP) to On-Premises Exchange Migration scenario. This migration uses the IMAP endpoint and migrates emails and user information from G Suite to an On-Premises Exchange instance. 

Important: Migrating from a G Suite/Gmail endpoint requires a super administrator email address which matches the end-user domain.

OAuth administrative credentials will not function properly with G Suite for Business Legacy free accounts, G Suite Legacy free accounts, or Google Apps Legacy free accounts. As a result, migration of Google Legacy free accounts is not supported.

There are some tools and resources that will make the migration easier.

Google questions and troubleshooting

Our G Suite Migration FAQ covers questions and expands on some of the information found in this guide. To learn more about OAuth 2.0, check out the OAuth 2.0 FAQ and OAuth 2.0 setup guides.

Exchange questions and troubleshooting

Our Exchange Mailbox FAQ, Exchange Migration Setup and Planning, and Exchange Mailbox Migration Troubleshooting guides contain a number of common questions and concerns, along with more information, guidance, and steps to resolve issues such as throttling.

First migration?

We’ve created a guide on scoping, planning, and managing the migration process for your use. If this is your first migration, we recommend reading this guide carefully.

MigrationWiz

MigrationWiz is a migration tool, not a syncing tool. If changes are made at the source after migration, they will not sync to the destination, nor will changes made at the destination sync to the source. We do not have “live” monitoring of changes (as with a sync agent) and we cannot handle scenarios such as conflict resolution without user interaction.

MigrationWiz supports the capability to share migration projects across a Workgroup. When the Project Sharing feature is turned on, all Agents besides those who are Inactive can view all migration projects.

We are not able to support migrations with two-factor or multifactor authentication. 

Prepare the Source Environment

Grant MigrationWiz OAuth 2.0 access to G Suite

Complete these steps in the G Suite Admin Console to grant the BitTitan client ID access to the appropriate scopes:

  1. Go to https://admin.google.com and authenticate as a Super Administrator.
  2. Click Security. If you do not see the security icon on your admin console home page, you do not have the necessary rights on your account to make these changes. Request Super Administrator access from the customer to implement these changes.
  3. Click Advanced settings. Google limits accessing and changing this setting to only G Suite Super Administrator accounts.
  4. You will now have one of two options, depending on whether your tenant has been updated to the new Google API or not. 
  5. Old Google Tenant:

    • Go to the G Suite admin page at google.com
    • Click on Security
    • Click on Advanced Settings
    • Click Manage API Client Access.

    OR, if your account shows the latest UI updates from Google:

    • Go to the G Suite admin page at google.com
    • Click on Security
    • Click Advanced Settings
    • Under ‘Domain-wide delegation’, click Manage domain-wide delegation
    • On the Manage domain-wide delegation page, click Add new
  6. Click MANAGE DOMAIN WIDE DELEGATION.
  7. Click Add New.
  8. Enter 113321175602709078332 into the Client ID field. 
  9. Enter the following groups of scopes into the OAuth Scopes (comma-delimited) field:
    • G Suite as the Source (read-only scopes):
      https://mail.google.com/, https://www.google.com/m8/feeds, https://www.googleapis.com/auth/contacts.readonly, https://www.googleapis.com/auth/calendar.readonly, https://www.googleapis.com/auth/admin.directory.group.readonly, https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/drive, https://sites.google.com/feeds/, https://www.googleapis.com/auth/gmail.settings.sharing, https://www.googleapis.com/auth/gmail.settings.basic
  10. Click Authorize.
  11. The client name is 113321175602709078332 (make sure there are no leading or trailing spaces, as this may cause the error "URL ends with an invalid top-level domain name."). This will grant BitTitan products access to the appropriate scopes.
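Because this grant is domain-wide, it helps to normalise and review the scope list before pasting it into the OAuth Scopes field. The following is an added example, not BitTitan code: `Get-DelegatedScopeReview` is a hypothetical helper name, the scope list is the one from step 9, and the leading space and the repeated last entry are constructed to show the clean-up.

```powershell
# Added example, not BitTitan code. Runs on any workstation with PowerShell 3 or later.
# Scope list from step 9; the leading space and the duplicate at the end are constructed.
$ScopeField = ' https://mail.google.com/, https://www.google.com/m8/feeds, ' +
    'https://www.googleapis.com/auth/contacts.readonly, ' +
    'https://www.googleapis.com/auth/calendar.readonly, ' +
    'https://www.googleapis.com/auth/admin.directory.group.readonly, ' +
    'https://www.googleapis.com/auth/admin.directory.user.readonly, ' +
    'https://www.googleapis.com/auth/drive, https://sites.google.com/feeds/, ' +
    'https://www.googleapis.com/auth/gmail.settings.sharing, ' +
    'https://www.googleapis.com/auth/gmail.settings.basic, ' +
    'https://www.googleapis.com/auth/calendar.readonly'

function Get-DelegatedScopeReview {
    # Splits the comma-delimited field, trims each entry and reports, per scope:
    # whether it is a well-formed https URL, whether it repeats an earlier entry,
    # and whether its name ends in ".readonly".
    param([Parameter(Mandatory = $true)][string]$ScopeList)

    $seen = @{}
    foreach ($item in ($ScopeList -split ',')) {
        $scope = $item.Trim()
        if (-not $scope) { continue }          # skip empty entries from stray commas

        $uri = $null
        $wellFormed = [uri]::TryCreate($scope, [System.UriKind]::Absolute, [ref]$uri) -and
                      ($uri.Scheme -eq 'https')

        [pscustomobject]@{
            Scope          = $scope
            WellFormed     = $wellFormed
            Duplicate      = $seen.ContainsKey($scope)
            ReadOnlyByName = ($scope -match '\.readonly$')
        }
        $seen[$scope] = $true
    }
}

$review = @(Get-DelegatedScopeReview -ScopeList $ScopeField)
$review | Format-Table -AutoSize

# Clean value for the "OAuth Scopes (comma-delimited)" field: trimmed and de-duplicated.
$clean = ($review | Where-Object { $_.WellFormed -and -not $_.Duplicate } |
    Select-Object -ExpandProperty Scope) -join ','
$clean

# Scopes whose name does not end in ".readonly"; list these in the change record for the grant.
$review | Where-Object { -not $_.ReadOnlyByName -and -not $_.Duplicate } |
    Select-Object -ExpandProperty Scope
```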

Multiple domain migrations

If you are migrating from multiple domains, repeat these steps for each domain.

Enable IMAP access

Follow the steps outlined by Google to verify that all users have access to IMAP.

Folder size limits

Verify that the size limits on IMAP folders have been removed for all users. This is an end-user setting that must be manually verified for each user. We recommend sending the following directions to each user to have them check the setting. 

For each user:

  1. Navigate to your Gmail account.
  2. Click on the gear icon.
  3. Click Settings.
  4. Select the Forwarding and Pop/IMAP tab.
  5. Click Folder Size Limits.
  6. Select Do not limit the number of messages in an IMAP folder (default).

Export mailboxes to CSV files

From the Google Admin portal:

  1. Click Users.
  2. Click ⁝ (3 vertical dots)
  3. Select Download Users.
  4. Select Download All Users.
  5. Click OK.
  6. Click Save.

Prepare the Destination Environment

First, set up user accounts, then complete the following steps.

Create Admin Account

Create an administrator account in Exchange to be used for migration or use the global admin account for the tenant. The administrator account must have either full access to the user mailboxes or be granted impersonation rights. We recommend using impersonation as it will help reduce the likelihood of the migration being throttled by Microsoft. 

  1. Open the Exchange Management Console.
  2. Expand the Recipient Configuration
  3. Right-click on the Mailbox
  4. Click on New Mailbox.
  5. Click on Next.
  6. Click on Next.
  7. Enter "MigrationWiz" as the first name.
  8. Enter "MigrationWiz" as the user logon name, and optionally select a user principal name (UPN) domain.
  9. Enter a password and confirm the password.
  10. Click on Next.
  11. Click on Browse to select a Mailbox database.
  12. Click on Next.
  13. Click on New.
  14. Click on Finish.

To grant the account access, perform the following from the Exchange Server machine:

  1. Open the Exchange Management Shell.
  2. Enter the following command:
    Get-Mailbox -ResultSize Unlimited | Add-MailboxPermission -AccessRights FullAccess -User MigrationWiz

The above command needs to be applied each time a new mailbox is created, since permissions are set directly on each mailbox. The administrative account will not have access until the permissions are applied.

In the above script, the username "MigrationWiz" should be replaced with the name of the administrative account that was set up, by following the earlier instructions in this article.

This username is the Administrative Username that needs to be entered under project source or destination settings, within MigrationWiz, when checkmarking the box labeled: Use Administrative Login.

Set up PowerShell session

Set up a remote PowerShell session with Exchange 2010+

To manually grant administrative access for migration, execute the following PowerShell command in the Exchange PowerShell Console:
Get-Mailbox -ResultSize Unlimited | Add-MailboxPermission -AccessRights FullAccess -Automapping $false -User MigrationWiz

In the PowerShell script above, change the -User account to match the name of the admin account that was set up for migration.

Any user account that is a part of the domain administrator, schema administrator, or enterprise administrator groups will not have any administrative rights to mailboxes, no matter how many permissions are granted. A security default of Exchange Server is to explicitly deny any user that is a member of these groups. This is why we recommend creating a new user account specific for migration.

Disable Throttling

Disable throttling against the admin account.

Disable throttling against only the migrating account (if not using impersonation). This way, the admin account can migrate at a faster rate because it is not subjected to any throttling.

Use this option if using impersonation during the migration. If migrating using admin credentials, it is only necessary to disable throttling against the admin account, rather than all users.

If migrating mailboxes using administrative credentials at the Source, but not using impersonation, we recommend disabling throttling limits on this administrative account in order to improve the speed of migration.

We recommend the creation of a migration administrative account and disabling policy enforcement for this account.

Exchange Server 2013+

To disable all throttling parameters for an admin account called "MigrationWiz":

  1. Open the Exchange Management Shell.
  2. Type the following command and press Enter.

    New-ThrottlingPolicy MigrationWizPolicy

  3. Type the following command and press Enter.

    Set-ThrottlingPolicy MigrationWizPolicy -RCAMaxConcurrency Unlimited -EWSMaxConcurrency Unlimited -EWSMaxSubscriptions Unlimited -CPAMaxConcurrency Unlimited -EwsCutoffBalance Unlimited -EwsMaxBurst Unlimited -EwsRechargeRate Unlimited

  4. Type the following command and press Enter.

    Set-Mailbox "MigrationWiz" -ThrottlingPolicy MigrationWizPolicy
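The FullAccess grant under "Create Admin Account" has to be repeated for every new mailbox, and both it and the throttling exemption above stay in place until someone removes them. The following added example (not BitTitan code) reports which mailboxes carry the grant, applies it only where it is missing, and reverses both settings after the final pass. The function names are hypothetical, and it assumes the Exchange Management Shell on Exchange 2013 or later and the account and policy names used in this guide.

```powershell
# Added example, not BitTitan code. Run in the Exchange Management Shell (Exchange 2013 or later).
# Names below are the ones this guide uses; change them to match your environment.
$MigrationAccount = 'MigrationWiz'
$PolicyName       = 'MigrationWizPolicy'

function Get-MigrationAccessReport {
    # One row per mailbox: does $User hold an explicit (not inherited, not deny) FullAccess entry?
    param([Parameter(Mandatory = $true)][string]$User)

    # Collect first; calling Exchange cmdlets inside a streaming Get-Mailbox pipeline
    # can fail with "Pipelines cannot be run concurrently".
    $mailboxes = @(Get-Mailbox -ResultSize Unlimited)
    foreach ($mbx in $mailboxes) {
        $allow = Get-MailboxPermission -Identity $mbx.DistinguishedName -User $User |
            Where-Object { ($_.AccessRights -match 'FullAccess') -and -not $_.Deny -and -not $_.IsInherited }
        [pscustomobject]@{
            Mailbox       = $mbx.PrimarySmtpAddress
            Identity      = $mbx.DistinguishedName
            HasFullAccess = [bool]$allow
        }
    }
}

function Grant-MissingMigrationAccess {
    # Same grant as the guide's command, applied only to mailboxes that lack it
    # (for example, mailboxes created after the first run).
    param([Parameter(Mandatory = $true)][string]$User)

    $missing = @(Get-MigrationAccessReport -User $User | Where-Object { -not $_.HasFullAccess })
    foreach ($row in $missing) {
        Add-MailboxPermission -Identity $row.Identity -User $User -AccessRights FullAccess -AutoMapping $false
    }
}

function Remove-MigrationAccess {
    # After the final pass: remove the FullAccess entries, return the account to the
    # default throttling policy, then delete the unlimited policy.
    param(
        [Parameter(Mandatory = $true)][string]$User,
        [Parameter(Mandatory = $true)][string]$Policy
    )

    $granted = @(Get-MigrationAccessReport -User $User | Where-Object { $_.HasFullAccess })
    foreach ($row in $granted) {
        Remove-MailboxPermission -Identity $row.Identity -User $User -AccessRights FullAccess -Confirm:$false
    }
    Set-Mailbox $User -ThrottlingPolicy $null
    Remove-ThrottlingPolicy $Policy -Confirm:$false
}

# Mailboxes still missing the grant, and the policy currently bound to the account.
Get-MigrationAccessReport -User $MigrationAccount | Where-Object { -not $_.HasFullAccess }
Get-ThrottlingPolicyAssociation $MigrationAccount | Format-List Identity, ThrottlingPolicyId

# Grant-MissingMigrationAccess -User $MigrationAccount                   # before each pass
# Remove-MigrationAccess -User $MigrationAccount -Policy $PolicyName     # after the final pass
```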

Verify mailbox accessibility using EWS

You can verify independently if a mailbox is accessible using EWS with the following steps:

  1. Go to https://testconnectivity.microsoft.com
  2. If using Office 365, click the Office 365 tab.
  3. Select Service Account Access (Developers) and click Next.
  4. Specify the target mailbox email address.
  5. Specify the service account user name. If using admin credentials on the connector, enter the exact same user name.
  6. Specify the service account password. If using admin credentials on the connector, enter the exact same password.
  7. Check Specify Exchange Web Services URL and specify the URL (example: https://server/EWS/Exchange.asmx).
  8. If using Exchange Server, do not check Use Exchange Impersonation. If you are using Office 365, and using impersonation, do check the box.
  9. Check Ignore Trust for SSL.
  10. Click Perform Test.
  11. Once results are displayed, check the overall result, and click Expand All.

It may be necessary to first manage permissions.

If you want to be able to migrate messages with attachments larger than 10MB, the following limits need to be increased:

Increase Message Size Limits

This is a two-step process. The reason for this is that if the message size limits of Exchange are increased, the IIS limits will also have to be increased to allow increased payloads. There are other non-standard settings that can also cause size restrictions for the IIS or EWS connections, but we are unable to troubleshoot or identify specific environment restrictions outside of these settings.

To display current message size limits:

  1. Open the Exchange Management Shell.
  2. Enter the following commands:

Get-TransportConfig | Format-List -Property MaxReceiveSize, MaxSendSize
Get-SendConnector | Format-List -Property Identity, MaxMessageSize
Get-ReceiveConnector | Format-List -Property Identity, MaxMessageSize
Get-MailBox | Format-List -Property PrimarySmtpAddress, MaxSendSize, MaxReceiveSize

To increase message size limits on the Exchange Server:

  1. Open the Exchange Management Shell.
  2. Enter the following commands:

Set-TransportConfig -MaxReceiveSize 150MB -MaxSendSize 150MB
Get-SendConnector | Set-SendConnector -MaxMessageSize 150MB
Get-ReceiveConnector | Set-ReceiveConnector -MaxMessageSize 150MB
Get-Mailbox | Set-Mailbox -MaxSendSize 150MB -MaxReceiveSize 150MB

 

Increase IIS Limits to Allow Accepting Payloads

There are three limits that should be increased in IIS:

  • maxRequestLength
  • maxAllowedContentLength
  • maxReceivedMessageSize

Follow these steps to increase the Exchange message size limits on your client access server:

  1. Open Windows Explorer.
  2. Navigate to %ExchangeInstallPath%FrontEnd\HttpProxy\ews\
  3. Open the file Web.Config in a text editor, such as Notepad.
  4. Find the XML tag starting with for each change.
  5. Change the existing value to maxRequestLength="200000" -- this occurs in one place in the Web.Config file.
  6. Change the existing values to maxAllowedContentLength="200000000" -- this occurs in one place in the Web.Config file.
  7. Change the existing values to maxReceivedMessageSize="200000000" -- this entry occurs up to 12 times. This needs to be changed for each Authentication method.
    For example:
    <httpsTransport maxReceivedMessageSize="200000000" authenticationScheme="Anonymous" maxBufferSize="81920" transferMode="Streamed" />
    <httpsTransport maxReceivedMessageSize="200000000" authenticationScheme="Basic" maxBufferSize="81920" transferMode="Streamed" />
    etc.
  8. If you are running IIS7 and Windows 2008, it may be necessary to increase WCF settings.
  9. Save the file.
  10. IIS Reset is not needed; web.config changes are picked up by the next connection.

Follow these steps to increase the Exchange message size limits on your mailbox server:

  1. Open Windows Explorer.
  2. Navigate to %ExchangeInstallPath%ClientAccess\exchweb\ews\
  3. Open the file Web.Config in a text editor, such as Notepad.
  4. Find the XML tag starting with for each change.
  5. Change the existing value to maxRequestLength="200000" -- this occurs in one place in the Web.Config file.
  6. Change the existing values to maxAllowedContentLength="200000000" -- this occurs in one place in the Web.Config file.
  7. Change the existing values to maxReceivedMessageSize="200000000" -- this entry occurs up to 12 times. This needs to be changed for each Authentication method.
  8. If you are running IIS7 and Windows 2008, it may be necessary to increase WCF settings.
  9. Save the file.
  10. IIS Reset is not needed; web.config changes are picked up by the next connection.

Increase Maximum Accepted Content Length

You may increase the maximum accepted content length by following these directions:

  1. Open Windows Explorer.
  2. Navigate to C:\Program Files\Microsoft\Exchange Server\ClientAccess\exchweb\ews
  3. Open the file Web.Config in a text editor such as Notepad.
  4. Go to the end of the file.
  5. Insert or edit the following XML code before the </configuration> tag:

    <system.webServer>
      <security>
        <requestFiltering>
          <requestLimits maxAllowedContentLength="104857600" />
        </requestFiltering>
      </security>
    </system.webServer>

If XML code is already present in the Web.Config file, edit it to match what is shown above.

Sample Web.Config before changes:

<configuration>
  <system.web>
    ...
    ...
  </system.web>
</configuration>

Sample Web.Config after changes:

<configuration>
  <system.web>
    ...
    ...
  </system.web>
  <system.webServer>
    <security>
      <requestFiltering>
        <requestLimits maxAllowedContentLength="104857600" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>

 

Increase Maximum Received Message Size

If you are running IIS7 and Windows 2008, you may need to increase WCF settings:

  1. Open Windows Explorer.
  2. Navigate to C:\Program Files\Microsoft\Exchange Server\ClientAccess\exchweb\ews
  3. Open the file Web.Config in a text editor like Notepad.
  4. Find all XML tags starting with maxReceivedMessageSize=
  5. Change existing values to maxReceivedMessageSize="104857600"
  6. Save the file.
  7. Open a Command Prompt (cmd.exe).
  8. Type: cd %windir%\system32\inetsrv
  9. Type: appcmd.exe set config "Default Web Site/ews" -section:requestFiltering -requestLimits.maxAllowedContentLength:104857600
  10. Run: iisreset
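The three limits in the sections above use different units (maxRequestLength is in kilobytes, the other two in bytes), and maxReceivedMessageSize appears once per authentication method, so one missed binding becomes the effective ceiling. The following read-only check is an added example, not BitTitan or Microsoft code: `Get-EwsSizeLimit` is a hypothetical name, and the embedded XML is a constructed sample, trimmed to the relevant elements, with one binding deliberately left at a smaller value.

```powershell
# Added example. Reads the size limits from a Web.Config and converts them to MB.
# Constructed sample: the "Basic" binding was missed when the other values were raised.
$SampleWebConfig = @'
<configuration>
  <system.web>
    <httpRuntime maxRequestLength="200000" />
  </system.web>
  <system.serviceModel>
    <bindings>
      <customBinding>
        <binding name="SampleAnonymousBinding">
          <httpsTransport maxReceivedMessageSize="200000000" authenticationScheme="Anonymous" maxBufferSize="81920" transferMode="Streamed" />
        </binding>
        <binding name="SampleBasicBinding">
          <httpsTransport maxReceivedMessageSize="67108864" authenticationScheme="Basic" maxBufferSize="81920" transferMode="Streamed" />
        </binding>
      </customBinding>
    </bindings>
  </system.serviceModel>
  <system.webServer>
    <security>
      <requestFiltering>
        <requestLimits maxAllowedContentLength="200000000" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
'@

function Get-EwsSizeLimit {
    # Returns one row per occurrence of the three attributes. Pass -Path to read a real
    # Web.Config; without it the constructed sample above is parsed. Nothing is modified.
    param([string]$Path, [string]$Xml = $SampleWebConfig)

    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null                   # do not resolve external entities or DTDs
    if ($Path) { $doc.Load((Resolve-Path -LiteralPath $Path).ProviderPath) }
    else       { $doc.LoadXml($Xml) }

    # Attribute name -> size of one unit in bytes.
    $units = [ordered]@{ maxRequestLength = 1KB; maxAllowedContentLength = 1; maxReceivedMessageSize = 1 }

    foreach ($name in $units.Keys) {
        foreach ($node in $doc.SelectNodes("//*[@$name]")) {
            $raw = [int64]$node.GetAttribute($name)
            [pscustomobject]@{
                Setting = $name
                Element = $node.Name
                Scheme  = $node.GetAttribute('authenticationScheme')   # empty except on transports
                Raw     = $raw
                MB      = [math]::Round($raw * $units[$name] / 1MB, 1)
            }
        }
    }
}

$limits = @(Get-EwsSizeLimit)
$limits | Format-Table -AutoSize

# The smallest row is the effective ceiling for a request; here it is the missed Basic binding.
$limits | Sort-Object MB | Select-Object -First 1
```

Run it with `-Path` pointing at a copy of each Web.Config you edited, and compare the smallest MB value with the Exchange message size limits set earlier.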

MSPComplete Steps

Licensing

Purchase licenses. We recommend that you use the User Migration Bundle license for this migration scenario. 

  • These licenses enable multiple migrations of user mailboxes, documents, and in-place archives. It also allows the use of DeploymentPro to perform post-migration Outlook email profile configuration.
  • User Migration Bundle Licenses have unlimited data available per license.
  • User Migration Bundle Licenses are applied to the customer's users and expire 12 months after their purchase date. 
  • Document, Personal Archive, and DeploymentPro projects are all included when using User Migration Bundle Licenses.
  • This license type must be applied manually.

Apply licenses

  1. Sign in to MSPComplete at https://manage.bittitan.com.
    • When you sign in, make sure to select the MSPComplete button above the email field.
  2. Select the correct workgroup on the top of the left navigation pane. This is the workgroup that the customer and migration project were created under. Your account must be part of the workgroup if the project was not created under your account.
  3. On the left navigation pane, click Customers.
  4. Click the customer that employs the user to whom you want to apply a User Migration Bundle license.
  5. Click the Users tab at the top of the page.
  6. Check the box to the left of the email for the user(s) to whom you want to apply a license.
  7. Click the Apply User Migration Bundle License button at the top of the page. 
  8. If there is at least one unassigned User Migration Bundle license available for each selected user, click Confirm.
    Important: If there are no User Migration Bundle licenses currently available to be assigned and your role in the workgroup is Manager or higher, the form that appears provides all the necessary information and will walk you through the steps of purchasing User Migration Bundle licenses.

MigrationWiz Steps

Create a Mailbox Migration project

  1. Click Go to My Projects.
  2. Click Create Project.
  3. Create a Mailbox Migration
  4. For mailbox migrations, use administrative credentials to access mailboxes. In most migration scenarios, the admin account needs to have full access rights to the Source mailboxes.
  5. Click Next Step.
  6. Enter a Project name and select a Customer.
  7. Click Next Step.
  8. Select G Suite (IMAP) from the Endpoint dropdown menu. 
  9. Provide requested credentials.
  10. Select Exchange Server 2003+ from the Endpoint dropdown menu.
  11. Enter the OWA URL. 
  12. Click the Provide Credentials radio button and enter the admin account credentials for the account that was set up under the "Prepare the Destination Environment" section of this guide.
  13. Click Save and Go to Summary.

Endpoints

Endpoints are now created through MigrationWiz, rather than through MSPComplete. The steps for this section outline how to create the endpoints in MigrationWiz.

If you are selecting an existing endpoint, keep in mind that only ten endpoints will show in the drop-down. If you have more than ten, you may need to search. Endpoint search is case and character specific. For example, Cust0mer will not show up if the search is customer. We recommend keeping a list of endpoints you have created, along with any unique spellings or capitalization you may have used.

You may either use existing endpoints, or create new ones. 

To create a new source endpoint:

  1. Click Endpoints.
  2. Click Add Endpoint.
  3. Fill in the required information and credentials.

To create a new destination endpoint:

  1. Click Endpoints
  2. Click Add Endpoint
  3. Click + Find My Service Provider button
  4. Click the down arrow in the Service Provider field, and select the Hosted Exchange Provider (taking care to select the correct version of Exchange that the customer is running). This will auto-populate the Outlook Web Access URL with their verified URL.
  5. Or, instead of clicking on the + Find My Service Provider button, click the Exchange Server 2003+ button and manually enter the Outlook Web Access URL.
  6. It is necessary to add all domains that will be part of the migration on either the Source or the Destination. This means that, if there are users in one project with domain names Sourcedomain.com and Destinationdomain.com, it is important to ensure that both of these are added under “Your Domains” when creating the endpoints. When adding a domain, you need to click the "+" button.
  7. Click the Provide Credentials radio button and enter the admin account credentials. These are the credentials that you obtained from your Hosted Exchange Provider when following the steps under the "Prepare the Source Environment" section of this guide.

Add Users

Add the user accounts that will be migrated to the project.

To import one or more mailboxes:

  1. Sign in to your MigrationWiz account.
  2. Select the Project for which you want to perform the bulk import.
  3. Click Add.
  4. Click Bulk Add.
  5. Follow the instructions on the page.

Add Advanced Options

Under Advanced Options:

The following options are the most valuable for this migration scenario:

  • Under Filtering, add: (^All Mail$|^All Mail/)
    • This will filter out the All Mail label from your migration passes. It will speed up your migration passes.
    • You will remove this folder filter before performing your final migration pass. These steps are included later in this section.
  • Under Support/Support options, add:
    • StoreOverflowGooglePropertiesInNotes=1
    • StoreOverflowGooglePropertiesInNotesPrefix="enter your text here"
    • SuppressReminderDays=N

Run Verify Credentials

  1. Open the Project containing items you wish to validate.
  2. Select the items you wish to validate.
  3. Click on the Start button in your dashboard.
  4. Select Verify Credentials from the drop-down list.

Once complete, the results of the verification will be shown in the Status section.

Notify Users

Notify users that a migration is occurring. Send email to all users telling them the time and date of the migration.

Run Migration

Pre-Stage pass

  1. Select the users you wish to migrate
  2. Click the Start button from the top
  3. Select Pre-Stage Migration
  4. Under the Migration Scheduling section, from the drop-down list, select 90 days ago
  5. Click Start Migration.

MX Record Cutover

Change over MX records on the DNS provider's portal.

Also, include the AutoDiscover (CName) setting.

If you are migrating in batches and mail coexistence is required, you will not be cutting over the MX records until your final batch of users has been migrated, and you must set up mail forwarding.

Mail Forwarding

If you are not cutting over an entire domain/organization at once by changing the MX records, you can perform a phased migration and set up coexistence by setting up forwards on the mailboxes you wish to migrate.

  • Manually set forwards during a migration on a per-user basis, from the individual users' portal. This is only a valid option if there are a small number of users.
  • Manually set forwards during a migration on a per-user basis, from the admin portal. This is a suitable option for small- to medium-sized projects.
  • Automate the setup of mail coexistence (forwards) for G Suite through the MigrationWiz management console tool. This is the best option for large projects. Contact Support for assistance with this process.

Notify users

Send email to end users to let them know what to expect for their Outlook profile reconfiguration. Samples and screenshots can be found in our DeploymentPro documentation.

Enable AutoDiscover again, so that users can create new profiles via AutoDiscover, or use DeploymentPro to automate the configuration of new Outlook profiles. 

Full (Delta) pass

  1. Select the users
  2. Click the Start button from the top
  3. Select Full Migration
  4. Click Start Migration

Run Retry Errors

Look through the user list and click any red "failed migration" errors. Review the information and act accordingly.

If problems persist, contact Support.

Outlook Configuration

If not using DeploymentPro, users must create new Outlook profiles, set up their signatures again, and reattach any PST files that were attached to their previous profile.

Remove the All Mail label

Remove the All Mail filter from project Advanced Options, and run one final (Full) migration pass.

  1. Under Project Advanced Options: Filtering section, delete: (^All Mail$|^All Mail/)
  2. Select the users.
  3. Click the Start button from the top
  4. Select Full Migration
  5. Click Start Migration.

Request Statistics

Click the pie chart icon in the MigrationWiz dashboard to receive an email containing all the project migration statistics.

 
