the answer is simple, all SMB servers. Domain controllers are a good example, client computers and member servers use SMB to access SYSVOL and NETLOGON shares to apply group policy, so domain controllers are servers to audit. File and print servers also need to be audited.
In my scenario I have three concerned servers: DC01 and DC02 are domain controllers, MEM01 is a file server. All of them are running Windows Server 2012 R2.
To enable SMB v1 auditing on Windows Server 2012 R2 run the PowerShell command:
Set-SmbServerConfiguration -AuditSmb1Access $true
reference:https://azurecloudai.blog/2018/12/17/step-by-step-safely-disabling-smb-v1-from-your-production-environment/
Tip: This answer contains the content of a third-party website. Microsoft makes no representations about the content of these websites. We provide this content only for your convenience.
Hope this information can help you
Best wishes
Vicky