IIS 7.5 Windows Authentication not working (sometimes)

IIS 7.5 Windows Authentication not working (sometimes)

This is a weird one. We were happily running with Windows Authentication
on our intranet site until I demoted one of our domain controllers. Now
some workstations still work fine and are authenticated automatically, but
others cannot get authenticated at all. The browser prompts for
credentials and it doesn't matter what credentials you put in, it refuses
to authenticate. (401.1) The problem is per workstation. (I cannot get in
from my own workstation, but another works fine for me.) I have not yet
found a pattern of working vs non-working workstations. (Two identical
workstations in the same OU - one works and the other doesn't)
I've followed all the links on this article:
http://stackoverflow.com/questions/12517127/windows-authentication-not-working-in-iis-7-5
and have tried all the solutions suggested, with no luck. (Tried moving
NTLM to the top of the list, tried disabling loopback checking and strict
name checking) I've also compared HTTP headers between a working computer
and a non-working one, and they appear to all be the same. No relevant
entries in the Event Logs, except the Audit Failure in the Security Log
(Unknown user name or bad password, 0xc000006d, 0xc000006a) Kernel-mode
authentication is also disabled and extended protection is turned off.
As a workaround, we're running on Basic authentication which is working
fine. But I'd like to get Windows authentication working again.
Where should I try to look next?
Domain is 2003 with 2003 and 2008 R2 domain controllers. IIS server is
2008 R2 member server. Workstations are XP Professional SP3 32-bit and
Windows 7 Enterprise 64-bit SP1.