Unable to migrate Cross Forest Exchange 2013 to Exchange 2013

I am unable to migrate mailboxes from an on prem (same physical virtual host) to an on prem (same physical virtual host) cross forest. 

MRSProxy is enabled on both the target and the source, and a migration endpoint is enabled on the source. I can successfully prepare-moverequest on the target, but when I perform

[PS] D:\Exchange\Scripts>New-MoveRequest -Identity migrate1@domain.com -Remote -TargetDatabase "DomainCorp" -RemoteGlobalCatalog ads-ad-01.domain.local -RemoteCredential $RemoteCredentials -TargetDeliveryDomain "domaincorp.local" -RemoteHostName ads-exch-01domain.local
The call to 'https://ads-exch-01.domain.local/EWS/mrsproxy.svc' failed. Error details: Could not establish trust
relationship for the SSL/TLS secure channel with authority 'ads-exch-01.domain.local'. --> The underlying connection
was closed: Could not establish trust relationship for the SSL/TLS secure channel. --> The remote certificate is
invalid according to the validation procedure..
    + CategoryInfo          : NotSpecified: (:) [New-MoveRequest], RemoteTransientException
    + FullyQualifiedErrorId : [Server=ADS-EXCHCORP-01,RequestId=3f49d075-8110-48fd-8157-9b4d87921252,TimeStamp=5/1/201
   5 4:00:11 PM] [FailureCategory=Cmdlet-RemoteTransientException] EA6D7B2B,Microsoft.Exchange.Management.RecipientTa
  sks.NewMoveRequest
    + PSComputerName        : ads-exchcorp-01.domaincorp.local

If I change remote hostname to exch.domain.com I get a different error message. 

[PS] D:\Exchange\Scripts>New-MoveRequest -Identity migrate1@domain.com -Remote -TargetDatabase "domainCorp" -RemoteGlobalCatalog ads-ad-01.domain.local -RemoteCredential $RemoteCredentials -TargetDeliveryDomain "domaincorp.local" -RemoteHostName exch.domain.com
The call to 'https://exch.domain.com/EWS/mrsproxy.svc' timed out. Error details: The request channel timed out
attempting to send after 00:00:07.9643241. Increase the timeout value passed to the call to Request or increase the
SendTimeout value on the Binding. The time allotted to this operation may have been a portion of a longer timeout. -->
The HTTP request to 'https://exch.domain.com/EWS/mrsproxy.svc' has exceeded the allotted timeout of
00:00:07.9640000. The time allotted to this operation may have been a portion of a longer timeout. --> The operation
has timed out
    + CategoryInfo          : NotSpecified: (:) [New-MoveRequest], RemoteTransientException
    + FullyQualifiedErrorId : [Server=ADS-EXCHCORP-01,RequestId=f5807f2d-c8d5-4fb3-86b3-a831cae92626,TimeStamp=5/1/201
   5 4:01:10 PM] [FailureCategory=Cmdlet-RemoteTransientException] F2700578,Microsoft.Exchange.Management.RecipientTa
  sks.NewMoveRequest
    + PSComputerName        : ads-exchcorp-01.domaincorp.local  

I feel like I have been hitting my head on the desk for about a week now. 

We also should note that we exported the wildcard cert from the source server and imported it into the target server.

May 1st, 2015 12:42pm

Hello

If you open the imported wildcard cert from MMC on the source computer, does it show the cert is OK? Is it not missing the root cert?

May 1st, 2015 2:10pm

Hi,

From your description, the issue should be related to the certificate. I would like to clarify the following things for troubleshooting:

1. Export source and target certificates for CAS EWS service (IIS).
2. Export source and target CA root certificate.
3. Import source certificate and source CA root certificate on the target CAS.
4. Import target certificate and target CA root certificate on the source CAS.

Hope this can be helpful to you.

Best regards,

May 4th, 2015 2:11am

This is the same wildcard cert from my source server that was imported into the target server. It does have the root CA when I manually look at the cert. 
May 4th, 2015 12:09pm

Thank you for getting back to me... 

This is the same wildcard cert *.domain.com that is on the source server. It was exported to a pfx and imported on the target server. It's a valid cert as far as I can tell. Everything looks good on it, yet when I browse to https://hostname.domain.local it still throws an invalid SSL cert. hostname.domain.com is only accessible to the public (internet) on the source server so that could also have something to do with it.

May 4th, 2015 12:10pm

I have exported from the source server and imported into the target server. Certs look good from what I can tell.
May 4th, 2015 4:42pm

Hi RyanMGravess,

Do you have a valid certificate for the other domain, domaincorp.local (ads-exchcorp-01.domaincorp.local)?

As you said it's cross forest, that would mean there are 2 domains involved, and that would require you to have at least 2 certificates.

May 5th, 2015 1:32am

Hi Ryan,

After going through your query, it may not be a big issue. I would like to recommend that you go through the step-by-step migration once again. You can follow this informative article that provides a detailed process for migrating mailboxes: https://technet.microsoft.com/en-us/library/ee633491(v=exchg.150).aspx

Also, to get rid of such manual actions and to do a hassle-free migration, I would recommend you use an automated tool which helps you do an Exchange to Exchange migration in a single go. Follow the link ahead: Exchange Migrator.

In addition here is the guide link to import a Wildcard SSL Certificate in Exchange 2013.

Hopefully my suggestions will help you do your task easily.

May 5th, 2015 1:57am

Yes. It's a wildcard cert for domain.com, the source domain is domain.local and the target domain is domaincorp.local, but will still use domain.com as the valid email address. The cert was exported off the source server domain.local and imported into the target server domaincorp.local
May 5th, 2015 12:16pm

Hi Ryan,

Are you able to access this site without warning from both locations?

Open websites with no certificate prompt: 

On the target side https://SOURCECAS/EWS/mrsproxy.svc
On the source side https://TARGETCAS/EWS/mrsproxy.svc

And if you are getting warnings\prompts, let us know. Do you see the same certificate on both websites?

As both are two separate Exchange orgs, they would have their individual certificates (self-signed at least, automatically).

You have to export the cert from the source Exchange server and import it on the target Exchange server. And vice versa (import target certificate + target CA root certificate on the source CAS).

Also regarding the second error:

It appears the account was not prepared. You may try to run /prepare-moverequest.ps1 to create move request from target forest.

References:

Exchange 2013: Cross Forest/ORG Migration

http://blogs.technet.com/b/meamcs/archive/2011/06/10/exchange-2010-cross-forest-migration-step-by-step-guide-part-i.aspx

May 6th, 2015 2:31am
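
The browser check suggested in the post above (each side opening the other's /EWS/mrsproxy.svc without a certificate warning) can also be run from PowerShell. The script below is an added example, not part of the original thread: the function names are hypothetical, the host names are the ones quoted in the posts, and the SAN parsing assumes an English-language Windows.

```powershell
# Added example, not code from the thread. Function names are hypothetical.
function Test-CertNameMatch {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($name in $CertNames) {
        if ($name -ieq $HostName) { return $true }
        if ($name.StartsWith('*.')) {
            # A wildcard stands in for exactly one left-most label.
            $dot = $HostName.IndexOf('.')
            if ($dot -gt 0 -and $HostName.Substring($dot) -ieq $name.Substring(1)) { return $true }
        }
    }
    return $false
}

function Get-TlsValidationResult {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Diagnostic only: accept whatever is presented so it can be inspected; no data is sent.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        # Subject alternative names (OID 2.5.29.17); "DNS Name=" assumes an English Windows locale.
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $names = @()
        if ($san) {
            $names = [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                ForEach-Object { $_.Groups[1].Value }
        }
        if (-not $names) { $names = @($cert.GetNameInfo('DnsName', $false)) }
        # Build the chain against this machine's trust stores, as the MRS client would.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)
        [pscustomobject]@{
            Host = $HostName; Subject = $cert.Subject; NotAfter = $cert.NotAfter
            Names = $names; NameMatches = (Test-CertNameMatch $HostName $names)
            ChainTrusted = $chainOk
            ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
    } finally { $tcp.Close() }
}

# Offline check with constructed input: the wildcard described in the thread.
Test-CertNameMatch 'exch.domain.com' @('*.domain.com')
Test-CertNameMatch 'ads-exch-01.domain.local' @('*.domain.com')
# Live check, run on the target CAS against the source CAS (and the reverse):
# Get-TlsValidationResult 'ads-exch-01.domain.local'
```

NameMatches and ChainTrusted are reported separately, so a certificate that chains to a trusted root but does not cover the host name used in -RemoteHostName is distinguishable from one with a missing root.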

This topic is archived. No further replies will be accepted.
