Supporting Windows Clients During Coexistence

While planning and implementing a migration, it is important to review and determine the support requirements for domain clients. Ensuring effective Windows client network authentication and access to domain objects should be considered as important as upgrading the domain servers.

When installing Windows Server 2003, the Windows Setup Manager warns you that the Windows Server 2003 operating system does not support certain Windows clients. This is by design: Windows Server 2003 upgrades NTLM authentication from version 1 to NTLM version 2, which prevents older Windows 95, Windows 98, and Windows NT 4.0 clients from accessing network resources unless additional software is installed to support connectivity to Active Directory.

There are two methods by which support for these clients can be enabled: installing the Active Directory Client, or enabling support for NTLM version 1 through the local security policy on the Windows Server 2003 domain controllers.

In addition to supporting legacy clients on the domain, another area to consider is authentication performance for existing clients during coexistence and domain controller upgrades.

Load Balancing Domain Authentication

As Windows Server 2003 domain controllers are introduced into a Windows NT domain, the first domain controller to be upgraded takes on the role of PDC emulator. Once upgraded, this single domain controller is responsible for providing domain services to all other domain controllers, as well as domain authentication for all existing Windows 2000 and Windows XP client systems accessing the domain.

Organizations with large numbers of Windows 2000 and Windows XP clients, as well as legacy clients such as Windows NT and Windows 98, can experience PDC locator overload in this configuration. PDC overload can affect performance of the PDC emulator and prevent proper network authentication to client systems as well as replication of network changes.

Avoiding PDC Emulator Overload

To avoid PDC emulator overload, install and configure additional Windows Server 2003 domain controllers and configure each of them to emulate Windows NT 4.0 domain services.

Also, upgrading client computers during a migration without adding domain controllers can affect PDC performance and load balancing.

Configuring PDC Emulation on Windows 2003 Domain Controllers

To configure a Windows Server 2003 domain controller to emulate a Windows NT domain controller, make the following change to the Registry of the domain controller:

  1. Open the Windows Registry Editor on the server to be upgraded by selecting Start, Run. Type regedit and select OK.

  2. Navigate to the Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.

  3. Add a REG_DWORD value named "NT4Emulator" to this key and set its data to 0x1.

After the Server Upgrade Is Complete...

After the server upgrade is complete, modify the server Registry and configure the Windows Server 2003 server to perform Windows NT domain PDC emulation before running the Active Directory Installation Wizard.

Modifying the Registry Setting

Modifying this Registry setting also changes the method by which the new domain controller performs Domain Name System (DNS) lookups. After the Registry setting is in place, Windows Server 2003 domain controllers use the Windows NT 4.0-compatible locator process to perform DNS lookups.

After all client upgrades are complete, modify the Registry setting on each domain controller to reverse the change (remove the NT4Emulator value added earlier) and re-enable the Windows Active Directory IP locator process.
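The three Registry steps above, the instruction to apply them before the Active Directory Installation Wizard, and the later reversal can be scripted so that each domain controller's state is checked rather than assumed. The following is an added example, not from the book; it assumes PowerShell 2.0 or later in an elevated session on the Windows Server 2003 domain controller (the function names are this example's own).

```powershell
# Added example, not from the book: set, check and later remove the NT4Emulator
# value described in the steps above. Assumes PowerShell 2.0 or later in an
# elevated session on the Windows Server 2003 domain controller.
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-NT4EmulatorState {
    $props = Get-ItemProperty -Path $netlogon -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.NT4Emulator) {
        return 'absent: Active Directory IP locator in use'
    }
    if ($props.NT4Emulator -eq 1) {
        return 'set to 1: Windows NT 4.0-compatible locator in use'
    }
    return "present with unexpected value $($props.NT4Emulator)"
}

function Enable-NT4Emulator {
    # Step 3 above: REG_DWORD NT4Emulator = 0x1. Run this before the Active Directory
    # Installation Wizard so the new DC answers legacy clients as an NT 4.0 DC.
    New-ItemProperty -Path $netlogon -Name 'NT4Emulator' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Disable-NT4Emulator {
    # The reversal described for after the client upgrades: remove the value so the
    # DC returns to the Active Directory locator process.
    Remove-ItemProperty -Path $netlogon -Name 'NT4Emulator' -ErrorAction SilentlyContinue
}

"Before:  $(Get-NT4EmulatorState)"
Enable-NT4Emulator
"Enabled: $(Get-NT4EmulatorState)"
# Once no Windows 95/98/NT 4.0 clients remain, run Disable-NT4Emulator on each DC.
```

Keep a record of which domain controllers have the value set, since a domain controller running with NT4Emulator presents itself as an NT 4.0 domain controller to Windows 2000 and later machines too; Microsoft documents a companion NeutralizeNT4Emulator value for a Windows 2000 or later machine that must still see such a domain controller as an Active Directory domain controller (for example, to promote another server against it).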


Supporting Windows 95, 98, and NT 4.0 Client Systems

Before upgrading to Windows Server 2003, client support and compatibility with Active Directory must be considered for legacy Windows clients. The Windows Server 2003 family of operating systems does not support Windows 95, Windows 98, or Windows NT 4.0 client systems and will not authenticate these clients to the domain once all Windows NT domain controllers have been removed.

To enable these client systems to authenticate and access domain resources, additional client software must be installed or domain controller configuration changes made to support authentication. Review the methods by which support can be enabled for these clients and the specific features that each method provides. Determine which method best meets your migration needs and test the configuration in a lab environment before implementing it.

Active Directory Client Extensions

The most common method of enabling support for client systems running unsupported versions of Windows is to install the Microsoft Active Directory Client software.

Available for free download from Microsoft, the Active Directory Client installs the Active Directory extensions that enable support for Windows 95, Windows 98, and Windows NT 4.0 Service Pack 6a systems in a Windows Server 2003 Active Directory environment.

By installing the Active Directory Client extensions, client support is enabled in the following areas:

  • NTLM version 2 authentication. Support for improved authentication using NTLM version 2.

  • Site awareness support. This functionality allows client systems to authenticate to the domain by logging on to the most available and physically closest Windows Server 2003 domain controller. Also, client systems can now change their password on any Active Directory domain controller in the domain.

  • Active Directory Service Interfaces (ADSI). ADSI support provides client scripting ability, often used to manage and retrieve information in Active Directory.

  • Distributed File System (DFS) fault tolerance support. This function enables access to DFS shares configured in the Windows Server 2003 Active Directory domain.

  • Active Directory Windows Address Book (WAB) property pages. Enabling WAB support allows clients authenticated to the domain to search Active Directory for user objects, retrieving information such as addresses and phone numbers.

Enabling Client Support Without Active Directory Extensions

The other method of enabling support for legacy clients is to use the local domain controller policy on the Windows Server 2003 domain controller. When an organization wants to support legacy clients in an Active Directory environment, authentication can be enabled through configuration changes to the local domain controller policy, as follows:

Download the Windows NT 4.0 SP6a Active Directory Client Extensions

The Windows NT 4.0 SP6a Active Directory Client Extensions can be downloaded from the Microsoft Web site at http://www.microsoft.com/ntworkstation/downloads/Other/adclient.asp.

  1. You can enable support by relaxing the NTLM version settings and modifying the digitally sign communications settings of the default policy, as shown in Figure 14.4.

    Figure 14.4. Local domain controller security policy.


  2. To modify the local server policy, open Administrative Tools and click the Domain Controller Security Policy console.

  3. Expand Local Policies and select Security Options in the left pane of the policy console.

  4. Modify the following settings as shown in Figure 14.4:

    • Microsoft network server: Digitally sign communications (always): change the setting to Disabled.

    • Microsoft network server: Digitally sign communications (if client agrees): change the setting to Enabled.

    • Network security: LAN Manager authentication level: change the setting to Send LM & NTLM - use NTLMv2 session security if negotiated.
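Because these three policy settings lower the domain controller's authentication and SMB signing posture, it is worth being able to check at a glance whether a domain controller is still in the relaxed configuration after the migration. The following is an added example, not from the book; it reads the Registry values that the three Security Options above write (RequireSecuritySignature and EnableSecuritySignature for the two signing settings, LmCompatibilityLevel for the LAN Manager authentication level) and is read-only. It assumes PowerShell 2.0 or later in an elevated session on the domain controller; the function names are this example's own.

```powershell
# Added example, not from the book: read the registry values behind the three
# Security Options named above and report whether this domain controller is
# currently in the relaxed, legacy-client configuration. Read-only. Assumes
# PowerShell 2.0 or later in an elevated session on the domain controller.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# LmCompatibilityLevel as displayed by the policy editor ("LAN Manager authentication level").
$lmLevels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-RegDword([string]$Path, [string]$Name) {
    # Returns $null when the value is absent (the OS default then applies).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-LegacyAuthPosture {
    $signAlways = Get-RegDword $lanman 'RequireSecuritySignature'  # Digitally sign communications (always)
    $signIfAble = Get-RegDword $lanman 'EnableSecuritySignature'   # Digitally sign communications (if client agrees)
    $lmLevel    = Get-RegDword $lsa    'LmCompatibilityLevel'      # LAN Manager authentication level

    $meaning = 'not set (OS default applies)'
    if ($null -ne $lmLevel -and $lmLevels.ContainsKey($lmLevel)) { $meaning = $lmLevels[$lmLevel] }

    # The configuration the steps above produce: signing not required, offered if
    # the client agrees, and LM/NTLMv1 responses still sent (level 0 or 1).
    $relaxed = ($signAlways -eq 0) -and ($signIfAble -eq 1) -and ($null -ne $lmLevel) -and ($lmLevel -le 1)

    New-Object PSObject -Property @{
        SignAlways           = $signAlways
        SignIfClientAgrees   = $signIfAble
        LmCompatibilityLevel = $lmLevel
        LmLevelMeaning       = $meaning
        LegacyClientConfig   = $relaxed
    }
}

$posture = Get-LegacyAuthPosture
$posture | Format-List
if ($posture.LegacyClientConfig) {
    Write-Warning 'This DC still sends LM/NTLMv1 responses and allows unsigned SMB sessions; restore the stricter settings once the last legacy client is upgraded.'
}
```

On a domain controller these values reflect whatever policy was last applied, so the script reports the effective state regardless of whether it came from the local policy or from a Group Policy object; run it on every domain controller, since the local policy change has to be made on each one.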



Microsoft Windows Server 2003 Insider Solutions
ISBN: 0672326094
Year: 2003
Pages: 325
