I am mugging up on Kerberos and wonder if anyone can confirm if I am barking up the right tree with any of my points. Can you nice folks confirm or comment on my points? 1) User ticket: I presume that if a user logs on to a domain and then for what ever reason cannot renew the ticket the user will be unable to access network resources? 2) Presumably a kerboros ticket can be renewed by any domain controller? Or does it have to be the originating DC where the ticket came from?

From what I gather kerberos is how 2003 authenticates users and services with the two types of tickets for Active Directory. What you said is correct if one assumes default settings and not a mixed environment. I don't know why you wouldn't be able to renew other than setup logon hours or system time being off. Someone might know how that could happen. Poor networks? I think the 2003 doesn't have the pdc setup rather a system of AD servers that can allow authentication. There is a thing on MS site about preventing too many users from trying to get authentication from one controller and how to adjust settings to spread out the load. I am still trying to learn all of this myself.