Windows clients should only make a Net Logon locator request to real Active Directory DCs, not MIT KDCs. If this is not the case then it seems likely that this is a bug in the Windows Kerberos client. -- Luke