What database server/version are you using (assuming a version of SQL Server)?

Is there any relevant information in the database logs?

This may provide some direction: http://support.microsoft.com/?ID=kb;en-us;Q247931

The error in the SQL log says:
SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed. The Windows error code indicates the cause of failure. The logon attempt failed. [CLIENT: xxx.xxx.xxx.xxx]

Even though I set this box up as a domain controller, the SQL instance still shows as COMPUTERNAME\sqlinstance instead of DOMAINNAME\sqlinstance.

The more I look at it, I think it may be a problem with DNS name mismatches. When I enter my IP as the data source on the victim's server, it seems to do a reverse DNS lookup and connect via the DNS name, which doesn't match the Active directory domain name of the system. So, it will try to connect to something like d-127-0-0-1.comcast.net\sqlinstance instead of DOMAINNAME\sqlinstance.

On the actual SQL/AD server, if I try to log into via SQL Management studio to d-127-0-0-1.comcast.net\sqlinstance, it gives me the same "untrusted domain" error.

I tried adding d-127-0-0-1.comcast.net to the hosts file and pointing it back to the server, but no change.

Sorry if this post makes no sense - I've been going at it all day and may be a little loopy.

Thanks for the follow-up posts. I'm not familiar with this specific attack; sorry I can't be of more help.

If Cain's not seeing the hashes, they're probably not being sent. That's a basic exchange that Cain handles easily. I wouldn't spend time trying to find other tools; the problem probably lies elsewhere.