Known solutions for hybrid migrations errors

This article documents some of the most common errors related to failed hybrid migrations, along with the steps to resolve them or some fix suggestions, where there are multiple root causes.

In case you need guidance with extracting the detailed migration errors or with analyzing the migration report from PowerShell, please consult our below article, for step by step instructions:

https://blogs.technet.microsoft.com/exovoice/2017/06/29/how-to-extract-and-analyze-the-errors-from-the-hybrid-migration-report-using-powershell/

If you had experienced a new error that is missing from this list and for which you found the solution, you are more than welcome to share it here, because it will help us to consolidate this initiative and will also help other persons to fix their migration issues faster.

 

Known solutions for hybrid migration errors

 

 

 1) MigrationPermanentException: You must specify the PrimaryOnly parameter. 

This error can occur when you attempt to migrate to cloud an on-prem mailbox via a migration batch from EAC, where the online archive already exists for this user. 

Fix: In order to migrate the primary mailbox to Office 365, you will need to start the mailbox move with the following command, from Exchange Online PowerShell:

New-MoveRequest –Identity <user> -RemoteCredential (Get-Credential) -Remote -RemoteHostName 'mail.contoso.com' -TargetDeliveryDomain <tenant.mail.onmicrosoft.com -PrimaryOnly

 

 

 2) Couldn't switch the mailbox into Sync Source mode. This could be because another administrator is currently moving the mailbox into the destination database,<br>the mailbox is locked, or the Microsoft Exchange Mailbox Replication service doesn't have the correct permissions.<br>FailureType: SourceMailboxAlreadyBeingMovedTransientException. 
This error can also be correlated with slow migration performance.
Possible solutions:
-Check if there is any local move request for this user on the on-prem Exchange Server.
-In case you have Exchange 2010 with multiple CAS servers that are load balanced, make sure that your Load Balancer maintains the session affinity,
 more exactly all the incoming migration requests for a mailbox should be processed by the same CAS server.
-Try to see if setting the TCP KeepAliveTime on the server hosting the source mailbox to 5 minutes (instead of 2 hours) will fix the issue.

More details can be found into this article: https://blogs.msdn.microsoft.com/brad_hughes/2016/12/16/source-mailbox-already-being-moved-errors-while-moving-mailboxes/

 

 

 3) Failed to convert the source mailbox 'mailboxID' to mail-enabled user after the move. <br>FailureTpe: UpdateMovedMailboxPermanentException. 

- The user might end with 2 mailboxes: 1 in the cloud and 1 in local Exchange.
- Such issues can occur if the affected user have the inheritance disabled in local AD.
- There is a property called AdminCount on each user in local AD, that by default is not populated or it gets set to “1”, once the account is added to a privileged group.  
- The AdminCount value is used as a flag to indicate the account is, or was, protected. 
- More information about inherited AD permissions can be found in the next article:
https://blogs.msdn.microsoft.com/muaddib/2013/12/30/how-to-modify-security-inheritance-on-active-directory-objects-using-powershell/

Fix: 
https://support.microsoft.com/en-us/help/2745710/a-user-can-t-access-a-mailbox-by-using-outlook-after-a-remote-mailbox-move-from-an-on-premises-exchange-server-environment-to-office-365

 

 4) MapiExceptionTooComplex: Unable to query table rows. (hr=0x80040117, ec=-2147221225) 

Fix:
To prevent this failure during the move process (onboarding or offboarding) you need to skip moving the folder views or folder restrictions along with the mailbox, by starting the move from EXO PowerShell as below:
New-MoveRequest –Identity user@contoso.com -SkipMoving: FolderViews, FolderRestrictions -Remote -RemoteCredential(Get-Credential)-RemoteHostName "mrsproxy.contoso.com" -TargetdeliveryDomain contoso.com

 

 

 5) MigrationPermanentException: You can’t use the domain because it’s not an accepted domain for your organization. –> You can’t use the domain because it’s not an accepted domain for your organization. 

Fix: Check on the AD user object if there are any proxy addresses in some domains that are not verified in Exchange Online. 
Once you identified the faulty email addresses, remove them and force the AADconnect sync. Then start a new migration for the affected user.

 

 

 6) MigrationPermanentException: The target mailbox doesn’t have an SMTP proxy matching ‎'contoso.mail.onmicrosoft.com‎'. 

This issue may occur if the source mailbox isn't stamped with a <domain.mail.onmicrosoft.com> SMTP address.

Fix: https://support.microsoft.com/en-gb/kb/2939340

 

 

 7)  MigrationPermanentException: Cannot find a recipient that has mailbox GUID <GUID>"  error message when you try to move a mailbox in an Exchange hybrid deployment. 

This behavior occurs because the value of the ExchangeGUID attribute from Exchange Online user isn't stamped on the associated remote mailbox from the on-premises organization.

 Fix:  https://support.microsoft.com/en-us/kb/2956029

 

 8)  Fatal error TooManyMissingItemsPermanentException has occurred. 
or Fatal error TooManyBadPermanentException has occurred. 

This issue can occur because the bad items limit for the move request has been reached. Fix: In order to fix the issue, you should increase the bad items limit to a higher value:
     Set-MoveRequest <user> –BadItemLimit 100
     Resume-MoveRequest <user> 

 

 

 9) The call to 'https://mail.contoso.com/EWS/mrsproxy.svc' timed out. Error details: The request channel timed out attempting to  send after 00:00:00.  
Increase the timeout value passed to the call to Request or increase the SendTimeout value on the  Binding. 
or
The call to 'https://mail.contoso.com/EWS/mrsproxy.svc' failed because no service was listening on the specified endpoint.  
Error details: There was no endpoint listening at https://mail.contoso.com/EWS/mrsproxy.svc that could accept the message.  
This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details. --> The remote server returned an error: (404) Not Found. 

These errors are usually occurring only for particular users, while other mailboxes can be moved successfully. 
They are caused by the ExchangeGuid mismatch between EXO and local Exchange:

Fix: https://support.microsoft.com/en-us/kb/306575

 

 

 10) The call to ‘https://mail.domain.com/EWS/mrsproxy.svc ‘ failed. Error details: The server was unable to process the request due to an internal error.  For more information about the error, either turn on IncludeExceptionDetailInFaults<br> (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation  and inspect the server trace logs.. –><br> The server was unable to process the request due to an internal error.  For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) <br>on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation and inspect the server trace logs.   

The failure type for this error is CommunicationErrorTransientException.   

This error is caused by some particular folders views from source mailbox. MRS fails to create these folders into the hierarchy of the destination mailbox. 

Fix: https://blogs.technet.microsoft.com/latam/2016/01/05/o365-error-when-trying-to-move-a-mailbox-to-the-cloud-creatingfolderhierarchy-communicationerrortransientexception/ https://support.microsoft.com/en-us/help/3063045/-transientexception-errors-when-you-try-to-move-mailboxes-from-exchange-online-to-exchange-server-2007-in-the-on-premises-environment

 

 

 11) Failed to find a principal in the target forest that corresponds to a source/target forest principal ( A corrupted item was encountered: Folder ACL “Foldername"). 

This message is related to mailbox/mailboxfolder permissions that cannot be migrated, since MRS cannot find the object from permissions list in the source or destination forest, being unable to map the permissions. 

Fix: See below article for more details:
https://blogs.technet.microsoft.com/exchange/2017/05/30/toomanybaditemspermanentexception-error-when-migrating-to-exchange-online/

 

 

 12) Cannot query rows in a table. --> MapiExceptionMaxObjsExceeded: Unable to query table rows. 
FailureType       : StoragePermanentException

Fix: Increase limit of Search Folders in the on-premises Exchange Server as per below steps:

1.On the Exchange server hosting the target database where cloud mailbox will be offboarded, look for and open the following config file:
 Microsoft.Exchange.Store.Worker.exe.config,  found in Bin folder of %ExchangeInstallPath% . 

2.Add the following lines in Configuration tag, between  </runtime>  and  </configuration> 
 <appSettings> 
 <add key="DynamicSearchFolderPerScopeCountReceiveQuota" value="250" /> 
 </appSettings> 

3.Restart Microsoft Exchange Information Store service after modifying this file and try again the move.

 

 

 13) The call to 'https://MRSPROXYHOST/EWS/mrsproxy.svc SERVER.domain.com (14.3.178.0 caps:05FFFF)' failed.<br>Error details: The remote endpoint no longer recognizes this sequence. This is most likely due to an abort on the remote endpoint. The value of wsrm:Identifier is not a known Sequence identifier. The reliable session was faulted. 
FailureType:CommunicationErrorTransientException. 

This error is usually caused by a wrong load-balancing configuration, when using multiple Exchange 2010 CAS servers.

Fix: To prevent this issue to occur, make sure that your load-balancer is keeping the session affinity/persistence. This behavior is explained in the next article: 
     https://blogs.msdn.microsoft.com/brad_hughes/2017/02/21/its-always-the-load-balancer/

 

 

 14) Error:MissingExchangeGuidException: The user object for ‎'user@domain.com‎' does not have a valid ExchangeGuid property and cannot be migrated. 
This issue occurs when EXO fails to provision the ExchangeGUID attribute for an user(msoluser will have a validation error), because this ExchangeGUID value is already used by another object from EXO, it could be an active mailbox/mailuser or a soft deleted mailbox/mailuser.

Fix:  First use this command to get the ExchangeGUID/ArchiveGUID from the validation error:
 (Get-MsolUser -UserPrincipalName affecteduser@domain.com).errors.errordetail.objecterrors.errorrecord| fl

Search in EXO PowerShell for the object that is using the mentioned EXchangeGUID or ArchiveGUID: 
Get-Recipient -IncludeSoftDeletedRecipients 'ExchangeGUID value'|ft RecipientType,PrimarySmtpAddress,*WhenSoftDeleted* 

Once you found the object that is using this guid, you have to purge it: 
1.If it is a softdeleted MailUser: Remove-MailUser 'ExchangeGUID value' -PermanentlyDelete 
2.If it is a softdeleted UserMailbox, run:  Remove-Mailbox 'ExchangeGUID value' -PermanentlyDelete 
-if this command fails due to mailbox being protected by hold, you have to disable the hold first(check if data backup is required): 
Set-Mailbox user@domain.com -LitigationHoldEnabled $false -InactiveMailbox 
3. If it turns to be an active mailuser/mailbox that is using this ExchangeGUID/ArchiveGUID, you need to evaluate the option to purge that user(however, this is a very rare scenario though). 
4. After the faulty object has been purged from EXO, we need to fix the validation error by forcing the object provisioning: 
 Get-MsolUser -UserPrincipalName user@domain.com |fl *objectID* 
Redo-MsolProvisionUser -ObjectId 'paste the *objectID* value from above command'  
5. After 5 minutes run this command to confirm if your validation error is fixed: 
 (Get-MsolUser -UserPrincipalName user@domain.com).errors.errordetail.objecterrors.errorrecord| fl 
6. If the validation error is gone, you can try again the migration.

 

 

 15) The call to 'https://<ServerName>/EWS/mrsproxy.svc' failed. Error details: Access is denied”   error when you try to create a new migration batch or to start a new move request, using Exchange 2013 as the migration server.

This issue occurs if the computer account of the Exchange 2013 hybrid server is a member of one or more protected groups.  

Fix: https://support.microsoft.com/en-us/help/2975731/access-is-denied-error-when-you-try-to-move-mailboxes-to-exchange-onl

 

 

 16)  The remote server returned an error: (403) Forbidden. The connection to the server 'mail.contoso.com' could not be completed.The call to 'https://mail.contoso.com/EWS/mrsproxy.svc' failed. Error details: The HTTP 
request was forbidden with client authentication scheme 'Negotiate' .

This error is related to MRSproxy endpoint not being enabled on the CAS servers involved in the migration.

You need to enable MRsproxy endpoint on EWS virtual directory for every CAS server or in case it shows as being already Enabled, you might need to disable/re-enabled it, followed by and IIS reset.

More  details can be found into this article:
https://support.microsoft.com/en-gb/help/3063913/-the-remote-server-returned-an-error-403-forbidden-error-when-you-try

 

 

 17) The call to 'https://mail.contoso.com/ews/mrsproxy.svc' failed. Error details: Unable to cast object of type 'System.String' to type 'System.String[]'.. --] Unable to cast object of type 'System.String' to type 'System.String[]'. 
FailureType:CommunicationErrorTransientException

This error can be caused by some restrictions or invalid properties on the "Search Folders" defined by the user.

Fix: Start Outlook client from where the affected user profile is configured, using the switch "outlook.exe /cleanfinders", and re-attempt the migration.

 

 18) Target database 'xxxx-xxxx-xxxx-xxxx' cannot be used: Database is excluded from provisioning: 'True'. 
This error can occur when the migration service is assigning you a target database that might be under maintenance work.

Fix: The fastest solution is to delete the affected move request and to start a new one, in order for the migration service to select a new database.

 

 

 19) Failuretype: MailboxIsNotInExpectedMDBPermanentException /Error Message: The mailbox is in not in the expected mailbox database. 

Fix: This error can be expected when the source mailbox being relocated to another database during the remote move.(can be the result of a local move or a database failover).
Usually this error can be fixed when you resume the moverequest. If the error persists, you can try moving the affected mailbox to another local database, then to start a new move request to Exchange Online.

 

 

 20) FailureType: StoragePermanentException . Error Message: Cannot save changes made to an item to store. --> MapiExceptionMaxObjsExceeded: Unable to save changes. 

Fix: This error is usually related to the max number of items from a mailbox folder being reached ( >1 million items).

In order to find the folder in question(it can be a folder under IPM subtree or from outside IPM) , you can run below commands:

 $root=Get-MailboxFolderStatistics -Identity user@domain.com

 $root|sort itemsinfolder -descending |ft folderpath,itemsinfolder

 $non_root=Get-MailboxFolderStatistics user@domain.com -FolderScope NonIpmRoot

 $non_root|sort itemsinfolder -descending |ft folderpath,itemsinfolder

If the faulty folder is accessible from Outlook/MFC MAPI, then you can move some of the items to other folders, to have under 1 mil items per folder and resume the migration. 
If this folder is a non IPM folder, for example "/"  root folder, there is no easy way to access the items from it and the best option would be to export the mailbox content into a PST file 
and import it in the remote mailbox, after following this article: https://support.microsoft.com/en-us/help/2745710/a-user-can-t-access-a-mailbox-by-using-outlook-after-a-remote-mailbox