Mailbox Move Failure on Exchange 2010

You’ve attempted to move mailboxes to your new Exchange 2010 server and you receive the following error:
Active Directory operation failed on dc1.domain.name. This error is not retriable. Additional information: Insufficient access rights to perform the operation. Active directory response: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 The user has insufficient access rights. Exchange Management Shell command attempted: ‘dc1.domain.name/users/test user’ | New-MoveRequest -TargetDatabase ‘Mailbox Database 1’

Subsequent attempts to move the mailbox result in the following error:
The queue in ‘Mailbox Database 1’ database already contains a move request for ‘Test User’, while AD reports the mailbox as not being moved. It is possible that someone created this move request recently, while targeting a different domain controller and AD replication did not yet occur. You can examine this move request by running ‘Get-MoveRequestStatistics –MoveRequestQueue ‘Mailbox Database 1’ –MailboxGuid 123456 –IncludeReport | fl’. If you believe this to be an abandoned move request, you can remove it by running ‘Remove-MoveRequest –MoveRequestQueue ‘Mailbox Database –MailboxGuid 123456’.

The initial problem is due to permissions being removed from the user’s Active Directory account. Open “Active Directory Users and Computers”. Select “Advanced Features” under “View” at the top:

Locate the user’s Active Directory account, right-click it, select “Properties”, select the “Security” tab, and click the “Advanced” button to display the screen below. Check the “Include inheritable permissions from this object’s parent” check box and click “OK”:

At this point the initial issue is resolved, but the move request still exists even though it cannot be seen in the GUI. Open “Exchange Management Shell” on the Exchange 2010 server. Using the user’s GUID and Mailbox Database information from the second attempt at moving the mailbox, run the following PowerShell commands. Run this command to verify there is a move status on the account in question:

Run this command to forcibly remove the move status:

Trying to move the mailbox after adding the above permissions and removing the prior move status should now allow you to successfully move the mailbox or mailboxes that previously failed.
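The steps above as one Exchange Management Shell script, added here as an example and not the post's original commands or script: it reports accounts with inheritance disabled, re-enables it as a dry run, then checks and removes the orphaned move request with the two commands quoted in the second error message. It assumes the ActiveDirectory module is available; `$SearchBase`, the GUID placeholder and the two function names are assumptions.

```powershell
# Added example, not the post's original commands or script.
# Assumes the Exchange Management Shell plus the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$Database    = 'Mailbox Database 1'      # queue named in the second error
$MailboxGuid = '<MailboxGuid>'           # placeholder: GUID from the second error
$SearchBase  = 'DC=domain,DC=name'       # assumed DN for the post's domain.name

# Report user accounts whose ACL no longer inherits from the parent container.
function Get-NonInheritingUser {
    param([string]$Base)
    Get-ADUser -SearchBase $Base -Filter * -Properties adminCount | ForEach-Object {
        $acl = Get-Acl -Path ('AD:\' + $_.DistinguishedName)
        if ($acl.AreAccessRulesProtected) {
            New-Object PSObject -Property @{
                SamAccountName    = $_.SamAccountName
                DistinguishedName = $_.DistinguishedName
                # adminCount = 1: protected by AdminSDHolder, left alone below
                AdminSDHolder     = ($_.adminCount -eq 1)
            }
        }
    }
}

# Scripted form of ticking "Include inheritable permissions from this object's parent".
function Enable-AclInheritance {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$DistinguishedName)
    $path = 'AD:\' + $DistinguishedName
    $acl  = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($false, $true)   # $false = inherit from parent again
    Set-Acl -Path $path -AclObject $acl           # honours -WhatIf given to this function
}

$report = @(Get-NonInheritingUser -Base $SearchBase)
$report | Format-Table SamAccountName, AdminSDHolder, DistinguishedName -AutoSize

# Dry run first; drop -WhatIf once the list has been reviewed.
$report | Where-Object { -not $_.AdminSDHolder } |
    ForEach-Object { Enable-AclInheritance -DistinguishedName $_.DistinguishedName -WhatIf }

# Confirm the orphaned request is still queued, then remove it.
Get-MoveRequestStatistics -MoveRequestQueue $Database -MailboxGuid $MailboxGuid -IncludeReport |
    Format-List
Remove-MoveRequest -MoveRequestQueue $Database -MailboxGuid $MailboxGuid
```

Accounts with `adminCount` set to 1 are protected by AdminSDHolder: inheritance is disabled on them deliberately and the periodic SDProp task disables it again, so the script lists them without changing their ACL.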

µ

9 Comments

  1. Colin Tyrrell

    Thank you so much; I had problems on the largest mailbox and also on the boss’s mailbox. Typical!
    Excellent article.

  2. RotahautCatty

    Hi, very interesting post, greetings from Greece!

  3. Raveesh

    Thanks Mike for posting this. This has really helped me to move the mailboxes from Exchange 2003 to Exchange 2010.

    In general I have around 500 users and doing this manually for each user is not possible. Is there any way to get this done for all the users in different organizational units?

    I know it’s too late to be posting here, but I’m hoping that you may have got the solution and are reading the comments.

    Thanks,

    • µ

      I’m sure you can set it with a script, although I haven’t done that before. One thing I did on my last migration was to run a VBScript to identify the users who had the issue. Luckily it was only about two out of around fifty, so no big deal to fix manually. Here’s the script I used to identify the user accounts that had the issues. Setting it to run at the domain level context will search all sub-OUs.

      I’m definitely interested in figuring out how to automate this solution so if you figure it out before I do, please share the information.

      µ

      • Raveesh

        I am getting error on line 13.

        C:script.vbs(13, 1) Provider: One or more errors occurred during processing of
        command.

        • µ

          Give it another shot. Some of the formatting was lost when posting the script on WordPress. I’ve used a different method for posting the script.

          µ

  4. Lars Rasmussen

    Checking the “Include inheritable permissions from this object’s parent” check box and clicking “OK” worked for me. I was able to remove 3 move requests that were stuck as ‘Queued’.

    Thank you for the post!

  5. Austin

    Thank you, sir!

  6. Gurvinder Bharya

    Can I do this to an Administrator account?
