Although running Windows 9x or NT clients in an Active Directory environment is possible, these older operating systems will not be able to take advantage of Active Directory features unless you install Microsoft’s Active Directory client extension (Dsclient.exe), also called the Directory Services Client. Even then their functionality will be limited, but some functionality is better than none. Here’s a rundown on exactly what the Dsclient can and cannot do, along with instructions on where to obtain versions for both Windows NT and Windows 9x.

Obtaining and installing Dsclient.exe
Microsoft’s Active Directory client extension comes in two versions: one for Windows 95/98 and one for Windows NT. The Windows NT version requires Windows NT 4.0 Service Pack 6a and Internet Explorer 4.01 or later. The Windows 9x version requires Windows 95, 98, or 98 Second Edition with Internet Explorer 4.01 or later. (I have seen some reports that the Windows 9x version can be used with Windows Me, but I cannot confirm this.)

You can download the Windows NT version directly from Microsoft, and you can find the Windows 9x version on any Windows 2000 Server, Advanced Server, or DataCenter installation CD in the \CLIENTS\WIN9x directory. The Windows 9x Dsclient.exe file is 2.95 MB and the NT version is 1.48 MB. To install the client, copy the Dsclient.exe self-extracting executable installation file to an appropriate workstation and double-click it. The installation wizard will then quickly walk you through the installation process.

Updated Windows 9x Dsclient available
Since the Active Directory client extension’s initial release, Microsoft has discovered a few minor bugs and released an update in the form of a hot fix. You can obtain this update by contacting Microsoft’s Product Support Services by phone. Although a support call to Microsoft usually costs around $200, if you ask the service representative specifically for the update and not technical assistance, he or she will usually waive the charges. Click here for a list of Microsoft Product Support Services phone numbers and rates or here for more information about acquiring the updated Windows 9x Dsclient.

Supported Active Directory features
Site awareness
Normally, during the logon, Windows 9x/NT clients contact a random domain controller for authentication. Furthermore, if the user needs to change his or her password, the password change is performed on the Windows 2000 Server that’s acting as the domain’s primary domain controller (PDC) emulator. The new password is then replicated to the other domain controllers.

After installing Dsclient.exe, however, Windows 9x/NT clients become site aware. This means that rather than picking a random domain controller for authentication, the client uses site information to log on to the nearest domain controller. Likewise, users can update passwords on any domain controller, not just the PDC emulator.
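
The difference between the two behaviors described above can be modeled in a few lines. This is an added example, not code from Microsoft or from the original article: the subnets, site names, and domain controller names are constructed sample data, and the fallback to any domain controller when the client's site has none is an assumption of this model.

```python
import ipaddress

# Constructed sample data: subnet-to-site mapping and the domain's DCs.
SUBNET_SITES = {
    "10.1.0.0/16": "HQ",
    "10.1.40.0/24": "HQ-Lab",   # a site that has no DC of its own
    "10.2.0.0/16": "Branch",
}
DOMAIN_CONTROLLERS = [
    {"name": "dc1.example.test", "site": "HQ", "pdc_emulator": True},
    {"name": "dc2.example.test", "site": "HQ", "pdc_emulator": False},
    {"name": "dc3.example.test", "site": "Branch", "pdc_emulator": False},
]

def site_for(client_ip):
    """Return the site whose subnet is the most specific match, or None."""
    ip = ipaddress.ip_address(client_ip)
    matches = [(ipaddress.ip_network(net), site)
               for net, site in SUBNET_SITES.items()
               if ip in ipaddress.ip_network(net)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def logon_candidates(client_ip, site_aware):
    """Names of the DCs a client may pick from for logon."""
    all_dcs = [dc["name"] for dc in DOMAIN_CONTROLLERS]
    if not site_aware:
        return all_dcs              # without Dsclient: any DC in the domain
    site = site_for(client_ip)
    local = [dc["name"] for dc in DOMAIN_CONTROLLERS if dc["site"] == site]
    return local or all_dcs         # assumption: no DC in site, fall back to any

def password_change_targets(client_ip, site_aware):
    """Names of the DCs a password change may be written to."""
    if not site_aware:
        # Without Dsclient the change goes to the PDC emulator only.
        return [dc["name"] for dc in DOMAIN_CONTROLLERS if dc["pdc_emulator"]]
    # With Dsclient any DC will do; this model uses the logon candidates.
    return logon_candidates(client_ip, True)

if __name__ == "__main__":
    for ip in ("10.2.3.4", "10.1.40.7"):
        print(ip, site_for(ip), logon_candidates(ip, True),
              password_change_targets(ip, False))
```

The client at 10.1.40.7 maps to a site with no domain controller, so in this model it is back to choosing from every domain controller in the domain, which is worth checking for when a site-aware client authenticates across a WAN link.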

Active Directory service interfaces (ADSI)
The Active Directory client extension supports ADSI, which is mainly a benefit to developers. This feature makes it possible to write a script that interacts with the Active Directory, and run that script on a Windows 9x/NT machine.

DFS fault tolerance
In Windows 2000, a DFS tree can have multiple replicas of a data set. The idea is that if one server fails, another server can take over and the clients will never know that the main server hosting the data has failed. To be able to take advantage of DFS failover, the client must be installed as a computer object in the Active Directory, and the Active Directory client extension makes this setup possible.

Active Directory Windows address book (WAB) property pages
The Active Directory client extension makes it possible for users to access user information directly from the Active Directory and to make changes to that information (assuming that they have the rights). This includes information like addresses and phone numbers.

NTLM Version 2 authentication
The Active Directory client extension offers support for NTLM 2 authentication. This provides greater security during authentication. Click here for more information on enabling NTLM 2 authentication once you have installed the Active Directory client extension.

Unsupported Active Directory features

  • Kerberos
    The Active Directory client extension will not support Kerberos-dependent authentication on Windows 95, 98, or NT clients because these operating systems lack the appropriate files to interact with the Kerberos protocol.
  • Group Policy and Intellimirror
    The Active Directory client extension does not allow Windows 9x/NT to take advantage of Intellimirror or Windows 2000 Group Policy technology.
  • IPSec and L2TP
    If you want to use a Windows 9x/NT client to access a VPN, the VPN must use the PPTP protocol. The Active Directory client extension does not support newer, VPN-related protocols, such as IPSec and L2TP.
  • SPN and mutual authentication
    Finally, the Active Directory client extension does not support Service Principal Name (SPN) or mutual authentication.