Slow Logon to Windows 2000 Domains

On a Win2k domain slow logon and DNS error problems are almost always a combination of:

1. Autosensing failure between switch and workstation NIC; you can use this matrix for some hints as to how to force the workstation nic settings:
[tt]
Workstation Switch Result

Forced Half Forced Half Works
Forced Full Forced Full Works
Auto Auto Maybe
Forced Full Auto NO
Auto Forced Full NO
Forced Half Forced Full NO
Forced Full Forced Half NO

[/tt]
2. DNS resolution issues.

Slow logons from XP to a win2000 domain usually indicate a DNS misconfiguration issue. While the following is not a fix-all for all AD-domain problems, it is an absolute requirement that DNS is set up correctly before it will work properly. If your DNS is not set up like this, then you will experience slow logon and other DNS problems. XP differs from previous versions of windows in that it uses DNS as it's primary name resolution method for finding domain controllers:
[color green]How Domain Controllers Are Located in Windows XP[/color]
http://support.microsoft.com/default.aspx?scid=kb;en-us;314861

If DNS is misconfigured, XP will spend a lot of time waiting for it to timeout before it tries using legacy NT4 sytle NetBIOS. (Which may or may not work.)

1. Ensure that the XP clients are all configured to point to the local DNS server which hosts the AD domain. That will probably be the Win2k server itself. They should NOT be pointing to an ISP's DNS server. An 'ipconfig /all' on the XP box should reveal ONLY the domain's DNS server. You should use the DHCP server to push out the local DNS server address.

2. Ensure DNS server on win2k is configured to permit dynamic updates. Ensure the win2k server points to itself as a DNS server using 127.0.0.1 as the DNS address.

3. For external (internet) name resolution, specify your ISP's DNS server not on the clients, but in the forwarders tab of the local Win2k DNS server. On the DNS server, if you cannot access the 'Forwarders' and 'Root Hints' tabs because they are greyed out, that is because there is a root zone (".") present on the DNS server. You MUST delete this root zone to permit the server to forward unresolved queries to yout ISP or the root servers. Accept any nags etc, and let it delete any corresponding reverse lookup zones if it asks.

The following articles may assist you in setting up DNS correctly:
[color green]Setting Up the Domain Name System for Active Directory[/color]
http://support.microsoft.com/default.aspx?scid=kb;en-us;237675

[color green]HOW TO: Configure DNS for Internet Access in Windows 2000[/color]
http://support.microsoft.com/default.aspx?scid=kb;en-us;300202

3. Asynchronous processing of logon commands.

You may experience extremely long delays (up to 5 minutes) when logging into domains using Windows XP Pro. This is caused by the asyncronous loading of networking during the boot up process. This speeds up the login process in a stand-alone workstation by allowing the user to log in with cached logon credentials before the network is fully ready.

To disable this "feature" and restore your domain logons to their normal speed, open the MMC and add the group policy snap-in. Under Computer Configuration-->Administrative Templates-->System-->Logon, change "Always wait for the network at computer startup and logon" to ENABLED.

This can be fed to clients via a group policy from a Windows 2000 server by upgrading the standard policy template with the XP policy template. Since this is an XP only command, non-XP systems will ignore it in a domain distributed group policy.