none
Windows Server 2012 and XP as a client

    Question

  • Hello everyone!

    I would definitely appreciate someone pointing me in the right direction. I have a very simple network, e.g. Windows Server 2012 as DC, Windows Server 2008 R2 as RDS and some Windows 7 and Windows XP as workstations.

    The problem is that all XP computers are experiencing several problems. There are userenv 1054, lsasrv 40960 and lsa 40961 events logged on them; those workstations experiencing slow logons, not applying group policies and unable to browse shares located on DC (they used for distributing some files via GP). All Windows 7 workstations, however, are working perfectly.

    Here’s what I’ve tried:

    - read http://technet.microsoft.com/en-us/library/dd560670%28v=ws.10%29.aspx and turned on DES in Kerberos Authentication for entire domain via GP;

    - read http://technet.microsoft.com/en-us/library/dd566199%28v=ws.10%29.aspx and disabled NTLM 128-bit minimum session security parameters for entire domain via GP;

    - tried to make XP Kerberos to use TCP instead of UDP as described in http://support.microsoft.com/kb/244474?wa=wsignin1.0

    All of these has no luck. XP clients are able to incredibly slow browse SYSVOL and NETLOGON, but unable to browse other shares, not apply GP, etc.

    Could anybody please give me some advice?

     

    Thanks in advance.

    Monday, February 25, 2013 9:04 PM

All replies

  • Have you checked DNS settings on Clients it should point to local DNS and make sure firewall is allowing the traffic

    Check for any group policy which you have set for configuration but that doesn't applies to windows XP

    Troubleshooting slow logons are kind of R&D process you will have to eliminate causes most of the possibilities are listed here in below URL's


    So you have a slow logon…? (Part 1)
    http://blogs.technet.com/b/askds/archive/2009/09/23/so-you-have-a-slow-logon-part-1.aspx


    So you have a slow logon…? (Part 2)
    http://blogs.technet.com/b/askds/archive/2009/09/24/so-you-have-a-slow-logon-part-2.aspx


    Windows Server Performance Team
    Help! I’m stuck at “Applying Computer Settings” …
    http://blogs.technet.com/b/askperf/archive/2008/10/14/help-i-m-stuck-at-applying-computer-settings.aspx

     

    Troubleshooting the intermittent slow logon or slow startup
    http://blogs.technet.com/b/instan/archive/2008/04/17/troubleshooting-the-intermittent-slow-logon-or-slow-startup.aspx

     

     

     

     

     

     

     

     

     

     

     


    Hope it helps __________________________ Best Regards Sarang Tinguria MCP, MCSA, MCTS Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Tuesday, February 26, 2013 5:50 AM
  • Thank you for your answer.

    > Have you checked DNS settings on Clients it should point to local DNS and make sure firewall is allowing the traffic

    Of course. All clients receive all ipv4 settings via DHCP, the DNS server address is set to DC (e.g. that Server 2012), the DNS resolution works perfectly, including SRV records such as _kerberos._udp.domain.local.

    > Check for any group policy which you have set for configuration but that doesn't applies to windows XP

    Well, this is one of my troubles. All XP clients are unable to apply group policy while 7 clients are working properly.

    > Troubleshooting slow logons are kind of R&D process you will have to eliminate causes most of the possibilities are listed here in below URL's

    Thank you a lot for this URLs, but my very problem is not slow logon itself, but a Kerberos authentication issue. I am experiencing lsasrv 40960 "The Security System detected an authentication error for the server ldap/dca.acc.local. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)"." and lsasrv 40961 "The Security System could not establish a secured connection with the server ldap/dc.domain.local. No authentication protocol was available.", that says that XP's Kerberos seems to be unable to handshake with 2012 one. However, I've checked all URLs you gave to me and I'll use the last one to turn on userenv debug logging to try to gather additional information.

    I also must say that I've double-checked all network-related and hardware-related aspects. The problem lies somewhere in 2012's compatibility with XP because all Windows 7 clients that share the same network, hardware, settings etc. works fine.

    Thank you in advance for further advice.

    Tuesday, February 26, 2013 9:35 AM
  • There can be many reason for the errors & it might be the case we are only concentrating at DC with windows 2012, but issue is somewhere else. It can be antivirus, network connection, old drivers or patches missing. I haven't found any issue with XP system authenticating against Win 2012 DC. Why not enable userenv logging & see what it says. Also, take a look at the below article, if it applies. I can assume it can be due to security software & might be causing the communication blockage.

    http://support.microsoft.com/kb/885887

    http://blogs.technet.com/b/jhoward/archive/2005/04/20/403946.aspx

    UserEnv Debugging Line by Line

    http://blogs.msdn.com/b/richpec/archive/2009/07/20/userenv-debugging-line-by-line.aspx

    http://blogs.technet.com/b/ptsblog/archive/2011/11/14/performing-an-active-directory-health-check-before-upgrading.aspx


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Tuesday, February 26, 2013 9:55 AM
    Moderator
  • Thank you for your answer!

    > It can be antivirus, network connection, old drivers or patches missing

    DC never had an antivirus and I've tried to disable and even uninstall antivirus from XP workstations. I have even tried a fresh XP installation. This is definitely not a network issue because Windows 7 clients located in the same physical and logical network are working properly. All drivers and patches on all systems are up-to-date. Moreover, since 100% Windows 7 clients are working properly and 100% XP clients share the same symptoms I am sure that I need to dig deeper into XP vs 2012 interaction.

    > Why not enable userenv logging & see what it says

    I will do it now and surely post here if there will be something interesting. Thank you a lot for the links; I'll follow them now.

    Tuesday, February 26, 2013 10:13 AM
  • I've also noticed a strange behavior. XP workstations cannot browse shares on 2012 DC, but they can browse shares on 2008 R2 RDS that is in the same domain with the same policies.


    Tuesday, February 26, 2013 1:55 PM
  • Could it be because of the system requirements? I don't see XP and older listed

    Supported Client operating systems

    Windows 8.1, Windows 8, Windows 7, Macintosh OS X versions 10.5 to 10.8.

    Wednesday, November 06, 2013 10:10 PM
  • Do you have client side extensions installed on XP machines..?? Do you have XP updated till SP3.?

    Hope it helps __________________________ Best Regards Sarang Tinguria MCP, MCSA, MCTS Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Thursday, November 07, 2013 9:54 AM