Brien M. Posey
I was one of the people fortunate enough to experiment with Windows XP during the early phases of its development. From the beginning, Windows XP seemed like it was destined to be the best version of Windows yet. When Microsoft finally released Windows XP to the public, I was at the computer store's midnight madness sale buying about ten copies for my home network. I rushed home to install the final release, and Windows XP was truly the operating system that I had hoped it would be. Then something happened. I installed Service Pack 1 and began to have a slew of problems.
Most of these problems were network related. File access became painfully slow. Half of the time, I couldn't even save files to a network drive without Windows timing out and/or corrupting the file that I was trying to save. Something in Service Pack 1 had turned this dream operating system into a nightmare.
Since the problems began, I have been advising all of my friends and clients not to install Service Pack 1. Unfortunately, this isn't always an option. While Service Pack 1 seriously degrades network performance and causes some problems, it fixes other problems. Fortunately, there's a way to fix the networking issue and restore your performance without having to uninstall the service pack.
Oddly enough, the fix must be applied to your Windows 2000 domain controllers rather than to Windows XP. That's good news for those of you who have large numbers of machines running Windows XP. The problem is that Windows 2000 and Windows XP both use SMB signing for security purposes. Unfortunately, the two different SMB signature formats are incompatible. Rumors on the Internet indicate that the problem will be fixed in the next Service Pack. In the meantime, there are a couple of ways to get around the problem.
The easiest way of getting around the problem is to simply disable SMB signing on your domain controllers. To do so, go to a domain controller and open the Active Directory Users and Computers console. After doing so, navigate to the Domain Controllers OU. Right-click on this OU and select the Properties command from the resulting shortcut menu. When you do, you'll see the Domain Controllers Properties sheet. Now, select the Group Policy tab. Select the Default Domain Controller Policy (or whatever group policy applies to the domain) and click the Edit button. Now, navigate through the policy to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options. Finally, locate the following four policy settings and change them to Disabled:
- Digitally Sign Client Communications (Always)
- Digitally Sign Client Communication (When Possible)
- Digitally Sign Server Communication (Always)
- Digitally Sign Server Communication (When Possible)
Now, close the Group Policy Editor, click OK, and close Active Directory Users and Computers. After you apply the settings, wait for the next replication cycle to complete and the settings should take effect. If you don't want to wait five minutes for a replication cycle to complete, you can force a replication cycle to occur instantly by opening a Command Prompt window and entering the following command:
SECEDIT /refreshpolicy machine_policy /enforce
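Because the four settings above map to registry values on each domain controller, an administrator will want a way to confirm which servers actually have the workaround in place (and to remember to re-enable signing later). The following Python script is an added example and is not part of the original article. It assumes a security template in the INF format written by secedit /export /cfg (the same layout as a GPO's GptTmpl.inf), whose [Registry Values] section lists entries as MACHINE\<path>=<type>,<value> with type 4 meaning REG_DWORD, and it assumes the policy names map to the LanmanWorkstation (client) and LanManServer (server) RequireSecuritySignature / EnableSecuritySignature values. The sample template embedded in the script is constructed for the demonstration.

```python
"""Audit the SMB-signing settings in an exported security template (.inf).

Added example; not code from the original article. Assumes the template
came from `secedit /export /cfg <file>` or is a GPO's GptTmpl.inf, and that
the four Group Policy names map to the registry values listed below.
"""
import re

# Mapping from the four Group Policy names in the article to the registry
# values they set. LanmanWorkstation = client side, LanManServer = server side.
SMB_SIGNING_POLICIES = {
    "Digitally sign client communications (always)":
        r"MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature",
    "Digitally sign client communication (when possible)":
        r"MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature",
    "Digitally sign server communication (always)":
        r"MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature",
    "Digitally sign server communication (when possible)":
        r"MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature",
}

# Constructed sample: a template from a domain controller on which the
# article's workaround (all four settings Disabled) has been applied.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters\\RequireSecuritySignature=4,0
MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters\\EnableSecuritySignature=4,0
MACHINE\\System\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters\\RequireSecuritySignature=4,0
MACHINE\\System\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters\\EnableSecuritySignature=4,0
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymous=4,0
"""


def parse_registry_values(template_text):
    """Return {registry_path_lowercase: (reg_type, value_string)} from [Registry Values]."""
    values = {}
    section = None
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()
            continue
        if section != "registry values" or "=" not in line:
            continue
        path, _, rhs = line.partition("=")
        type_str, _, value = rhs.partition(",")
        if not type_str.strip().isdigit():
            continue  # malformed entry; skip rather than guess
        # Registry paths are matched case-insensitively (templates vary in casing).
        values[path.strip().lower()] = (int(type_str), value.strip())
    return values


def smb_signing_state(template_text):
    """Map each of the article's four policy names to 'Enabled', 'Disabled' or 'Not Defined'."""
    regvals = parse_registry_values(template_text)
    state = {}
    for policy, path in SMB_SIGNING_POLICIES.items():
        entry = regvals.get(path.lower())
        if entry is None:
            state[policy] = "Not Defined"
        else:
            reg_type, value = entry
            # REG_DWORD (type 4) with value 1 means the policy is Enabled, 0 means Disabled.
            state[policy] = "Enabled" if reg_type == 4 and value == "1" else "Disabled"
    return state


def signing_fully_disabled(template_text):
    """True when all four settings are explicitly Disabled, i.e. the workaround is in place."""
    return all(v == "Disabled" for v in smb_signing_state(template_text).values())


if __name__ == "__main__":
    for policy, value in smb_signing_state(SAMPLE_TEMPLATE).items():
        print(f"{policy}: {value}")
    if signing_fully_disabled(SAMPLE_TEMPLATE):
        print("SMB signing is disabled for both client and server traffic on this DC.")
```

Run the script against a template exported from each domain controller (one per domain, since the policy change has to be made in every domain) to see at a glance which servers still carry the workaround; the same check, run again after the Microsoft hotfix is installed, shows which domain controllers have had signing restored.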
There are a couple of things that you need to keep in mind about the changes that I've shown you. First, the changes must be applied to each domain in your network. Second, the changes may not work until your clients and servers have been rebooted. The changes on my network worked without a reboot, but Microsoft has stated that a reboot may be necessary. Finally, in high security environments, disabling SMB signatures may be unacceptable. If this is the case, there's an alternative.
If you call Microsoft's Premier Support Service at (800) 936-4900, you can receive a patch to correct the problem. The phone call costs $245, billed to your credit card, but according to my sources, if you quote Knowledge Base article Q329170 and ask for the fix that addresses the problem, you won't be billed for the call. The patch corrects the LOCALSPL.DLL, PRINTUI.DLL, SPOOLSS.DLL, SPUNINST.EXE, SRV.SYS, SRVSVC.DLL, WINSPOOL.DRV and WLNOTIFY.DLL files. The patch must be applied to any Windows 2000 Servers that interact with Windows XP clients. If the Microsoft Tech Support department asks what version of the files you need, you'll need the October 10, 2002 version or later.
About the author:
Brien Posey, CEO of Posey Enterprises, is a freelance technical writer and has been working with computers for about 15 years. Before going freelance, Brien served as the Director of Information Systems for a large, nationwide healthcare company. He has also served as a network engineer/security consultant for the Department of Defense. You can access Brien's Web site, which contains hundreds of his articles and white papers, at www.brienposey.com.
This was first published in January 2003