The log contained this message:
The computer or domain SERVERNAME-APP trusts domain DEV. (This may be an indirect trust.) However, SERVERNAME-APP and SERVERNAME have the same machine security identifier (SID). NT should be re-installed on either SERVERNAME-APP or SERVERNAME.
Assess - obtain psgetsid from the sys internals sites then run it on both servers. This should confirm both systems have the same SID.
Resolve - http://www.brajkovic.info/windows-server-2008/windows-server-2008-r2/how-to-change-sid-on-windows-7-and-windows-server-2008-r2-using-sysprep/ has very clear instructions on how to run SYSPREP (included in 2008).
After sysprep I had to:
- connect via console
- click US
- provide host name
- activate it
- take it out of the domain it was in, reboot
- re-join to the domain, reboot