Inconsistent Authentication for Domain Users

tech80524
Posts: 1
Joined: Mon May 18, 2020 6:47 pm


Post by tech80524 » Mon May 18, 2020 7:09 pm

Hi all, I am running into a strange issue with authenticating domain users using RADIUS or NT authentication.

Background:
Previously, SoftEther VPN server ran on a DC running Windows Server 2012, and there were zero authentication issues with Active Directory users.
Currently, SoftEther VPN runs on a dedicated Hyper-V VM running Windows Server 2016. This machine is domain-joined, DNS is pointed at two DCs on the network, and the server behaves normally, as any domain-joined PC would.

The issue:
Some AD users authenticate with zero issues, as before.
Some AD users are unable to authenticate using RADIUS or NT. The VPN client just keeps asking for a password.
There seems to be no rhyme or reason as to why some users authenticate successfully and others are rejected.

What I have checked/tried:
The VPN server has been set up from scratch twice, with the same result both times.
Previously, I promoted the VPN server to Read-Only Domain Controller and verified AD replication was working, but no luck.
Logged audit failures in the DC's Event Viewer reference the VPN server as the workstation and show Kerberos trust relationship failed.
Domain accounts are not locked out after failed connection attempts, as they normally would be if bad credentials were used too many times.
The AD user accounts all have consistent settings applied, except for groups depending on the user's job function.
For one user whose connection failed, I tried creating a new domain account, which was still rejected.
For one user whose connection failed, I verified credentials and successfully logged into the VPN server where that user had never logged in before.

Workaround (hopefully temporary): I set up and forwarded a dedicated port to the DC for users with issues; users without issues log into the new VPN server with no problems.

Any ideas? Ideally, we want to keep all VPN functions off the domain controller and use only the dedicated server. Thanks for your help!

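The checks the post lists (the VPN server's trust with the domain, the account's lockout state, and the audit failures recorded on the DCs) can be gathered in a single PowerShell run on the VPN server, so that the failure reason each DC recorded for one rejected user can be compared across DCs. This is an added example, not code from the post or from the SoftEther project. It assumes the RSAT ActiveDirectory module is installed on the VPN server, that the account running it can read the Security log on every DC, and that the DCs' audit policy records failures for Logon, Credential Validation and Kerberos Authentication Service; the `$UserName` parameter, the `$Hours` window and the script name are hypothetical.

```powershell
<#
  Added example (not from the forum post or the SoftEther project).
  Run on the domain-joined VPN server. Assumes: RSAT ActiveDirectory module,
  read access to the Security log on every DC, and a DC audit policy that
  records Logon, Credential Validation and Kerberos Authentication Service
  failures. $UserName and $Hours are hypothetical parameters.
#>
param(
    [Parameter(Mandatory)][string]$UserName,   # sAMAccountName of a user who is rejected
    [int]$Hours = 24                           # how far back to search the DC logs
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. The DC audit failures name this host as the workstation, so verify its
#    machine-account secure channel before looking at the user accounts.
if (-not (Test-ComputerSecureChannel -Verbose)) {
    Write-Warning "Secure channel from $env:COMPUTERNAME to the domain is broken; repair with: Test-ComputerSecureChannel -Repair -Credential (Get-Credential)"
}

# 2. Account state as AD sees it: enabled, locked out, bad-password counter.
Get-ADUser -Identity $UserName -Properties Enabled, LockedOut, PasswordExpired, BadLogonCount, LastBadPasswordAttempt |
    Select-Object SamAccountName, Enabled, LockedOut, PasswordExpired, BadLogonCount, LastBadPasswordAttempt |
    Format-List

# Well-known NTSTATUS values seen in the Status/SubStatus fields of events 4625 and 4776.
$ntStatus = @{
    '0xC000006A' = 'wrong password'
    '0xC0000064' = 'user name does not exist'
    '0xC000006D' = 'logon failure (bad user name/password)'
    '0xC000006E' = 'account restriction (logon hours, workstation, etc.)'
    '0xC0000072' = 'account disabled'
    '0xC0000234' = 'account locked out'
    '0xC000015B' = 'logon type not granted on this host'
    '0xC0000133' = 'clock skew with the DC too large'
    '0xC000005E' = 'no logon servers available'
}
# Kerberos error codes seen in the Status field of event 4771.
$krbStatus = @{
    '0x6'  = 'client principal unknown'
    '0xE'  = 'encryption type not supported'
    '0x12' = 'client credentials revoked (disabled, locked out or expired)'
    '0x18' = 'pre-authentication failed (wrong password)'
    '0x25' = 'clock skew too large'
}

function ConvertFrom-EventData {
    # Flatten the <EventData> section of a Security event into a name -> value hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $h = @{}
    ([xml]$Event.ToXml()).Event.EventData.Data | ForEach-Object { $h[$_.Name] = $_.'#text' }
    return $h
}

# 3. Collect failed-authentication events for this user from every DC.
$since = (Get-Date).AddHours(-$Hours)
$rows = foreach ($dc in (Get-ADDomainController -Filter *)) {
    try {
        $events = Get-WinEvent -ComputerName $dc.HostName -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = 4625, 4771, 4776; StartTime = $since
        }
    } catch {
        Write-Warning "No matching events, or the Security log could not be read, on $($dc.HostName): $_"
        continue
    }
    foreach ($e in $events) {
        $d = ConvertFrom-EventData $e
        if ($d['TargetUserName'] -ne $UserName) { continue }
        # 4625 carries the precise cause in SubStatus; 4776 and 4771 use Status.
        $code = if ($d['SubStatus'] -and $d['SubStatus'] -ne '0x0') { $d['SubStatus'] } else { $d['Status'] }
        $reason = if ($e.Id -eq 4771) { $krbStatus[$code] } else { $ntStatus[$code] }
        if (-not $reason) { $reason = 'unknown; look the code up' }
        # The originating host is named differently in each event type.
        $ws = $d['WorkstationName']
        if (-not $ws) { $ws = $d['Workstation'] }
        if (-not $ws) { $ws = $d['IpAddress'] }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            DC          = $dc.Name
            EventId     = $e.Id
            Package     = $d['AuthenticationPackageName']   # NTLM vs Kerberos (4625 only)
            Workstation = $ws
            Code        = $code
            Reason      = $reason
        }
    }
}

$rows | Sort-Object Time | Format-Table -AutoSize
# Which DC / event / reason combinations dominate? A reason that differs per DC
# points at replication or secure-channel trouble rather than at the password.
$rows | Group-Object DC, EventId, Reason | Select-Object Count, Name | Sort-Object Count -Descending
```

Run it as, for example, `.\Test-VpnDomainAuth.ps1 -UserName jdoe -Hours 48` from an elevated PowerShell on the VPN server while the affected user retries the connection. NT authentication arrives at the DC as NTLM credential validation (event 4776 on whichever DC validated it), while a Kerberos pre-authentication failure shows up as 4771; if the RADIUS path points at an NPS server, NPS records its own denials as event 6273 in that host's Security log with a separate reason code, so check there as well when the RADIUS and NT results differ.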