Trouble disabling SMB1 and SMB2 on Windows Server 2008 and 2016

Hello,

For testing the performance of a legacy database application (.DBF files) I need to temporarily disabe SMB2 and 3 on WS 2008 R2 and WS 2016 (standard editions) and turn off opportunistic locking (Oplocks.)

I have researched it a but can’t seem to get it to work – links to some related articles below.

On the servers I think I just need to disable SMB2 since MS states SMB3 is automatically disabled when SMB2 is because they share the same stack.

What I’ve found is that the following procedure done on the server should work but it does not seem to.

1.      Reboot

2.      Show SMB1 running:
C:\ >sc query mrxsmb10
SERVICE_NAME: mrxsmb10
TYPE               : 2  FILE_SYSTEM_DRIVER
STATE              : 4  RUNNING
                        (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE    : 0  (0x0)
SERVICE_EXIT_CODE  : 0  (0x0)
CHECKPOINT         : 0x0
WAIT_HINT          : 0x0

3.      Show SMB2 running
C:\ >sc query mrxsmb20
SERVICE_NAME: mrxsmb20
TYPE               : 2  FILE_SYSTEM_DRIVER
STATE              : 4  RUNNING
                         (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE    : 0  (0x0)
SERVICE_EXIT_CODE  : 0  (0x0)
CHECKPOINT         : 0x0
WAIT_HINT          : 0x0

4.      Update the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB2
REG_DWORD: 0 = Disabled

5.      Reboot

6.      Show that SMB2 is still running
C:\ >sc query mrxsmb20
SERVICE_NAME: mrxsmb20
TYPE               : 2  FILE_SYSTEM_DRIVER
STATE              : 4  RUNNING
                        (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN
WIN32_EXIT_CODE    : 0  (0x0)
SERVICE_EXIT_CODE  : 0  (0x0)
CHECKPOINT         : 0x0
WAIT_HINT          : 0x0

For disabling Oplocks (which seems to be forced to enabled in SMB2) I made the following registry changes:

HKLM\SYSTEM\CurrentControlSet\services\mrxsmb\Parameters\OplocksDisabled REG_DWORD 0x1

HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters\EnableOplocks REG_DWORD 0x0

I do not know how to test if these settings are effective.

Thanks,
Tim

Links:

https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and-windows

https://support.microsoft.com/en-us/help/296264/configuring-opportunistic-locking-in-windows

https://www.experts-exchange.com/questions/28100582/Issues-disabling-SMB-2-0-on-Windows-Server-2008.html
Tim CallahanPrincipalAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

pcelbaCommented:
The first link is descriptive enough and it seems you are mixing server and workstation, ie. Registry entry change disabled the SMB on the server but the sc query displays status of the workstation...

To stop SMB2/3 on workstation you have to disable the appropriate windows service and restart.

To stop SMB2/3 on the server update registry (or use PowerShell commands) and restart.

SMB1 and oplocks are slightly different but again they are described sufficiently.

BTW, I would guess no disk mapping will be available when you disable both SMB1 and SMB2
0
Tim CallahanPrincipalAuthor Commented:
Thanks. I was able to do this on Windows Server 2016 using Powershell:

Detect: Get-SmbServerConfiguration | Select EnableSMB2Protocol
Disable: Set-SmbServerConfiguration -EnableSMB2Protocol $false
Enable: Set-SmbServerConfiguration -EnableSMB2Protocol $true

However these are not available for Windows Server 2008.

If I understand you correctly for Windows Server 2008 I should just make the above three registry changes.

Is there a way to detect that SMB2 is disabled on the 2008 server once these changes are made? That would help to know for sure.
0
pcelbaCommented:
Yes, Get-SmbServerConfiguration Cmdlet is available in Server 2012, 2016, Win 8, Win 10 (https://technet.microsoft.com/en-us/library/jj635723.aspx)

What I would guess:
Powershell commands should update the registry as if you were updated it directly in Regedit. And the way how to detect it is to read the registry after restart.

Of course, you may use PowerShell to update the registry as described e.g. here: http://www.dataease.com/test_article_view/?ArticleID=00128&field1=00128
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Tim CallahanPrincipalAuthor Commented:
In reading more carefully, I see that the powershell commands I need are in the docs as you first indicated and that they are registry edit commands as you say (which I list here for completeness.)

Detect: Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {Get-ItemProperty $_.pspath}
Disable: Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 0 –Force
Enable: Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 1 –Force

Thanks, Tim
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2016

From novice to tech pro — start learning today.