After visiting several clients that had set up their own small Win2k Active Directory domains (with Win2k Professional...
as the workstation standard), I came across a common error made by novice administrators -- Win2k Pro took upwards of 2 minutes to actually log on to an Active Directory domain controller. Investigating further, I also found that each time the user logged in, an event was generated in the event log on the workstation.
Problem: In every case, the ISP's DNS entries had been assigned to the workstations (either manually, or by DHCP). Before Win2k was around, this setup would be 50% valid (caching on an internal DNS server would be preferred, as it generated less DNS resolutions outside of the LAN) and would be the setup seen in most IT shops.
Resolution: Assign the Win2k server running the DNS service on the internal LAN as the DNS server of all Win2k Professional clients. Then, on the internal DNS server, delete the "." zone, restart the service and add your ISP's DNS entries, so that the DNS server is not a DNS ROOT server, but instead a DNS FORWARDER. This will allow your internal DNS server to resolve internal as well as external queries for clients. (This will also result in DNS entries being cached for internal clients, and less outbound traffic for internet DNS queries).
Reason: Win2K Pro uses DNS to locate domain controllers (the new SRV records...Microsoft wasn't kidding when it said that Win2k relies heavily on DNS). The reason for the long logon is that the Win2k workstation is querying a non-Win2K DNS server for records that only exist in WIn2k compliant DNS servers.