SMBv1 Registry Dependency Removal Impact

Shinz PK 31 Reputation points
2021-06-09T14:58:58.373+00:00

Hi All,

I have an SMBv1 Query, please help by answering.

Our 2008 R2 DCs are using SMBv1: features installed + SMBv1 protocol enabled + registry dependencies for SMBv1 enabled at lanmanworkstation and lanmanserver (lanmanserver depend= SamSS/Srv and lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi).

We are adding a 2012 R2 domain controller. For 2012 R2 the default setting is: SMBv1 features installed + SMBv1 protocol enabled. Registry dependencies for SMBv1 are not enabled for lanmanworkstation and lanmanserver.

We have a legacy environment involving 2000 and 2003 member machines, and a few legacy applications. The question is: can we keep the default 2012 R2 settings, so that SMBv1 will be enabled (via feature and protocol) but the registry dependencies for SMBv1 will not be enabled for lanmanworkstation and lanmanserver? What would be the things to check to ensure it doesn't cause any issues for the existing environment/services/client machines? What does enabling/disabling these registry dependencies actually do?

Windows Server 2012

Accepted answer
  1. Sunny Qi 11,031 Reputation points Microsoft Vendor
    2021-06-10T09:33:30.327+00:00

    Hi,

    Thanks for posting in Q&A platform.

    I performed some research on these dependencies and didn't find any related official articles talking about this.

    I checked the related registry keys in Windows Server 2012 R2 and found the default values of these dependencies, shown in the following screenshots.

    104144-image.png

    104202-image.png

    My understanding is that you want to keep these values at their default settings. Based on my research, there were some similar cases related to these service dependencies, such as one where SMBv1 was enabled on Windows Server 2012 R2 and a shared folder was created on this server. An error occurred when this shared folder was accessed from Server 2003. The workaround is changing the value of DependOnService to SamSS Srv2 Srv on Server 2012 R2. Since we don't have such a Windows 2003 server to test in our lab, I would suggest you perform a test from your side.

    Scenario 1: keep the specific values as default settings.

    Create a shared folder on Server 2012 R2, and then access this shared folder from legacy devices to see if any error occurs.

    If no error occurs, then the default settings will not affect the shared folder connection.

    If the error occurs, please try changing the value of DependOnService to SamSS Srv2 Srv on Server 2012 R2 to see if the shared folder can be accessed.

    Best Regards,
    Sunny


    1 person found this answer helpful.

2 additional answers

  1. Anonymous
    2021-06-09T15:08:21.107+00:00

    Something here may help.
    https://learn.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3

    For a detailed analysis you may need to use Wireshark or similar tools.

    1 person found this answer helpful.

  2. Shinz PK 31 Reputation points
    2021-06-14T18:40:42.803+00:00

    @Sunny Qi, thanks, it actually helped. :-)

    Adding more of what I got from my little research too: I tested from Windows 2003 STD (SP2) and I could access the Netlogon and SYSVOL shares hosted on a Windows 2012 R2 domain controller (where the default settings were on: SMBv1 features installed + SMBv1 protocol enabled; registry dependencies for SMBv1 not enabled for lanmanworkstation and lanmanserver). In fact the testing worked from a Windows 2000 Server (SP4) too, and I was able to access Netlogon hosted on the Windows Server 2012 R2 domain controller.

    "What all would be the things to check to ensure it doesn't cause any issues to the existing environment/services/client machines?" The above test was enough in my case to test DC functionality.

    For other 2012 R2 member servers, we can also enable SMB1 audit logs by running Set-SmbServerConfiguration -AuditSmb1Access $true and then monitor event 3000 under SMBServer -> Audit.

    "What is actually enabling/disabling these registry dependencies does?" These dependencies are for the Windows services Server (LanmanServer) and Workstation. Netlogon on a domain controller is dependent on both of these. Adding SMBv1 dependencies for LanmanServer will make any legacy OS (for example XP) connect to the 2012 R2 domain controller by providing SYSVOL and Netlogon share access. Adding SMBv1 dependencies for LanmanWorkstation will make 2012 R2 connect to a network/share which works through the SMBv1 protocol.

    Server Service: Server Service, also known as LanmanServer, is a component of the Microsoft Windows Server operating systems that allows a server to share files and print resources with clients over the network. When a redirector on a client requests a shared resource from a server, the Server service on the server responds and routes the resource to the client. Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

    Workstation: Workstation Service, also known as LanmanWorkstation, is a component of the Microsoft Windows Server operating systems that allows a client to request file and print resources from servers over the network. It creates and maintains client network connections to remote servers using the SMB protocol. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

    1 person found this answer helpful.
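
The checks discussed in this thread, collected into one read-only script as an added example (not posted by any participant): it reports whether the SMBv1 drivers named in the question appear in each service's DependOnService value, shows the server's SMB1 protocol and audit switches, and counts event 3000 entries per client. It assumes an elevated session on Windows Server 2012 R2 or later and that the event 3000 message contains a "Client Address:" line.

```powershell
# Added example: read-only SMBv1 inventory for one server (changes nothing).
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# SMBv1 driver names as they appear in the DependOnService values
# quoted in the thread (Srv for the server side, mrxsmb10 for the client side).
$smb1Drivers = @{
    LanmanServer      = 'Srv'
    LanmanWorkstation = 'MRxSmb10'
}

$dependencies = foreach ($svc in $smb1Drivers.Keys) {
    # DependOnService is a REG_MULTI_SZ, returned as a string array.
    $dep = (Get-ItemProperty -Path "$svcRoot\$svc" -Name DependOnService).DependOnService
    [pscustomobject]@{
        Service         = $svc
        DependOnService = $dep -join ' '
        # -contains is case-insensitive, so 'mrxsmb10' matches 'MRxSmb10'.
        Smb1Dependency  = $dep -contains $smb1Drivers[$svc]
    }
}
$dependencies | Format-Table -AutoSize

# Server-side protocol switch and the audit switch mentioned in the thread.
Get-SmbServerConfiguration |
    Select-Object EnableSMB1Protocol, AuditSmb1Access |
    Format-List

# Count SMB1 audit events (ID 3000) per client. Events only appear after
# Set-SmbServerConfiguration -AuditSmb1Access $true has been run.
$filter = @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Assumption: the message text carries a "Client Address:" line.
        if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] }
        else { '(unparsed)' }
    } |
    Group-Object |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'Client'; e = { $_.Name } }, Count
```

An empty result from the last pipeline means either auditing is off or no client has connected over SMB1 since it was turned on; the AuditSmb1Access value printed above tells the two cases apart.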
