The issue
The real issue is that you are still running Windows XP. The secondary issue is that you have Windows XP clients that cannot connect to a file share (NETLOGON) on a Windows Server 2012 R2 Domain Controller. If you try manually via \\domaincontroller\Netlogon it will throw an error like "The specified network name is no longer available". From a security and moral-pressure point of view, I kind of think this drives home the message that you need to get off Windows XP. But I realize you're in a pickle, so here's the workaround/fix.
Root Cause & Fix
Windows XP talks SMB 1.0 and that's it. If this is not offered by the server (file server or domain controller) we have a problem. Now, if you installed new Windows Server 2012 R2 servers, they do not deploy the SMB 1.0 feature by default. If you upgraded from Windows 2008 R2 (perhaps even over Windows 2012) to get to Windows 2008 (R2) this feature is kept in place. Otherwise you'll need to make sure SMB 1.0 is installed; it often (always?) is. Just check.
However, there is a big change between Windows Server 2008 R2/Windows 2012. The LanmanServer service has a dependency set to SMB 2.0 and no longer to SMB 1.0.
This is what it looks like on a Windows Server 2012 (or lower) domain controller:
This is what it looks like on a Windows Server 2012 domain controller:
So we need to change that on Windows 2012 R2 to support Windows XP. We can do this in the registry. Navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DependOnService
- Change SamSS Srv2 to SamSS Srv
- Restart the Server (LanmanServer) service (it will restart the dependent services like Netlogon, DFS Namespace, ... as well)
Your XP clients should be able to authenticate again. You can test this by navigating to \\domaincontroller\Netlogon on an XP client. This should succeed again.
If you have issues with Windows Server 2012 R2 file servers … this is also valid. When you do get rid of Windows XP, go back to the original settings please.
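The registry change, the service restart and the later return to the original settings can be scripted so the original value is saved before it is touched. This is an added example, not code from the original post; the function names and the backup file path are assumptions, and it must run elevated on the Windows Server 2012 R2 machine.

```powershell
# Added example: apply and later revert the LanmanServer dependency change.
$key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer'
$backup = Join-Path $env:SystemDrive 'LanmanServer-DependOnService.bak.txt'  # hypothetical path

function Get-LanmanDependency {
    # DependOnService is a multi-string value, e.g. SamSS, Srv2
    (Get-ItemProperty -Path $key -Name DependOnService).DependOnService
}

function Set-LanmanDependency {
    param([Parameter(Mandatory)][string[]]$Services)
    Set-ItemProperty -Path $key -Name DependOnService -Value $Services -Type MultiString
    # -Force is required because Netlogon, DFS Namespace, ... depend on this service
    Restart-Service -Name LanmanServer -Force
}

function Enable-XpWorkaround {
    # The SMB 1.0 feature has to be installed before the dependency can point at it
    if (-not (Get-WindowsFeature -Name FS-SMB1).Installed) {
        throw 'SMB 1.0 feature (FS-SMB1) is not installed; install it first.'
    }
    $current = Get-LanmanDependency
    # Save the original value once, so a second run does not overwrite it
    if (-not (Test-Path $backup)) { $current | Set-Content -Path $backup }
    # Change "SamSS Srv2" to "SamSS Srv", leaving any other entries as they are
    $new = $current | ForEach-Object { if ($_ -eq 'Srv2') { 'Srv' } else { $_ } }
    Set-LanmanDependency -Services $new
}

function Disable-XpWorkaround {
    # Go back to the original settings once the XP clients are gone
    if (-not (Test-Path $backup)) { throw "No saved value found at $backup." }
    Set-LanmanDependency -Services (Get-Content -Path $backup)
}

function Get-Smb1Client {
    # Lists clients still connected over SMB 1.x (the dialect string is assumed
    # to start with "1."); an empty result over time means it is safe to revert.
    Get-SmbSession |
        Where-Object { $_.Dialect -like '1.*' } |
        Select-Object ClientComputerName, ClientUserName, Dialect
}
```

Run `Enable-XpWorkaround` to apply the change, check `Get-Smb1Client` periodically while XP is being retired, and run `Disable-XpWorkaround` afterwards.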
If you want to read more on SMB read this blog Windows Server 2012 R2: Which version of the SMB protocol (SMB 1.0, SMB 2.0, SMB 2.1, SMB 3.0 or SMB 3.02) are you using? by Jose Barreto (File Server team at Microsoft)
Finally, get off XP!
I think I said it enough on Twitter and my blog Legacy Apps Preventing Your Move From Windows XP to Windows 8.1? Are you worried about HeartBleed? Good! Are you worried about still being on XP? No? Well, dump SSL and use clear text authentication as XP is a free fire zone anyway (as of April 8th 2014) and it's just a matter of time before you're road kill. Any company that has CIO/CTO/IT managers and other well paid functions and has let its organization be held hostage on XP (I'm not talking about a few PCs or VMs left and right) by legacy apps & ISVs should realize they are the ones who let this happen. Your watch. Your responsibility. No excuses.
Thanks for this one. I guess it's a case that some people can't get off XP because they have some LOB applications that only support XP and it's costly or not possible to update the app.
You are most welcome. That's all true but the hard reality is that things are not getting better over time and what is hard now will be real tough in a few years. Dealing with life cycles & collateral damage if not done right is a major task for anyone in charge. Tech debt needs to be managed.
Thanks for that article. Does this work on a mixed Windows 7 / Windows XP environment?
Yes, it will not break Vista, Windows 7, 8, 8.1 clients, it just makes W2K12R2 DC’s support SMB1 again which is what XP supports and connects to the NETLOGON share with.
Other article suggests adding SRV and not replacing the SRV2. Does this make sense?
Could be! I just peeked at a Windows 2012 server for the value and used that. Just using SRV doesn't make you lose SMB 2 or 3, rather it defines the lowest version used. You can see this when you follow the dependency tree. So I'm not sure keeping SRV2 in there does anything for you or is required. But in the very recent MSFT fix out just recently they keep both in: KB 2976994 – Shared folder in Windows Server 2012 R2 or Windows 8.1 cannot be accessed by using SMB version 1 protocol: http://support.microsoft.com/kb/2976994, which is included in the August 2014 update rollup for Windows Server 2012 R2: http://support.microsoft.com/kb/2975719/
Cheers
There’s another thing that can bite you with 2012 R2 domain controllers and old SAMBA and Centrify devices called Resource SID Compression. It’s a new feature of Kerberos that needs to be turned off in order for the old stuff to authenticate, see this: http://support.microsoft.com/kb/2774190
… just like moving from old OS versions there is the need for vendors to keep their firmware up to date & functional in modern environments both for functionality and security.
NEED HELP . . . . I'm having a problem with my Windows XP and Windows Server 2012 R2. I can't ping my Windows Server 2012 R2 with my Windows XP computer. I did what was instructed and still I can't ping my server. I have changed the SamSS Srv2 to SamSS Srv and SMB 1 was installed already. Are there any other reasons why I can't ping my server??
Check the Windows 2012 R2 firewall settings to start with http://lmgtfy.com/?q=can%27t+ping+my+WIndows+2012+r2+server . There are many great technical support forums https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?category=windowsserver and they can provide a lot more assistance than one single blog can.