I have a fairly new, (march), install of server 2008. It was done by a technician, not myself, and he made it a child domain of a new forest. This is a new/test setup. This server is a DC for a the child domain. The parent DC is offsite and connects to the child via a fiber WAN. The problem is that when we isolate the LAN from the WAN forest no one but Administrator can login to computers linked to the LAN. Reconnect the LAN to the WAN, the child to the parent, and everything works after about 5 minutes. Any help would be appreciated. My first guess is that we made a mistake and should have made the second DC a root of it's own tree.

Is the new DC also a GC? A GC is required for logon (enumeration of Universal Groups to add to the token), so if the your DC is not a GC and another GC is not available then logons will fail. Solution is to make your new DC a GC or disable the requirement for a GC to be available by following this article: http://support.microsoft.com/kb/241789 Tony

It wasn't a GC but I made it one last week and I thought that would fix the problem. It didn't. I'll try disabling. Thanks.