When you upgrade to Win2K, you should upgrade at least two domain controllers (DCs). Then, if you have to stop one Win2K DC, the other Win2K DC can act as the PDC to older NT 4.0 DCs. If you have only one Win2K DC and you have to stop it, you have to promote an NT 4.0 BDC to PDC. Doing so loses all Active Directory (AD) information, and you can't bring the Win2K DC back into the domain because a Win2K DC can't act as a BDC to an NT 4.0 PDC.

The behavior you're encountering is actually a design "feature." The idea behind this feature was that the Win2K clients understand group policy concepts, so—where possible—they should log on to a Win2K DC. However, this feature causes the Win2K clients to use the Win2K DC for all authentication, which overloads the machine. Contact Microsoft Support Services and request hotfix Q284937. Applying this fix to the Win2K DCs should resolve this issue.