Q. All my Windows 2000 Server and Windows 2000 Professional domain member computers authenticate with only the PDC in my Windows NT Server 4.0 domain. How can I make them also authenticate with the BDCs?

John Savill

May 27, 2004

1 Min Read

A. Authentication traffic should be distributed between the PDC and the BDCs in your NT domain. However, a problem in Win2K causes all Win2K-based computers to authenticate only with the PDC. The problem occurs because when a Win2K machine joins the NT domain, the system initially creates a secure channel to the PDC, and that PDC is cached in the registry as the machine's domain controller (DC). Because NT 4.0 domains don't use Kerberos, the registry value KerbIsDoneWithJoinDomainEntry, which the Kerberos authentication subsystem writes after a join, is never set, and the Netlogon process, which waits for that value before clearing the cached DC, never clears it. Thus, the Win2K machines always communicate with the PDC and ignore all available BDCs, which overloads the PDC.

Microsoft fixed this problem in Win2K Service Pack 2 (SP2). As a workaround, you can stop the Netlogon service on the PDC. When the clients then fail to connect, they'll search for an alternative DC, which removes the PDC from their cache.
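The following batch script, added here as an example and not part of the original answer, checks on a Win2K member which DC its secure channel points at before and after the workaround above. It assumes the Windows 2000 Support Tools (nltest.exe) are installed on the member; MYDOMAIN is a placeholder for your NT 4.0 domain name.

```batch
@echo off
rem Added example, not from the article: verify the secure-channel DC of this
rem Win2K member before and after stopping Netlogon on the PDC.
rem Assumes nltest.exe from the Windows 2000 Support Tools is on the PATH.
rem MYDOMAIN is a placeholder for the NT 4.0 domain name.
set DOMAIN=MYDOMAIN

echo === Secure-channel DC before the workaround ===
rem Reports the cached secure-channel partner ("Trusted DC Name" line).
nltest /sc_query:%DOMAIN%

echo.
echo On the PDC, run as an administrator:  net stop netlogon
echo Then press any key to re-check this client.
pause >nul

echo === Secure-channel DC after the client re-discovers a DC ===
nltest /sc_query:%DOMAIN%

echo.
echo The "Trusted DC Name" line should now name a BDC instead of the PDC.
echo Remember to restart Netlogon on the PDC afterwards:  net start netlogon
```

If the second query still names the PDC, the client has not yet tried to contact the domain; a logon or an access to a domain resource forces the secure channel to be re-established against whichever DC answers.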
