Speeding up file copies to and from an SBS 2003 Server
SBS is the oddity of the Microsoft server line-up. Most of the advice around concentrates on the standalone versions of the products SBS contains, so it's sometimes hard to find good advice for its implementation.
One thing that people have noted following an upgrade from SBS 2000 to SBS 2003 is a decrease in the speed of file transfers. This is often down to the default setting for SMB signing. SMB signing protects your domain controllers from man in the middle attacks; attacks based around someone watching the traffic between a client and the server. In general, SMB signing is a good thing as it protects your network.
However, its use on SBS is maybe not such a good thing. By default, a Windows 2003 domain enables SMB signing on traffic to and from the domain controller only. The domain controller usually doesn't do anything other than act as a domain controller and perform a few network functions: DNS, WINS, DHCP, etc. SBS is different; it's a file server, a mail server, a proxy server, a web server and a domain controller.
Why does SMB signing affect network performance? Well, the principal reason is that the data gets serialised; packet 1 needs to arrive before packet 2. Microsoft security guru Jesper Johannson saw his SBS server go from managing a sustained file transwer speed of 1.74MB/s with SMB signing on to 4.27MB/s with it turned off)
So, if you are experiencing poor SBS file transfer speed, you may wish to turn of SMB signing. This is how you do it.
There are three steps are involved:
Disable SMB policies in the 'Default Domain Controller Policy".
Disable SMB policies in the 'Default Domain Policy'.
Apply the policies to the server and the workstations.
The four settings in each policy are:
Microsoft Network server: Digitally sign communications (always) - Disable
Microsoft Network server: Digitally sign communications (if client agrees) - Disable
Microsoft Network client: Digitally sign communications (always) - Disable
Microsoft Network client: Digitally sign communications (if server agrees) - Disable
Open the Group Policy Management tool from the Administrative tools and drill down until you see the link to the 'Default Domain Controllers Policy'. Right click the policy and select the Edit option. Once you have changed the settings in the 'Default Domain Controllers Policy' you must do this also for the 'Default Domain Policy'.
Once done, you either need to reboot the server twice, or push the policy application using 'gupdate /force /boot' and then reboot.
SBS is the oddity of the Microsoft server line-up. Most of the advice around concentrates on the standalone versions of the products SBS contains, so it's sometimes hard to find good advice for its implementation.
One thing that people have noted following an upgrade from SBS 2000 to SBS 2003 is a decrease in the speed of file transfers. This is often down to the default setting for SMB signing. SMB signing protects your domain controllers from man in the middle attacks; attacks based around someone watching the traffic between a client and the server. In general, SMB signing is a good thing as it protects your network.
However, its use on SBS is maybe not such a good thing. By default, a Windows 2003 domain enables SMB signing on traffic to and from the domain controller only. The domain controller usually doesn't do anything other than act as a domain controller and perform a few network functions: DNS, WINS, DHCP, etc. SBS is different; it's a file server, a mail server, a proxy server, a web server and a domain controller.
Why does SMB signing affect network performance? Well, the principal reason is that the data gets serialised; packet 1 needs to arrive before packet 2. Microsoft security guru Jesper Johannson saw his SBS server go from managing a sustained file transwer speed of 1.74MB/s with SMB signing on to 4.27MB/s with it turned off)
So, if you are experiencing poor SBS file transfer speed, you may wish to turn of SMB signing. This is how you do it.
There are three steps are involved:
Disable SMB policies in the 'Default Domain Controller Policy".
Disable SMB policies in the 'Default Domain Policy'.
Apply the policies to the server and the workstations.
The four settings in each policy are:
Microsoft Network server: Digitally sign communications (always) - Disable
Microsoft Network server: Digitally sign communications (if client agrees) - Disable
Microsoft Network client: Digitally sign communications (always) - Disable
Microsoft Network client: Digitally sign communications (if server agrees) - Disable
Open the Group Policy Management tool from the Administrative tools and drill down until you see the link to the 'Default Domain Controllers Policy'. Right click the policy and select the Edit option. Once you have changed the settings in the 'Default Domain Controllers Policy' you must do this also for the 'Default Domain Policy'.
Once done, you either need to reboot the server twice, or push the policy application using 'gupdate /force /boot' and then reboot.
