RE: Can win9x clients connect to new 2003 domain
From: Bob Qin [MSFT] (bobqin_at_online.microsoft.com)
Date: 11/17/04
- Next message: Bob Qin [MSFT]: "RE: Corruption of ADMT translated profile"
- Previous message: Rebecca Chen [MSFT]: "RE: SUS server size"
- In reply to: Jerryboz: "Can win9x clients connect to new 2003 domain"
- Next in thread: Jerryboz: "RE: Can win9x clients connect to new 2003 domain"
- Reply: Jerryboz: "RE: Can win9x clients connect to new 2003 domain"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 17 Nov 2004 09:09:00 GMT
Hi JerryBoz,
Thanks for your posting here. Please see my comments inline...

Question 1: When the new 2003 forest/domain is in native mode, is it still
possible for win9x or NT4 clients without DSCLIENT to authenticate on the
2003 domain??

--- Downlevel clients (such as Windows 9x/NT) will still authenticate to
Windows Server 2003 via NTLM. DSClient adds support for NTLM version 2,
which is a more secure form of NTLM authentication. For added security, it
is best if all Windows 95 and Windows 98 clients install the DSClient.

In addition, you may have to turn off SMB Signing in the default DC policy
but this was not recommended. Please refer to the following document for
more information.

823659 Client, service, and program incompatibilities that may occur when you
http://support.microsoft.com/?id=823659

Question 2: Can the win9x or NT4 clients without DSCLIENT work with the
data on the new DC's and still access files on the NT4 domain??

--- Yes, you need to migrate user SID history during User account migration
and keep the domain trusts there.

Question 3: if question 1 and 2 are not possible what can we do to make it
work??

--- /

Question 4: can y2k and XP clients who will be moved to join the new 2003
domain connect to the old NT4 domain to access the data still left on that
domain??

--- Yes. In fact, sIDHistory is used as a transitional tool intended to
preserve access permissions until security on resources can be translated.
The SIDHistory is stored on the new user account in the domain where the
user was migrated. When user access is evaluated, SIDs from the ACLs and
the access token are compared to find a match.

Moving the clients to the new 2003 domain does not touch the ACLs on the file
server at all. The users will still have access through the SIDHistory.

I hope this information helps.

Regards,
Bob Qin
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
From: "Jerryboz" <Jerryboz@discussions.microsoft.com>
Subject: Can win9x clients connect to new 2003 domain
Date: Tue, 16 Nov 2004 06:49:11 -0800
Newsgroups: microsoft.public.windows.server.migration

Hello, I'm Jerry Boz and have the following situation:

I have 9 resource domains (each on a different location connected by a 128
or 256 WAN link) and 1 master domain (2Mb WAN link). All domains are NT4 with
1 PDC on the resource locations and 1 PDC and 2 BDC and 1 central Exchange 5.5
server and internet connection with firewall on the master domain. (All the
current hardware of the PDCs does not support Windows Server 2003.)

200 clients (mostly win95 and NT and some XP) and 250 users on the master
domain and approx. 240 global groups.

We want to migrate from NT4 (10 domains) to 2003 with 1 domain, and leave
the NT4 working as it is until all clients are upgraded to XP (time approx. 6
months).

Recently we bought 2 new IBM x235 servers (not NT4 compatible).
On these servers we want to install a fresh copy of Windows 2003 and make
them DCs for the new 2003 domain with AD and 1 new 2003 Exchange server.

Next we want to make a 2-way trust between the NT4 domain and the Yk203
forest/domain.

Next we want to copy all the users and groups from NT4 to the new 2003 domain
with AD with the ADMT2 tool. It seems that ADMT works only with the 2003 AD
in native mode.

Question 1: When the new 2003 forest/domain is in native mode, is it still
possible for win9x or NT4 clients without DSCLIENT to authenticate on the
2003 domain??

Question 2: Can the win9x or NT4 clients without DSCLIENT work with the data
on the new DC's and still access files on the NT4 domain??

Question 3: if question 1 and 2 are not possible what can we do to make it
work??

Question 4: can y2k and XP clients who will be moved to join the new 2003
domain connect to the old NT4 domain to access the data still left on that
domain??

Please forgive my poor English.
With regards
JerryBoz
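
Added example (not part of the original thread, and not Windows' own code): a simplified model of the access check described in the answer to Question 4, showing why sIDHistory keeps access working against untouched ACLs and why it is only needed until the ACLs are translated. All SIDs, names and mask bits below are constructed for illustration.

```python
from dataclasses import dataclass, field

READ, WRITE = 0x1, 0x2  # simplified access-mask bits (constructed)

@dataclass
class Account:
    sid: str
    group_sids: list = field(default_factory=list)
    sid_history: list = field(default_factory=list)

def build_token(acct):
    """SIDs carried in the access token: primary, groups, and sIDHistory."""
    return {acct.sid, *acct.group_sids, *acct.sid_history}

def access_check(token_sids, acl, desired):
    """Walk ACEs in order: a matching deny ACE refuses, allow ACEs accumulate."""
    granted = 0
    for ace_type, sid, mask in acl:
        if sid not in token_sids:
            continue
        if ace_type == "deny" and mask & desired:
            return False
        if ace_type == "allow":
            granted |= mask
        if granted & desired == desired:
            return True
    return False

def translate_acl(acl, sid_map):
    """Security translation: rewrite old-domain SIDs in the ACEs to new ones."""
    return [(t, sid_map.get(s, s), m) for t, s, m in acl]

# Constructed SIDs: ...-1111-... stands for the NT4 domain, ...-2222-... for 2003.
OLD_USER = "S-1-5-21-1111-1111-1111-1005"
NEW_USER = "S-1-5-21-2222-2222-2222-1105"
SHARE_ACL = [("allow", OLD_USER, READ | WRITE)]  # NT4 file server ACL, untouched

migrated = Account(NEW_USER, sid_history=[OLD_USER])  # migrated with SID history
no_history = Account(NEW_USER)                        # sIDHistory absent or cleared

def demo():
    translated = translate_acl(SHARE_ACL, {OLD_USER: NEW_USER})
    return {
        "with_history": access_check(build_token(migrated), SHARE_ACL, READ),
        "without_history": access_check(build_token(no_history), SHARE_ACL, READ),
        "after_translation": access_check(build_token(no_history), translated, READ),
    }

if __name__ == "__main__":
    print(demo())
```

Because the old SID sits in the token like any other SID, deny ACEs written against the old account apply to the migrated user as well.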