Another XP SP2 Issue

John Coutts

Here is just another reason not to install SP2!

A customer was required to upgrade her W2K network to XP by the government
network that she was connected to. Hers is a small network (5 workstations)
that does justify installing a server. I ordered 3 new machines that came with
XP SP2, and I upgraded one of the other machines by installing a second hard
disk and retaining all her data on the original disk. After she was satisfied
that she had all of her old data transferred to the new disk, then I wiped the
old disk and installed it in the last computer. After I installed XP on the
last machine, none of the computers could browse the network.

According to MS article 188001, the Browser function that existed on all
Windows operating systems up to and including W2K has been replaced by Active
Directory. So according to this article, an all XP network has to run Active
Directory to get browser service.

Well, such is not the case. I installed another all XP network earlier, and it
browses just fine. The difference is that the earlier network only has SP1
installed.

Nice going Microsoft! Just another way to squeeze more money out of your
customers.

J.A. Coutts
 
Actually there are 2 things going on that you should know about.

1) There is a new and improved firewall in SP2 for XP. This baby is on by
default.
2) The Computer Browser service can't start when the firewall is on unless
some exceptions are made in the firewall.

So before you go slamming Microsoft that peer-to-peer network is not
existent, you might want to verify your facts first since SP2 is about
reducing the attack surface of Windows. (and yes, the price we pay for
security means knowing what to turn back on.)
 
Sorry, but one of the first things I did was disable that firewall (along with
that ridiculous Security Center service), because the network has a far better
firewall at the perimeter. The Computer Browser service is running on all the
machines, and I even went so far as to change the registry setting for the
Browser from Auto to Yes. I can still map network drives, but I can't browse
the network to make that selection. This is no problem for me, but the average
user doesn't even understand the difference between network name and login
name. I am advising all my customers to leave at least one older operating
system connected to their network to provide the browser service.

J.A. Coutts
 
It's interesting how certain parties are having trouble with SP2, but yet,
I've installed it on all my clients' machines with no problems. All I did
was turn off the firewall and it works like a charm.

Maybe you may have to detune your security policy settings since these
machines are in a workgroup: The title of the article is deceiving, but it
works. I needed to do it to allow two XP machines to access each other, as
well as a DOS client to access it (for Ghosting).

555038 - How to enable Windows 98-ME-NT clients to logon to Windows 2003
based Domains:
http://support.microsoft.com/?id=555038

Ace
 
There's the key Ace. You left at least one older operating system connected to
the network to act as the Master Browser. It appears that XP/SP2 will find and
use a browser list on the network, but will not act as the Master Browser. I
have not had a problem with XP browsing a network until now. With all XP/SP2
machines on the network, none will browse. Add one W2K machine, and all of them
will browse. I tried using the LMHOSTS file, but to no avail.

J.A. Coutts
 
Interesting. I have not seen this issue yet, nor have I tested it. I can
tell you that at my home, I have all XP Pro SP2 machines (no other OSs), and
I do not have a DC running. I can browse everyone just fine. The DOS OS is
just a bootable floppy when I want to Ghost a machine and is not running all
the time. But I did have a problem connecting from the floppy boot (using a
net use) to XP, but once I changed the two "Microsoft: Server always
sign...(required)" settings in the local policy to disabled, then I was able
to connect.

Have you tried to change those settings? Maybe (just maybe), the browser
service is not accepting broadcasts from anything because of SP2? And you're
saying forcing one of them to be a Master is not working?

Ace
 
I have noticed when I have a workgroup with static IP addresses and no
DHCP servers I have to turn on "NetBIOS over TCP/IP" instead of using the
default settings under TCP/IP configuration, advanced and "WINS" tab. Just a
shot in the dark... it solved my problem....

Good luck

Jon L.
 
Here is another odd thing that I have noticed with SP2. Even though the
Computer Browser service is set to "Automatic", it does not get started until
the first successful netbios access. On my own SP1 Home machine, I have this
service disabled and it still browses an older network. What does this service
really do?

J.A. Coutts
 
As long as there is at least one machine on the network with the computer
browser service running to act as Browse master, that is all you need. The
browser need not be running on all machines, only one.
In a domain the PDC or PDC emulator will force itself to be the browse
master.
 
Have you tried to disable those settings yet?

Ace
 
I tried running the Browstat utility, but it simply tells me what I already
know; there is no master browser on the network. XP SP2 will simply not provide
master browser service, and if there is no machine on the network prepared to
take on the task, you won't be able to browse the network.

J.A. Coutts
 
Have you tried checking the properties of File Sharing in the Windows
firewall exceptions list to see what ports are allowed?
It should be TCP 139 Any, TCP 445 Any, UDP 137 Any, and UDP 138 Any.
 
John Coutts said:
I tried running the Browstat utility, but it simply tells me what
I already know; there is no master browser on the network. XP SP2
will simply not provide master browser service, and if there is no
machine on the network prepared to take on the task, you won't be
able to browse the network.

J.A. Coutts

I see, so of course that won't work.

But I was asking about the SMB settings. Please try them. As I explained
earlier, they work for me between machines in a workgroup (or between DOS
and XP or W2003 machines) and toggle them back and forth all day long.

Back to the reg entries, did you also set IsDomainMaster = "True" on one
(only one) of the XP machines?
If you did or haven't tried it, please do so. Did that help?
Here are the settings...
=================================
Changes on the Server:
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Browser\Parameters]

MaintainServerList = "Yes"
IsDomainMaster = "True"

MaintainServerList controls if it should participate in the election at all.
The IsDomainMaster gives the computer a higher priority in the election.

Note to discover/detect the current master browser on the network use the
reskit tools browmon or browstat.

Changes at the workstation: (see registry location above)
MaintainServerList = "No"
IsDomainMaster = "False"
=================================


Also, have you tried Browcon?
http://support.microsoft.com/default.aspx?scid=kb;en-us;818092

Ace
 
I see, so of course that won't work.

But I was asking about the SMB settings. Please try them. As I explained
earlier, they work for me between machines in a workgroup (or between DOS
and XP or W2003 machines) and toggle them back and forth all day long.

Back to the reg entries, did you also set IsDomainMaster = "True" on one
(only one) of the XP machines?
If you did or haven't tried it, please do so. Did that help?
Here are the settings...
=================================
Changes on the Server:
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Browser\Parameters]

MaintainServerList = "Yes"
IsDomainMaster = "True"

MaintainServerList controls if it should participate in the election at all.
The IsDomainMaster gives the computer a higher priority in the election.

Note to discover/detect the current master browser on the network use the
reskit tools browmon or browstat.

Changes at the workstation: (see registry location above)
MaintainServerList = "No"
IsDomainMaster = "False"
=================================
**************** REPLY SEPARATER ******************
Already tried that. No effect.
***************************************************
***************** REPLY SEPARATER *****************
I will take a look at it.
***************************************************
 
Have you tried checking the properties of File Sharing in the Windows
firewall exceptions list to see what ports are allowed?
It should be TCP 139 Any, TCP 445 Any, UDP 137 Any, and UDP 138 Any.
************ REPLY SEPARATER *************
Firewall service is disabled. Correct me if I am wrong, but isn't port 445
supposed to be used for SMB only if NetBIOS on ports 137 to 139 is not enabled?
 
I usually disable port 445 because a hacker managed to infiltrate this
particular network using port 445 from the private network (these machines are
connected to the public network behind a NAT router and to a private government
network with no local firewall). To make sure that the function of port 445 had
not changed (secondary SMB), I enabled it on all machines. I then changed the
browser settings on one machine to:
IsDomainMaster = "TRUE"
MaintainServerList = "Yes"

and left the rest at the default of:
IsDomainMaster = "FALSE"
MaintainServerList = "Auto"

Still no Master Browser service on the network.

J.A. Coutts
 
John Coutts said:
Firewall service is disabled. Correct me if I am wrong, but isn't
port 445 supposed to be used for SMB only if NetBIOS on ports 137 to
139 is not enabled?

XP should default to SMB, then NetBIOS in that order.
 
Hmm, unfortunate. We'll get to the bottom of this (hopefully). I forget now
if I had asked you (the thread is getting long...) if the firewall is
enabled on all machines, and if so, have you made an exception Rule to allow
F&P Services (assuming the Browser service is running)? Browser service is
dependent on F&P.

Ace
 
No Firewall on any machine. Firewall is at the network perimeter.
 
Interesting... the plot thickens.

I found this and was playing around with it a bit:
http://www.michna.com/kb/wxnet.htm

Here are some things I found that we should look at a little more closely or
at least confirm. I apologize if these seem too rudimentary, or that you may
have already gone over them. I think we both know and agree your current
setup should just work out of the box. Agreed? So there's something
hindering the service from operating on that one machine, or all of them
(for whatever reason). Also, most of the links I've found researching this
all point to the firewall service, but since you have it disabled on all
machines, I've been discarding those hits.
1. Check all NetBIOS names for possible duplicates. For example, if the
workgroup name coincides with a user or computer name, this could cause the
problem. Try opening a command line window and issuing the command: net view
2. Issue the command: net view \\computername, where computername should
be replaced with one of the names displayed with the simple net view
command. Check all names for possible duplication.
3. Disable, better yet uninstall or upgrade, all antivirus software and
third party firewalls. Check to see if they perform network monitoring.
4. Rid the computer of adware and spyware.
5. Repair the Winsock with the command: netsh winsock reset (This removes
all third party Layered Service Providers-LSPs.)
6. Computers running older operating systems than Windows XP may disturb
the computer browser system. If there are any devices on the network that are
capable of interfering, let's stop them as well.
7. Make sure that the TCP/IP NetBIOS Helper service is running and has
the proper start type.
8. Make sure MS Client & File and Print Sharing is enabled.
9. Uninstall third party client software that can interfere with the
networking settings. Such software could have come with network adapters or
with a router.
10. Force it to use NetBIOS over TCP/IP under NIC properties, IP
Properties, Advanced, WINS tab.
11. I remember mentioning browcon.exe, but you didn't post any results or
if you have tried it, and assume you have already done so without the
desired results.
12. Let's also take a look at browstat. It will show you if browsing is
enabled on the network and who the master browser is. You can download
Browstat from http://www.dynawell.com/reskit/microsoft/win2000/browstat.zip
or http://rescomp.stanford.edu/staff/manual/rcc/tools/browstat.zip. Here is
a link from Microsoft on its use: http://support.microsoft.com/?kbid=188305


Here's another interesting thing I found as well:

*Begin procedure:
===================================
You have both the following symptoms:
a. You can ping the computer by IP and by name.
b. When you type on another computer, replacing computername with the
name of the inaccessible computer:
net view \\computername

you get one of the various "Error 5" error messages, like "System error 5
has occurred. Access is denied" or "Error 5: You do not currently have
access to this file. ..."

This is in some cases caused by a registry setting named RestrictAnonymous.
Go to the computer which you cannot access, start a registry editor and
change the following registry value.

HKEY_LOCAL_MACHINE
\SYSTEM
\CurrentControlSet
\Control
\Lsa
Value name: RestrictAnonymous
Value type: DWORD

If the value is 1 or even 2, change it to 0, reboot and retest. If the
problem is solved, leave the value at zero. If not, you can change it back
if you like.

*End of procedure.

===================================





Another interesting one:

*Begin procedure:

===================================

Another related and surprisingly frequent problem beside disabled NetBIOS
over TCP/IP is the setting of an unsuitable node type for Windows networks
(which use NetBIOS). If you don't see other computers in Network
Neighborhood or My Network Places, then this computer may have the wrong
node type. If you get error messages when you try to access another
computer, then you may have to walk over to that other computer and perform
the following steps there.

First check the node type by opening a command line window and typing the
command

ipconfig /all

This command reports the node type, among other information. It should be
Hybrid or Unknown, but not Point-to-Point (p-node, actually a mistaken
interpretation of Peer-to-Peer), because that would work only when a WINS
server is present.

If the node type is P-t-P, you can use regedit.exe to go to

HKEY_LOCAL_MACHINE
\System
\CurrentControlSet
\Services
\Netbt
\Parameters

and delete any of the two values NodeType and DhcpNodeType if they exist,
forcing Windows to fall back to its default node type, which should be
Hybrid. Reboot.

More details can be found in the following Microsoft Knowledge Base
article.

Default Node Type for Microsoft Clients
http://support.microsoft.com/?kbid=160177

*End procedure

===================================



Well, that's about it for right now. Other than this, I'm not sure what is
going on. Like I said, it should just work out-of-the-box.

Let me know what you find with the above information.

Thanks

Ace
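
An added example (not from any poster in this thread): the Python below reads `reg query` output collected from each workstation and applies the checks discussed above, namely that only one machine is set up as preferred master through MaintainServerList and IsDomainMaster, that RestrictAnonymous was not left at 0 after troubleshooting, and that NodeType is not p-node. The host names WS1 to WS3 and the sample output are constructed, and the role labels (never, eligible, preferred) are this example's own.

```python
import re

def parse_reg_query(text):
    """Parse `reg query` output into {key_path: {value_name: data}}, lower-cased.
    REG_DWORD data (printed in hex, e.g. 0x1) is converted to int."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            current = keys.setdefault(line.strip().lower(), {})
            continue
        m = re.match(r"\s+(\S+)\s+(REG_\w+)\s+(\S.*)$", line)
        if m and current is not None:
            name, rtype, data = m.groups()
            current[name.lower()] = int(data, 16) if rtype == "REG_DWORD" else data.strip()
    return keys

def audit_host(text):
    """Return (browser election role, findings) for one machine's output."""
    keys = parse_reg_query(text)
    def get(suffix, name, default=None):
        for path, values in keys.items():
            if path.endswith(suffix):
                return values.get(name, default)
        return default
    # Missing values fall back to the defaults quoted in the thread (Auto / FALSE).
    maintain = get(r"services\browser\parameters", "maintainserverlist", "Auto").lower()
    master = get(r"services\browser\parameters", "isdomainmaster", "FALSE").lower()
    role = ("never" if maintain == "no" else
            "preferred" if (maintain, master) == ("yes", "true") else "eligible")
    findings = []
    if get(r"control\lsa", "restrictanonymous") == 0:
        findings.append("RestrictAnonymous=0; restore the earlier value if browsing did not improve")
    for name in ("nodetype", "dhcpnodetype"):
        if get(r"services\netbt\parameters", name) == 2:
            findings.append(name + "=2 is p-node, which only works with a WINS server")
    return role, findings

def audit_network(outputs):
    """outputs maps hostname -> reg query text; returns (roles, report lines)."""
    roles, report = {}, []
    for host in sorted(outputs):
        roles[host], findings = audit_host(outputs[host])
        report += [host + ": " + f for f in findings]
    preferred = [h for h in sorted(roles) if roles[h] == "preferred"]
    if len(preferred) > 1:
        report.append("more than one preferred master: " + ", ".join(preferred))
    if all(role == "never" for role in roles.values()):
        report.append("no machine is allowed to maintain the browse list")
    return roles, report

# Constructed sample output for three hypothetical hosts, not captured from real machines.
TEMPLATE = r"""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters
    MaintainServerList    REG_SZ    {0}
    IsDomainMaster    REG_SZ    {1}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    RestrictAnonymous    REG_DWORD    {2}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters
    NodeType    REG_DWORD    {3}
"""
SAMPLE = {"WS1": TEMPLATE.format("Yes", "TRUE", "0x0", "0x8"),
          "WS2": TEMPLATE.format("Yes", "TRUE", "0x1", "0x8"),
          "WS3": TEMPLATE.format("Auto", "FALSE", "0x1", "0x2")}

if __name__ == "__main__":
    print(*audit_network(SAMPLE), sep="\n")
```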
 