Installing Continuity Engine on Windows Servers configured to allow SMBv3 connections only
Summary
This knowledgebase article provides information regarding the installation of Continuity Engine on Windows Servers configured to allow SMBv3 connections only.
Foreword
Allowing only SMBv3 client connections is a custom configuration performed on a Windows Server (starting with 2012). By default, Windows Server (for example 2019) is configured to allow SMB 3.1.1 or 2.0. When a connection to an SMB server is established, the client negotiates which protocol versions are available on both sides and then uses the highest possible version. Thus, the Engine Management Service (client) and the Engine target (server) will agree on using SMBv2, which works for the default SMB server configurations.
Continuity Engine vs. SMBv3
Situation / Verdict
Continuity Engine Management Service cannot install or upgrade target servers configured to allow SMBv3 connections only. This means the target server was configured to allow only SMBv3 encrypted connections to ALL its encrypted shares. To check this, verify the following SMB server properties via PowerShell on the target server:
PS C:\Users\Administrator> Get-SmbServerConfiguration | Select RejectUnencryptedAccess
RejectUnencryptedAccess
-----------------------
True
PS C:\Users\Administrator> Get-SmbServerConfiguration | Select EncryptData
EncryptData
-----------
True
Reason
EMS current design combined with SMB functionality
Even if the actual OS has SMBv3 capabilities (present since WS2012), the EMS remote execution code uses SMBv2 to access the target server. EMS creates a randomly named folder inside C:\Windows\Temp, where it copies all the tools needed for validation/install/upgrade. Because only SMBv3 client connections are accepted, access initiated by the SMBv2 client is not authorized, hence Engine validation/install/upgrade fails.
Workaround
Configure the target server to temporarily allow SMBv2 while Engine is being installed or upgraded, by either of the following:
- set all shares as unencrypted
Set-SmbServerConfiguration -EncryptData $false
- allow unencrypted access
Set-SmbServerConfiguration -RejectUnencryptedAccess $false
Once Engine is installed or upgraded you may safely revert to allow only SMBv3 connections:
- set all shares as encrypted
Set-SmbServerConfiguration -EncryptData $true
- reject unencrypted access
Set-SmbServerConfiguration -RejectUnencryptedAccess $true
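The workaround above as a single script, added here as an example (not Neverfail's own code): it relaxes one of the two settings, waits while the install or upgrade runs from EMS, and always restores the setting afterwards so the server is not left accepting unencrypted access. The $Setting parameter name is an assumption of this example; run it in an elevated PowerShell session on the target server.

```powershell
# Added example (not vendor code). Run elevated on the target server.
param(
    # Which of the two workaround settings to relax; parameter name is an assumption.
    [ValidateSet('EncryptData', 'RejectUnencryptedAccess')]
    [string]$Setting = 'RejectUnencryptedAccess'
)

$before = Get-SmbServerConfiguration
Write-Host "Before: EncryptData=$($before.EncryptData) RejectUnencryptedAccess=$($before.RejectUnencryptedAccess)"

if (-not $before.$Setting) {
    Write-Host "$Setting is already False; nothing to relax or restore."
    return
}

try {
    $relax = @{ $Setting = $false }
    Set-SmbServerConfiguration @relax -Force
    Write-Host "$Setting set to False at $(Get-Date -Format o)"
    # The install/upgrade is driven from EMS, so just hold the window open here.
    $null = Read-Host 'Run the Engine install or upgrade from EMS, then press Enter to restore'
}
finally {
    # Restore even if the script fails or is interrupted with Ctrl+C.
    $restore = @{ $Setting = $true }
    Set-SmbServerConfiguration @restore -Force
    $after = Get-SmbServerConfiguration
    Write-Host "After:  EncryptData=$($after.EncryptData) RejectUnencryptedAccess=$($after.RejectUnencryptedAccess)"
    if (-not $after.$Setting) {
        Write-Error "$Setting is still False; set it back to True manually."
    }
}
```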
Applies to
Continuity Engine 9.x (and later)