RE: [ActiveDir] Windows 2003 and Windows 98 clients

[Michael B. Smith]

Title: Message

http://support.microsoft.com/default.aspx?scid=kb;en-us;811497&Product=winsvr2003   According to this KB - either disabling the policy or installing the DSclient will work. My experiential evidence is that both are required (at least the dsclient from the w2k CD -- the new dsclient that PSS is shipping out may take care of it). From: Roger Seielstad [mailto:[EMAIL PROTECTED] Sent: Thursday, October 09, 2003 2:54 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Windows 2003 and Windows 98 clients Hmmm... Didn't know that about 2003. Then again, I don't have that domain set up yet here, either..     -------------------------------------------------------------- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. -----Original Message----- From: Michael B. Smith [mailto:[EMAIL PROTECTED] Sent: Thursday, October 09, 2003 2:51 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Windows 2003 and Windows 98 clients I found that it is -- for Windows 95 on a Windows Server 2003 domain. From: Roger Seielstad [mailto:[EMAIL PROTECTED] Sent: Thursday, October 09, 2003 2:07 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Windows 2003 and Windows 98 clients DS Cleint isn't required for basic log in functionality.     -------------------------------------------------------------- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. -----Original Message----- From: Creamer, Mark [mailto:[EMAIL PROTECTED] Sent: Thursday, October 09, 2003 12:48 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Windows 2003 and Windows 98 clients Per MS instruction to me yesterday, don't install the dsclient that comes on the Win2K CD. Instead, contact them for the latest version which apparently includes account lockout fixes (I'm still testing to see if that assertion is true)   <mc> -----Original Message----- From: Michael B. Smith [mailto:[EMAIL PROTECTED] Sent: Thursday, October 09, 2003 12:32 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Windows 2003 and Windows 98 clients   In the Default Domain Controller Security Policy, and in the Domain Security Policy, you have to disable "Domain Member: Digitally encrypt or sign secure channel data (always)". And install the DSClient.    This is a security hole, by the way. Win95 is a real problem in a Win2003 AD environment. You can google for the technical explanation if you really want it. Has to do with private/public key pairs that Win95 cannot generate properly.   Win9x computers will never show in the Computers OU. They aren't domain members, they simply use the domain for authentication and access to resources (AAA).   From: Thommes, Michael M. [mailto:[EMAIL PROTECTED] Sent: Thursday, October 09, 2003 12:27 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Windows 2003 and Windows 98 clients I believe you're going to have to install the AD Client Extensions on those PCs.  You can find the software on the Windows 2000 CD.   Mike Thommes -----Original Message----- From: Steve Shaff [mailto:[EMAIL PROTECTED] Sent: Thursday, October 09, 2003 11:19 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Windows 2003 and Windows 98 clients Okay, I know that people are going to be like... "Windows 98, come on. Please join us in the Twentieth Century"!!!  But, we need to do testing on Windows98 for our product compatibility.   We just upgraded to Windows 2003 (2000 native) and now it appears that individuals that are running Windows 98,95,ME are not able to authenticate against the domain.  It just prompts them for the username, password and domain.  It just locks the account out after X tries, per our security policy.   We have also tried to use webmail, that previously worked on these PCs.  It prompts for the certificate (which is good), prompts for user/password/domain, then gives you an access is denied.  I think that all these problems with this "ancient" OS are related.   I have the PDC, RID and GC on a W2K3 DC and it appears to be running properly.   Any ideas? Thanks, Steve