The one thing the problems have in common is that they all occur when the connection uses the Server Message Block (SMB) protocol.
It turns out there is a problem with the SMB protocol running over NAT. Refer to Microsoft KB article 301673 for more detail. The workaround is to change a registry setting so that the NetBT protocol is used instead. You can change it on either the client workstations or the servers.
For us, since the client workstations may connect to more than one server, and some of those servers are not managed by us (and as a result, they are outside our firewalls), we have to change the registry setting on the client side.
So, I used Active Directory Group Policy to help me deploy the registry setting.
- Create a custom Administrative Template as follows:
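CLASS MACHINE
CATEGORY "NetBT Settings"
  POLICY "SmbDeviceEnabled"
    KEYNAME "SYSTEM\CurrentControlSet\Services\NetBT\Parameters"
    EXPLAIN "This policy configures the registry value HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\SmbDeviceEnabled. You can disable this value to solve the problem of SMB using NAT. Refer to Microsoft KB 301673 for more information."
    VALUENAME "SmbDeviceEnabled"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
END CATEGORY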
- Save the file as NetBT.adm.
- In the Group Policy Editor, go to View menu | Filtering, uncheck the "Only show policy settings that can be fully managed" checkbox.
- Then go to Computer Configuration | Administrative Templates, and use Add/Remove Template to add this NetBT.adm custom administrative template.
- Now, under Administrative Templates, a NetBT Settings category will appear.
- Under this NetBT Settings category, double-click on SmbDeviceEnabled and change the status to Disabled.
- Close the Group Policy Editor to finish.
- Link this group policy to the right OU to apply it to all the machines under it. (Always do it on test machines first!)
- Within 90 minutes (default time for Active Directory Group Policy refresh), the machines will obtain the new registry value.
- You still have to reboot the machines for the registry change to take effect.
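
To confirm on a client that the policy has arrived and that the reboot has actually taken effect, a check like the following can be run locally. This is an added example, not part of the original procedure. The function names are hypothetical, and it assumes English netstat output and that a machine with SmbDeviceEnabled set to 0 stops listening for direct-hosted SMB on TCP 445 after the reboot.

```powershell
# Added example: verify the SmbDeviceEnabled policy on the local machine.
# Key path and value name are the ones used in the NetBT.adm template above.
$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
$valueName = 'SmbDeviceEnabled'

function Get-SmbDeviceEnabled {
    # Returns the DWORD value, or $null when the value does not exist
    # (in that case the policy has not been written to this machine yet).
    $props = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties[$valueName]) {
        return [int]$props.$valueName
    }
    return $null
}

function Test-Port445Listening {
    # Assumption: with direct-hosted SMB disabled and the machine rebooted,
    # nothing listens on TCP 445. netstat is parsed (English output assumed)
    # so the check also works where Get-NetTCPConnection is unavailable.
    $listeners = netstat -an |
        Select-String -Pattern '^\s*TCP\s+\S+:445\s+\S+\s+LISTENING'
    return [bool]$listeners
}

$value     = Get-SmbDeviceEnabled
$listening = Test-Port445Listening

if ($null -eq $value) {
    'Policy not applied: SmbDeviceEnabled is not set. Wait for the next Group Policy refresh and re-check.'
}
elseif ($value -ne 0) {
    "Policy not applied: SmbDeviceEnabled = $value (expected 0)."
}
elseif ($listening) {
    'Registry value is 0 but TCP 445 is still listening: reboot pending.'
}
else {
    'OK: SmbDeviceEnabled = 0 and no TCP 445 listener; SMB connections will use NetBT.'
}
```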