Starting with version 8.5, QMM RUM uses the Microsoft NetJoinDomain function for computer move operations. This change was made to better handle Windows 7 operating systems and to make the procedure more reliable and easier to troubleshoot.
The function creates the log %WINDIR%\Debug\Netsetup.log on the computer being moved, which is very useful for troubleshooting. The MigrationManagerAD User Guide mentions this log:
For troubleshooting purposes when moving computer to other domain, you can use the Netsetup.log file created in the %WINDIR%\Debug folder on the computer being moved between domains.
Please refer to the following Microsoft article, which describes the log in detail, along with the issues that can occur during a domain join operation:
Format of Netsetup.log File
A typical line in Netsetup.log is formatted as follows:
<time-stamp> <function-name>: <description of operation>: <status code in hexadecimal code>.
An example is the following:
08/11 14:08:29 NetpJoinDomain: status of connecting to dc \\DC9: 0x0
The description of the join operation is usually self-explanatory. The status code is NET_API_STATUS or a Win32 error code. A 0x0 code indicates success; any other code indicates an error.
Specific Join Issues
You might encounter problems when you join your computer to a domain. Even though these problems are reported as join problems, some of the most frequently reported ones are not related to the join process. Looking at the Netsetup.log is sufficient to quickly spot such cases.
The following are some of the most common errors that relate to join issues:
Failure to find or to connect to a domain controller.
Transient network conditions or having specified an incorrect domain name.
Failure to create a computer account.
The error code shown in Table 10.6 comes under this category.
Table 10.6 "Failure to find a domain controller" Error Code
Description | Actual Error | Error Code |
Failure to find or connect to a domain controller. | ERROR_NO_SUCH_DOMAIN | 1355 |
The following is an example of this error:
07/20 16:51:10 NetpDsGetDcName: trying to find DC in domain verylongdomain1, flags: 0x1020
07/20 16:51:11 NetpDsGetDcName: failed to find a DC having account A-USHAS2-80C$: 0x525
07/20 16:51:11 NetpDsGetDcName: failed to find a DC in the specified domain: 0x54b
07/20 16:51:11 NetpDoDomainJoin: status: 0x54b
The join process usually tries to find a domain controller that already has a computer account for the computer that is currently being joined to the domain. If such a domain controller is not found, it tries to find another domain controller. The preceding example shows that the join domain operation failed because a domain controller was not located for the specified domain.
To investigate further, run nltest /dsgetdc:<domain-name> and examine the output. If you still receive errors, either the domain really does not exist or there is a transient net error that is preventing domain controller discovery. By running Netdiag.exe and examining the output, you usually can determine the cause. A Failure to connect to a domain controller message usually means that transient net errors or insufficient credentials are the cause. Table 10.7 shows some error codes that come under this category.
Table 10.7 "Failure to connect to a domain controller" Error Codes
Description | Actual Error | Error Code |
Bad credentials. | ERROR_LOGON_FAILURE | 1326 |
Time skew that can cause failure of Kerberos authentication. | ERROR_TIME_SKEW | 1398 |
Failure to connect to a domain controller. | ERROR_ACCESS_DENIED | 5 |
No domain controller found. | ERROR_NO_LOGON_SERVERS | 1311 |
The following is an example of this type of error code:
07/20 14:47:34 NetpDsGetDcName: trying to find DC in domain reskit, flags: 0x1020
07/20 14:47:50 NetpDsGetDcName: failed to find a DC having account TO_A$: 0x525
07/20 14:47:50 NetpDsGetDcName: found DC \\reskit in the specified domain
07/20 14:47:50 NetUseAdd to \\reskit\IPC$ returned 1326
07/20 14:47:50 NetpJoinDomain: status of connecting to dc \\reskit: 0x52e
07/20 14:47:50 NetpDoDomainJoin: status: 0x52e
The previous example shows a failed attempt to find a domain controller having the account TO_A$. This is not a fatal error because the code then tries to find any domain controller in the specified domain. After a domain controller is found, an attempt is made to connect to it by using the credentials that are supplied. This attempt failed with error 0x52e (ERROR_LOGON_FAILURE). This indicates that the credentials that were supplied do not have sufficient access rights for connecting to the domain controller.
To investigate the problem of failing to find a domain controller, run an equivalent command from the command prompt to confirm the preceding analysis.
net use \\dcname\ipc$ /u:<domain\user> <password>
Note: You need to perform the net use if you failed to connect to the domain controller. If you failed to find the domain controller, you should perform nltest /dsgetdc: to try to locate the domain controller.
If this fails with the same error, a Network Monitor sniffer trace of the join operation would be helpful in diagnosing the failure.
If you receive the error Failure to create a computer account, it usually means that either the account already exists or that there are insufficient access rights available to the user who is trying to join. Table 10.8 shows the error codes that come under this category.
Table 10.8 "Failure to create a computer account" Error Codes
Description | Actual Error | Error Code |
Computer account usually exists already, and security on that account does not allow you to join usually because the computer was joined previously by using different computer account credentials. | ERROR_ACCESS_DENIED | 5 |
The user has joined so many computers that he has exceeded the default per user computer quota (by default, 10). | ERROR_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED | 8557 |
The specified user already exists. | ERROR_USER_EXISTS | 2224 |
The following example indicates an access denied error.
08/11 14:08:30 NetpManageMachineAccountWithSid: NetUserAdd on \\DC9 for A-ERINCO-TBCB$ failed: 0x5
The following example indicates there is no error.
08/11 14:08:30 NetpManageMachineAccountWithSid: NetUserAdd on \\DC9 for A-ERINCO-TBCB$ failed: 0x8b0
08/11 14:08:30 NetpManageMachineAccountWithSid: status of attempting to set password on \\DC9 for A-ERINCO-TBCB$: 0x0
This is not an error because the NetUserAdd operation fails with 0x8b0 (NERR_UserExists), which indicates that the computer account already exists on that domain controller.
Note: Failure usually occurs when the account already exists. Error 5 occurs if the user does not have access on the account, in which case an attempt is made to set a new password on the account that succeeds.
To investigate further, you have to acquire the security descriptor and view the permissions on the computer account object. You can use either the Active Directory User and Computers MMC console or the Ldp tool.
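The following is an added example, not part of the original article and not Microsoft or Quest code: a Python parser for the Netsetup.log line format described above. It names the status codes from Tables 10.6 to 10.8 and separates the step that produced the final NetpDoDomainJoin status from earlier errors that the join process recovered from. The function names (parse, triage) and the rule that a trailing "flags:" value is not a status code are assumptions of this example.

```python
import re
# Decimal status codes from Tables 10.6-10.8 and the 0x8b0 note on this page.
KNOWN = {
    5: "ERROR_ACCESS_DENIED", 1311: "ERROR_NO_LOGON_SERVERS",
    1326: "ERROR_LOGON_FAILURE", 1355: "ERROR_NO_SUCH_DOMAIN",
    1398: "ERROR_TIME_SKEW", 2224: "NERR_UserExists",
    8557: "ERROR_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED",
}
STAMP = re.compile(r"^\d\d/\d\d \d\d:\d\d:\d\d ")
# <time-stamp> <function-name>: <description>: <hex status>. A trailing
# "flags: 0x..." value belongs to the description and is not a status code.
LINE = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d) (\w+): *(.*?)"
                  r"(?:(?<!flags): (0x[0-9a-fA-F]+))?$")

def parse(text):
    """Return (time, function, description, status|None); off-format lines are skipped."""
    joined = []
    for raw in text.splitlines():
        raw = raw.strip()
        if raw and (STAMP.match(raw) or not joined):
            joined.append(raw)
        elif raw:  # wrapped line: fold it into the previous entry
            joined[-1] += " " + raw
    return [(m[1], m[2], m[3], int(m[4], 16) if m[4] else None)
            for m in map(LINE.match, joined) if m]

def name(code):
    return "success" if code == 0 else KNOWN.get(code, hex(code))

def triage(text):
    """Split the step that produced the join result from earlier, non-fatal errors."""
    recs = parse(text)
    final = next((r[3] for r in reversed(recs)
                  if r[1] == "NetpDoDomainJoin" and r[3] is not None), None)
    failed = [r for r in recs if r[3] and r[1] != "NetpDoDomainJoin"]
    origin = next((r for r in failed if r[3] == final), None)
    return {
        "result": None if final is None else name(final),
        "failing_step": origin and (origin[1], origin[2]),
        "intermediate": [(r[1], name(r[3])) for r in failed if r[3] != final],
    }

# Sample input: the failed-connection example from this page.
SAMPLE = r"""07/20 14:47:34 NetpDsGetDcName: trying to find DC in domain reskit, flags: 0x1020
07/20 14:47:50 NetpDsGetDcName:
failed to find a DC having account TO_A$: 0x525
07/20 14:47:50 NetpDsGetDcName: found DC \\reskit in the specified domain
07/20 14:47:50 NetUseAdd to \\reskit\IPC$ returned 1326
07/20 14:47:50 NetpJoinDomain: status of connecting to dc \\reskit: 0x52e
07/20 14:47:50 NetpDoDomainJoin: status: 0x52e"""
```

Calling triage(SAMPLE) reports ERROR_LOGON_FAILURE at the NetpJoinDomain connection step and lists the earlier 0x525 from NetpDsGetDcName as intermediate, matching the analysis in the text.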