Can't switch mailbox

QMM 8.14

I'm in the testing phase of an Exchange 2013 to Ofiice 365 migration.

I've sync the mail and calendar items, but when I try to switch the mailbox I get the error below

The qmm_trg_ad in the log is an enterprise admin in the target, and a member of the administrators group in the source. It looks like it's having issue connecting to the ADLDS, but I'm not sure.

Here's the KB I found but again, it's a member of the proper groups

https://support.quest.com/migration-manager-for-exchange/kb/136979

...and here's the error:

2017-06-22 17:37:38.1098 Px2034 Tx1 A- C- M- Info ===== Begin executing command 'Switch'
2017-06-22 17:37:38.3158 Px2034 Tx1 A- C- M- Info AfterLoad
2017-06-22 17:37:40.0879 Px2034 Tx21 A- C- M- Info Switch mailbox Dell Test1
2017-06-22 17:37:40.0879 Px2034 Tx21 A- C- M- Info OnProgress:Switching mailbox...
2017-06-22 17:37:40.1039 Px2034 Tx21 A- C- M- Trace Exec SQL: GET_MAILBOX_PROCESSING_PROPERTY @MAILBOX_ID = '1', @SYNC_TYPES = '<ArrayOfInt><int>0</int></ArrayOfInt>', @PROP_NAME = 'UseFilteringInBackwardSync',
2017-06-22 17:37:40.1059 Px2034 Tx21 A- C- M- Trace Exec SQL: GET_COLLECTION_PROPERTIES @COLLECTION_ID = '21',
2017-06-22 17:37:40.1099 Px2034 Tx21 A- C- M- Trace Exec SQL: GET_COLLECTION_PROPERTIES @COLLECTION_ID = '21',
2017-06-22 17:37:40.1129 Px2034 Tx21 A- C- M- Info Filter body is empty
2017-06-22 17:37:40.1139 Px2034 Tx21 A- C- M- Trace Exec SQL: GET_MAILBOX_PROCESSING_PROPERTY @MAILBOX_ID = '1', @SYNC_TYPES = '<ArrayOfInt><int>0</int></ArrayOfInt>', @PROP_NAME = 'UPLOAD_ITEMS_LIMIT_O365',
2017-06-22 17:37:40.1149 Px2034 Tx21 A- C- M- Trace Exec SQL: GET_COLLECTION_PROPERTIES @COLLECTION_ID = '21',
2017-06-22 17:37:40.1189 Px2034 Tx21 A- C- M- Trace Exec SQL: GET_OPTIONS
2017-06-22 17:37:40.1199 Px2034 Tx21 A- C- M- Trace Exec SQL: GET_MAILBOX_PROCESSING_PROPERTY @MAILBOX_ID = '1', @SYNC_TYPES = '<ArrayOfInt><int>0</int></ArrayOfInt>', @PROP_NAME = 'SOURCE_CONNECTOR',
2017-06-22 17:37:40.1219 Px2034 Tx21 A- C- M- Trace Execute SQL: GET_MAILBOX @MAILBOX_ID = 1
2017-06-22 17:37:40.1229 Px2034 Tx21 A- C- M- Trace Execute SQL: GETADAMPROJECTPROP @PROJECT_TYPE = 2
2017-06-22 17:37:40.1229 Px2034 Tx21 A- C- M- Trace Adam connection props: Server- 'ITREGGSQMMAD01', Port - '389', Partition- 'CN=QMM-O365', Account - 'net\qmm_trg_ad'.
2017-06-22 17:37:48.2684 Px2034 Tx21 A- C- M- Error System.Runtime.InteropServices.COMException (0x80004005): The user has insufficient access rights. (00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
)
at DirectoryMigration.IDMObjectPair.Switch()
at Dell.MigrationManagerForExchange.Shared.Switching.O365SwitcherAndMatcher.Switch(Guid sourceGuid)
at Quest.MigrationManager.Exchange.O365ProvisioningWebService.O365ProvisioningProxy.<>c__DisplayClass2_0.<Switch>b__0()
at Quest.MigrationManager.Exchange.O365ProvisioningWebService.O365ProvisioningProxy.InvokeTryCatchAction(Action act) at Quest.MigrationManager.Exchange.O365UserProvisioning.O365UserProvisioning.CheckAndThrow(Func`1 exceptionFunc)
at Quest.MigrationManager.Exchange.O365UserProvisioning.O365UserProvisioning.Switch(Int32 mailboxId, Int32 collectionId, Boolean rollbackSwitchOnFail, ExchangeProtocol srcMbxProtoPreference)
2017-06-22 17:37:48.2704 Px2034 Tx21 A- C- M- Error Quest.MigrationManager.Exchange.O365UserProvisioning.SwitchException: Failed to Switch user. | at Quest.MigrationManager.Exchange.O365UserProvisioning.O365UserProvisioning.Switch(Int32 mailboxId, Int32 collectionId, Boolean rollbackSwitchOnFail, ExchangeProtocol srcMbxProtoPreference)
at Dell.MigrationManagerForExchange.API.O365DoSwitch.O365UserProvisioningSwitch(Int32 mailboxID, Int32 collectionID)
at Dell.MigrationManagerForExchange.API.O365DoSwitch.SwitchUnswitch(Boolean isSwitch, Int32 mailboxID, Int32 collectionID)
at Dell.MigrationManagerForExchange.API.O365DoSwitch.Switch(Int32 mailboxID, Int32 collectionID)
at Quest.MigrationManager.Exchange.COM.Commands.SwitchCommandHolder.DoO365Switch(Int32 mailboxID, Int32 collectionID)
at Quest.MigrationManager.Exchange.COM.Commands.SwitchCommandHolder.<ExecuteInternal>b__19_1(DoActionHandlerViewItem item, Object[] arg)
[inner] System.Runtime.InteropServices.COMException: The user has insufficient access rights. (00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
) | at DirectoryMigration.IDMObjectPair.Switch()
at Dell.MigrationManagerForExchange.Shared.Switching.O365SwitcherAndMatcher.Switch(Guid sourceGuid)
at Quest.MigrationManager.Exchange.O365ProvisioningWebService.O365ProvisioningProxy.<>c__DisplayClass2_0.<Switch>b__0()
at Quest.MigrationManager.Exchange.O365ProvisioningWebService.O365ProvisioningProxy.InvokeTryCatchAction(Action act) at Quest.MigrationManager.Exchange.O365UserProvisioning.O365UserProvisioning.CheckAndThrow(Func`1 exceptionFunc)
at Quest.MigrationManager.Exchange.O365UserProvisioning.O365UserProvisioning.Switch(Int32 mailboxId, Int32 collectionId, Boolean rollbackSwitchOnFail, ExchangeProtocol srcMbxProtoPreference)
2017-06-22 17:37:48.2704 Px2034 Tx21 A- C- M- Info OnComplete:Failed to Switch user. The user has insufficient access rights. (00002098: SecErr: DSID-03150E49, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
)
2017-06-22 17:38:48.6402 Px2034 Tx1 A- C- M- Info ===== End executing command 'Switch'

 

Thanks

  • HI Rick,

    I'm wondering if you are experiencing the issue that has been found with the product where if the o365 environment doesn't have a Public Folder, switching is failing.
    support.quest.com/.../229792

    Luke
  • In reply to Luke.Adams:

    They don't have PFs in Office365 so I suppose that's possible. Wondering if it may be soething with the ADLDS though. The Trace line above the Error reads:

    Trace Adam connection props: Server- 'ITREGGSQMMAD01', Port - '389', Partition- 'CN=QMM-O365', Account - 'net\qmm_trg_ad'
  • In reply to Luke.Adams:

    This was also a fresh install of 8.14 not an upgrade if that matters. I also do not see the errors mentioned in the KB in the log.
  • So couple of questions here:

    Does the 'net\qmm_trg_ad' have admin rights in AD LDS? How did you establish the administrative permissions for the AD LDS instance - i.e. did you do a proper "Advanced" install of QMMEX (and setup AD LDS yourself) or just the "Express" so the permissions were set to the default?

    Are you attempting a manual switch or using a Switch collection?
  • In reply to JohnnyQuest:

    Yes I did an Advanced install. qmm_trg_ad has full access to the project. I'm attempting a manual switch now just for testing, but I planned on a switch collection later.
  • In reply to rich_stevenson:

    Use the KB below to check and make sure that the "Full Admin" role is assigned/delegated for that user.

    support.quest.com/.../70448

    There is a permissions breakdown somewhere in the project for the insufficient rights message to be displayed. The server account should also NOT be an "Enterprise Admin", it only should be a member of the "builtin\administrators" group.
  • In reply to Chris.Holley:

    Yes the account has the Full Admin role. As another test I set the collection to switch automatically. Now I see the error about the public folder referrenced in the kb. I have a ticket opened with you guys now as well.