ADMT - NTLM authentication has been disabled

Published on 03 Feb 2025

Bastien Perez

The error

During a computer migration with ADMT (Active Directory Migration Tool), you may encounter the following error in the error log file:

ERR3:7075 Failed to change domain affiliation, hr=80070791 Authentication failed because NTLM authentication has been disabled.

If you check the System log on the computer, you'll see an EventID 4097 - Net join:

The machine CLTADMT01 attempted to join the domain <domainname>\<computername>.<domain> but failed. The error code was 1937.

The Microsoft documentation lists this code as:

ERROR_NTLM_BLOCKED
1937 (0x791)
Authentication failed because NTLM authentication has been disabled.
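
The hr value in the ADMT log and the error code in the event are the same Win32 error: 80070791 is an HRESULT that wraps code 0x791 (1937). The following is an added example, not part of the original post, that decodes the HRESULT and flags both log entries; the function names, the second sample line in each list and the machine name CLTADMT02 are assumptions made for illustration.

```python
import re

FACILITY_WIN32 = 7
# Only 1937 comes from the article; extend the table as needed.
WIN32_NAMES = {1937: "ERROR_NTLM_BLOCKED"}

HR_RE = re.compile(r"\bhr=([0-9A-Fa-f]{8})\b")
NETJOIN_RE = re.compile(
    r"The machine (\S+) attempted to join the domain .+? but failed\. "
    r"The error code was (\d+)\."
)

def decode_hresult(hr_hex):
    """Split a 32-bit HRESULT into (failure bit, facility, code)."""
    value = int(hr_hex, 16)
    return bool(value >> 31), (value >> 16) & 0x7FF, value & 0xFFFF

def win32_from_hresult(hr_hex):
    """Return the wrapped Win32 error code, or None for other HRESULTs."""
    failed, facility, code = decode_hresult(hr_hex)
    return code if failed and facility == FACILITY_WIN32 else None

def find_ntlm_blocked(admt_lines, netjoin_messages):
    """Report every log entry that resolves to a code in WIN32_NAMES."""
    findings = []
    for line in admt_lines:
        match = HR_RE.search(line)
        code = win32_from_hresult(match.group(1)) if match else None
        if code in WIN32_NAMES:
            findings.append(("ADMT log", match.group(1), code, WIN32_NAMES[code]))
    for message in netjoin_messages:
        match = NETJOIN_RE.search(message)
        if match and int(match.group(2)) in WIN32_NAMES:
            code = int(match.group(2))
            findings.append(("Event 4097", match.group(1), code, WIN32_NAMES[code]))
    return findings

# Sample input: the first line of each list is quoted from the article,
# the second line is constructed (hypothetical) to show a non-match.
ADMT_LOG = [
    "ERR3:7075 Failed to change domain affiliation, hr=80070791 Authentication failed because NTLM authentication has been disabled.",
    "ERR3:7075 Failed to change domain affiliation, hr=80070005 Access is denied.",
]
NETJOIN_EVENTS = [
    "The machine CLTADMT01 attempted to join the domain <domainname>\\<computername>.<domain> but failed. The error code was 1937.",
    "The machine CLTADMT02 attempted to join the domain <domainname>\\<computername>.<domain> but failed. The error code was 5.",
]

if __name__ == "__main__":
    for source, subject, code, name in find_ntlm_blocked(ADMT_LOG, NETJOIN_EVENTS):
        print(f"{source}: {subject} -> Win32 {code} (0x{code:X}) {name}")
```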

The root cause and the 'fix'

ADMT uses NTLMv1, so if you block NTLMv1, you can't use ADMT anymore. There are two possible causes:

  • You disabled NTLMv1 via the registry or Group Policy => you need to re-enable it.
  • If you are using Windows 11 24H2 or Windows Server 2025 => I currently have no solution (if you have any further information, please share it in the comments). The worst part is that ADMT may not be starting with Windows 11 24H2. Indeed, starting with Windows 11 24H2 and Windows Server 2025, NTLMv1 is removed (https://learn.microsoft.com/en-us/windows/whats-new/removed-features). As far as I understand, NTLMv1 is removed only for a full installation. If you update from older versions of Windows 11, NTLMv1 is still enabled. Please note, I haven't tested this myself; I took this information from a Microsoft employee's comment in this Reddit post.
Comment by u/Forn1catorr from discussion in r/sysadmin
