Domain – A Domain Admin user doesn’t have effective Administrative rights on a Domain Computer

active-directory domain domain-controller

I am a developer who is setting up a virtual domain environment for testing purposes and am having trouble with the setup.

I have created a new DC on a new Forest… call it dev.contoso.com. I have set up a virtual internal network for all machines that are going to be a part of this virtual test environment and have given each machine a static IP address in the 192.169.150.0 subnet. I have added machine1.dev.contoso.com to the domain dev.contoso.com. I have also provisioned a user account (adminuser) in the domain and made that user a member of the Domain Admins group.

Upon logging into machine1 using my newly created Domain Admin account, I cannot access/run any files on machine1. When I go into the advanced permissions for the c:\ folder and go to Properties -> Security tab -> Advanced -> Effective Permissions and search for dev\adminuser (mentioned above), I get an error saying:

Windows can't calculate the effective permissions for admin user

What do I need to do to get Administrative rights on Machine1? I am using Server 2008 R2 for both the AD controller and machine1.

Best Answer

OK, after replaying all of this more than once, I looked at the logs more closely after each step. This revealed an issue with the SID, and then it hit me! I need to have a different SID when you have cloned the domain controller. The article "The Machine SID Duplication Myth" by Mark Russinovich states you don't need to NewSid anymore. This is true based on the article, which I read quite some time ago. However, this doesn't apply if you are working with an AD DC, which some of the comments on that article suggest.

So, after rebuilding a new VM fresh with Server 2008 (instead of cloning from an original base VHD with Server 2008), everything works as expected.
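
A check for the condition this answer describes, as an added example that is not part of the original answer: it compares the member server's local machine SID with the SID of the domain it joined. It assumes it is run on the member (machine1 in the question) from a PowerShell session under a local administrator account, and that the Domain Admins group still has its default name; the variable names are illustrative.

```powershell
# Added example: detect a member server whose machine SID equals the domain SID.
# A domain takes its SID from the machine SID of the first DC promoted in it, so a
# member cloned from the same un-sysprepped base image as that DC ends up with
# local accounts in the same SID space as the domain's accounts.

$cs = Get-WmiObject Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Output "$($cs.Name) is not joined to a domain; nothing to compare."
    return
}

# Local machine SID: SID of the built-in local Administrator (RID 500) minus the RID.
$localAdmin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    Where-Object { $_.SID -like 'S-1-5-21-*-500' }
if (-not $localAdmin) {
    Write-Warning "No local RID-500 account found; run this on a member server, not a DC."
    return
}
$machineSid = (New-Object System.Security.Principal.SecurityIdentifier($localAdmin.SID)).AccountDomainSid

# Domain SID: resolve a well-known domain group by name and drop its RID.
# Assumption: the group is still called 'Domain Admins'.
$group = New-Object System.Security.Principal.NTAccount($cs.Domain, 'Domain Admins')
$domainSid = $group.Translate([System.Security.Principal.SecurityIdentifier]).AccountDomainSid

Write-Output "Machine SID : $($machineSid.Value)"
Write-Output "Domain SID  : $($domainSid.Value)"

if ($machineSid.Value -eq $domainSid.Value) {
    Write-Warning "Machine SID matches the domain SID: this host was cloned from the same image as the first DC. Rebuild it or sysprep the image before joining."
} else {
    Write-Output "Machine SID differs from the domain SID."
}
```

Running the same comparison on each VM built from a shared base VHD before it is joined to the domain catches the collision without having to work back from access errors.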