We had a multi-forest environment with Server 2008 R2 domain controllers and Exchange 2013 CU2 installed, and were trying to migrate mailboxes between the two forests' Exchange installations with the New-MoveRequest cmdlet.

New-MoveRequest -Identity "james@contoso.com" -Remote -TargetDatabase "Tailspin Mailbox Database" -RemoteGlobalCatalog "GC.Tailspin.com" -RemoteCredential $Rcred -TargetDeliveryDomain "Tailspin.org" -RemoteHostName server.tailspin.com -Verbose

However, the cross-forest mailbox move kept failing with the following error:

New-MoveRequest : The call to 'https://server.tailspin.com/EWS/mrsproxy.svc' failed. Error
details: Could not establish trust relationship for the SSL/TLS secure channel with authority 'server.tailspin.com'.
--> The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. -->
The remote certificate is invalid according to the validation procedure.. --> Could not establish trust relationship
for the SSL/TLS secure channel with authority 'server.tailspin.com'. --> The underlying connection was closed: Could
not establish trust relationship for the SSL/TLS secure channel. --> The remote certificate is invalid according to the
 validation procedure.
VERBOSE: [22:04:46.229 GMT] New-MoveRequest : Admin Audit Log: Entered Handler:OnComplete.
The call to 'https://server.tailspin.com/EWS/mrsproxy.svc' failed. Error details: Could not establish trust
relationship for the SSL/TLS secure channel with authority 'server.tailspin.com'. --> The underlying connection was
closed: Could not establish trust relationship for the SSL/TLS secure channel. --> The remote certificate is invalid
according to the validation procedure..
    + CategoryInfo          : NotSpecified: (:) [New-MoveRequest], RemoteTransientException
    + FullyQualifiedErrorId : [Server=Server,RequestId=7263ad31-0002-494b-ba61-e5e53fc77293,TimeStamp=2/27/2014 9
   :47:46 PM] 63B92A35,Microsoft.Exchange.Management.RecipientTasks.NewMoveRequest
    + PSComputerName        : cmhpmexw001.netsmartpaas.lan

VERBOSE: [21:47:46.229 GMT] New-MoveRequest : Ending processing New-MoveRequest

After extensive research and troubleshooting, we found that the reason for this issue was a failure to download the Certificate Revocation Lists (CRLs) from the CRL distribution point, which points to a file share, on the certificate presented by the source-forest Client Access Server.

Had we used an external third-party certificate, such as one from GoDaddy or VeriSign, such issues could have been avoided.

However, if you want to use an internal certificate authority, make sure that your CRL distribution points are reachable from the source and target Exchange servers involved, as well as from the domain controllers. Also make sure that the certificate authority's root certificate is added to the Trusted Root store of the servers involved, so that they can trust the certificate authority.
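
One way to confirm both conditions from the target Exchange server, as an added example that is not part of the original post: it fetches the certificate presented by the remote CAS, prints its CRL distribution points, and builds the chain with online revocation checking. The host name is the one from the command above; the variable names are illustrative.

```powershell
# Added diagnostic example. Run on the target-forest Exchange server.
# $RemoteHost is the source-forest CAS from the New-MoveRequest command.
$RemoteHost = 'server.tailspin.com'
$Port = 443

# Open a TLS connection only to capture the server certificate.
# Validation is bypassed here so an untrusted certificate can still be
# inspected; nothing else is sent over this connection.
$tcp = New-Object System.Net.Sockets.TcpClient($RemoteHost, $Port)
try {
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($RemoteHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}

"Subject: $($cert.Subject)"
"Issuer : $($cert.Issuer)"

# Print the CRL Distribution Points extension (OID 2.5.29.31). Every URL
# listed here must be reachable from this server.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if ($cdp) { $cdp.Format($true) } else { 'No CRL Distribution Points extension found.' }

# Build the chain the way a strict client would: online revocation
# checking for every certificate in the chain.
$x509 = 'System.Security.Cryptography.X509Certificates'
$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode = [Enum]::Parse([Type]"$x509.X509RevocationMode", 'Online')
$chain.ChainPolicy.RevocationFlag = [Enum]::Parse([Type]"$x509.X509RevocationFlag", 'EntireChain')
$valid = $chain.Build($cert)
"Chain valid: $valid"

# RevocationStatusUnknown / OfflineRevocation means a CRL could not be
# downloaded; UntrustedRoot means the CA root is missing from the
# Trusted Root store on this server.
foreach ($status in $chain.ChainStatus) {
    '{0}: {1}' -f $status.Status, $status.StatusInformation.Trim()
}
```

The check runs as the logged-on user, so a file-share CRL distribution point that you can read may still be unreachable for the account the Exchange services run under. Exporting the certificate to a file and running `certutil -verify -urlfetch` against it shows the retrieval result for each distribution point URL.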

More Information

For cross forest mailbox moves via the MRSProxy service, the source and target servers use certificates to encrypt the HTTPS traffic. The CAS Servers in the source and target forests must have installed a valid certificate that has been issued by a trusted certificate authority recognized by the server in the other forest.

Exchange 2010 Cross-Forest Mailbox Moves

http://blogs.technet.com/b/schadinio/archive/2010/08/11/exchange-2010-cross-forest-mailbox-moves.aspx

Configuring Certificate Revocation

http://technet.microsoft.com/en-us/library/cc771079.aspx

Hope this article helps you. For more paid support options, check our support plans here
