Compatibility with previous operating systems
By default, security settings on domain controllers running Windows Server 2003 are configured to help prevent domain controller communications from being intercepted or tampered with by malicious users. To successfully negotiate communications with a domain controller running Windows Server 2003, these default security settings require that client computers use both SMB signing and encryption or signing of secure channel traffic.
The following Windows-based operating systems do not have built-in support for SMB signing or secure channel encryption and signing:
- Windows for Workgroups
- Windows 95
- Windows NT 4.0
The following table lists the required actions that you need to perform to enable client computers running any of these operating systems to successfully log on to the domain and access domain resources.
| For client computers running | You need to |
| --- | --- |
| Windows for Workgroups | Upgrade the operating system. |
| Windows 95 | Upgrade the operating system (recommended), or install the Active Directory client. For more information about the Active Directory client, see Active Directory clients. |
| Windows NT 4.0 | Upgrade the operating system (recommended), or install Service Pack 4 (or later). Service Pack 3 provides support for SMB signing, but it does not support encryption or signing of secure channel traffic. |
SMB signing
By default, domain controllers running Windows Server 2003 require that all clients digitally sign SMB-based communications. The SMB protocol provides file sharing, printer sharing, various remote administration functions, and logon for some clients running older operating system versions.
Client computers running Windows for Workgroups, Windows 95 without the Active Directory client, and Windows NT 4.0 Service Pack 2 (or earlier) do not support SMB signing, and, therefore, they cannot connect to domain controllers running Windows Server 2003 by default.
Although it is not recommended, you can prevent SMB signing from being required on all domain controllers running Windows Server 2003 in a domain. For more information, see To prevent domain controllers from requiring SMB signing.
Secure channel encryption or signing
Domain controllers running Windows Server 2003 require that all secure channel communications be either encrypted or signed. Windows NT-based computers use secure channels for communications between clients and domain controllers, and between domain controllers that have a trust relationship.
Client computers running Windows NT 4.0 Service Pack 3 (or earlier) do not support signing or encrypting secure channel communications, and, therefore, they cannot connect to domain controllers running Windows Server 2003 by default.
Also, any trusts established between domains with domain controllers running Windows NT 4.0 Service Pack 3 (or earlier) and domains with domain controllers running Windows Server 2003 might fail. If one domain contains a domain controller running Windows NT Service Pack 3 (or earlier) and the other domain contains a domain controller running Windows Server 2003, clients might have problems accessing resources located in the other domain.
Although it is not recommended, you can disable the secure channel requirement for all domain controllers running Windows Server 2003 in a domain. For more information, see To prevent domain controllers from requiring secure channel signing or encryption.
Note
- If you install Windows Server 2003 domain controllers in your domain (one or more), they will not affect the security settings on domain controllers running Windows 2000 Server.
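
To confirm that a domain controller still enforces the two requirements described under SMB signing and Secure channel encryption or signing, and has not had either one relaxed, the following added audit script (not part of the original documentation) reads the registry values that back those security options. The function name and the State labels are illustrative, and treating a missing value as "NotConfigured" is an assumption of this example.

```powershell
# Added audit example, not from the original page. Read-only: it changes nothing.
# Written for PowerShell 2.0 or later; run locally on each domain controller.
$checks = @(
    @{ Name  = 'SMB signing required for clients'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value = 'RequireSecuritySignature' },
    @{ Name  = 'Secure channel signing or encryption required'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Value = 'RequireSignOrSeal' }
)

# Hypothetical helper name. Returns one object per setting with its raw data.
function Get-DcSigningRequirement {
    param([hashtable[]]$Checks)
    foreach ($c in $Checks) {
        $raw  = $null
        $prop = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        if ($prop) { $raw = $prop.($c.Value) }

        # 1 = required; any other data = not required; absent = no explicit value
        $state = if ($null -eq $raw) { 'NotConfigured' }
                 elseif ($raw -eq 1) { 'Required' }
                 else                { 'NotRequired' }

        New-Object PSObject -Property @{
            Setting       = $c.Name
            RegistryValue = $c.Value
            Data          = $raw
            State         = $state
        } | Select-Object Setting, RegistryValue, Data, State
    }
}

$results = @(Get-DcSigningRequirement -Checks $checks)
$results | Format-Table -AutoSize

# Flag any requirement that has been explicitly turned off on this machine.
$relaxed = @($results | Where-Object { $_.State -eq 'NotRequired' })
if ($relaxed.Count -gt 0) {
    $names = @($relaxed | ForEach-Object { $_.Setting }) -join '; '
    Write-Warning ("{0}: requirement relaxed for {1}" -f $env:COMPUTERNAME, $names)
}
```

A "NotRequired" result means clients that cannot sign or encrypt are being accepted by that domain controller, so the reason for the relaxation should be documented and the setting restored once the legacy clients are upgraded.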