Disabling SMBv1 per Microsoft's recommendation breaks Active Directory..
After the recent WannaCry ransomware outbreak online our organization decided to take Microsoft's advise and disable SMBv1 via GPO on our domain. Shortly there after I discovered that our on-prem AD was no longer syncing with O365. After digging into the problem I was able to determine that Active Directory breaks without SMBv1.
Root Cause:
Disabling SMBv1 causes the windows service 'workstation' to fail.
From The Event Log:
“The Workstation service depends on the SMB 1.x MiniRedirector service which failed to start because of an error: The service cannot be started. either because it is disabled or because it has no enabled devices associated with it.”
The workstation service is a dependency of the 'netlogon' windows service. So without the workstation service running netlogon fails as well.
This causes AD to be broken (This is visible while attempting to view AD in Server Manager on the Domain Controller).
Which ultimately caused our Azure AD Synchronization to fail.
This is something fundamentally flawed with Windows in my honest opinion.
What makes this situation even worse and embarrassing is that Microsoft's recommendation is to disable SMBv1 in the first place..
https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/
https://redmondmag.com/articles/2017/05/18/more-advice-on-disabling-windows-smb-1.aspx
After speaking with O365 support about this issue I was directed to voice my opinion here in uservoice. I understand that this is more of an engineering problem anyways. I just thought someone needed to hear about this.
I hope you guys are able to get this information to whoever needs to see it!
Thanks!
--Marcus
Marcus Peterson
shared this idea
3 comments
-
wayne
commented
To disable the SMBv1 client, the services registry key needs to be updated to disable the start of MRxSMB10 and then the dependency on MRxSMB10 needs to be removed from the entry for LanmanWorkstation so that it can start normally without requiring MRxSMB10 to first start.
Note that MRxSMB10 won't exist on newer clients anyway, just older clients that used smb v1.
-
LUVoice
commented
I had a problem when I followed the instructions for registry, because I missed also removing the LanManWorkstation's (service "Workstation") dependency on SMB1 (listed as mrxsmb10 in registry - driver "SMB 1x MiniRedirector").
Once I fixed the service dependency, things started working. This all happened when I was testing disabling SMB1 on a workstation (Win 7). I looked at the documentation again and realised I'd followed the Server instructions, that disregarded any SMB1 dependencies. So I had to fix the dependency on my workstation to make it work. It's OK now.
However, just because you're updating a server, it may also be using LanManWorkstation service and relying on the SMB1 service, so you probably should check the Workstation instructions too, and look for any dependency.
Best to check for any SMB1 dependencies before disabling SMB1:
sc.exe enumdepend mrxsmb10
For completeness, here is the 'how to' article I was refering to:
https://support.microsoft.com/en-au/help/2696547/how-to-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and-windows -
Fred Speece
commented
Is this just disabling SMB1 on domain controllers and/or just on the AD Connect server? I assume you mean ADconnect when you say "Azure AD Synchronization to fail"
I think SMB1 can be disabled on all client machines win7+ (unless you have files shares running SMB1).many other useful articles out there but here is one https://www.pdq.com/blog/disable-smbv1-considerations-execution/