Finding the KDC

When the Kerberos SSP wants to send an initial authentication request to the KDC in a user's account domain, it must locate a domain controller for that domain. It finds the domain controller by using the domain controller locator. For more information about the locator, see "Active Directory Logical Structure" in this book.

The locator can find only KDCs that are in Active Directory–based domains. When computers that are running Windows 2000 participate in other Kerberos realms, the Domain Name System (DNS) names for KDC servers must be stored in the client computer's registry. The Kerberos SSP looks in the registry for the DNS domain name of the user's Kerberos realm and then resolves this name to an Internet Protocol (IP) address by querying a DNS server.