Windows 2000-based member computers always authenticate with the PDC in a Windows NT 4.0 domain

This problem occurs when a Windows 2000-based computer is joined to a domain, and the join process caches the domain controller that was used to join the domain.

When the computer restarts for the first time after it joins the domain, the computer reads the cached information from the registry and then uses the cached domain controller to set up a security channel. This action makes sure that the computer communicates with the domain controller that has the correct account information. However, this cached information is not removed unless Kerberos authentication is used. Therefore, a Windows 2000-based host always uses the cached information to establish a security channel with the PDC.

In a Windows NT 4.0 domain, users, computers, and groups can only be created on the PDC of a domain. Therefore, all Windows 2000 clients that join a Windows NT 4.0 domain establish a security channel with the PDC on the first restart after the clients join the domain.

This behavior may contribute to the following problems:

• Higher network use occurs as Windows 2000-based member computers establish security channels and perform logon authentication exclusively with the Windows NT 4.0 PDC. Windows 2000-based member computers ignore local Windows NT 4.0 BDCs for logon requests in favor of the PDC across the wide area network (WAN).
• Higher CPU use and longer logon requests occur as Windows 2000-based member computers use the Windows NT 4.0 PDC exclusively for logon authentication. The PDC typically has the highest CPU and memory use of all domain controllers in a domain.

Cached information in the registry is used by the Net Logon service and Kerberos client components.

The expected behavior is that after Kerberos is finished with the cache info, it writes KerbIsDoneWithJoinDomainEntry in the \Netlogon\Parameters section of the registry. The Net Logon service is notified by the registry. The service deletes the cached information so that next time the service establishes the security channel, member computers use a generic domain controller that is discovered through the 1C query in Windows Internet Name Service (WINS).

However, when Windows 2000-based member computers are joined to a Windows NT 4.0 domain, Kerberos does not write KerbIsDoneWithJoinDomainEntry. Therefore, all Windows 2000-based member computers that join a Windows NT 4.0 domain always authenticate with the domain's PDC, unless the PDC is unavailable or unless the security channel is reset manually.

To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base: After Windows 2000 Service Pack 2 is installed on the member computer, the Net Logon service deletes the cached info without waiting for Kerberos when it joins Windows NT 4.0 domains.

To work around this problem, stop the Net Logon service on the PDC before the Windows 2000-based member computer starts. When you do this, the computer tries to authenticate with the PDC and then tries authentication with a BDC. After this behavior occurs, the computer uses expected behavior to find a domain controller for authentication instead of using the cached information.

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section of this article. This problem was first corrected in Windows 2000 Service Pack 2.

For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the following article number to view the article in the Microsoft Knowledge Base: