If your Windows 2000 Server is performing Network Address Translation (NAT), or Internet Connection Sharing (ICS), all down-level clients who try to log onto the domain will receive:
A domain controller for your domain could not be contacted. You have been logged on using cached account information. Changes to your profile since you last logged on may not be available.
In addition, if any domain controller is behind a NAT server, you won't be able to establish inter-domain trusts.
NOTE: The error message may vary, but in all cases, it is a Netlogon process.
Windows 2000 clients and domain controllers don't have this problem, because Windows 2000 doesn't use Netlogon for domain logons.
NOTE: You will experience GPO assignment problems with Windows 2000 clients, because direct hosting of SMB over TCP/IP is carried inside the NetBIOS header.
NOTE: NET USE works because the NetBIOS header contains the client name.
You can workaround this problem by creating a Routing and Remote Access (RRAS) Virtual Private Network (VPN) tunnel for Netlogon traffic.
