Hello all,

Here's a problem I've been battling for a few weeks. I have an Active Directory domain with a trusting NT resource domain (i.e. NT domain trusts AD domain). The users in the AD domain log on to NT4 PCs in the resource domain.

At each logon, the Kix cache has to be re-populated which delays logons significantly (obviously), especially over my slower links. So, upon more investigation I find that the "CacheAge" value is not being written to the TokenCache registry key, and it looks like the cached group list is incomplete (only grabbing about 2/3 of the groups). Essentially, Kix doesn't know it's supposed to be maintaining the cache because there's no CacheAge value, so it repopulates. If I force the CacheAge value to be there (through a reg hack), the logon speeds immediately improve.

The Event Log on the NT4 PC has a corresponding error: "Event ID 1332. Failed to resolve SID(s) Error : No mapping between account names and security IDs was done. (0x534/1332)." My thoughts are the cache starts populating, Kix can't resolve the SID to an account name, so Kix aborts the caching process prior to writing the CacheAge value.

The NT workstations are using the resource domain's WINS and DNS. If I move the machine to the AD domain AND use the AD domain's DNS the cache gets populated, the CacheAge gets set and all is well.

I think it's a name resolution issue at the DNS in the resource domain, and Kix is only a symptom so that's where I'm focusing attention now. It has similarities to this recent thread. Anyone have any thoughts or seen behaviour like this?

Thanks,
Steve