Sharing problems Windows server 2016, SMB?

Cristian Karlsson 21

I'm having problems with my clients SMB share ever since a power outage, even though it's connected to UPS and never shut off.

We are running this server as a Hyper-V host for 4 virtual servers, all of which are backed up to a Netgear ReadyNAS 2120.

I can browse to the NAS interface

I can ping the NAS using both IP and hostname.

But I can't access it trough file explorer and therefore Veeam can't access the backup repository.

I can't access other SMB shares on the fileserver or even the fileserver.

All other servers are working fine, they can access all shares, the NAS and the other servers.

The other servers can access the Hyper-V host.

I've uninstalled SMB1 feature and reinstalled it.

Tried turning off the firewall.

Tried editing the SMB in regedit.

Tried every suggestion Google can provide.

I still feel like it's a SMB issue I'm not able to find.

I'm grateful for any and all suggestions!

Accepted answer

Gary Nebbett 5,721 Reputation points

2021-04-06T20:08:14.653+00:00
Hello @Cristian Karlsson ,

Considering the potential implications of the STATUS_NOINTERFACE error, I would suggest changing the "start" trace commands to this:

New-NetEventSession -LocalFilePath ([System.IO.Path]::GetFullPath("why.etl")) -Name NoSMB Add-NetEventPacketCaptureProvider -Level 255 -SessionName NoSMB Add-NetEventProvider -Name "Microsoft-Windows-SMBClient" -Level 255 -SessionName NoSMB Add-NetEventProvider -Name "Microsoft-Windows-DNS-Client" -Level 255 -SessionName NoSMB Start-NetEventSession -Name NoSMB Add-EtwTraceProvider -Guid {F818EBB3-FBC4-4191-96D6-4E5C37C8A237} -MatchAny 0xFFFFFFFFFFFFFFF -Level 255 -SessionName NoSMB Add-EtwTraceProvider -Guid {E4AD554C-63B2-441B-9F86-FE66D8084963} -MatchAny 0xFFFFFFFFFFFFFFF -Level 255 -SessionName NoSMB

This adds the MRxSMB and MRxSMB20 WPP ETW providers. I believe that mrxsmb.sys handles the WSK requirements of the SMB driver; adding mrxsmb20.sys tracing might add some more context to the trace data.

There is no need to change the "stop" trace commands.

Gary
Please sign in to rate this answer.
Cristian Karlsson 21 Reputation points

2021-04-07T07:20:44.777+00:00

I can start a NetEventSession but then fail with the rest of the cmdlets.

At line:1 char:1

Add-NetEventPacketCaptureProvider -Level 255 -SessionName NoSMB

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

CategoryInfo : InvalidArgument: (MSFT_NetEventPacketCaptureProvider:root/StandardCi...CaptureProvider)
[Add-NetEventPacketCaptureProvider], CimException

FullyQualifiedErrorId : MI RESULT 4,Add-NetEventPacketCaptureProvider

Same for NetEventProvider

Gary Nebbett 5,721 Reputation points

2021-04-07T07:36:25.513+00:00

Hello @Cristian Karlsson ,

OK, let's try a different method and a slightly different set of providers. Create a file (named, for example, "providers.lst") and save these five lines in it:

Microsoft-Windows-SMBClient Microsoft-Windows-DNS-Client Microsoft-Windows-TCPIP {F818EBB3-FBC4-4191-96D6-4E5C37C8A237} 0xFFFFFFFFFFFF 255 # mrxsmb {E4AD554C-63B2-441B-9F86-FE66D8084963} 0xFFFFFFFFFFFF 255 # mrxsmb20

The command to start this trace is:

logman start nosmb -ets -pf providers.lst -o why.etl

As before, logman stop nosmb -ets stops the trace.

Gary

Cristian Karlsson 21 Reputation points

2021-04-07T09:07:44.127+00:00

Thanks alot Gary, I really appreciate your assistance in this!

Here's a link to the why2.etl

https://goprofessionalswedenab-my.sharepoint.com/:u:/g/personal/cristian_goprofessional_se/Ea7RW3kEaGtIiszJ8Ae58AUBuIk7A0IXmx3UxNaDIhQ0aQ?e=cZPUac

Gary Nebbett 5,721 Reputation points

2021-04-07T11:14:25.51+00:00

Hello @Cristian Karlsson ,

There were no useful new hints in the trace - just confirmation that the first relevant event is a report of the STATUS_NOINTERFACE error code. I suspect that the interesting events (and the cause of the problem) happens when the SMB drivers start (and fail to register with WSK) and not when we try to use SMB.

When you looked in the Event Viewer, did you check for unusual events following a system restart (when the SMB drivers are loaded)? It might be worth checking the System and Application logs again and the SMBClient logs in the "Applications and Services Logs" branch (if present in Windows Server 2016).

Gary

Cristian Karlsson 21 Reputation points

2021-04-07T12:56:25.277+00:00

SOLVED!

This pointed me in the right direction. Under SMBClient/connectivity logs I found alot of errors with ID 30800.
I started going through ways to solve this and found that the service "TCP/IP NetBIOS Helper" had somehow been disabled. I started the services and everything works as supposed.

Thank you so much Gary and everyone else that helped!
Sign in to comment

6 additional answers

Gary Nebbett 5,721 Reputation points

2021-04-06T12:41:25.373+00:00

Hello @Cristian Karlsson ,

The first thing that I would do is to use Event Tracing for Windows (ETW) to trace the Microsoft-Windows-SMBClient provider. It may be that your problem happens before this provider has anything useful to report, but that would at least help to divide the search space for the problem cause.

One way of creating a trace is to use the logman command. Start a trace with the command:

logman start nosmb -ets -p Microsoft-Windows-SMBClient -o why.etl

Then reproduce the problem and finally stop the trace with the command:

logman stop nosmb -ets

You can then either analyze the trace file (why.etl) yourself or make it available here via a URL to OneDrive, Google Drive, etc..

Gary
Please sign in to rate this answer.
Cristian Karlsson 21 Reputation points

2021-04-06T13:20:41.607+00:00

Thanks Gary!

I've created a trace, but I can't quite understand it so here it is:

https://goprofessionalswedenab-my.sharepoint.com/:u:/g/personal/cristian_goprofessional_se/ERQleeg0Je9KpCPI6SaPpLwByL9dZOQcJDAbaiY0NPeeWg?e=flHEcG

Gary Nebbett 5,721 Reputation points

2021-04-06T13:34:56.717+00:00

Hello @Cristian Karlsson ,

Here is an image of the content of the trace:

It is a bit confusing: two messages about being unable to resolve a name within a few microseconds of each other, one of the names being an IP address!

Let's see what results the tests suggested by @MotoX80 produce...

Gary

Gary Nebbett 5,721 Reputation points

2021-04-06T19:01:20.86+00:00

Hello @Cristian Karlsson ,

There is perhaps a useful hint in this trace and it may be consistent with your description of how the problem arose.

The status code in the initial failure is 3221226169 = 0xC00002B9 = STATUS_NOINTERFACE. I noticed this earlier but did not give it much thought. Having just research the status code STATUS_NOINTERFACE, it seems to be much more specialized than I thought. here is a short extract from some Microsoft documentation:

When a WskCaptureProviderNPI call fails with status code STATUS_NOINTERFACE, the WSK application can use a call to WskQueryProviderCharacteristics to query the range of WSK NPI versions supported by the WSK subsystem.

This might be hinting that the SMB driver is having difficulty using WSK (Winsock Kernel) for any network task, including name resolution, because it failed to register as a client.

This is outside of my experience, but I will continue to research as much as possible.

Gary
Sign in to comment
MotoX80 32,076 Reputation points

2021-04-06T13:29:22.23+00:00
I'd start with testing connectivity to a Windows server. In Powershell run:

Test-NetConnection -ComputerName xxxxxx -CommonTCPPort SMB net.exe view \\xxxxxx

Are you able to connect? Do you see the share names? What error message do you get?

Did you check the security eventlog to look for logon errors? Are your Active Directory domain controllers alive and well?

nltest.exe /server:xxxxxx /SC_QUERY:YourDomainName

Maybe try other nltest commands to verify that AD authentication is working.

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731935(v=ws.11)
Please sign in to rate this answer.
Cristian Karlsson 21 Reputation points

2021-04-06T14:17:22.46+00:00

Thanks Moto!

I ran the test you suggested and also a Dcdiag where it failed a DNS test.
Here are all the results:

Test-connection
ComputerName : dc1
RemoteAddress : 192.168.0.15
RemotePort : 445
InterfaceAlias : Lan Port 1 Svart
SourceAddress : 192.168.0.3
TcpTestSucceeded : True

net.exe view
system error 53
The network path was not found

SC_QUERY
Flags: 30 HAS_IP HAS_TIMESERV
Trusted DC Name \DC1.xxx.xxx
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

SC_VERIFY
Flags: b0 HAS_IP HAS_TIMESERV
Trusted DC Name \DC1.xxx.xxx
Trusted DC Connection Status Status = 0 0x0 NERR_Success
Trust Verification Status = 0 0x0 NERR_Success
The command completed successfully

Dcdiag
TEST: Delegations (Del)
Error: DNS server: dc01.xxx.xxx. IP:<Unavailable> [Missing glue A record]

also: I cannot see any share names - network path not found, no errors in eventlog.

Gary Nebbett 5,721 Reputation points

2021-04-06T14:40:31.717+00:00

Hello @Cristian Karlsson ,

In the Microsoft-Windows-SMBClient test, the name KDBNAS and the IP address 192.168.0.7 appear. What name/address did you use when creating the trace - the name or the address?

Can you repeat the Test-NetConnection -ComputerName xxxxxx -CommonTCPPort SMB using the same name/address that you used in the Microsoft-Windows-SMBClient test in place of xxxxxx?

Gary

Cristian Karlsson 21 Reputation points

2021-04-06T14:50:39.383+00:00

Yes I used that address to test the connection for the trace, i tested with a DC because Moto asked me to test connectivity to a Windows server.

When I run the command using the same name as I did with the trace I get this output:
ComputerName : kbdnas
RemoteAddress : 192.168.0.7
RemotePort : 445
InterfaceAlias : Lan Port 1 Svart
SourceAddress : 192.168.0.3
TcpTestSucceeded : True
Sign in to comment
Dave Patrick 426.1K Reputation points MVP

2021-04-06T14:34:07.3+00:00

Please run;

Dcdiag /v /c /d /e /s:%computername% >c:\dcdiag.log
repadmin /showrepl >C:\repl.txt
ipconfig /all > C:\dc1.txt
ipconfig /all > C:\dc2.txt
ipconfig /all > C:\problemworkstation.txt

then put unzipped text files up on [OneDrive][1] and share a link.
Please sign in to rate this answer.
Cristian Karlsson 21 Reputation points

2021-04-06T15:16:34.407+00:00

It's a bit confusing that DC2 is named DC03, we recently aquired this customer and sorting all that out is going to be my headache after fixing this backup issue.

The files are here:
https://goprofessionalswedenab-my.sharepoint.com/:f:/g/personal/cristian_goprofessional_se/EgFWXCcRwG9Nie2XAv9i1rsB89YIXk7D8S6wYd_RBl6mDQ?e=RQcdVz

Dave Patrick 426.1K Reputation points MVP

2021-04-06T15:29:30.58+00:00

On DC1 add own static ip address (192.168.0.15) listed for DNS then do ipconfig /flushdns, ipconfig /registerdns, restart the netlogon
service

On DC03 add own static ip address (192.168.0.10) listed for DNS then do ipconfig /flushdns, ipconfig /registerdns, restart the netlogon
service

I'd work through the event logs on each and correct any errors found. I didn't bother translating them because here they're logged without the source and event IDs

At some point I'd recommend migrating sysvol replication from older FRS technology to DFSR
https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Streamlined-Migration-of-FRS-to-DFSR-SYSVOL/ba-p/425405

--please don't forget to Accept as answer if the reply is helpful--

Cristian Karlsson 21 Reputation points

2021-04-07T07:25:28.067+00:00

I took the above steps on both DCs, nothing in the eventlogs.

But I guess you refer to the errors in the dcdiaglog? I have my work cut out for me there :)

The sysvol replication migration will be done when adding a new DC and demoting the DC03, but I want a functioning backup before I dare proceed with the rest of the decluttering of this domain.
Sign in to comment
MotoX80 32,076 Reputation points

2021-04-06T14:54:19.137+00:00

Hmmm, DNS errors in the etl trace and dcdiag.... But Test-Netconnection was able to resolve dc1.

Random thoughts: What device is not on the UPS and got rebooted when you lost power and might impact networking? Is DC1 your DNS server? Are you using fixed IP addresses or DHCP? Does NSLOOKUP resolve names correctly? You shouldn't have to uninstall/reinstall anything to recover from a power outage. Have you just rebooted any (all?) of the machines? Did you check the security/system eventlogs?

Sorry for the odd set of thoughts, just trying to figure out where I'd look next.
Please sign in to rate this answer.
Cristian Karlsson 21 Reputation points

2021-04-06T15:22:24.217+00:00

At this point I welcome all thoughts! They are sure to be better than mine :)

All devices were connected to the UPS, so none should have been affected in theory.
DC1 is the DNS, yes.
Static IPs on all servers and NAS
NSLOOKUP resolves correctly, I asked both DC
I've rebooted the problem server and the NAS, neither of the DC
Nothing in the logs
Sign in to comment