Thursday, March 31, 2005

Using Active Directory Group Policy to Deploy SmbDeviceEnabled Registry Setting

I deployed a pair of firewall appliances onto our network using Network Address Translation (NAT). Soon after that, users started to report that they encountered intermittent network problems, e.g. corrupted Word documents, garbage data in files on the file server, XP machines receiving a "Write Delay Error" warning, and a corrupted Visual SourceSafe database.

One thing in common is that the problems are all found when the connection is using Server Message Block (SMB) protocol.

It turns out there is a known problem with the SMB protocol running across NAT. Refer to Microsoft KB article 301673 for more detail. The workaround is to change a registry setting so that SMB is carried over NetBT (NetBIOS over TCP/IP) instead of direct-hosted SMB. You can change it on either the client workstations or the server side.

For us, since the client workstations may connect to more than one server, and some of those servers are not managed by us (and, as a result, are outside our firewalls), we have to change the registry setting on the client side.

So, I used Active Directory Group Policy to help me deploy the registry setting.
  • Create a custom Administrative Template as follows:

    ; NetBT.adm - custom template. CLASS MACHINE means the key below is relative to HKEY_LOCAL_MACHINE.
    CLASS MACHINE
    CATEGORY "NetBT Settings"
    POLICY "SmbDeviceEnabled"
    ; This key lives outside the Policies tree, so the value is written directly (a tattooing setting).
    KEYNAME "SYSTEM\CurrentControlSet\Services\NetBT\Parameters"
    EXPLAIN "This policy configures the registry value HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\SmbDeviceEnabled. Disable this policy to solve the problem of SMB over NAT. Refer to Microsoft KB 301673 for more information."
    VALUENAME "SmbDeviceEnabled"
    ; Enabled writes 1 (direct-hosted SMB on); Disabled writes 0 (SMB over NetBT only).
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
    END POLICY
    END CATEGORY

  • Save the file as NetBT.adm.
  • In the Group Policy Editor, go to the View menu | Filtering and uncheck the "Only show policy settings that can be fully managed" checkbox (this template writes outside the Policies tree, so it is hidden by default).
  • Then go to Computer Configuration | Administrative Templates, and use Add/Remove Templates to add the NetBT.adm custom administrative template.
  • Now, under Administrative Templates, a NetBT Settings category will appear.
  • Under this NetBT Settings category, double-click SmbDeviceEnabled and change the status to Disabled.
  • Close the Group Policy Editor to finish.
  • Link this group policy to the right OU to apply onto all the machines under it. (always do it on test machines first!)
  • Within 90 minutes (the default Active Directory Group Policy refresh interval), the machines will receive the new registry value.
  • You still have to reboot the machines for the registry change to take effect.

One thing you have to know is that this kind of group policy is a tattooing policy: the registry value is written directly to the target key, so it will not be changed back to its original value if you later remove the group policy. To undo the change, you will have to explicitly set the SmbDeviceEnabled policy under NetBT Settings to Enabled, which writes 1 back.
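Because the policy tattoos and only takes effect after a reboot, it is worth checking what actually landed on the workstations. Below is an added PowerShell example (not from the original post) that reads SmbDeviceEnabled from a set of machines through the remote registry and, on the local host, checks whether the direct-hosted SMB listener on TCP 445 is still up; the computer names are constructed placeholders, and it assumes the Remote Registry service is reachable with admin rights and that Get-NetTCPConnection is available (Windows 8 / Server 2012 or later).

```powershell
# Added example: verify the SmbDeviceEnabled deployment. Not the original post's code.
# Constructed placeholder names; replace with the machines in the OU you linked the GPO to.
$computers = @('WKS-TEST01', 'WKS-TEST02')
$keyPath   = 'SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
$valueName = 'SmbDeviceEnabled'

function Get-SmbDeviceState {
    param([Parameter(Mandatory)][string]$ComputerName)
    try {
        # Remote Registry access to HKLM on the target (assumes the service is running there).
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        $key  = $hklm.OpenSubKey($keyPath)
        # $null means the value was never written (GPO not applied yet); otherwise 1 or 0.
        $value = if ($key) { $key.GetValue($valueName, $null) } else { $null }
        if ($key) { $key.Close() }
        $hklm.Close()
        [pscustomobject]@{
            ComputerName     = $ComputerName
            SmbDeviceEnabled = $value
            PolicyApplied    = ($value -eq 0)   # 0 = direct-hosted SMB off, SMB over NetBT only
            Error            = $null
        }
    } catch {
        [pscustomobject]@{
            ComputerName     = $ComputerName
            SmbDeviceEnabled = $null
            PolicyApplied    = $false
            Error            = $_.Exception.Message
        }
    }
}

# The registry value is present as soon as the GPO refreshes, but the SMB device stays
# active until reboot. On the local machine, a listener on TCP 445 means the change
# has not taken effect yet (or the policy was never applied here).
function Test-Port445Listening {
    [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
}

$computers | ForEach-Object { Get-SmbDeviceState -ComputerName $_ } | Format-Table -AutoSize
"Local host still listening on TCP 445: $(Test-Port445Listening)"
```

Run it once before linking the GPO to record the baseline (value absent, port 445 listening), then again after the refresh interval and after the reboot.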
