Move from Exchange 2k3 to Kerio AD enabled domain
  •  
reverent

Background:

We run Exchange 2003 and only use Outlook Web Access, no other mail client is allowed or used.

On Kerio we have an email domain, let's call it web.com, that uses Kerberos to authenticate to our AD domain web.local. This works very well. I can add a user right out of AD. Very slick.

Now we want to move our users from Exchange to Kerio using the Exchange migration tool. When I run it, a new domain, web.local, is created and all of the users are imported under that domain instead of the web.com domain. If I look at the imported users, they are all set up as local database and thus don't use Kerberos/AD to authenticate.

Is there a way to either import the mailboxes into the web.com domain that is set up with Kerberos without creating a separate web.local domain that uses a local user database?

If there isn't, is there a reasonably painless way to get 125 users' email into the AD imported Kerio users? I suppose I could export as PST using EXMERGE but is there a way to import to Kerio without using Outlook?

tl;dr: Looking for a way to move users from Exchange 2003 to an AD enabled domain on Kerio instead of the default local domain it creates when I run the Exchange migration tool.
  •  
reverent

As a test I imported my user from AD into the web.com domain, then I ran the Exchange migration tool which, as I said in my previous post, created the user in the web.local domain as a local database user. I then went into the web.local store directory and copied all the files out and overwrote the files in the web.com user's folder and then reindexed, and everything went better than expected as that seemed to get me the result I wanted.

However, is this the "supported" or recommended way of doing it? Copying and replacing the folders and files seems pretty clunky but I will take clunky over trying some strange PST Outlook import process. Any thoughts on this would be helpful as I don't want to migrate all my users this way only to find out I screwed the pooch.
  •  
Charles B

I don't know how much value my thoughts may be because I don't have a direct analog of what you are trying to do. When I migrated to Kerio, I migrated all the accounts into a local migration domain (sounds like web.local in your case). Then, when everyone's account was migrated, I renamed the migration domain to the actual domain I wanted, and configured it to use AD authentication.

You might try experimenting with imapsync--it seems to have a lot more configuration options. I couldn't get Kerio's import tool to do what I wanted immediately, so I used imapsync. I'm not saying Kerio's tool would not have been able to do it, but I was already familiar with imapsync and when Kerio's tool didn't do what I wanted immediately, I didn't spend much time trying to figure it out.

Further thoughts: Watch out for issues with your user passwords!
While both Kerio and AD support complex passwords separately, there are a couple bugs in Kerio's connection to AD that can bite you when used together.

First, get rid of complex passwords before you migrate. After converting from test to production, several of my users couldn't log into their email. According to the Kerio logs it was due to invalid password, even though the password was correct. Local accounts could still log in, but Kerio Connect would not authenticate some of the accounts imported from, and authenticating with, Active Directory. All of the affected accounts used passwords containing extended characters. Prior to going live on Kerio Connect, I verified that all of our email clients could indeed log in to Kerio Connect. It was only after switching from local authentication to Active Directory that the issue showed up. Kerio support basically said 'yes, that's true', but had no fix. The only solution was to change the affected account passwords to something simpler.

Second, Kerio's client interface will let you change your password to something complex, that it then will not let you use. And since you can't log back into webmail with your new password due to the previously described bug, you are not able to change it to something that Kerio will accept.

Mid 2015: Quit Kerio and moved to Exchange 2013 and Meraki.
Kerio Control 8.4.0--Used since it was WinRoute, many years ago
Kerio Connect 8.4.0 on Ubuntu. Bought Connect just in time for the switch to NO SUPPORT(aka pay for support). Not. Happy.
  •  
reverent

Thanks Charles.

Support suggested the domain rename strategy you describe but also said the copy/paste of the folders as I tested in my 2nd post would also work. At this point in time I am not sure which way we are going to go.

I tested another user today and they popped in the correct email domain but they weren't Kerberos authenticated. It isn't difficult to go in and change the internal database to Kerberos but the icons aren't the same as a directory mapped user and they don't show up in the schema on the DC. No big deal really but I just don't like things that look different.

We will not have any local users except the admin so I hope I don't have your issues.

Thanks for the tips!
  •  
Charles B

reverent wrote on Mon, 01 October 2012 19:00
Thanks Charles. We will not have any local users except the admin so I hope I don't have your issues.


The password issues aren't due to local users, but rather due to something broken in the Kerio code that talks to Active Directory. If your AD users have complex passwords, you'll most likely have the same issues when you switch to Kerio. And it is a Kerio bug--the same users/passwords worked fine in Zimbra, which was the other solution we evaluated.
