Error: 'Cannot add LDAP://ServerName/CN=user to CN=Group, because LDAP://ServerName/CN=user has not (NETIQKB8729)

  • 7708729
  • 02-Feb-2007
  • 16-Aug-2007


Domain Migration Administrator 6.x

Domain Migration Administrator 7.x

Error: 'Cannot add LDAP://ServerName/CN=user to CN=Group, because LDAP://ServerName/CN=user has not been migrated to the target domain. The user name could not be found.'


There are several possible causes for this error message.

  1. Replication issues in the Target Domain.
  2. The LDAP path for the Group (TargetAdsPath in the Migrated Objects table) may point to a different server than the one currently selected to perform the user migration. In that case, DMA looks up the group that the user is a member of, contacts the server specified in the group's LDAP path for the group information, and attempts to add the user to the group on that server. Because the user was not created on that server first, DMA concludes that the user does not exist.
    • This could be a result of the target account being moved or renamed using Active Directory Users and Computers after migration.
    • This could be a result of a post process script that moved or renamed the account and did not update the DMA database. 


There are several possible workarounds that correspond to the previous causes.

  1. To work around the replication issue:
    1. Add a key called Options.TargetServerOverride to the Settings table as described in the following KB article:
    2. Close DMA.
    3. Make a backup of the protar.mdb database.
    4. Using MS Access, open the Protar.mdb (C:\Program Files\NetIQ\DMA\Protar.mdb).
    5. Open the Migrated Objects table in the Protar.mdb.
    6. Perform a 'Find and Replace' on the TargetAdsPath in the Migrated Objects table.
    7. Replace the servername (LDAP://servername/) with the name of the server that will be specified for the migrations.
    8. Make sure that replication to the specified DC is complete.
    9. Use that same server as the specified 'TargetServerOverride'.
      • You can also specify the DC that is listed in the TargetAdsPath as the TargetServerOverride for your current migrations. Using this method, you will not need to perform the 'Find and Replace' on the database.
  2. Run the Refresh Migrated Objects report as described in the following KB article:
    • What is the 'Refresh Migrated Objects' report? 
    • To resolve the issue that was the result of a script, add the following lines to your scripts:
      • Settings.put "CopiedAccount.TargetName", "CN=" & newName 'where newName is the new account name
      • Settings.put "CopiedAccount.TargetSam", "newName"  'if you have changed the target samAccountName
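
A pre-check for steps 6 and 7 of the first workaround, added here as an example and not part of the NetIQ article or of DMA itself: it reports which servers the TargetAdsPath values name and which rows a replace would change. It assumes the values have been exported from the Migrated Objects table as plain strings; the function names and the sample paths are constructed for illustration.

```python
import re
from collections import Counter

# ADsPath: provider, optional "server[:port]/", then the distinguished name.
# A first segment containing "=" is a DN component, i.e. a serverless path.
_ADSPATH = re.compile(r'^(?P<prov>[A-Za-z]+)://(?:(?P<server>[^/=,]+)/)?(?P<dn>.+)$')

def split_adspath(path):
    """Return (provider, server or None, dn) for an ADsPath string."""
    m = _ADSPATH.match(path.strip())
    if not m:
        raise ValueError("not an ADsPath: %r" % path)
    return m.group('prov'), m.group('server'), m.group('dn')

def audit_paths(paths, target_server):
    """Count the servers named in the paths and list the rewrites needed."""
    servers, rewrites = Counter(), []
    for p in paths:
        prov, server, dn = split_adspath(p)
        servers[(server or '<serverless>').lower()] += 1
        # Host names compare case-insensitively; serverless paths are left alone.
        if server and server.lower() != target_server.lower():
            rewrites.append((p, "%s://%s/%s" % (prov, target_server, dn)))
    return servers, rewrites

# Constructed sample values, not taken from a real database.
SAMPLE = [
    "LDAP://dc01.target.example/CN=Sales,OU=Groups,DC=target,DC=example",
    "LDAP://DC02.target.example/CN=Jane Doe,OU=Users,DC=target,DC=example",
    "LDAP://dc02.target.example/CN=Ops,OU=Groups,DC=target,DC=example",
    "LDAP://CN=HR,OU=Groups,DC=target,DC=example",
]

if __name__ == "__main__":
    servers, rewrites = audit_paths(SAMPLE, "dc02.target.example")
    for name, count in sorted(servers.items()):
        print("%-28s %d row(s)" % (name, count))
    for old, new in rewrites:
        print("%s\n  -> %s" % (old, new))
```

More than one distinct server in the summary means objects were written through different DCs, which is the condition described in cause 2.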

Additional Information

Formerly known as NETIQKB8729