Domain controller using SMB1

Kamran Ahmed 271 Reputation points
2020-11-26T15:15:02.893+00:00

Hi,

As part of a remediation task I'm disabling SMB1 on domain controllers. I have enabled SMB1 auditing and found that there are several domain controllers trying to access another domain controller using SMB1. I have looked through the logs but can't find anything obvious; is there a reason why a domain controller would behave this way?

Thanks in advance.


5 answers

  1. Vicky Wang 2,646 Reputation points
    2020-11-27T07:55:37.943+00:00

    The answer is simple: all SMB servers. Domain controllers are a good example: client computers and member servers use SMB to access the SYSVOL and NETLOGON shares to apply Group Policy, so domain controllers are servers to audit. File and print servers also need to be audited.

    In my scenario I have three servers of concern: DC01 and DC02 are domain controllers, and MEM01 is a file server. All of them are running Windows Server 2012 R2.

    To enable SMB v1 auditing on Windows Server 2012 R2 run the PowerShell command:

    Set-SmbServerConfiguration -AuditSmb1Access $true

    Reference: https://azurecloudai.blog/2018/12/17/step-by-step-safely-disabling-smb-v1-from-your-production-environment/

    Tip: This answer contains the content of a third-party website. Microsoft makes no representations about the content of these websites. We provide this content only for your convenience.

    Hope this information can help you
    Best wishes
    Vicky

    1 person found this answer helpful.
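The answer above gives the single cmdlet that turns auditing on, but the original question is about reading the result: which clients are still connecting over SMB1 and to which DC. The script below is an added example, not code from the thread or from Microsoft. It assumes Windows Server 2012 R2 or later on the DCs (the SMB cmdlets exist there), WinRM enabled for Invoke-Command, and that SMB1 connections are recorded as Event ID 3000 in the Microsoft-Windows-SMBServer/Audit log with a "Client Address:" line in the message text; the DC names are placeholders.

```powershell
# Added example: enable SMB1 server-side auditing on a set of domain
# controllers, then summarise the audit events by (server, client) pair.
# Assumptions: Server 2012 R2+, WinRM reachable, Event ID 3000 in the
# Microsoft-Windows-SMBServer/Audit channel carries "Client Address: <addr>".
# DC01/DC02 are placeholder names.

param(
    [string[]]$ComputerName = @('DC01', 'DC02'),
    [int]$Days = 7
)

# 1. Turn on SMB1 access auditing (the cmdlet quoted in the answer above)
foreach ($dc in $ComputerName) {
    Invoke-Command -ComputerName $dc -ScriptBlock {
        Set-SmbServerConfiguration -AuditSmb1Access $true -Force
    }
}

# 2. Collect the audit events written during the last $Days days
$since = (Get-Date).AddDays(-$Days)
$hits = foreach ($dc in $ComputerName) {
    $filter = @{
        LogName   = 'Microsoft-Windows-SMBServer/Audit'
        Id        = 3000
        StartTime = $since
    }
    Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the client address out of the event text (wording assumed as above)
            $client = 'unknown'
            if ($_.Message -match 'Client Address:\s*(\S+)') { $client = $Matches[1] }

            # Best-effort reverse lookup so a DC-to-DC connection is recognisable by name
            $name = $client
            try { $name = [System.Net.Dns]::GetHostEntry($client).HostName } catch { }

            [pscustomobject]@{
                Server = $dc
                Client = $client
                Name   = $name
                Time   = $_.TimeCreated
            }
        }
}

# 3. One row per (server, client) pair, busiest pair first
$hits |
    Group-Object Server, Name |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ Name = 'Server';   Expression = { $_.Values[0] } },
        @{ Name = 'Client';   Expression = { $_.Values[1] } },
        @{ Name = 'LastSeen'; Expression = { ($_.Group | Sort-Object Time -Descending)[0].Time } } |
    Format-Table -AutoSize
```

Run it from an administrative PowerShell session with `.\Smb1Audit.ps1 -ComputerName DC01,DC02 -Days 14` (file name is yours to choose). If the Client column shows the other domain controllers, as the question reports, the traffic is coming from those DCs acting as SMB clients, which is why the server-side share list (only NETLOGON and SYSVOL) looks unremarkable.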

  2. Dave Patrick 4.3L Reputation points MVP
    2020-11-26T15:21:29.23+00:00

    What operating systems are involved? Something here may help.
    https://learn.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3

    --please don't forget to Accept as answer if the reply is helpful--


  3. Kamran Ahmed 271 Reputation points
    2020-11-26T15:29:23.38+00:00

    These are Windows Server 2008 R2 and 2012 R2 with 2008R2 domain/forest functional level.
    I have followed that document and it is useful for setting up auditing, which I have done, but I can't see anything obvious on the domain controllers; there are no shares except NETLOGON and SYSVOL.

    In the screenshot the client address is the hostname of the domain controller.

    [Screenshot: 43050-smb1.jpg]


  4. Thameur-BOURBITA 32,606 Reputation points
    2020-11-27T22:15:47.893+00:00

    Hi,

    *Part of a remediation task I'm disabling SMB1 on domain controllers, I have enabled SMB1 auditing and found that there are several domain controllers trying to access another domain controller using SMB1?*

    Check whether you have also disabled the SMBv1 client on each domain controller. You can refer to the following link for details on how to disable and enable the SMBv1 client:

    detect-enable-and-disable-smbv1-v2-v3

    Please don't forget to mark this reply as the answer if it helps you fix your issue.

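The point of this answer is that the server-side audit only shows who is still speaking SMB1 to a DC; if the DCs themselves still have the SMB1 client (the MRxSmb10 driver) enabled, they appear in each other's audit logs. The script below is an added example, not code from the thread or from Microsoft, that reports the SMB1 client and server state on each DC for both OS levels mentioned in the thread (Windows Server 2008 R2 and 2012 R2). The checks use the sc.exe and registry methods from the Microsoft "detect, enable and disable SMBv1" article linked in the thread; it assumes WinRM is enabled and the DC names are placeholders.

```powershell
# Added example: per-DC report of SMB1 client and server state.
# Client state comes from sc.exe (works on 2008 R2 and 2012 R2 alike);
# server state uses Get-SmbServerConfiguration where it exists (2012 R2+)
# and the LanmanServer\Parameters\SMB1 registry value otherwise (2008 R2).
# Assumptions: WinRM reachable; DC01/DC02 are placeholder names.

$domainControllers = @('DC01', 'DC02')

$report = foreach ($dc in $domainControllers) {
    Invoke-Command -ComputerName $dc -ScriptBlock {
        $os = (Get-WmiObject Win32_OperatingSystem).Caption

        # SMB1 client, part 1: start type of the MRxSmb10 driver (DISABLED = client off)
        $qc = (sc.exe qc mrxsmb10) -join "`n"
        $driverStart = 'not present'
        if ($qc -match 'START_TYPE\s*:\s*\d+\s+(\w+)') { $driverStart = $Matches[1] }

        # SMB1 client, part 2: does LanmanWorkstation still depend on MRxSmb10?
        $ws = (sc.exe qc lanmanworkstation) -join "`n"
        $dependsOnSmb1 = [bool]($ws -match 'MRxSmb10')

        # SMB1 server: cmdlet on 2012 R2+, registry value on 2008 R2
        if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
            $serverEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
        } else {
            $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
            $val = (Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue).SMB1
            # A missing SMB1 value means the protocol is enabled on 2008 R2
            $serverEnabled = ($null -eq $val) -or ($val -ne 0)
        }

        # New-Object rather than [pscustomobject] so this also runs on PowerShell 2.0
        New-Object PSObject -Property @{
            Computer          = $env:COMPUTERNAME
            OS                = $os
            Smb1ClientDriver  = $driverStart
            WorkstationDepend = $dependsOnSmb1
            Smb1ServerEnabled = $serverEnabled
        }
    }
}

$report |
    Select-Object Computer, OS, Smb1ClientDriver, WorkstationDepend, Smb1ServerEnabled |
    Format-Table -AutoSize

# Remediation on 2008 R2, taken from the Microsoft article linked above
# (shown as a comment so the report stays read-only):
#   sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
#   sc.exe config mrxsmb10 start= disabled
# On 2012 R2 the same article uses:
#   Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
```

A DC with `Smb1ClientDriver` other than DISABLED or `WorkstationDepend` of True is still able to open SMB1 sessions to its peers, which is exactly what the audit log on the other DC records. Re-run the audit collection after the client has been disabled and rebooted to confirm the events stop.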