ADMT moving computers access is denied


Good afternoon,

I'm trying to figure out how to move computers from forest A to forest B. I can move user accounts and groups fine. The computer account gets created, but when the agent tries to run I get an error:

local machine
    computer:   win7basecae.*domain name* (win7basecae)
        domain:     *domain name* (*domain name*)
        os:         windows 7 enterprise 6.1 (7601) service pack 1
2012-08-25 13:53:35 err3:7075 failed change domain affiliation, hr=80070005   access denied.
2012-08-25 13:53:35 wrote result file c:\windows\onepointdomainagent\000024_win7basecae.result
2012-08-25 13:53:35 operation completed.

I'm pretty sure DNS is configured correctly; I have secondary zones set up for each corresponding domain. I think the problem lies somewhere in the access rights between the source and destination domain. I've read the book and I'm still a little confused. Can anyone point me in the right direction?

I have a domain admin account in both the source and destination, and I have added the domain admins group to the local administrators group on each DC for each other's domain admin group.

Thanks for any help,

Tim

I have figured out the problem.

I had a GP setting modified on the target domain. Setting it to Off (the default behavior) fixed the problem.

Microsoft network server: Server SPN target name validation level

This policy setting controls the level of validation that a computer with shared folders or printers (the server) performs on the service principal name (SPN) provided by the client computer when it establishes a session using the Server Message Block (SMB) protocol.

The Server Message Block (SMB) protocol provides the basis for file and print sharing and other networking operations, such as remote Windows administration. The SMB protocol supports validating the SMB server service principal name (SPN) within the authentication blob provided by an SMB client to prevent a class of attacks against SMB servers referred to as SMB relay attacks. This setting will affect both SMB1 and SMB2.

This security setting determines the level of validation an SMB server performs on the service principal name (SPN) provided by the SMB client when trying to establish a session to an SMB server.

The options are:

Off – the SPN is not required or validated by the SMB server from an SMB client.

Accept if provided by client – the SMB server will accept and validate the SPN provided by the SMB client and allow a session to be established if it matches the SMB server’s list of SPN’s for itself. If the SPN does not match, the session request for that SMB client will be denied.

Required from client - the SMB client must send an SPN name in session setup, and the SPN name provided must match the SMB server that is being requested to establish a connection. If no SPN is provided by the client, or the SPN provided does not match, the session is denied.

Default: Off

Windows operating systems support both a client-side SMB component and a server-side SMB component. This setting affects the server SMB behavior, and its implementation should be evaluated and tested to prevent disruptions to file and print serving capabilities. Additional information on implementing and using this to secure your SMB servers can be found at the Microsoft website (http://go.microsoft.com/fwlink/?linkid=144505).
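An added example, not part of the original post: a PowerShell check that reports the effective level of this policy on the machines involved in a migration, so a non-default value can be spotted before the ADMT agent is dispatched. It assumes the policy is stored in the registry value SmbServerNameHardeningLevel under the LanmanServer parameters key (this name comes from Microsoft's documentation of the setting, not from the thread), and that the Remote Registry service is reachable on remote machines; the function name is hypothetical.

```powershell
# Added example: read the value that "Microsoft network server: Server SPN
# target name validation level" writes, locally or on remote machines.
function Get-SpnValidationLevel {
    [CmdletBinding()]
    param(
        # Machines to inspect; defaults to the local computer.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    # Assumption: registry location of the policy, per Microsoft's documentation.
    $key    = 'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $name   = 'SmbServerNameHardeningLevel'
    $labels = @{ 0 = 'Off'; 1 = 'Accept if provided by client'; 2 = 'Required from client' }

    foreach ($computer in $ComputerName) {
        $hive = $null; $sub = $null
        try {
            # An empty machine name opens the local registry without Remote Registry.
            $target = if ($computer -eq $env:COMPUTERNAME) { '' } else { $computer }
            $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $target)
            $sub = $hive.OpenSubKey($key)
            $raw = if ($sub) { $sub.GetValue($name, $null) } else { $null }

            # A missing value means the policy default, Off.
            $level = if ($null -eq $raw) { 0 } else { [int]$raw }
            [pscustomobject]@{
                ComputerName = $computer
                Level        = $level
                Setting      = $labels[$level]
                Explicit     = ($null -ne $raw)   # set by policy or by hand
                ValidatesSpn = ($level -ne 0)     # server checks the client's SPN
            }
        }
        catch {
            # Unreachable host or access denied: report it instead of stopping.
            [pscustomobject]@{
                ComputerName = $computer; Level = $null
                Setting      = "unreadable: $($_.Exception.Message)"
                Explicit     = $false; ValidatesSpn = $null
            }
        }
        finally {
            if ($sub)  { $sub.Close() }
            if ($hive) { $hive.Close() }
        }
    }
}

Get-SpnValidationLevel | Format-Table -AutoSize
```

Running `gpresult /h report.html` on a machine that shows an explicit value identifies which GPO applies it.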


