My organization used to have a Windows 2000 Server Edition domain controller with the DNS role also installed. It serviced 5 other servers and about 15 workstations. A few months ago the motherboard went out, and since it was a fairly old server anyway, my supervisor proposed we install a newer version of Windows Server (finally!) on an Intel NUC5i3MYHE we had just purchased, with the intent of installing some light server roles on it (file server, DNS, internal web server, etc.).
The install of Server 2012 R2 on the box went smoothly, as did adding the AD DS and DNS roles and promoting it to a domain controller (since the existing domain was now offline due to the old server's failure, I set the new DC up with the same domain name and selected the "New Forest" option during dcpromo.exe).
The first time I put the new DC on the LAN, we had problems with people not being able to log into their computers. I realized my mistake (I have a pretty hectic average workday): I had not set up the user accounts in AD. So I promptly took it offline, at which point my end users were able to log back into their workstations using their old accounts (cached on their local computers as "Offline Files"). For the record, I have not set up forward and reverse lookup zones in DNS yet. As I understand it, I need AD DS working first, and it is apparently not working (100%, anyway).
A couple of days later, I got everyone set up with the same usernames they had had before the original DC crashed, with some requiring new passwords to meet the complexity requirements. Here's where the snag is.
The end users (EUs) who already had passwords that met the complexity requirements had no problems logging in using their classic passwords. But those whose password had to change get a message when logging in with their old account, something to the effect of "Please lock this computer and sign in using the current domain credentials," which they try, but their machines (XP SP3 and Windows 7, Pro editions) will not let them in with the newly created passwords and their classic usernames.
I really do not want to set up a whole new round of usernames and passwords for each user, but I fear that the ones whose passwords did not change aren't logging into the new DC at all, but rather into their old "Offline Files," and that the users whose passwords did change are able to access Desktop/My Docs only by entering their classic password and accessing the locally cached offline files as well.
FWIW, I noticed in my event log on the new server, Error ID 4013, which I found some info on here: https://technet.microsoft.com/en-us/library/cc735842(v=ws.10).aspx
...but when I follow the link for AD DS Troubleshooting found there, it takes me to a generic "Windows Server 2003/2003 R2 Retired Content" page, which is peculiar because it was a 2012 R2 machine that generated Error ID 4013, and yes, it was the correct one on the link (the verbiage matched my server).
I have tried logging in and out several times on several workstations with various credentials, and no luck: I can only get on the domain with the old passwords. If anyone can point me in the right direction, I'd be very grateful; I really don't deal with AD DS that much, as my role in the company has shifted over the years from network admin to more of a web dev kind of role. I have event logs I can give you all if that will help. The other warnings were about ADWS (Active Directory Web Services), which I'm not sure is helpful, so I didn't include them, but let me know! Thanks in advance for your suggestions!
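A promotion that selects "New Forest" creates a new domain with a new domain SID even when the DNS name matches the old one, so computer accounts and user SIDs from the old Windows 2000 domain are unknown to the new DC, and a workstation that still shows the old desktop is running on a cached logon, not a fresh authentication. The PowerShell below is added here as an example and is not part of the original post; it shows how to confirm that from both sides. It assumes a placeholder domain name of corp.example, a DC side running on Server 2012 R2 with the ActiveDirectory module installed by the AD DS role, and a workstation side running on Windows 7 with PowerShell 2.0 from an elevated prompt (the function names and the output field names are this example's own).

```powershell
# Added example, not from the original post. Confirms whether a workstation is
# authenticating to the new 2012 R2 DC or still satisfying logons from the
# credential cache of the old Windows 2000 domain.
$Domain = 'corp.example'   # placeholder; replace with the real DNS domain name

# --- Run on the new domain controller --------------------------------------
function Get-NewDcIdentity {
    param([string]$DnsDomain)
    Import-Module ActiveDirectory
    $ad = Get-ADDomain -Identity $DnsDomain

    # DNS Event ID 4013 = the DNS Server is waiting for AD DS to finish its
    # initial directory synchronization. With a single DC it is normal right
    # after startup; if it never clears, the DNS/AD DS startup ordering, not
    # the user accounts, is the thing to chase.
    $dns4013 = @(Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Id = 4013 } `
                   -MaxEvents 5 -ErrorAction SilentlyContinue)
    $latest4013 = $null
    if ($dns4013.Count -gt 0) { $latest4013 = $dns4013[0].TimeCreated }

    New-Object PSObject -Property @{
        DnsRoot       = $ad.DNSRoot
        NetBiosName   = $ad.NetBIOSName
        DomainSid     = $ad.DomainSID.Value   # every new-domain account SID starts with this
        PdcEmulator   = $ad.PDCEmulator
        Dns4013Events = $dns4013.Count
        Dns4013Latest = $latest4013
    }
}

# --- Run on a workstation (Windows 7, elevated PowerShell 2.0 or later) ----
function Test-WorkstationDomainState {
    param([string]$DnsDomain, [string]$ExpectedDomainSid)

    $cs = Get-WmiObject Win32_ComputerSystem
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # Domain part of the SID the current session token was issued under.
    # A cached logon keeps the SID from the old domain that issued it.
    $mySidDomain = ''
    if ($me.User.AccountDomainSid) { $mySidDomain = $me.User.AccountDomainSid.Value }

    # LOGONSERVER names the workstation itself when no DC handled the logon.
    $cachedLogon = ($env:LOGONSERVER -eq "\\$($env:COMPUTERNAME)")

    # Secure channel between this machine's computer account and a DC; the
    # computer account only exists in the old forest, so this should fail.
    $secureChannel = $false
    try { $secureChannel = Test-ComputerSecureChannel -ErrorAction Stop } catch { }

    # Which DC (if any) Netlogon can locate for the domain name.
    $dcLocator = (& nltest /dsgetdc:$DnsDomain 2>&1) -join ' '

    New-Object PSObject -Property @{
        Computer             = $env:COMPUTERNAME
        JoinedDomain         = $cs.Domain
        LogonServer          = $env:LOGONSERVER
        CachedLogon          = $cachedLogon
        SecureChannelOk      = $secureChannel
        SessionIssuedByNewDc = ($mySidDomain -eq $ExpectedDomainSid)
        DcLocatorResult      = $dcLocator
    }
}

# Usage (placeholders):
#   On the DC:          $dc = Get-NewDcIdentity -DnsDomain $Domain; $dc.DomainSid
#   On a workstation:   Test-WorkstationDomainState -DnsDomain $Domain -ExpectedDomainSid 'S-1-5-21-...'
```

A workstation that reports CachedLogon true, SecureChannelOk false and SessionIssuedByNewDc false is exactly the "old password still works, new one does not" symptom: the account being checked lives in the old domain's cache, and the new DC never sees the attempt. Each such machine has to be joined to the new domain (for example `Add-Computer -DomainName corp.example -Credential (Get-Credential)` on Windows 7, or the System Properties dialog on XP SP3, which has no PowerShell by default), and because the re-created users carry new SIDs, the first logon afterwards gets a fresh profile unless the old one is migrated separately.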