XP Pro workstation: "windows cannot connect to the domain"

This is a Windows Server 2003 network.  I have two XP Pro workstations that intermittently cannot authenticate to the domain.  If I log in locally and browse the entire network, I can see the domain and the server, and I can authenticate to the server.  If I go to Control Panel, System, I can change the network settings on the workstation to member of workgroup "ABC".  I reboot the system, then go back to Control Panel, System, change the network settings back to member of domain "xyz.local", reboot, and authenticate to the domain.  It's very strange that sometimes it works and sometimes it doesn't.

All the workstations are set up for DHCP.  ipconfig /all shows three DNS servers: the first one is the IP address of the server, followed by the IP addresses of Comcast's DNS servers.  I can go to a DOS prompt and ping "xyz.local" and get a reply from the IP address of the server.

This is perplexing!
You cannot mix internal and external DNS servers on workstations.  In a domain, you need all your workstations to point to DNS servers on Domain Controllers for your domain.  All your workstations should be pointing to internal Domain Controllers.  If you would like, you can set up forwarders on your DNS servers.  This means that all DNS requests will be sent to your internal DNS servers.  If your DNS server cannot resolve the requested name, it will forward the request to the IP address of your choice (Comcast DNS servers).  This is the way it has to be.  Active Directory uses DNS servers for a lot of different things and you can't guarantee which DNS server it will try, even if it's at the top of the list.  Workstations expect to find AD-specific information about your domain on their DNS servers.
Fatal_Exception (Systems Engineer) commented:
Adam, again, pretty much covers your problem...  Always use internal DNS servers and only them for authentication..  Never put an external public DNS server on a client in a domain...

To enable forwarders, open your DNS console on your DC, right-click your server name, select Properties, Forwarders tab..  then place your external public DNS there...

Here is the proper way to configure DNS on 2003:


So many times have I gotten new clients because another so-called MS Server expert was hired to come in and configure their domain...  I am constantly amazed that these 'experts' do not understand the very basics of setting up a DC, and DNS....  But, hey, if they did know what they were doing, I guess I would not be needed, eh?  :)
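The two answers above describe one procedure: hand the workstations only the internal DC as their DNS server, and let the DC reach the ISP's resolvers through forwarders. The script below is an added example, not code from the thread; it carries out both steps from the command line and then checks the result the way a practitioner would. All addresses are assumptions chosen for illustration (DC and DNS server at 192.168.1.10, DHCP scope 192.168.1.0, Comcast resolvers 75.75.75.75 and 75.75.76.76), as is the XP adapter name "Local Area Connection"; substitute your own. The server section needs the DHCP admin tools and dnscmd (Windows Server 2003 Support Tools) on the DC; nltest on the client comes from the XP Support Tools.

```batch
@echo off
REM Added example for the thread above, not the original poster's or answerers' code.
REM ASSUMED values (replace with yours):
REM   DC / internal DNS server for xyz.local : 192.168.1.10
REM   DHCP scope served by that DC           : 192.168.1.0
REM   ISP (Comcast) resolvers                : 75.75.75.75 75.75.76.76
REM   XP network adapter name                : Local Area Connection
REM Usage:  fixdns.cmd server   (run on the Windows Server 2003 DC)
REM         fixdns.cmd client   (run on each XP Pro workstation, as local admin)
setlocal
set DC=192.168.1.10
set SCOPE=192.168.1.0
set ISPDNS=75.75.75.75 75.75.76.76
set DOMAIN=xyz.local
set ADAPTER=Local Area Connection

if /i "%1"=="server" goto server
if /i "%1"=="client" goto client
echo usage: %~nx0 server ^| client
goto :eof

:server
REM 1. DHCP scope option 006 (DNS Servers): hand out ONLY the internal DC.
REM    Listing the ISP resolvers here is exactly the mistake the thread describes;
REM    a client that happens to query them gets no AD SRV records at all.
netsh dhcp server %DC% scope %SCOPE% set optionvalue 006 IPADDRESS %DC%
netsh dhcp server %DC% scope %SCOPE% show optionvalue

REM 2. Forwarders: the DC answers internal names itself and forwards everything
REM    else to the ISP.  Same effect as DNS console > server Properties >
REM    Forwarders tab.  /ResetForwarders replaces the whole list.
dnscmd %DC% /ResetForwarders %ISPDNS%
dnscmd %DC% /Info

REM 3. Prove the DC publishes the SRV record clients use to find a DC.
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN% %DC%
goto :eof

:client
REM 1. Drop any manually entered DNS servers and take DNS from DHCP again,
REM    then pull the corrected option 006 and clear the resolver cache.
netsh interface ip set dns "%ADAPTER%" dhcp
ipconfig /renew
ipconfig /flushdns

REM 2. Check: the "DNS Servers" entry must list %DC% and nothing else.
ipconfig /all

REM 3. The real test.  If the SRV lookup fails or nltest cannot find a DC,
REM    the workstation is still resolving against the wrong server.
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN%
ipconfig /registerdns
nltest /dsgetdc:%DOMAIN%
goto :eof
```

Run the server half once, then the client half on each affected XP box. The intermittent behaviour in the question is expected before the fix: the XP resolver does not always fall back in list order, so whichever query lands on a Comcast resolver returns no _msdcs SRV records and the domain logon fails until a later query happens to hit the DC.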


Fatal_Exception (Systems Engineer) commented:
thank you