Network Overview Hi, I have a Windows 2003 Domain with Windows XP SP3 workstations. Main location A has two domain controllers (one physical running Windows 2003 and one virtual running Windows 2008 R2), Exchange 2007 (Outlook Anywhere enabled) and File Server. IP's 172.25.x.x. Secondary location B has one domain controller (Windows 2003) as there are less than a dozen users. This DC serves as a File Server as well. IP's 198.168.x.x. Each site has it's own internet access connection dedicated to a site-to-site VPN. No ports are being blocked. Problems 1. When logging on with some domain accounts that normally log on at location A, when logging on at location B onto a Windows XP workstation, it can take 20 minutes before the desktop finally appears. When logging on using a local, non-domain user, the desktop comes up in 10 seconds. 2. Other users log on normally at location B and the desktop appears in 10 seconds or so. However, when they start Outlook (Exchange Server is in location A), it can take 5 minutes before Outlook is fully connected and online with Exchange. Troubleshooting Errors on Workstation - Event ID: 13 Source: AutoEnrollment Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005). Access is denied. Source: AutoEnrollment. Event ID: 13 - Windows System Event The Security System could not establish a secured connection with the server DNS/chia.arin.net. No authentication protocol was available. Time: 4:00:48. Source: LSASRV. Category: SPNEGO (Negotiator). Event ID: 40961. - Windows System Event The Security System detected an attempted downgrade attack for server cifs/x.x.local. The failure code from authentication protocol Kerberos was "No authority could be contacted for authentication. (0x80090311)". Source: LSASRV. Category: SPNEGO (Negotiator). Event ID: 40960. - Windows System Event The Security System could not establish a secured connection with the server ldap/xxx.xx.local/x.local@x.LOCAL. No authentication protocol was available. Source: LSASRV. Category: SPNEGO (Negotiator). Event ID: 40960. - The description for Event ID 40960 from source LSASRV cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. If the event originated on another computer, the display information had to be saved with the event. The following information was included with the event: ldap/x.x.local/x.local@x.LOCAL Kerberos "No authority could be contacted for authentication. (0x80090311)" the message resource is present but the message is not found in the string/message table - On the domain controller at location B, when logging on with some domain accounts that normally log on at location A, the desktop comes up in a few seconds. First Resolution There was no reverse DNS lookup on location B's domain controller so that's been added. However, the above problems continue. What else should I check?