Why is the two-way trust relationship required for Exchange Migrator? (NETIQKB3682)

  • 7703682
  • 02-Feb-2007
  • 15-Jan-2008


Why is the two-way trust relationship required for Exchange Migrator?

Exchange Migrator 1.X

Exchange Migrator 2.X

NetIQ Quality Engineering only performs testing with Two-Way trust relationships between the source and target domains. Therefore, the two-way trust relationship scenario is the only supported scenario.


A one-way trust is needed to set up permissions for the migration since this is done prior to adding a user from one domain to the Administrators Local Group of the other domain. Pass-through authentication (a.k.a 'Shadow Account'), where the source and target domains have an administrative account with the same username and password, does not work with Windows 2000 and is not a supported scenario.

Functionality that would be lost as a result of not setting up the two-way trust relationship would include at least the following. This is not a complete list because complete testing has not been done in the one-way trust relationship scenario.

  • Unable to specify alternate credentials since DAPI does not allow you to pass a name and password unless a two-way trust is in place and functioning
  • Unable to associate the Microsoft NT 4 account with the E2K mailbox; this only applies for an Exchange 5.5 to Exchange 2000 migration
  • The ability to "Merge" accounts based on Sid History is lost

Additional Information

Formerly known as NETIQKB3682