I came across a problem recently when a colleague was building a virtual Windows Server environment, and was reminded of it the other night when on a webcast with Exchange MVPs, when one of the attendees said he was hitting issues with Exchange 2007 servers not finding the Active Directory properly.
The solution lay at the heart of how the VM environment had been built - using a single source "base" OS image which was then configured to join the domain and had Exchange installed on it, for each machine in the environment.
If you're building a multi-machine environment, it saves a lot of time if you build a single image and make sure it's all patched up through Windows Update etc, then it's just a matter of installing the Exchange (or whatever) servers once you've joined a copy of the VM into the domain.
Trouble is, when you install a new server (such as the base OS build), it creates a unique Security Identified (SID) which stays the same even if the machine is renamed and domain membership changed - whilst you'll typically be able to join a cloned machine into the same domain, and it might look like it's working OK, numerous strange things can happen - making it look as if the trust between the machine and domain is broken, or having problems authenticating to resources.
NewSID is a free tool that Mark Russinovich developed while at Winternals/SysInternals, and is now available from Microsoft since the acquisition of Mark's company. The trick is to run NewSID on your cloned machine before joining the domain, and it will create a new, random, SID which means you won't get clobbered later on with the kind of problems described above.
(NB: It's worth noting that NewSID isn't supported for production use - for that, you should really SysPrep the machines instead).