Windows Server 2017 Efs Guide

Posted on  by  admin

Windows Offline Files have a bad reputation. Many an administrator can tell a story where Offline Files caused issues that sometimes even required a reinstallation of the affected PC. But Microsoft has gradually improved the functionality and ironed out many of the bugs. Today – in Windows 7 SP1 with all post-SP1 fixes – Offline Files is a technology that still has its problems, but can be used in production – if you are adventurous. This article lists the gotchas I am aware of. Please note: Although this article originally targeted Windows 7, most if not all of its content applies to Windows 8, too.

Documentation

If you want to know what is really going on under the hood, you are mostly on your own.


The documentation Microsoft provides is not detailed enough to implement Offline Files in larger production environments. Nor does it help much if things do not work the way you think they should be working.

Configuration

In enterprise environments, Offline Files are configured via Group Policy; the relevant node is Administrative Templates - Network - Offline Files. Caution: Most settings do not apply to Windows 7, but to older operating systems. In the computer part, only 10 out of the 28 settings are relevant to Windows 7. In the user part only 2 out of 15. Tip: Set a filter in Group Policy Management Console that only includes settings for Windows 7.

Logging

Offline Files messages are logged to a well-hidden part of the event log only: Application and Services Logs - Microsoft - Windows - OfflineFiles. By default, only an Operational log is there, but if you enable Show Analytic and Debug Logs in the View menu, you also get logs called Analytic, Debug and SyncLog. Each of those can be (and has to be) enabled separately. Out of these logs, SyncLog is the most interesting. In it you can find one entry per synchronized file. Analytic and Debug have always been empty during my tests. Readability of the logs generated by Offline Files is generally bad.

Many messages are cryptic and difficult to interpret.

Architecture

Modes: Online, Slow Link and Offline

Offline Files have four modes of operation:

- Online
- Slow link
- Auto offline
- Manual offline

Offline Files transition between the three modes online, slow link and auto offline depending on connection speed. The user can always override the automatic mode selection by manually switching to manual offline mode. To determine the connection speed, two pings with default packet size are sent to the file server.

If the average round-trip time is below 80 ms (Windows 7) or 35 ms (Windows 8), the connection is put into online mode, otherwise into slow link mode. The latency value of 35/80 ms is configurable through the Group Policy setting Configure slow-link mode.

Initial & Logon Synchronization

When a user first logs on to a computer, initial synchronization occurs in the background. Once the initial synchronization has completed, the offline files icon in the notification area of the system tray is displayed. Once initial synchronization has completed, logon synchronization is attempted 5 minutes after every logon. The default delay of 5 minutes can be changed by setting the following registry value:

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\NetCache
Value name: AgentFillPeriodMin
Value type: REG_DWORD
Allowed value data: 1-1440 minutes

Reads, Writes and Synchronization

In online mode, changes to files are made on the file server as well as in the local cache (this induces a performance hit – see for details). Reads are satisfied from the local cache (if in sync). In slow link mode, changes to files are made in the local cache.

The local cache is background-synchronized with the file server every 6 hours (Windows 7) or 2 hours (Windows 8), by default. This can be changed through the Group Policy setting Configure Background Sync. In auto offline mode, all reads and writes go to the local cache. No synchronization occurs. In manual offline mode, all reads and writes go to the local cache.

No synchronization occurs by default, but background synchronization can be enabled through the Group Policy setting Configure Background Sync.

Permissions

Offline Files do not require any special permissions on the file server. The permissions listed in are, at best, misleading.

Specifically, Everyone, Local System and Creator Owner need not be granted permissions, neither on the share nor in the file system. Microsoft recommends, however, to only use Offline Files for paths where only one user has write access in order to prevent synchronization conflicts that invariably arise if multiple users can edit different copies of a document at the same time. The only valid multi-user scenario would be a read-only directory used to push out things like static documentation to the users. Permissions are synchronized to the offline cache, too. If a user has read access on the file server, he has read access in offline mode – nothing more.

Cache size management

Files that were cached automatically are removed on a least-recently used basis if the maximum cache size is reached. Files that were cached manually are never removed from the local cache.

When the total local cache size limit is reached and all files that were cached automatically have already been removed, you cannot make files available offline until you specify a new limit or delete files from the local cache by using the Offline Files control panel applet. The default limit for the Offline Files cache size is 25% of the total disk space of the drive where the Offline Files cache is located (typically C:\Windows\CSC). The cache size can be configured through the Group Policy setting Limit disk space used by Offline Files.

Encryption

The Offline Files cache can be encrypted using EFS. If enabled, EFS encrypts the files on a per-user basis. If a user does not already have an EFS certificate, a new one will be generated on the fly. Caution: when a user’s password is reset, the EFS key is discarded and cached Offline Files become invalid: files that have not been synchronized yet are lost.

Everything else needs to be re-downloaded.

Recommendations

Network Share Configuration

Availability of Offline Files can be controlled via caching options of network shares. Make sure that the Offline settings of the share are not configured to disable Offline Files.

- Bad: No files or folders from the shared folder are available offline.
- Good: Only the files and folders that users specify are available offline.
- Use with caution: All files and programs that users open from the share are automatically available offline. Optimize for performance has no effect on computers running Vista or newer.

If you are using DFS, make sure that the DFS root shares are configured correctly, too.

Software Versions

By all means, use the latest version of Windows and install every patch related to networking and Offline Files you can get your hands on. Microsoft releases new patches for Offline Files regularly.

Monitor the KB for new articles and subscribe to this blog’s feed. If you have very long logon times in conjunction with folder redirection it might be due to a bug that is described in the Microsoft Knowledge Base article (You encounter a long logon time after you enable the “Do not automatically make redirected folders available offline” Group Policy setting in Windows 7 or in Windows Server 2008 R2). Install the patch that is available on the article’s web page and the problem should go away.

Resetting the Offline Files Cache

To reset the Offline Files cache, open a shared network folder in Explorer and select Tools / Folder Options / Offline Files. Press CTRL+SHIFT while clicking Delete Files. If you cannot access the Offline Files tab, use the following method to re-initialize the Offline Files cache (CSC) on the system.

Add the following registry subkey:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CSC\Parameters
Value name: FormatDatabase
Value type: DWORD
Value data: 1

Notes: The actual value of the FormatDatabase value is ignored. Reinitialization requires a restart. When the computer is restarting, the system will re-initialize the CSC and then delete the FormatDatabase value. Warning: All files in the cache are deleted and unsynchronized data is lost.
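The two registry changes described in this article (AgentFillPeriodMin for the logon synchronization delay and FormatDatabase for the cache reset) can be scripted with guard rails around the destructive one. The PowerShell below is an added example, not part of the original article; the function names are hypothetical, and it assumes an elevated session on the client.

```powershell
# Added example. Key paths and value names are the ones given in the article;
# the function names are hypothetical.
$NetCacheKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\NetCache'
$CscParamKey = 'HKLM:\SYSTEM\CurrentControlSet\services\CSC\Parameters'

function Get-OfflineFilesRegistryState {
    # Report the configured logon-sync delay and whether a cache reset is pending.
    $delay = Get-ItemProperty -Path $NetCacheKey -Name AgentFillPeriodMin -ErrorAction SilentlyContinue
    $reset = Get-ItemProperty -Path $CscParamKey -Name FormatDatabase -ErrorAction SilentlyContinue
    $minutes = 5                                   # default delay per the article
    if ($delay) { $minutes = $delay.AgentFillPeriodMin }
    New-Object psobject -Property @{
        LogonSyncDelayMin = $minutes
        DelayIsDefault    = -not $delay
        CacheResetPending = [bool]$reset           # value is removed again after the restart
    }
}

function Set-OfflineFilesLogonSyncDelay {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # The article gives 1-1440 minutes as the allowed range.
        [Parameter(Mandatory = $true)][ValidateRange(1, 1440)][int]$Minutes
    )
    if ($PSCmdlet.ShouldProcess($NetCacheKey, "Set AgentFillPeriodMin to $Minutes")) {
        if (-not (Test-Path $NetCacheKey)) { New-Item -Path $NetCacheKey -Force | Out-Null }
        New-ItemProperty -Path $NetCacheKey -Name AgentFillPeriodMin `
            -PropertyType DWord -Value $Minutes -Force | Out-Null
    }
}

function Request-OfflineFilesCacheReset {
    # Destructive: unsynchronized data in the cache is lost at the next restart,
    # so ConfirmImpact is High and the caller is prompted unless -Confirm:$false.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()
    if ($PSCmdlet.ShouldProcess('Offline Files cache (CSC)', 'Delete all cached files at next restart')) {
        if (-not (Test-Path $CscParamKey)) { New-Item -Path $CscParamKey -Force | Out-Null }
        # The data is ignored by the system; 1 matches the article.
        New-ItemProperty -Path $CscParamKey -Name FormatDatabase `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Usage:
#   Get-OfflineFilesRegistryState
#   Set-OfflineFilesLogonSyncDelay -Minutes 15 -WhatIf
#   Request-OfflineFilesCacheReset          # prompts before writing the value
```

Running Get-OfflineFilesRegistryState after the restart should show CacheResetPending as False, since the system deletes the FormatDatabase value once the cache has been re-initialized.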

Design Flaws

DFS

When transitioning to an offline state, Offline Files always transitions entire path trees. This is especially bad if DFS is used, since it means that if \\domain.com\dfs\homes\user1 is detected as being offline, the entire tree below \\domain.com\dfs goes offline.

To work around that, configure a slow-link policy with values similar to the following:

- \\domain.com\dfs: Latency=32000
- \\domain.com\dfs\homes: Latency=60

More information on this configuration can be found on the.

Initial Synchronization

There is no visual feedback that indicates whether initial synchronization has completed. When a user gets a new laptop, there is no simple way for him to determine if all his data has been synchronized to the local disk. Only by manually initiating a synchronization via Sync Center can one be sure that everything is available locally.

Offline Transition and File Server Load

The only criterion used to determine the state of a network path is the connection speed (which is measured by sending two pings). There are cases, however, where a file server is so heavily loaded that it practically ceases serving files, all the while still answering pings quickly. In such a situation Offline Files remain in online mode.

As a consequence the files on the network path are inaccessible even though they could be served from the offline cache.

Tools

Robocache

This tool still needs some polishing, but it looks promising. It can automate most administrative tasks related to Offline Files.

Hi Great Article, Just one question regarding one of your recommendations to do with redirected folders and offline files. You say “If a user’s entire home directory is available offline and folders are redirected from the user profile to subfolders of the home directory, disable the setting in the folder redirection policy that automatically makes redirected folders available offline. Otherwise, the redirected folders would be available offline “twice”, which might confuse the operating system.” The setting I’m seeing in Group Policy under User policies Administrative Templates Folder Redirection is “do not automatically make redirected folders offline”.

Just to clarify are you suggesting disabling this setting or do you mean enabling this setting?

Great article, could someone clarify “In online mode, changes to files that are available offline are made in the local cache first. The changes are then immediately synchronized to the file server” However according to.aspx#BKMKOptimized “In online mode, all modifications to a file or folder (write, open, or create) are applied to the network server first and then to the local cache” Also states that read requests are satisfied from the local cache first if the file in the cache is synchronized with the server. So does this mean that in Online mode files are read from the cache first but then subsequently modified on the server then synced back to the local cache?

Can someone please confirm what the offline caching setting should be set to for the underlying folder acting as the DFSRoot on the DFS server? For example:

– I have a Domain namespace of “\\Company.Local\Private”
– The corresponding folder on the DFS server is “D:\DFSRoots\PRIVATE” which is obviously shared.
– The default Caching/Offline option is set to “Only the files and programs that users specify are available offline”

Is this correct or should this be changed to “No files or programs. available offline” For your info: The target folders under “\\Company.Local\Private” i.e. “\\Company.Local\Private\Homes” point to a share on a file server. That file server’s share is set to “Only the files and programs that users specify are available offline” Servers are 2008R2 Clients Windows 7 sp1.

Peter or Helge, I’ve implemented the DFS 32000 ms Latency suggested in this article since my users were losing access to ALL DFS shares if they experienced any latency greater than the default 80 ms. It seems to be working, but I’m curious if either of you know how/where in the registry to confirm that this setting is being applied on the local user’s machine after receiving the changes via GPO (Running Windows 7 Pro and Server 2008 R2). Besides looking online for an answer, I’ve checked the following locations on the user’s machine:

1. HKLM\Software\Microsoft\Windows\CurrentVersion\NetCache (and any sub keys)
2. HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy (and any sub keys)
3. I searched the entire registry for the latency value of “320000”

Any help you can provide would be greatly appreciated.

Hi Helge Came across your site after a lot of searching, have this issue below with a user offline folder any suggestions. The problem is the offline files for his U / Home drive do not sync properly.

There is a GPO in place which auto maps the shared drives, folder redirection and a few other things. If you open his my documents which points to the U drive it lists all the folders but there are no files. If you go to the mapped drive the exact same thing happens. If you use start/run and go to the server drive the files list fine and all data is there. So the mapped drives don’t work nor do the offline folders, only a direct mapping.

The permissions on the files don’t seem to be correct and you are unable to copy the data to his machine. At the moment the GPO is unlinked and user is using his files saved directly to his pc. This is not safe because if he makes major changes and something happens to the laptop we have an issue. I can’t see why the folder redirection does not want to sync properly. Any ideas, I would appreciate your advice.

Hi Helge Thanks for taking the time to write this it has been useful. I have been struggling with a similar problem to Darren. The root cause is the structure of the share on the server.

It is in the form \\Server\Users$\%username%. At the level User$ on the server the users only have the right to list and traverse the folder structure. Because they do not have the right to read at the root of the structure offline files will not cache. You cannot switch off make available offline or force a sync.


Adding Read to the user rights fixes all these problems. But now all users’ personal folders are visible.

Any suggestions on the correct way to set permissions for home folders to use with offline folders? The option to share each home folder is so NT4.0 please someone have something better.

I have random users going offline when trying to access a DFS share that is not enabled for Offline use. It all started when we started doing folder redirection for all our users for their Desktop and Documents. Folder redirection is accessed via the server name – \\Users\UserFolderRedirection. The network file shares are published via DFS – \\mydomain.com\files. We started tinkering with GPOs and here are my settings:

– Configure slow-link mode – Enabled and UNC Path: \\users\UserFolderRedirection / Latency = 50. (I even tried UNC Path \\mydomain.com\files Latency = 0 AND Latency 1000, nothing worked.)
– Enable Transparent Caching – Enabled – 32000

Can you see anything why the files would go offline?

I work at a company where the support group has enabled offline files for a lot of users since the dawn of time on both xp computers and 7. When migrating to new file servers on several locations, offline files was not handled properly and the pc’s would continue to think that the server is offline and let the user work on cached files indefinitely.

Managing all this is still a nightmare with dead pc’s, corrupt offline files cache and strange things happening all over. I would like to turn off the offline files feature everywhere, internet access everywhere has diminished the usefulness of this feature. However, I am concerned about data loss for people working from their offline files cache.

What happens if I turn off offline files?

– Will the offline files cached files disappear from the client?
– Will it sync back any files changed on the client to the server when people who have been out of office return?
– Any caveats?

What is the best way of disabling offline files? So far I have been using cscfix.vbs / csccmd.exe (7/xp versions) to handle server migrations, but it can also turn off the feature.

– Group Policy? I am hoping Group Policy is the best way to go, but it depends on my question regarding data loss.
– Manually stopping offline files on the client and disabling the service.
– Shared folders? Why is it “bad” to turn it off from here?

Availability of Offline Files can be controlled via caching options of network shares. Make sure that the Offline settings of the share are not configured to disable Offline Files. Bad: No files or folders from the shared folder are available offline

I know I need to do some more testing, but I would love some feedback before my hair turns completely grey. Thanks! :)

Changing the Offline Files target is indeed something that does not go down well at all. Using DFS namespaces to hide the real server name is very useful.

However, I can understand why you want to migrate away from Offline Files. Turning OF off is the simpler part (I would do it through Group Policy).

Ensuring that no data is lost is much more difficult. Imagine a user is working with data in the OF cache without even realizing it.

When you turn off that cache, the data is inaccessible (though not deleted, if I am not mistaken – you would have to delete the cache separately). I am afraid that if you want to guarantee that no data is lost you will have to write a script that performs a sync and only when that is successful turns OF off.

Of course instead of synchronizing to the file server – which may be slow or not work at all, depending on the state of OF – you could just copy the data to another location on the local hard drive.

Great article, Question: How did you solve the issues on renaming users? With OF disabled (like VDI environments), the content is (stupidly) copied from the shared oldusername to shared newusername but if Offline Files is enabled, this process could take days or not be completed. Let me say that I’ve implemented Folder Redirection + Offline Files + UE-V for the University I work at and as you said, there are some critical mistakes and misinformation in the documentation I’ve found from MS.

This half-baked MS solution also has some remarkable design flaws in addition to what you mentioned: renaming users or the deprovisioning process creates very time-consuming problems too because it didn’t work as expected. Another BIG issue is that MS provides neither a comprehensive testing procedure nor process diagrams to provision, deprovision and rename users and computers. All these issues caused a deployment delay longer than expected for our team. Now we are trying to minimize the issues on renamed users who log on to machines with OF enabled (typically laptops or desktops).


Hi, Windows Offline files seems to detect a Slow Link transition pretty quickly and changes to Offline mode, but it seems rather slow detecting when the Slow Link transitions back to a Fast Link – is there any way to reduce the Slow/Fast Link Detection checking interval as I can’t find a Registry Key that controls this? I.e., if you pull the network, the machine pretty quickly switches to offline mode, but when you re-insert the network it seems to take 2 minutes to detect the re-connection before it switches to online mode. I would very much like to reduce this 2 minute interval to something more like 15 to 30 seconds – can this be done? Thanks and Regards Gary.
