Error: 'Failed to change domain affiliation [hr=8007003a].... specified server cannot perform the re (NETIQKB34789)

Document ID:7734789
Creation Date:02-Feb-2007
Modified Date:07-Dec-2007
- Micro Focus Products:
  Domain Migration Administrator

Resolution

fact
Domain Migration Administrator 7.x

symptom
Error: 'Failed to change domain affiliation [hr=8007003a].... specified server cannot perform the requested operation'.

symptom
When I migrated a computer I got an error that the computer cannot be added to the domain.

cause
The computer cannot locate the appropriate DNS record to join the new domain.

fix

When a Windows 2000 or later computer joins a new Windows 2000 or later domain, it queries DNS for a _LDAP._TCP.dc._msdcs.domainname DNS record. If DMA is having trouble changing domain affiliation for a computer, use the following nslookup commands on the the computer you want to migrate to ensure it can resolve DNS queries to the target domain.

To use nslookup to verify DNS resolution:

At a Windows command prompt, enter the following command:
nslookup

The nslookup command begins a session displaying the > prompt, and returns the following type of information where myDNSserver.domain.com is the fully qualified domain name of the DNS server for the domain, and 10.10.10.10 is the IP address of the DNS server:

Default Server: myDNSserver.domain.com
Address: 10.10.10.10
Enter the following commands to set the query type to SVR (service location resource records):

> set q=srv
Enter the following command to locate the LDAP record for the domain name:

> _ldap._tcp.dc._msdcs.myDNSserver.domain.com
Enter the following command where myDNSserver.domain.com is the fully qualified domain name returned from the query in Step 3.

> myDNSserver.domain.com
Review the output of the previous domain name query and determine if further action is needed depending on the success of the query:

If the query succeeds: Review the SRV resource records to determine if all domain controllers for your Active Directory domain are included and registered with valid IP addresses.

If the query fails: Continue troubleshooting dynamic update or DNS server-related issues to determine the exact cause of the problem and to ensure the target domain controller has the appropriate DNS lookup information available.

note

Note:
The nslookup command-line administrative tool helps you test and troubleshoot DNS servers. The nslookup command-line tool offers the ability to perform query testing of DNS servers and obtain detailed responses as the command output. This information is useful in troubleshooting name resolution problems, verifying that resource records are added or updated correctly in a zone, and debugging other server-related problems.

note

For more information about troubleshooting DNS resolution problems, see the following Microsoft Knowledge Base or TechNet articles:

Error Message "Network Name Is No Longer Available" Joining Windows XP Domain
http://support.microsoft.com/?kbid=293403
How Domain Controllers Are Located in Windows
http://support.microsoft.com/default.aspx?scid=kb;en-us;247811
To verify the DNS resource records needed to join an Active Directory domain using nslookup
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/70919369-262d-491d-89d9-c45d7654b32c.mspx

Additional Information

Formerly known as NETIQKB34789