Monday, May 10, 2010

ADMT: Failed to change domain affiliation, hr=800704f1 The system detected a possible attempt to compromise security.

We have been testing migrations from several domains into our main domain and ran into the following error when we tried to migrate computer accounts:

ERR3:7075 Failed to change domain affiliation, hr=800704f1 The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.

This error does not affect moving groups or users. While searching for a resolution, we found many people recommending KB article 942564 (http://support.microsoft.com/kb/942564), which resolves the issue by adjusting the cryptography algorithms to be compatible with Windows NT 4.0.

Looking deeper into that solution, we decided that all we were really doing was lowering the level of security on our domain, and we wanted to avoid that.

Fortunately, we read a little further down and discovered KB article 944043 (http://support.microsoft.com/kb/944043/), which talks about the domain having 2008 Read-Only Domain Controllers. We do not have any, so I overlooked that solution.

Further research showed that KB 944043 should be used any time your domain is PREPARED for a 2008 RODC. The solution was presented here: http://blogs.technet.com/askds/archive/2009/10/19/admt-rodc-s-and-error-800704f1.aspx

So if you want to keep your 2008 domain at a higher level of security and bring in those computers from another domain, check out KB 944043, grab those patches and see if it resolves the issue for you!
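A pre-migration check for the two KB articles above, as an added example that is not part of the original post: it reports whether the NT 4.0 crypto workaround is switched on for a domain controller and which computers to be migrated still lack the KB 944043 patch. The function names are hypothetical, and the `AllowNT4Crypto` value name, its registry paths, and the hotfix ID prefix are assumptions not stated in the post.

```powershell
# Added example, not from the original post. Function names are hypothetical.

function Get-NT4CryptoState {
    # Run locally on a domain controller of the target 2008 domain.
    # Assumption: the KB 942564 setting is stored as the DWORD AllowNT4Crypto,
    # either under the policy key (set by GPO) or the Netlogon service key.
    $paths = 'HKLM:\SOFTWARE\Policies\Microsoft\Netlogon\Parameters',
             'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name AllowNT4Crypto `
                  -ErrorAction SilentlyContinue).AllowNT4Crypto
        New-Object psobject -Property @{
            Path           = $p
            AllowNT4Crypto = $v            # $null means the value is not set
            Weakened       = ($v -eq 1)    # 1 = NT 4.0-compatible crypto allowed
        }
    }
}

function Test-Kb944043 {
    # Checks each computer to be migrated for the KB 944043 patch.
    param([Parameter(Mandatory = $true)][string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        try {
            # List all hotfixes, then filter: an empty result then means
            # "missing", while a query failure lands in the catch block.
            $qfe = Get-HotFix -ComputerName $c -ErrorAction Stop
            # Assumption: the patch reports an ID starting with KB944043
            # (older clients may append a revision suffix).
            $hit = $qfe | Where-Object { $_.HotFixID -like 'KB944043*' }
            $status = if ($hit) { 'Installed' } else { 'Missing' }
        }
        catch {
            $status = "Query failed: $($_.Exception.Message)"
        }
        New-Object psobject -Property @{ Computer = $c; KB944043 = $status }
    }
}

# Usage (the computer names are constructed placeholders):
#   Get-NT4CryptoState | Format-Table Path, AllowNT4Crypto, Weakened -AutoSize
#   Test-Kb944043 -ComputerName 'PC-EXAMPLE-01','PC-EXAMPLE-02' | Format-Table -AutoSize
```

A `Missing` result only matters on operating systems that KB 944043 is published for; `Weakened = True` on the domain controller means the lower-security workaround is in effect.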

3 comments:

Unknown said...

Another nice MS feature. Thanks for the prompt, it was really bugging me how XP SP3 machines would not migrate to our new 2008 Domain.

Likewise we are not implementing RODCs but it would appear XP needs to know about them as you say.

Running this patch on all machines and they migrate perfectly.

Virtual-TSM said...

This is Toufique> Hey Charles . . thanks for listing it here. You saved my precious time and effort . . I have been struggling with this weird error for days.

Good, now we will move with our Domain migration.

Virtual-TSM said...

I think there was nothing left unchecked . . DC, DNS, DHCP, Client / server host file, Permissions . . . and the stupid thing is the agent operation log file was getting cleared from my client.

Nor does Microsoft provide clear answers to it. . .