Checking full access permission on mailbox

Hi all,

I'm currently doing a migration from Notes to Exchange Online.

I did one this morning and all went OK, however trying a migration now for 7 mailboxes and the bit right at the beginning where it says "Checking full access permission on mailbox" has been sitting there for 20 mins now where as it usually takes 2 seconds per mailbox. 

Checking the Microsoft 365 admin centre Service Health shows an issue:

"A very limited number of users may intermittently be unable to access Exchange Online via any connection method" which started on August 26th !

Any ideas whats going on?

Thanks

Parents
  • Hello Raj,

    Thanks for posting to the Migrator for Notes to Exchange (MNE) forum. I understand you are experiencing an issue with your Notes to Office 365 migration where the migration is sitting and checking for "Full Access" rights. MNE does require Full Access rights when migrating to Office 365. At the beginning of the migration process, MNE checks to see if it already has Full Access rights to all target mailboxes. If it does, then it starts the migration typically in less than three minutes. If MNE does not have Full Access rights already, then MNE grants itself Full Access rights, but then must wait for them to take effect, which could be up to 45 minutes.

    If you are already pre-provisioning the target Office 365 mailboxes outside of MNE, then you can run the MNE "Add-MNEMailboxAdminPermission" PowerShell cmdlet at least 45 minutes prior to starting the migration to ensure that the Full Access permissions already in place. The following section of the MNE Administrator Guide provides additional details about the MNE PowerShell cmdlets:

    support.quest.com/.../57

    Of course any Office 365 Service Health related issues can also impact the migration process. For more information on whether or not this specific Office 365 Service Health Advisory is effecting your users, you may want to reach out to Microsoft directly.

    Please let me know if you have any additional questions or need any additional clarification.

    Regards,

    Trevor Taegder
    Senior Technical Support Engineer
    Quest | Support

  • Hi Trevor,

    Thanks for you very detailed answer.

    I usually apply permissions to our service account via the command:

    Add-MailboxPermission -User Domino.Migration_SVC -AccessRights FullAccess -InheritanceType All -AutoMapping $false

    and this usually does the trick though Microsoft propagation sometimes takes a few hours to replicate it around.  Does that command so the same thing as the Add-MNEMailboxAdminPermission command?

    I'm currently struggling with a mailbox that even 9 hours later is still coming back with permissions problems but I have opened a service ticket for that.

    Thanks

    Raj

     

  • Hi Trevor,

    When I run the command add-MNEMailboxAdminPermission "emea_mig_5b", I get the following error: (I have removed the personal details):

    PS C:\Windows\system32> add-MNEMailboxAdminPermission "emea_mig_5b"
    add-MNEMailboxAdminPermission : Failed to check admin permission 'Notes Migrator Admins Role Group' to mailbox
    'xxx.xxx@xxx.com': Error: Error on proxy command 'Get-MailboxPermission -User:'Notes Migrator Admins Role Group'
    -Identity:'CN=xxxx xxxxx,OU=xxxxxUS.onmicrosoft.com,OU=Microsoft Exchange Hosted
    Organizations,DC=NAMPR02A900,DC=PROD,DC=OUTLOOK,DC=COM'' to server DB6P189MB0376.EURP189.PROD.OUTLOOK.COM: Server version 15.20.3391.0000, Proxy
    method PSWS:
    Request return error with following error message:
    The remote server returned an error: (401) Unauthorized...
    .
    At line:1 char:1
    + add-MNEMailboxAdminPermission "emea_mig_5b"
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (Notes Migrator ...unting-intl.com:String) [Add-MNEMailboxAdminPermission], ApplicationException
    + FullyQualifiedErrorId : UnableToCheckFullAccessPermission,QuestSoftware.NME.PSModule.Utils.AddMailboxAdminPermissionCmdlet


    AdminUserOrRoleGroup : Notes Migrator Admins Role Group
    Action : Grant
    AccessRights : FullAccess
    Mailboxes : {}
    MailboxesSkipped : {xxxx@domain.com}

    Any idea whats going wrong? I am running this from the Quest server and its worked OK in the past.

    Thanks

    Raj

  • Another thing Trevor, what is it doing when it says "Verifying Exchange account for" ?

    this step used to take 2 seconds  per mailbox but is now taking three mins and then coming back with an error in the log:

    14:46:12 ERROR: [1288-53-14-00000000]'test-mapiconnectivity' cmdlet failed; this can occur if a recently created mailbox has not finished propagating.

    However I created the mailbox and applied the permissions 36 hours ago. I just can't get passed this step and the migration fails every time when Quest is trying to apply permissions with the add-MNEMailboxAdminPermission command.

    Thanks

    Raj

     

  • Can anyone here help?

    The command Add-MNEMailboxAdminPermission -CollectionName "collectionname" fails every time with:

    Add-MNEMailboxAdminPermission : Failed to check admin permission 'Notes Migrator Admins Role Group' to mailbox
    'Quest.user@domaincom': Error: Error on proxy command 'Get-MailboxPermission -User:'Notes Migrator Admins
    Role Group' -Identity:'CN=user,OU=domain,OU=Microsoft Exchange Hosted
    Organizations,DC=NAMPR02A900,DC=PROD,DC=OUTLOOK,DC=COM'' to server SG2PR01MB2870.apcprd01.prod.exchangelabs.com:
    Server version 15.20.3391.0000, Proxy method PSWS:
    Request return error with following error message:
    The remote server returned an error: (401) Unauthorized...
    .
    At line:1 char:1
    + Add-MNEMailboxAdminPermission -CollectionName "collectionname"
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (Notes Migrator ...unting-intl.com:String) [Add-MNEMailboxAdminPermission]
    , ApplicationException
    + FullyQualifiedErrorId : UnableToCheckFullAccessPermission,QuestSoftware.NME.PSModule.Utils.AddMailboxAdminPermis
    sionCmdlet

    As a result I cannot perform any migrations at all - this is happening on both Quest servers from last Thursday.

    Raj

  • Hi Raj,

    To help investigate this error you are seeing could you please create a Service Request so that one of our engineers can assist you, you can create an Service Request here https://support.quest.com/create-service-request

    Thanks

    Darin MacKenzie

  • Hi Darin,

    I have an open service req - #4769147.

    Wayne and I were on a Webex for over three hours on Friday but no joy I'm afraid.

    Raj

  • so the issue is EXO and not the Quest servers. 
    The 'Get-MailboxPermission cmdlet failed with a 401 error. This means the calling account is "Unauthorized" to preform this task. If the account being used is a Global Admin, that means this is an MS issue, and you need to open a support case with MS. I would advise you remove "Quest" from the conversation and focus on the that 'Get-MailboxPermission cmdlet is failing with a 401 error. 

  • Hi Jeff,

    The Get-MailboxPermission cmdlet is not failing, it works perfectly fine when run against the mailbox. 

    whats fails is the Add-MNEMailboxAdminPermission command which is a Quest proprietary command.

    I am also using the same Global Admin account on all three Quest servers and the command fails on two.

  • Hi Raj,

    On the two MNE servers that are not working, can you open File Explorer, navigate to %temp% and delete the file called "MNETokenCache.dat", then try running the Add-MNEMailboxAdminPermission again. 

    Regards, 

    Trevor

Reply Children
  • Hi Trevor, that file doesn't exist in my %temp% folder ?

  • Hi Raj,

    Can you navigate to one of the MNE migration servers that is not working. Try going to the Exchange Server settings screen. Make a slight change to the Exchange Administrator username, such as clicking backspace to remove a character, then add it back. Now click on the Office 365 User domain drop-down list. 

    Were you able to get the list of domains?

    If yes, then try running the Add-MNEMailboxAdminPermission cmdlet from this MNE migration server again.

    If these steps do not resolve the issue, then we will need to investigate further via the Service Request you have for this issue.

    Regards,

    Trevor

  • Hi Trevor, I removed the character and added it back but still got the list of domains.

    Same error when running the command I'm afraid to say.

    Raj

  • so the issue is EXO and not the Quest servers. 
    The 'Get-MailboxPermission cmdlet failed with a 401 error. This means the calling account is "Unauthorized" to preform this task. If the account being used is a Global Admin, that means this is an MS issue, and you need to open a support case with MS. I would advise you remove "Quest" from the conversation and focus on the that 'Get-MailboxPermission cmdlet is failing with a 401 error. 

  • Hi Trevor, I tried an uninstall, delete the C:\Program Files (x86)\Quest, delete the contents of %temp% and re-install, but Quest starts up with all the old details, how can I completely wipe it from the system to perform a clean install again?

    Thanks

    Raj

  • Again, this is NOT a Quest Migrator for Notes to Exchange issue. 

  • OK so tell me why it works on one Quest server but not the other two?

  • The issue is authentication and authorization in EXO.  Add-MNEMailboxAdminPermission command which is a Quest proprietary command is really just a wrapper for native EXO cmdlets. Think of it as a function in a script. Your error is the key.
    Error: Error on proxy command 'Get-MailboxPermission -User:'Notes Migrator Admins
    Role Group' -Identity:'CN=user,OU=domain,OU=Microsoft Exchange Hosted
    Organizations,DC=NAMPR02A900,DC=PROD,DC=OUTLOOK,DC=COM'' to server SG2PR01MB2870.apcprd01.prod.exchangelabs.com:
    Server version 15.20.3391.0000, Proxy method PSWS:
    Request return error with following error message:
    The remote server returned an error: (401) Unauthorized..

    How you executed the connection to EXO is most likely different as we are using Modern Authentication, I suspect you are using basic auth. This why Trevor pointed to this test. "On the two MNE servers that are not working, can you open File Explorer, navigate to %temp% and delete the file called "MNETokenCache.dat", then try running the Add-MNEMailboxAdminPermission again. . This would have removed the cached token and forced it to be recreated.  

    The configuration for the consoles are stored in the SQL DB. So you can't really get ride of those as they are shared between all consoles. I would recommend you reconnect with Quest support using your #4769147. Clearly the token is not getting cached on two of your three servers. 

  • ok, good explanation. Thanks. I'll see if Quest support can help.