Here's the situation:
I have AD set up so that I have one forest with multiple trees for each building, i.e. headhoncho.my.dist is the main parent with child domains off that, like child1.elem1.my.dist at an elementary school and child2.high.my.dist at a secondary school. (I know it's not flat, I'm gonna move that way if I can fix my problem!)
So normally a secondary student logs into the high domain and accesses shares on the server child2. And this has worked well all around until about 4 months ago. When...
My issue is very complicated: the child2 server works insomuch as it allows logins, allows access to shares, printing, applies GPOs, and does its job in general as long as you are a client. However, when you access the server locally you become limited, but only partially. I can add and remove user accounts in AD, and access local admin (C$) shares on clients. I can NOT access GPO at all; I receive access denied. I can NOT access my own shares, i.e. logged into child2 as Administrator of the domain but can't access \\child2\netlogon (or any share on any domain in my forest).
Permissions look fine, and a whoami returns high\administrator. I even tried bringing a DC up as a backup of the high domain and it inherits all the symptoms of child2. Please... please... help me!