Windows 2003 AD question

Name: Gabe
Date: October 8, 2003 at 10:49:11 Pacific
OS: Windows 2003
CPU/Ram: 2.0Ghz/760
Comment:

Hi all,

A bit of a strange one: I migrated our small (125+ machines) network to Windows 2003 AD recently (AD is 2003 Interim w/ only 2k3 DC's and an NT4 BDC). The issue I'm seeing is that there are still some 30 machines that are still authenticating to the NT4 BDC and not to any of the two 2K3 DC's. For DNS on these clients, I have them pointing to DC1 only, and they STILL authenticate only to the NT4 BDC. What I've done as a "fix" is to remove the machine from the domain and re-join the domain. The machine then authenticates to one of the DC's.

Am I missing anything here? I can't figure this one out.

TIA,

Gabe



Response Number 1
Name: Gabe
Date: October 8, 2003 at 10:51:03 Pacific
Reply:

Oh, as an addendum, the clients that are authenticating only to the BDC are XP and W2K machines. They all log into the domain just fine, but I'd really like them to point to either of the DC's and pop up in DNS.


Response Number 2
Name: Glen
Date: October 9, 2003 at 12:54:22 Pacific
Reply:

The XP and w2k machines will try to authenticate to the machine that is 'closest' to them on the network. Do you have multiple subnets? And did you configure and add the subnets in AD? Do you have a local DC for that subnet and what DNS server are they using?


Response Number 3
Name: Gabe
Date: October 9, 2003 at 14:21:43 Pacific
Reply:

Hi Glen... I was hoping you'd reply!

We only have one subnet (.239.xxx). We have two local DC's for this subnet, and the clients point to DC1 and DC2 for DNS.


Response Number 4
Name: Glen
Date: October 10, 2003 at 11:37:28 Pacific
Reply:

What you are seeing is not your fault and I don't think you are missing anything. Actually, you are being rather observant by noticing they are not being authenticated by the PDCE (PDC Emulator) in w2k3. How do you know which machine they are authenticating to? SET L ? or some other means?

What you are seeing is most likely that the XP and w2k machines have not 'discovered' the other DCs. In very simplified terms they have a DC they are happy with and keep using it. Removing and readding them to the domain is certainly a fix but if you have a lot of machines, that can be a pain. The reality is that in the long run, doing what you are doing by readding them to the domain might be your easiest bet. Am I correct in assuming this used to be an NT4 domain? Check out Microsoft KB article number 309273 - it may help.

I'm not sure what you mean about popping up in DNS. They should register themselves in DNS unless that problem is related to the first. Check out the article and if you still have questions, post another message and we can go from there.

Good luck.


Response Number 5
Name: Gabe
Date: October 10, 2003 at 11:58:53 Pacific
Reply:

Hi Glen,

Thanks for your replies on my other thread!

1. Yes, the way I can tell what DC they're logging in to is with "set l".

2. Yes, this was an NT4 domain upgraded to a 2003 AD. I'm just a little surprised that they continue to point to the NT4 BDC when, in some cases, I've only put DC1 and DC2 IP addresses as their preferred and alternate DNS servers. I thought that would almost "force" the clients to find a W2K3 DC vs. continuing to authenticate to an NT4 BDC. Do you think at "some" point these clients will point to either DC1 or DC2? Authenticating to the BDC certainly doesn't seem to affect any of their access, so maybe it's not a huge deal.

3. When I said, "popping up in DNS", I was making the assumption that a workstation would only register itself in DNS if it was touching a W2K3 DC. I've noticed that my boss's machine, which is still authenticating to the NT4 BDC, is not in DNS and is not affected by a test GPO I've created (that works on the other machines that have authenticated to a DC).

4. A workstation HAS to touch a W2K3 DC in order for it to apply a GPO, right (versus authenticating to an NT4 BDC)?

Gabe


Response Number 6
Name: Glen
Date: October 10, 2003 at 20:25:43 Pacific
Reply:

You ask some good questions. I've never worked with NT BDC's in w2k too much so I can't speak from experience on this one but, you would need to have access to a w2k dc for the GPOs. If you already have 2 local DCs for 125 users do you really need those NT BDCs? You could stop the NETLOGON service on the BDCs and see if the XP clients will find the other DCs.

Personally, I think I'd re-add the problem machines to the domain like you have been doing. In the long run I think that might serve you best.

Good luck with it.


Response Number 7
Name: Marc
Date: November 16, 2003 at 06:22:44 Pacific
Reply:

This is by product design:

309273 Windows Server Members Still Authenticate with BDCs After PDC Is Upgraded
http://support.microsoft.com/?id=309273


Response Number 8
Name: shekar2001
Date: November 18, 2003 at 04:28:55 Pacific
Reply:

Have a similar problem.
I have a DC on one subnet, say subnet 20, and the workstations are in subnet 21.
I'm trying this in my lab.
I found that Windows 2000 workstations find the domain controller easily on the other subnet.
I've set up a router between the two subnets.
Both the DC and the workstations reach each other.
The problem is that a Windows 98 with DS-client does not log on to the Windows 2003 DC (which is on the different subnet 20).
It works fine if Windows 98 is in the same subnet as DC.

