SMB Shares stop responding in Server 2008

Seach for "disable SMB signing". Disable it if you are aware of the security risk.

 

 

If older databases are accessed from the shares, this hit me lately on Win 2008,(disabling opportunistic locking).

 

http://support.microsoft.com/kb/296264

Thanks, I will look into that.

I have also found this thread on Microsoft’s TechNet:

 

Help, very frustrating problem with shares in server 08

 

There it says that Symantec Antivirus (SAV) is also a potential candidate to cause this problem.

 

During my nightmare I had removed Symantec 10.2 client, this did nothing over a 4 day period.

I also had some servers on the network behave, but the majority were crippled, server reboots kept the network up from anwhere from 2 -8 hours, average 4 hours. As soon as I disabled opportuntistic locking (and a reboot), all issues disappeared.

 

Sorry it has taken so long but I needed to get clear on some details before replying.After informing myself about SMB signing I have checked the registry of both Win 2008 servers. I found that SMB signing was disabled on both of them. Then I checked our domain controllers. There the following keys for SMB signing where enabled:

Location: HKey_Local_Machine\System\CurrentControlSet\Services\LanManServer\Parameters. 

 

EnableSecuritySignature = 1 (enabled)

RequireSecuritySignature = 1     (enabled) 

 

Next I disabled both keys using the policy setting in the domain controller security policy under “Local Policies -> Security Options”.

Microsoft Network Server : Digitally sign Communications (always)

Microsoft Network Server : Digitally sign Communications (if client agrees)

 

After applying the Policy using Gpupdate both keys changed to: 

 

EnableSecuritySignature = 0    (disabled)

RequireSecuritySignature = 0     (disabled) 

 

First up everything seemed to work fine but now a few days later I had the same issue again forcing me to manually restart the server.

 

I checked the registry keys on the domain controllers again but they have not changed.

 

You also mentioned opportunistic locking earlier. Was that only in regard to older databases or is this something that is also worth trying when the server stops responding to any SMB requests from some clients?

 

Basically it is for programs with databases. Most new database programs are aware of the issue.

It will not hurt if you disable it, performance could go down a bit on oplock aware programs, not that I ever noticed any, can be reversed easily. reboot required

 

SMB signing issues can be instigated by other server with it enabled, same with opportunistic locking. My 2008 server, with the oplocks issue affected most of the servers on the network due to long packet delays.

 

If you have managed switches, have you checked all the ports for errors? On good cables you should have few if any errors over a weeks time. 

 

picking at straws... 

Are your bios setting exactly the same on both servers?

Firmware and drivers exactly the same?

Nic advanced setting the same?

Power saving setting off on server/network interface, any wks set to sleep/hibernated? Had an MS patch

change the power settings on a number of wks, even though a group policy was in place.

 

 

Thanks, unfortunately our switches are administered by a central ITS division but I will see if I can get in contact with them.

For now I have I have uninstalled Symantec Endpoint Protection (even though it was only running the Anti-Virus component) and replaced it with a trial version of AVG as it came up again in another forum.

 

See on Petri IT Knowlegebase:

http://www.petri.co.il/forums/showthread.php?t=25791

Symantec Endpoint, devil's spawn....

 

Sorry I did not catch this, I poorly assumed you were not using Endpoint..

 9 to 1 odds this is it

 

This could definitely cause the issue... inherited a hacked network which the hacker disabled endpoint at the server (made it look like it was not installed), but played with the setting before hand just to screw up the system. End result some of the wks had issues like yours, others were fine; on this network the inability to browse on some wks machines was the major issue. Basically I was going crazy for a days trying to figure out what was wrong. The hacker's tactics were great, this gave him an extra couple days before I found the network was hacked, infested with keyloggers, via a wireless connection. For others reading this, I still use Symantec, but for now I will not go above ver 10.2, no endpoint... I do not like being a beta tester

Looks like Symantec Antivirus and 2008 don't really match! About a week ago I replaced Symantec Endpoint Protection with a trial version of AVG and everything works fine since then. Before replacing it altogether I have tried the corporate version 10.2 of the product which resulted in the same issues. Also a minimal install of EndPoint Protection (only the Anti-Virus component) did not make things any better. It seems that whatever interferes with SMB is built into the core of the product. I will have to get in contact with Symantec to find out what they know.

Using 10.2 without Endpoint I have no issues but I have tried 11 on a few servers (2008 and 2003) and gave up... like the program was released as a beta. Each time I ended up calling Symantec, with their techs on line for hours, techs were very good but the java programming terrible.

My issue with 2008 involved "Opportunistic locking" being enabled as a default, as it should, as most newer database programs benefit from it. Ran into the issue before where it affected either just a database program or at worst a server. With 2008 it affected almost all server and wks on a network, symptoms unlike past experienced.

Glad you sorted it out. I think it is time for me to pull the plug on Symantec AV....supported it for many years but recent learning experiences have been to costly.

Interestingly enough in my case it did not matter whether I used 10.2 or EndPoint. Things only got better once I have removed it altogether and replaced it with a different product.

You are right about EndPoint Protection though. This product can seriously mess up any system it gets in contact with. When I tried it, it didn't take me long to realize that the administrative effort and lost time is probably not worth spending to configure all the extra features in the product. I ended up running just the Antivirus part on the server.

Symantec has an ego issue, the company still thinks they are the alpha male of the AV industry and can get away with poor programming/beta releases. Novell and IBM  had a similar attitude in the 80's/early 90's and lost billions. 

I finally got response from Symantec. Here are the details:

 

I've finished researching into this case. You can communicate the following to the customer

1. Symantec is aware of an issue very similar to what he is experiencing on his Windows 2008 server. There is a KB article acknowledging this Title: 'Windows Server 2008 drops network shares with Symantec Endpoint Protection client Auto-Protect enabled "Document ID: 2008061812370848"
> Web URL: http://service1.symantec.com/support/ent-security.nsf/docid/2008061812370848?Open&seg=ent
2. Symantec is planning to release a new version of SEP (MR3) to address this issue. The current ETA for MR3 is around mid Sept. 2008. If there is a delay caused by unforeseeable factor(s), we will notify the customer.
3. If the customer still has SEP or SAVCE installed on his Windows 2008, he can try to disable autoprotect to see if the issue disappears. This will also help us to verify his issue is exactly the same as what has been reported in other cases.

I hope that helps those that want to/ have to stick with Symantec for one or another reason.