You experience a long delay when you log on to a domain through a NAT server (843427)
The information in this article applies to:
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows Server 2003, Standard Edition
- Microsoft Windows XP Professional
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Server
SYMPTOMS
You may notice a delay when you log on to your domain account, and the logon may revert to NTLM authentication. This behavior occurs when the following conditions are true:
- You try to use Kerberos to log on to your domain account.
- The only domain controller that is available to service your logon is on the other side of a Network Address Translation (NAT).

CAUSE
This behavior occurs when the NAT does not translate the netlogon packet. When the DsGetDcName function is invoked, the address that the NAT returns in the DOMAIN_CONTROLLER_INFO structure is the real IP address of the domain controller.

RESOLUTION
To resolve this behavior, you must configure the network so that NAT does not deal directly with the netlogon packets. For additional information about configuring NAT, click the following article numbers to view the articles in the Microsoft Knowledge Base:
- 172227 Network Address Translators (NATs) can block Netlogon traffic
- 317509 Windows 2000 NAT Editors

WORKAROUND
To work around this behavior, you must configure a domain controller to be local to the clients so that NAT does not handle the netlogon packet.

STATUS
This behavior is by design.
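
To confirm the condition described under CAUSE on an affected client, the following added example (not part of the original article) parses the output of `nltest /dsgetdc:<domain>` and classifies the domain controller address that the locator returned. The sample output, host names, addresses, and the `nat_mapped_addresses` input (the addresses that the NAT presents for the domain controller on the client side) are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of `nltest /dsgetdc:corp.example` output (names and addresses are made up).
SAMPLE_NLTEST = r"""
           DC: \\dc01.corp.example
      Address: \\10.20.0.5
     Dom Name: corp.example
 Dc Site Name: Default-First-Site-Name
        Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN
The command completed successfully
"""

def parse_locator(text):
    """Return the 'Key: value' fields of nltest output, leading backslashes stripped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?):\s*(.*\S)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2).lstrip("\\")
    return fields

def check_locator_address(text, nat_mapped_addresses):
    """Classify the DC address the locator handed to a client behind NAT.

    nat_mapped_addresses: addresses the NAT presents for the DC on the client
    side (hypothetical input, taken from the NAT configuration).
    """
    raw = parse_locator(text).get("Address")
    if raw is None:
        return ("no-address", None)
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        # The locator can return a NetBIOS name instead of an IP address.
        return ("not-an-ip", raw)
    mapped = {ipaddress.ip_address(a) for a in nat_mapped_addresses}
    if addr in mapped:
        return ("translated", str(addr))
    # The client was given the DC's real address rather than the NAT-side one:
    # the condition the article ties to slow logon and NTLM fallback.
    return ("untranslated", str(addr))

if __name__ == "__main__":
    print(check_locator_address(SAMPLE_NLTEST, ["192.0.2.10"]))
```

A result of `untranslated` means the client received the domain controller's real address, which matches the cause described in this article.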

Modification Type: Major
Last Reviewed: 7/6/2004
Keywords: kbNAT kbKerberos kbnetwork_RouterIssues kbprb KB843427 kbAudITPRO