
AD FAQs – Windows Support

What versions of Windows are supported by AD?

The short answer is: any Windows OS from Win95 through WinXP. The more complete answer is that our deployment of Active Directory requires the use of Kerberos or NTLMv2 as authentication protocols, which imposes some special requirements on older Windows clients that authenticate to the AD.

Win9x and ME — Windows 9x and ME require installation of the directory service client on each down-level computer, to allow authentication via NTLMv2. You can download this client at dsclient_ntlmv2.exe.

WinNT SP6a — Although Windows NT SP6a can authenticate to the AD without modification, we strongly recommend that you install the dsclient_ntlmv2.exe (download from the link above) to take advantage of some important new features of Windows 2000 Active Directory.

Win2K and XP — Windows 2000 and XP are Kerberos-aware by design and require no modification to authenticate to the AD.


Where can I get the Directory Service Client for down-level clients?

The Directory Service Client is available from a share accessible to OU Administrators at \\adc1\ouadmin\Software\Directory Service Client. The file dsclient_ntlmv2.exe will run on Windows 9x, ME, and NT, and will install the client as well as a registry key to force NTLMv2 authentication. If you install just the dsclient from the Win2K CD or from Microsoft’s Web site, you will not be able to authenticate until you also set the LM compatibility level to NTLMv2. To read more about what the DS client does, see MS DS Client. To learn more about NTLMv2 registry settings, see Q239869.
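The failure mode described above (the DS client installed without the LM compatibility setting) can be checked from a registry export of the client. This is an added example, not part of the original FAQ: the value names are the ones Microsoft documents in Q239869, the function names are hypothetical, and the sample exports are constructed.

```python
import re

# LSA key holding the LM compatibility setting (compared case-insensitively).
LSA_KEY = r"hkey_local_machine\system\currentcontrolset\control\lsa"
# Value name per Microsoft Q239869: LMCompatibility on Windows 9x/ME with the
# DS client, LmCompatibilityLevel on Windows NT.
VALUE_NAMES = {"lmcompatibility", "lmcompatibilitylevel"}
DWORD_RE = re.compile(r'^"([^"]+)"\s*=\s*dword:([0-9a-fA-F]{1,8})$')

def lm_level(reg_text):
    """Return the LM compatibility level found in a .reg export, else None."""
    in_lsa = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_lsa = line[1:-1].lower() == LSA_KEY
        elif in_lsa:
            m = DWORD_RE.match(line)
            if m and m.group(1).lower() in VALUE_NAMES:
                return int(m.group(2), 16)
    return None

def sends_ntlmv2_only(reg_text):
    """Level 3 and above means the client sends NTLMv2 responses only."""
    level = lm_level(reg_text)
    return level is not None and level >= 3

# Constructed sample exports (REGEDIT4 format), not taken from a real machine.
DSCLIENT_ONLY = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA]
"Authentication Packages"=hex:6d,73,76,31,5f,30,00,00
'''

DSCLIENT_NTLMV2 = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA]
"LMCompatibility"=dword:00000003
'''

if __name__ == "__main__":
    for name, text in [("dsclient only", DSCLIENT_ONLY),
                       ("dsclient + NTLMv2 key", DSCLIENT_NTLMV2)]:
        print(name, "->", lm_level(text), sends_ntlmv2_only(text))
```

A missing value is reported as `None` and treated as not forcing NTLMv2, which matches the case where only the stock dsclient was installed.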


How do I set my Win2K/XP machine to authenticate to the UNIX Kerberos realm bu.edu?

Windows 2000 and XP support the Kerberos protocol natively. To have a machine authenticate to bu.edu (the UNIX Kerberos realm), you can either deploy the link to the group policy “BU – deploy bu.edu” or run the installation package from \\adc1\ouadmin\Software\BU.EDU Cross Realm Client Install on the client. If you use the Group Policy “BU – deploy bu.edu”, the policy will install the client when machines in that OU are rebooted.


Why should a person authenticate to the UNIX bu.edu Kerberos realm rather than the domain AD?

When a new person receives a BU login name and Kerberos password, he or she is given a generic account in the Active Directory. AD passwords for generic accounts are long, random strings, not known to anyone. Generic accounts can still access AD resources by authenticating to the domain bu.edu (UNIX Kerberos realm) with the BU login name and Kerberos password. The AD domain has a one-way trust to the UNIX bu.edu realm, which allows this to work. If a person needs to access lab resources but doesn’t need an OU administrator to set custom fields (e.g., loginscript, profilepath, E2K settings), then the default generic account is all that’s required. If these fields must be set, the person will have to run the department-specific WebNew to allow the OU admin access to these fields and to synchronize the Kerberos password down to the AD.


How can people connect to a file share on a member server?

Different versions of Windows require different configurations to be able to connect to a member server. People who need to connect to a member server must have their Kerberos password synchronized down to the AD. If you have set up a departmental WebNew with IT, people should use that Web site to synchronize their Kerberos passwords down to the AD. In the absence of a departmental WebNew site, people can do this at www.bu.edu/computing/accounts/ad/kpw. After completion of the WebNew process, it takes about ten minutes for the password to replicate to all of the AD machines. Once the password has been synchronized, the person will be able to connect to a member server by following the instructions below.

A. From Windows XP:

  1. Go to Start Menu->Run and type \\servername\share (replacing both with the appropriate values) and click “OK”.
  2. In the logon box that appears, enter ad\username (substituting your BU login name for username) and your BU Kerberos password. You should then be connected to your share.

B. From Windows 2000 and NT:

  1. Go to Start Menu->Run and type \\servername\share (replacing both with the appropriate values) and click “OK”.
  2. In the logon box that appears, enter ad\username (substituting your BU login name for username) and your BU Kerberos password. You should then be connected to your share.

C. From Windows 95, 98 and ME:

  1. Download and install ADSetup9x.exe
  2. Download and install dsclient_ntlmv2.exe
  3. Reboot the system.
  4. On startup you should now see a domain logon window. Enter your BU login name and Kerberos password and click OK. If you hit cancel at this window you will not be able to connect to the server.
  5. Once at the desktop, go to Start Menu->Run and type in \\servername\share (replacing both with the appropriate values) and click “OK”. You should then have access to your share.
