Fixed some obvious headaches with Cisco ISE, wired dot1x and comparing computer certs using binary comparison.

Jarvis IT
Level 1

This may sound fairly straightforward...

So I am writing this with the aim of assisting others who may fall into the same trap. Recently we installed a new domain controller in our office, where we run up our PCs. Our old domain controller is in a COLO and is also the Certificate Authority server of a 2-tier PKI; the server still exists, obviously. Now when we run up our PCs, AD Sites and Services points us to our new domain controller (as expected)! And this is where the problem started...

When we joined our new PCs to the domain, its computer object was created on our closest new domain controller, then we logged straight in as a user and started our run-up process. Now what was happening is that after you log in, a computer certificate is generated, but because the computer name/object hasn't had time to replicate to the primary domain controller in our COLO with the Certificate Authority, it can't associate the new cert that is created with the computer object. (User IDs were allocated directly on the primary domain controller, so they worked when their cert was generated during the login process!)

The kinds of errors we were seeing were:

Client certificate does not match AD account certificate - t16124$@localnet.com.au

Pretty obvious, eh? But some PCs were working and some weren't, and this all came down to timing based on AD replication and how many support calls we got between joining the domain and finally logging in.

So I suppose, where does this all fit in? Well, if you are one who wants to turn on binary comparison and has multiple domain controllers remote from a single Cert Authority, you should probably prepare yourself for some certificate renewal requests. Also, if you plan to put in place a domain controller closer to your location and it doesn't contain a certificate authority, allow the computer name to be replicated before logging in for the first time, or just renew the certificate before deploying it out "happy company worker!"

Hope this helps someone out there!

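As an added example (not code from the original post, nor from Cisco or Microsoft), here is a PowerShell check for the situation described in the post: before a freshly joined PC is handed out, it asks the domain controller in the CA's site whether the computer object has replicated there yet, and then compares the machine's client-authentication certificate byte-for-byte with the `userCertificate` values stored on that object, which is the same comparison ISE's binary-comparison option makes. The `$CaSiteDc` hostname is a placeholder, the RSAT ActiveDirectory module is assumed to be installed, and the renewal step assumes the certificate template publishes the certificate to Active Directory.

```powershell
<#
  Added example, not from the original post: diagnose the "cert issued before
  the computer object replicated" problem on a newly joined Windows client.
  Assumptions: RSAT ActiveDirectory module present; $CaSiteDc is a placeholder
  you replace with the DC that sits in the same site as your CA.
#>
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$CaSiteDc     = 'DC-COLO.example.invalid',  # placeholder hostname
    [switch]$Renew                                      # trigger renewal when a cert is missing from AD
)

Import-Module ActiveDirectory -ErrorAction Stop

# Step 1: has the computer object reached the DC next to the CA?
# If not, any certificate issued now cannot be associated with the object.
try {
    $adObj = Get-ADComputer -Identity $ComputerName -Server $CaSiteDc `
                            -Properties userCertificate -ErrorAction Stop
}
catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
    Write-Warning "$ComputerName has not replicated to $CaSiteDc yet; wait for AD replication before the first logon."
    return
}

# Step 2: the machine's own client-auth certificates (what the supplicant presents in EAP-TLS).
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$localCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
}

# Step 3: exact byte-for-byte comparison of the DER encoding against every
# userCertificate value on the AD object (Base64 is used only as a comparable string).
$adBlobs = @(@($adObj.userCertificate) | ForEach-Object { [Convert]::ToBase64String([byte[]]$_) })

$results = foreach ($cert in $localCerts) {
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        InAD       = $adBlobs -contains [Convert]::ToBase64String($cert.RawData)
    }
}
$results | Format-Table -AutoSize

# Step 4: a cert that is valid locally but absent from the AD object is the
# post's failure mode; renew it so the CA publishes a fresh one to the object.
$stale = @($results | Where-Object { -not $_.InAD })
if ($stale.Count -gt 0 -and $Renew) {
    foreach ($s in $stale) {
        # Renews the named machine certificate in place; assumes the template
        # publishes to AD so the renewed cert lands on the computer object.
        certreq.exe -Enroll -machine -q -cert $s.Thumbprint Renew
    }
}
elseif ($stale.Count -gt 0) {
    Write-Warning "Not on the AD object: $($stale.Thumbprint -join ', '). Re-run with -Renew before deploying this PC."
}
```

Run it from an elevated prompt on the client after domain join, pointing `-CaSiteDc` at the domain controller in the CA's site; a warning at step 1 means "wait for replication", while a warning at step 4 means the certificate was issued too early and needs renewing, which is the distinction the post's "Client certificate does not match AD account certificate" error does not make on its own.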