Troubleshoot the data migration service

There are 2 types of issues when using the data migration service—blocking and non-blocking.

Blocking issues

Blocking issues prevent the migration of user accounts. They usually occur if you specify an incorrect username or password when you set up migrations from IMAP environments. Or, you might get them if your Microsoft Exchange administrator account lacks certain privileges.

Non-blocking issues

Non-blocking issues prevent some, but not all, messages from migrating. You might have message-level errors (where a single message hasn't migrated correctly) or folder-level errors (where an entire folder hasn't migrated).

How to address blocking issues

Migrating from an Exchange Web Services environment (Exchange 2007 and later)

If you encounter problems when migrating from a Microsoft Exchange Web Services (EWS) environment, verify:

  1. EWS—Select the Synchronization, Notification, Availability, and Automatic Replies option on the Exchange Server tab in the Microsoft Remote Connectivity Analyzer tool to verify that servers can reach and, through the Autodiscover service, recognize EWS.
  2. The logs show the data migration service can communicate with Exchange—Check the Exchange server Internet Information Services (IIS) logs for the SyncFolderItems call with response code 200.
  3. AD Conditional Access—Check whether you’re using Conditional Access policies on your Microsoft Active Directory. If so, turn off the policies and try migrating again. For more information, consult your Microsoft documentation.
  4. Impersonation—For more information, consult your Microsoft documentation on how to set up Exchange impersonation.
  5. TLS certificates—Verify your TLS certificates are signed and valid. For details, go to Set up your TLS certificate.
  6. Exchange user account—Verify the Exchange user account is a valid account and the mailbox is turned on. Also, check the Exchange mailbox isn't corrupt.
  7. Migration client ID—Verify the following service account client ID appears in the list of clients that have access to mail and migration APIs:

    955661971872-ie97v0ns6ndb19rbr9nlpkahpmfk9ugf.apps.googleusercontent.com

    To check the client ID:

    1. Sign in to your Google Admin console.

      Sign in using an account with super administrator privileges (does not end in @gmail.com).

    2. On the Admin console Home page, go to Securityand thenAPI controls.
    3. Click Manage Domain Wide Delegation.

      The client ID should be listed under API clients.

    If the client ID doesn't appear:

    1. Click Add new and enter your service account client ID.

      You can find the ID (also known as the Unique ID) in the JSON file that you downloaded when you created the service account or in the Google Cloud Console (click IAM & Adminand thenService accountsand thenyour service account).

    2. Click Client ID and enter your service account client ID.

      You can find the service account client ID in the JSON file that you downloaded when you created the service account. Alternatively, you can find the client ID (also known as the Unique ID) in the Google Cloud Console. Click IAM & Adminand thenService accounts and then select your service account.

    3. In the OAuth scopes field, copy and paste the following comma-delimited list of scopes:

      https://mail.google.com/,
      https://www.googleapis.com/auth/email.migration,
      https://www.googleapis.com/auth/gmail.insert,
      https://www.googleapis.com/auth/gmail.labels

    4. Click Authorize.
    5. Select the new client ID, click View details, and make sure every scope is listed.

      If a scope is not listed, click Edit, enter the missing scope, and click Authorize. You can't edit the client ID.

  8. The relevant Google service—Check that you turned on the target Google service (Gmail, Contacts, or Calendar). For details, go to Turn a service on or off for Google Workspace users.
  9. The super administrator—Check that a super administrator is assigned to the Google Workspace domain.
  10. Your server gets connections from Google mail servers—For details, go to Google IP address ranges for outbound mail servers.
Migrating from IMAP, Gmail, or a Google Workspace account

Blocking issues when migrating from an IMAP server, Gmail, or a Google Workspace account might indicate an obstacle accessing the mailbox. Try to access the mailbox using an IMAP email client such as Mozilla Thunderbird, Apple Mail, or Microsoft Outlook. This ensures the mailbox has IMAP access and that you have the correct username and password.

If you still have issues, confirm the following:

  1. Migration client ID—Verify the following service account client ID appears in the list of clients that have access to mail and migration APIs:

    955661971872-ie97v0ns6ndb19rbr9nlpkahpmfk9ugf.apps.googleusercontent.com

    To check the client ID:

    1. Sign in to your Google Admin console.

      Sign in using an account with super administrator privileges (does not end in @gmail.com).

    2. On the Admin console Home page, go to Securityand thenAPI controls.
    3. Click Manage Domain Wide Delegation.

      The client ID should be listed under API clients.

    If the client ID doesn't appear:

    1. Click Add new and enter your service account client ID.

      You can find the ID (also known as the Unique ID) in the JSON file that you downloaded when you created the service account or in the Google Cloud Console (click IAM & Adminand thenService accountsand thenyour service account).

    2. Click Client ID and enter your service account client ID.

      You can find the service account client ID in the JSON file that you downloaded when you created the service account. Alternatively, you can find the client ID (also known as the Unique ID) in the Google Cloud Console. Click IAM & Adminand thenService accounts and then select your service account.

    3. In the OAuth scopes field, copy and paste the following comma-delimited list of scopes:

      https://mail.google.com/,
      https://www.googleapis.com/auth/email.migration,
      https://www.googleapis.com/auth/gmail.insert,
      https://www.googleapis.com/auth/gmail.labels

    4. Click Authorize.
    5. Select the new client ID, click View details, and make sure every scope is listed.

      If a scope is not listed, click Edit, enter the missing scope, and click Authorize. You can't edit the client ID.

  2. The relevant Google service—Check that you turned on the target Google service (Gmail, Contacts, or Calendar). For details, go to Turn a service on or off for Google Workspace users.
  3. The super administrator—Check that a super administrator is assigned to the Google Workspace domain.
  4. Your server gets connections from Google mail servers—For details, go to Google IP address ranges for outbound mail servers.

How to address non-blocking issues

If non-blocking issues or errors occur, request a domain migration and item error report. For details on migration reports, go to Monitoring a data move. Then, try troubleshooting non-blocking issues.

Troubleshoot missing messages

Step 1: Check your setup steps

If you have a blocking issue, check that you completed all the steps to Prepare your legacy environment and try the migration again. Then, if the problem persists, use the blocking issues steps above to troubleshoot.

Step 2: Check for the email header

If some email messages seem to disappear after a migration, perform the following search to make sure the email isn't mislabeled:

  1. Get the Message-ID of the email from the legacy account. The Message-ID of an email is found in the message header. For details, go to Trace an email with its full headers.
  2. Search for the Message-ID header in the new account using the rfc822msgid: Gmail search operator. For details, go to Search operators you can use with Gmail.

Step 3: Additional checks

If you still can't find the email, perform the following checks:

Troubleshoot missing email folders

If you have an email folder missing after a migration, contact your legacy email service provider for help with resolving the issue with the folder.

If the issue can’t be resolved, you could delete the folder and run the migration again. Any email messages contained within the folder are also deleted, however.

Related topics


Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue

Search
Clear search
Close search
Google apps
Main menu
Search Help Center
true
73010
false