none
SMB Server Configuration RRS feed

  • Question

  • I'm struggling to get a SMB Server Configuration using an elevated PowerShell command in Server 2016 Standard.

    Get-SmbClientConfiguration works just fine.

    Get-SmbServerConfiguration does not.

    I must be missing something, but hours of Googling is getting me nowhere.

    I have a raft of Warnings from Best Practices Analyser, all saying the SMB is not in default configuration and want to nail as many as possible, hence the need for the list.

    Any pointers would be greatly appreciated.

    Sunday, May 28, 2017 1:59 PM

All replies

  • I get two SMB warnings on my standard 2016 server;

    Warning Smb2CreditsMax should have the recommended value
    Warning Smb2CreditsMin should have the recommended value

    Do you get more than that? Also to me it seems odd I setup a new server and get these warning. Personally I do not worry about the warnings in the BPA, just take them one at a time as information.

    Get-SmbServerConfiguration works fine for me, so what happens when you run it?

    • Edited by -Mr Happy- Sunday, May 28, 2017 3:06 PM
    Sunday, May 28, 2017 3:06 PM
  • I get those two warnings also with BPA, and quite a few more besides.

    When I run Powershell as administrator I get the following.  (Having researched MSoft for System Error 1630, all it says is, "Data of this type is not supported")

    PS C:\Users\Administrator> Get-SMBServerConfiguration
    Get-SMBServerConfiguration : Data of this type is not supported.
    At line:1 char:1
    + Get-SMBServerConfiguration
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (MSFT_SmbServerConfiguration:ROOT/Microsoft/...erConfiguration) [Get-SmbSe
       rverConfiguration], CimException
        + FullyQualifiedErrorId : Windows System Error 1630,Get-SmbServerConfiguration

    Sunday, May 28, 2017 8:06 PM
  • Ok, so on my standard install the Get-SmbServerConfiguration works fine. So...

    The PowerShell error, is that full error? Is there a link \ command style line below for more info?

    (I have looked but at the moment cannot see what CIM Class \ Instance the Get-SmbServerConfiguration looks at beyond it looks at Win32_NetworkAdapterConfiguration)

    Can you post all the SMB warnings? Thinking they may give clues as to why it fails for you (might not be easy to do that copy the text from each one perhaps)

    What Roles and \ or Features have been added to the server?

    What third-party software (specifically file affecting software) has been installed?

    Sunday, May 28, 2017 9:38 PM
  • Sorry for the delay in replying - we're in GMT, UK

    Yes, that is the full error I get.

    Server is (or should be) a very simple, small setup for a company with fewer that 10 workstations.  It is set up to allow me VPN access from home or when travelling. 

    The only 3rd party software is ESET file server virus protection, and Sage 50 Accounts.

    Report below. ("[SERVER]" replaces real name)

    [SERVER] Warning All domains should have at least two domain controllers for redundancy Operation
    [SERVER] Warning AnnounceServer should be disabled Configuration
    [SERVER] Warning AsynchronousCredits should have the recommended value Configuration
    [SERVER] Warning AuthenticateUserSharing should be disabled Configuration
    [SERVER] Warning AutoDisconnectTimeout should have the recommended value Configuration
    [SERVER] Warning AutoShareServer should be enabled Configuration
    [SERVER] Warning AutoShareWorkstation should be enabled Configuration
    [SERVER] Warning CachedOpenLimit should have the recommended value Configuration
    [SERVER] Error DirectAccess: DirectAccess must be configured to accept client connections Configuration
    [SERVER] Error DNS: DNS servers on NIC1 should include the loopback address, but not as the first entry. Configuration
    [SERVER] Warning DNS: NIC1 should be configured to use both a preferred and an alternate DNS server Configuration
    [SERVER] Warning DNS: Root hint server 2001:500:a8::e must respond to NS queries for the root zone. Configuration
    [SERVER] Warning DurableHandleV2TimeoutInSeconds should have the recommended value Configuration
    [SERVER] Warning ForcedLogoff should be enabled Configuration
    [SERVER] Warning IrpStackSize should have the recommended value Configuration
    [SERVER] Warning KeepAliveTime should have the recommended value Configuration
    [SERVER] Warning Leasing should be enabled Configuration
    [SERVER] Warning MaxChannelPerSession should have the recommended value Configuration
    [SERVER] Warning MaxMpxCount should have the recommended value Configuration
    [SERVER] Warning MaxSessionPerConnection should have the recommended value Configuration
    [SERVER] Warning MaxThreadsPerQueue should have the recommended value Configuration
    [SERVER] Warning MaxWorkItems should have the recommended value Configuration
    [SERVER] Warning Mrxsmb20.sys should be set to start on demand Configuration
    [SERVER] Warning MultiChannel should be enabled Configuration
    [SERVER] Error Network Policy Server (NPS) should be configured as a network access server (NAS), or NPS should be configured with RADIUS clients. Configuration
    [SERVER] Warning Network Policy Server (NPS) should be configured to use more secure authentication methods. Configuration
    [SERVER] Warning OplockBreakWait should have the recommended value Configuration
    [SERVER] Warning PendingClientTimeoutInSeconds should have the recommended value Configuration
    [SERVER] Warning Previous Versions support for client computers running Windows 98 should be disabled Configuration
    [SERVER] Warning RRAS: IPv6 routing should be enabled on the RRAS server for routing protocols like DHCP Relay to run Configuration
    [SERVER] Warning RRAS: Only one certificate for IKEv2 should have IP security IKE intermediate in its EKU property Configuration
    [SERVER] Warning RRAS: The network interface NIC2 on the RRAS server should be enabled Configuration
    [SERVER] Warning RRAS: Use authentication protocols that are considered more secure than PAP, CHAP, or MS-CHAPv2 Configuration
    [SERVER] Warning ServerHidden should be enabled Configuration
    [SERVER] Warning Smb2CreditsMax should have the recommended value Configuration
    [SERVER] Warning Smb2CreditsMin should have the recommended value Configuration
    [SERVER] Warning SmbServerNameHardeningLevel should have the recommended value Configuration
    [SERVER] Warning Srv.sys should be running Configuration
    [SERVER] Warning StrictNameChecking should be enabled Configuration
    [SERVER] Warning The directory partition CN=Configuration,DC=NH26,DC=techno-vision,DC=co,DC=uk on the domain controller [SERVER].NH26.techno-vision.co.uk should have been backed up within the last 8 days Configuration
    [SERVER] Warning The directory partition CN=Schema,CN=Configuration,DC=NH26,DC=techno-vision,DC=co,DC=uk on the domain controller [SERVER].NH26.techno-vision.co.uk should have been backed up within the last 8 days Configuration
    [SERVER] Warning The directory partition DC=DomainDnsZones,DC=NH26,DC=techno-vision,DC=co,DC=uk on the domain controller [SERVER].NH26.techno-vision.co.uk should have been backed up within the last 8 days Configuration
    [SERVER] Warning The directory partition DC=ForestDnsZones,DC=NH26,DC=techno-vision,DC=co,DC=uk on the domain controller [SERVER].NH26.techno-vision.co.uk should have been backed up within the last 8 days Configuration
    [SERVER] Warning The directory partition DC=NH26,DC=techno-vision,DC=co,DC=uk on the domain controller [SERVER].NH26.techno-vision.co.uk should have been backed up within the last 8 days Configuration
    [SERVER] Warning The SMB 1.0 file sharing protocol should be enabled Configuration
    [SERVER] Warning The SMB 2.0 file sharing protocol should be enabled Configuration
    [SERVER] Warning TreatHostAsStableStorage should be disabled Configuration
    [SERVER] Warning ValidateAliasNotCircular should be enabled Configuration
    [SERVER] Warning ValidateShareScope should be enabled Configuration
    [SERVER] Warning ValidateShareScopeNotAliased should be enabled Configuration
    [SERVER] Warning ValidateTargetName should be enabled Configuration
    [SERVER] Error Web Application Proxy must be configured before it is used. Configuration

    Monday, May 29, 2017 2:53 PM
  • Your reply in good time, no rush here :) I am GMT, UK as well btw.

    Looking at your list of BPA Warnings and Errors 6 SMB warnings (as opposed to 2 in my standard server). To me ESET file server would perhaps be making the other changes as it is a file security product. Does not match BPA perhaps but you use ESET file server on this server.

    BPA imho should only be taken as advice, so what you do with that information is then down to you. I have seen that many warnings and errors on my 2016 servers and most I recognise and have seen. I only look at the errors (out of interest to me). So filter down to your errors start with them I would say. Looking at warnings in BPA is the path to madness imho :)

    The Get-SmbServerConfiguration error is seperate, perhaps caused by the network driver you have on this server that does not support something in CIM that command is looking at. Is that a Server 2016 driver for the NIC? Any update for that? (obviously changing the NIC over a VPN maybe a very bad idea especially if you do not have easy physical access to the server)


    Monday, May 29, 2017 4:24 PM
  • Many thanks again.  Just to be clear, I am working directly on the server, and occasionally with Remote Desktop from within the office when checking information. (Saves me going up and down stairs!)

    Backup overnight has at least resolved those messages.

    Something in my water suggests that, "mrxsbm20.sys should be set to start in demand" is relevant here, but I can find nothing on the 'net which specifically relates to Server 2016. And like the majority of BPA's "More information", they have not written the [bleeping] page yet!!

    Tuesday, May 30, 2017 8:41 AM
  • mrxsbm20.sys under it's Properties and Details is 'Longhorn SMB 2.0. Redirector' so related to 'The SMB 2.0 file sharing protocol should be enabled Configuration' I would say. Do not get those on my server so would think ESET File Security has turned off SMB 1 & 2 as would \ could be considered a security enhancement.
    Tuesday, May 30, 2017 6:10 PM
  • Well we did finally get a fix, but it took quite a while.  To cut to the chase, the Lanman part of the Registry was corrupt.  Microsoft (in Delhi!) had to delete that section, and replace it with one from a test system.

    It also turns out that we appear to be the first with the problem and since then there have since been a number of others.

    The clue - at least for us were the Powershell commands:

    Get-SmbClientConfiguration worked just fine.

    Get-SmbServerConfiguration did not.

    As soon as they uploaded the Registry fix, and re-booted the system, we were able to get the Get-SmbServerConfiguration to work again along with the relevant commands to amend.

    I also stated my annoyance at their Best Practices Analyser's where all too often the link: "More information about...." takes you to Windows Server Future Resources - dated August 2011.

    They have assured me that this has complaint has been escalated.


    George Bell

    • Proposed as answer by -Mr Happy- Tuesday, July 18, 2017 5:17 PM
    Tuesday, July 18, 2017 4:34 PM
  • I experienced a similar Error 1630 with Get-SmbserverConfiguration on a Windows Server 2012 R2, after I rolled out some Registry key changes to disable the SMB1 protocol. The error occurred after I followed this guide: https://support.microsoft.com/de-de/help/2696547/how-to-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and-windows "Deaktivieren des SMBv1-Servers mithilfe der Gruppenrichtlinien".

    Thanks to the post from George Bell (see above) I could hunt down the issue.

    • I deleted the key HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1 and
    • changed HKLM\SYSTEM\CurrentControlSet\services\mrxsmb10\Start from "4" to "2".

    This solved the issue. Afterwards I deinstalled the SMB1 feature via the Server Manager.




    • Edited by Tom Roida Sunday, September 10, 2017 3:48 PM
    Sunday, September 10, 2017 3:45 PM
  • So I ran into this today, root cause was when I added the GPO SMB1 = 0 setting .. I set it as String and not DWord. Once i changed it to DWORD the PS command worked fine.

    Cheers -

    Tuesday, July 10, 2018 3:12 PM