Just like users, machines have domain accounts. And just like user accounts, machine accounts have passwords. And just like user account passwords, machine account passwords expire (by default, every 30 days). Now, you don't normally notice any of this because machines automatically change their machine account passwords before they expire.
Well, you notice it when something gets messed up.
One way you can trigger a password mismatch is to roll back a VM past a password change point. The machine will roll back to using the old password, which is not the correct password any more.
Another way you can run into this is by leaving a machine off the network for a few months. The machine password on the domain will expire, and the machine will be locked out of the domain.
If you get into this state, the standard solution is to leave the domain, and then rejoin it.
Bonus reading: How to disable automatic machine account password changes. The article also describes why machine account passwords expire in the first place.