Windows Server 2016 and Win XP client ??

Hi all,

We're in the process of upgrading our environment and looking forward to it, but due to our particular environment we can't get everything we want. I manage a closed-area environment and we have a number of legacy hardware systems in place.
We're currently running Win2008 and 2003 servers and now must upgrade all to Win2016 server.  
We would like to remove Windows XP completely from our environment but at this time we just can't.
Now my question is, can I add WinXP machines to Windows Server 2016 domain and be happy ever after?
We plan to move to Win10 soon, but it will be a slow process and we can't wait until it happens.
Please share your experience and whether or not it's doable. Thanks.
timnjohnson (Information Security Engineer) asked:
Daryl Bamforth (Technical Expert) commented:
All doable, they will add as usual, shouldn't have any issues.
0
ITSysTech (Senior Systems Administrator) commented:
It will work well, except the GPO templates in Windows 2016 will not work correctly because they are missing some things for XP. You will be fully functional using XP on a Windows 2016 server except for the full use of GPO templates.
0
Daryl Bamforth (Technical Expert) commented:
Just ensure that your XP clients only pull GPOs with XP settings in. It depends how your OUs are set up, but you can drop them all in an OU and only link the XP-based GPOs there.
1
timnjohnson (Information Security Engineer, Author) commented:
Hi Daryl Bamforth,
Your answer sounds good, but one question remains: our XP machines haven't been patched for years, and I'm wondering whether that would cause issues with SRV 2016?
0
ITSysTech (Senior Systems Administrator) commented:
Server 2016 will work fine despite the patches, just like Windows Vista on Server 2016 will work, except the GPO templates will not be fully functional.
1
Cliff Galiher commented:
XP does *not* play well with server 2016 in a domain environment.  You may have *some* success, but many of the security protocols that XP supported have been cracked (think 3DES instead of AES-256), and XP has never been patched to support newer protocols, and old protocols were dropped from 2016.

You get weird errors, random authentication errors, and all-around bad things when you try to get these two to play long term. I suspect the previous answers were based on "common knowledge" and not actual experience. I can tell you affirmatively, from real-world experience, that this is not the case.
1
timnjohnson (Information Security Engineer, Author) commented:
I think based on the responses I'm getting, creating a separate GPO for XP clients to pull from will take care of the functionality issue.
0
timnjohnson (Information Security Engineer, Author) commented:
Cliff Galiher,

Do you think this is a bad idea and not worth trying? I don't want to misguide the management, so if this will be an ongoing problem I would rather not recommend it.
0
Cliff Galiher commented:
For both practical reasons (random errors, unmanageable problems), and for security reasons (one compromised XP machine can compromise your entire network), I'd never do this.

Yes, XP is in *RARE* cases a necessary evil.  I still see manufacturing machines driven by XP.

But where they are used, they should be isolated. Never a member of the domain. Never on the business network.  Separate network (or VLAN) with no internet access and no access to normal network traffic.  Even better if they can be run standalone with no network at all.
0
Daryl Bamforth (Technical Expert) commented:
The user has already stated that he needs to continue using the XP machines for the time being until they can move to Windows 10. Is it ideal? Of course not. Are there additional risks? Absolutely. But he has also stated he manages a closed environment. In this scenario he will be able to get on until he can upgrade to Windows 10.

So, separate OU and lock them down as much as possible.
1
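One way to implement the "separate OU, XP-only GPOs linked there" approach that Daryl describes in this comment and in his earlier one, written as an added PowerShell example that is not part of the thread and not any participant's own script. It assumes the RSAT ActiveDirectory and GroupPolicy modules on a domain-joined administrative workstation; the OU name Legacy-XP and GPO name Legacy-XP-Baseline are placeholders chosen for the example.

```powershell
# Added example, not from the thread. Placeholder names: OU "Legacy-XP",
# GPO "Legacy-XP-Baseline". Requires the ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN = (Get-ADDomain).DistinguishedName
$OuName   = 'Legacy-XP'
$OuDN     = "OU=$OuName,$DomainDN"
$GpoName  = 'Legacy-XP-Baseline'

# 1. Inventory: every computer object whose OperatingSystem attribute says XP.
#    LastLogonDate helps spot stale objects that should simply be removed.
$xpComputers = Get-ADComputer -Filter 'OperatingSystem -like "*Windows XP*"' `
    -Properties OperatingSystem, LastLogonDate
$xpComputers |
    Select-Object Name, OperatingSystem, LastLogonDate, DistinguishedName |
    Format-Table -AutoSize

# 2. Create the dedicated OU if it is missing, then block inheritance so the
#    XP machines receive only GPOs linked here. Note: GPOs linked higher up
#    with "Enforced" set still apply despite the block.
$existingOu = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" `
    -SearchBase $DomainDN -ErrorAction SilentlyContinue
if (-not $existingOu) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN `
        -ProtectedFromAccidentalDeletion $true
}
Set-GPInheritance -Target $OuDN -IsBlocked Yes | Out-Null

# 3. Create the XP-only GPO (settings XP understands) and link it to the OU.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Comment 'Settings supported by Windows XP only' | Out-Null
}
New-GPLink -Name $GpoName -Target $OuDN -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# 4. Move the XP computer objects into the OU (skip ones already there).
foreach ($c in $xpComputers) {
    if ($c.DistinguishedName -notlike "*,$OuDN") {
        Move-ADObject -Identity $c.DistinguishedName -TargetPath $OuDN
    }
}

# 5. Verify: which GPOs are linked to the OU and whether inheritance is blocked.
Get-GPInheritance -Target $OuDN |
    Select-Object Path, GpoInheritanceBlocked,
        @{ Name = 'Links'; Expression = { $_.GpoLinks.DisplayName -join ', ' } }
```

Run it once from an elevated session with domain admin rights, then re-run step 1 periodically to catch XP machines that get re-joined outside the OU. This only addresses the GPO-template point raised by ITSysTech and Daryl; it does nothing about the authentication-protocol incompatibilities Cliff raises, and it does not substitute for the network isolation (separate VLAN, no internet) he recommends.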
timnjohnson (Information Security Engineer, Author) commented:
Thanks all for taking the time and giving me ideas on how to go about it.
This will help when discussing with the management and explaining the risks and the mitigation process. Risks are always there, but sometimes you dance with what you have. Thanks all.
0
Cliff Galiher commented:
If it's a closed environment then joining the domain would usually not even be a concern. And that doesn't address the practical incompatibilities of the two OSes being so far apart. You chose to focus and nitpick one small part of my larger argument and I stand by my assessment.
0
Cliff Galiher commented:
Put another way, if there were absolutely no options/choices then there would be no reason to ask a question at all. The OP would've just done the only thing available to them. That the question was asked means *some* wiggle room is available, and making the *right* decision requires information. And while not ideal, blatant misinformation can make for bad decision making. That was the goal of my answer. I don't see the reason for the attack.
0
timnjohnson (Information Security Engineer, Author) commented:
Given our current environment, creating a separate GPO for XP clients is a good option and it will buy us time as we move to Win10.
Daryl, great job and thanks for your time.
0
Daryl Bamforth (Technical Expert) commented:
@Cliff Galiher I am bemused that you felt under attack, considering the strong wording of most of your posts. But I apologise that you felt under attack; that was not the intent of my post. I was highlighting elements of timnjohnson's scenario that you appeared to have missed.

I completely agree that in ideal circumstances you would build a big fire and sacrifice anyone who even dared suggest the continued use of XP. In the real world, however, which I can assure you many of the experts on here have significant experience in, we have to deal with business scenarios which fly in the face of ideal circumstances. It appeared to me that timnjohnson's was one of these; he seemed aware of the need to divest of XP at the earliest opportunity and was asking about the ability to continue to manage his XP estate through 2016. Yes, there are caveats, but yes, it is perfectly possible to do so. At no point did I offer any misinformation, blatant or otherwise.
0
Cliff Galiher commented:
You keep implying that I said get rid of XP *period*. Reread my posts. I gave examples where it wasn't possible. Other options include a truly isolated network, or standalone machines on no network. That's real-world advice. I disagree with basically everything you said, and mixing in 2016 is not a player in those scenarios and shouldn't be. But so be it. I have zero interest in continuing the argument either. Let the OP choose what advice to follow.
0