We’re using ADMT (Active Directory Migration Tool 3.2) these days as part of a restructuring exercise from a multi-domain forest to many single-domain forests. That requires migrating users and groups, but also computers, from one forest to another (verified two-way external trusts are in place). One issue we saw while migrating computers was that the migration failed with the error message:

“The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you”

We had Windows 2008 R2 Domain Controllers in both the source and target domains, which, if you remember, switch off older cryptography algorithms when they are promoted to domain controllers. For backward compatibility, ADMT uses older mechanisms to migrate computers and consequently fails when it tries to create a secure channel to modify domain membership. To be more specific, the NetJoinDomain function is used together with the NETSETUP_JOIN_UNSECURE option, which is rejected by the domain controllers in question. This behaviour is by design and is documented here.

You might be able to use NetDOM or third-party tools to migrate computers, but if you prefer using ADMT, the fix is to modify the “Default Domain Controllers Policy”. Go to “Computer Configuration” -> Policies -> Administrative Templates -> System -> Net Logon. Double-click “Allow cryptography algorithms compatible with Windows NT 4.0” and set it to “Enabled”.

Please note that if you still have Windows 2003 (or 2000) based domain controllers in your environment, you may get intermittent results, because those domain controllers don’t have this policy and therefore allow these functions to continue. So, if your ADMT is not pointing to a specific domain controller, it might intermittently try those domain controllers, in which case the domain join function will succeed, complicating matters further!

Needless to say, there is a reason why the older cryptography algorithms are disabled, so once you’ve completed your migration, remember to set the policy to “Disabled”.
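A check to run before and after the migration, as an added example that is not part of the original post: it lists every domain controller with its operating system and the state of the NT 4.0 crypto compatibility setting, so you can see which DCs still accept the older algorithms. It assumes the ActiveDirectory PowerShell module, the Remote Registry service running on the DCs, and that the policy is stored as the `AllowNT4Crypto` DWORD under the two Netlogon registry keys shown.

```powershell
# Added example: audit the NT 4.0 crypto compatibility setting on every DC.
# Assumption: the policy is stored as the AllowNT4Crypto DWORD under these keys.
Import-Module ActiveDirectory

$keys = @(
    'SOFTWARE\Policies\Microsoft\Netlogon\Parameters',       # written by Group Policy
    'SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'  # set locally on the DC
)

function Get-NT4CryptoState {
    param([string]$ComputerName)
    try {
        # Uses the Remote Registry service, so WinRM is not required.
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    } catch {
        return 'Unreachable'
    }
    try {
        foreach ($path in $keys) {
            $key = $hklm.OpenSubKey($path)
            if ($key) {
                $value = $key.GetValue('AllowNT4Crypto')
                $key.Close()
                if ($null -ne $value) {
                    # The policy key is checked first, so it wins over the local value.
                    if ($value -eq 1) { return 'Enabled' } else { return 'Disabled' }
                }
            }
        }
        # No value set: 2008 and later DCs reject the old algorithms,
        # while 2003/2000 DCs have no such policy and accept them.
        return 'NotConfigured'
    } finally {
        $hklm.Close()
    }
}

Get-ADDomainController -Filter * | ForEach-Object {
    New-Object PSObject -Property @{
        DomainController = $_.HostName
        OperatingSystem  = $_.OperatingSystem
        AllowNT4Crypto   = Get-NT4CryptoState -ComputerName $_.HostName
    }
} | Sort-Object DomainController |
    Format-Table DomainController, OperatingSystem, AllowNT4Crypto -AutoSize
```

After the migration, any Windows 2008 or later DC still reporting `Enabled` has not yet picked up the reverted policy.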

Hope this helps!