So I have some RHEL 7.3 virtual machines that were on a Red Hat IDM/IPA domain.  I cloned them, renamed them, gave them new IPs, etc., and uninstalled the IPA client successfully.

I then joined them to our AD domain using realm join like I have other machines.  I matched settings in sssd.conf and nsswitch.conf and I can kinit and id users without any issues.

My problem is that nobody can log in using their AD credentials because access is based on GPO and for some reason this server isn't able to get the GPO:

(Thu Feb 23 14:15:23 2017) [sssd[be[]]] [ad_gpo_access_send] (0x0400): service sshd maps to Remote Interactive
(Thu Feb 23 14:15:23 2017) [sssd[be[]]] [ad_gpo_connect_done] (0x4000): server_hostname from uri:
(Thu Feb 23 14:15:23 2017) [sssd[be[]]] [ad_gpo_connect_done] (0x0400): sam_account_name is LA-1QGLSESGAP01$
(Thu Feb 23 14:15:23 2017) [sssd[be[]]] [ad_gpo_site_name_retrieval_done] (0x0040): Cannot retrieve master domain info
(Thu Feb 23 14:15:23 2017) [sssd[be[]]] [ad_gpo_process_som_done] (0x0040): Unable to get som list: [2](No such file or directory)
(Thu Feb 23 14:15:23 2017) [sssd[be[]]] [ad_gpo_access_done] (0x0040): GPO-based access control failed.

Server is in an OU that is covered by my access policy GPO.  GP Modeling shows that the correct policy would apply.

I'm stumped.