Active Directory and Win98 and NT 4.0 clients


Lamar Thomas

If I upgrade my NT 4.0 domain to Win. 2003 AD and raise the functional level
will my Win 98 and NT 4.0 client still be able to log onto the domain? I
thought I read somewhere that I had to install some software to make them
able to see AD objects or something. Thanks for any input.


Lamar
 
Lamar Thomas says...
If I upgrade my NT 4.0 domain to Win. 2003 AD and raise the functional level
will my Win 98 and NT 4.0 client still be able to log onto the domain? I
thought I read somewhere that I had to install some software to make them
able to see AD objects or something. Thanks for any input.


Lamar
Hello Lamar,

Your NT and W98 workstations will be working; the only thing you have to take
care of is the increased security. The domain and/or forest functional level
does not affect clients or member servers - it's just for the DCs.

However, to enable your clients to work with the AD Domain in a more performant
way, MS recommends installing the Active Directory Client (it's different
between NT and W9x).

http://support.microsoft.com/?id=288358
http://support.microsoft.com/?id=323466

Gruesse - Sincerely,

Ulf B. Simon-Weidner
 
Lamar Thomas said:
If I upgrade my NT 4.0 domain to Win. 2003 AD and raise the functional level
will my Win 98 and NT 4.0 client still be able to log onto the domain? I
thought I read somewhere that I had to install some software to make them
able to see AD objects or something. Thanks for any input.

Yes (to the functional level change.) Functional levels are
practically unrelated to "client machines". Native mode and
such are about DCs (no BDCs allowed) and new features
of AD being enabled.

One big caveat: When you have Win2003 DCs the older
clients (NT, 9x) may initially have trouble authenticating or
accessing resources since the DEFAULT for Win2003
DCs is to require "SMB signing."

Add the DCClient (aka: Active Directory Client Upgrade)
and/or the latest NT service packs to these machines to allow
them to participate.
 
Herb Martin said:
Yes (to the functional level change.) Functional levels are
practically unrelated to "client machines". Native mode and
such are about DCs (no BDCs allowed) and new features
of AD being enabled.

If the 2003 Domain is in Native Mode older clients like Win95 and DOS Client
will not connect. If it is left in compatibility mode (2000 mode) the old
clients will connect fine. We have old DOS clients here, a Teleprompter,
Doppler Radar equipment (we're a TV Station). We upgraded our Domain from
2000 to 2003, and the functional level remained in the mode compatible with
2000 because for a period of time there were both 2000 DCs and 2003 DCs
running at the same time. However, after removing the last 2000 DC I left the
functional level where it was and did not change it. If I had elevated it
then our older equipment would no longer be able to authenticate.
 
If the 2003 Domain is in Native Mode older clients like Win95 and DOS Client
will not connect. If it is left in compatibility mode (2000 mode) the old
clients will connect fine.

I have never heard this, but then Win95 and DOS clients aren't
common around here. Do you have any references for this?

It certainly isn't true of 9x or NT clients.

The problem is likely SMB signing, not Native mode.

Native mode really doesn't affect the clients - unless you have
some other evidence.....
 
Herb Martin said:
It certainly isn't true of 9x or NT clients.

That's true. It is the case with Win95 and older and NT4 prior to SP3.

The problem is likely SMB signing, not Native mode.

I believe it is related to SMB signing but that there may be a difference in
the way that is handled in a 2003 domain running in 2000 compatibility mode.
This whole thing was not an issue in a 2000 Domain but obviously it is with
2003, yet I have left our system in 2000 mode even after the last 2000 DC
was removed and all our old DOS systems are perfectly happy, and I
certainly didn't do anything special to accommodate them apart from just not
advancing the domain to 2003 mode. I made no adjustment to how SMB signing
is handled. I didn't even know about it until way after our system was
set up as it is.

Here's the only article I know of, and you are probably already aware of it.
It may not fully explain my situation, but my results can't be ignored. I
am confident that if I bumped the system up to 2003 mode those old clients
would immediately no longer function with the 2003 domain.

811497 - Error Message When Windows 95 or Windows NT 4.0 Client
Logs On to Windows Server 2003 Domain
http://support.microsoft.com/default.aspx?scid=kb;en-us;811497
 
See this article for details about compatibility issues:
Client, Service, and Program Incompatibilities That May Occur When You
Modify Security Settings and User Rights Assignments:
http://support.microsoft.com/default.aspx?scid=kb;en-us;823659

The increased security in Win2003 will affect clients due to SMB signing
and DC access policies. Win9x and Windows NT4 pre-SP4 require changes
to the default policies:
- Disable SMB signing
- Network access, allow anonymous SID look-up

This is fully documented in the deployment kit and the above KB article.

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Directory Services
---------- www.qadvice.com ----------
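
As an added example (not part of any post in this thread), one way to see where a DC stands on the two settings named above is to parse a policy export produced by `secedit /export /cfg`. The function name `audit_dc_policy` is hypothetical and `SAMPLE_INF` is constructed sample text, not real output.

```python
# Added example: audit a `secedit /export /cfg` policy export for the two
# settings the thread names. SAMPLE_INF is constructed, not real output.
import configparser

LANMAN = r"MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters"

SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[System Access]
LSAAnonymousNameLookup = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
"""

def audit_dc_policy(inf_text):
    """Return the SMB-signing and anonymous-lookup state found in the export."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(inf_text)  # real exports are UTF-16: open(path, encoding="utf-16")

    def reg_dword(name):
        # Registry lines look like <key path>=<type>,<data>; type 4 is REG_DWORD.
        raw = cp.get("Registry Values", LANMAN + "\\" + name, fallback=None)
        return None if raw is None else int(raw.split(",", 1)[1])

    require = reg_dword("RequireSecuritySignature")
    enable = reg_dword("EnableSecuritySignature")
    anon = cp.get("System Access", "LSAAnonymousNameLookup", fallback=None)
    result = {
        "smb_signing_required": None if require is None else require == 1,
        "smb_signing_enabled": None if enable is None else enable == 1,
        "anonymous_sid_lookup": None if anon is None else int(anon) == 1,
    }
    # Clients that cannot sign SMB traffic are refused only when signing is required.
    result["unsigned_clients_refused"] = result["smb_signing_required"] is True
    return result

if __name__ == "__main__":
    for setting, value in audit_dc_policy(SAMPLE_INF).items():
        print(f"{setting}: {value}")
```

A value of `None` means the setting was absent from the export, so the effective value has to be checked on the DC itself.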
 