Windows can join domain, but not authenticate
Windows machines could join the domain, but were unable to log in.
One other symptom was a "trust" error when you tried to add a user to the machine (part of the Network ID wizard). The machines did successfully join the domain, though.
DNS resolved forward and back by host name, domain name, and IP.
Finally resolved it by simplifying their name. They had things set to:
tiger.schoolname-HS.xxx.xxx.xx.xx
I changed everything to tiger.schoolname.lan and it was very happy.
I'm thinking the Windows service simply couldn't handle the long domain name with multiple .xx.xx.xx even though DNS was working properly.
They had spent hours troubleshooting, including completely rebuilding the server a couple of times and sorting each of the services through a fine-toothed comb.
I'm hoping that might help someone out there.