How to enable Windows 98/ME/NT clients to logon to Windows 2003 based Domains

Article ID: 555038
Author: Yuval Sinay MVP

SYMPTOMS

Most companies have legacy operating systems, such as Windows 98, that give them backward compatibility for legacy applications. The default settings of Windows 2003 domains prohibit these clients from logging on. To overcome this limitation, a change of behavior is needed.

CAUSE

By default, security settings on domain controllers running Windows Server 2003 are configured to help prevent domain controller communications from being intercepted or tampered with by malicious users. For users to successfully negotiate communications with a domain controller that runs Windows Server 2003, these default security settings require that client computers use both server message block (SMB) signing and encryption or signing of secure channel traffic. Clients that run Windows NT 4.0 with SP2 or earlier installed and clients that run Windows 95 do not have SMB packet signing enabled and cannot authenticate to a Windows Server 2003 domain controller.

RESOLUTION

  Client side:
 
Windows NT4
 
1. Install Windows NT4 Service Pack 6a.

2. Install Internet Explorer 6 with Service Pack 1 or higher.

3. Install the DSCLIENT utility from the Windows 2000 Server installation disk or from
 
       http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/adextension.asp
 
Note: For additional information about Active Directory Client Extensions for Windows 95, Windows 98, and Windows NT 4.0,
         visit the following Microsoft Web site:
         http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/adextension.asp
 
4. Enable NTLM 2 authentication (see the "More Information" section for details).

5. Configure the workstation to use the local WINS server.
 
6. Consider installing hotfix 275508:
 
     SMB Session Credentials Are Not Updated After Password Change Resulting in Account Lockout
 
     http://support.microsoft.com/kb/275508/ 
 
7. Configure the local DNS domain as DNS under TCP/IP properties.
 
 
Windows 98/ME
 
1. Install Internet Explorer 6 with Service Pack 1 or higher.

2. Install the DSCLIENT utility from the Windows 2000 Server installation disk or from
 
     http://support.microsoft.com/default.aspx?scid=kb;en-us;288358
 
Note: Please review Knowledge Base article 323455, "Directory Services Client Update for Windows 98":
 
     http://support.microsoft.com/default.aspx?scid=kb;en-us;323455
   
3. Enable NTLM 2 authentication (see the "More Information" section for details).
 
4. Enable SMB signing (see the "More Information" section for details).

5. Configure the workstation to use the local WINS server.
 
6. Consider installing the hotfixes that are described in:
 
    Service Packs and Hotfixes That Are Available to Resolve Account Lockout Issues

   http://support.microsoft.com/default.aspx?scid=kb;en-us;817701
 
7. Configure the local DNS domain as DNS under TCP/IP properties.
 
 
Note: If you are using Windows 95, please follow the Knowledge Base article below:
http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;811497
 
Note: If the logon problem isn't resolved, please review the following Knowledge Base article:
 
Problems logging on to a Windows 2000-based server or a Windows 2003-based server
http://support.microsoft.com/default.aspx?kbid=272594
 
 
DOS/Windows 95:
 
You may need to disable SMB signing in the domain.
This method can create a security breach and isn't supported.
 
Modify Security Policies
 
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/Documentation/WindowsServ/2003/all/deployguide/en-us/dssbe_upnt_omte.asp
 
 
  Server side:
 
1. Configure each server in the domain to use the local WINS server.
 
2. If you are using a DHCP server running Windows 2000 or higher, make sure that the DHCP server can register old clients.
 
3. Review: KB 898060
 
      http://support.microsoft.com/default.aspx/kb/898060
 
Note: Some articles recommend disabling SMB signing in the domain controller OU. Please avoid changing the domain
          controllers policy, and especially don't disable SMB signing.
 
Note: Windows 98/ME clients have problems with computer names longer than eight characters. Please avoid
          using long computer names.
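
One way to confirm that the domain controller defaults described under CAUSE are still in force after legacy clients have been accommodated. This is an added example, not part of the original article: the registry value names come from Microsoft's SMB signing and secure channel documentation rather than from this page, and the export text is constructed sample data.

```python
import re

# Constructed sample: excerpt of a `reg export` taken on a domain controller.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"RequireSignOrSeal"=dword:00000001
"""

# Assumed baseline (names not taken from this article): 1 means the domain
# controller demands SMB signing / a signed or sealed secure channel.
BASELINE = {
    (r"services\lanmanserver\parameters", "requiresecuritysignature"): 1,
    (r"services\lanmanserver\parameters", "enablesecuritysignature"): 1,
    (r"services\netlogon\parameters", "requiresignorseal"): 1,
}

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_reg_export(text):
    """Return {(key_path_lower, value_name_lower): int} for DWORD values."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = DWORD_RE.match(line)
        if m and key:
            values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values

def audit(text):
    """List (name, found, expected); found is None when the value is not in the export."""
    parsed = parse_reg_export(text)
    findings = []
    for (suffix, name), expected in BASELINE.items():
        found = next((v for (k, n), v in parsed.items()
                      if k.endswith(suffix) and n == name), None)
        if found != expected:
            findings.append((name, found, expected))
    return findings
```

`reg export` writes UTF-16 files, so open a real export with `encoding="utf-16"` before passing its text to `audit()`. A `None` result means the value was not in the export and is unverified, not that signing is off.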
 
 

MORE INFORMATION

Error Message When Windows 95 or Windows NT 4.0 Client Logs On to Windows Server 2003 Domain
 
http://support.microsoft.com/default.aspx?scid=kb;en-us;811497&FR=1&PA=1&SD=HSCH
 
How to Enable NTLM 2 Authentication
 
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q239/8/69.ASP&NoWebContent=1
 
Overview of Server Message Block signing
 
http://support.microsoft.com/default.aspx?scid=kb;en-us;887429
 
Active Directory Client Extensions for Windows 95/98 and Windows NT 4.0
 
http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/adextension.asp
 
How Windows 95 and Windows 98 Directory Services Client Uses Active Directory Site Information
 
http://support.microsoft.com/default.aspx?scid=kb;en-us;249841
 
Windows 98/Me Client Cannot Change Password

http://support.microsoft.com/default.aspx?scid=kb;en-us;230059
 
Windows 2000 DNS White Paper
 
http://www.microsoft.com/windows2000/techinfo/howitworks/communications/nameadrmgmt/w2kdns.asp
 
Windows Server 2003 Server and Macintosh
 
http://www.macwindows.com/Win2003.html
 
User Cannot Log On for 45 Seconds After DSClient Is Installed
 
http://support.microsoft.com/default.aspx?scid=kb;en-us;306651

Properties

Article ID: 555038 - Last Review: May 4, 2005 - Revision: 1.0
APPLIES TO
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, Standard Edition
Keywords: 
kbpubtypecca kbpubmvp kbhowto KB555038
COMMUNITY SOLUTIONS CONTENT DISCLAIMER
MICROSOFT CORPORATION AND/OR ITS RESPECTIVE SUPPLIERS MAKE NO REPRESENTATIONS ABOUT THE SUITABILITY, RELIABILITY, OR ACCURACY OF THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN. ALL SUCH INFORMATION AND RELATED GRAPHICS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS INFORMATION AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, WORKMANLIKE EFFORT, TITLE AND NON-INFRINGEMENT. YOU SPECIFICALLY AGREE THAT IN NO EVENT SHALL MICROSOFT AND/OR ITS SUPPLIERS BE LIABLE FOR ANY DIRECT, INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF USE, DATA OR PROFITS, ARISING OUT OF OR IN ANY WAY CONNECTED WITH THE USE OF OR INABILITY TO USE THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN, WHETHER BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY OR OTHERWISE, EVEN IF MICROSOFT OR ANY OF ITS SUPPLIERS HAS BEEN ADVISED OF THE POSSIBILITY OF DAMAGES.
