SMB 3.1.1 in Windows Server 2016
SMB in Clusters
The Cluster Operating System Rolling Upgrade feature of Windows Server 2016 allows you to upgrade clustered servers directly to Server 2016 from Windows Server 2012 R2. However, the cluster stays in Cluster Compatibility Mode (CCM) after this action and continues to use SMB 3.0.2 to communicate, even with servers based on Windows Server 2016 or workstations with Windows 10. Microsoft refers to the technology as "Cluster Dialect Fencing." If local shares are available on a cluster node, Windows Server 2016 uses SMB 3.1.1 for them, even if CCM is active for the cluster. Shares on the cluster itself, for example, over a Scale-Out File Server (SOFS), are still handled with SMB 3.0.2 in this case. Once you start using Windows Server 2016 mode, the SOFS also uses the new SMB 3.1.1.
For the cluster to use the new SMB 3.1.1 protocol, all the cluster nodes must be operated on the basis of Windows Server 2016. Compatibility mode is then disabled. As long as the cluster is in compatibility mode with Windows Server 2012 R2, file shares are integrated with the cluster using SMB 3.0.2 (e.g., for a SOFS). Only after the migration does the cluster change to Windows Server 2016 mode. You can check the cluster version as follows:
> Get-Cluster | Select ClusterFunctionalLevel
Additionally, SMB 3.1.1 supports improved failover behavior between cluster nodes when deployed on clustered file servers. In doing so, Windows Server 2016 takes into account the user and server SMB sessions and keeps them when virtual file servers are moved between cluster nodes.
Managing SMB Access to Nano Server
SMB access is not active by default on Nano Server. Although Nano Server also uses SMB 3.1.1, all access is blocked until you allow it. You can use Nano Server to access shares via the network and access the C$ share to copy files to the server. This is particularly important if you subsequently want to join a domain with the server or use it for exchanging data.
For successful access, you must enable the File and Printer Sharing firewall rule for SMB access in the Nano Server Recovery Console. To do so, press the F4 key. You can then configure the domain entry for Nano Server.
Locating and Disabling SMB 1.0
Because Windows Server 2003 and Windows XP are no longer officially supported, there is no reason to use SMB 1.0 on the network. However, Windows Server 2016 still has an option for doing so. If you no longer want SMB 1.0 to be used, you can remove its functions from Windows Server 2016; computers with Windows Server 2003 and Windows XP would then no longer be able to connect to the server via SMB. Because these connections can be hijacked quite easily, removing the protocol increases security. To use PowerShell to remove SMB 1.0 from Windows Server 2016, enter:
> Remove-WindowsFeature FS-SMB1
Windows Server 2016 lets you monitor whether clients still attempt to use SMB 1.0 to access the server. In this case, the server switches to the insecure SMB 1.0 mode for the connection. You can enable monitoring in Windows Server 2016 with PowerShell as follows:
> Set-SmbServerConfiguration -AuditSmb1Access $true
Finally, entering
> Get-WinEvent -LogName Microsoft-Windows-SMBServer/Audit
lets you discover whether any clients are still running Windows Server 2003 or Windows XP on the network.
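One way to turn the audit log into a per-client list before removing FS-SMB1 (an added example, not part of the original article). It assumes that SMB 1.0 access is recorded as event ID 3000 with a "Client Address:" line in the message text; the function name Get-Smb1ClientSummary and the sample records are constructed for illustration.

```powershell
# Added example. Assumption: SMB1 access is logged as event ID 3000 and the
# message contains a "Client Address: <address>" line.
function Get-Smb1ClientSummary {
    [CmdletBinding()]
    param(
        # Objects exposing TimeCreated and Message (Get-WinEvent output or test data)
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject[]]$AuditEvent
    )
    begin { $hits = [System.Collections.Generic.List[object]]::new() }
    process {
        foreach ($e in $AuditEvent) {
            # Skip records without a client address instead of failing on them
            if ($e.Message -match 'Client Address:\s*(?<addr>\S+)') {
                $hits.Add([pscustomobject]@{ Client = $Matches['addr']; Time = $e.TimeCreated })
            }
        }
    }
    end {
        # One row per client: how often it used SMB1 and over which time span
        $hits | Group-Object Client | ForEach-Object {
            $times = @($_.Group.Time | Sort-Object)
            [pscustomobject]@{
                Client    = $_.Name
                Attempts  = $_.Count
                FirstSeen = $times[0]
                LastSeen  = $times[-1]
            }
        } | Sort-Object Attempts -Descending
    }
}

# Constructed sample records (documentation-range addresses), usable offline
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2017-03-01T08:15:00'; Message = "SMB1 access`n`nClient Address: 192.0.2.10" }
    [pscustomobject]@{ TimeCreated = [datetime]'2017-03-01T09:40:00'; Message = "SMB1 access`n`nClient Address: 192.0.2.23" }
    [pscustomobject]@{ TimeCreated = [datetime]'2017-03-02T07:55:00'; Message = "SMB1 access`n`nClient Address: 192.0.2.10" }
)
$sample | Get-Smb1ClientSummary

# On the file server, once auditing has run for a representative period.
# Get-WinEvent raises an error when no event matches, which here means that
# no SMB 1.0 client was seen, so the error is suppressed:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } `
#     -ErrorAction SilentlyContinue | Get-Smb1ClientSummary
```

Each address in the result is a client to migrate or investigate before SMB 1.0 is removed from the server.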