• Status: Solved

Windows 95 clients logging into 2003 Active Directory

Hello,

I have searched high and low on this and many other sites for a resolution to this problem. I have tried to use the registry fix mentioned on this and other sites, and of course am using DSClient. We have temporarily disabled SMB on the servers (roughly 20 servers acting as DCs in total in the domain). We have created and removed AD sites, with no resolution. Account Lockout has been increased (another temporary fix).

The scenario is that there are around 3000+ PCs that cannot be upgraded to a new OS for another year. These need to be able to log into the AD domain. At each location which houses roughly 300+ Windows 95 computers there is a system running as a Global Catalog server. When people try to log on, they will get, "The domain password you supplied is not correct, or access to your logon server has been denied." After a few tries, they get locked out.

It appears that they log in to a primary DC that is housed in a central location in the MAN. This is not a true WAN environment as they are all fiber connected with minimum bandwidth over ~30MB/sec.

I am interested in any and all possible fixes people have tried for this scenario.  Please don't respond with "upgrade the OS" as that is not in the budget for a while.

Thanks!
trever_macpherson
 
ahmedbahgat Commented:
But I'm sure that the 95 OS cannot log on to Active Directory. I'm sure you get this message while setting up Win2k3. Possibly have an NT 4 machine as the domain controller to process the login, and the 2k3 just stays as a member server until you have a budget for all the machines to be upgraded.

cheers
 
trever_macpherson (Author) Commented:
Windows 95 can log in to an Active Directory Domain. DSClient is supposed to help with this. In fact, many times we can log in from a Windows 95 system. We have taken great pains to ensure that we can keep Windows 9x clients around until they meet their refresh cycle and still update to Active Directory. This meant that we had to make a few changes, but in fact it is working. The problem, however, is that login is erratic. We can log in at times, and at other times we cannot. When we check an account that has failed login on the server, it shows up as a bad login attempt, and in fact that is typically the error we receive on the client side; however, it has not been due to a bad username/password combination. My thoughts on this have run everywhere from network pathing, hashing problems with passwords being sent via the network, improper synchronization between the 20+ Global Catalog servers, etc.

I am really hoping for some assistance on this. There have to be other people here that have run into similar circumstances. The option to move to multiple domains based on NT4 is not an option, though it is not a bad idea.

If anyone knows where I can find a good document that discusses the differences in how Windows 95 and Windows 98 handle network login, that might be of great help too, since the Windows 98 systems do not appear to have the same amount of difficulty, and those systems are often in the same area, on the same subnet, VLAN, even switch.

For those that are interested, Microsoft has a document that covers Windows NT/Windows 98 network challenges in an Active Directory Domain titled, "The Microsoft Windows NT 4.0 and Windows 98 Threat Mitigation Guide".  Most of it reads very similar to a basic BS7799 document for small networks, however, it does have some ideas... unfortunately for me, I have tried all of the stuff in that guide.
 
ahmedbahgat Commented:
Thanks for the info, learning every day.

cheers
 
ahmedbahgat Commented:
Possibly 2k3 has the filtering feature activated and this may decline 95 requests, "just an idea". I have seen this a couple of days with NT workstations that cannot access a 2k3 server, and by disabling filtering the machines managed to access it.

cheers
 
trever_macpherson (Author) Commented:
By filtering what are you referring to? IP filters? As far as IPSEC and Kerberos are concerned, that does not come into play here as W9x does not support IPSEC or Kerberos, so those features have been removed.
 
alextesi Commented:
Check if your Server O.S. is able to be compatible with WinNT4.
On Win2K, if the O.S. is not in native mode it is possible.
I tried to do it and it ran.

If your W2K3 has this facility you can try to do so; otherwise it is impossible.
 
gavin_wickens Commented:
I don't like it but disabling SMB appears to be the most effective method. I have tried this on a small network, 1 DC 100ish clients (20ish win95) and all is OK. No logon problems at all. Doesn't answer your question but may be of use.
 
trever_macpherson (Author) Commented:
Unfortunately, disabling SMB was one of the first things we tried. In the end, to solve this problem we upgraded to Windows 98, which was a monumental task since over 2000 PCs had to be done. Microsoft helped out with this in a combination of sales maneuvering, license changes, etc. Kixtart was also deployed to force login server types, as well as registry hacks and a few other things. The issue seems to be resolved for now, but now I have to roll this out over an additional 94 sites with several thousand other PCs. Oh well... that is what they pay us the big bucks for :-).