Curing two Exchange 2010 mailbox move headaches

Moving Exchange 2010 mailboxes may seem like a breeze, but two common problems can stand in the way.

Issues often occur when moving Exchange 2010 mailboxes from one database to another. The following fixes address the two most common problems admins encounter when moving mailboxes -- lingering move requests and inadequate access rights.

The Exchange 2010 mailbox has already been moved 
When you move a mailbox in Exchange 2010, the server appends an In Transit flag to the mailbox. The problem is that the flag remains -- even after the move is complete. If you try to issue a move request against a mailbox that you already moved, the New Local Move Request option won’t appear in the menu. Exchange won’t allow you to move the mailbox because it thinks a move is still in progress.

To fix this, you’ll need to get rid of the previous move request. Open the Exchange Management Console (EMC) and navigate to the Recipient Configuration -> Move Requests node. Select the mailbox or mailboxes with the existing move request, right-click on the mailbox or mailboxes and then select Clear Move Request.

If you want to clear move requests for a large number of mailboxes, I recommend using the following command in the Exchange Management Shell (EMS).

Get-MoveRequest –MoveStatus Completed | Remove-MoveRequest

This command also examines the mailboxes' move status and ensures that the previous move has completed before removing the move request.

Note: To find out which mailboxes have been moved already without clearing existing move requests, use the Get-MoveRequest –MoveStatus Completed command.

Insufficient access rights
When you try to move an Exchange 2010 mailbox, you may also encounter this common error:

Active Directory operation failed on {Domain Controller Name}. This error is
not retriable. Additional information: Insufficient access rights to perform
the operation.
Active directory response: 00002098: SecErr: DSID-03150E8A, problem 4003

This message indicates that the person attempting to move the mailbox lacks the required permissions. Two primary factors usually cause this error.

  1. Inadequate Exchange admin permissions. A domain administrator is not allowed to manage Exchange Server until he has been granted the necessary administrative permissions.
  2. Blocked account inheritance. If the account inheritance is blocked, mailbox permissions cannot be assigned to the Exchange account.

To assign the proper permissions to yourself or another administrator, open ADSI Edit and right-click on the ADSI Edit container. Next, select the Connect To option. Then choose the connect to a well-known naming context option and click OK.

Now, navigate to Default Naming Context -> DC=<your domain>, DC=com -> CN=Users. Locate the Active Directory object that corresponds with the person who is trying to move the mailbox (Figure 1).

Locate the corresponding object in ADSI Edit.
Figure 1. Locate the corresponding object for the Exchange admin who can't move mailboxes. 

Right-click on the object and select the Properties command. Next, select the Security tab and click on the Advanced button. Finally, select the Include inheritable permissions from this object’s parents checkbox (Figure 2).

Click the Include inheritable permissions checkbox to allow mailbox moves.
Figure 2. Select the Include inheritable permissions checkbox to give the administrator mailbox move rights.

Brien Posey is a seven-time Microsoft MVP with two decades of IT experience. Before becoming a freelance technical writer, Brien worked as a CIO for a national chain of hospitals and healthcare facilities. He has also served as a network administrator for some of the nation’s largest insurance companies and for the Department of Defense at Fort Knox.

Dig Deeper on Exchange Server setup and troubleshooting