Lift and Shift with NTFS permissions


I've been tasked with looking into Azure File to gradually move our file server to the cloud. This file server has well over 2 million files and close to 5TB of data. The NTFS permissions are a mess in terms of broken inheritance. I've gone through and set up a File share and had a look at File Sync, and Azcopy appears to be for blob storage only right now.

 

With File sync it doesn't appear to carry over the NTFS permissions from my file server. With the File share I went through the process of setting up Azure Share to use AD but ran into the issue of port 445 being blocked by my ISP. I will have to look into the alternatives, Azure P2S VPN, Azure S2S VPN, or Express Route, to tunnel SMB traffic over a different port.

 

My question is simply: will either option maintain the NTFS permissions from my file server to Azure cloud for when I eventually map that share?

2 Replies

Hi @JWJ ,

 

The azcopy tool (v10.6.0+) now preserves ACLs (https://github.com/Azure/azure-storage-azcopy/releases/tag/v10.6.0) and you can use it for files, not just blobs. Of course, you could use other tools like robocopy.

 

Azure Files Sync preserves ACLs too, check this guide.

 

It is a known problem that some ISPs are blocking TCP port 445. This practice originates from security guidance about legacy and deprecated versions of the SMB protocol. Although SMB 3.0 is an internet-safe protocol (and Azure Files are only using this version), older versions of SMB, especially SMB 1.0, are not.

 

It is correct that building hybrid connectivity between Azure and your network (Express Route or S2S VPN) and enabling Private Endpoints for Azure Files can mitigate this problem.

 

There is also general guidance in Azure Docs on how to preserve ACLs when importing data to Azure file shares.

 

Hope this helps.

@David Pazdera Thanks, it does clarify a few things. I've gone through some of the links you posted before.

 

Azure File Sync does not look like what we need. What we are trying to do is move chunks of data (files and documents) to Azure, set the share permission to read only and maintain the existing NTFS permissions. We would map that data stored and shared from Azure for end users.

 

Based on the articles and what you've said, once I get past the mapping of the file share, I can use Robocopy or azcopy to move my files over and it will maintain the permissions.
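
One way to check the plan discussed in this thread, as an added example that is not part of the original posts: probe TCP 445, copy with robocopy including security descriptors, then compare each item's DACL between source and destination. The storage account name, share, local path and the function name `Compare-MigratedAcl` are placeholders, and the script assumes the share is already reachable over SMB with an identity that is allowed to write ACLs.

```powershell
# Added example. All names below are placeholders, not values from the thread.
$Source      = 'D:\Shares\Finance'                                  # assumed local folder
$StorageHost = 'examplestorageacct.file.core.windows.net'           # placeholder account
$Dest        = "\\$StorageHost\finance"                             # placeholder share

# 1. Confirm SMB (TCP 445) actually reaches Azure Files from this network.
$probe = Test-NetConnection -ComputerName $StorageHost -Port 445 -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    throw "TCP 445 to $StorageHost is blocked; route SMB over VPN/ExpressRoute instead."
}

# 2. Copy data plus NTFS security: D=data A=attributes T=timestamps S=ACLs O=owner.
robocopy $Source $Dest /E /COPY:DATSO /DCOPY:DAT /R:2 /W:1 /MT:16 /NP /NFL /NDL "/LOG:$env:TEMP\migrate.log"
if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit code $LASTEXITCODE)" }

# 3. Verify that every DACL survived, flagging items whose inheritance is broken.
function Compare-MigratedAcl {
    param([string]$SourceRoot, [string]$DestRoot)
    Get-ChildItem -LiteralPath $SourceRoot -Recurse -Force | ForEach-Object {
        $rel = $_.FullName.Substring($SourceRoot.Length).TrimStart('\')
        $dst = Join-Path $DestRoot $rel
        if (-not (Test-Path -LiteralPath $dst)) {
            [pscustomobject]@{ Path = $rel; Issue = 'missing at destination'; SourceProtected = $null }
            return   # inside ForEach-Object this moves on to the next item
        }
        $srcAcl = Get-Acl -LiteralPath $_.FullName
        $dstAcl = Get-Acl -LiteralPath $dst
        # The 'Access' SDDL covers the DACL and its flags (P = inheritance blocked).
        $srcSddl = $srcAcl.GetSecurityDescriptorSddlForm('Access')
        $dstSddl = $dstAcl.GetSecurityDescriptorSddlForm('Access')
        if ($srcSddl -ne $dstSddl) {
            [pscustomobject]@{
                Path            = $rel
                Issue           = 'DACL differs'
                SourceProtected = $srcAcl.AreAccessRulesProtected
            }
        }
    }
}

$drift = @(Compare-MigratedAcl -SourceRoot $Source -DestRoot $Dest)
$drift | Sort-Object SourceProtected -Descending | Format-Table -AutoSize
"{0} item(s) with permission drift" -f $drift.Count
```

On a tree of millions of files, run the comparison per top-level folder or on directories only (`Get-ChildItem -Directory`), since folders with broken inheritance are where drift is most likely to matter.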