The Contact PDC on logon failure machine setting should be configured correctly. Defines whether a domain controller (DC) should attempt to verify with the PDC the password provided by a client if the DC failed to validate the password. Contacting the PDC is useful in case the client's password was recently changed and did not propagate to the DC yet. Users may want to disable this feature if the PDC is located over a slow WAN connection Fix: (1) GPO: Computer Configuration\Administrative Templates\System\Net Logon\Contact PDC on logon failure (2) KEY: HKLM\Software\Policies\Microsoft\Netlogon\Parameters\AvoidPdcOnWan