Troubleshoot Migration Permanent Exception directory property ‘homeMDB’ is not writeable on recipient

Error Moving a Mailbox to Exchange 2013

When you upgrade from Exchange 2007 to Exchange 2013, you can run into mailbox migration issues that delay the upgrade. Recently I have been working on an Exchange 2007 to Exchange 2013 upgrade and got the following error message when migrating a mailbox from Exchange 2007 to Exchange 2013.

Error: MigrationPermanentException: Active Directory property 'homeMDB' is not writeable on recipient 'mscloudtalks.com/Admin/Users/Riaz Butt'. --> Active Directory property 'homeMDB' is not writeable on recipient

This error message clearly states that something is wrong with the recipient's properties in Active Directory. Before troubleshooting this issue, make sure that you have the appropriate permissions to move mailboxes. Let's see how we can fix it.

How to Fix the Mailbox Migration Issue

  • Log in to a domain controller and open Active Directory Users and Computers
  • Make sure that you have Advanced Features enabled
  • Navigate to the user account and open its properties
  • Under the user properties in AD, go to the Security tab
  • Click Advanced and select the option “Include inheritable permissions from this object’s parent”

  • Once done, wait for Active Directory replication, or enforce it using the repadmin /syncall /force command
  • Once Active Directory has replicated, re-initiate the user mailbox migration and it will migrate the mailbox to Exchange 2013

Root Cause of Failed Migration

So the issue is now fixed, but why did we have it? Why were we able to migrate other users and had issues with only a few user accounts?

The reason is that Active Directory permissions were not being inherited by the user account, which happens when the “Include inheritable permissions from this object’s parent” checkbox is unchecked. You can uncheck permissions inheritance manually on an individual user, or it can happen when you add the user account to a Protected Group. When you add a user to a Protected Group, the user’s AdminCount attribute will be set to 1. The following are the Protected Groups in Active Directory that will change AdminCount and set it to 1.

  • Administrators
  • Server Operators
  • Account Operators
  • Print Operators
  • Backup Operators
  • Domain Admins
  • Enterprise Admins
  • Schema Admins
  • Cert Publishers

To streamline the migration of the remaining mailboxes, you need a list of all users with the AdminCount value set to 1. You can get this list by running the PowerShell cmdlet Get-ADUser -Filter {admincount -gt 0} -Properties AdminCount | select name. You can also use a PowerShell script to get a list of all users on which inheritance is blocked. The PowerShell script can be downloaded from TechNet Gallery.
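
The following read-only report is an added example, not the TechNet Gallery script mentioned above. It extends the Get-ADUser query to show, for each AdminCount account, whether inheritance is actually blocked and whether the account is still a member of one of the Protected Groups listed in this article. It assumes the ActiveDirectory module (RSAT) is installed and that the groups use their default English names.

```powershell
# Added example: audit AdminCount accounts before a mailbox migration.
# Read-only; it changes nothing in Active Directory.
Import-Module ActiveDirectory

# Protected Groups exactly as listed in this article (default English names assumed).
$protectedGroupNames = 'Administrators', 'Server Operators', 'Account Operators',
    'Print Operators', 'Backup Operators', 'Domain Admins', 'Enterprise Admins',
    'Schema Admins', 'Cert Publishers'

# Resolve names to DNs. -Filter returns nothing (no error) when a group does
# not exist in this domain, e.g. Enterprise Admins in a child domain.
$protectedGroupDns = foreach ($name in $protectedGroupNames) {
    Get-ADGroup -Filter "sAMAccountName -eq '$name'" |
        Select-Object -ExpandProperty DistinguishedName
}

# Collect every user who is a direct or nested member of a Protected Group.
# 1.2.840.113556.1.4.1941 is the LDAP "in chain" (recursive) matching rule.
# Limitation: membership held only through primaryGroupID is not detected.
$stillProtected = @{}   # PowerShell hashtable keys are case-insensitive
foreach ($dn in $protectedGroupDns) {
    Get-ADUser -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$dn)" |
        ForEach-Object { $stillProtected[$_.DistinguishedName] = $true }
}

# Same filter as the one-liner in the article, plus the security descriptor
# so the inheritance flag can be read from the DACL.
$report = Get-ADUser -Filter { admincount -gt 0 } -Properties adminCount, nTSecurityDescriptor |
    ForEach-Object {
        [pscustomobject]@{
            Name               = $_.Name
            SamAccountName     = $_.SamAccountName
            # True means "Include inheritable permissions" is unchecked.
            InheritanceBlocked = $_.nTSecurityDescriptor.AreAccessRulesProtected
            InProtectedGroup   = $stillProtected.ContainsKey($_.DistinguishedName)
        }
    }

# Accounts most likely to fail the move are those with InheritanceBlocked = True.
$report | Sort-Object InProtectedGroup, Name | Format-Table -AutoSize
```

For rows where InProtectedGroup is True, Active Directory reapplies the AdminSDHolder permissions on its regular schedule (every 60 minutes by default) and inheritance is disabled again, so start the mailbox move soon after replication. Rows where it is False are accounts that kept AdminCount = 1 after leaving a Protected Group; AdminCount is not cleared automatically, and on these the inheritance change persists.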