
Forcing XP to authenticate on local DC

n00blar (MIS, US), Aug 19, 2003
I've done a search and wasn't able to find the appropriate answer to my question/issue.

Recently I added a DC (Win 2003) to one of my remote locations; however, users at this location are still being authenticated by the DC at the corporate LAN. I noticed that they're caching their LOGONSERVER even though I've manually set LOGONSERVER=\\NEWDC. At a restart this variable seems to get a new value, a cached value.

1.) How can I tell these computers (XP Pro SP1) to look for a DC (Win 2003) on their LAN rather than go across the WAN link? FYI, all my DC are Windows 2003.
2.) To minimize traffic on the WAN link should I setup the remote DC as a DNS and DHCP server? I have many remote locations and just want to make sure I deploy these servers in the proper way.

Thanks for your time.
 
Once the replication arrangements between DCs are established, the process is automatic:

"When a client logs on or joins the network, the client must be able to locate a domain controller. The client sends a DNS Lookup query to DNS to find domain controllers, preferably in the client's own subnet. Therefore, clients find a domain controller by querying DNS for a record of the form:
_LDAP._TCP.dc._msdcs.domainname

After the client locates a domain controller, the client establishes communication by using Lightweight Directory Access Protocol (LDAP) to gain access to Active Directory. As part of that negotiation, the domain controller identifies which site the client is in, based on the IP subnet of that client. If the client is communicating with a domain controller that is not in the closest (most optimal) site, the domain controller returns the name of the client's site.

If the client has already tried to find domain controllers in that site (for example, when the client sends a DNS Lookup query to DNS to find domain controllers in the client's own subnet), the client uses the domain controller that is not optimal. Otherwise, the client performs a site-specific DNS lookup again by using the name of the optimal site. The domain controller uses some of the directory service information for identifying sites and subnets.

After the client locates a domain controller, the domain controller entry is cached. If the domain controller is not in the optimal site, the client flushes the cache after 15 minutes and discards the cache entry. The client then attempts to find an optimal domain controller in its own site.

After the client has established a communications path to the domain controller, the client can establish its logon and authentication credentials and, if necessary for Windows-based computers, set up a secure channel. The client then is ready to perform normal queries and search for information against the directory."

See: How Domain Controllers are Located in Windows XP
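The locator sequence quoted above has a few points where a branch client can silently fall back to a DC across the WAN: the new DC never registered its SRV records, the client's IP subnet is not mapped to the branch site, so the DC cannot tell the client which site it is in, or the client is still using the cached (non-optimal) entry. The following PowerShell script, added here as an illustration and not part of the original thread or the Microsoft document, walks those checks in the same order as the quoted text. It assumes a domain-joined Windows client with the DnsClient module (Resolve-DnsName, Windows 8/Server 2012 or later) and, for the final subnet check, the RSAT ActiveDirectory module; on an XP-era host the equivalent DNS queries are `nslookup -type=SRV <name>`.

```powershell
# Added diagnostic example; not from the original thread. Assumes a domain-joined
# client with Resolve-DnsName (DnsClient module) and, for the last step, RSAT
# ActiveDirectory. Domain and site names are read at run time; nothing here is
# specific to the poster's NEWDC.
#Requires -Version 5.1

$domain = $env:USERDNSDOMAIN.ToLower()

# 1. Which DC this session actually logged on against. This variable is set BY the
#    logon, so editing it by hand (as in the question) changes nothing: the locator
#    keeps its own cache and overwrites the variable at the next logon.
"LOGONSERVER for this session: $env:LOGONSERVER"

# 2. The domain-wide record from the quoted text: _ldap._tcp.dc._msdcs.<domain>.
#    If the branch DC is absent here it never registered its SRV records
#    (run 'nltest /dsregdns' on that DC and check its DNS client settings).
$dcRecords = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop
"Domain-wide DC SRV records:"
$dcRecords | Where-Object Type -eq 'SRV' |
    Format-Table NameTarget, Priority, Weight, Port -AutoSize

# 3. The site the DC assigns to this client, derived from the client's IP subnet.
#    A failure (ERROR_NO_SITENAME) or the hub site name means the client's subnet is
#    not mapped to the branch site in AD Sites and Services; in that case the
#    locator has no reason to prefer the local DC regardless of DNS.
$siteOut = nltest /dsgetsite 2>&1
if ($LASTEXITCODE -eq 0) {
    $site = ($siteOut | Select-Object -First 1).Trim()
    "Client site per DC locator: $site"
} else {
    $site = $null
    "Site lookup failed: $($siteOut -join ' ')"
}

# 4. The site-specific record the locator queries once it knows the site:
#    _ldap._tcp.<site>._sites.dc._msdcs.<domain>. The branch DC must appear here.
if ($site) {
    $siteRecords = Resolve-DnsName -Name "_ldap._tcp.$site._sites.dc._msdcs.$domain" `
        -Type SRV -ErrorAction SilentlyContinue
    "DCs registered for site '$site':"
    $siteRecords | Where-Object Type -eq 'SRV' | Format-Table NameTarget, Port -AutoSize
}

# 5. Discard the cached DC entry and run the locator again right now, instead of
#    waiting for the 15-minute refresh described in the quoted text.
nltest /dsgetdc:$domain /force

# 6. From a machine with RSAT: list the subnet-to-site mappings that step 3 depends
#    on. The branch's client subnet must be present and point at the branch site.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    Get-ADReplicationSubnet -Filter * |
        Select-Object Name, @{ n = 'Site'; e = { ($_.Site -split ',')[0] -replace '^CN=' } } |
        Sort-Object Site | Format-Table -AutoSize
}
```

Read the output top to bottom: if step 2 lacks the branch DC, fix registration on that DC first; if step 3 returns no site or the hub site, add the branch subnet under the branch site in AD Sites and Services and wait for replication; only once steps 2 to 4 all show the branch DC is a stubborn client worth resetting with `nltest /dsgetdc:<domain> /force` (and, for its secure channel, `nltest /sc_reset:<domain>\<dcname>`). Note that the script checks the `_ldap` locator records only; Kerberos (`_kerberos._tcp`) and the GC records follow the same `_msdcs` naming pattern and can be checked the same way.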
 
bcastner,

Thanks for your reply. I've read this document and done pretty much all that and followed several suggestions from other Microsoft's docs and my XP Pro workstations are still going across the WAN link to get authenticated. None of them are being authenticated by their local DC. I've confirmed that there is a SRV record in DNS that points to the new DC; I just can't figure out why the workstations insist on going across the wire.
 