Solved

Domain Migration Woes

Posted on 2008-10-17
24
8,095 Views
Last Modified: 2012-06-27
We are doing a domain migration from a 2003 AD domain to a 2008/2003 domain. When I migrate over the users and their passwords everything works fine, but when I try to migrate over the computers I get the following errors.

ERR3:7075 Failed to change domain affiliation, hr=800704f1   The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.

I have also followed this to a T - http://www.petri.co.il/forums/showthread.php?t=26101

any help?
Question by:Wincit
24 Comments
 
LVL 1

Assisted Solution

by:panikfan1
panikfan1 earned 20 total points
ID: 22740835
What type of migration?  Inter or intra-forest?
Sounds like either a DNS or domain trust problem.
0
 
LVL 1

Author Comment

by:Wincit
ID: 22740876
Internal; the two domain controllers are sitting right next to each other.
first domain is winchester.com
the second domain is winchesterva.gov
I want to migrate winchester.com into winchesterva.gov.
0
 
LVL 1

Author Comment

by:Wincit
ID: 22740888
I have checked and rechecked DNS and NSLOOKUP; they can all see the domains and ping everything. I have removed and recreated the trust and it was created successfully (spelling).
0
 
LVL 1

Author Comment

by:Wincit
ID: 22740904
0
 
LVL 4

Assisted Solution

by:ckozloski
ckozloski earned 160 total points
ID: 22740952
If they are different domains, make sure that you have cross-domain admin rights for the account you are using to authenticate for the migration.
0
 
LVL 1

Author Comment

by:Wincit
ID: 22740990
In winchester.com I have placed the admin for winchesterva.gov into the builtin\admins group and vice versa.
 
For extra measure I have also done this with Domain Admins as well.
0
 
LVL 4

Assisted Solution

by:ckozloski
ckozloski earned 160 total points
ID: 22741086
If you are using ADMT to do the migration, I know I have had issues with that in the past as well. The computer accounts don't seem to move over as easily as the users and groups do.
Check your DNS also and make sure that you have secondary zones for each of the domains on your DNS server so that lookups can be accomplished for each respective domain.
0
 
LVL 1

Author Comment

by:Wincit
ID: 22741177
As stated earlier, both DNS servers have a secondary zone of each other. winchester.com has a secondary zone of winchesterva.gov and vice versa. I can ping the domain names from each domain, and I did NSLOOKUP as the document said:
nslookup
set all
winchester.com - shows all the IP addresses correctly
winchesterva.gov - shows all the IP addresses correctly
(same for both domains)
0
 
LVL 1

Author Comment

by:Wincit
ID: 22741215
I do apologize, the winchester.com nslookup changed on me. It is not showing the correct information; how do I change this information?
0
 
LVL 4

Assisted Solution

by:ckozloski
ckozloski earned 160 total points
ID: 22741245
What do you mean it changed on you?
0
 
LVL 1

Author Comment

by:Wincit
ID: 22741271
Either I typed the command wrong and it displayed what I thought it should be displaying, or the information changed in it.
 
When I do a NSLOOKUP and do the following:
set all
winchesterva.gov - it's showing me that the IP address for winchesterva.gov is 208.69.32.*** when it should be 10.65.0.63 (internal). How do I change that?
0
 
LVL 4

Assisted Solution

by:ckozloski
ckozloski earned 160 total points
ID: 22741354
If you have two NICs you can go into the settings on each NIC and make sure your public one is not registering that connection in DNS.
You will also have to go into your DNS server and change the zone record for that server to point to the private IP instead of the public.
0
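A quick way to catch the problem ckozloski describes (a public address registered for an internal domain name) before attempting a migration is to resolve each domain name and flag any answer that is not in a private range. The following PowerShell is an added example, not code from this thread or from any of the posters; it uses the two domain names from the thread and the RFC 1918 blocks, and assumes it is run from a machine whose DNS client points at the domain's own DNS servers.

```powershell
# Added example (not from this thread): resolve each domain name and report
# whether every IPv4 answer is an internal (RFC 1918) address. A public answer
# for a domain name that clients use to find DCs is exactly the symptom the
# thread ran into and usually means a NIC registered its public address.

function Test-PrivateIPv4 {
    param([Parameter(Mandatory)][System.Net.IPAddress]$Address)
    $b = $Address.GetAddressBytes()
    # 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
    ($b[0] -eq 10) -or
    ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
    ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Get-DomainResolutionReport {
    param([string[]]$DomainNames)
    foreach ($name in $DomainNames) {
        # Uses the local resolver, so it sees exactly what domain clients see.
        $addrs = [System.Net.Dns]::GetHostAddresses($name) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' }
        foreach ($a in $addrs) {
            [pscustomobject]@{
                Domain   = $name
                Address  = $a.IPAddressToString
                Internal = Test-PrivateIPv4 -Address $a
            }
        }
    }
}

# Domain names taken from the thread; run against both sides of the trust.
$report = Get-DomainResolutionReport -DomainNames 'winchester.com', 'winchesterva.gov'
$report | Format-Table -AutoSize

# Anything public here needs the NIC's "Register this connection's addresses
# in DNS" setting reviewed and the stale A record in the zone corrected.
$report | Where-Object { -not $_.Internal } |
    ForEach-Object { Write-Warning "$($_.Domain) resolves to public address $($_.Address)" }
```

Run it on a DC in each domain as well as on the workstation being migrated; if the results differ between hosts, the mismatch points at which DNS server still holds the stale record.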
 
LVL 1

Author Comment

by:Wincit
ID: 22741498
The DNS records are correct; I can't figure out where it's getting that 208 number. I have a winchesterva.gov secondary zone and it's acting like it's not reading from it. Argghh!! I hate DNS :(
0
 
LVL 4

Assisted Solution

by:ckozloski
ckozloski earned 160 total points
ID: 22741527
Do you have winchesterva.gov dual-IP'd?
If so, the secondary IP on the same NIC will register in DNS.
0
 
LVL 1

Author Comment

by:Wincit
ID: 22741914
Took me a while, but nslookup is showing the correct information; however, I still get the error in the domain migration.
0
 
LVL 1

Author Comment

by:Wincit
ID: 22741920
winchesterva.gov is not dual.
0
 
LVL 4

Assisted Solution

by:ckozloski
ckozloski earned 160 total points
ID: 22742012
0
 
LVL 1

Author Comment

by:Wincit
ID: 22742097

< 1. I can migrate users without a hitch but after they log in the SID History thing does not work so they cannot access any of the shares or applications they would normally have access to >
 
To let migrated users still access their original resources on source domain, we need to disable security identifier (SID) filter quarantining for an external trust by using the Netdom.exe tool.
 
To disable SID filter quarantining:
To disable SID filter quarantining for the trusting domain, open a Command Prompt.
Type the following command, and then press ENTER:
Netdom trust TrustingDomainName /domain:TrustedDomainName /quarantine:No /userD:domainadministratorAcct /passwordD:domainadminpwd
 
More information, please visit:
 
Disable SID filter quarantining
http://technet.microsoft.com/en-us/library/cc772816.aspx
 
 
I already did this.
 

< I can't use ADMT to migrate workstations. >
 
Please check if you have disabled the firewall on the client PC. If so, please explicitly add the user account that you use to migrate the workstation to the local Administrators group and test the result.
 
I already did this; I have put the winchesterva.gov admin into local admins and made sure the firewall was off.
0
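The two things the quoted advice and the later comments turn on are whether SID filtering is still active on the trust and whether the migrated accounts actually received a sIDHistory entry from the source domain. The PowerShell below is an added example, not from this thread or from any of the posters; it uses the thread's domain names, assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT) is available, and assumes a placeholder OU where ADMT placed the migrated users.

```powershell
# Added example (not from this thread): audit the trust and the migrated
# accounts that SID History access depends on. Run in the target (trusting)
# domain with domain admin rights.

$TargetDomain = 'winchesterva.gov'   # trusting domain, migration target (from thread)
$SourceDomain = 'winchester.com'     # trusted domain, migration source (from thread)
$MigratedOU   = 'OU=Migrated,DC=winchesterva,DC=gov'   # placeholder, assumed

# 1. Report the current quarantine (SID filtering) state on the trust.
#    With no value after /quarantine, netdom only displays the setting.
#    Note this reads the setting in the trusting domain only.
netdom trust $TargetDomain /domain:$SourceDomain /quarantine

Import-Module ActiveDirectory

# 2. Every SID in sIDHistory should be prefixed with the source domain's SID;
#    a migrated user with no such entry will get a new profile and lose
#    access to source-domain resources, which is the symptom in the thread.
$SourceDomainSid = (Get-ADDomain -Server $SourceDomain).DomainSID.Value

function Get-SidHistoryReport {
    param([string]$SearchBase, [string]$Server, [string]$SourceSid)
    Get-ADUser -Filter * -SearchBase $SearchBase -Server $Server -Properties sIDHistory |
        ForEach-Object {
            $fromSource = @($_.sIDHistory | Where-Object { $_.Value -like "$SourceSid-*" })
            [pscustomobject]@{
                User                = $_.SamAccountName
                SourceSidsInHistory = $fromSource.Count
                Migrated            = ($fromSource.Count -gt 0)
            }
        }
}

$report = Get-SidHistoryReport -SearchBase $MigratedOU -Server $TargetDomain -SourceSid $SourceDomainSid
$report | Format-Table -AutoSize

# Accounts ADMT copied without "Migrate user SIDs to target domain" show up here.
$report | Where-Object { -not $_.Migrated } |
    ForEach-Object { Write-Warning "$($_.User) has no sIDHistory from $SourceDomain" }
```

If netdom reports that SID filtering is enabled, the sIDHistory entries are silently stripped from the user's token at logon even though they are present on the account, so both checks need to pass. Keep in mind that SID filtering exists to stop a compromised trusted domain from injecting privileged SIDs, so re-enable it once the migration is complete and the source resources have been re-ACLed.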
 
LVL 1

Author Comment

by:Wincit
ID: 22742108
Try enabling the use of NT4 compatible encryption algorithms on the 2008 domain controller policy.  I had to do this in my 2003 -> 2008 migration to get things to work.

http://support.microsoft.com/kb/942564

Trying this right now and it did not help.
0
 
LVL 1

Author Comment

by:Wincit
ID: 22742124
From the target domain I can ping the test machine I'm trying to bring over, and I can also get into the admin share without any problems (it does not prompt me).
0
 
LVL 4

Assisted Solution

by:ckozloski
ckozloski earned 160 total points
ID: 22742256
0
 
LVL 1

Author Comment

by:Wincit
ID: 22742921
It seems that now the computer is doing everything; it even reboots automatically. But when I log in it's still giving me a new profile.
 
I had already read that post; it didn't work for me.
0
 
LVL 4

Assisted Solution

by:ckozloski
ckozloski earned 160 total points
ID: 22743091
It will give you a new user profile because you aren't migrating the SIDs over for the user accounts that you are migrating.
In order for the profile to stay the same, the user SID has to be migrated with the account.
0
 
LVL 1

Accepted Solution

by:Wincit
Wincit earned 0 total points
ID: 22743120
I selected to migrate over SIDs for users and groups. I have used netdom to stop SID quarantine... what else do I have to do?
0
