Solved

Windows 95 clients logging into 2003 Active Directory

Posted on 2004-09-23
Last Modified: 2013-12-23
Hello,

I have searched high and low on this and many other sites for a resolution to this problem. I have tried to use the registry fix mentioned on this and other sites, and of course I am using DSClient. We have temporarily disabled SMB on the servers (roughly 20 servers acting as DCs in total in the domain). We have created and removed AD sites, with no resolution. Account Lockout has been increased (another temporary fix).

The scenario is that there are around 3000+ PCs that cannot be upgraded to a new OS for another year. These need to be able to log into the AD domain. At each location, which houses roughly 300+ Windows 95 computers, there is a system running as a Global Catalog server. When people try to log on, they will get, "The domain password you supplied is not correct, or access to your logon server has been denied." After a few tries, they get locked out.

It appears that they login to a primary DC that is housed in a central location in the MAN.  This is not a true WAN environment as they are all fiber connected with minimum bandwidth over ~30MB/sec.  

I am interested in any and all possible fixes people have tried for this scenario.  Please don't respond with "upgrade the OS" as that is not in the budget for a while.

Thanks!
0
Question by:trever_macpherson
8 Comments
 
LVL 16

Expert Comment

by:ahmedbahgat
ID: 12157251
But I'm sure that the 95 OS cannot log on to Active Directory; I'm sure you get this message while setting up Win2k3. Possibly have an NT 4 machine as the domain controller to process the login, and the 2k3 just stays as a member server until you have a budget for all the machines to be upgraded.

cheers
0
 
LVL 1

Author Comment

by:trever_macpherson
ID: 12164262
Windows 95 can log in to an Active Directory Domain. DSClient is supposed to help with this. In fact, many of the times we can log in from a Windows 95 system. We have taken great pains to ensure that we can keep Windows 9x clients around until they meet their refresh cycle and still update to Active Directory. This meant that we had to make a few changes, but in fact it is working. The problem, however, is that login is erratic. We can log in at times, and at other times we cannot. When we check an account that has failed login on the server, it shows up as a bad login attempt, and in fact that is typically the error we receive on the client side; however, it has not been due to a bad username/password combination. My thoughts on this have run everywhere from network pathing, hashing problems with passwords being sent via the network, improper synchronization between the 20+ Global Catalog servers, etc.

I am really hoping for some assistance on this. There have to be other people here that have run into similar circumstances. The option to move to multiple domains based on NT4 is not an option, though it is not a bad idea.

If anyone knows where I can find a good document that discusses the differences in how Windows 95 and Windows 98 handle network login, that might be of great help too, since the Windows 98 systems do not appear to have the same amount of difficulty, and those systems are often in the same area, on the same subnet, VLAN, even switch.

For those that are interested, Microsoft has a document that covers Windows NT/Windows 98 network challenges in an Active Directory Domain titled, "The Microsoft Windows NT 4.0 and Windows 98 Threat Mitigation Guide".  Most of it reads very similar to a basic BS7799 document for small networks, however, it does have some ideas... unfortunately for me, I have tried all of the stuff in that guide.
0
 
LVL 16

Expert Comment

by:ahmedbahgat
ID: 12165365
Thanks for the info, learning every day.

cheers
0
 
LVL 16

Expert Comment

by:ahmedbahgat
ID: 12165381
Possibly 2k3 has the filtering feature activated and this may decline 95 requests (just an idea). I have seen this a couple of days with NT workstations that cannot access a 2k3 server, and by disabling filtering the machines managed to access it.

cheers
0

 
LVL 1

Author Comment

by:trever_macpherson
ID: 12168346
By filtering, what are you referring to? IP filters? As far as IPSEC and Kerberos are concerned, that does not come into play here as W9x does not support IPSEC or Kerberos, so those features have been removed.
0
 
LVL 1

Expert Comment

by:alextesi
ID: 12181119
Check if your Server O.S. is able to be compatible with WinNT4.
On Win2K, if the O.S. is not in native mode, it is possible.
I tried to do it and it ran.

If your W2K3 has this facility you can try to do so; otherwise it is impossible.
0
 
LVL 2

Accepted Solution

by:
gavin_wickens earned 500 total points
ID: 12410704
I don't like it, but disabling SMB appears to be the most effective method. I have tried this on a small network, 1 DC, 100ish clients (20ish Win95), and all is OK. No logon problems at all. Doesn't answer your question but may be of use.
0
 
LVL 1

Author Comment

by:trever_macpherson
ID: 12410913
Unfortunately, disabling SMB was one of the first things we tried. In the end, to solve this problem we upgraded to Windows 98, which was a monumental task since over 2000 PCs had to be done. Microsoft helped out with this in a combination of sales maneuvering, license changes, etc. Kixtart was also deployed to force login server types, as well as registry hacks and a few other things. The issue seems to be resolved for now, but now I have to roll this out over an additional 94 sites with several thousand other PCs. Oh well... that is what they pay us the big bucks for :-).
0
