Supporting Clients with Windows Server 2003

One of the first things you see when promoting a server to Windows 2003 is the warning regarding client support for Windows 95 and Windows 98 as shown in the Figure 15.4. This message dialog informs you at the time of upgrade that these client operating systems will no longer be available to authenticate to the domain after the upgrade is complete.

Figure 15.4. Operating system compatibility notice.

graphics/15fig04.jpg

This screen informs you that these client operating systems will no longer be able to authenticate; this is because the NTLM version is upgraded during the upgrade of the Windows 2000 domain to Windows 2003.

Understanding Windows 2003 Client Capability

To enable these client systems to authenticate and access domain resources, additional client software must be installed or domain controller configurations completed to support authentication.

The most common method of enabling support for client systems running nonsupport versions of Windows is to install the Microsoft Active Directory Client Software.

Available for free download from Microsoft, the Active Directory Client installs the Active Directory extensions enabling support for Windows 95, Windows 98, and Windows NT Service Pack 6a systems in a Windows 2003 Active Directory environment.

By installing the Active Directory Client extensions, client support is enabled in the following areas:

NTLM version 2 Authentication Support for improved authentication using NTLM version 2.
Site Awareness Support This functionary allows client systems to authenticate to the domain logging onto the most available and physically closest Windows 2003 domain controller to the client system. Also, client systems can now change passwords on any Active Directory domain controller in the domain.
Active Directory Service Interfaces (ADSI) ADSI support provides client scripting capability often used to manage and retrieve information in Active Directory.
Distributed File Systems Support DFS fault tolerance This function enables support for access Distributed File System (DFS) shares configured on the Windows 2003 Active Directory domain.
Active Directory Windows Address Book (WAB) property pages Enabling WAB support allows clients authenticated to the domain to search Active Directory for user object, retrieving information such as addresses and phone numbers .

Enabling Legacy Client Support

There are two methods you can use to enable legacy client support; the first is to install the Active Directory client software on each Windows NT and Windows 9X client.

The other method is to relax the security setting on the local default domain security policy.

When software updates cannot be installed on legacy clients before an upgrade to Windows 2003, you can provide support for these clients by disabling the SMB service in the local domain controller Group Policy.

To disable SMB signing and enable support for legacy clients, open the local domain controller policy, you will see a screen similar to the one shown in Figure 15.5.

Figure 15.5. Default domain controller security settings screen.

graphics/15fig05.jpg

To provide support for legacy clients, complete the following steps:

Expand the Local Policies and select Security Options in the left pane of the Policy Management Console.
Modify the following settings:
- Microsoft Network Server: Digitally Sign Communication (always)Modify the setting to Disable
- Microsoft Network Server: Digitally Sign Communication (if Client Agrees)Modify the setting to Enable
- Network Security: LAN Manager Authentication LevelModify the setting to Send NM & NTLMUse NTLM version session security if negotiated

When Domain Controllers Are Not in the Default Domain Controllers

If the domain controllers being modified are not located in the default domain controllers organizational unit container, the policy must link the organizational unit with the domain controller, which will authenticate where the legacy client resides.