Fixing SharePoint 2010 and Windows Domain Authentication Issues

Kraft Kennedy

We recently came across some strange issues with virtual machines in a domain: the SQL and SharePoint servers were joined to the domain, but they were not authenticating regular domain users correctly. Domain users could log on to the machines, but the SharePoint people picker, SharePoint managed accounts, and SQL itself could not authenticate anyone except the administrator account. You could browse to SharePoint locally from the SharePoint box, but could not get past the authentication prompt from any remote box. We also saw the following error in certain places in SharePoint:

“Some or all identity references could not be translated”

The systems were up to date on updates and hotfixes, and the applications appeared to be configured correctly. In the end, the problem turned out to be that the servers had been joined to the domain with different computer names but all had the same SID. This caused the unpredictable domain authentication issues that we were seeing.

For anyone in this situation on Windows Server 2008 R2 machines, don’t run the “NewSID” tool. That will blue screen the server, and you’ll have to restore from a backup or rebuild the box. Instead, you can use sysprep to change the SID of the machines, even after the machines are fully configured (though it’s best to use it before configuring machines).

You should back up the machines before making any changes. We were able to use the following sequence on the servers to fix the authentication issues:

1) Use psgetsid from the PSTools to view the machine’s current SID. The tools are available here:
http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx

2) Disconnect the machine from the domain and place it in a workgroup.

3) Delete the computer account from Active Directory.

4) Run sysprep on the Windows 2008 R2 server from this path:
/System Drive/Windows/system32/sysprep/sysprep.exe

Click the “Generalize” box, which creates the new SID, leave the other options as is, and press OK.

5) Once the machine reboots and runs through some Windows dialogs, use psgetsid again to verify that the SID has changed.  Rejoin the server to the domain, and then verify that the apps are all working as they should, and that the authentication issues are gone.
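
A check to run around the sequence above, as an added example that is not part of the original post: it parses saved psgetsid output from several servers and reports any machine SID that appears under more than one computer name. The function name `Get-DuplicateMachineSid`, the host names and the SIDs are hypothetical, constructed values.

```powershell
# Added example: spot servers that share a machine SID from saved psgetsid output.
# Host names and SIDs are constructed sample values, not taken from the post.
function Get-DuplicateMachineSid {
    param(
        # Computer name -> text psgetsid printed when run on that computer
        [Parameter(Mandatory = $true)]
        [hashtable]$PsGetSidOutput
    )

    # A machine SID is S-1-5-21 plus exactly three sub-authorities on its own
    # line; anchoring the match skips longer account SIDs that end in a RID.
    $pattern = '(?m)^\s*(S-1-5-21-\d+-\d+-\d+)\s*$'

    $records = foreach ($name in $PsGetSidOutput.Keys) {
        $m = [regex]::Match($PsGetSidOutput[$name], $pattern)
        if (-not $m.Success) {
            Write-Warning "No machine SID found in output for $name"
            continue
        }
        New-Object PSObject -Property @{ Computer = $name; Sid = $m.Groups[1].Value }
    }

    # A SID reported under more than one computer name means duplicated machines.
    $records | Group-Object Sid | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        New-Object PSObject -Property @{
            Sid       = $_.Name
            Computers = ($_.Group | ForEach-Object { $_.Computer } | Sort-Object) -join ', '
        }
    }
}

# Constructed sample: SQL01 and SP01 share a SID, APP01 does not.
$sample = @{
    'SQL01' = @'
SID for \\SQL01:
S-1-5-21-1111111111-2222222222-3333333333
'@
    'SP01' = @'
SID for \\SP01:
S-1-5-21-1111111111-2222222222-3333333333
'@
    'APP01' = @'
SID for \\APP01:
S-1-5-21-4444444444-5555555555-6666666666
'@
}

Get-DuplicateMachineSid -PsGetSidOutput $sample | Format-List
```

Run it on output collected in step 1 to confirm the diagnosis, and again on output collected in step 5; an empty result means every server reports a distinct machine SID.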