SQL Server hitting the network for NT account verification has got to be a factor in here somewhere. I am by no means conversant with the subject, but if you're granting SQL Login access to NT security groups, SQL has to be going out to the network to check what groups a login attempting to establish a connection is a member of. Heck, it would probably have to do that if you granted access rights to any groups, just to make sure all rights are properly applied.

(Presumably, if you permit direct access to NT users and only NT users, the NT security token presented to SQL Server would be sufficient authentication--but that is a presumption.)

Darn good questions relating to the DCs. Any network gurus out there?

Philip