1

On a new AD, I have joined a local computer (W2008 Server R2) to the domain.

After the reboot, I could not log in to the machine with the domain administrator account.

Using the local admin, the "Domain Admins" group is not shown in the 'Administrators' group.

If I do try to add the domain admins group to the local administrators group, I get the error: "Domain Admins" is already a member of the group "Administrator".

The machines are VM template based.

Saariko
    Never use a template or a clone without running Sysprep. I can't tell you the number of quirks I've run into because of the omission of running Sysprep. – joeqwerty Dec 13 '12 at 14:22

3 Answers

3

Your error description suggests you did not run sysprep /generalize for your template to ensure that a new SID is being generated for each created VM instance.

As in this case you would have a number of domain members with identical local SIDs, it would lead to a number of identification oddities in AD - including the "Domain Admin not Local Admin" phenomenon.

the-wabbit
    Ancient history, I was working with a lab environment and was thoroughly stuck... this post and psgetsid from sysinternals helped me find the issue here. I completely forgot I cloned the machine. – mgjk Jan 21 '20 at 11:22
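
One way to check a set of cloned VMs for the shared-SID condition described in the answer above, as an added example (not code from the answer or from Sysinternals): it derives each machine SID from a local account SID over WMI and reports hosts that share one. The hostnames are constructed placeholders, and the script assumes it runs from an account with remote WMI access to domain member machines (not domain controllers).

```powershell
# Added example. Hostnames are constructed placeholders; replace with your clones.
$computers = 'VM-APP01', 'VM-APP02', 'VM-APP03'

function Get-MachineSid {
    param([string]$ComputerName)
    # A local account SID has the form <machine SID>-<RID>. Dropping the
    # trailing RID leaves the machine SID, which sysprep /generalize regenerates.
    $account = Get-WmiObject -Class Win32_UserAccount -ComputerName $ComputerName `
        -Filter "LocalAccount=True" -ErrorAction Stop | Select-Object -First 1
    if (-not $account) { throw "No local accounts returned by $ComputerName" }
    $account.SID -replace '-\d+$', ''
}

# Collect one (Computer, MachineSid) record per host that answers.
$results = @(foreach ($c in $computers) {
    try {
        New-Object PSObject -Property @{
            Computer   = $c
            MachineSid = Get-MachineSid -ComputerName $c
        }
    } catch {
        Write-Warning "${c}: $($_.Exception.Message)"
    }
})

# Any machine SID that appears on more than one host points at an
# un-generalized template or clone.
$duplicates = @($results | Group-Object -Property MachineSid |
    Where-Object { $_.Count -gt 1 })

if ($duplicates.Count -gt 0) {
    foreach ($g in $duplicates) {
        $hosts = ($g.Group | ForEach-Object { $_.Computer }) -join ', '
        "Duplicate machine SID {0} on: {1}" -f $g.Name, $hosts
    }
} else {
    "No duplicate machine SIDs among the hosts that answered."
}
```

Hosts that fail the WMI query are reported as warnings and left out of the comparison, so a clean result only covers the machines that responded.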
0

I would suggest there are two immediate possibilities, either the server did not join the domain correctly or your template is incorrect.

Have you checked the event logs on the server and on the DCs to see if any errors have been produced?

Tubs
0

If you have more machines on the ESXi with the same SID, then you have the above behaviour. Run sysprep with the option generalize. That's the way I solved it.

Andre