Solved

Domain Migration Woes

Posted on 2008-10-17
Last Modified: 2012-06-27
We are doing a domain migration from a 2003 AD domain to a 2008/2003 domain. When I migrate over the users and their passwords, everything works fine. When I try to migrate over the computers, I get the following errors.

ERR3:7075 Failed to change domain affiliation, hr=800704f1   The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.

I have also followed this to a T - http://www.petri.co.il/forums/showthread.php?t=26101

any help?
Question by: Wincit

Assisted Solution by: panikfan1 (ID: 22740835)
What type of migration?  Inter or intra-forest?
Sounds like either a DNS or domain trust problem.
Author Comment by: Wincit (ID: 22740876)
Internal; the two domain controllers are sitting right next to each other.
First domain is winchester.com
Second domain is winchesterva.gov
I want to migrate winchester.com into winchesterva.gov
Author Comment by: Wincit (ID: 22740888)
I have checked and rechecked DNS and NSLOOKUP; they can all see the domains and ping everything. I have removed and recreated the trust and it was created successfully.
Author Comment by: Wincit (ID: 22740904)

Assisted Solution by: ckozloski (ID: 22740952)
If they are different domains, make sure that you have cross-domain admin rights for the account you are using to authenticate for the migration.
Author Comment by: Wincit (ID: 22740990)
In winchester.com I have placed the admin for winchesterva.gov into the BUILTIN\Admins group and vice versa.

For extra measure I have also done this with Domain Admins as well.
Assisted Solution by: ckozloski (ID: 22741086)
If you are using ADMT to do the migration, I know I have had issues with that in the past as well. The computer accounts don't seem to move over as easily as the users and groups do.
Check your DNS also and make sure that you have secondary zones for each of the domains on your DNS server so that lookups can be accomplished for each respective domain.
Author Comment by: Wincit (ID: 22741177)
As stated earlier, both DNS zones have a secondary zone of each other: winchester.com has a secondary zone of winchesterva.gov and vice versa. I can ping the domain names from each domain, and I did the NSLOOKUP as the document said.
nslookup
set all
winchester.com - shows all the ip address correctly
winchesterva.gov - shows all the ip address correctly
(same for both domains)
Author Comment by: Wincit (ID: 22741215)
I do apologize; the winchester.com nslookup changed on me. It is not showing the correct information. How do I change this information?
Assisted Solution by: ckozloski (ID: 22741245)
What do you mean it changed on you?
Author Comment by: Wincit (ID: 22741271)
Either I typed the command wrong and it displayed what I thought it should display, or the information in it changed.

When I do an NSLOOKUP and do the following:
set all
winchesterva.gov
it's showing me that the IP address for winchesterva.gov is 208.69.32.*** It should be 10.65.0.63 (internal). How do I change that?
Assisted Solution by: ckozloski (ID: 22741354)
If you have two NICs, you can go into the settings on each NIC and make sure your public one is not registering that connection in DNS.
You will also have to go into your DNS server and change the zone record for that server to point to the private IP instead of the public one.
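As an added example (not from this thread, ADMT, or any Microsoft tool), a small Python script that does two of the checks discussed above offline: it decodes the hr=800704f1 value from the ADMT error in the question into its Win32 error number (1265, ERROR_DOWNGRADE_DETECTED, whose message is the one quoted), and it parses an nslookup transcript in the shape Wincit and ckozloski describe, flagging any internal AD domain whose answer is a public address instead of the private address the secondary zone should serve. The transcript, the dc1.winchester.com server name and the 208.69.32.10 address are constructed sample data.

```python
import ipaddress
import re

# Constructed nslookup transcript shaped like the session described in the thread;
# the 208.69.32.10 answer is a made-up public address, not the poster's real record.
NSLOOKUP_OUTPUT = """\
> winchester.com
Server:  dc1.winchester.com
Address:  10.65.0.10
Name:    winchester.com
Addresses:  10.65.0.10, 10.65.0.11
> winchesterva.gov
Server:  dc1.winchester.com
Address:  10.65.0.10
Non-authoritative answer:
Name:    winchesterva.gov
Address:  208.69.32.10
"""
ADMT_ERROR = "ERR3:7075 Failed to change domain affiliation, hr=800704f1"  # from the question

def win32_code_from_hresult(text):
    """Pull hr=XXXXXXXX from an ADMT log line; if the HRESULT wraps a Win32 error
    (facility 7) return that Win32 error number, otherwise None."""
    m = re.search(r"hr=([0-9a-fA-F]{8})", text)
    if not m:
        return None
    hr = int(m.group(1), 16)
    return hr & 0xFFFF if ((hr >> 16) & 0x7FF) == 7 else None

def parse_answers(output):
    """Map each queried name to the addresses nslookup answered with; the
    Server:/Address: pair before each answer is the resolver, so it resets name."""
    answers, name = {}, None
    for line in output.splitlines():
        if line.startswith("Server:"):
            name = None
        elif line.startswith("Name:"):
            name = line.split(":", 1)[1].strip().lower()
            answers[name] = []
        elif name and line.startswith("Address"):
            addrs = line.split(":", 1)[1]
            answers[name] += [a.strip() for a in addrs.split(",") if a.strip()]
    return answers

def find_public_answers(answers):
    """{name: [public ips]} for internal AD names answered from a public zone
    instead of the DC's secondary zone (the 208.x symptom in the thread)."""
    return {n: [ip for ip in ips if not ipaddress.ip_address(ip).is_private]
            for n, ips in answers.items()
            if any(not ipaddress.ip_address(ip).is_private for ip in ips)}
```

Run the same parser over a real `nslookup` session saved to a file on each DC; any name that comes back flagged is being answered from outside the internal zones and should be fixed before retrying the computer migration.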
Author Comment by: Wincit (ID: 22741498)
ID: 22741498
The DNS records are correct; I can't figure out where it's getting that 208 number. I have a winchesterva.gov secondary zone and it's acting like it's not reading from it. Argghh!! I hate DNS :(
Assisted Solution by: ckozloski (ID: 22741527)
Do you have winchesterva.gov dual-IP'd?
If so, the secondary IP on the same NIC will register in DNS.
Author Comment by: Wincit (ID: 22741914)
Took me a while, but nslookup is showing the correct information; however, I still get the error in the domain migration.
Author Comment by: Wincit (ID: 22741920)
winchesterva.gov is not dual.
Assisted Solution by: ckozloski (ID: 22742012)

Author Comment by: Wincit (ID: 22742097)

< 1. I can migrate users without a hitch but after they log in the SID History thing does not work so they cannot access any of the shares or applications they would normally have access to>

To let migrated users still access their original resources on the source domain, we need to disable security identifier (SID) filter quarantining for an external trust by using the Netdom.exe tool.

To disable SID filter quarantining
To disable SID filter quarantining for the trusting domain, open a Command Prompt.
Type the following command, and then press ENTER:
Netdom trust TrustingDomainName /domain:TrustedDomainName /quarantine:No /userD:domainadministratorAcct /passwordD:domainadminpwd

For more information, please visit:

Disable SID filter quarantining
http://technet.microsoft.com/en-us/library/cc772816.aspx

I already did this.

< I can't use ADMT to migrate workstations.>

Please check if you have disabled the firewall on the client PC. If so, please explicitly add the user account that you use to migrate workstations to the local Administrators group and test the result.

I already did this; I have put the winchesterva.gov admin into local admins and made sure the firewall was off.
Author Comment by: Wincit (ID: 22742108)
Try enabling the use of NT4 compatible encryption algorithms on the 2008 domain controller policy.  I had to do this in my 2003 -> 2008 migration to get things to work.

http://support.microsoft.com/kb/942564

Trying this right now; it did not help.
Author Comment by: Wincit (ID: 22742124)
From the target domain I can ping the test machine I'm trying to bring over, and I can also get into the admin share without any problems (it does not prompt me).
Assisted Solution by: ckozloski (ID: 22742256)

Author Comment by: Wincit (ID: 22742921)
It seems that now the computer is doing everything; it even reboots automatically. But when I log in it's still giving me a new profile.

I had already read that post; it didn't work for me.
Assisted Solution by: ckozloski (ID: 22743091)
It will give you a new user profile because you aren't migrating the SIDs over for the user accounts that you are migrating.
In order for the profile to stay the same, the user SID has to be migrated with the account.
Accepted Solution by: Wincit (ID: 22743120)
I selected to migrate over SIDs for users and groups. I have used netdom to stop SID quarantine... what else do I have to do?