Check out this white paper on the Windows 2000 authentication process: http://www.microsoft.com/windows2000/techinfo/howitworks/security/kerberos.asp. Microsoft usually recommends a T1-speed or better connection if you are going to be authenticating clients over a WAN link; however, your decision will need to be based on your actual network usage and traffic patterns. You can configure separate sites to fine-tune the way that network traffic is handled on your network. For example, any Software Installation and Folder Redirection settings will not take place over a link that you have designated as a "slow link." Your other option would be to place a local controller in heavily-used remote sites; this decision will need to be based on your ability to remotely secure and administer a machine in an off-site location.
This was first published in March 2004