Subscribe
kds86
Accepted Solution

SVM error no netlogon servers after SMB change on both AD domain controllers

‎2017-05-19 07:55 AM

Labels:

In response to the recent WannaCry ransomware, I applied a change to both of our DCs (used this PS command: 

Set-SmbServerConfiguration -enableSMB1Protocol $false -confirm:$false ) in an effort to disable the vulnerable

SMB protocol. However, within minutes of making this change the NetApp sent me an urgent email stating:

 

Node: Storage-01

Severity: EMERGENCY

Message: secd.netlogon.noServers: None of the Netlogon servers configured for Vserver (SVM) are currently

accessible via the network.

 

I did not wait to see what impact this change had made on our environment, and so I immediately reversed this

changed on both DCs. 

 

I would like to know what "broke" because of this change, and then what needs to be changed on the NetApp to

make possible the disabling of the vulnerable SMB protocol on both of our DCs without it disrupting service in 

our environment.

Reply
0 Kudos
skneo

Re: SVM error no netlogon servers after SMB change on both AD domain controllers

‎2017-05-19 08:13 AM

http://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.cdot-famg-cifs%2FGUID-973C24E8-DF20-4EC8-8591-84AF9B4C902E.html

 

Enabling SMB2 connections to domain controllers

Reply
kds86

Re: SVM error no netlogon servers after SMB change on both AD domain controllers

‎2017-05-19 08:40 AM

Thanks for the quick and very helpful reply. I read the article and have only displayed the current settings so far. I noticed SMB1,2, 3 and 3.1 are enabled on the NetApp. Our two DCs show SMB 3.1 as the protocol they are using (in addition to SMB1 being enabled on them too), so I am wondering if the error that was generated when I disabled SMB1 on the two DCs essentially would have been informative only and not indicative of a complete break in connection with the DCs as it first appeared? Would the NetApp not have reverted to one of its other enabled SMB protocol versions to sustain its connection to the DCs? Would it not have "discovered" it could connect via SMB 3.1 and resumed normal operation with the DCs? If so, could I simply disable SMB1 on those DCs as before and simply ignore the alert from the NetApp?

Reply
0 Kudos
skneo

Re: SVM error no netlogon servers after SMB change on both AD domain controllers

[ Edited ]

‎2017-05-19 08:45 AM - edited ‎2017-05-19 08:53 AM

SMB1,2, 3 and 3.1 are enabled on the NetApp Controller for Clients Browse SMB Cifs this has nothing to do with the dc connection.

Dont mix client connections to storage for cifs services and netappcontroller as a client for dc connections.

Reply
0 Kudos
kds86

Re: SVM error no netlogon servers after SMB change on both AD domain controllers

‎2017-05-19 08:59 AM

Ah, thanks for pointing out the difference.

 

So, following the directions in the article, once I enable SMB2 on the NetApp, it will use SMB2 to communicate with the two DCs, right? Does enabling SMB2 on the NetApp also result in SMB1 being disabled as a protocol to use with DCs, or does it have to be explicitly disabled?

 

Last question, given the concern with this latest ransomware and SMB1, should SMB1 as it pertains to the client connections, also be disabled on the NetApp, and if so, how?

Reply
0 Kudos
skneo

Re: SVM error no netlogon servers after SMB change on both AD domain controllers

‎2017-05-19 10:10 AM

So, following the directions in the article, once I enable SMB2 on the NetApp, it will use SMB2 to communicate with the two DCs, right?

yes

 

Does enabling SMB2 on the NetApp also result in SMB1 being disabled as a protocol to use with DCs, or does it have to be explicitly disabled?

no you enable smb2 support only

 

if you show on fields after enable smb2 it is smb1-enabled-for-dc-connections = system-default and -smb2-enabled-for-dc-connections = true

 

you could but i have not try this

 

SMB2 Only

vserver cifs security modify -vserver netapp -smb1-enabled-for-dc-connections false

vserver cifs security modify -vserver netapp -smb2-enabled-for-dc-connections system-default

----

SMB1 / 2 abd 2 as default

vserver cifs security modify -vserver netapp -smb1-enabled-for-dc-connections true

vserver cifs security modify -vserver netapp -smb2-enabled-for-dc-connections system-default

 

 

Last question, given the concern with this latest ransomware and SMB1, should SMB1 as it pertains to the client connections, also be disabled on the NetApp, and if so, how?

i think netapp controllers not affected. if you sure that no old client or application need smb1 you can dissable smb1 but i think is not necessary.

Reply
MattT
NetApp

Re: SVM error no netlogon servers after SMB change on both AD domain controllers

‎2017-05-22 03:51 PM

It looks like the questions have been answered already.  I just wanted to make you aware that there is a bit of additional info on ONTAP and SMB 1.0 that can be had at the below link as long as you have a NetApp support site login.

 

https://kb.netapp.com/support/s/article/ka61A0000008a55/Is-it-possible-to-disable-SMB-1-0-in-ONTAP

 

Reply
0 Kudos
kds86

Re: SVM error no netlogon servers after SMB change on both AD domain controllers

‎2017-05-23 05:31 AM

Thanks Matt. Between this post and the latest reply to my support incident I think I have the answers I need.

 

I did try to access the link you provided but receive a message stating, "Sorry, you do not have access to NetApp's CRM (CE/PE) or Knowledge base."

I had the same problem when trying to access a link the support tech provided. In the end he simply attached a text file with the contents of the article.

 

Reply
0 Kudos