dietzmj

Issues disabling SMB 2.0 on Windows Server 2008

I need to try disabling SMB 2.0 and OpLocks on my Windows Server 2008 R2 domain controller.  My company runs a FoxPro database application.  Each user on each of my 3 application servers has their own copy of the application itself stored locally on the application servers, and accesses data shared by the domain controller/file server.  These files often become locked -- the FoxPro application and Crystal Reports (which both access these database files) error out and say either the DBC (database container) is unavailable or that a specific DBF (database file) is unavailable.  The only way to solve the problem is to disconnect all users from all of the application servers.  This problem first started when we migrated from Windows Server 2003 Small Business to Windows Server 2008 R2.

It has been suggested that I disable SMB2 and OpLocks via the registry (HKLM/CurrentControlSet/Services/lanmanserver/parameters/).  When I do this on the DC, all file shares become inaccessible from anywhere in the domain, including shares necessary for login to the domain by workstations (making all machines completely unusable).  I have tried disabling SMB2 on the application servers and client machines via the LanManWorkstation/parameters key and it did not allow access to the domain file shares.  The only way to restore access was to re-enable SMB2 on the DC.  I have also tried using the SC CONFIG command to disable SMB2 on clients and the application servers using:

sc config lanmanworkstation depend= browser/mrxsmb10/nsi
sc config mrxsmb20 start= disabled

Any ideas on why the files become inaccessible when SMB2 is disabled?  Thanks!
Olaf Doschke

I just remember that disabling SMB2, to be able to disable OpLocks, takes more than one registry key anyway. But I never heard that the full set of changes you need to make would disable shares or login to the domain.
I can only assume you just worked on the server side. If you disable SMB2 on the server and have Win7 clients, they still are configured to use SMB2 and don't automatically fall back to SMB1, AFAIK. Vista clients were different.

There is a MS "Fix it" to disable SMBv2, that at least does anything you need to do for that matter; do that on both the server and clients. Still, you also need to disable OpLocks afterwards: http://blogs.msdn.com/b/robmar/archive/2009/09/23/get-microsoft-fix-it-for-smb2-issue.aspx

To disable Oplocks, from feedback I got, it's best to use both keys to disable the request of oplocks on clients and the key to deny granting oplocks on the server. The keys are explained here: http://support.microsoft.com/kb/296264/en-us

Bye, Olaf.
This does not necessarily have to be SMB2. You should also check your antivirus and backup software settings. What exact changes did you do in registry?

OK, let's suppose antivirus and backup is not the problematic part. You may read the following page which (or the links on it) explains how to manage SMB2 and oplocks: http://fox.wikis.com/wc.dll?Wiki~OpportunisticLocking

SMB2 disabling should not hide network shares and Windows experts should explain why your server behaves this way.

We are using W2008 R2 with AD, SMB2 is switched off on both the server and workstations and everything works. The application is installed on client's PCs, just data are accessed on network shares.

We are also using VFP as a COM server on the same W2008R2 and 100 concurrent users are working every day without problems. This environment is the most stable one for VFP apps. No DBF/index corruption for years!

So your server needs some fine tuning... You should apply some hot fixes as the first step.
Start here: OS combinations
http://www.caseware.com/support/caseknowledge/kb-271
and continue here: http://support.microsoft.com/kb/2473205
dietzmj

ASKER

So this is an interesting development.  I've noticed that when the file locking problem occurs, it only happens to ONE of the two application servers.  Logging out all users on THAT application server resolves the issue for those users.  The other application server is completely unharmed during the problem.  This problem can happen to either server mind you, but only one at a time.  If it was an SMB2/oplocks problem, it would happen to all users on all servers accessing that data... right?
If the application server is designed as a virtual machine on your server hardware then it has its own settings so the problem can happen to one application server only.
>This problem can happen to either server mind you, but only one at a time.
The problem doesn't happen instantly and often, so it's no wonder it happens to one server at a time. If you'd wait long enough, I'm sure you'd also get the case of both servers having the problem at the same time.

But the situation now is really unclear. If you have two application servers, where is the data? On one of them? On both of them, separate databases, or on a third file server or even on a SAN?

What is the server and what is the client needs to be viewed from the perspective of oplocks, and then you don't have the classic view of a client being a workstation with the user sitting at it and all other computers being server. Only the file server is the server in regard to oplocks.

An oplock is mainly a contact between the server serving the file and a client accessing it to allow local caching, avoiding network traffic, unless a second client asks for the file and so changes must be committed before the second client can read the file as it actually is. If you have two application servers reading the data, they are clients to the file server; they are the direct clients to the file access.

So what is your real situation now? Where is the data?

In case of two databases, one on each application server, what are you surprised by?

Bye, Olaf.
dietzmj

ASKER

Data is on the domain controller as a network share which is running Windows Server 2008 R2.  For whatever reason, when I disable SMB2 on the DC, trying to boot up the DC causes it to say "Applying Computer Settings" indefinitely.  I'd like to try disabling Oplocks on the DC just to see if it fixes the problem, but I can't even seem to do that without breaking the server.  Any thoughts?
OK, if the error says "File is unavailable" (which is not the exact error description probably) then it means "It is impossible to open the file" and you should find what blocked the file access.

If the error message says File is in use by another user then it could point to SMB2 or oplocks. BUT it could also be antivirus or whatever else. What is the exact error message text?

You should also solve the boot impossibility with Microsoft support because it seems Windows Experts do not work so fast here and we (me and Olaf) are more FoxPro experts than Windows experts...

Your configuration is still unclear. You have one DC/file server and three app servers. Do they use some virtualization or do they have separate hardware each?

You could also test other configurations, e.g. copy the application to the client workstation or notebook. It should work with appropriate setup and existing shares. If the Windows XP client works but W7 client doesn't then it points to SMB2 again.

BTW, if Microsoft will attempt to refuse the support because of FoxPro usage just tell them this problem is common to shared file access and it can be reproduced on MS Access database and on shared MS Excel sheet probably...
Well, in the first place you now have a Windows problem rebooting a server. What if you turn on SMB2 again and reboot? Is this boot failure really related to the registry changes? I can't imagine why this would need to (re)apply computer settings.

Bye, Olaf.
ASKER CERTIFIED SOLUTION
dietzmj

dietzmj

ASKER

No other solutions worked.
I believe you will notice that the service "workstation" is no longer running when you disable smb2 on the clients. It does not look like you re-enabled smb1.
This will stop you from being able to map shared network drives.
You need to create a batch file that will be run as administrator on all clients with the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/nsi
sc.exe config mrxsmb20 start= disabled
sc.exe config mrxsmb10 start= auto
Restart the computer and you should be able to map your drives after this.
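
A read-only check of the client state those three commands are meant to produce, as an added example that is not part of the original thread. It assumes PowerShell 2.0 or later (shipped with Windows 7 and Server 2008 R2) and the standard service key location under HKLM\SYSTEM\CurrentControlSet\Services; the function name Get-DriverStart is made up for this example.

```powershell
# Added example: audits the SMB redirector settings changed by the sc.exe
# commands in this thread. It only reads the registry and service state.
$svcRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$startNames = @{ 0 = 'boot'; 1 = 'system'; 2 = 'auto'; 3 = 'demand'; 4 = 'disabled' }

# Hypothetical helper: start type of a service or driver, or 'missing'.
function Get-DriverStart([string]$Name) {
    $key = Get-ItemProperty -Path "$svcRoot\$Name" -ErrorAction SilentlyContinue
    if ($key -eq $null) { return 'missing' }
    return $startNames[[int]$key.Start]
}

# DependOnService is REG_MULTI_SZ; "sc config ... depend= a/b/c" rewrites it.
$deps     = @((Get-ItemProperty -Path "$svcRoot\LanmanWorkstation").DependOnService)
$smb1     = Get-DriverStart 'mrxsmb10'
$smb2     = Get-DriverStart 'mrxsmb20'
$wksState = (Get-Service -Name LanmanWorkstation).Status

$problems = @()
foreach ($d in $deps) {
    if ($d.StartsWith('+')) { continue }   # '+' marks a load-order group, not a service
    if ($d -ieq 'browser') {
        # The working commands in this thread name the "bowser" driver.
        $problems += 'Dependency list names "browser" instead of the "bowser" driver.'
    } elseif ((Get-DriverStart $d) -eq 'missing') {
        $problems += "Dependency '$d' is not an installed service or driver."
    } elseif ((Get-DriverStart $d) -eq 'disabled') {
        $problems += "Dependency '$d' is disabled, so Workstation cannot start."
    }
}
if ($smb1 -eq 'disabled' -and $smb2 -eq 'disabled') {
    $problems += 'mrxsmb10 and mrxsmb20 are both disabled; no SMB redirector can load.'
}
if ($smb2 -eq 'disabled' -and $smb1 -ne 'auto') {
    $problems += "mrxsmb20 is disabled but mrxsmb10 start type is '$smb1', not 'auto'."
}
if ($wksState -ne 'Running') {
    $problems += "Workstation service state is '$wksState'; shares cannot be mapped."
}

# Summary object first, then one line per finding.
New-Object PSObject -Property @{
    Computer = $env:COMPUTERNAME; Dependencies = ($deps -join '/')
    mrxsmb10 = $smb1; mrxsmb20 = $smb2; Workstation = $wksState
}
if ($problems.Count -eq 0) { 'No inconsistencies found.' } else { $problems }
```

Run it before and after the batch file and the reboot to see which setting changed on a given client.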