[7075]S32022: Failed to change domain affiliation, hr=80070005 Access is denied. (NETIQKB7873)

  • 7707873
  • 02-Feb-2007
  • 16-Aug-2007

Resolution

fact
Domain Migration Administrator 7.1

symptom
[7075]S32022: Failed to change domain affiliation, hr=80070005 Access is denied.

cause

Possible Causes:

  1. There is an issue in DMA 7.1 that results in an 'Access is Denied' message when trying to change domain affiliation on NT 4 machines.
  2. The DMA logon account OR the account specified in the migration wizard does not have the correct permissions to contact the Target domain and change the affiliation of the workstation.
  3. A source account has been specified in the migration wizard AND security translation has been set to and performed in 'Replace' mode. The source Domain Admins have been removed and the target Domain Admins have been added to the Administrator Local Group on the migrated machine. This could cause the account used by the agent to be denied access.
  4. The ability to join a computer to the domain had been removed from the Administrators Local Group.
  5. The PDC Emulator is not the DC that DMA used to create the computer account and you are migrating an NT 4.0 machine.


fix

Matching Fixes:

  1. Install DMA Hotfix 22291. This issue was originally addressed in Hotfix 14252, which is included in Hotfix 22291.
  2. Verify that the account used to log on to the DMA console and specified as credentials in the migration wizard is a local administrator on the workstation being migrated and has full control on the target OU. When replacing an existing computer account that is located in another OU, the logon/specified account must have full control on the OU that contains the computer account being replaced. For example, if the computer account was migrated to OU 'A' in the first migration and is now being re-migrated to OU 'B', the logon/specified account must have full control on OU 'A'.
  3. Perform the security translation in 'Add' mode first and then 'Replace' mode after the machine has been joined to the target.
  4. Verify that the account specified in the migration wizard has the right to add workstations to the domain. This can be configured in Group Policy using the Microsoft native Domain Security Policy tool.
    • Please check the following group policy setting:
      Start / Programs / Administrative Tools / Domain Security Policy /
      Windows Settings / Security Settings / Local Policies / User Rights Assignment / Add workstations to domai
    • Detailed troubleshooting of group policy is beyond the scope of Tech Support.
  5. Use the procedure described in NETIQKB925 to point the DMA console to the PDC Emulator for creation of the computer accounts.
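
A read-only way to check fixes 2, 4 and 5 before re-running the migration, as an added example that is not NetIQ's or DMA's own code. It assumes an elevated Windows PowerShell session on a domain controller of the target domain, logged on with a target-domain account; the workstation name and OU distinguished name are placeholders.

```powershell
# Added example: read-only checks for fixes 2, 4 and 5. Placeholder values are assumptions.
$Workstation = 'WKSTN01'                                  # placeholder: machine being migrated
$TargetOU    = 'OU=Workstations,DC=target,DC=example'     # placeholder: target OU DN

# Fix 4: list who holds "Add workstations to domain" (SeMachineAccountPrivilege)
# in the user rights in effect on the machine this runs on.
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg |
        Where-Object { $_ -match '^SeMachineAccountPrivilege\s*=' } |
        Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

"Holders of 'Add workstations to domain':"
if ($line) {
    ($line -split '=', 2)[1].Split(',') | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # secedit writes SIDs as *S-1-...; resolve to a name where possible
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $sid.Value }   # unresolvable SID: print it unchanged
        } else { $entry }
    }
} else {
    '  (right is not assigned to anyone in the exported policy)'
}

# Fix 5: which DC holds the PDC Emulator role in the current (target) domain?
Add-Type -AssemblyName System.DirectoryServices
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
"PDC Emulator: $($domain.PdcRoleOwner.Name)"

# Fix 2a: members of the local Administrators group on the workstation being migrated.
"Local Administrators on ${Workstation}:"
$admins = [adsi]"WinNT://$Workstation/Administrators,group"
$admins.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
}

# Fix 2b: dump the ACL on the target OU and look for the migration account with full control.
dsacls $TargetOU
```

The holders list shows direct assignments only, so an account that receives the right through a group appears as that group.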


Additional Information

Formerly known as NETIQKB7873