Symptoms
A container that is a member of an AD domain does not allow logging in via RDP.
System events exported from the container contain the following error:
Log Name: System
Date: 26/06/2009 11:36:17 AM
Event ID: 3210
Task Category: None
This computer could not authenticate with \\server.domain.local, a Windows domain controller for domain domain, and therefore this computer might deny logon requests. This inability to authenticate might be caused by another computer on the same network using the same name or the password for this computer account is not recognized. If this message appears again, contact your system administrator.
Cause
The issue is caused by a duplicated SID: the container was cloned while it was a member of the AD domain. To avoid SID conflicts in the AD domain, it is strongly recommended to clone containers before joining them to the AD domain.
Resolution
To fix the issue, perform the following steps:
1. Install the Windows 2003 Support Tools from the Windows CD;
2. Verify that the problem computer account exists in Active Directory Users and Computers;
3. Remove the problem computer account:
netdom remove [MACHINE_NAME] /Domain:[DOMAIN_NAME] /UserD:[DOMAIN_ADMIN] /PasswordD:* /UserO:[LOCAL_ADMIN] /PasswordO:*
4. Restart the problem container:
vzctl restart [CT_ID]
5. Log in via RDP to the container as local admin;
6. Join the container back to the domain from the active RDP session.
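
A check to run inside the container before and after the steps above, as an added example that is not part of the original article: it counts Event ID 3210 entries in the System log and tests the machine-account secure channel. It assumes Windows PowerShell 2.0 or later is available in the container; the function name Get-DomainTrustStatus and the $Days parameter are hypothetical.

```powershell
# Added example: reports the symptom (Event ID 3210) and the state of the
# machine-account secure channel. Assumes Windows PowerShell 2.0 or later.
function Get-DomainTrustStatus {
    param(
        [int]$Days = 7   # hypothetical look-back window, in days
    )

    $since = (Get-Date).AddDays(-$Days)

    # Event ID 3210 entries in the System log; Get-EventLog returns newest first.
    $events = @(Get-EventLog -LogName System -After $since -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 3210 })

    # Test-ComputerSecureChannel returns $true when the computer account
    # can authenticate to a domain controller of its domain.
    $channelOk = $false
    $channelError = $null
    try {
        $channelOk = [bool](Test-ComputerSecureChannel -ErrorAction Stop)
    } catch {
        # Raised, for example, when the computer is not joined to a domain.
        $channelError = $_.Exception.Message
    }

    $latest = $null
    if ($events.Count -gt 0) { $latest = $events[0].TimeGenerated }

    New-Object PSObject -Property @{
        ComputerName    = $env:COMPUTERNAME
        Event3210Count  = $events.Count
        LatestEvent3210 = $latest
        SecureChannelOk = $channelOk
        ChannelError    = $channelError
    }
}

Get-DomainTrustStatus | Format-List
```

Earlier 3210 entries stay in the log after the rejoin, so compare LatestEvent3210 with the time of step 6 rather than expecting the count to drop to zero.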