Supporting Windows Clients During Coexistence

While planning and implementing a migration, it is important to review and determine the support requirements for domain clients. Ensuring effective Windows client network authentication and access to domain objects should be considered as important as upgrading domain servers.

When installing Windows Server 2003, the Windows Setup Manager warns you that the Windows Server 2003 operating system does not support certain Windows clients. This is by design, because Windows Server 2003 upgrades NTLM authentication from version 1 to NTLM version 2, thus disabling the ability for older Windows 95, Windows 98, and Windows NT 4.0 clients to access network resources without additional software to support connectivity to Active Directory.

There are two methods by which support for these clients can be enabled: installing the Active Directory Client and enabling support for NTLM V1 through the local server policies on the Windows 2003 domain controllers.

In addition to supporting legacy clients on the domain, another area to consider is authentication performance for existing clients during coexistence and domain controller upgrades.

Load Balancing Domain Authentication

As Windows Server 2003 domain controllers are implemented into a Windows NT domain, the first domain controller to be upgraded takes on the role of PDC emulator. Once upgraded, this single domain controller is responsible for providing domain services to all domain controllers as well as domain authentication to all existing Windows 2000 and Windows XP client systems accessing the domain.

Organizations with large numbers of Windows 2000 and Windows XP clients, as well as legacy clients such as Windows NT and Windows 98, can experience PDC locator overload in this configuration. PDC overload can affect performance of the PDC emulator and prevent proper network authentication of client systems as well as replication of network changes.

Avoiding PDC Emulator Overload

To avoid PDC emulator overload, install and configure additional Windows 2003 domain controllers and configure each to emulate Windows NT 4.0 domain services. Also, upgrading client computers during a migration without adding additional domain controllers can affect PDC performance and load balancing.

Configuring PDC Emulation on Windows 2003 Domain Controllers

To configure a Windows Server 2003 domain controller to emulate Windows NT domain controllers, change the Registry of the domain controller to the following settings:

After the Server Upgrade Is Complete...

...modify the server Registry and configure the Windows 2003 Server to perform Windows NT domain PDC emulation before running the Active Directory Installation Wizard.

Modifying the Registry Setting

Modifying the Registry setting also changes the method by which the new domain controller performs Domain Name System lookups.

After the Registry setting is in place, Windows Server 2003 domain controllers use the Windows NT 4.0-compatible Locator process to perform Domain Name System lookups. After all client upgrades are complete, reverse the Registry setting change on each domain controller to enable the Windows Active Directory Internet Protocol Locator process.

Supporting Windows 95, 98, and NT 4.0 Client Systems

Before upgrading to Windows Server 2003, client support and compatibility with Active Directory must be considered for legacy Windows clients. The Windows Server 2003 family of operating systems does not support Windows 95, Windows 98, or Windows NT 4.0 client systems and will not authenticate these clients to the domain after the Windows NT domain controllers are eliminated.

To enable these client systems to authenticate and access domain resources, additional client software must be installed or domain controller configuration changes completed to support authentication.

Review the methods by which support can be enabled for these clients and the specific features that each method provides. Determine which method best meets your migration needs and test the configuration in a lab environment before implementing it.

Active Directory Client Extensions

The most common method of enabling support for client systems running unsupported versions of Windows is to install the Microsoft Active Directory Client software.
Available for free download from Microsoft, the Active Directory Client installs the Active Directory extensions enabling support for Windows 95, Windows 98, and Windows NT Service Pack 6a systems in a Windows 2003 Active Directory environment. By installing the Active Directory Client extensions, client support is enabled in the following areas:

Enabling Client Support Without Active Directory Extensions

Another method of enabling support for legacy clients is to use the local domain controller policy on the Windows Server 2003 domain controller. When organizations want to support legacy clients in an Active Directory environment, authentication can be accomplished through configuration changes to the local domain controller policy by doing the following:

Download the Windows NT 4.0 SP6a Active Directory Client Extensions

The Windows NT 4.0 SP6a Active Directory Client Extensions can be downloaded from the Microsoft Web site at http://www.microsoft.com/ntworkstation/downloads/Other/adclient.asp.