You want to disable the requirement for a global catalog server to be reachable when a user logs into a Windows 2000 domain.
Open the Registry Editor (regedit).
In the left pane, expand HKEY_LOCAL_MACHINE System CurrentControlSet Control.
Right-click on LSA and select New Key.
Enter IgnoreGCFailures for the key name and hit enter.
Restart the server.
> reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA\IgnoreGCFailures /ve > shutdown /r
' This code enables the IgnoreGCFailres registry setting and reboots strLSA = "HKLM\SYSTEM\CurrentControlSet\Control\LSA\IgnoreGCFailures\" Set objWSHShell = WScript.CreateObject("WScript.Shell") objWSHShell.RegWrite strLSA, "" WScript.Echo "Successfully created key" WScript.Echo "Rebooting server . . . " objWSHShell.Run "rundll32 shell32.dll,SHExitWindowsEx 2"
With Windows 2000, a global catalog server must be contacted for every login attempt; otherwise, the login will fail (unless there is no network connectivity, which would result in a cached login). This is necessary to process all universal groups a user may be a member of. When a client attempts to authenticate with a domain controller, that domain controller contacts a global catalog server behind the scenes to enumerate the user's universal groups. See Recipe 7.9 for more details. If you have domain controllers in remote sites and they are not enabled as global catalog servers, you may run into a situation where users cannot login if the network connection to the network with the closest global catalog server fails.
Although there is a plausible workaround in Windows Server 2003 Active Directory (see Recipe 3.24), the only option you have available with Windows 2000 is to have the domain controllers ignore GC lookup failures. You can do this by adding an IgnoreGCFailures registry key under HKLM\SYSTEM\CurrentControlSet\Control\LSA on the domain controller(s) you want this to apply to. If you use universal groups in any capacity, having the domain controllers ignore GC failures can be very problematic because a user's token may not get updated with his universal group memberships. It may be useful, though, if you have branch-office sites where you cannot deploy domain controllers.
Recipe 3.24 for disabling the global catalog requirement for Windows Server 2003, Recipe 7.9 for enabling universal group caching, MS KB 216970 (Global Catalog Server Requirement for User and Computer Logon), and MS KB 241789 (How to Disable the Requirement that a Global Catalog Server Be Available to Validate User Logons)