Context:
- Windows Server 2003 x64:
- On a VMware ESX 3
- member of a domain
- has as primary DNS server the PDC, can see it (ping et al)
- can access a shared folder (even a shared folder on the PDC) using credentials from the domain when logged on as a local admin
Problem:
- logging on the machine with the same domain credentials gets me an invalid user/password error.
I'm at a loss about where to start debugging this.
Any clues?
UPDATE:
I checked the PDC logs and I get:
The session setup from computer 'VM' failed because the security database does not contain a trust account 'VM$' referenced by the specified computer.
USER ACTION If this is the first occurrence of this event for the specified computer and account, this may be a transient issue that doesn't require any action at this time. Otherwise, the following steps may be taken to resolve this problem:
If 'VM$' is a legitimate machine account for the computer 'VM', then 'VM' should be rejoined to the domain.
If 'VM$' is a legitimate interdomain trust account, then the trust should be recreated.
So the actions to take now are clear. What's not clear to me is the cause for that and how to prevent further occurrences of it.
UPDATE 2: Yes, it is a clone, but I already had proceeded to part from and rejoin the domain.
Did you roll back to a prior snapshot on the VM in question? It sounds kind of like the error you get when you do that.
See this answer for the solution if this is what you did.
If it's a clone as you say then you really need to run sysprep on it; just unjoining and rejoining the domain isn't enough to fix the SID issue AFAIK.
There are VMware docs that explain where to put the sysprep binaries on the VC server so that when you clone a VM the cloning process can automatically run a sysprep on the new VM for you. Unfortunately the docs could be better at explaining exactly what to do; this link explains somewhat better.
Check the time on your member server. If it is more than 5 minutes out with respect to the Domain Controller(s), AD authentication will fail (Kerberos relies on the time to be in sync between the client and the server).
Did you clone this server from another VM that was already joined to the domain? If so, you will need to disjoin and rejoin to get a new SID for the computer account.
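The event text quoted in the question says a first occurrence may be transient, while repeats call for rejoining the machine or recreating the trust. As an added example (not part of the original thread), the Python below counts those failures per trust account in an exported domain controller log; the tab-separated "timestamp, message" layout, the function names and the sample lines are constructed assumptions.

```python
import re
from datetime import datetime

# Message wording as quoted in the question; only the two names vary.
TRUST_FAIL = re.compile(
    r"The session setup from computer '(?P<computer>[^']+)' failed because the "
    r"security database does not contain a trust account '(?P<account>[^']+)'"
)

MSG = ("The session setup from computer '{0}' failed because the security database "
       "does not contain a trust account '{0}$' referenced by the specified computer.")

# Constructed sample export: one "ISO timestamp<TAB>message" record per line.
SAMPLE_LOG = "\n".join([
    "2009-06-01T09:14:02\t" + MSG.format("VM"),
    "2009-06-01T09:20:41\tUnrelated event text (constructed)",
    "2009-06-01T11:02:17\t" + MSG.format("VM"),
    "2009-06-02T08:00:05\t" + MSG.format("TESTBOX"),
    "2009-06-03T08:31:50\t" + MSG.format("VM"),
    "not-a-timestamp\t" + MSG.format("VM"),  # malformed record, skipped
])

def trust_failures(log_text):
    """Return {account: {computer, count, first, last}} for trust-account failures."""
    seen = {}
    for line in log_text.splitlines():
        stamp, _, message = line.partition("\t")
        match = TRUST_FAIL.search(message)
        if not match:
            continue
        try:
            when = datetime.fromisoformat(stamp)
        except ValueError:
            continue  # ignore records whose timestamp cannot be parsed
        entry = seen.setdefault(match.group("account"), {
            "computer": match.group("computer"), "count": 0,
            "first": when, "last": when})
        entry["count"] += 1
        entry["first"] = min(entry["first"], when)
        entry["last"] = max(entry["last"], when)
    return seen

def repeat_offenders(log_text, min_count=2):
    """Accounts seen at least min_count times, i.e. not a one-off transient failure."""
    return sorted(acct for acct, e in trust_failures(log_text).items()
                  if e["count"] >= min_count)

if __name__ == "__main__":
    for acct in repeat_offenders(SAMPLE_LOG):
        e = trust_failures(SAMPLE_LOG)[acct]
        print(acct, e["computer"], e["count"], e["first"], e["last"])
```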