Heartstealer
Contributor

Domain Administrator does not have Admin rights on Windows 2003 Servers attached to the DC (VMware ESX 3.5 and VC 2.5)

Hey Guys,

I have created a Virtual Machine (on VMware ESX 3.5 using VC 2.5) installed with 2003 Server R2 updated to SP2, and converted it to a VM template. Using the same template, I created 3 (a, b & c) more boxes of the same configuration. I powered on all 3 of the boxes and used NewSID to generate a new SID on the b and c boxes. I promoted a to a Domain Controller as x.com and attached b and c to x.com as b.x.com and c.x.com (their FQDN is changed to this). I tried logging in to b and c with x\Administrator. However, I don't have any access rights ... I find it weird that I am not able to even change the Date and Time. I tried the same with a physical machine and it worked for me. What is it that I am doing wrong? Why is this not working in a virtualized environment?

Thanks in Advance.


Accepted Solutions
kjb007
Immortal

From your description, you ran NewSID after you were joined to the domain. This has now changed your SID, and your computer account is no longer valid in the domain, even though your machine account name matches the original object. Have you tried to log in to the machine using the original account you used to log in? Do you have the local admin password? If you do, you will need to use that and disjoin, and rejoin the domain.

-KjB

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB
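
As an added example (not part of kjb007's post or the thread), one way to check the member server's trust with the domain and then carry out the disjoin and rejoin described in the accepted answer. It assumes PowerShell 2.0 or later on the member server and a session logged on as the local Administrator; the `-Phase` parameter is a hypothetical name chosen here, and `XDOH.com` is the domain name given later in the thread.

```powershell
# Added example, not from the thread. Run on the member server (e.g. SQLN1)
# while logged on as the LOCAL Administrator, not a domain account.
# Assumption: PowerShell 2.0 or later is installed on the member server.
param(
    [ValidateSet('Check', 'Disjoin', 'Rejoin')]
    [string]$Phase = 'Check',          # hypothetical parameter name
    [string]$Domain = 'XDOH.com'       # domain name used in the thread
)

# Win32_ComputerSystem.Domain holds the domain name, or the workgroup
# name when the machine is not a domain member.
$cs = Get-WmiObject -Class Win32_ComputerSystem

switch ($Phase) {
    'Check' {
        if (-not $cs.PartOfDomain) {
            "Not a domain member (workgroup: $($cs.Domain)). Next: -Phase Rejoin"
            break
        }
        # Returns $true only when the machine account's secure channel
        # to the domain validates against a domain controller.
        if (Test-ComputerSecureChannel) {
            "Secure channel to $($cs.Domain) is valid."
        } else {
            "Secure channel to $($cs.Domain) is broken. Next: -Phase Disjoin"
        }
    }
    'Disjoin' {
        if (-not $cs.PartOfDomain) { "Already in a workgroup."; break }
        # Prompts for a domain account allowed to remove the computer,
        # moves the machine to a workgroup, then reboots.
        Remove-Computer -Credential (Get-Credential) -Force
        Restart-Computer -Force
    }
    'Rejoin' {
        if ($cs.PartOfDomain) { "Still joined to $($cs.Domain); disjoin first."; break }
        # Prompts for a domain account allowed to join computers, then reboots
        # so the new machine account and secure channel take effect.
        Add-Computer -DomainName $Domain -Credential (Get-Credential)
        Restart-Computer -Force
    }
}
```

Run `Check` first, then `Disjoin` and `Rejoin` as separate invocations, because the machine reboots between the two steps.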

7 Replies
COS
Expert

You didn't mention you changed their IP Addresses so I am going to assume you did.

One mistake most new ESX admins make is not correcting the time on the ESX server itself and setting a time server for it. This will usually transfer to your guest VM, of course. You probably should have made the correct time change before bringing up any of the cloned template machines as domain controllers.

Change the ESX host time first, then I would try bouncing each guest VM and at POST change the time in the BIOS. Of course it would be best to shut them all down first and bring them up one at a time and change the BIOS clock times.

Heartstealer
Contributor

Currently my ESX shows time is stopped... So I have started the clock on both ESX... Do you want me to restart the VMs after this? Will it sync the time and solve the issue, or will I have to recreate the VMs from the template? Or create the VMs from scratch? Thx a million COS for taking time to answer this.

COS
Expert

If you configured your guest OSes to synch to host (I can't remember exactly where this is done), theoretically they (the guest OSes) will synch to the ESX host. I would personally change each guest manually. If that doesn't work, redeploy your template, simply because domain controllers are very picky and stubborn.

Heartstealer
Contributor

Hello COS, I tried what you suggested. I went and updated the DC and the client manually and they both are showing me the same time now; even the seconds are matching. Still they don't work. I guess I will have to redeploy them from the template? I really do not understand what the problem is under the hood. I will give you a much clearer explanation, in case you can make something out from that.

I really appreciate you guys taking time in answering my questions and trying to find a resolution for my problem.

Let me tell you more clearly what I am doing:

Firstly, I have a VMware ESX Server 3.5 where I have created a Virtual Machine of Windows 2003 Enterprise format. I then installed Windows 2003 Enterprise, then updated to Windows 2003 Enterprise R2, and then installed SP2.

I converted that box into a template.

I deployed 4 machines from that template with the same config. Names: first: PDC, second: ClusterHost, then 3rd and 4th: SQLN1 and SQLN2.

I promoted PDC to a domain controller XDOH.com so it became PDC.XDOH.com

I promoted ClusterHost to an additional domain controller for XDOH.com so it became ClusterHost.XDOH.com

Then I added SQLN1 and SQLN2 as member servers to XDOH.com by going to system properties --> domain membership to XDOH.com.

After that I created a user CSA and added this user to Enterprise Admins (to be sure).

After that I came back to SQLN1 and tried logging in to the XDOH domain as CSA; then it threw an error related to SID, not allowing me to log in. So I used NewSID from the MS site to change the SID.

After that I rebooted SQLN1 and logged in to the XDOH domain as CSA. Then I am trying to click date and time ... nope, it doesn't work, says you do not have access. I go to local users and groups to add CSA to Administrators ... I am able to see the XDOH domain, I searched and found CSA, clicked on add, it added, but Apply gives me an access denied error.

1. I am able to login to the SQLN1 and SQLN2 as local admins.

2. The local admin group doesn't contain, or I am not able to add, anyone from the XDOH domain. To add to this, if I log in as a local admin, the XDOH domain does not show up if I try to add a user ... locations are limited to the SQLN1 machine.

3. Ideally there should be a trust right when a machine gets added to the domain and if you can login to that machine with a domain user.

I am not sure if this has to do something with VMWARE Cloning clone.

Thanks a million once again.

Regards

Rumple
Virtuoso

Also make sure you did not rename and join the domain in a single step or else it will also not work correctly.

Texiwill
Leadership

Hello,

Moved to VI: Virtual Machine and Guest OS forum.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354

As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill