Checking full access permission on mailbox

Hi all,

I'm currently doing a migration from Notes to Exchange Online.

I did one this morning and all went OK, however trying a migration now for 7 mailboxes and the bit right at the beginning where it says "Checking full access permission on mailbox" has been sitting there for 20 mins now where as it usually takes 2 seconds per mailbox. 

Checking the Microsoft 365 admin centre Service Health shows an issue:

"A very limited number of users may intermittently be unable to access Exchange Online via any connection method" which started on August 26th !

Any ideas whats going on?

Thanks

Parents
  • Hello Raj,

    Thanks for posting to the Migrator for Notes to Exchange (MNE) forum. I understand you are experiencing an issue with your Notes to Office 365 migration where the migration is sitting and checking for "Full Access" rights. MNE does require Full Access rights when migrating to Office 365. At the beginning of the migration process, MNE checks to see if it already has Full Access rights to all target mailboxes. If it does, then it starts the migration typically in less than three minutes. If MNE does not have Full Access rights already, then MNE grants itself Full Access rights, but then must wait for them to take effect, which could be up to 45 minutes.

    If you are already pre-provisioning the target Office 365 mailboxes outside of MNE, then you can run the MNE "Add-MNEMailboxAdminPermission" PowerShell cmdlet at least 45 minutes prior to starting the migration to ensure that the Full Access permissions already in place. The following section of the MNE Administrator Guide provides additional details about the MNE PowerShell cmdlets:

    support.quest.com/.../57

    Of course any Office 365 Service Health related issues can also impact the migration process. For more information on whether or not this specific Office 365 Service Health Advisory is effecting your users, you may want to reach out to Microsoft directly.

    Please let me know if you have any additional questions or need any additional clarification.

    Regards,

    Trevor Taegder
    Senior Technical Support Engineer
    Quest | Support

  • Hi Trevor,

    Thanks for you very detailed answer.

    I usually apply permissions to our service account via the command:

    Add-MailboxPermission -User Domino.Migration_SVC -AccessRights FullAccess -InheritanceType All -AutoMapping $false

    and this usually does the trick though Microsoft propagation sometimes takes a few hours to replicate it around.  Does that command so the same thing as the Add-MNEMailboxAdminPermission command?

    I'm currently struggling with a mailbox that even 9 hours later is still coming back with permissions problems but I have opened a service ticket for that.

    Thanks

    Raj

     

  • so the issue is EXO and not the Quest servers. 
    The 'Get-MailboxPermission cmdlet failed with a 401 error. This means the calling account is "Unauthorized" to preform this task. If the account being used is a Global Admin, that means this is an MS issue, and you need to open a support case with MS. I would advise you remove "Quest" from the conversation and focus on the that 'Get-MailboxPermission cmdlet is failing with a 401 error. 

  • Hi Jeff,

    The Get-MailboxPermission cmdlet is not failing, it works perfectly fine when run against the mailbox. 

    whats fails is the Add-MNEMailboxAdminPermission command which is a Quest proprietary command.

    I am also using the same Global Admin account on all three Quest servers and the command fails on two.

  • Hi Raj,

    On the two MNE servers that are not working, can you open File Explorer, navigate to %temp% and delete the file called "MNETokenCache.dat", then try running the Add-MNEMailboxAdminPermission again. 

    Regards, 

    Trevor

  • Hi Trevor, that file doesn't exist in my %temp% folder ?

  • Hi Raj,

    Can you navigate to one of the MNE migration servers that is not working. Try going to the Exchange Server settings screen. Make a slight change to the Exchange Administrator username, such as clicking backspace to remove a character, then add it back. Now click on the Office 365 User domain drop-down list. 

    Were you able to get the list of domains?

    If yes, then try running the Add-MNEMailboxAdminPermission cmdlet from this MNE migration server again.

    If these steps do not resolve the issue, then we will need to investigate further via the Service Request you have for this issue.

    Regards,

    Trevor

  • Hi Trevor, I removed the character and added it back but still got the list of domains.

    Same error when running the command I'm afraid to say.

    Raj

  • so the issue is EXO and not the Quest servers. 
    The 'Get-MailboxPermission cmdlet failed with a 401 error. This means the calling account is "Unauthorized" to preform this task. If the account being used is a Global Admin, that means this is an MS issue, and you need to open a support case with MS. I would advise you remove "Quest" from the conversation and focus on the that 'Get-MailboxPermission cmdlet is failing with a 401 error. 

  • Hi Trevor, I tried an uninstall, delete the C:\Program Files (x86)\Quest, delete the contents of %temp% and re-install, but Quest starts up with all the old details, how can I completely wipe it from the system to perform a clean install again?

    Thanks

    Raj

  • Again, this is NOT a Quest Migrator for Notes to Exchange issue. 

  • OK so tell me why it works on one Quest server but not the other two?

Reply Children
  • The issue is authentication and authorization in EXO.  Add-MNEMailboxAdminPermission command which is a Quest proprietary command is really just a wrapper for native EXO cmdlets. Think of it as a function in a script. Your error is the key.
    Error: Error on proxy command 'Get-MailboxPermission -User:'Notes Migrator Admins
    Role Group' -Identity:'CN=user,OU=domain,OU=Microsoft Exchange Hosted
    Organizations,DC=NAMPR02A900,DC=PROD,DC=OUTLOOK,DC=COM'' to server SG2PR01MB2870.apcprd01.prod.exchangelabs.com:
    Server version 15.20.3391.0000, Proxy method PSWS:
    Request return error with following error message:
    The remote server returned an error: (401) Unauthorized..

    How you executed the connection to EXO is most likely different as we are using Modern Authentication, I suspect you are using basic auth. This why Trevor pointed to this test. "On the two MNE servers that are not working, can you open File Explorer, navigate to %temp% and delete the file called "MNETokenCache.dat", then try running the Add-MNEMailboxAdminPermission again. . This would have removed the cached token and forced it to be recreated.  

    The configuration for the consoles are stored in the SQL DB. So you can't really get ride of those as they are shared between all consoles. I would recommend you reconnect with Quest support using your #4769147. Clearly the token is not getting cached on two of your three servers. 

  • ok, good explanation. Thanks. I'll see if Quest support can help.