Windows 95 and Windows NT 4.0 interoperability issues.
SUMMARY
Windows Server 2003 Domain Controllers implement default security settings that help prevent Domain Controller communications from being hijacked or otherwise tampered with. Certain downlevel Windows systems are not capable of meeting these security requirements and thus cannot communicate with Windows Server 2003 Domain Controllers without administrative intervention. Similarly, non-Windows systems that are not capable of meeting these security requirements will not be able to communicate with Windows Server 2003 Domain Controllers by default.
Affected Windows systems include Windows for Workgroups, Windows 95 machines that do not have the DS client pack installed, Windows NT 4.0 machines prior to Service Pack 4, and devices, including Pocket PC 2002 and previous versions, based on the Windows CE .NET version 4.1 or earlier. Affected non-Windows systems may include Apple Mac OS X and SAMBA clients.
SMB SIGNING
By default, Windows Server 2003 Domain Controllers require that all clients digitally sign SMB-based communications. The SMB protocol is used to provide file sharing, print sharing, various remote administration functions, and logon authentication for some downlevel clients. Windows for Workgroups, Windows 95 machines without the DS Client Pack, Windows NT 4.0 machines prior to Service Pack 3, and devices, including Pocket PC 2002 and previous versions, based on the Windows CE .NET version 4.1 or earlier are not capable of performing SMB signing and therefore cannot connect to Windows Server 2003 Domain Controllers by default. Similarly, non-Windows systems that implement the SMB protocol without supporting SMB signing will not be able to connect to Windows Server 2003 Domain Controllers by default. For example, Apple Mac OS X and other SAMBA clients may not support SMB signing. Check with your SMB client vendor to determine whether SMB signing is supported. If such clients cannot be upgraded to support SMB signing, then the SMB signing requirement can be removed by disabling the following security policy in the Default Domain Controller GPO on the domain controllers OU:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft Network Server: Digitally sign communications (always)
Detailed instructions on how to modify this setting are provided below.
Warning: Disabling this security setting exposes all of your Domain Controller communications to "man in the middle" types of attacks. Therefore it is highly recommended that you upgrade your clients rather than disabling this security setting. The DS Client Pack, necessary for Windows 95 clients to perform SMB signing, can be obtained from the \clients\win9x sub-directory of the Windows 2000 Server CD.
SECURE CHANNEL SIGNING
By default, Windows Server 2003 Domain Controllers require that all secure channel communications be either signed or encrypted. Secure channels are used by Windows NT-based machines for communications between domain members and domain controllers as well as between domain controllers that have a trust relationship. Windows NT 4.0 machines prior to Service Pack 4 are not capable of signing or encrypting secure channel communications. If Windows NT 4.0 machines prior to SP4 must join this domain, or this domain must trust other domains that contain pre-SP4 Domain Controllers, then the secure channel signing requirement can be removed by disabling the following security policy in the Default Domain Controller GPO:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain Member: Digitally encrypt or sign secure channel data (always)
Detailed instructions on how to modify this setting are provided below.
Warning: Disabling this security setting exposes secure channel communications to "man in the middle" types of attacks. Therefore it is highly recommended that you upgrade your Windows NT 4.0 machines rather than disabling this security setting.
MODIFYING THE DEFAULT DOMAIN CONTROLLER GPO
To ensure all domain controllers are enforcing the same SMB and secure channel signing requirements, define the corresponding security settings in the Default Domain Controller GPO as follows: