Administrators in charge of a domain that uses Active Directory are usually pleased at the way AD can be used to manage both user accounts and machines. But the advantages of AD are limited to the machines that can use it: namely, Windows XP and Windows 2000. Windows 95/98/ME and NT 4.0 clients aren't supported by Active Directory, and so workstations with those operating systems are left out in the cold, so to speak, with only the most minimal compatibility. A common answer to such a problem is to upgrade the older clients, but if the money simply isn't there to do so, another strategy is in order.
To that end, Microsoft has released a set of Active Directory Client Extensions for Windows 95 (and its successors) and Windows NT 4.0. The Windows 95 version can be found on the Windows 2000 CD, in the CLIENTSWIN9X folder, and can be downloaded from Microsoft. You can also download the Windows NT 4.0 version.
Note that NT 4.0 clients must be running Service Pack 6a, and a version of Internet Explorer no earlier than 4.01.
This extension does not allow the listed operating systems to use all of Active Directory's functions, but it allows enough of a function set to meet most users' AD needs. (If you need more than the features supported by the patch, it's time to think seriously about upgrading at least a few of your clients.)
Here is a rundown of the features in the Active Directory Client Extensions patch:
- The ability to log onto domain controllers: This includes the ability to change passwords on
any Windows 2000 domain controller in the domain, rather than just the primary domain controller
for that domain (as was the case with NT 4.0 domains). Note that NT 4.0 clients and Win9x clients
will only be able to change their passwords at the PDC; you can't override NT 4.0 password behavior
by changing the password at the PDC with this patch.
- Windows Address Book (WAB) properties: This allows users to search for and change the
properties of user objects in AD through the Start -> Search system, and also allows for new
schema elements to be added to said user objects through the client (in the event they are needed).
- NTLM version 2 authentication: Clients with the patch can perform NTLM v2 authentication over
the network as well as version 1. Some of the changes in version 2 include encryption and hashing
of the password, case-sensitive passwords, and a number of other changes for security.
- The DFS fault tolerance client: This allows clients transparent access to Windows 2000
distributed file system (DFS) shares, as well as failover shares described through Active
- Active Directory Service Interfaces (ADSI): This allows Active Directory actions to be scripted (through the use of Windows Script Host or other scripting systems), and allows programmers a common API to Active Directory functions.
If you want to ensure that a given client can make use of many of these features, you must install it as a computer object in the relevant Windows 2000 domain. Since this is not done for Windows 9x systems by default, the administrator needs to take the time to add the computer(s) in question once they are patched, and make sure they are AD-aware.
The administrator should also be aware that there are several Active Directory features not supported through the Client Extensions:
- Kerberos support: Kerberos
security requires kernel-level extensions that are not available without a full OS upgrade.
policies: Windows 2000 group policies cannot be created or deployed for computer objects with
the Client Extensions; they have to be done manually. Windows NT 4.0 clients need to use the NT
administrative templates (.ADM files), and NT 4.0 System Policy Editor (POLEDIT.EXE) files; Windows
95 and 98 clients need to be managed manually with the System Policy Editor.
The Client Extensions cannot support IntelliMirror management; this is another OS-level feature
that cannot be supported without a full upgrade.
and Layer 2 Tunneling Protocol (L2TP)
support: Both of these features require the upgraded network stack available only in Windows 2000
and better, and cannot be provided through the Client Extensions. However, there is a separate
Microsoft client for providing IPsec and L2TP connectivity for Windows 95, 98, ME and NT 4.0, which
can be downloaded
- SPN or mutual authentication
Some caveats about usage are in order. When joining a newly-patched NT 4.0 machine to the domain, first try pre-creating the computer account for that machine with the SRVMGR program from the Windows 2000 domain controller. This may have to be done when merging an NT backup domain controller into a mixed-mode Windows 2000 Active Directory domain. Microsoft Knowledge Base article 242432 has more information on how to do this.
About the author: Serdar Yegulalp wrote for "Windows Magazine" from 1994 through 2001, covering a wide range of technology topics. He now plies his expertise in Windows NT, Windows 2000 and Windows XP as publisher of "The Windows 2000 Power Users Newsletter," writes technology columns for various TechTarget sites and serves as resident expert for SearchWin2000.com's Desktop Administration and Management Tools and Solutions Ask the Experts categories.
Web Links: Desktop Deployment and Migration
Check out our latest hand-picked desktop and migration links for information on diverse deployment topics, from XP upgrades to company laptop usage.
Web Links: Windows 9x
Still running Windows 9x computers? Allow us to help. Here you'll find the information you need to upgrade from Windows 98 to Windows XP, secure your Windows 95 and 98 computers and much more.
Web Links: NT Workstation
The granddaddy of Microsoft server operating systems reached the end of its lifespan, but it is still found in many IT shops. For those thinking now is the time to upgrade, our newest hand-picked NT links include NT to Active Directory upgrade pointers you won't want to miss. If you plan to stick with NT, you'll want to look at our other links to information on NT security, administration, monitoring and much more.
This was first published in October 2003