Forum Discussion
Bernard_Buyle06
Jan 25, 2022 - Copper Contributor
Migrate a production environment from SMBv1 to SMBv2/v3
Hi everyone, I would like to get your help and advice in order to migrate successfully my production environment from SMBv1 to SMBv2/v3. In test, I'm able to implement this change but in production ...
Manoj94
Feb 03, 2022 - Copper Contributor
Hi Bernard,
It’s always best to go with the phase-wise approach by scoping a few servers from each site in the GPO which disables outdated protocols.
For example, if we have 10 sites and each site has got 5 servers, then we can scope at least 3 servers in the GPO which disables the vulnerable protocol; this way we will have the other 2 servers to serve the requests in case anything breaks.
In my experience, even after following this approach I ran into issues with printers and file servers.
Hence I would suggest you list all the print servers and file servers so you can quickly turn these protocols back on if anyone raises complaints.
Keep the rollback plan ready and share it with the concerned technical teams for a quick fix.
The most important lesson I learnt from this migration is:
In my case I used GPO preferences to delete registries on servers as a rollback plan, but I realised that the quick workaround (in critical sites) to bring back the service would be to log in locally on the server or use PowerShell to delete the registries real quick before the GPO deletes them.
If you are using GP preferences for creation or deletion of registries, take special care of the GPO tattooing issue to avoid delays in rollback in case anything breaks.
Regards,
Manoj
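Added example (not part of Manoj94's post and not his actual scripts): a PowerShell sketch of the phased scoping and the direct registry rollback described above. The server names and both function names are hypothetical, and it assumes the GPO preference disables SMBv1 by writing `SMB1 = 0` under the LanmanServer `Parameters` key.

```powershell
# Constructed inventory (hypothetical names): 2 sites with 5 servers each.
$inventory = foreach ($site in 'SiteA', 'SiteB') {
    1..5 | ForEach-Object {
        [pscustomobject]@{ Site = $site; Server = "$site-SRV0$_" }
    }
}

function Get-Smb1PhaseScope {
    # Per site, return the servers to place in the scope of the disabling GPO,
    # always leaving at least $KeepUntouched servers outside it as a fallback.
    param([object[]]$Inventory, [int]$PerSite = 3, [int]$KeepUntouched = 2)
    foreach ($group in ($Inventory | Group-Object Site)) {
        $take = [Math]::Min($PerSite, $group.Count - $KeepUntouched)
        if ($take -gt 0) {
            $group.Group | Sort-Object Server | Select-Object -First $take
        } else {
            Write-Warning "$($group.Name): too few servers to keep a fallback, skipped"
        }
    }
}

function Restore-Smb1Server {
    # Rollback without waiting for a Group Policy refresh: remove the value
    # on the listed servers directly over PowerShell remoting.
    # Assumption: the GPO preference created SMB1 = 0 under this key.
    param([Parameter(Mandatory)][string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Remove-ItemProperty -Path $key -Name 'SMB1' -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Server           = $env:COMPUTERNAME
            Smb1ValuePresent = $null -ne (Get-ItemProperty -Path $key).SMB1
        }
    }
}

# Phase 1 scope: 3 servers per site, 2 left untouched per site.
$phase1 = Get-Smb1PhaseScope -Inventory $inventory
$phase1 | Format-Table Site, Server

# Run only when rolling back a server that broke:
# Restore-Smb1Server -ComputerName 'SiteA-SRV01'
```

A server rolled back this way also has to be taken out of the GPO's scope, otherwise the preference item writes the value again at the next policy refresh.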
Bernard_Buyle06
Feb 14, 2022 - Copper Contributor
Hello Manoj94,
Thank you for taking the time to update my topic.
My environment doesn't have printers and file servers. That leaves me with basically 2 questions:
=> Can we include domain controllers as file servers if they only manage users/groups/computers and GPOs? In conclusion, can my domain communication be impacted?
=> My servers communicate principally through sftp/ssh or https/https; can these protocols be impacted too if I disable SMBv1 and enable the requiresigning feature?
Thank you very much in advance for your support !