I have two AD domains and I'm trying to use NFS with Kerberos to both of them. Part of the procedure requires creating keytab files for the host and nfs principals for the client and server respectively. I am using the same batch files on both DCs to create the computer and user entries in AD as well as the keytab files. The keytab files from one of the ADs work just fine, but all of the keytab files from the other AD fail with:

rob@hostname: [NFS_Kerberos_Keytabs]$ kinit -V host/hostname.sub.dom.com@REALM.DOM.COM -k -t hostname_host_REALM.DOM.COM.keytab  
Using default cache: /tmp/krb5cc_1000
Using principal: host/hostname.sub.dom.com@REALM.DOM.COM
Using keytab: hostname_host_REALM.DOM.COM.keytab
kinit: Client 'host/hostname.sub.dom.com@REALM.DOM.COM' not found in Kerberos database while getting initial credentials

When setting this up I first created a computer entry in the database:

# extended LDIF
#
# LDAPv3
# base <cn=computers,dc=realm,dc=dom,dc=com> with scope subtree
# filter: (name=hostname)
# requesting: ALL
#

# hostname, Computers, realm.dom.com
dn: CN=hostname,CN=Computers,DC=realm,DC=dom,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: hostname
distinguishedName: CN=hostname,CN=Computers,DC=realm,DC=dom,DC=com
instanceType: 4
whenCreated: 20160128162300.0Z
whenChanged: 20160128162300.0Z
uSNCreated: 174308
uSNChanged: 174312
name: hostname
objectGUID:: jd23ti+U/USCbuyzfWj5rQ==
userAccountControl: 4128
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
localPolicyFlags: 0
pwdLastSet: 130984717800613071
primaryGroupID: 515
objectSid:: AQUAAAAAAAUVAAAAlHJ4KV3gLEfERwiPLDEAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: HOSTNAME$
sAMAccountType: 805306369
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=realm,DC=dom,DC=com
isCriticalSystemObject: FALSE
dSCorePropagationData: 16010101000000.0Z

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Then I created a user entry:

# extended LDIF
#
# LDAPv3
# base <cn=users,dc=realm,dc=dom,dc=com> with scope subtree
# filter: (&(ObjectClass=person)(name=hostname host))
# requesting: ALL
#

# hostname host, Users, realm.dom.com
dn: CN=hostname host,CN=Users,DC=realm,DC=dom,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: hostname host
sn: host
givenName: hostname
distinguishedName: CN=hostname host,CN=Users,DC=realm,DC=dom,DC=com
instanceType: 4
whenCreated: 20160129074155.0Z
whenChanged: 20160309164621.0Z
displayName: hostname host
uSNCreated: 174516
uSNChanged: 179340
name: hostname host
objectGUID:: Uaw7Gk2n0keDHjIAiRaPqw==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 131020165954163706
pwdLastSet: 131020155817310122
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAlHJ4KV3gLEfERwiPPjEAAA==
accountExpires: 9223372036854775807
logonCount: 4
sAMAccountName: hostname-host
sAMAccountType: 805306368
userPrincipalName: host/hostname.sub.dom.com@REALM.DOM.COM
servicePrincipalName: host/hostname.sub.dom.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=realm,DC=dom,DC=com
dSCorePropagationData: 16010101000000.0Z

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

I then ran ktpass on the DC to create the keytab file:

C:\Users\rob.marshall>ktpass -princ host/hostname.sub.dom.com@REALM.DOM.COM -out hostname_host_REALM.DOM.COM.keytab -mapuser hostname-host@REALM.DOM.COM -mapOp set -crypto all -ptype KRB5_NT_PRINCIPAL +rndPass
Targeting domain controller: WIN-F2DD88GD7U9.realm.dom.com
Using legacy password setting method
Successfully mapped host/hostname.sub.dom.com to hostname-host.
Key created.
Key created.
Key created.
Key created.
Key created.
Output keytab to hostname_test04.keytab:
Keytab version: 0x502
keysize 70 host/hostname.sub.dom.com@REALM.DOM.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x1 (DES-CBC-CRC) keylength 8 (0xa219dcdc0d232a7f)
keysize 70 host/hostname.sub.dom.com@REALM.DOM.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0xa219dcdc0d232a7f)
keysize 78 host/hostname.sub.dom.com@REALM.DOM.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0x2c3d1d1cbf52afe3a7190bdaa0107fed)
keysize 94 host/hostname.sub.dom.com@REALM.DOM.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x12 (AES256-SHA1) keylength 32 (0x4f4b4f5d3f401c7ef885c94989e5561cc74fa607b07c6135c78450625bfb007e)
keysize 78 host/hostname.sub.dom.com@REALM.DOM.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x11 (AES128-SHA1) keylength 16 (0x3704104525c61565296a343d6092209f)

Checking the keytab file:

rob@robs-ubuntu2: [NFS_Kerberos_Keytabs]$ klist -kte hostname_host_REALM.DOM.COM.keytab
Keytab name: FILE:hostname_host_REALM.DOM.COM.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 12/31/1969 19:00:00 host/hostname.sub.dom.com@REALM.DOM.COM (des-cbc-crc) 
   2 12/31/1969 19:00:00 host/hostname.sub.dom.com@REALM.DOM.COM (des-cbc-md5) 
   2 12/31/1969 19:00:00 host/hostname.sub.dom.com@REALM.DOM.COM (arcfour-hmac) 
   2 12/31/1969 19:00:00 host/hostname.sub.dom.com@REALM.DOM.COM (aes256-cts-hmac-sha1-96) 
   2 12/31/1969 19:00:00 host/hostname.sub.dom.com@REALM.DOM.COM (aes128-cts-hmac-sha1-96) 

Again I did the exact same thing (with the exception of the REALM) on another AD DC and the keytab files work fine. Any ideas on what I did wrong here? The AD keytabs that are NOT working are from a Windows system that says the edition is: "Windows Server Enterprise" with a copyright of 2007 and SP 1. The other is a Windows 2012 R2.

Thanks for any help,

Rob

Rob Marshall
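As an added example (not from the question or from any Microsoft or MIT tool), a small parser for the krb5 keytab format (version 0x502) that reports what a ktpass-generated file actually contains: principal, name type, timestamp, the 8-bit and the optional trailing 32-bit vno, enctype and key length. This is useful when ktpass and klist disagree, as above (ktpass reports vno 3, klist shows KVNO 2). The sample keytab is constructed inline with an all-zero placeholder key.

```python
import struct
from datetime import datetime, timezone

def _counted(buf, off):
    """Read a uint16-length-prefixed octet string; returns (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Parse a krb5 keytab (format 0x0502) into one dict per key entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:            # negative size marks a deleted slot: skip it
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        name_type, ts, vno8, etype = struct.unpack_from(">IIBH", data, off)
        key, off = _counted(data, off + 11)
        # optional trailing 32-bit vno; MIT krb5 uses it when present and non-zero
        vno32 = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else 0
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "etype": etype, "keylength": len(key),
                        "timestamp": datetime.fromtimestamp(ts, timezone.utc).isoformat(),
                        "vno8": vno8, "vno32": vno32, "kvno": vno32 or vno8})
        off = end
    return entries

def build_entry(realm, comps, name_type, ts, vno8, etype, key, vno32=None):
    """Encode one entry (used here only to construct the offline sample)."""
    body = struct.pack(">HH", len(comps), len(realm)) + realm
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp
    body += struct.pack(">IIBHH", name_type, ts, vno8, etype, len(key)) + key
    if vno32 is not None:
        body += struct.pack(">I", vno32)
    return struct.pack(">i", len(body)) + body

# Constructed sample (placeholder key): the question's RC4-HMAC entry, timestamp 0 as ktpass writes it, vno8 3 vs vno32 2.
SAMPLE = b"\x05\x02" + build_entry(b"REALM.DOM.COM", [b"host", b"hostname.sub.dom.com"],
                                   1, 0, 3, 0x17, bytes(16), vno32=2)
```

Run `parse_keytab(open("file.keytab", "rb").read())` on a real file; the entry size it computes for the sample (78 bytes) matches the "keysize 78" ktpass printed for the RC4-HMAC key above.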
  • I am a bit confused about your setup. You said you need one identity for the NFS host and another for the NFS client? So the computer account "host" is intended for the NFS host? But why is the 2nd user account named "hostname-host"? Shouldn't it be a real user's name? Also, if "host" represents your NFS host, the SPN host/hostname.... should be registered under "host" instead of under "hostname-host" – strongline Mar 15 '16 at 17:54
