A session on how to modernise and cloud-integrate traditional files servers using Azure File Sync. The solution will introduce ransomware-resistant backup, disaster recovery, multi-location cloud sync, and tiered storage.

1. Digitally Transform (And Keep) Your
On-Premises File Servers
Aidan Finn
Azure MVP, Ireland
Principal Consultant, Innofactor Norway
Owner, Cloud Mechanix

2. About Aidan Finn
https://aidanfinn.com
@joe_elway
13 Year MVP
Azure, previously Hyper-V and
SCCM
Principal Consultant, Innofactor
Norway
https://innofactor.com
Owner, Cloud Mechanix –
http://cloudmechanix.com
Azure training around Europe
Next Class – ONLINE July 30th
“Securing Azure Services & Data Through
Azure Networking””
https://july302020.cloudmechanix.com/

3. File Servers – The Good & Bad

4. You’ve Moved to SharePoint Online – Right?
• It’s easy to migrate to SharePoint Online
• Not so quick there, jack-aroo!
• Everyone’s collaborating in the cloud
• We’d love to
• And all the file servers are gone
• Hmm … we need to talk

5. The File Server Plays a Critical Role
• Everywhere from small to large business
• Branch offices
• Because:
• Low client <> server latency
• They’re familiar
• You’ve got a continuing investment
• There are dependencies
• Sometimes the cloud offerings just aren’t (completely)
suitable

6. Old Problems Continue
• Synchronization
• Capacity issues
• Backup
• Disaster recovery

7. What If We Make the File Server Better?
• Synchronize through the cloud
• A “master” cloud replica
• Built on mature, mission critical, technology
• Reduce on-premises storage needs
• Without the users/applications noticing
• Permissions stay the same
• Move backup to the cloud
• Less on-premises infrastructure
• Automatic off-site backups
• Enable disaster recovery
• Recover in minutes

8. Azure File Sync

9. Azure File Sync (AFS)
• Synchronize through the cloud
• A “master” cloud replica in Azure Files (General Purpose Storage account)
• Built on Microsoft Sync Framework (7+ years in SQL Server)
• Reduce on-premises storage needs
• Cloud tiering, replacing files with reparse points (pointers)
• Permissions stay the same
• Move backup to the cloud
• Back done in the cloud
• Automatic off-site backups
• Enable disaster recovery
• Restore files/complete shares in minutes
• Creates reparse points on the new file server

10. Isn’t That StorSimple?
• StorSimple:
• Available as PAYG virtual appliance or expensive physical appliance
• Supports iSCSI/SMB LUNs
• Does all the above
• Major differences:
• StorSimple is block based / AFS is file based
• StorSimple is generic / AFS is specific to file servers
• StorSimple uses Azure blob storage / AFS uses Azure Files storage
• You must move data ON TO StorSimple / You put an AFS agent onto existing file
server
• When to use?
• AFS is for file servers
• You can migrate from StorSimple to AFS
• Contact AzureFiles@microsoft.com

11. Service Overview
SMB
NFS
Users
Applications
HQ
File Server
Azure Backup
Azure
File Share
File 1
File 2
File 3
Cloud Tiering
File 1
File 2
File 3
Rapid DR
Branch
File Server

12. The Components
D:Accounting
(Server Endpoint)
D:Sales
(Server Endpoint)
File Server
D:Marketing
(Server Endpoint)
Azure
General Purpose Storage
Account
Azure Files
Storage Sync Service
Accounting
Sync Group
Cloud Endpoint
Sales
Sync Group
Marketing
Sync Group
Cloud Endpoint
Cloud Endpoint
Accounting (Share)
Sales (Share)
Marketing (Share)
Azure
Backup
File Sync Agent
(Registered Server)
Tiering Policies

13. Deploying Azure File Sync

14. File Server Requirements
• OS:
• Windows Server 2012 R2 Full/Core
• Windows Server 2016 Full/Core
• Windows Server 2019 Full/Core
• RAM: 2GB or more
• Required for the StorageSync filter driver
• Ensure Hyper-V Dynamic Memory is set to 2GB Startup & Minimum
• Latest edition of Azure RM (until Dec 2020) or Az PowerShell modules
• Supports
• Traditional active/passive file server clusters
• DFS Namespace
• Anti-virus that respects the FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS attribute of cloud-tiered
files

15. Known Compatible AV Products
• Windows Defender
• System Center Endpoint Protection (SCEP)
• Test Third-Party AV:
• Azure File Sync Antivirus Compatibility Test Suite
• Check respect of
FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS attribute
Issue with MS AV products: https://docs.microsoft.com/en-us/azure/storage/files/storage-sync-files-planning#azure-file-sync-system-requirements-and-
interoperability

16. Encryption
• OK:
• BitLocker & similar disk-level encryption
• Azure Information Protection
• AD Rights Management Services
• File-level encryption
• Incompatible:
• EFS
• File system encryption
File
File System
Disk

17. Admin Interface
• Azure Portal
• Windows Admin Center
• V2.0 of AFS extension announced at Microsoft Ignite 2019
• PowerShell

18. Deploy The Azure Components
1. Create a Storage Sync Service
• In a region close to the on-premises file server(s)
• Reduce latency when retrieving cold/restored files
2. Create a storage account with Azure Files support
• Cannot use Blob/Tiering because AFS uses Azure Files shares
• GPv1, GPv2 or Premium Files
• GRS for Azure region disaster recovery
• Same region as the Storage Sync Service
3. Create a DELETE lock for the storage account
• Prevents accidental deletion of the storage account – not the
contents
• You’ll see why later (backups)

19. Azure File Shares
• Intended for system access
• For example, migrated legacy apps, Azure File Sync
• Not good for direct end user access
• Scalability
• 5 Tib 100 TiB per share *
• Depends on region and selected resiliency level
• 10k IOPS per Standard share
• 100k IOPS per Premium share
• 1 4 TiB max file size
• 100M items per share
• 5M items per directory
* https://docs.microsoft.com/en-us/azure/storage/files/storage-files-planning#regional-availability

20. Install the Storage Sync Service
1. Install the Azure RM or Az PowerShell modules on the file server
• “Latest released” version from GitHub
• Will require a reboot for new installations
2. Download the File Sync Agent from the Storage Sync Service
3. Install the File Sync Agent on the file server
• Choose if/when scheduled updates occur
4. Register with the Storage Sync Service
• Requires Azure credentials
• Set IE Enhanced Configuration == Off
• CSP subscriptions require a toggle to be set
• The file server appears as a registered server in Storage Sync Service

21. Synchronising Folders

22. The Pieces of Folder Synchronisation
• Server endpoint:
• A folder that is synchronised to Azure
• Storage account
• Provides the Azure Files service
• Cloud endpoint:
• An Azure Files share that is the cloud replica
• Sync group:
• Comprised of 1 cloud endpoint & 1+ server endpoints
• Many file servers can synchronise a single folder
• Replicates all files into Azure from the server endpoints
• Subject to allowed files
• Replicates all files to the server endpoints

23. Replication
• Remember:
• Everything in a server endpoint is replicated to Azure
• The Azure Files share becomes the master copy
• The file server is now a local hot-cache
• You can browse Azure Files shares:
• SMB connection: Requires authentication, doesn’t apply NTFS
permissions
• Azure Portal: Via storage account > Files
• Azure Storage Explorer: Free GUI tool
• Modifications on the file server are replicated to Azure ASAP
• Modifications in the cloud can take time to appear on prem
• Low priority task

24. Creating a Sync Group
1. Create a share in Azure Files
• Name has nothing to do with on-prem folder name
2. Create a Sync Group
• Name has nothing to do with on-prem folder name
3. Add a server endpoint
• Select the registered file server
• Enter the path
• Optionally enable cloud tiering (more later)

25. Adding a New File Server
• Extending replication from Server1 to Server2 via Azure
• Process:
1. Install the File Sync Agent on the file server & register it
2. Add a new server endpoint
3. The on-prem folder path/name on Server2 doesn’t need to match
Server1
4. The folder and files (reparse points) appear in minutes

26. Cloud Tiering

27. Saving Space on File Servers
• Cloud tiering is powered by a filter driver called StorageSync
• Tracks the temperature (usage) of files
• When enabled, it moves converts the coldest local replica files into reparse points
• A pointer to the cloud-replica of the file
• Additional attribute is associated with the file
• A = archive/synchronised
• P = Sparse
• L = Reparse point
• O = Offline
• Icon of the file changes
• File path/name/permissions do not change
• The file is downloaded from the cloud on demand – remember it is cold because it
is rarely (if ever) used

28. How Tiering Works
• Configured per server endpoint:
• D:SharesAccounting on Server1 has a tiering policy
• F:LocalSharesAccounting on Server2 has a different tiering policy
• G:Accounting on Server3 has no tiering policy
• A tiering policy:
• Enabled/Disabled
• Specifies what percentage of the volume should be free
• Date range – what age (days) files are tiered

29. Tiering – Overlapping Percentages
• All tiering policies on a single volume are based on largest free space wins:
• D:SharesAccounting = 10%
• D:SharesManagement = 20%
• D:OtherFolder = 30%
 Tiering will try to clear up 30% from the volume from the tiered folders

30. Tiering – Overlapping Policy Types
• All tiering policies on a single volume are based on largest free space wins:
• 30% free space
• Local retention = 30 days
• The volume is full
 The free space policy will always win
 Tiering will try to clear up 30% despite the age of hot files

31. Tiering Requirements
• Must be a data volume – not the OS drive
• A file must be 64 KiB+ to be eligible for cloud-tiering
• Cloud tiering is incompatible with Windows Server deduplication
• Cloud-tiered files will not be indexed by Windows Search
• Remember the 2 GiB RAM requirement for the Azure File Sync agent
• StorageSync filter driver will fail to work if it cannot get enough RAM
• You need some free space on the data volume
• How much – unknown at this time

32. Backup

33. How Azure Backup Works With AFS
• Today:
• Azure Backup is only an orchestrator
• No data stored in the Recovery Services Vault
• Generally Available
• What happens:
• Incremental snapshots of shares in the storage account
• Max 200 snapshots per share
• Does not consume from the limit of an Azure Files share
capacity
• Does have a storage charge

34. Caution!
• If you delete the storage account, you lose the backups
• Place a DELETE lock on the storage account
• Limit contributor/owner/admin access to the storage
account
• Consider
• Dedicated subscription
• Azure Privileged Identity Management

35. Backups
• Scheduled by the Azure Backup Recovery Services Vault
• Can also be triggered manually
• After setup, manage backup/restores via:
• Azure Files share
• Recovery Services Vault

36. Restores
• A thing of beauty:
• Done in the cloud
• Synchronises to server endpoints within a few minutes
• Reparse points (cloud tiering) by default, and files are downloaded on
demand
• Restore huge amounts “from the cloud” and be operational in
minutes – see ransom-ware recovery
• You can:
• Restore a file/files/complete share
• To original location or create a new copy
• Overwrite/skip existing copies

37. Process of Enabling Backup
1. Create a recovery services vault
• Same region as the general purpose storage account
• Setup alerting
• Configure LRS/GRS before registration
2. Add an Azure Files backup item
• Select the storage account
• Select share(s) from the storage account
3. Configure a backup policy
4. Check your logs after first backup

38. Self-Service Restore

39. AFS + Previous Versions
• Available from AFS Agent v9
• Must be enabled per volume
on the file server
• Import-Module
‘<SyncAgentInstallPath>StorageSync.Managem
ent.ServerCmdlets.dll’
• Enable-StorageSyncSelfServiceRestore –
DriveLetter D -Force
Folder
File A
File B
Volume D:
File Server
Folder
File A
File B
Volume D:
Azure File Sync
Folder
File A
File B
A tiered file holds a reference

40. Previous Versions
• User opens share in File Explorer
• Right-click a file
• Open Previous Versions
• Drag’n’drop old file version to replace current file

41. Disaster Recovery

42. Near Instant
• We’ve already discussed the process
• Add a new server endpoint
• You create a new file server
• Install the File Sync Agent & register it with the old Storage Sync
Service
• Edit the Sync Groups and add the new file server
• The shares will appear within a few minutes
• Recovered shares
• 100% cloud-tiered to begin with
• Files downloaded on demand
• Tiering will eventually cloud-tier any downloaded cold files when the
volume % limit is reached

43. Troubleshooting

44. Solving Problems
• Storage Sync Agent installation/upgrade logs:
• C:AfsAgentSetup
• C:AfsInstallerUpgrade
• Storage Sync Service:
• Registered Servers: Communications & agent version
• Sync Groups: File synchronisation
• Event Viewer
• AFS tools:
• FileSyncErrorsReport.ps1
• Debug-AFS … requires Import-Module .afsdiag.ps1

45. Usual Suspect – StorageSync Filter Driver
• Used by the Sync Service Agent when tiering is enabled
• Make sure StorageSync filter driver is OK – FLTMC Instances
• Have you enough RAM?
• Is the data volume full?
• 0x8e5e0211 and/or 0x80c8031a errors
• Have you on-prem backup?
• Have you checked your AV for respect of the “O” attribute?

46. FAQ

47. FAQ
• Is there file lock sync?
• No
• Is there support for Azure AD RBAC
• Yes
• But not recommended to use the cloud shares directly
• Can we use Private Link?
• Yes, requires private endpoints for AFS and for Azure Files
• Is there anti-virus for Azure Files?
• No
• AV on the file server
• Security Center Advanced Threat Protection for Azure Files

48. The File Server Awakens

49. The Rise of Replicas
• In my experience:
• Azure Backup was the biggest entry point to Azure (small/medium
business)
• It was non-disruptive
• Added life/value to file servers
• But it only dealt with backup
• Azure File Sync
• Deals with the reality that the file server is still alive
• Is the next big hybrid service
• Synchronisation, capacity, backup and DR solution
• Extremely valuable for large restores from the cloud
• Could be a killer for branch offices

50. Thank You!
Aidan Finn, Azure MVP
http://www.aidanfinn.com
http://www.innofactor.com
@joe_elway
Cloud Mechanix
Next Class – ONLINE July 30th
“Securing Azure Services & Data Through Azure
Networking””
https://july302020.cloudmechanix.com/