
Migrate local user mailboxes to AD user mailboxes?
jbrave
Ok, finally got Kerio talking to Windows Server 2008 64-bit. Yay! Now how do I migrate sam@mycompany.com (local user) to sam@mycompany.com (AD user)? Can't add the AD user to Kerio since his name is already in use.

- Joel
marook
It is possible to move the user from one domain to another, on the file level.

You will, though, have to rename the current domain.com to something else, create domain.com as an AD bound domain, and then create the user(s) and move the mail storage on the file level.

Might wanna take the server offline while you do so... at least from incoming internet traffic...

Regards,

Jakob Peterhänsel
Consultant - Humac A/S

Apple Certified Support Professional (ACSP)
Apple Certified Technical Coordinator (ACTC)
AppleSeed/CQF member since 1998
Kerio Messaging Partner
Pavel Dobry (Kerio)
Please, no moving or copying on the file level. It is not good.

There is one much simpler way:
1. Stop KMS
2. Edit users.cfg file and remove all user accounts (except the administrator).
3. Start KMS. Open the administration console.
4. Configure the existing domain and activate users from AD. As long as the users have the same names as the local ones, the mailboxes will be available to the new AD accounts.
marook
Ok, sorry..

But then you would want to back up that users.cfg file first (or the whole mail server).

Now we know it's "not good" to move files (though I don't know why..), but the method mentioned has been used with success with over 100 users on OS X Server....

Regards,

Jakob Peterhänsel
Consultant - Humac A/S

Apple Certified Support Professional (ACSP)
Apple Certified Technical Coordinator (ACTC)
AppleSeed/CQF member since 1998
Kerio Messaging Partner
jbrave
That is great, thank you very much. Please include useful information like this in the Admin guide!

- Joel
sedell
Why mess with the users.cfg? You can just select all the accounts in the admin console, click Remove, and select 'Do not delete user's message folder'. That will leave the folder behind so when you add the AD account with the same name, it will use that message store.

Scott
jbrave
I used myself as a test subject. I was able to do exactly what you suggested, but now I can't log in from anywhere - Outlook, webmail, Mac Mail (IMAP) - all reject my password. My password has not changed.

I have searched the forums and the answers I found are not very helpful:

- My AD account is allowed to log in from anywhere
- there is a user account for the Kerio server in AD, part of Domain Admins
- Kerberos - I think this is working; otherwise, how could I get a user listing from the Domain Controller?

The active directory domain name is the same as the email domain:

company.com

Does the username used for logging in change after switching to an AD user?

Is it something other than me@company.com?

Here are the warning logs:

[04/Dec/2008 10:55:09] IMAP: Invalid password for user joel@company.com. Attempt from IP address 76.235.150.55
[04/Dec/2008 10:58:57] HTTP/WebMail: Invalid password for user joel@company.com. Attempt from IP address 10.17.28.50
[04/Dec/2008 10:59:11] HTTP/WebMail: Invalid password for user joel@company.com. Attempt from IP address 10.17.28.50
[04/Dec/2008 10:59:24] HTTP/WebMail: User joel@kerio.company.com doesn't exist. Attempt from IP address 10.17.28.50
[04/Dec/2008 10:59:36] HTTP/WebMail: User company\joel@kerio.company.com doesn't exist. Attempt from IP address 10.17.28.50
[04/Dec/2008 10:59:52] HTTP/WebMail: Invalid password for user joel@company.com. Attempt from IP address 10.17.28.50
[04/Dec/2008 11:01:09] HTTP/WebMail: User joel@kerio.company.com doesn't exist. Attempt from IP address 10.17.28.50
[04/Dec/2008 11:01:23] HTTP/WebMail: Invalid password for user joel@company.com. Attempt from IP address 10.17.28.50
[04/Dec/2008 11:05:32] HTTP/WebMail: Invalid password for user joel@company.com. Attempt from IP address 10.17.28.50
[04/Dec/2008 11:06:20] HTTP/WebMail: Invalid password for user joel@company.com. Attempt from IP address 10.17.28.50
[04/Dec/2008 11:06:39] HTTP/WebMail: User joel@company doesn't exist. Attempt from IP address 10.17.28.50
[04/Dec/2008 11:11:18] HTTP/WebMail: Invalid password for user joel@company.com. Attempt from IP address 10.17.28.50
[04/Dec/2008 11:14:39] Directory server failure while expanding address <erica@company.com>, expanded to 1 recipients
[04/Dec/2008 11:14:39] Directory server failure while expanding address <lynne@company.com>, expanded to 1 recipients
[04/Dec/2008 11:14:39] Directory server failure while expanding address <mari@company.com>, expanded to 1 recipients
[04/Dec/2008 11:14:46] Cannot list users, internal database error: 800.
[04/Dec/2008 11:16:02] HTTP/WebMail: Invalid password for user joel@company.com. Attempt from IP address 10.17.28.50
[04/Dec/2008 11:29:54] HTTP/WEBDAV (KOFF): Invalid password for user joel@company.com. Attempt from IP address 10.17.28.50
[04/Dec/2008 11:30:00] HTTP/WebDAV: Invalid password for user joel@company.com. Attempt from IP address 10.17.28.50
[04/Dec/2008 11:32:44] HTTP/WebMail: Invalid password for user joel@company.com. Attempt from IP address 10.17.28.50
[04/Dec/2008 11:32:55] HTTP/WebMail: User joel@kerio.company.com doesn't exist. Attempt from IP address 10.17.28.50
[04/Dec/2008 11:44:16] IMAP: Invalid password for user joel@company.com. Attempt from IP address 76.235.150.55
[04/Dec/2008 11:44:37] IMAP: Invalid password for user joel@company.com. Attempt from IP address 76.235.156.55
[04/Dec/2008 11:48:44] HTTP/WEBDAV (KOFF): Invalid password for user joel@company.com. Attempt from IP address 10.17.28.50
[04/Dec/2008 11:48:50] HTTP/WebDAV: Invalid password for user joel@company.com. Attempt from IP address 10.17.28.50

- Joel
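The warning log above mixes three different failure modes that the later replies treat differently: a rejected password on an account Kerio did resolve (Kerberos realm or LDAP rights), a login name whose domain is not the mail domain (client-side login name), and directory-server errors. The following is an added example, not code from the thread or from Kerio, that parses lines in the quoted format and separates those cases; the sample lines are constructed from the post, and company.com is the mail domain Joel states.

```python
import re
from collections import Counter

# Constructed sample in the Kerio Connect warning-log format quoted in the thread
# (a subset of the poster's lines; addresses and IPs are the ones in the post).
SAMPLE_LOG = """\
[04/Dec/2008 10:55:09] IMAP: Invalid password for user joel@company.com. Attempt from IP address 76.235.150.55
[04/Dec/2008 10:58:57] HTTP/WebMail: Invalid password for user joel@company.com. Attempt from IP address 10.17.28.50
[04/Dec/2008 10:59:24] HTTP/WebMail: User joel@kerio.company.com doesn't exist. Attempt from IP address 10.17.28.50
[04/Dec/2008 10:59:36] HTTP/WebMail: User company\\joel@kerio.company.com doesn't exist. Attempt from IP address 10.17.28.50
[04/Dec/2008 11:06:39] HTTP/WebMail: User joel@company doesn't exist. Attempt from IP address 10.17.28.50
[04/Dec/2008 11:14:39] Directory server failure while expanding address <erica@company.com>, expanded to 1 recipients
[04/Dec/2008 11:14:46] Cannot list users, internal database error: 800.
[04/Dec/2008 11:44:16] IMAP: Invalid password for user joel@company.com. Attempt from IP address 76.235.150.55
"""

# "[ts] <proto>: Invalid password for user <u>. Attempt from IP address <ip>"
# "[ts] <proto>: User <u> doesn't exist. Attempt from IP address <ip>"
AUTH_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<proto>[^:]+): "
    r"(?:Invalid password for user (?P<bad_pw>\S+?)|User (?P<no_user>\S+?) doesn't exist)"
    r"\. Attempt from IP address (?P<ip>[\d.]+)$"
)
DIR_RE = re.compile(r"Directory server failure|Cannot list users")

def classify(line, mail_domain):
    """Map one warning-log line to (kind, user, ip), or None for unrelated lines.
    bad_password: account resolved, credential rejected (check Kerberos realm / LDAP rights)
    wrong_domain: login name carries a domain other than the mail domain (client login name)
    unknown_user: right domain but no such account yet; directory_error: directory unreachable"""
    if DIR_RE.search(line):
        return ("directory_error", None, None)
    m = AUTH_RE.match(line)
    if not m:
        return None
    if m.group("bad_pw"):
        return ("bad_password", m.group("bad_pw"), m.group("ip"))
    user = m.group("no_user")
    login_domain = user.rsplit("@", 1)[1].lower() if "@" in user else ""
    kind = "unknown_user" if login_domain == mail_domain.lower() else "wrong_domain"
    return (kind, user, m.group("ip"))

def summarize(log_text, mail_domain):
    """Count events per kind and per (kind, user, ip): one user failing from several IPs
    right after a migration points at configuration; many users from one IP points at an attack."""
    by_kind, by_src = Counter(), Counter()
    for line in log_text.splitlines():
        event = classify(line, mail_domain)
        if event:
            by_kind[event[0]] += 1
            if event[1]:
                by_src[event] += 1
    return by_kind, by_src
```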

TorW
Here's how we did it, although this involves quite a bit of manual labour:

1. Create all the necessary AD users
2. Add them to KMS
3. Delete the internal user
4. When you're asked where to put the newly deleted user's mail folder, select the corresponding AD user.

You'll now have an Outlook folder called "Deleted items" in the AD user's Outlook. Just move them to their correct "real" folders, and off you go ...
TorW
jbrave wrote on Thu, 04 December 2008 21:07

does the username used for logging-in change after switching to an AD user?

is it something other than me@company.com?

Have you delegated all the necessary rights to the AD user which reads and writes from KMS to AD? If you don't give the LDAP user the necessary rights in AD, it can't read the password, just the other account details. Remember: you're effectively giving another computer the right to read someone's password, and that doesn't happen by default.

Make sure the ldap user has "Read Domain Password & Lockout Policies", and "Write Domain Password & Lockout Policies" rights.
Pavel Dobry (Kerio)
jbrave wrote on Thu, 04 December 2008 21:07

I used myself as a test subject. I was able to do exactly what you suggested, but now I can't log in from anywhere - Outlook, webmail, Mac Mail (IMAP) - all reject my password. My password has not changed.

I have searched the forums and the answers I found are not very helpful:

- My AD account is allowed to log in from anywhere
- there is a user account for the Kerio server in AD, part of Domain Admins
- Kerberos - I think this is working; otherwise, how could I get a user listing from the Domain Controller?

The active directory domain name is the same as the email domain:

company.com

Does the username used for logging in change after switching to an AD user?

Is it something other than me@company.com?

- Joel

Make sure that the Kerberos realm in the Domain settings is correct. Users are mapped via LDAP and authenticated via Kerberos, so it is possible that users are correctly mapped to the email domain but can't log in because of a wrong Kerberos configuration.
siter
I have run into this issue - I am attempting to find a way to migrate users from local accounts to AD-linked accounts.
I ran some test scenarios - and take Kerio's word: do NOT copy/paste mail store files at the file level. It will take longer to resolve the errors than it's worth. Also, dumping the deleted files to another account and then transferring them to the new folders is not very elegant, especially if there are many users.
Kerio should have a tool for this task.

Does anyone else have any experience with a 'better way' for this task?

So far I'm thinking this:

1) Email each user with the below noted password/login info change information, provide cell # for login support
2) Create new set of AD linked Accounts under false domain
3) Delete existing accounts and select to move messages to folders
4) Create a GP welcome message instructing users that their password is 'Password123' followed by the last 4 characters of their surname.
5) Reset AD User passwords to the above criteria.
6) Login as each AD User and migrate their emails, contacts, calendars
7) Set Password as above criteria again, this time selecting to Prompt user to change password on next login and setting a 3 day expiration/disabling.
8) Delete primary domain, enable the new domain as primary domain and rename

If I've missed a step, please fill in the blanks. Looks like we as users will have to mitigate this 'drop of the ball' by Kerio. Ahem.
This is not easy administration.

[Updated on: Wed, 01 July 2009 17:54]

jamesf
It turns out this is very easy.

1. Open Kerio's Admin Console.

2. Highlight the account to be changed.

3. Click Status and select "User Statistics".
* I copied the Disk Space and Item Count info.

4. Click Close.

5. Click Remove.
* Make sure "Do not delete user's mailbox" is selected.

6. Click Apply.

7. Click Add and select "Activate user in directory service".

8. Click the checkbox of the user account from the "Active Users in Directory Service" window.

9. Click OK.

10. Click Apply.

The "Data Source" will now read LDAP instead of Internal.

After doing this I checked the "User Statistics" then logged into the user account and all the messages were there.

That's all there was to it.
