Sharing problems Windows server 2016, SMB?

Question

question

CristianKarlsson-0763 asked Apr 6, '21 CristianKarlsson-0763 commented Apr 7, '21

Sharing problems Windows server 2016, SMB?

I'm having problems with my clients SMB share ever since a power outage, even though it's connected to UPS and never shut off.

We are running this server as a Hyper-V host for 4 virtual servers, all of which are backed up to a Netgear ReadyNAS 2120.

I can browse to the NAS interface

I can ping the NAS using both IP and hostname.

But I can't access it trough file explorer and therefore Veeam can't access the backup repository.

I can't access other SMB shares on the fileserver or even the fileserver.

All other servers are working fine, they can access all shares, the NAS and the other servers.

The other servers can access the Hyper-V host.

I've uninstalled SMB1 feature and reinstalled it.

Tried turning off the firewall.

Tried editing the SMB in regedit.

Tried every suggestion Google can provide.

I still feel like it's a SMB issue I'm not able to find.

I'm grateful for any and all suggestions!

windows-server-2016

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Answer 1 · 2021-04-06T20:08:14.653Z

GaryNebbett answered Apr 6, '21 CristianKarlsson-0763 commented Apr 7, '21

Hello @CristianKarlsson-0763,

Considering the potential implications of the STATUS_NOINTERFACE error, I would suggest changing the "start" trace commands to this:

 New-NetEventSession -LocalFilePath ([System.IO.Path]::GetFullPath("why.etl")) -Name NoSMB
 Add-NetEventPacketCaptureProvider -Level 255 -SessionName NoSMB
 Add-NetEventProvider -Name "Microsoft-Windows-SMBClient" -Level 255 -SessionName NoSMB
 Add-NetEventProvider -Name "Microsoft-Windows-DNS-Client" -Level 255 -SessionName NoSMB
 Start-NetEventSession -Name NoSMB
 Add-EtwTraceProvider -Guid {F818EBB3-FBC4-4191-96D6-4E5C37C8A237} -MatchAny 0xFFFFFFFFFFFFFFF -Level 255 -SessionName  NoSMB
 Add-EtwTraceProvider -Guid {E4AD554C-63B2-441B-9F86-FE66D8084963} -MatchAny 0xFFFFFFFFFFFFFFF -Level 255 -SessionName NoSMB

This adds the MRxSMB and MRxSMB20 WPP ETW providers. I believe that mrxsmb.sys handles the WSK requirements of the SMB driver; adding mrxsmb20.sys tracing might add some more context to the trace data.

There is no need to change the "stop" trace commands.

Gary

· 5

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

CristianKarlsson-0763 · Apr 07, 2021 at 07:20 AM

I can start a NetEventSession but then fail with the rest of the cmdlets.

At line:1 char:1
+ Add-NetEventPacketCaptureProvider -Level 255 -SessionName NoSMB
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (MSFT_NetEventPacketCaptureProvider:root/StandardCi...CaptureProvider)
[Add-NetEventPacketCaptureProvider], CimException
+ FullyQualifiedErrorId : MI RESULT 4,Add-NetEventPacketCaptureProvider

Same for NetEventProvider

0 ·

GaryNebbett CristianKarlsson-0763 · Apr 07, 2021 at 07:36 AM

Hello @CristianKarlsson-0763,

OK, let's try a different method and a slightly different set of providers. Create a file (named, for example, "providers.lst") and save these five lines in it:

 Microsoft-Windows-SMBClient
 Microsoft-Windows-DNS-Client
 Microsoft-Windows-TCPIP
 {F818EBB3-FBC4-4191-96D6-4E5C37C8A237} 0xFFFFFFFFFFFF 255 # mrxsmb
 {E4AD554C-63B2-441B-9F86-FE66D8084963} 0xFFFFFFFFFFFF 255 # mrxsmb20

The command to start this trace is:

logman start nosmb -ets -pf providers.lst -o why.etl

As before, logman stop nosmb -ets stops the trace.

Gary

0 ·

CristianKarlsson-0763 GaryNebbett · Apr 07, 2021 at 09:07 AM

Thanks alot Gary, I really appreciate your assistance in this!

Here's a link to the why2.etl

https://goprofessionalswedenab-my.sharepoint.com/:u:/g/personal/cristian_goprofessional_se/Ea7RW3kEaGtIiszJ8Ae58AUBuIk7A0IXmx3UxNaDIhQ0aQ?e=cZPUac

0 ·

Show more comments

Answer 2 · 2021-04-06T12:41:25.373Z

GaryNebbett answered Apr 6, '21 GaryNebbett commented Apr 6, '21

Hello @CristianKarlsson-0763,

The first thing that I would do is to use Event Tracing for Windows (ETW) to trace the Microsoft-Windows-SMBClient provider. It may be that your problem happens before this provider has anything useful to report, but that would at least help to divide the search space for the problem cause.

One way of creating a trace is to use the logman command. Start a trace with the command:

logman start nosmb -ets -p Microsoft-Windows-SMBClient -o why.etl

Then reproduce the problem and finally stop the trace with the command:

logman stop nosmb -ets

You can then either analyze the trace file (why.etl) yourself or make it available here via a URL to OneDrive, Google Drive, etc..

Gary

· 3

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

CristianKarlsson-0763 · Apr 06, 2021 at 01:20 PM

Thanks Gary!

I've created a trace, but I can't quite understand it so here it is:

https://goprofessionalswedenab-my.sharepoint.com/:u:/g/personal/cristian_goprofessional_se/ERQleeg0Je9KpCPI6SaPpLwByL9dZOQcJDAbaiY0NPeeWg?e=flHEcG

0 ·

GaryNebbett CristianKarlsson-0763 · Apr 06, 2021 at 01:34 PM

Hello @CristianKarlsson-0763,

Here is an image of the content of the trace:

It is a bit confusing: two messages about being unable to resolve a name within a few microseconds of each other, one of the names being an IP address!

Let's see what results the tests suggested by @MotoX80 produce...

Gary

0 ·

image.png (151.1 KiB)

GaryNebbett GaryNebbett · Apr 06, 2021 at 07:01 PM

Hello @CristianKarlsson-0763,

There is perhaps a useful hint in this trace and it may be consistent with your description of how the problem arose.

The status code in the initial failure is 3221226169 = 0xC00002B9 = STATUS_NOINTERFACE. I noticed this earlier but did not give it much thought. Having just research the status code STATUS_NOINTERFACE, it seems to be much more specialized than I thought. here is a short extract from some Microsoft documentation:

When a WskCaptureProviderNPI call fails with status code STATUS_NOINTERFACE, the WSK application can use a call to WskQueryProviderCharacteristics to query the range of WSK NPI versions supported by the WSK subsystem.

This might be hinting that the SMB driver is having difficulty using WSK (Winsock Kernel) for any network task, including name resolution, because it failed to register as a client.

This is outside of my experience, but I will continue to research as much as possible.

Gary

0 ·

Answer 3 · 2021-04-06T13:29:22.23Z

MotoX80 answered Apr 6, '21 CristianKarlsson-0763 commented Apr 6, '21

I'd start with testing connectivity to a Windows server. In Powershell run:

 Test-NetConnection -ComputerName xxxxxx -CommonTCPPort SMB
 net.exe view \\xxxxxx

Are you able to connect? Do you see the share names? What error message do you get?

Did you check the security eventlog to look for logon errors? Are your Active Directory domain controllers alive and well?

nltest.exe /server:xxxxxx /SC_QUERY:YourDomainName

Maybe try other nltest commands to verify that AD authentication is working.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731935(v=ws.11)

· 3

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

CristianKarlsson-0763 · Apr 06, 2021 at 02:17 PM

Thanks Moto!

I ran the test you suggested and also a Dcdiag where it failed a DNS test.
Here are all the results:

Test-connection
ComputerName : dc1
RemoteAddress : 192.168.0.15
RemotePort : 445
InterfaceAlias : Lan Port 1 Svart
SourceAddress : 192.168.0.3
TcpTestSucceeded : True

net.exe view
system error 53
The network path was not found

SC_QUERY
Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \\DC1.xxx.xxx
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

SC_VERIFY
Flags: b0 HAS_IP HAS_TIMESERV
Trusted DC Name \\DC1.xxx.xxx
Trusted DC Connection Status Status = 0 0x0 NERR_Success
Trust Verification Status = 0 0x0 NERR_Success
The command completed successfully

Dcdiag
TEST: Delegations (Del)
Error: DNS server: dc01.xxx.xxx. IP:<Unavailable> [Missing glue A record]

also: I cannot see any share names - network path not found, no errors in eventlog.

0 ·

GaryNebbett CristianKarlsson-0763 · Apr 06, 2021 at 02:40 PM

Hello @CristianKarlsson-0763,

In the Microsoft-Windows-SMBClient test, the name KDBNAS and the IP address 192.168.0.7 appear. What name/address did you use when creating the trace - the name or the address?

Can you repeat the Test-NetConnection -ComputerName xxxxxx -CommonTCPPort SMB using the same name/address that you used in the Microsoft-Windows-SMBClient test in place of xxxxxx?

Gary

0 ·

CristianKarlsson-0763 GaryNebbett · Apr 06, 2021 at 02:50 PM

Yes I used that address to test the connection for the trace, i tested with a DC because Moto asked me to test connectivity to a Windows server.

When I run the command using the same name as I did with the trace I get this output:
ComputerName : kbdnas
RemoteAddress : 192.168.0.7
RemotePort : 445
InterfaceAlias : Lan Port 1 Svart
SourceAddress : 192.168.0.3
TcpTestSucceeded : True

0 ·

Answer 4 · 2021-04-06T14:34:07.3Z

DSPatrick answered Apr 6, '21 CristianKarlsson-0763 commented Apr 7, '21

Please run;

Dcdiag /v /c /d /e /s:%computername% >c:\dcdiag.log
repadmin /showrepl >C:\repl.txt
ipconfig /all > C:\dc1.txt
ipconfig /all > C:\dc2.txt
ipconfig /all > C:\problemworkstation.txt

then put unzipped text files up on [OneDrive][1] and share a link.

· 3

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

CristianKarlsson-0763 · Apr 06, 2021 at 03:16 PM

It's a bit confusing that DC2 is named DC03, we recently aquired this customer and sorting all that out is going to be my headache after fixing this backup issue.

The files are here:
https://goprofessionalswedenab-my.sharepoint.com/:f:/g/personal/cristian_goprofessional_se/EgFWXCcRwG9Nie2XAv9i1rsB89YIXk7D8S6wYd_RBl6mDQ?e=RQcdVz

0 ·

DSPatrick CristianKarlsson-0763 · Apr 06, 2021 at 03:29 PM

On DC1 add own static ip address (192.168.0.15) listed for DNS then do ipconfig /flushdns, ipconfig /registerdns, restart the netlogon
service

On DC03 add own static ip address (192.168.0.10) listed for DNS then do ipconfig /flushdns, ipconfig /registerdns, restart the netlogon
service

I'd work through the event logs on each and correct any errors found. I didn't bother translating them because here they're logged without the source and event IDs

At some point I'd recommend migrating sysvol replication from older FRS technology to DFSR
https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Streamlined-Migration-of-FRS-to-DFSR-SYSVOL/ba-p/425405

--please don't forget to Accept as answer if the reply is helpful--

0 ·

CristianKarlsson-0763 DSPatrick · Apr 07, 2021 at 07:25 AM

I took the above steps on both DCs, nothing in the eventlogs.

But I guess you refer to the errors in the dcdiaglog? I have my work cut out for me there :)

The sysvol replication migration will be done when adding a new DC and demoting the DC03, but I want a functioning backup before I dare proceed with the rest of the decluttering of this domain.

0 ·

Answer 5 · 2021-04-06T14:54:19.137Z

MotoX80 answered Apr 6, '21 CristianKarlsson-0763 commented Apr 6, '21

Hmmm, DNS errors in the etl trace and dcdiag.... But Test-Netconnection was able to resolve dc1.

Random thoughts: What device is not on the UPS and got rebooted when you lost power and might impact networking? Is DC1 your DNS server? Are you using fixed IP addresses or DHCP? Does NSLOOKUP resolve names correctly? You shouldn't have to uninstall/reinstall anything to recover from a power outage. Have you just rebooted any (all?) of the machines? Did you check the security/system eventlogs?

Sorry for the odd set of thoughts, just trying to figure out where I'd look next.

· 1

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

CristianKarlsson-0763 · Apr 06, 2021 at 03:22 PM

At this point I welcome all thoughts! They are sure to be better than mine :)

All devices were connected to the UPS, so none should have been affected in theory.
DC1 is the DNS, yes.
Static IPs on all servers and NAS
NSLOOKUP resolves correctly, I asked both DC
I've rebooted the problem server and the NAS, neither of the DC
Nothing in the logs

0 ·

Answer 6 · 2021-04-06T15:53:03.383Z

GaryNebbett answered Apr 6, '21

Hello @CristianKarlsson-0763,

Can you make another trace, this time incorporating two more providers? We will need to use a different technique, since one of the providers needs to be started in a special way.

In a PowerShell windows, first issue the five commands:

 New-NetEventSession -LocalFilePath ([System.IO.Path]::GetFullPath("why.etl")) -Name NoSMB
 Add-NetEventPacketCaptureProvider -Level 255 -SessionName NoSMB
 Add-NetEventProvider -Name "Microsoft-Windows-SMBClient" -Level 255 -SessionName NoSMB
 Add-NetEventProvider -Name "Microsoft-Windows-DNS-Client" -Level 255 -SessionName NoSMB
 Start-NetEventSession -Name NoSMB

Now reproduce the problem and, afterwards, issue the two commands:

 Stop-NetEventSession -Name NoSMB
 Remove-NetEventSession

The resulting why.etl file can be shared, as before.

The NetEventPacketCaptureProvider provider (Microsoft-Windows-NDIS-PacketCapture) can generate a lot of trace data, so the trace should be kept as short (in time) as possible.

Gary

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Answer 7 · 2021-04-07T06:57:15.383Z

SunnyQi-MSFT answered Apr 7, '21

Hi,

Thanks for posting in Q&A platform.

Please try the following method:

Open local group policy editor, change the "Restrict NTLM: Outgoing NTLM traffic to remote servers" settings to "Allow all". The path in the local Group Policy Editor is:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers

If the issue still cannot be resolve, please understand analyze the ETL trace is beyond our forum support level, I would suggest you could contact Microsoft technical support for more deeper investigation of the ETL trace results.

Also, in this way, they can have a clear picture about your issue and your environment by phone communication and live share session.
You may find phone number for your region accordingly from the link below:
https://support.microsoft.com/en-us/gp/customer-service-phone-numbers

Best Regards,
Sunny

If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

image-2.png (104.5 KiB)

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

question