If the domain is in native mode, is it any problem for a Win98 workstation to join the domain? Now I have a Win98 workstation, and even after joining the domain, it can't authenticate the user account.
Mixed mode was for backward compatibility with NT4 servers.
Native mode would mean that NT4 servers cannot be used in the domain and it is a 2000 native domain.
I don't believe a Win98 PC could join the domain, as it would be the weakest link in the native 2000 AD security.
"Work to live, don't live to work"
"The problem with troubleshooting is that sometimes it shoots back"
Sorry Immacola, but you are incorrect. 95/98/NT4.0 machines can join a 2000 domain; you just need to download the Active Directory Client Extensions.
Although with these clients you will not be able to use the full benefit of Active Directory, such as Kerberos support, IntelliMirror and IPsec, if you have system policies from NT4.0 you could get the machines to use these.
I think I understand that you can't add a Win98 machine without the client extensions, but what if the Win98 PC is already a member of the domain when you convert to native mode? Will that render the PC unable to log on?
While I'm asking, what are the ramifications of going to native mode? My bosses have been hesitant to make the move, but now I have a security situation that would be best implemented in native mode. All of our domain controllers are Win2k, but we do have member servers and computers that are WinNT and Win98. I think I understand the concepts here, but I need ammo!
Windows 9x machines CANNOT be part of a domain, neither NT 4 nor Windows 2000. The USER can have an account and log on to the domain, but the actual PC can't be a member in the way NT4 Workstation/Server and Windows 2000 Workstation/Server are. With a Windows 2000 machine (or NT) you can make the actual workstation a member of the domain; the PC is then effectively a client as well as the user who logs on. With Windows 9x ONLY the user logs on, NOT the machine.
Are you sure? Then why would they make the AD Client Extensions? From my understanding, you need a computer account as well as a user account to log on to a Windows 2000 native domain, and with the AD Client Extensions for Win9.x you are able to create a computer account.
Well, this is a tough argument; it depends on your personal definition of "joining" a 2K domain...
But, for my money, I'm going with ADB. 9X machines cannot insert themselves as members of AD, and to me, that's what joining is...
Now, as for the DS client, that was created to give downlevel clients the ability to:
1- Find a DC in their site for the user to authenticate to.
2- Use NTLM v2 authentication.
3- Use Dfs shares.
So, it's really got nothing to do with joining a domain.
I don't think there is any argument. The act of joining a Microsoft domain creates a workstation account in the domain security database (NT 4 or AD). Windows 9X boxes do not have the option to join a domain and thus those accounts are not created.
I would argue that Win9X machines can "take part" in the domain, in as much as they provide the user with a platform upon which to authenticate to the domain. However, it is correct to say that they are not a part of the domain.
As bronto mentioned, without the DS client, Win9X boxes have trouble with AD authentication and other AD specific functionality which was not around when their internal Windows Networking Client was programmed.
I know that Win98 clients simply log on to the domain and are not "joined" to the domain in the way that a Win2k/WinXP client does. I think my question was whether or not it was possible for a Win98 client to connect to a native mode domain. As it turns out, I was able to test this in a lab environment, and it works without the client extensions. So that part has indeed been solved. Now on to the next part of the question.
We have a multitude of other systems that I can't easily test in a lab. Linux/Unix/Sun systems, AS/400, Macintosh, Maxtor NAS, etc. I am pretty well convinced that these systems are accessed on a per-use basis (with the exception of NAS). For instance, if I have a Win2k client who uses a terminal window on AS/400, they have to authenticate using credentials on that AS/400. Likewise for Mac users. Active Directory plays no role in that interaction. My bosses here in Dilbert-land are concerned that flipping the switch to native mode will prevent users on these systems from connecting to network resources and a variety of other issues. I say no, but I am having trouble getting concrete answers. I am tempted to burn up a $245 Microsoft call on this to cover my behind, but I'd hate to do that if it's not necessary.
So 9.x clients do not need a computer account in AD? However, they still authenticate with a user account? (I've yet to read up on the whole security and authentication chapters - Kerberos, handshaking, etc.)
Can 9.x clients still access shares within the domain?
2000 Pro and XP clients NEED a computer account in AD though right?
Ughhh.
~So much to learn, so little patience. Living 5 years ahead of myself... working a job 5 years behind. So so lost...~
Oops, sorry Bronto, I missed the part about Dfs shares. Thanks Jeff for going into a little more detail for me.
I appreciate everyone's patience in explaining things to me, even when they are not my questions.
You guys are like my teachers that I can go to with questions
I still have lots to learn, but I'll get there some day
I hope.
How does a Win9x client with the AD client find a local DC? I have had a problem for ages that, although it isn't critical, is rather annoying. When a Win9x client boots it attempts to locate a local DC through DNS but doesn't ask for the fully qualified DNS name. If my NetBIOS domain name is, say, 'DOMAIN' and my FQDN is 'DOMAIN.CO.UK', I would expect the client to do a DNS lookup for a local DC, as in 'site._sites.dc._msdcs.domain.co.uk'; what it ACTUALLY sends is a request for 'site._sites.dc._msdcs.domain' and doesn't use the DNS suffix. I am using DHCP, but I have tried setting DNS manually and setting the domain on the client to be 'DOMAIN.CO.UK' (obviously this doesn't work). The DNS server sends a recursive lookup for the unknown local domain, so the client pauses whilst it gets an answer back; the DNS server responds with a 'NO' or NAK or whatever, then the client tries a WINS lookup and then works.
What is annoying is the pause whilst it tries the lookup for the wrong DNS name.
Obviously this doesn't happen for Win2K clients; I haven't tried with NT4.0 and the AD Client Extensions.
Yeah, that's one of the shortcomings of the DS client. It does a NetBIOS lookup of the domain name...
There are a couple of things you could try to speed up the login:
1) Disable recursive queries (which you may not want to do).
2) Create a bogus zone on your name server using the NetBIOS name of your domain and leave it empty. This way, the server will respond immediately with NXDOMAIN and the client will go right to WINS...
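To make the reasoning behind the second suggestion concrete, here is an added example (not from any poster in this thread) that simulates the name server's decision: a query name that falls under a zone the server is authoritative for is answered locally (from records, or NXDOMAIN if the zone is empty), while anything else is recursed upstream, which is the slow path the Win9x client hits. The zone data, the site name 'site', the NetBIOS name 'domain' and the DC name 'dc1.domain.co.uk' are constructed; the query name follows the form quoted in the post above.

```python
from dataclasses import dataclass

@dataclass
class NameServer:
    """Minimal model of a DNS server: authoritative zones plus optional recursion."""
    zones: dict            # zone apex -> {owner name: [answers]}; {} is an empty zone
    recursion: bool = True

    def authoritative_zone(self, qname):
        """Longest-suffix match: 'x.domain.co.uk' -> 'domain.co.uk' if that zone exists."""
        labels = qname.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.zones:
                return candidate
        return None

    def lookup(self, qname):
        """Return (rcode, answers, recursed). recursed=True is the slow upstream round trip."""
        zone = self.authoritative_zone(qname)
        if zone is not None:
            answers = self.zones[zone].get(qname.lower(), [])
            # Authoritative answer, immediate: NOERROR with data, or NXDOMAIN if none
            return ("NOERROR" if answers else "NXDOMAIN", answers, False)
        if not self.recursion:
            # Suggestion 1 in the thread: recursion off, so the client gets a fast refusal
            return ("REFUSED", [], False)
        # Not our zone: forward to the root/upstream. A bare NetBIOS name such as
        # 'domain' is not a public TLD, so this ends in NXDOMAIN, but only after the delay.
        return ("NXDOMAIN", [], True)

def ds_client_query(site, netbios_name):
    """The name the post says the Win9x DS client actually asks for (NetBIOS name, no DNS suffix)."""
    return f"{site}._sites.dc._msdcs.{netbios_name}".lower()

def build_server(add_bogus_zone):
    """Constructed sample data: the real forest zone, optionally plus the empty 'bogus' zone."""
    zones = {"domain.co.uk": {
        "site._sites.dc._msdcs.domain.co.uk": ["dc1.domain.co.uk"],
    }}
    if add_bogus_zone:
        zones["domain"] = {}   # suggestion 2: empty zone named after the NetBIOS domain
    return NameServer(zones)

if __name__ == "__main__":
    q = ds_client_query("site", "domain")
    print("without bogus zone:", build_server(False).lookup(q))  # recursed=True (slow)
    print("with bogus zone:   ", build_server(True).lookup(q))   # NXDOMAIN at once
```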
It's a bit of a shortcoming with the Win9x client then, isn't it? Why did MS even bother to make the client do a DNS lookup? How does a Win9x client find a DC in its local site then? I thought this was one of the 'big' things about the client: the ability to log on to any DC and make changes to any writeable DC, as opposed to only the PDC (as in NT 4.0 domains).
I am currently using your second suggestion (bogus DNS zone). I also tried creating duplicate entries in this zone to see if the client could be 'fooled', but no luck....