Files 4.

Nutanix Files User Guide

November 29, 2021
Contents

Introduction to Nutanix Files...................................................................................5

Files Deployment....................................................................................................................................................... 7
Port Requirements.....................................................................................................................................................7
Prerequisites................................................................................................................................................................. 7
Upgrades...................................................................................................................................................................... 12
Installing (or Upgrading) Files................................................................................................................12

Files Overview.............................................................................................................. 15
File Server View in Prism......................................................................................................................................15
Files Console.............................................................................................................................................................. 18
Dashboard View............................................................................................................................................18
Monitoring View............................................................................................................................................19
Shares View................................................................................................................................................... 25
Data Management View........................................................................................................................... 29
Alerts & Events View.................................................................................................................................29
Tasks View......................................................................................................................................................32
Configuration View..................................................................................................................................... 33
File Analytics.............................................................................................................................................................35

File Server Management......................................................................................... 36

Creating a File Server........................................................................................................................................... 36
Deleting a File Server................................................................................................................................53
File Server Updates................................................................................................................................................54
Updating the Network Configuration................................................................................................. 55
Scaling FSVMs.............................................................................................................................................. 58
Updating Memory and vCPU Resources........................................................................................... 59
Updating File Server Basics................................................................................................................... 60
Logging Onto A File Server VM........................................................................................................................ 61
Changing an FSVM Password.................................................................................................................61
Setting Timezones...................................................................................................................................... 62
Starting a Files Cluster......................................................................................................................................... 62
Stopping a Files Cluster...........................................................................................................................63

Share and Export Management...........................................................................64

Creating a Share (SMB)........................................................................................................................................65
Creating an Export (NFS).....................................................................................................................................71
Creating a Multi-Protocol Share or Export.................................................................................................. 80
Multi-Protocol Support for Files........................................................................................................... 87
Modifying a Share or Export..............................................................................................................................89
Deleting a Share or Export.................................................................................................................... 90
Accessing Home Shares........................................................................................................................................ 91
Accessing User Home Shares (Advanced)....................................................................................... 92
Continuously Available Shares (SMB Only)..................................................................................................92
Enabling Continuous Availability.......................................................................................................... 92
Connected Shares................................................................................................................................................... 93
Connecting a Share....................................................................................................................................93

ii
 Disconnecting Shares................................................................................................................................94
Nested Shares and Exports................................................................................................................................ 94
Durable SMB File Handles...................................................................................................................................96
Managing Limited Local Users (SMB Only)................................................................................................. 96
Configuring Backup for Distributed Shares................................................................................................. 97
Enabling SMB Symlinks........................................................................................................................................ 98
Setting Directory-Level Quotas.........................................................................................................................99

Directory Service and Domain Management................................................100

Joining a Domain.................................................................................................................................................. 100
Leaving a Domain.................................................................................................................................................. 101
Updating Domain Name System (DNS) Entries....................................................................................... 102
Disjoint Domains....................................................................................................................................................106
Configuring Disjoint Domains.............................................................................................................. 106
Updating Directory Services.............................................................................................................................107
Setting AD Machine Account Password Expiry............................................................................ 107
Authentication.........................................................................................................................................................108
Authorization...........................................................................................................................................................108

User Management.....................................................................................................110
User Mapping........................................................................................................................................................... 110
Configuring User Mapping.......................................................................................................................111
Managing Roles........................................................................................................................................................117
Managing REST API Roles...................................................................................................................... 118
Authorizing a REST API User................................................................................................................ 118
Quotas......................................................................................................................................................................... 119
Managing Quotas........................................................................................................................................121

Files Options...............................................................................................................125
Cloning........................................................................................................................................................................125
Cloning a File Server................................................................................................................................125
Encryption................................................................................................................................................................. 127
Files Data Collection.............................................................................................................................................127
Access-Based Enumeration (SMB only)....................................................................................................... 127
File Blocking............................................................................................................................................................ 128
Blocking Files on a File Server............................................................................................................ 128
Antivirus (AV) Scanning (SMB Only)............................................................................................................ 129
Configuring Antivirus Scanning (SMB Only)................................................................................... 131
Antivirus Tab................................................................................................................................................132
Files REST APIs...................................................................................................................................................... 134

Performance Optimization....................................................................................135
Managing Performance Optimization............................................................................................................135
Unblocking Rebalancing......................................................................................................................... 138
Workload Optimization....................................................................................................................................... 138
Modifying the Workload Type..............................................................................................................138
File System Compression................................................................................................................................... 139

Data Management................................................................................................... 140

Data Protection and Recovery........................................................................................................................ 140
Configuring Disaster Recovery............................................................................................................. 141

iii
 Activating Disaster Recovery............................................................................................................... 144
High Availability......................................................................................................................................................147
Smart Tiering........................................................................................................................................................... 147
Self-Service Restore..............................................................................................................................................147
Enabling Self-Service Restore.............................................................................................................. 148
Adding Snapshot Schedules.................................................................................................................149
Retrieving Files (SMB Only)...................................................................................................................151
Retrieving Files (NFS Only)................................................................................................................... 151
Deleting SSR Snapshots.......................................................................................................................... 151
Setting Custom Snapshot Times.........................................................................................................152

Security Hardening.................................................................................................. 153

Troubleshooting.........................................................................................................157
Invalid Mounts After Authentication Change............................................................................................. 157
Client Access Denial (NFS Protocol)............................................................................................................. 157
Clients Cannot Mount Shares........................................................................................................................... 157
Client Side Network Mapping...........................................................................................................................157
Connecting to Authentication Services........................................................................................................158
Constraint Violation.............................................................................................................................................. 158
DNS Missing SRV Records................................................................................................................................. 158
Domain Controller Issues....................................................................................................................................158
Finding IP Addresses........................................................................................................................................... 158
Identifying the Share Owner.............................................................................................................................159
Invalid Credential................................................................................................................................................... 159
NLM Locks................................................................................................................................................................ 159
Network Cannot Expand.................................................................................................................................... 159
NTLM Authentication Issues............................................................................................................................. 160
Share Copying........................................................................................................................................................ 160
Stale Statistics........................................................................................................................................................ 160
Time Difference...................................................................................................................................................... 160
Unsuccessful Authentication.............................................................................................................................. 161

Copyright..................................................................................................................... 162
INTRODUCTION TO NUTANIX FILES
Nutanix Files (Files) is a software-defined, scale-out file storage solution that lets you share files
in a centralized and protected location to eliminate the requirement of a third-party file server.
Files uses a scale-out architecture that provides file services to clients through the Server
Message Block (SMB) and Network File System (NFS) protocols. Files combines one or more
file server VMs (FSVMs) into a logical file server instance sometimes referred to as a Files
cluster. You can create multiple file servers within a single Nutanix cluster.
Files creates a volume group (VG) for every FSVM to provide stable storage for persistent
states and audit events. During a service outage, the states, storage, and events of a VG fail-
over to another FSVM. Files also creates a dedicated container for every file server instance. If
you choose to delete a file server, you can delete the container in Prism the fact.

Tip: Solutions Documentation offers tech notes that include performance best practices,
sizing recommendations, migration guidance, and an in-depth technical overview of Files
architecture.

Files offerings also include File Analytics, for statistics and monitoring of file servers, and the
Files Manager for a unified control plane of all file servers. For more information on these
products, see the File Analytics Guide and the Files Manager Guide.

Figure 1: File Server Components

File Shares and Exports

Shares (SMB) and exports (NFS) encapsulate file directories. There are two types of shares or
exports:
Distributed: A distributed share ("home") or export ("sharded") spreads data across all of the
FSVMs on the file server to improve performance and scalability of client connections.

Files |  Introduction to Nutanix Files | 5

 Figure 2: Distributed Share or Export

Standard: A standard share ("general purpose") or export ("non-sharded" or "non-distributed")

contains all of the data on a single FSVM. A standard share or export serves data and
connections from a single FSVM.

Figure 3: Standard Share or Export

Features
Files includes the following salient features:

• SMBv2, SMBv3, NFSv3 and NFSv4 protocol support.

• Multi-protocol support, see Multi-Protocol Support for Files on page 87.
• AHV and ESXi hypervisor support.
• High Availability for both VMs and data, see High Availability on page 147.
• Load balancing through scale-up and scaleout, see Performance Optimization on page 135.
• Data management including tiering and disaster recovery. See Data Protection and Recovery
on page 140 and the Files Manager Guide for share-level data replication with SmartDR.
You can also use Files storage for the deployment of Kubernetes clusters on Karbon using the
CSI Volume Driver. Refer to Karbon and CSI Volume Driver documentation for details.

Files |  Introduction to Nutanix Files | 6

 For a description of features added with every major Files release, refer to the Nutanix Files
Release Notes.

Networking
Files uses storage and client networks.

• Storage network: The storage network enables communication between the FSVMs and the
Controller VMs.
• Client network: The client network enables communication between the clients and the
FSVMs, allowing clients to access the Files shares. Files also uses the client network to
communicate with the directory services.

Figure 4: Files Networking

Files Deployment
Files deployment overview and requirements.
To deploy Files in a Nutanix cluster, do the following:
1. Satisfy the prerequisites and port requirements, see Prerequisites on page 7 and Port
Requirements on page 7.
2. Install the Files software, see Installing (or Upgrading) Files on page 12.
3. Create a file server instance (Files cluster), see Creating a File Server on page 36.
4. Create one or more file shares (SMB) or exports (NFS), see Share and Export Management
on page 64.

Port Requirements
Files has various firewall requirements depending on the protocols and services being used.
The Port Reference provides detailed port information for Nutanix products and services,
including port sources and destinations, service descriptions, directionality, and protocol
requirements.

Prerequisites
Review this section carefully to ensure you have satisfied the prerequisites before attempting to
deploy Files.

Files |  Introduction to Nutanix Files | 7

Requirements
Do the following before deploying Files.

• Configure and define the storage network.

• Configure and define the client network.
• Have at least one network (two networks recommended).
• Set up a network time protocol (NTP) server.
• If you use Active Directory for user authentication, have credentials of the domain
administrator or a user with delegated permissions.
• If using SMB shares, enable the distributed file system (DFS) for Windows clients (on by
default).
• If you plan to use LDAP for NFS with permissions required for search, have credentials of the
bind distinguished name (DN).
• [ESXi clusters only] register all ESXi host nodes in the AOS cluster to the same vCenter.
• Have an assigned iSCSI Data Services IP configured for the clusters.

Limitations
File servers require the following minimum configurations.

• A minimum of four vCPUs per host.

• A minimum of 12 GiB of memory per host.
• For each file server, the number of CVMs must equal to or be greater than the number of file
server VMs (FSVMs) to ensure availability if there is a node failure.

Note: Refer to Files Release Notes for release-specific details on supported configurations and
software compatibility.

Network Requirements
The storage network requires at least one more IP address than the number of FSVMs. The
client network requires the same number of IP addresses as the number of FSVM nodes.

• Storage network: Number of FSVMs + 1 (available IP addresses)

• Client network: Number of FSVMs
Single-FSVM deployments require one IP address for the storage network and one IP address
for the client network.
If the client and storage networks are separate, they must be on different subnets. If you use
the same network for both client and storage, then IP addresses must be unique. Clients on the
same subnet as the storage network cannot access the shares or exports.

Required Information
Collect the following information before deploying Files.

Files |  Introduction to Nutanix Files | 8

Table 1: Network Time Protocol

NTP Server Used for the time synchronization between the file
server and AD service.

Table 2: Domain Name System

DNS server names Files uses DNS to resolve FSVM names and access
external services.

Table 3: Active Directory (Optional)

Active Directory (AD) Windows AD domain name.

AD admin account Admin with domain administrator or delegated
permissions.

Table 4: LDAP (Optional)

LDAP URI LDAP server name or IP address (with optional port

number).
Base DN Distinguished name of the entry where to start the
search for records.
Bind DN Distinguished name of entry to use to perform search
(optional when anonymous bind is disallowed).
Bind password Password to use for bind DN.

Table 5: iSCSI Data Services

iSCSI data services IP address Files uses iSCSI to connect the storage to the FSVMs.
See the Nutanix Volumes Guide for more information
about iSCSI storage.

Table 6: Managed Networks

Storage network The VLAN that connects the Controller VM to the

FSVM.
Client network The VLAN that connects the FSVM to the AD and
DNS.

Files |  Introduction to Nutanix Files | 9

Table 7: Unmanaged Networks

Storage network gateway
Storage network subnet
Storage network IP address range
Client network gateway
Client network subnet
Client network IP address range
The VLAN that connects the Controller VM to the
FSVM.
The storage network subnet value.
If there is more than one FSVM, the number of IP
addresses is the total number of FSVMs (one FSVM
per node) plus one more address. For example, in a
three-node cluster you will need four IP addresses,
and in a four-node cluster you will need five. Single-
FSVM deployments require only one storage network
IP address.
VLAN connects the FSVM to the AD and DNS.
Subnet of client network.
One IP address for each FSVM in the file server. For
example, a three FSVM file server needs three IP
addresses.

Table 8: Active Directory Parameters

Provide the following parameters to join the domain.

Element Definition Required

Domain Name The fully qualified domain name. Required
Organizational unit Optional
Note: By default, Files creates the
computer account in the Computers
container.
The forward slash (/) is not
allowed in the organizational unit.

The organizational unit (OU) contains the

computer account Files creates. List the
AD users permissions for the machine
account on the OU.
In an organization with complex
hierarchies, create the computer account
in a specified container by using a
forward slash mark to denote hierarchies
(for example, organizational_unit/
inner_organizational_unit).
Password The password for the account used to Required
connect to the AD server. Files uses the
password to authenticate to AD and to
create the Files computer account.

Files |  Introduction to Nutanix Files | 10

Element Definition Required
Preferred domain controller Optional
Note:

• Files does not support read-

only domain controllers
(RODC) for joining domains
because RODC cannot create
machine accounts.
• If the preferred domain
controller is not reachable, the
enabling AD operation fails.

Files discovers a local domain controller

for all communications. If you do not
configure Files to a specific site, then it
uses a domain-level domain controller.
This parameter lets you specify a
preferred domain controller Files uses for
the join domain operation. The preferred
domain controller must be reachable
and allow write access privileges to the
domain controller.
User name The user name that authenticates on Required
the Active Directory on the domain.
A domain user authenticates to the
file server on the domain controller
and creates Files computer accounts,
related SPN entries, and Files DNS
entries (when using Microsoft DNS). If
you are in the same domain, you can
use the user principal name (UPN) or
SamAccountName. If you are outside of
the domain but in the same forest, then
use the UPN.

Note:

• Files only allows the "at"

symbol (@) symbol to specify
the domain. Files does not
allow UPNs with multiple
@ symbols. For example,
"[email protected]"
is valid but
"user@[email protected]"
is not valid.
• Files does not allow the
forward slash (/) and the
backward slash (\) in the UPN.

Files |  Introduction to Nutanix Files | 11

Upgrades
Upgrade Files and the required components using the Life Cycle Manager.
Nutanix recommends performing Files upgrades during non-business hours. Upgrading Files
can cause a brief FSVM downtime and temporary disconnection of connected clients.
Starting with AOS 5.17 and Life Cycle Manager (LCM) 2.3.1.1, perform Files upgrades through
LCM. For earlier versions, see Installing (or Upgrading) Files on page 12.
Upgrading Files requires upgrading to a compatible AOS and File Server Module (FSM) version
in LCM. The FSM manages the Files life-cycle and encompasses the Files GUI components. Files
relies on AOS for some control plane components.

Tip: The Nutanix Files Release Notes provide details on updates in each Files and FSM version.

To check the current version of Files or the FSM, and to upgrade to later versions, perform the
inventory check in LCM. For steps on performing inventory and upgrades in LCM, refer to the
Life Cycle Manager Guide.

Installing (or Upgrading) Files

Install or upgrade the Files software from the Nutanix portal for use.

About this task

Follow the steps as indicated to upgrade Files through Prism. For upgrades with AOS 5.17 or
later and Life Cycle Manager (LCM) 2.3.1.1 and later, perform inventory and upgrades in LCM
(refer to the Life Cycle Manager Guide).

Note:

• [ESXi only] When performing one-click hypervisor upgrades that have Files, disable
the anti-affinity rules on all FSVMs. After the hypervisor successfully upgrades,
enable the anti-affinity rules on the FSVMs.
• ESXi hosts that belong to multiple vSphere clusters or are deployed across multiple
datacenters might experience limitations. See KB 5369 for more information.

Procedure

1. Log into the Prism web console with your credentials.

2. Click the gear icon > Upgrade Software.

3. In the Settings menu, click Upgrade Software.

4. In the Upgrade Software window, select the File Server tab.

Files |  Introduction to Nutanix Files | 12

5. Complete the upgrade process.

» Download the Files version you want to upgrade to (step 6).

» Upload the Files binary from a different source (continue to step 7).

Figure 5: Upgrade Software: File Server tab

6. To download software, click the Download button for the target upgrade version.

a. Once the download is complete, click Continue.

b. In the New File Server: Pre-check dialog box, review the requirements and best practices.
c. Click Continue.
d. In Upgrade Software window, click the Upgrade button.
Existing file servers upgrade to the selected Files version. This upgrade takes a few
minutes. Once the upgrade is complete, a message indicates the number of file servers
successfully upgraded.

Figure 6: File Server: Upgrading

Files |  Introduction to Nutanix Files | 13

7. To upgrade using uploaded software, click the upload the File Server binary link, and
perform the following steps as indicated.

a. File server metadata file: click the Choose File button and select the target Files
metadata file.

Figure 7: Upload Software Binary

b. File server binary file: click the Choose File button and select the target Files binary file.
c. To upload the upgrade files, click the Upload Now button.
Existing file servers upgrade to the selected Files version. This upgrade takes a few
minutes. Once the upgrade is complete, a message indicates the number of file servers
successfully upgraded.

Files |  Introduction to Nutanix Files | 14

FILES OVERVIEW
Manage file servers and shares from the Files Console and the File Server view in Prism Element
(PE).
The Files Server view in Prism Element is the landing page for Files. The File Server view
provides an overview of your file servers on a PE cluster and basic file server management
options.
The Files Console is a GUI for comprehensive management of file servers and shares. To access
the Files Console from File Server view in PE, click Launch Files Console next to the target file
server.

File Server View in Prism

The File Server view in Prism Element provides basic information about each file server in the
cluster.
To get to the File Server view, select File Server from the pull-down list in Prism Element.

File Server View Layout

The File Server view includes the following sections and options:

• Action buttons to create a file server (see Creating a File Server on page 36), to configure
the network (see Updating the Network Configuration on page 55), and to deploy File
Analytics (see File Analytics).
• An entities table displays information about each file server. You can filter the table contents
by entering a string in the search field located above the table.

Note: The Recommendations column is disabled. See Recommendations in the Files Console
dashboard.

• A File Summary pane displays high-level details about file servers on the cluster, and, after
selecting a file server, the File Server Details pane displays summary information for that file
server.
• A gear icon with options to download the table content in the CSV or JSON format.
• A list of operations to perform on the file server that includes the following: Launch Files
Console (see Files Console on page 18, Clone (see Cloning on page 125), Update (see
File Server Updates on page 54), Protect (see Data Management on page 140), and
Delete (see Deleting a File Server on page 53). You can perform some of these operations
through the Files Console.

Note: The values for the parameters do not account for features applied by AOS or space used
at the storage container level.

Files |  Files Overview | 15

 Figure 8: File Server View

Details Pane
Selecting a file server in the table presents detailed information in the File Server Details pane.
The following tables describe the fields.

Table 9: File Server Details Fields

The parameters described in this table represent values from the perspective of the file server.

Parameter Description Values

Name The file server name. (name)

DNS domain name The name of the domain that the file server is (DNS domain name)
registered to. "Not Protected" indicates that
the file server is not currently in a protection
domain.

Files |  Files Overview | 16

Parameter Description Values

Open connections The number of open connections. (integer)

Share/Export Count The total number of shares or exports. (integer)

Space used The total amount of storage space used within xx [GiB|TiB]
the file server currently.

Space used by The amount of space used within the file xx [MiB|GiB|TiB]
snapshots server to store snapshots currently.

Total available space The amount of available (unused) storage xx [MiB|GiB|TiB]

space currently on the file server.

Size The size of the file system of the file server. xx [TiB]

Protection domain The name of the protection domain that (protection domain
includes this file server. Clicking the name name)
displays the Data Protection view for that
protection domain. "Not Protected" indicates
that the file server is not in a protection
domain. See the Data Protection and Recovery
with Prism Element guide for information on
protection domains.

Storage container The name of the storage container of the file (storage container
server. Clicking the name displays the Storage name)
Container view for that storage container.

Protocol The protocols used by the file server. SMB, NFS, or both

SMB directory service The SMB protocol always uses Active Active Directory
Directory as the directory service.

NFS directory service The NFS protocol has multiple options for the Unmanaged, Active
directory service. Directory, or LDAP

Client-side network The name of the network used by clients. (network name)

Storage network The name of the network used for storage. (network name)

Memory Used memory. GiB

CPU Total CPUs. Numerical

Data reduction ratio Data reduced using file-system-level x:x (numerical)

compression, deduplication, and erasure
coding.

Data savings Amount of data saved using file-system- MiB

level compression, deduplication, and erasure
coding.

Alerts Tab
The Alerts tab displays a table of alerts for the selected file server. You can also see alert details
in the Files Console, see Alerts & Events View on page 29.

Files |  Files Overview | 17

 Events Tab
The Events tab displays a table of events for the selected file server. You can also see events
details in the Files Console, see Alerts & Events View on page 29.

Files Console
The Files Console provides administrative tools and dynamically updated information for a
single file server and its shares.
Access the Files Console from the File Server view in Prism Element (PE) or from the Files
Manager (FM) in Prism Central (PC).
The Files Console consists of the following primary tabs:

• The Dashboard tab is the home page in the files console provides an overview of file server
dataDashboard View on page 18.
• The Shares tab provides detailed information on every share on the file server, see Share
Details View on page 27.
• The Data Management tab provides options for configuring disaster recovery, self-service
restore, and Smart Tiering, se Data Management on page 140.
• The Alerts & Events tab provides details of file server events and alerts on the file server with
an option to acknowledge each occurrence, see Alerts & Events View on page 29.
• The Tasks view displays a list of recent tasks and the current status of each task, s Tasks
View on page 32.
• The Configuration tab includes configuration options for the file server and a Platform view
that provides a configuration summary, see Configuration View on page 33.

Dashboard View
This Dashboard view is the landing page in the Files Console.

Dashboard
The Dashboard tab includes the following elements.

• A Capacity Summary pane that visualizes the data usage on the file server.
• A File Server Health pane indicates the health status of the file server.
• A Performance Summary pane that consists of a graph that displays current throughput,
current total IOPS, and current latency data.
• A Data Lens pane indicates whether you have or have not enabled Data Lens on the file
server, see the Nutanix Data Lens User Guide for more details.
• A top Top Shares pane includes a drop-down option to sort top-shares by storage used,
connections, and files.
• A Features pane that lists the features enabled on the file server.
• A Recommendations pane lists recommendations for improving the file server performance.

Files |  Files Overview | 18

 Figure 9: Dashboard View

Monitoring View
The Monitoring tab includes subtabs with granular monitoring details.

Usage Tab
The Usage tab displays these graphs.

• The Storage Used graph displays a rolling time interval monitor of the storage space used
for data and snapshots on the file server. Hovering over the data displays the value for the
time specified on the horizontal axis. To isolate a data set, check or uncheck the Spaced
Used by Dataset and Space Used For Snapshots boxes.
• The Open Connections graph displays a rolling time interval monitor of the number of open
connections on the file server.
• The Number of Files graph displays a rolling time interval monitor of the total number of
files in the file server. Hovering over the data displays the value for the time specified on the
horizontal axis.
• The Top Shares by Current Capacity graph indicates the top shares using the most storage
capacity.
• The Top Shares by Current Connections graph indicates the top shares with the most
current open connections.

Files |  Files Overview | 19

Pull down lists above the graphs let you sort the data. You can select the time interval (last
week, last 24 hours, last 6 hours, or last 3 hours). You can also select to display data for all
shares or for specific shares.

Figure 10: File Server Usage Tab

Performance Tab
The Performance tab includes the following elements.

• The Latency graph displays average latency across a rolling time interval monitor. Hovering
over the data displays the value for the time specified on the horizontal axis. Selecting the
Show I/O and Metadata Breakdown option above the graphs adds Write Latency, Read
Latency, and Metadata Latency data set options.
• The Throughput graph displays average throughput. Hovering over the data displays the
value for the time specified on the horizontal axis. Selecting the Show I/O and Metadata
Breakdown option above the graphs adds Write Throughput and Read Throughput data
options.
• The IOPS graph displays total I/O operations per second. Hovering over the data displays
the value for the time specified on the horizontal axis. Selecting the Show I/O and Metadata
Breakdown option above the graphs adds Write IOPS, Read IOPS, and Metadata IOPS data
options.
• The Top Shares by Current Latencypane displays the shares with the most latency.
• The Top Shares by Current Throughput pane displays the shares with the most throughput.
• The Top Shares by Current IOPS pane displays the shares with the most I/O operations per
second.

Files |  Files Overview | 20

Pull-down lists above the graphs let you sort the data. You can select the time interval (last
week, last 24 hours, last 6 hours, or last 3 hours), and you can select to display data for all
shares or for specific shares.

Figure 11: File Server Performance Tab

Antivirus Tab

Note: This tab is only visible with SMB or multi-protocol shares.

The Antivirus tab displays antivirus scanning information (see Antivirus (AV) Scanning (SMB
Only) on page 129) in a set of subtabs:
The ICAP Servers tab displays a pane that lists the configured ICAP servers and panes with the
following details:

• The All ICAP Servers pull-down list lets you choose to scan data for all ICAP servers or for a
specific server based on its IP address.
• The ICAP Server pane indicates the scanned server.
• The Connection Status pane indicates whether the server connected to Files.
• The Number of Shares pane indicates the number of shares and exports scanned.
• The Average Latency graph displays the average response latency.
• The Files Scanned and Data Processed switches reveal the Files Scanned or the Data
Processed graphs. The Files Scanned graph displays the number of files scanned by the
server. The Data Processed graph displays the amount of data processed by the server.

Files |  Files Overview | 21

 Figure 12: Antivirus Tab: ICAP Servers

The Reports tab provides two tables, one summarizing the latest scan and a second listing
the identified threats. The following table describes the fields. The first table provides a scan
summary, which includes the following fields:

• Scan Period: the antivirus scan period (24, six, or 3 hours).

• Total Files Scanned: the number of files scanned.
• Threats Detected: the number of threats detected. The Events table details each threat.
• Files Cleaned: the number of files cleaned.
• Files Quarantined: the number of files quarantined.

•
The second table provides event details, which include the following columns:

• Share/Export: the name of the share or export in which the affected file resides.
• File Path: the path to the affected file.
• Threat Description: describes the detected threat.
• ICAP server: the IP address of the ICAP server that detected the threat.

Files |  Files Overview | 22

• Time: the time when the threat Files detected the threat.
• Action Taken: the action taken to address the threat (quarantined, unquarantined, reset).

Figure 13: Antivirus Tab: Reports

Quarantined Files and Unquarantined Files tabs include tables that describe each of the
quarantined or unquarantined files and an action pull-down menu.

Table 10: Quarantine Fields

Parameter Description Values

Share/Export name The name of the share or export where the (name)
affected file resides.

File path The path to the affected file. (file path)

Threat description Describes the detected threat. (text string)

ICAP server The name of the ICAP server that detected (server name)
the threat.

Files |  Files Overview | 23

 Parameter Description Values

Scan time The time when the file was quarantined (time)
(unquarantined).

Figure 14: Antivirus Tab: Quarantined Files

File Server VMs

The File Server VMs tab displays the following graphs:

• The Load Average graph displays a rolling time interval monitor of the CPU usage on the file
server as a percentage of total available CPU. Placing the cursor anywhere on the horizontal
axis displays the value then.
• The Memory Usage graph displays a rolling time interval monitor of the memory usage on
the file server in GB. Placing the cursor anywhere on the horizontal axis displays the value
then.
You can select the time interval (last week, last 24 hours, last 6 hours, or last 3 hours). You can
also select to display data for all shares or for specific shares.

Figure 15: File Server Usage Tab

Files |  Files Overview | 24

Shares View
The Shares tab in the Files Console.
The Shares view provides a list of all shares on the file server. Clicking a share name in the share
table goes to the share details views, which includes several more tabs: Summary, Snapshots,
Quota Policies, Antivirus, and Metrics. (Continue to the next sections for more details on the
additional tabs).
The Shares tab includes the following elements.

• The Create a New Share action button.

• A table with information on each share on the file server. By default, the table displays the
General view; use the View By dropdown menu to switch the table to the Metrics view.
The General view consists of information described in the following table.

Table 11: Shares - General

Column Description
Name The name of the share or export. Clicking the
share opens the share Summary in the share
details view.
Share/Export path The file path to the share or export.
Protocol type The primary protocol of the share or export
(NFS or SMB).
Share type The data distribution type of the share.
Standard shares and exports contain all data
on a single FSVM. Distributed shares and
exports load balance data across all FSVMs of
the file server.
Share protection The disaster recovery policy status on the
share. See Data Protection and Recovery on
page 140.
Self-service restore The status of self-service restore for the share
or export (enabled or disabled). See Self-
Service Restore on page 147.
Compression The status of file-system level compression:
the green checkmark icon indicates enabled
compression, and the gray x icon indicates
disabled compression. See File System
Compression on page 139

Files |  Files Overview | 25

 Figure 16: Shares- General

The Metrics view consists of the following columns and details:

Table 12: Shares- Metrics

Column Description
Name Name of the share.
Share/Export path Path to the share or export.
Space used The sum of space used by data, space used
by snapshots (logical), and space used by file
metadata.
Space used by snapshots The space used by self-service restore
snapshots.
Connections The average number of open connections on
the share.
IOPS The average number of input and output
operations per second.
Throughput The average throughput.
Latency The average latency.

Files |  Files Overview | 26

 Figure 17: Shares - Metrics

Share Details View

Clicking the name of a share in the Files Console opens the share details view, which includes
several tabs that detail share properties and operations.
The share details view consists of the Summary, Snapshots, Quota Policies, Antivirus, and
Metrics tabs.

Summary
The Summary tab includes the following elements:

• An Actions dropdown menu includes options to update some of the share configurations.
• A Capacity Summary pane visualizes the share capacity used by snapshot and actual data.
• A Share Properties pane includes details on the configuration of the share (see the "Share
Properties" table for more details).
• A Performance Summary pane consists of a graph that displays current throughput, current
total IOPS, and current latency data.
• A Features pane lists the features enabled on the share.

Table 13: Share Properties

Parameter Description Values

Name The share or export name. (share/export name)

Description The description of the share provided during (description text)

share creation.

Share path The file path to the share or export. (share path)

Mount path The mount path to the share or export. (mount path)

Files |  Files Overview | 27

Parameter Description Values

Primary protocol The primary protocol of the share. [NFS | SMB]

Multi-protocol access Indicates the multi-protocol access status on [enabled | disabled]

the share.

Share type The data distribution type of the share. [standard |

Standard shares and exports contain all data distributed]
on a single FSVM. Distributed shares and
exports load balance data across all FSVMs of
the file server.

Share compression The status of file-system level compression, [enabled | disabled]

see File System Compression on page 139

Blocked file types The status of file blocking, see File Blocking on [enabled | disabled]
page 128.

Message encryption Indicates enabled SMB3 message encryption. [enabled | disabled]

See, Encryption on page 127.

File system Indicates enabled file-system level [enabled | disabled]

compression compression. See File System Compression on
page 139

Snapshots
The Snapshots tab includes a table that displays all snapshots of the share. The table includes
column with the following details:

• The Create Time indicates the time that Files took the snapshot.
• The Snapshot ID indicates the unique identified for the snapshot.
• The Total Space indicates the size of the snapshot.
• The Reclaimable Space indicates the amount of space that you can recover by deleting the
snapshot.

Figure 18: Snapshots

Quota Policies
The Quota Policies tab includes a New Quota Policy button and a table that displays all quota
policies on the share.

Files |  Files Overview | 28

 Antivirus
The Antivirus tab includes the following subtabs: Infected Files, Quarantined Files,
Unquarantined Files.
The Infected Files tab includes a list of infected files.
The Quarantined Files tab includes a list of infected files.
The Unquarantined Files tab includes a list of files that were previously quarantined. An
administrator removed the file from quarantine. An unquarantined file typically indicates a false-
positive.

Metrics
The Metrics tab includes two more tabs: Usage and Performance.
The Usage tab includes the following dynamically updated graphs:

• Storage Usage: Displays the amount of storage used over time.

• Open Connections: Displays the number of open connections over time.
• Number of Files: Displays the number of files on the share over time.
The Performance tab includes an option to Show I/O and Metadata Breakdown and the
following dynamically updated graphs:

• Latency: Displays latency on the share over time.

• Throughput: Displays throughput on the share over time.
• IOPS: Displays the number of input and output operations per second over time.

Data Management View

Manage file server data in the Data Management view.

The Data Management view consists of the following subtabs.

• The Protection tab includes more tabs for Disaster Recovery and Self-Service Restore.

• In the Disaster Recovery tab, configure Smart disaster recovery (DR) or protection-
domain-based DR. See Data Protection and Recovery on page 140.
• In the Self-Service Restore tab, configure snapshot schedules. See Self-Service Restore
on page 147.
• The Smart Tiering tab, includes an option to configure Smart Tiering using Data Lens. See
Smart Tiering on page 147.

Alerts & Events View

The Alerts & Events tab in the Files Console.

The Alerts & Events view consists of the Alerts and the Events tab.

Alerts Tab
The Alerts tab includes the following elements:

• A search bar to filter by alert name.

Files |  Files Overview | 29

• A table displaying a list of recent alerts.

Table 14: File Server Alerts Fields

Parameter Description Values

(selection box) To select the alert, click this box. Clicking n/a
the Acknowledge or Resolve buttons
acknowledges or resolves all the selected
alerts.

Title Description of the alert. (string)

Impact type Displays the impact category. [availability | capacity|

configuration |
performance]

Acknowledged Displays the acknowledgment status. [auto | yes | no |

(unspecified)]

Resolved Displays the resolution status. [auto | yes | no |

(unspecified)]

Source entity Displays the entity name (File Server) to (entity name)
which this alert applies. Clicking the name
displays the details for that file server.

Severity Displays the severity level of this condition. Critical, warning,

There are three levels: informational
Critical
A "critical" alert is one that requires
immediate attention, such as a failed
Controller VM.
Warning
A "warning" alert is one that might need
attention soon, such as an issue that
could lead to a performance problem.
Informational
An "informational" alert highlights a
condition to be aware of, for example,
a reminder that the support tunnel is
enabled.

Create time Displays the date and time when the alert (time and date)
occurred.

Files |  Files Overview | 30

 Figure 19: Alerts

The Events tab displays a table of events across all file servers. The following table describes
the event table fields.

Table 15: File Server Events View Fields

Parameter Description Values

Title Displays the event title and indicates related (message text)
entities.

Entities Displays the type of entity (File Server, [share, file server]
Share) to which the event applies. A comma-
separated list appears if it applies to multiple
entities. Clicking the entity name displays the
details for that file server, share, or export.

Event type Displays the category for the event. [storage, user action]

(create time) Displays the date and time when the event (time and date)
occurred.

Files |  Files Overview | 31

 Figure 20: Events Tab

Tasks View
The Tasks view in the Files Console.
The Tasks view indicates the tasks running on the file server and includes the following
elements:

• A tasks table that lists each administrative operation initiated on the file server.
• A filters menu to filter using pre-configured filters.

Figure 21: Tasks View

The following tables describe the columns in the Tasks table.

Files |  Files Overview | 32

 Table 16: Table

Column Description Values

Task description Describes the operation that (name of operation such as
triggered the task. "create share")
Percent Indicates the current (0%-100%)
completeness of the task as a
percentage.
Status Indicates the status of the [succeeded, running, failed,
task. queued]
Create time Indicates when the task (x) [seconds, minutes, hours,
began. days]
Duration Indicates how long the task (x) [seconds, minutes, hours,
has been running. days]

Configuration View
The Configuration view in the Files Console.

The Configuration view includes the following tabs:

• Authentication
• Blocked file types
• Manage roles
• Update DNS entries
• Antivirus
• Platform
The Platfrom view includes the following elements:

• An Update drop-down menu includes options to update file server basics, scale up/ scale
down, and update the DNS and NTP servers.
• The Configuration Summary provides details about the configuration of the file server.
• The Files Cluster diagram provides a visual diagram of the file server configuration.

Files |  Files Overview | 33

 Figure 22: Platform View

Table 17: Configuration Summary

Parameter Description
Name The name of the file server.
Version The Files version.
File Server VMs Number of file server VMs on the file server.
Memory Maximum configured memory.
CPU Maximum configured CPU.
Protocol The primary protocol and, when applicable,
the secondary protocol (see Multi-Protocol
Support for Files on page 87).
SMB directory service The configured directory service for SMB
shares.
NFS directory service The configured directory service for NFS
shares.
DNS domain name The name of the domain name system (DNS)
for the file server.
Protection domain The name of the protection domain.
Storage container The name of the storage container.

Files |  Files Overview | 34

 Parameter Description
Client network The name of the client network.
Storage network The name of the storage network.
Internal IPs The internal IP addresses of the file server.
External IPs The external IP addresses of the file server.
Virtual IPs The virtual IP addresses of the file server.
Total capacity The maximum capacity for the file server.
Data savings The amount of data saved on the file server.

File Analytics
File Analytics provides data and statistics on the operations and contents of a file server.
Once deployed, Files adds a File Analytics VM (FAVM) to the Files cluster. A single FAVM
supports all file servers in the cluster, but you must enable Analytics separately for each file
server. Files protects the data on the FAVM and keeps it in a separate volume group.
For deployment steps and administrative guidance, refer to the File Analytics Guide.

Files |  Files Overview | 35

FILE SERVER MANAGEMENT
Create a file server and manage its configuration.
Creating and managing a file server requires administrator privileges. You can perform most
file server management tasks in the File Server view in Prism Element and through the Files
Console. You can start, stop, and manage file server VMs (FSVMs) through the VM tab in Prism
Element, see "VM Management" in the Prism Web Console Guide for more details.
A file server usually consists of three or more FSVMs combined into a logical group. You cannot
reduce file servers of three FSVMs, and you cannot expand single-FSVM file servers.
Single-FSVM deployments have the following limitations:

• No High Availability (HA) support. Single-FSVM deployments do not include other FSVMs
that an out-of-service FSVM can fall back on, see High Availability on page 147.
• No distributed share support. Since distributed shares and exports spread data across
multiple FSVMs, single-FSVM deployments only support standard shares.

Important: When the file server capacity or the container capacity reaches 100 percent, all
shares or exports within the file server become read-only and Files blocks write privileges. Prism
displays alerts when the file server capacity or the container capacity reaches 90 percent and
when either reaches 100 percent capacity.

Creating a File Server

Follow the procedure to create a file server with one or multiple file server VMs (FSVMs).

About this task

Note: Provide two static IP addresses for each new FSVM, one for the client-side network and
one for the storage network.

Procedure

1. Go to the File Server view in Prism Element (PE) (see File Server View in Prism on page 15)
and click the + File Server button.

Figure 23: + File Server button

2. If a New File Server: Pre-Check window appears, review the displayed information and
address any unsatisfied prerequisites before continuing.
Files checks your current environment and either verifies it satisfies the prerequisites or
identifies where it does not meet the requirements (see Prerequisites on page 7). A blue
check mark indicates a satisfied prerequisite. Any unchecked items need attention. The

Files |  File Server Management | 36

checks are for the Files software version, available data services IP addresses, available
networks, and (in the ESXi case) whether vCenter registered the cluster.

Note: To use the high-availability (HA) and DRS features, add all ESXi hosts under the same
ESXi cluster and place one FSVM per ESXi host.

Figure 24: New File Server: Pre-Check Window

Files |  File Server Management | 37

3. The Create File Server window appears and displays the Basics tab. Do the following in the
indicated fields:

Figure 25: Create File Server: Basics Tab

a. Name: Enter a name for the file server.

Clients use the file server name to access the file server. The fully qualified name (file
server name + domain) must be unique.
b. DNS Domain: Enter a fully qualified domain.
c. File Server Storage: Enter the file server total storage size (minimum 1 TiB).
d. Capacity Configuration: Files automatically recommends the number of file server VMs,
vCPUs per VM, and memory per VM. Review the performance values (connections and
throughput) and then do one of the following:

Files |  File Server Management | 38

 Note: For single-FSVM deployments, the number of suggested FSVMs is always one.

• If you are satisfied with the recommended configuration, click Next button.
• To change the configuration, click Customize. The File Server Capacity Configuration
window displays. To change the configuration based on performance requirements,
enter the target number of connections and throughput amount (in MBps) in the SMB
Concurrent Connections and NFS Throughput in MBps fields and then click Save.

Figure 26: File Server Capacity Configuration window

• To manually specify the FSVM parameters, clickCustomize > Configure manually. The
File Server Capacity Configuration window displays. Enter the number and capacity of
the FSVMs in the Number of File Server VMs, VCPUs Per VM, and Memory Per VM (in
GIB) fields, and then click Save.

Figure 27: File Server Capacity Configuration window

4. In the Client Network tab, do the following in the indicated fields:

Note: If clients or the AD domain controllers are in the same subnet as the controller VM
(CVM) or the storage network, configure the same client-side and storage-side networks.
Otherwise, use separate client and storage networks. If you use the same network for both

Files |  File Server Management | 39

 clients and storage, use unique IP addresses; otherwise clients on the same subnet as the
storage network cannot access the shares.

a. VLAN (AHV) or Port Group (ESXi): Select the target VLAN or port group from the drop-
down list.
After selecting the target, configured network parameters display if the target is a
managed network.

Figure 28: Client Network Details (managed VLAN)

b. For unmanaged networks, the following fields appear:

• Subnet Mask: Enter the subnet mask value.

• Gateway: Enter the IPv4 gateway IP address.
• # IP addresses required: Click the + IP Addresses button to display a row for entering
IP addresses. Enter the starting IP address in the From field, the ending IP address in

Files |  File Server Management | 40

 the To field, and click Save. (Usually, Files requires three IP addresses. Files requires
one IP address for single-FSVM deployments.)
• Add IPv6: Check this box to enable the IPv6 protocol.
• Prefix Length: Enter an integer for the prefix length (the default IPv6 prefix is 64).
• Gateway: Enter the alpha-numeric, colon-separated IPv6 gateway address.
• Click the + IP Addresses button to display a row for entering IP addresses. Enter the
starting IP address in the From, and enter the total number of IP addresses in the No.
of IPs field (usually Files requires three IP addresses). Click Save.

Files |  File Server Management | 41

 Figure 29: Client Network Details (unmanaged VLAN)
c. DNS Resolver IP: Enter IP addresses for one or more DNS servers (IPv4 only). Use a
comma-separated list for multiple entries.

Files |  File Server Management | 42

 Note: The DNS Resolver IP and the NTP servers fields can pre-populate based on the
target VLAN or port group.

d. NTP Servers: Enter the server names or IP addresses for the NTP servers. Use a comma-
separated list for multiple entries.
e. When all the entries are correct, click Next.

Files |  File Server Management | 43

5. In the Storage Network tab, do the following in the indicated fields:

Figure 30: Create File Server: Storage Network Tab

a. VLAN (AHV) or Port Group (ESXi): Use the pull-down list to select the desired VLAN or
port group for the storage network.
Once you select the target, if the target is a managed network, Files displays configured
network parameters.

Figure 31: Storage Network Details (managed VLAN selected)

b. For unmanaged networks, the same fields appear as for the client network (Subnet Mask,
Gateway, and # IP addresses required). Enter the appropriate values for the storage
network. In this case, Files normally requires four IP addresses.

Files |  File Server Management | 44

 c. When all the entries are correct, click Next.

6. In the Directory Services tab, select one or more protocols to use (check the Use SMB
Protocol box, Use NFS Protocol box, or both boxes).

Note: You can skip this step and select the protocols later, but you cannot use the file server
until this step is complete.

Note: Files supports using LDAP for AD.

Figure 32: Create File Server: Directory Services Tab

Files |  File Server Management | 45

7. If you selected the SMB protocol, do the following in the indicated fields:

Figure 33: SMB Fields

a. Active Directory Realm Name: Enter the Active Directory realm name for join domain
operations.
b. Username: Enter an AD username in the domain|username format or in the UPN format
username@ADrealm. You must have an administrator account or the following required
permissions for the relevant AD organizational unit (OU) realm:

• Create computer objects

• Read/Write service principal names

Note:

• Do not remove the file-server computer object in AD, as that can cause file-
server services to be disrupted.
• If the DNS domain name of the file server is different from the AD domain
name, the following permission is also required:

• Read/Write DNS host name

c. Password: Enter the password for the username.

Files |  File Server Management | 46

d. Make this user a File Server admin: Check this box if you want to make this user an
administrator for the file server.
e. Show Advanced Options (optional): Check this box to display three more fields to enter
your preferred domain controller and organizational unit name for identification purposes.
f. [advanced option] Preferred Domain Controller: Specify a domain controller for join-
domain operations in a multi-DC Active Directory configuration. Files discovers and uses a
site local domain controller by default.
g. [advanced option] Organizational Unit: Enter your preferred organizational unit name.
Files creates the machine account in the "Computers" OU container by default. If there is a
Sub-OU field, use the following format: parentcompanyOU/sub-ou1/sub-ou2/sub-oux.

Note: The default machine account password expiry period is 0, meaning the password
does not expire. To update the machine account password expiry period, see Setting AD
Machine Account Password Expiry on page 107.

h. [advanced option] Overwrite Existing Files Machine Account (if present): Check this box
to overwrite an existing machine account during the join-domain operation if one exists
with the same name as the file server.
i. [advanced option] Add Files Server DNS Entries Using the Same Username And
Password: Check this box to use AD credentials for adding DNS entries.
Ensure that the AD user account has DNS admin rights (when using Microsoft DNS).

Files |  File Server Management | 47

8. If you selected the NFS protocol, select the authentication method to use from the pull-
down list in the User Management and Authentication field and then do the following:

Figure 34: NFS Fields (Unmanaged + advanced options)

a. User Management and Authentication: Unmanaged: If you select unmanaged as the

authentication method, there is nothing else to specify here.
b. User Management and Authentication: LDAP: If you select LDAP as the authentication
method, there are several more fields:

Files |  File Server Management | 48

 Figure 35: NFS Fields (LDAP)

• LDAP details: This section displays available LDAP (and LDAPS) servers. If there is
no data or the target server is not listed, click the + New LDAP Server button. A line
appears in the table. Enter the URI address for the server in the Server URI column

Files |  File Server Management | 49

 and then click Save in the Action column for that row. Repeat for any additional LDAP
servers. For LDAPS servers, use the LDAPS format ldaps://ldap-servername.company.com:port.
• Base DN: Enter the base distinguished name (search starting point).
• Bind DN (optional): Enter the distinguished name at which to bind to the server.
• Bind password: Enter the bind password.
If you configured LDAP or LDAPS settings, you may skip the next step.
c. User Management and Authentication: Active Directory: If you select Active Directory as
the authentication method, there are several extra fields:

Note: When NFS uses AD, you do not need to configure user mapping for multi-protocol
access.

Figure 36: NFS Fields (Active Directory)

• Enable Identity Management for Unix (RFC 2307): Check this box if you have RFC
2307 configured for Active Directory.
• Active Directory Realm Name: Displays the Active Directory realm name (read-only).

Note: If you previously configured SMB, the following fields do not appear because
they are already configured for the SMB protocol.

• Username: Enter an AD username in the domain|username format or in the UPN format

username@ADrealm. You must have an administrator account or the following required
permissions for the relevant AD organizational unit (OU) realm:

• Create computer objects

Files |  File Server Management | 50

 • Read/Write service principal names

Note: If the DNS domain name of the file server is different from the AD domain name,
the following permission is also required:

• Read/Write DNS host name

• Password: Enter the password for the user.

• Show Active Directory Advanced Options (optional): Check this box to display the
following three more fields.
• Preferred Domain Controller: Specify a specific domain controller for join-domain
operations in a multi-DC Active Directory configuration. Files discovers and uses a site
local domain controller by default.
• Organizational Unit: Enter your preferred organizational unit name. Files creates the
machine account in the "Computers" OU container by default.

Note: The default machine account password expiry period is 0, meaning the password
does not expire. To update the machine account password expiry period, see Setting
AD Machine Account Password Expiry on page 107.

• Overwrite Existing Files Machine Account (if present): Check this box to overwrite an
existing machine account during the join-domain operation if one exists with the same
name as the file server.
d. Show NFS Advanced Options (optional): By default Files supports both NFSv3 and
NFSv4 protocols for exports. Check this box to modify the default NFS protocol version
for all exports on the file server.

• Enable NFSv3 by default for all exports: Un-check to disable NFSv3 by default for all
exports.
• Enable NFSv4 by default for all exports: Un-check to disable NFSv4 by default for all
exports.
• In the NFSV4 Domain field, enter the NFSv4 domain name. Files uses the DNS domain
name to map NFSv4 names to UIDs and GIDs; clients and servers must agree on the
mapping.
e. When all the fields in the Directory Services tab are correct, click Next.

Files |  File Server Management | 51

9. In the Summary tab, review the displayed information.

Figure 37: Create File Server: Summary Tab

a. Review and verify the file server information you entered.

b. The default protection domain name is NTNX-file_server_name, but you can change that name
by entering a new name in the Protection Domain Name field.
c. When all the information is correct, click Create.
Creating the file server begins. You can monitor progress through the Tasks page. (Either
select Tasks from the main menu or click the tasks icon and then the View All Tasks link.)

Figure 38: Task Dashboard

What to do next

• If you choose to add DNS entries, see Updating Domain Name System (DNS) Entries on
page 102.

Files |  File Server Management | 52

 • On deployments using the ESXi hypervisor, disable VM monitoring. See the VMware vSphere
documentation for procedures describing how to enable or disable VM monitoring.

Deleting a File Server

Delete a file server in Prism.

About this task

Do not delete FSVMs or power off a file server prior to deleting in. If you delete FSVMs, you will
need to force delete the file server.
To delete a file server, do the following:

CAUTION: Deleting a file server is permanent, and none of the deleted files can be recovered.

Procedure

1. Go to the File Server view (see File Server View in Prism on page 15), select the target file
server, and click the Delete action button.

2. In the dialog box, choose one of the following options:

» Retain all the related entities.

» Delete specific related entities.
Deleting a file server deletes all the underlying user data related to that file server. However,
depending on your AOS version, you may not see the option to delete the storage container
and protection domain created for that file server. You can delete that storage container and
protection domain manually.

Files |  File Server Management | 53

 3. Click the Delete button.

Figure 39: Delete Window

a. If you decide to delete specific related entities, choose which entities to delete from the
following options (otherwise continue to the next step):

• Snapshots, schedules, and protection domain

• Container

4. (Optional) delete file server DNS entries. Click Open DNS settings, see Updating Domain
Name System (DNS) Entries on page 102.

5. Click Delete.

File Server Updates

Update or expand the configuration of an existing file server.
You can modify an existing file server in the following areas:

• Update the name, domain, or storage capacity, see Updating File Server Basics on
page 60.
• Update the number of file server VMs (FSVMs), see Scaling FSVMs on page 58.

Note: You cannot update the number of FSVMs on single-FSVM deployments.

Note: Number of CVMs must be equal to or greater than the number of FSVMs.

• Update the vCPU count and memory size for each FSVM, see Updating Memory and vCPU
Resources on page 59.

Files |  File Server Management | 54

 • Update the network configuration (client network, storage network, domain name server
(DNS), NTP server).

• Go to the file server dashboard (see File Server View in Prism on page 15), select the
target file server, and click Network Config. Follow the steps as indicated in File Server
Updates on page 54.
• Update blocked file types, see Blocking Files on a File Server on page 128.

Updating the Network Configuration

Change the client or storage network IP address configuration of a file server (also referred to
as "re-IP").

Before you begin

Stop a file server before updating the network to reduce traffic during the update process, see
Stopping a Files Cluster on page 63.

About this task

To configure a virtual network for guest VMs, see "Configuring a Virtual Network for Guest VM
Interfaces" in the Prism Web Console Guide. To modify network connections, see "Modifying
Network Connections" in the Prism Web Console Guide.
To update the client or storage network configuration, follow the steps as indicated.

Note: Updating the network configuration requires a temporary downtime. Nutanix recommends
performing network updates during off-peak hours.

Procedure

1. In the file server view, select the target file server.

2. In the options bar go to Update > Network Configuration.

Files |  File Server Management | 55

3. Do the following in the Update File Server Network window.

Note: You can change the client network, storage network, DNS, and NTP IP addresses for a
file server VM. This lets you move a file server from one data center to another. If you intend
on changing the domain, you must un-join the domain first.

a. In the Client Network tab, verify or update the client network details (VLAN, IPv6
(optional), DNS, and NTP entries) as needed and click Next.
See Creating a File Server on page 36 for more information about these fields.

Note: If you change the client network configuration, click the file server DNS entries
link and delete the existing DNS entries (see Updating Domain Name System (DNS)
Entries on page 102).

Files |  File Server Management | 56

Files |  File Server Management | 57
 b. In the Storage Network tab, verify or update as needed the storage network details and
then click the Save button.
See Creating a File Server on page 36 for more information about these fields.

Figure 41: Update File Server Network: Storage Network tab

Note: If the network update operation is unsuccessful, use the original IP address details and
try the update operation again.

Scaling FSVMs
Add or remove file server VMs (FSVMs) on your file server.

About this task

File Server Management on page 36 describes restrictions for increasing and reducing the
number of FSVMs. Do the following to change the number of FSVMs.
The following limitations apply to changing the number of FSVMS:

• You cannot reduce file servers of three FSVMs.

• You cannot expand single-FSVM deployments.

Files |  File Server Management | 58

 • Single or dual-node AOS clusters only support single-FSVM deployments.

Procedure

1. In the Files Console, go to Configuration > Platform.

2. Click Update > Scale Out / Scale In.

The Scale Out or Scale In window appears.

3. Under New Capacity, enter an integer for the new number of FSVMs.

4. Review the settings in the Client Network and Storage Network sections.

Note: For information on configuring network settings, see the client network and storage
network sections in Creating a File Server on page 36.

5. Click Update.

Updating Memory and vCPU Resources

Change the vCPUs and memory resources per FSVM.

About this task

Follow the steps as indicated to update the memory and vCPU capacity.

Note: Reducing the configuration of a filer server causes system downtime.

Procedure

1. In the Files Console, go to Configuration > Platform.

2. Click Update > Scale Up / Scale Down.

The Scale Out or Scale In window appears.

Files |  File Server Management | 59

 3. Do the following in the Updated Configuration section.

a. In the vCPUs field, select the target (total) number of vCPUs for each FSVM in the cluster.

Figure 42: Scale Up/ Scale Down File Server

b. In the Memory dropdown, select the target (total) number of memory (GiB) for each
FSVM in the cluster.
c. Click Update.

Updating File Server Basics

Update the name, the domain, and the size of a file server.

About this task

Context for the current task

Procedure

1. In the Files Console, go to Configuration > Platform.

2. Click Update > File Server Basics.

The File Server Basics window appears.

3. Do the following in the indicated fields:

Tip: Before changing the file server or domain name, click the Leave Domain link to leave the
current domain (see Leaving a Domain on page 101). Changing a file server name does
not remove existing DNS entries, which you must remove manually.

a. To change or update the file server name, enter the new name in the File Server Name
field.
b. To change the DNS domain name, enter the new name in the Domain field.

Tip: After changing the file server or domain names, delete any old DNS entries from the
DNS servers, add the new DNS entries (see Updating Domain Name System (DNS)

Files |  File Server Management | 60

 Entries on page 102), and update the Directory Services configuration as needed (see
Updating Directory Services on page 107).

c. To change the size of the file server, enter a value in the File Server Size (Logical) field.

Note: You cannot reduce the size of the file server. This operation does not impact current
client connections.

4. When the entries are correct, click the Update button.

Logging Onto A File Server VM

The following procedures describes how to SSH onto a file server VM (FSVM).

About this task

Procedure

1. Retrieve the IP address for the FSVM.

a. SSH onto the CVM.

b. Enter the CVM password.
c. List the FSVM IPs.
nutanix@cvm$ ncli fs ls

FSVM IPs appear in the following format Nvm IP Addresses: internal IP,external IP.

2. SSH onto the FSVM using the internal IP.

nutanix@cvm$ ssh internal_ip_address

Changing an FSVM Password

Steps for updating the password of a file server VM (FSVM).

About this task

Follow the steps as indicated.

Procedure

1. Log on to a file server VM with SSH.

2. Change the nutanix password.

nutanix@fsvm$ sudo passwd nutanix

3. Respond to the prompts, providing the current and new nutanix user password.
Changing password for user nutanix.
Old Password:
New password:
Retype new password:

Files |  File Server Management | 61

 passwd: all authentication tokens updated successfully.

The password must meet the following complexity requirements:

• At least 8 characters long

• At least 1 lowercase letter
• At least 1 uppercase letter
• At least 1 number
• At least 1 special character
• At least 4 characters difference from the old password
• Should not be among the last 10 passwords
The operation updates the password of every FSVM on the file server.

Setting Timezones

About this task

Set the time to your timezone for all the FSVMs.
This time zone persists across all FSVMs when Files upgrades.

Procedure

1. SSH into any FSVM in your cluster.

2. Get the timezone for your region. The command returns your timezone into a region and city
format.
nutanix@fsvm$ afs fs.get_timezone

Note: To list all available timezones, see the contents of the zoneinfo file for the desired region
using the ls /usr/share/zoneinfo/regioncommand.

3. Set the timezone according to the output.

nutanix@fsvm$ afs fs.set_timezone "region_name/city_name"

Replace region_name and city_name with the region and city name specified in the timezone
output. For example, afs fs.set_timezone Asia/Kolkata.

Starting a Files Cluster

Start a Files cluster on a CVM using the commands listed in this topic.

About this task

A deployed filer server creates multiple file server VMs (FSVMs) on the cluster. A Files cluster is
a set of FSVMs. To start a Files cluster, do the following:

Procedure

1. Using SSH, log on to a Controller VM of the Nutanix cluster that deployed Files.

2. Get a list of file servers.

nutanix@cvm$ afs info.fileservers

Files |  File Server Management | 62

 3. Choose to start a single file server or all file servers.

» Start a single file server.

nutanix@cvm$ afs infra.start fs_names

Replace fs_names with the name of a single file server or with a comma-separated list of
multiple file servers.
» Start all file servers.
nutanix@cvm$ afs infra.start *

Note: For steps on stopping and starting a Nutanix cluster, see "Node Management" in the
administrative guide for the target hypervisor.

Stopping a Files Cluster

Stop a Files cluster using the listed commands.

About this task

Before you stop a Nutanix cluster that is running Files, first stop the Files cluster (set of file
server VMs running on the nodes). To stop a Files cluster, do the following:

Procedure

1. Using SSH, log on to a Controller VM of the Nutanix cluster that is running Files.

2. List file server names.

nutanix@cvm$ ncli file-server list

3. Stop a single file server.

nutanix@cvm$ afs infra.stop fs_name

Replace fs_name with the name of the file server.

Files |  File Server Management | 63

SHARE AND EXPORT MANAGEMENT
Shares and exports have a variety of configurations. Review this section before creating a share
or export.
You can create file shares (SMB), exports (NFS), or multi-protocol shares for a file server.
You have the option of creating distributed or standard shares and exports. A distributed share
or export is the repository for the personal files of a user, and a standard share is the repository
shared by a group. A distributed share or export distributes data across all file server VM
(FSVM) in a cluster, while standard shares store all data on a single FSVM. You can store files in
the root directory of a distributed NFS share but not in the root directory of a distributed SMB
share.
To create a share or export, see one of the following.

• Creating a Share (SMB) on page 65

• Creating an Export (NFS) on page 71
• Creating a Multi-Protocol Share or Export on page 80

Limitations
The following limitations apply to shares and exports.

• Distributed shares are only available on deployments of three or more FSVMs.

• Do not use Windows Explorer to create new top-level directories, as you then cannot
rename any folders created with the default New Folder name (see Troubleshooting on
page 157).
• Windows clients do not support using UTF8 encoding for naming files and directories on
NFSv3 exports.
• You cannot access top-level directories (TLDs) or shares through the FSVM short name.
• You cannot modify TLDs from Mac clients.
• Refer to "System Limits" in the Nutanix Files Release Notes for a list of additional limitations.
• Nutanix does not support mounting NFS shares on ESXi hypervisors.

Permissions
The following default permissions apply on distributed and standard shares.

• Distributed shares/exports:

• Domain administrator: Full access

• Creator owner: Full access (inherited only)
• Domain user: Read only
• Standard shares/exports:

• Domain administrator: Full access

• Domain user: Full access
• Creator owner: Full access (inherited only)

Files |  Share and Export Management | 64

Creating a Share (SMB)
About this task
Create an SMB share.

Note: Files does not support mounting SMB shares on Linux clients. Use multi-protocol shares
instead, see Creating a Multi-Protocol Share or Export on page 80.

Procedure

1. Go to the Shares view in the Files Console and click Create a New Share.

Figure 43:

Files |  Share and Export Management | 65

2. The Create a Share window appears and displays the Basics tab. Do the following in the
indicated fields:

a. Name: Enter a name for the share.

Note the following naming conventions:

• Files does not allow the following names:

• Global
• Printers
• admin$ (reserved)
• ipc$ (reserved)
• homes (reserved)
• Names are not case-sensitive.
• Each name must be unique.
• Files allows unicode characters.
• Maximum name length is 80 characters.
• A blank space or space character cannot appear as the first or last character in the
name.
• Names that end with the $ are hidden shares.
b. Description (optional): Enter a description for the share.
c. Share path (optional): You can create nested shares by specifying the path. Nested shares
inherit some properties from the parent directory. See Nested Shares and Exports on
page 94 for details.
d. Max Size (optional): Enter the maximum share size in GiB, see "System Limits" in the
release notes for details.
Leaving the field blank means there is no upper limit to the size of the share. Enter a value
here if you want to set an upper size limit. Once the limit is set, it cannot be increased.
Setting a value changes the capacity from the client view.
e. Primary Protocol Access: Select the SMB (Ideal for Windows Clients) option.
f. Enable multi-protocol access for NFS clients: Check the box to enable the multi-protocol
feature. Follow the steps in Creating a Multi-Protocol Share or Export on page 80 to
configure multi-protocol settings. Otherwise, continue to the next step.

Note: For information on the multi-protocol feature, see Multi-Protocol Support for
Files on page 87.

g. Click Next.

Files |  Share and Export Management | 66

Figure 44: Create a Share: Basics tab

Files |  Share and Export Management | 67

3. In the Settings tab, do the following in the indicated fields:

a. Check the Use "Distributed" share type instead of "Standard" to create a distributed
share:

Note: Shares on single-FSVM deployments are standard by default.

• A Distributed share, also known as a home share, load-balances user data across
multiple FSVMs by distributing top-level directories.
• A Standard share, also known as a general-purpose share, serves data and connections
from a single FSVM.
A distributed share is frequently used as the repository for the personal files of a user,
while a standard share is frequently the repository shared by a group.

Tip: When using a distributed share for user profiles, facilitate better load distribution by
creating a top-level directory (TLD) for each user.

b. Enable Self Service Restore: Check this box to enable snapshots of the share contents,
see Self-Service Restore on page 147.
c. Enable File System Compression: Check this box to save space and reduce data on
the share through in-line compression of written data, see File System Compression on
page 139.

Note: Enabling compression at the container level makes the Enable File System
Compression option unavailable. The option does not appear on clusters upgraded from
earlier versions that do not support file system compression.

d. Blocked File Types: Check this box to block files with specific character patterns in their
names, see File Blocking for more information.
A field appears for blocked file types. Enter a comma-separated list of character patterns
of directories and file names blocked from the share.
e. Enable Access Based Enumeration (ABE): Check this box to restrict user access when
browsing the contents of top-level directories to only those files and folders that they
have access permissions for, see Access-Based Enumeration (SMB only) on page 127.
f. Encrypt SMB3 Messages: Check this box to enable message encryption between the file
server and client. See Encryption on page 127.
g. Click Next.

Files |  Share and Export Management | 68

Figure 45: Create a Share: Settings tab

Files |  Share and Export Management | 69

4. In the Summary tab, review the configuration of the share in the indicated sections:
The Basics section includes the following details:

• Share Name: The name of the new share.

• Share Path: The file path to the new share.
• Primary Protocol: SMB protocol.
• Multi-Protocol Access: Disabled
• Share or Export Type: Distributed or standard share.
• Self Service Restore: Enabled or disabled.
• Share Compression: Enabled or disabled.
• Blocked Files Types: Enabled or disabled. When enabled, the number of blocked file types
appears. Clicking the number displays the file type.
The Protocol Access section includes the following details:

• Authentication: Authentication type (Kerberos, AD, etc).

• Client Access: Read-write.

Note: For SMB shares, SMB client access is always read-write. Access-control lists (ACLs)
specify user and group access permissions.

• ABE: (Access-based enumeration) enabled, disabled, or n/a.

• Message Encryption: Enabled or disabled.

Files |  Share and Export Management | 70

 Figure 46: Create a Share: Summary tab

5. When all the information is correct, click the Create button.

What to do next
Map the newly created share in your name-space.

Creating an Export (NFS)

Administrators can create exports using the file server dashboard.

About this task

Follow the steps as indicated to create an export (NFS share).

Note: Files does not support mounting NFSv4 exports on Windows clients. Use NFSv3 exports
or multi-protocol shares.

Files |  Share and Export Management | 71

Procedure

1. Go to the Shares view in the Files Console and click the Create a New Share.

Figure 47: + File Server button

Files |  Share and Export Management | 72

2. The Create a Share window appears and displays the Basics tab. Do the following in the
indicated fields:

a. Name: Enter a name for the share.

Note the following naming conventions:

• Files does not allow the following names:

• Global
• Printers
• admin$ (reserved)
• ipc$ (reserved)
• homes (reserved)
• Names are not case-sensitive.
• Each name must be unique.
• Files allows unicode characters.
• Maximum name length is 80 characters.
• A blank space or space character cannot appear as the first or last character in the
name.
• Names that end with the $ are hidden shares.
b. Description (optional): Enter a description for the share.
c. Share path (optional): You can create standard nested shares by specifying the path.
Nested shares inherit some properties from the parent directory. See Nested Shares and
Exports on page 94 for details.
d. Max Size (optional): Enter the maximum share size in GiB, see "System Limits" in the
release notes for details.
Leaving the field blank means there is no upper limit to the size of the share. Enter a value
here if you want to set an upper size limit. Once the limit is set, it cannot be increased.
Setting a value changes the capacity from the client view.
e. Primary Protocol Access: Select the NFS option.
f. Enable multi-protocol access for SMB clients: Check the box to enable the multi-protocol
feature. Follow the steps in Creating a Multi-Protocol Share or Export on page 80 to
configure multi-protocol settings. Otherwise, continue to the next step.

Note: For information on the multi-protocol feature, see Multi-Protocol Support for
Files on page 87.

g. Click Next.

Files |  Share and Export Management | 73

Figure 48: Create a Share: Basics tab

Files |  Share and Export Management | 74

3. In the Settings tab, do the following in the indicated fields:

Figure 49: NFS Export Settings Tab

a. Check the Use "Distributed" share type instead of "Standard" to create a distributed
export:

Note: Exports on single-FSVM deployments are standard by default.

• A Distributed share, also known as a home share, load-balances user data across
multiple FSVMs by distributing top-level directories.
• A Standard export, also known as a general purpose or non-distributed export, serves
data and connections from a single FSVM

Files |  Share and Export Management | 75

 A distributed export is frequently used as the repository for the personal files of a user,
while a standard export is frequently the repository shared by a group.

Tip: When using a distributed export for user profiles, facilitate better load distribution by
creating a top-level directory (TLD) for each user.

b. Enable Self-Service Restore: Self-service restore lets you restore files from previous
snapshots, see Self-Service Restore on page 147.
c. Enable Compression: Check this box to save space and reduce data on the share through
compression, see File System Compression on page 139.

Note: Enabling compression at the container level makes the Enable File System
Compression option unavailable. The option does not appear on clusters upgraded from
earlier versions that do not support file system compression.

d. Blocked File Types: Check this box to block files with specific character patterns in their
names, see File Blocking for more information. After checking the box, a field appears for
blocked file name patterns. Enter a comma-separated list of character patterns blocked
from the export.

Note: Blocking extensions at share level overrides the blocked extensions defined at file
server level.

e. Authentication: Select the authentication method from the pull-down list.

Note: Files does not support Kerberos 5, Kerberos 5i, and Kerberos 5p with the NFSv3
protocol.

The options are None, System, Kerberos 5, Kerberos 5i, and Kerberos 5p.

Note: Changes to the authentication method can result in invalid mounts. Resolve the
issue by remounting the authentication type as a value for parameter sec in the mount

Files |  Share and Export Management | 76

 command on the client. Example: "-o sec=krb5" if you change the export authentication type
to Kerberos 5.

f. Default Access (For all clients): Select the default access permissions from one of the
following in the pull-down list:

• Read-Write: Client can mount the export and write to it.

• Read-Only: Client can mount the export and read data but not write to it.
• No Access: Client cannot mount the NFS export nor read or write from it.
Use one of the following formats:

• Absolute IPs (for example 129.144.0.0)

• Hostname of client (for example client.domain.com)
• CIDR format for specifying subnets (for example 129.144.0.0/24)
• Netgroups (for example @it_admin)
• Wildcards (for example clients*.domain.com)

Note: Files supports Netgroups to handle client access. Netgroups can limit access to
hosts, but Files does not support Netgroups that limit access to users.

g. + Add Exceptions (optional): If you want to refine the read and write permissions (more
than just the default), click the +Add Exceptions link.
Clicking the +Add Exceptions link displays two more fields for the two non-default
permission options. For example, if you selected Read-write as the default access, fields
for Client with read-only access and Clients with no access appear. In these fields, enter
a comma separate list of clients for the specified access permission level. Exceptions take
precedence over the default, so any client listed in one of the exception fields gets that
level of permission instead of the default permission.

Note: For IPv4 clients, exceptions can be complete IP addresses, wildcards, or subnets. For
IPv6 clients, Files only accepts complete IP addresses as exceptions.

Note: If you add or remove a client from a Netgroup, it reflects on the client after 30
minutes.

CAUTION: If a client IP address matches more than one exception rule, the client may
experience access issues.

h. Squash: Select the squash value from the pull-down list. The squash option controls the
access privileges of root client users (users with UID 0). The None value gives root users
super-user access privileges to the export, letting them create, edit, and delete files from

Files |  Share and Export Management | 77

 any user. The Root Squash value disables super user access and maps all roots users to
anonymous users. The All Squash value maps all users to anonymous ones.
i. Override anonymous IDs for squashing: check this box to enter anonymous user identifier
(UID) and group identifier (GID) value other than the default value. Both the anonymous
UID and GID default have a default value of -2.

• Anonymous UID: Enter the anonymous user identifier value for the export.
• Anonymous GID: Enter the anonymous group identifier value for the export.
You can map regular users to anonymous ones to restrict access to the NFS export.
Setting the NFS authentication type to None maps all client users to anonymous ones.

4. Click Next.

Files |  Share and Export Management | 78

5. In the Summary tab, you will see the following details in the indicated fields:
The Basics section includes the following details:

• Share Name: The name of the new export.

• Share Path: The file path to the new export.
• Primary Protocol: NFS protocol.
• Multi-Protocol Access: Disabled
• Share or Export Type: Distributed or standard share.
• Self Service Restore: Enabled or disabled.
• Share Compression: Enabled or disabled.
• Blocked Files Types: Enabled or disabled. When enabled, the number of blocked file types
appears. Clicking the number displays the file type.
The Protocol Access section includes the following details:

• Authentication: Authentication type (System or none).

• Client Access: Read-write or read-only.
• Squash: All squash, root squash, or none.

Files |  Share and Export Management | 79

 Figure 50: Create an Export: Summary tab

6. When all the information is correct, click the Create button.

Creating a Multi-Protocol Share or Export

Create a multi-protocol share or export.

About this task

For information on the multi-protocol feature, see Multi-Protocol Support for Files on
page 87. Perform the following steps as indicated to create a multi-protocol a share or
export.

Files |  Share and Export Management | 80

Procedure

1. In the Basics tab, do the following in the indicated fields:

a. Name: Enter a name for the share or export.

Note the following naming conventions:

• Files does not allow the following names:

• Global
• Printers
• admin$ (reserved)
• ipc$ (reserved)
• homes (reserved)
• Names are not case-sensitive.
• Each name must be unique.
• Files allows Unicode characters.
• Maximum name length is 80 characters.
• You cannot use a blank space or space character as the first or last character in the
name.
• Names that end with the $ are hidden shares.
b. Description (optional): Enter a description for the share or export.
c. Share path (optional): You can create standard nested shares by specifying the path.
Nested shares inherit some properties from the parent directory. See Nested Shares and
Exports on page 94 for details.
d. Max Size (optional): Enter the maximum size in GiB, see "System Limits" in the release
notes for details.
Leaving the field blank means that there is no upper limit to the size of the share or
export. Enter a value here if you want to set an upper size limit. After setting the limit it
cannot be increased.
e. Primary Protocol Access: Choose SMB (Ideal for Windows Clients) or NFS as the primary
protocol.
f. Enable multi-protocol access: Check the box to enable the multi-protocol feature.
g. Click the Next button.

Files |  Share and Export Management | 81

2. In the Settings tab, do the following in the indicated fields:

a. Check the Use "Distributed" share type instead of "Standard" to create a distributed
export:

Note: Exports on single-FSVM deployments are standard by default.

• A distributed export, also known as a sharded export or home share, load balances
user data across multiple FSVMs.
• Astandard export, also known as a general-purpose share or export, for any other
purposes.
b. Enable Self Service Restore: Self-service restore lets you restore files from previous
snapshots, see Self-Service Restore on page 147.
c. Enable File System Compression: Check this box to save space and reduce data on
the share through inline compression of written data, see File System Compression on
page 139.

Note: Enabling compression at the container level makes the Enable File System
Compression option unavailable. The option does not appear on clusters upgraded from
earlier versions without file system compression support.

d. Blocked File Types: Check this box to specify blocked file types, see File Blocking on
page 128.
e. Do the following in the SMB Protocol Access section.

• Enable Access Based Enumeration (ABE) (SMB only) enable ABE by checking this
box. ABE restricts access when browsing the contents of the top-level directories
(TLDs) to only those files and folders that you have access permission for, see Access-
Based Enumeration (SMB only) on page 127.
• Encrypt SMB3 Messages: Check this box to enable message encryption between the
file server and client. See Encryption on page 127.

3. In the NFS protocol section, do the following.

a. Authentication: Select the authentication method from the pull-down list.

The options are None, System, Kerberos 5, Kerberos 5i, and Kerberos 5p.

Note: Files does not support Kerberos 5, Kerberos 5i, and Kerberos 5p with the NFSv3
protocol.

Note: Changes to the authentication method can result in invalid mounts. Resolve the
issue by remounting the authentication type as a value for parameter sec in the mount

Files |  Share and Export Management | 82

 command on the client. Example: "-o sec=krb5" if you change the export authentication type
to Kerberos 5.

b. Default Access (For All Clients): Select the default access permissions from one of the
following options in the pull-down list:

• Read-Write: Clients can mount the export and write to it.

• Read-Only: Clients can mount the export and read data but not write to it.
• No Access: Clients cannot mount the NFS export nor read or write from it.

Note: Files supports Netgroups to handle client access. Netgroups can limit access to
hosts, but Files does not support Netgroups that limit access to users.

c. If you want to refine the permissions (more than just the default), add exceptions in the
provided fields.
For example, if you selected Read-Write as the default, lines for Read-Only and No
Access appear. In these fields, enter a comma separate list of clients for that access
permission level. Exceptions take precedence over the default, so any client listed in one
of the exception fields gets that level of permission instead of the default permission.
Use one of the following formats:

• Absolute IPs (for example 129.144.0.0)

• Hostname of client (for example client.domain.com)
• CIDR format for specifying subnets (for example 129.144.0.0/24)
• Netgroups (for example @it_admin)
• Wildcards (for example clients*.domain.com)

Note: If you add or remove a computer from a Netgroup, it reflects on the client after 30
minutes.

d. Squash: Select the squash value from the pull-down list. The squash option controls the
access privileges of root client users (users with UID 0). The None value gives root users
super-user access privileges to the export, letting them create, edit, and delete files from

Files |  Share and Export Management | 83

 any user. The Root Squash value disables super user access and maps all roots users to
anonymous users. The All Squash value maps all users to anonymous ones.
e. Override anonymous IDs for squashing: check this box to enter anonymous user identifier
(UID) and group identifier (GID) value other than the default value. Both the anonymous
UID and GID default have a default value of -2.

• Anonymous UID: Enter the anonymous user identifier value for the export.
• Anonymous GID: Enter the anonymous group identifier value for the export.
You can map regular users to anonymous ones to restrict access to the NFS export.
Setting the NFS authentication type to None maps all client users to anonymous ones.
f. In the Multi Protocol Access section, check the box for the settings that you would like to
enable:

• Allow simultaneous read access to the same files: Clients from either protocol can
perform simultaneous reads.
• Allow symlink creation from NFS clients: This option only appears if SMB is the
primary protocol.

Note: On SMB clients, NFS client-created symlinks appear as regular objects (files or
directories).

g. Click Next.

Files |  Share and Export Management | 84

Figure 51: Settings Tab

Files |  Share and Export Management | 85

4. In the Summary tab, review the configuration of the share in the indicated sections:
The following details appear in the Basics section:

• Share Name: The name of the new export.

• Share Path: The file path to the new export.
• Primary Protocol: NFS protocol.
• Multi-Protocol Access: Enabled.
• Share or Export Type: Distributed or standard share.
• Self Service Restore: Enabled or disabled.
• Share Compression: Enabled or disabled.
• Blocked Files Types: Enabled or disabled.
The Protocol Access section includes the following details:

• Authentication: Authentication type (Kerberos, AD, and so on).

• Client Access: Read-write.

Note: For SMB shares, SMB client access is always read-write. Access-control lists (ACLs)
specify user and group access permissions.

• ABE: (Access-based enumeration) enabled, disabled, or n/a.

• Message Encryption: Enabled or disabled.
The Multi Protocol Access section includes the following details:

• Allow simultaneous read access to same files: Disabled or enabled.

Files |  Share and Export Management | 86

 Figure 52: Create an Export: Summary tab

5. When all the information is correct, click the Create button.

What to do next
To configure user mapping between NFS and SMB users, see User Mapping on page 110.

Multi-Protocol Support for Files

Multi-protocol support for Files provides SMB and NFS clients read-and-write access to the
same share or export.
When you choose a native protocol for the share, SMB or NFS, the protocol determines access-
control options for that share or export. You can then manage all access-control options using
the native protocol. Once you create a share or export, you cannot change the native protocol.
Consider the following protocol-specific options and caveats before deciding on a primary
protocol.

Authentication
SMB clients have only one authentication type, Active Directory (AD), that they can use to
access exports. NFS clients can access SMB shares using AD, LDAP, system, or unmanaged
protocols. Files uses the native protocol to authenticate all non-native shares.

Files |  Share and Export Management | 87

Authorization
Files uses user mapping to map IDs and user or group names, which authorizes access to
shares and exports from native and non-native protocols. Configure user mapping when the
NFS authentication of a multi-protocol share is not Kerberos (when NFS uses Kerberos, the
users and groups for NFS and SMB are the same).
An IT administrator must configure user mapping, see User Mapping on page 110.

Access-Based Enumeration
Files supports access based enumeration (ABE) for native and non-native SMB shares.

Access Control Lists (ACLs)

ACLs are stored in the format of the native protocol. Modify ACLs using the native protocol.
NFS clients do not honor share-level ACLs. When you create an object using a non-native
protocol client, the object inherits access control details from the parent folder.

Alternative Data Stream (ADS)

Files supports alternative data streams (ADS) for native and non-native SMB shares.

Antivirus
Files supports antivirus protection on native and non-native SMB shares.
If you access a file that has a virus through an NFS client-created symlink or hard-link, only the
path of the first access appears in the quarantine table.

Audit
Files supports audits for native and non-native shares.

Backup and Restore

Files supports back-up and restore only using the native protocol.

CAUTION: Backup using a non-native client can result in metadata and ADS loss.

Change Notifications
There is no directory change notification support across protocols. Namespace changes made
to a share from one protocol take up to a minute to reflect for a client of the second protocol.

Concurrent Access
Files supports concurrent read-access but not concurrent write-access for multi-protocol
shares.

High-Availability
Files equips multi-protocol enabled shares and exports with high-availability. Files does not
honor the NFS grace period on SMB clients.

Namespace Compatibility
Since all SMB lookups are case insensitive, and all NFS lookups are case-sensitive, SMB clients
can encounter multiple objects with the same name string but different cases.
NFS clients can create multiple files on SMB shares that use the same name-string but different
cases. This leads to issues for Windows clients that find files with the same name but in

Files |  Share and Export Management | 88

 different cases. Files maps NFS objects with illegal or special characters in the namespace to a
new SMB name.

Quota
Files supports quota, see Quotas on page 119.

Stats
Files combines stats for native and non-native shares.

Symlinks
NFS clients can create symlinks on native and non-native NFS shares and follow them using a
native or non-native protocol.

Limitations

• Files silently ignores permission change requests for non-native protocol clients.
• NFS file or directory names that include trailing spaces are treated as illegal characters on
SMB namespaces.
• Native SMB shares cannot enable the NFS squash option.
• NFS users might not see ownership details on native SMB shares. For NFS users, default
owner and group on native SMB shares appears as root/root. However, SMB users see the
default owner and group as BUILTIN administrators.
• Template mapping ignores the domain of users and groups.
• Files does not support multi-protocol compatibility for legacy NFS exports.
• When SMB clients create share objects on non-native shares, the objects derive the mode
information from their parent share.
• If SMB is the primary protocol, you can only apply a quota to SMB users.

Modifying a Share or Export

Modify or delete a share or an export.

About this task

You can update or delete a share from the Shares tab in the Files Console. Note the following
limitations for modifying a share or export:

• Clusters created using earlier versions of Files might not support some new features.
• When renaming a share or export, access to the old name remains if you maintain the
existing connection. Close and reopen the browser or CLI to no longer see the old name.

Note: See Explicit Paths for Shares and Exports for a list of modifiable features on shares
and exports with explicit paths.

Procedure

• In the Files Console, select the target entry in the share table of the Shares tab.

Files |  Share and Export Management | 89

 • In the row for the selected entry, click three dots menu following.

» Click Delete, to delete the share (you do not need to proceed to the next steps).
» Click Update to modify the settings of the share or export. Proceed to the next steps for
directions.
» Click Add Quota Policy to add a user or group quota to the share, see Quotas on
page 119.
• To update the share, follow the steps as indicated.

a. In the Basics or Settings tab, update one or more values accordingly.

Note: When renaming a share or export, access to the old name remains as long as the
existing connection is maintained. Close and reopen the browser or CLI to no longer see
the old name.

See the Creating a Share (SMB) on page 65, Creating an Export (NFS) on page 71,
or Creating a Multi-Protocol Share or Export on page 80 for details about each field.

Figure 53: Update Share Window

b. When all the values are correct, click Update (Summary tab).

Deleting a Share or Export

Delete a share or an export through the Files Console.

Files |  Share and Export Management | 90

 About this task

Warning: Deleting a share or export is permanent, and the deleted share or export cannot be
recovered.

To delete a share or export, do the following:

Procedure

1. Remove the share or export contents and disconnect all clients. (All directories and files
within the share/export should be deleted.)

2. In the Files Console, select the target entry in the share table of the Share tab.

3. In the row for the selected entry, click three dots menu > Delete.

CAUTION: When deleting a share or export with an explicit path, the data and storage is not
removed, see Nested Shares and Exports on page 94.

Note: All shares and exports with explicit paths must be deleted before deleting the parent
share.

Accessing Home Shares

Access home directories without requiring the physical distributed share or export in the profile
location.

Before you begin

Confirm the following:

• Home directories are top-level directories in the distributed share

• Home directories have the required permissions

About this task

Home directories are a type of distributed share. Files supports the following CLI commands for
FSVMs at the distributed share location. Files automatically enables distributed share support.
If the user profile exists in one of the distributed shares, access the distributed share directly
using the universal naming convention (UNC) path.

Note: If your home directory exists in multiple distributed shares, Files matches to the first share
created chronologically.

Distributed shares appear with other shares in Files when enumerating shares on the file server.
Files enables distributed home share support by default.
Access home directories using the UNC path \\Files_server\SamAccountName (instead of \
\Files_server\home_share\SamAccountName).

Procedure

1. To enable distributed home share support:

nutanix@fsvm$ afs smb.set_conf “enable user homes” yes section=global

Files |  Share and Export Management | 91

 2. To enable dollar user distributed share access.
nutanix@fsvm$ afs smb.set_conf “template user homeshare” “%U$” section=global

Accessing User Home Shares (Advanced)

This topic outlines advanced options for accessing home directories without requiring the
physical distributed share with the profile.

About this task

Before you begin

Ensure that you have met the requirements, see Accessing Home Shares on page 91.

Procedure
To configure preferred home shares.
nutanix@fsvm$ afs smb.set_conf “preferred home shares” “home-share1, home-share2” section=global

Replace home-share1 and home-share2 with the names of the homes shares.

Continuously Available Shares (SMB Only)

Persistent file handles facilitate continuous availability (CA) for SMB shares.
During a disruption of service, SMB shares remain continuously available by using the persistent
file handles and the high-availability features. Persistent file handles reduce the period of
data unavailability by automatically reconnecting users to the file service in-use before the
disruption.
Files stores open lock information on persistent volume groups available of every FSVM in
the cluster. During a fail-over, the fail-over FSVM can access the volume group. Persistent file
handles let clients wait to reconnect without notifying the user about the connection failure. As
a result, disruptions are seamless to users and applications.

Note: During a lock protection interval, Files does not prevent NFS clients from accessing the
file. Files only prevents SMB clients from accessing files during the disconnected state.

Note: The periodic handler cleans up stale locks for the disconnected persistent file handles
every 24 hours.

Synchronous writes on CA shares may impact performance. Nutanix recommends continuous

availability for shares with less metadata and more I/O intense workloads, such as VHD or
VHDx based profile disks, where performance impact is minimal.

Enabling Continuous Availability

Enable continuous availability (CA) on an SMB share.

About this task

Follow the steps as indicated.

Procedure

1. To confirm the status of continuous availability, replace the share-name and check the share
profile.
nutanix@fsvm$ afs share.list sharename=share-name

Files |  Share and Export Management | 92

 2. Replace the share-name and enable continuous availability on the share.
nutanix@fsvm$ afs share.edit share-name continuous_availability=true

What to do next
Check the status of continuous availability by repeating the command in step 1.

Connected Shares
Connect standard or distributed shares in the namespace of another standard or distributed
share.
Connecting shares creates a unique, continuous namespace. Use connected shares to distribute
data across multiple FSVMs from a specified directory.
Distributed shares let you only shard data on the top-level directory (TLD) level. To shard data
from a lower-level directory, connect shares by submounting a distributed share onto the path
of another share or export. Files distributes that data from the mount point across multiple
FSVMs. The distribution of data achieves load balancing.
The connected, continuous namespace lets you have different settings within the namespace,
such as directory-level quotas. For more details on directory-level quotas, see Setting
Directory-Level Quotas on page 99. Rather than connecting existing shares, you can also
create a new share with an explicit path, see Nested Shares and Exports on page 94.

Note: For multi-protocol enabled shares, a submount point can apply to multiple directories due
to the case-sensitive NFS behavior and case-insensitive SMB behavior. As a result, Files uses all
directories with the same name but different cases as submount points.

Connected Share Limitations

The following limitations apply to custom-level sharding:

• The submount path cannot point to the root of a parent share.

• The submount path cannot contain snapshots.
• The submount path on a parent share must be empty before configuring submounts.
• Both parent and child shares must use the same type of NFS authentication.
• Nutanix does not allow nesting submounts. For example, if you have a child share child1
submounted on the submount path /parent/dir1/dir2/child1, you cannot submount child2
anywhere on the path.
• Nested shares and submounted child shares cannot have the same directory hierarchy.
• Stale locks for disconnected persistent file handles get cleaned up every 24 hours.

Connecting a Share
Shard a standard share or export.

About this task

Submount a distributed share onto a standard share to connect shares.

Files |  Share and Export Management | 93

 Procedure

1. Replace submount-path with the file path to the mount point from the standard share. Replace
child-share-name.
nutanix@fsvm$ afs share.edit child-share-name submount_path=submount-path

2. List the connected shares.

nutanix@fsvm$ afs share.list_all_submounted_shares

Disconnecting Shares
Disconnect connected shares or exports.

About this task

To disconnect a child share from a parent share, update the mount point of the child share.

Procedure

1. Replace child-share-name with the name of the child share.

nutanix@fsvm$ afs share.edit child-share-name submount_path=''

2. List all child shares connected to a parent share.

nutanix@fsvm$ afs share.list_submounted_shares parent-share-name

Note: Due to caching issues, child shares and exports can still appear as mounted.

What to do next
For NFS, remount the parent share on the client.

Nested Shares and Exports

Use nested shares and exports to hide share paths or restrict access to parts of a tree.
Unless specified, Files creates shares and exports with an implicit path ( the /share-name). To
create a share or export with a different path, use the Share Path field to specify an explicit
path for the share. Specifying an explicit path creates a nested share or export. The explicit
path for the nested share must begin with the parent share or export (for example, to create an
explicit path for share1 you can specify the explicit path /share1/dir1/dir2). Child shares and exports
are nested under the parent shares.
To connect existing shares, see Connected Shares on page 93.

Files |  Share and Export Management | 94

 Figure 54: Shares and Exports with Explicit Paths

The following rules and limitations apply for creating, deleting, or modifying shares and exports
with explicit paths:

• New nested shares and exports cannot start with the name of another share or export
created using an explicit path.
• Explicit paths must start with the forward-slash (/) character.
• When you create a share or export, an explicit path must contain a parent share or parent
export name and the directory path (do not use the root directory).
• Files does not support changed file tracking (CFT) backup for nested shares and exports.
• When you enable or disable multi-protocol on a parent share, the action reflects for all
nested shares or exports for that parent.
• Nested shares and exports inherit both the primary and secondary protocols, which you
cannot modify at the nested-share level.
• The share path is case-sensitive for the NFS protocol.
• When you delete any of the directories in an explicit path, the path becomes inaccessible.
• Namespace changes under the root of the nested share do not appear immediately when
accessed through the parent share path.
Consider the following recommendations:

• Delete all nested shares and exports before deleting the parent share.

Files |  Share and Export Management | 95

 • When a path becomes inaccessible after the deletion of a directory in an explicit path, you
can recover the path by creating a directory with the same name.

Feature Modification
You can modify some of the properties of nested shares. Most of the time you cannot modify
inherited properties. Refer to the following table for modification options.

Table 18: Nested Share Modification Options

Feature Default State Modification

SMB access based Disabled Enabled

enumeration
(ABE)
NFS advanced Enabled Enabled
settings
Add quota policy Disabled Disabled
AV settings Inherited from parent Disabled

Durable SMB File Handles

Durable handles facilitate seamless SMB client reconnection.
Files enables durable handles for SMB shares automatically. Durable handles let SMB clients
survive a temporary client-side connection loss after opening a file, allowing transparent client
reconnection within a timeout. Files does not support durable file handles for directories or
alternate data stream (ADS) files.
Durable handle reconnection times increase when a previous session, with multiple durable
handles, must flush data and metadata before re-establishing the connection.

Managing Limited Local Users (SMB Only)

Add limited local users to your file server.

About this task

You can add limited local SMB users to a file server for SMB share access using the command
line or using the Microsoft Management Console (MMC) Local Users and Groups snap-in.
If you add a limited local user using the MMC Local Users and Groups snap-in, MMC adds the
user to the built-in Local Users group. Users in the built-in Local Users group inherit default
permissions from the group, refer to Microsoft documentation for steps on adding local users
using the MMC.
Manually add users to a group with the desired permissions, or browse and assign permissions
using the Local Users and Groups snap-in.
Limited local user management includes the following limitations:

• Files permits a maximum of 100 limited local users per file server.
• Limited local users cannot access non-native shares.
• Files does not support user-mapping for limited local users.

Files |  Share and Export Management | 96

 • Files does not support quota for limited local users.
• Files does not support renaming local users.
• Files does not support limited local users not joined to a domain or standalone fileservers.
The file server must join an AD domain.

Attention: Limited local users is an SMB-only feature.

The the commands as indicated to manage limited local users.

Procedure

• To add a limited local user, use the following command:

nutanix@fsvm$ afs user.add limited-localuser-name

• To add a limited local user to a limited local group, use the following command:
nutanix@fsvm$ sudo net sam addmem 'group-name' 'file-server-name\user-name'

Note: You can add local users to local groups, which are in BUILTIN\Users and BUILTIN
\Administrators.

• To list limited local users, use the following command:

nutanix@fsvm$ afs user.list

• To edit a limited local user, use the following command:

nutanix@fsvm$ afs user.edit limited-localuser-name

• To delete a limited local user, use the following command:

nutanix@fsvm$ afs user.delete limited-localuser-name

Configuring Backup for Distributed Shares

Specify a backup server for distributed shares and exports.

About this task

Third-party solutions do not automatically back up distributed shares. Follow the steps as
indicate to update the backup configuration syntax and allow the backup of distributed shares
and exports.

Procedure

1. Check the global backup configuration.

nutanix@fsvm$ afs smb.get_conf "backup hosts"

2. Update the backup configuration.

» Add a backup server by replacing backup-server-ip with the IP address for the backup server.
nutanix@fsvm$ afs smb.set_conf "backup hosts" backup-server-ip section=global

» Remove a backup server.

nutanix@fsvm$ afs smb.del_conf "backup hosts" section=global

Files |  Share and Export Management | 97

 3. Validate changes to the backup configuration.
nutanix@fsvm$ afs smb.get_conf "backup hosts"

Enabling SMB Symlinks

Enable symlink support over the SMB protocol.

About this task

A symbolic link (also known as a symlink or a soft link) is a file type that contains a path to a
target file or directory.
Although symlink support is enabled by default, Files requires enabling the following link
configurations on Windows clients to use symlinks on SMB shares:

• Remote-to-remote
• Remote-to-local

Note: By default, remote to local and remote to remote symlinks are disabled on Windows
clients. To enable, symlink access on Windows clients, use the following command.
> fsutil behavior set SymlinkEvaluation R2R:1 R2L:1

SMB clients must have symlink access enabled to access symlinks and follow the
targets.

Files does not support the following functionalities for symlinks:

• Directory symlinks at the root of distributed shares.

• Alternate data streams (ADS).
• Durable or persistent file handles.
• Opportunistic locks (oplocks) and leases.
• There is no interoperability support between SMB and NFS on Multi-protocol shares for
symlinks with absolute targets.

Note: Hycu does not support symlinks. Commvault does not support cross-share symlinks.

Procedure

1. Disable symlink support on the file server.

nutanix@fsvm$ afs smb.set_conf "enable smb symlinks" "False" section=global

Disabling SMB links only prevents the creation of new symlinks. Existing symlinks remain
accessible.

2. Enable symlink support on the file server.

nutanix@fsvm$ afs smb.set_conf "enable smb symlinks" "True" section=global

Disabling SMB links only prevents the creation of new symlinks. Existing symlinks remain
accessible.

Files |  Share and Export Management | 98

Setting Directory-Level Quotas
Set a directory-level quota by connecting shares.

About this task

Files supports size limits for shares and exports. Set a directory quota by submounting a share
or export onto the path of a standard share.

Procedure

1. Create a share or export and specify the max size, see Creating a Share (SMB) on
page 65.
Alternatively, you can apply a share size limit to the newly created share or export, see
Modifying a Share or Export on page 89.

2. Connect the share or export to a directory of a standard share or export, see Connecting a
Share on page 93.
Files applies the quota for the connected share or export to the directory.

Files |  Share and Export Management | 99

DIRECTORY SERVICE AND DOMAIN
MANAGEMENT
Administration of directory services and file server domains.
The domain and directory service configuration is an essential step of file server management.
Join a domain and update domain name system (DNS) entries during or after file server
creation. The this chapter describes domain and directory service management options and
operations.
The directory services configuration specifies the primary and, if applicable, secondary protocol
of a file server. If you intend to create multi-protocol shares and exports on file servers with
secondary protocols, configure user mapping, see User Mapping on page 110 and Multi-
Protocol Support for Files on page 87.

Joining a Domain
Join a file server to a domain.

About this task

When joining to an Active Directory domain, Files adds the following entries to the Active
Directory.

• Machine account with the Files cluster name

• SPN entries
Join a domain either during or after file server creation. To join a domain during file server
creation, see Creating a File Server on page 36. To join to a domain after file server creation,
follow the instructions:

Note:

• If the file server time and the Network Time Protocol (NTP) time are not in sync, the
Prism web console raises an alert. Be sure to sync the file server time and NTP time
before joining to a domain.
• The join domain process can be unresponsive if the Active Directory computer
objects exist from previous unresponsive join attempts. Before attempting to join to
the domain, remove the previous Files computer objects from the Active Directory.
The Prism web console also prompts you to overwrite existing computer accounts.
• Do not remove the file server computer object in AD, as that can cause disruptions
to file-server services.

Procedure

1. In the Files Console, go to Configuration > Authentication.

Files |  Directory Service and Domain Management | 100

 2. In the Directory Services tab, select one or more protocols you want to use and complete
the fields for the selected protocols.
You can select SMB, NFS, or both. Each protocol contains more fields to complete, including
fields about Active Directory. See the Directory Services tab step in Creating a File Server on
page 36 for detailed instructions.
You must have an administrator account or the following required permissions for the
relevant AD organizational unit (OU) realm:

• Create computer objects

• Read/Write service principal names

3. When all the fields are correct, click Update.

Figure 55: Directory Services Window

Leaving a Domain
Disconnect your file server from a domain by following the steps described.

About this task

The following tasks require that you first remove (leave) the connection between the file server
and its current domain:

• Changing the file server name

• Joining the file server to a different domain
• Deleting the file server

Files |  Directory Service and Domain Management | 101

 Leaving a domain deletes service principal name (SPN) entries and Files computer accounts
created by the file server on the Active Directory. To leave a domain, do the following:

CAUTION: Leaving a domain causes Files to stop services until you join the file server to a
domain. During this time, existing and future clients cannot use shares, exports, or permissions.

Procedure

1. In the Files Console, go to Configuration > Authentication.

2. In the Directory Services tab, click the Leave Domain link.

Figure 56: File Server Basics Window

Clicking the Leave Domain link removes the file server connection to the domain. After
changing the file server name or domain, do the following to re-establish the file server
connection to a new domain:

• Remove any old DNS entries from one or more DNS servers.
• Add the new DNS entries (see Updating Domain Name System (DNS) Entries on
page 102).
• Update the directory services (see Updating Directory Services on page 107).

Updating Domain Name System (DNS) Entries

Modify or add to existing domain name system (DNS) entries.

About this task

Administrators can choose to update or add more DNS entries for the following scenarios:

• Creating a file server

Files |  Directory Service and Domain Management | 102

• Changing the filer server name or target domain
• Removing a node
• Adding a node
Files adds entries to the DNS server to ensure the availability of file services to clients using a
Files namespace. Files uses DNS entries to resolve DFS referrals.
The total number of DNS entries added to the specified DNS server is three times the number
of nodes in the Files cluster. Use the following format for DNS entries:

• File server name for each FSVM IP address: file_server_name.domain_fqdn

• FSVM name for its IP address : fsvm_name.domain_fqdn.
To update the DNS configuration, do the following:

Procedure

1. In the Files Console (see Files Console on page 18), go to Configuration > Update DNS
Entries.

2. To automatically configure DNS entries, select the Automatic (MS-DNS only) option and do
the following in the indicated fields:

Note:

• The automatic option is available only when using Microsoft DNS. If you use a
different DNS server or you see a message that Files did not find the entries on
the DNS server, use the manual method.
• Files can only add PTR entries for the /24 zone. Check the subnet of the external
network to confirm the zone. Files does not add PTR records automatically for

Files |  Directory Service and Domain Management | 103

 external networks that are part of a large DNS zone. For these networks, follow
the manual process instead.

Figure 57: DNS Window (automatic view)

a. Select an action: Select Add/Update entries or Delete Entries from the pull-down menu.
Selecting Add/Update entries adds (or updates as needed) the required file server entries
to the DNS server automatically. (You do not need to enter them yourself.) Selecting
Delete Entries automatically deletes the current file server entries from the DNS server.
b. Preferred Name Server (optional): Enter a preferred name server.
c. Username: Enter the user name of the DNS server administrator.
d. Password: Enter the administrator password.
e. Click Submit.

Files |  Directory Service and Domain Management | 104

3. To manually configure DNS entries, click the Manual (All other DNS) option and do the
following:
A table appears that lists entries consisting of a fully qualified host name and the
corresponding IP address/PTR record.

Figure 58: DNS Window (manual view)

Files |  Directory Service and Domain Management | 105

 a. Note: For file server name, add A records only. For FSVM names, add both the A records
and PTR records.

Copy the entries from the table and add them to the DNS server.
You can either copy the entries manually or click the Copy All link to copy the entire table.
Click Actions to download that table in the CSV or JSON format. (To delete the current
file servers entries on the DNS server, use this list to determine which entries to delete.)
b. Click the Verify button.
After copying the entries to the DNS server, verify that they are correct. Clicking the
Verify button checks each entry in the table against the DNS server entries. A check mark
in the Is Verified column indicates that entry is present on the DNS server. There should
be a check mark for every entry.
c. Repeat step (a) for any entries that do not have a check mark in the Is Verified column.
The most likely reason (other than a network issue) for a missing check mark is a copy-
and-paste error when transferring that entry to the DNS server. Check your work and
repeat this process until Files verifies all entries.

Disjoint Domains
Configure different DNS domain and active directory (AD) realm values through the disjoint
domains feature.
Your deployment must have the following requirements prior to configuring disjoint domains:

• A running AOS cluster

• A DNS domain name
• An AD realm name

Configuring Disjoint Domains

To have different DNS domain and AD realms, configure disjoint domains.

About this task

Follow the steps as indicated after creating a file server.

Procedure

1. After creating the file server configure the protocols and join the domain.
nutanix@fsvm$ afs fs.configure_name_services AD-realm-name username protocol

"SMB", "NFS", "NFS,SMB", "SMB,NFS" and "None" are valid arguments for Protocol.
(Optional) use one of following instead:
nutanix@fsvm$ afs fs.configure_name_services AD-realm-name username protocol organizational_unit=organizational unit
nutanix@fsvm$ afs fs.configure_name_services AD-realm-name username protocol overwrite=true/false

2. Configure the Microsoft DNS, see Updating Domain Name System Entries. If the DNS domain
name and AD realm names are not the same, provide the full user principal name (UPN) of
an administrator or user.

Files |  Directory Service and Domain Management | 106

Updating Directory Services
Update the authentication and user management configuration of a file server.

About this task

To update the directory services configuration, do the following:

Procedure

1. In the Files Console (see Files Console on page 18), go to Configuration > Authentication.

2. In the Directory Services window, select the protocols you want to use and complete the
fields for the selected protocols.
You can select SMB, NFS, or both. Each protocol contains more fields to complete. See the
Directory Services tab step in Creating a File Server on page 36 for detailed instructions.

3. When all the fields are correct, click the Update button.

Figure 59: Directory Services Window

Setting AD Machine Account Password Expiry

Set a 30-day expiry period for the Active Directory (AD) machine account password.

Files |  Directory Service and Domain Management | 107

 About this task
The Files AD machine account password expiry is 0 days by default. Follow the steps as
indicated to change the password expiry to 30 days.

Procedure

1. Get the AD machine account password.

nutanix@FSVM:~$ afs smb.get_conf "machine password timeout"
[global]

2. Update the password expiry period to 30 days.

nutanix@FSVM:~$ afs smb.set_conf "machine password timeout" 30 section=global

Authentication
This topic provides an overview of unmanaged, LDAP, and Active Directory (AD)
authentication for file servers.
Depending on the primary and secondary protocols configured for your file server, access
and authentication configuration vary. File servers using SMB protocol must configure Active
Directory (AD). File servers using the NFS protocol can use Lightweight Directory Access
Protocol (LDAP), AD, or unmanaged authentication services.

LDAP
When you configure LDAP as the authentication service, Files uses Netgroups to control client
access. The Files LDAP setup is based on the RFC 2307 standard.
To configure LDAP, assign an LDAP server and a base distinguished name (DN) in the
Directory Services tab during file server creation. The base DN specifies where the search for
users begins. The file server binds to the LDAP server. For added security, set up a bind DN for
the LDAP server. Without the bind DN, Files binds to the LDAP server as anonymous.

Active Directory
Files supports AD with NFS and SMB. To set up Active Directory, specify the AD realm name,
username, and password. If you have multiple domain controllers, you can configure a preferred
domain controller (PDC). If you do not configure a PDC, Files uses any available domain
controller.
Using the RFC 2307 standard is an optional setting in AD.

Authorization
The authorization setup on native shares and exports determines user and group read-and-
write access permissions.
By default, all domain users and domain admin have full access to standard shares and exports.
For distributed shares and exports, domain admins have full access but domain users have
read-only access.

Note: Files does not support namespace operations on top-level directories (TLDs) from Mac
clients. You can manage TLDs from Windows clients using the Microsoft Management Console
(MMC) Snap-In for Nutanix Files.

Files |  Directory Service and Domain Management | 108

Native SMB Shares
You can only make access permissions changes using the native protocol. New Technology File
System (NTFS) permissions indicate user and group authorization on native SMB shares. Share
access-control lists (ACLs) indicate SMB permissions at the root of the share. Share ACLs on
SMB shares only apply to SMB clients.
To access multi-protocol enabled shares using a non-native protocol, configure user mapping,
see User Mapping on page 110.
You can use the Windows Microsoft Management Console (MMC) Shared Folders plug-in to
manage share ACLs on SMB shares. Use the MMC Snap-In for Nutanix Files to modify NTFS
ACLs for native SMB shares. On multi-protocol enabled shares, Files performs permission
checks based on the native ACLs.

Native NFS Exports

Unix mode bits, set from NFS clients, enforce permissions on NFS exports. By default, the NFS
export root directory sets sticky bits, which are permission bits that allow only object owners
and root users to remove objects. As an object owner, you can change the permissions on the
files and directories that you own. By default, super users can only change export permissions
after disabling root squashing.
Files does not support NFS ACLs.

Files |  Directory Service and Domain Management | 109

USER MANAGEMENT
User and group administration.
This chapter describes options and steps for managing users and groups on the file server,
including their roles, quotas, and mapping across protocols.
The directory services configuration specifies the primary and, if applicable, secondary protocol
of a file server. If you intend to create multi-protocol shares and exports on file servers with
secondary protocols, configure user mapping, see User Mapping on page 110 and Multi-
Protocol Support for Files on page 87.

User Mapping
Configure user mapping on file servers that have multi-protocol shares or exports.
User mapping lets you access the same share or export using native and non-native protocols.
You can retain your user-mapping configuration while configuring the directory services. User-
mapping configurations are on a file-server level, which extend to all shares and exports on the
file server.

Note: If the NFS security type is not Kerberos, you must configure user mapping for multi-
protocol shares and exports.

The following restrictions apply to directory service use across protocols:

• NFS clients accessing SMB shares can use IDs from AD, LDAP, or client-generated
unmanaged IDs .
• If the NFS security type is not Kerberos, you must configure user mapping for multi-protocol
shares and exports
• LDAP usernames cannot be numeric.

Note: Group identifiers (GID) and user identifiers (UID) can appear mismatched because of
the access point. The first part of the UID/GID is a config-based range. The last part of the
UID/GID is the relative ID (RID) of the user, which is based on the SID. Clients and file servers
use different config ranges, so the first part of the GID/UID can appear mismatched.

Mapping Behavior
Files user the following mapping behaviors:

• UserGroup: Default mapping for new shares and exports created with Files 3.6.1 or later. Files
maps a non-native user to a native user. Files ignores all groups of the non-native user and
uses groups of the native user for authorization. Files does not use the groups of the non-
native user in the access token.
• MappedGroups: Files maps the non-native user and the associated groups to a native user
and the respective native groups. The native groups can also be groups of the native user.
The access token has a set of user and group identities. Use MappedGroups for the following
use cases:

• Deny access to a specific group.

• Give access to users based on groups in the ACLs of a file.
• Legacy mapping: Mapping for legacy multi-protocol shares and exports (shares and exports
on file servers created with versions before Files 3.6.1). Legacy non-native SMB shares

Files |  User Management | 110

 use the MappedGroups mapping behavior, and legacy non-native NFS exports use the
UserGroup mapping mechanism. You cannot modify the legacy-mapping behavior.

Note: With legacy mapping, Files requires group mapping for the primary group of SMB users
to access native NFS exports.

Mapping Configurations
User mapping includes the following mapping configurations:

• Search: Use the Search tab to search for mapping rules of a user or a group.
• Rule-Based Mapping: Use the Rule-Based Mapping tab to configure a mapping rule for AD
and LDAP users. The following options apply:

• SMB name matches NFS user name.

• No template mapping.
• Explicit Mapping: Explicit mapping overrides rule-based mapping. The rule entered first
takes precedence for users and groups that have multiple mappings configured. Explicit
mapping consists of two mapping subcategories: a one-to-one mapping list and wildcard
based mapping.
You can use the one-to-one mapping list to manually enter or upload a csv file that maps
users across protocols. Use wildcards for many-to-one mapping. Do not use wildcards on
both ends of a user-mapping entry. You can also deny share and export access for a specific
user or group.
• Default Mapping: Default mapping is the simplest mapping method to configure. You
can map all non-native SMB users and groups to a specific native NFS user or group, and
conversely. Default mapping also specifies how to handle users that have not had user
mapping configured.
The Summary tab shows the configured mapping rules and the order in which the rules are
prioritized. User-mapping rules take priority in the following order:
1. Deny access rules
2. One-to-one mapping
3. Wildcard mapping
4. Template mapping
5. Default mapping

Configuring User Mapping

Administer non-native user access for multi-protocol shares and exports.

About this task

For information on multi-protocol support, see Multi-Protocol Support for Files on page 87.

Note: User mapping does not support the user name format (UPN).

Procedure

1. In the Files Console, go to Configuration > Authentication > User Mapping.

Files |  User Management | 111

2. (optional) search for mapping rules for a specific user or group.

a. Select from one of the following search options:

» SMB to NFS mapping

» NFS to SMB mapping
b. From the dropdown, choose to search by User or Group.
c. In the search bar, enter the search target.

Files |  User Management | 112

3. (optional) In the Explicit Mapping section, click Configure to set up explicit mapping rules.
If you have already configured rules, click Edit.

a. Configure explicit mapping by specifying one-to-one mapping, wildcard mapping, and

deny access rules.

Figure 60: Explicit Mapping

b. (optional) Configure one-to-one mapping to map single users or single groups by doing
one of the following:

• To map users or groups manually, click Add one-to-one mapping. Add the following
information in the indicated fields:
1. In the SMB Name field, enter the name of an SMB user or group.
2. In the NFS ID, enter the name of an NFS user or group.

Files |  User Management | 113

 3. In the User/Group field, indicate if the mapping is between users or groups.
4. To add the add one-to-one mapping rule, click the check icon.
• Click upload a user-mapping csv file to upload a file that specifies one-to-one mapping
rules. Format the CSV file to consist of three columns with the indicated information, in
the following order:

• Name of an SMB user or group

• Name of an NFS user or group
• Indication of whether the mapping is for a user or group

Figure 61: One-to-One Mapping List

c. (optional) Add wildcard mapping to map multiple users or groups to one.

Note: Files does not support user-mapping entries that have wildcards on both ends.

• 1. Click Add wildcard mapping.

2. In the Priority field, choose the priority for the rule. (The lower the number, the
higher the piority).
3. In the SMB Name field, enter the SMB user or group name.
4. In the NFS ID field, enter the name of the NFS user or group.
5. In the User/Groupfield, indicate if the mapping is between users or groups.
6. To add the wildcard mapping rule, click the check icon.

Figure 62: Wildcard Mapping

d. (optional) Add a list of users or groups to be denied access.

• 1. In the Deny Access section, click +Add SMB or NFS users.

Note: Deny access rules take the highest priority.

Files |  User Management | 114

 2. To deny access, add comma-separated users and groups in one or more of the
following fields:

• SMB users to be denied access to NFS exports

• SMB groups to be denied access to NFS exports
• NFS users to be denied Access to SMB shares
• NFS groups to be denied access to SMB shares

Figure 63: Deny Access Rules

e. Click Save.

4. (optional) Configure rule-based mapping.

a. To map SMB and NFS users and groups, choose one of the following default rules:

» SMB name matches NFS name.

» No template mapping.

Figure 64: Rule-Based Mapping

b. Click Save.

Files |  User Management | 115

5. (optional) Set up default-mapping rules for Files to use when no applicable rule-based or
explicit mapping rules exist for the user or group.

Figure 65: Default Mapping Rules

a. Choose one of the following options from the SMB Users With No NFS Mapping
dropdown:

» Deny access to NFS export.

» Map to specific Unix user and group.
b. If you selected Map to specific Unix user and group, do the following (otherwise move on
to the next step):

• Enter a value in the Unix UID field.

Note: If NFS has LDAP, use a user or group name. Otherwise, use a user or group ID.

• Enter a value in the Unix GID field.

c. In the NFS Users With No SMB Mapping field choose from one of the following options:

» Deny access to SMB share.

» Map to specific AD user and group.
d. If you have selected Map to specific AD user and group, fill out the following fields
(otherwise move on to the next step):

• In the SMB User field, enter a default SMB user target for NFS users without mapping.
• In the SMB Group field, enter a default SMB group target for NFS groups without
mapping.
e. Click Save.

6. (optional) To delete all mapping rules for all users and groups, click the Purge All Mapping
button

CAUTION: Clicking Purge All Mapping permanently removes all existing mapping rules.

Files |  User Management | 116

Managing Roles
Manage roles by adding, removing, or modifying administrator privileges.

About this task

You can create two types of Files administrators:

• File server admin. The file server admin can manage all file server operations, modify the
access permissions for all users in all the shares/exports, and back up and restore data on
the file server.
• Backup admin. The backup admin can back up and restore data on the file server (but does
not have other administrative permissions).

Note: Assign a backup service account (AD user or group) the backup admin role to prevent
insufficient access issues.

To add or modify a Files administrator, do the following:

Procedure

Creating a New Role

1. In the Files Console (see Files Console on page 18), go to Configuration > Manage Roles.
The Manage roles view displays.

Figure 66: Manage roles window

2. To add an administrator, click + New user in the Add Admins section.

A line for new credentials appears at the bottom of the list.

3. Do the following :

a. In the User field, enter the Active Directory user or group name.
Enter user or group names in the samAcctName or NETBIOS\samAcctName format. Replace
samAcctName with the SAM-account-name.

b. In the Role field, select File Server Admin: Full access or Backup Admin: Backup access
only from the pull-down list.
c. To add the user, click the check mark icon.
d. To add more administrators, repeat these steps.

Files |  User Management | 117

 Modifying Roles

4. To modify an administrator, click the pencil icon in the three dot menu > edit for that user
and update the name or role as desired.

5. To delete an administrator, click the three dot menu > edit for that user.

Managing REST API Roles

Manage REST API access for all users on a file server.

About this task

To add, modify, or remove REST API access, follow these steps.

Procedure

1. In the Files Console, go to Configuration > Manage roles.

2. To add a RESP API user, click + New User in the REST API access users section.
A new line for the new user appears at the bottom of the list.

Figure 67: Manage roles window

3. To add a user, follow these steps:

a. In the Username field, enter the username requiring REST API access.

Note: You cannot add the "admin" username.

b. In the Password field, type in a password for that user.

c. In the same row, click the check mark icon to save the configuration.
d. To add more users, repeat this step.

4. To modify a username or password, click three dots menu > Edit in the row for the target
entry.

5. To delete a user, click three dots menu > Delete in the row for the target entry.

Authorizing a REST API User

To use the Files APIs, authorize a user in the REST API explorer.

Files |  User Management | 118

 About this task
Follow the steps as indicated from the Files Console.

Note: To create a REST API user, see Managing REST API Roles on page 118.

Procedure

1. Go to Admin > REST API explorer.

Figure 68: REST API explorer

2. Click Authorize.
A dialog box for REST API user credentials appears.

3. Enter the REST API user credentials in the username and password fields.

4. Click Authorize.

Quotas
This topic describes the Files quota types, notifications, and policies.
Set quotas to allot the storage space a user or group can use.
There are two quota levels:

• User: Sets a specific amount of storage for a single user. For example, if an administrator
allots only 1 GB, then you cannot use more than 1 GB – the total storage capacity for you is
limited to 1 GB.
• Group: Sets the amount of space for each user in that group. For example, a group with a
policy of 10 GB and 10 users can potentially use 100 GB of data (10 x 10 = 100 GB) under that
quota policy.
Alternatively, rather than configuring quotas for specifics users, groups, or directories, you can
configure a maximum share size to restrict the amount of storage space used by a share. To
limit the space in a directory, see Setting Directory-Level Quotas on page 99.

Files |  User Management | 119

Notifications
You can configure email alert notifications that Files sends when user or group quotas are
near the maximum threshold. Files can send the alerts to you and other recipients. Emails
notifications alert the recipient when the quota is near maximum and when it is near full
consumption. When the quota reaches 90 percent consumption, Files sends warning emails to
the recipients. When the quota reaches 100 percent consumption, Files sends alert emails to the
recipients. If the quota has a soft limit, you can continue to consume over 100 percent of the
storage and Files will send an email notification to the recipients every 24 hours.

Policies
A quota policy specifies the consumption limit and enforcement type for all quota levels as
configured by the administrator. Enforcement types determine if a user or group can continue
to use the quota once they consume their share. See the enforcement types descriptions in the
following table.

CAUTION: Quota policy enforcement begins several minutes after policy creation. Therefore,
if you reach the quota limit before the interval is complete, Files raises the alert but does not
enforce the quota.

Note: Beginning with AOS 5.15.1 and AOS 5.17.1 you can set decimal quota values, earlier AOS
versions only permit integer quota values. During a disaster recovery (DR) event to a container
with a version earlier than AOS 5.15.1 and AOS 5.17.1, Files rounds the decimal quota value down
to an integer.

Quota Configurations Description

User or Group The designated name for a specific user or group.

Quota The limit of quota space (in GB).

Enforcement Type
• Hard Limit: Prevents further writes once quota
limit is reached.
• Soft Limit: Does not prevent writes. Sends email
notifications to email recipients.

Note: You cannot set both a soft and hard limit

for the same user or group.

Email Recipients Enable the email recipients box and enter the email
addresses for recipients Files should notify about
hard and soft quota limits.

Applying Quota Policies

Files resolves quotas policies per the following:

• If you have defined a Files user-level quota, then recipients receive the quota from this user-
level policy.
• If you have not defined a user level, but you have defined multiple group-level policies, then
Files applies the policy with the most space.
• If you have not defined a user or group policy for any given user, Files chooses the quota
default policy.

Files |  User Management | 120

 • For distributed shares and exports, each user has one home directory. Therefore, quota
applies only to the first user directory at the root of a distributed share.

Note: If you add a new AD group and want to add a quota policy for that group, contact Nutanix
Support to refresh the quota cache.

Multi-Protocol Limitations
The following limitations apply when you enable both SMB and NFS read-and-write access on a
share or export.

• You can only apply a quota to users and groups of the primary protocol. For example, if SMB
is the primary protocol, you can only apply a quota to SMB users.
• When you map multiple non-native users or groups to a single native user or group, Files
only applies a quota to the first non-native user or group.
• Quota applies to non-native users mapped to native users who belong to a group quota.

Managing Quotas
Add or edit user or group quotas in Files.

About this task

Files implements user and group quota types that balance storage per a user of a share or
export. To configure the quota levels for user, group, or default levels, perform one of the
following steps.

Procedure

Creating a new quota policy

1. In the Files Console (see Files Console on page 18), go to Shares.

2. Click the name of the target share.

Files |  User Management | 121

3. Click Actions > Add Quota Policy.

a. Under Add Users, select to add the quota policy for a Individual User or User Group.
b. In the Username field, enter the target user-name or group-name.
c. In the Quota Limit field, enter the space for the quota limit (in GiB).
d. Select the enforcement type.

• Hard limit: Prevents further writes after reaching quota limit and puts the user or group
into read-only mode.
• Soft limit: Does not prevent writes. Sends email notifications to email recipients.

Note: You cannot set both a soft and hard limit for the same user or group.

e. Check the Send email notification to the Files administrator box to enable email
notifications and add email recipients in the Email Recipients field.
f. To add the quota policy after entering the required information, click Add.

Files |  User Management | 122

 Figure 69: Add a Quota Policy

Editing a quota policy

Files |  User Management | 123

4. Edit an existing quota policy.

a. Click the share or export in the Shares tab.

The Quota Policies tab displays all of the quota policies on the share.
b. In the row for the target policy, click the three dot menu > edit.

Figure 70: Edit an Existing Quota

The Quotas window displays.

a. You can edit the existing policy by updating the amount of space (GiB), the enforcement
type (hard or soft limit), and the email notifications and recipients. Click Add.

Note: To remove a quota, change the share size to 0.

Remove a quota policy

5. In the row for the target policy, click the three dot menu > delete.

Files |  User Management | 124

FILES OPTIONS
Files provides a number of options you can employ to accommodate your file server
implementation.

Cloning
Clone any file server protection domain snapshot at the local or remote site.
The file server clone is not protected by default. Be sure to enable the protection domain if
you want the file server protected. Files cannot clone snapshots taken in earlier releases. Also,
file server clones cannot be replicated or migrated to clusters that use earlier AOS and Files
versions.

Figure 71: Cloning capability for Files

Cloning helps with the following without impacting the original Files cluster:

• Create backups at the primary and secondary sites

• Undertake DR test at secondary site
• Recover a file server from a specific point in time
• Spin-up a file server at the primary or remote site for testing or development purposes

Cloning a File Server

Follow this procedure to clone a file server from a specific snapshot.

About this task

The file-server clone is a thin copy that consumes minimal storage space. You cannot clone a
file server to a storage container that is different from the original container.

Files |  Files Options | 125

Procedure

1. In the File Server view in PE (see File Server View in Prism on page 15), select the target file
server and then click the Clone button.
The Clone File Server window displays.

Figure 72: Clone File Server Window (Snapshots tab)

2. In the Snapshots tab, do the following in the indicated fields:

a. Name of Cloned File Server: Enter a name for the new (cloned) file server.
The clone name must be different that the original file server name.
b. Domain: Enter a fully qualified domain.
c. List of Snapshots: Click the option of the snapshot to use for the clone.
A list of available snapshots (if any) appears in this field. Select one of the existing
snapshots or select Take a new snapshot, which takes a new snapshot of the file server
(after you complete this form) and then use that snapshot to create the clone.
d. Click the Next button.

3. In the Client Network tab, enter the required information to configure the client network for
the clone and then click the Next button.

Note: See Creating a File Server on page 36 for details about configuring the client
network, storage network, and user management.

Files |  Files Options | 126

 4. In the Storage Network tab, enter the required information to configure the storage network
for the clone and then click the Next button.

5. In the Directory Services tab, select one or more protocols to use (SMB, NFS, or both) and
enter the specified configuration information. When all the information is complete, click the
Create button.

Encryption
Encryption options for Files.
Files supports AOS software encryption and in-flight message encryption for SMB3 shares.
You can apply AOS software encryption to Files by activating it through Prism, see Configuring
Data-At-Rest Encryption (Software Only) in the AOS Security Guide. Refer to the Files Release
Notes to ensure that you are running a compatible version of AOS.

SMB3 Message Encryption

To enable SMB3 message encryption, see Modifying a Share or Export on page 89. After
enabling message encryption, Files encrypts messages on the file server side and decrypts
them on the client side (only on new connections for the share). Clients that do not support
encryption (Linux, Mac, Windows 7) cannot access a share with encryption enabled.

Files Data Collection

Files data collection with Pulse.
The feature known as Pulse collects Files diagnostic system data and sends it to Nutanix
Support. After you enable Pulse, Files synchronizes Pulse configurations from the Controller
VM to the file server VMs. Synchronized data includes the Pulse enablement status and the
mechanism chosen for streaming data to Nutanix Support. If Pulse data cannot reach Nutanix
Support, administrators receive alerts in Prism. To enable or disable Pulse, see "Configuring
Pulse" in the Prism Web Console Guide.

Access-Based Enumeration (SMB only)

Access-based enumeration (ABE) restricts user-access by only letting you view the files and
folders you have read access to when browsing content on a file server.

About this task

ABE is a Microsoft Windows (SMB protocol) feature that filters the list of available files and
folders on the file server to only include files and folders that the requesting user has read-
access to. The filtering ensures that Files enforces read-and-write privileges for all users and
that information can remain confidential. ABE controls the user visibility of shared folders on
mounted file system shares based on the user permissions.
Enable ABE during or after share creation.

Note: To activate ABE after a group membership of a user changes, remove all previous share
sessions, remount the share, and reconnect existing client connections.

Procedure

1. To enable ABE during share creation, see Creating a Share (SMB) on page 65.

Files |  Files Options | 127

 2. After creating a file share, you can modify ABE settings. To enable ABE after share creation,
do the following:

a. In the Files Console, go to the Shares tab.

b. In the row for the target share, click the three dots menu > Edit.
The Update Share window displays.
c. In the Settings tab, check (enable) or clear (disable) the Enable Access Based
Enumeration (ABE) box and click Save.

File Blocking
Restrict specific files or file types from appearing on a file server or share.
Specify a character pattern of file names or extensions to block files. Use an asterisk (*) as a
wildcard for multiple characters or a question mark (?) as a wildcard for a single character.

Note: The question mark character (?) only matches UTF-8 single byte ASCII characters. The
question mark character (?) does not apply to multibyte unicode characters.

Files applies the file blocking policy to all levels of a share or export, which disables the ability
to create files with the specified character pattern in the name. An attempt to create blocked
files results in an error. Share-level file blocking overrides the files blocked on the file-server
level.
Files allows a maximum of 300 file blocking patterns on a file server.
After enabling file blocking, Files does not permit the following operations:

• Creating a file with the blocked character pattern.

• Renaming an existing file to one with the blocked character pattern.
• Duplicating a file with the blocked character pattern.
• Moving a file with a blocked character pattern.
You can still perform read-and-write operations on existing blocked files.
To enable file blocking on a file server, see File Server Updates on page 54. To enable file
blocking on a share or export, see Modifying a Share or Export on page 89.
Files blocked on a share level appear in the Summary tab of the Create share/export and
Update share/export windows. Files blocked on a file server level appear in the Blocked File
Types tab.

Blocking Files on a File Server

Block the creation and modification of files on a share, export, of file server.

About this task

Refer to File Blocking on page 128 for information about the file blocking feature. To block
files on the share or export level, refer to Modifying a Share or Export on page 89.
To block files with specific character patterns in their names, do the following.

Procedure

1. In the File Server view, select the target file server.

2. Click Update > Blocked File Types.

Files |  Files Options | 128

 3. In the Blocked File Types field, enter (or modify) a comma-separated list of file extensions
for blocked file types.

Figure 73: Blocked File Types

4. Click Save.

Antivirus (AV) Scanning (SMB Only)

Third-party antivirus software for SMB shares.
Files supports the Internet Content Adaptation Protocol (ICAP) to enable communication with
external servers hosting third-party antivirus software. This software scans files stored on file
shares to help provide protection against viruses. This software scans files in real time when you
open, close, read from, or write to files.

Figure 74: Files AV Concept

Note: Refer to the Compatibility Matrix for a list of compatible security software. Filter by
Solution Type > Security and Additional Component > Nutanix Files. Files requires two or more
ICAP servers. Nutanix recommends having a minimum number of scanning threads that is 11 times
the number of FSVM nodes or (11 * number of FSVM nodes).

Overview
Files performs the following tasks with ICAP servers when a client requests to read, write, open,
or close a file.
1. Files determines that the file requires scanning.
2. Files sends files that require scans to the ICAP server with a scan request.
3. The ICAP server scans the file and reports the scan results to Files.
4. Files quarantines and denies access to unsafe files.
5. If the file is clean or disinfected, then Files allows the client access to the file.

Files |  Files Options | 129

 Note: By default, shares have antivirus scan disabled.

Antivirus File State

This diagram shows the process flow for file scans.

Administrator actions are denoted with dotted

lines.
Figure 75: Antivirus File State Diagram

Glossary
Files and Prism Element use the following terms to show file status applied by the antivirus
scanning feature.

Table 19: State

State Definition

Quarantined A scanned file that the antivirus scan qualifies

as unsafe. Files blocks access to the file until
the administrator manually changes the file
state.
Unquarantined The administrator moves the file from the
quarantined state to allow client access. Files
does not rescan unquarantined files.

Files |  Files Options | 130

 Table 20: Events

Event Definition

Cleaned The antivirus scanner has scanned and

cleaned the file. This process overwrites the
original file. Using this feature requires the
disinfected virus file function on the ICAP
server.
Quarantined A scanned file qualified as unsafe. Files blocks
all access to the file until the administrator
manually changes the file state.
Unquarantined The administrator manually moves the file
from the quarantined state to allow client
access. Files does not rescan unquarantined
files.
Deleted File removed from the file system.

Configuring Antivirus Scanning (SMB Only)

Configure and enable antivirus scanning for SMB shares.

About this task

After configuring the antivirus scan, enable the scan for each share that you want scanned.

Procedure

1. In the Files Console, go to Configuration > Antivirus.

2. Connect the ICAP server.

a. Click + Connect ICAP Server.

A new row appears for new ICAP server details.
b. Enter the following information in the corresponding fields:

• IP address or hostname
• Port (the default port number is 1344)
• Description
c. To save the configuration, lick the check mark icon.
For a detected antivirus server, the software tests the validity of the configured server
and updates the status to OK.
d. Ensure the connection status automatically updates to OK.
e. Click Next.

Files |  Files Options | 131

 3. Complete the Scan Settings.
You can override settings through the share-level antivirus settings.

Note: Nutanix recommends two or more ICAP servers.

a. Scan on Write: Scans saved and updated files (a write operation).

b. Scan on Read: Scans opened files (read operation).
Nutanix recommends to always enable Scan on Read.
c. File extensions to be excluded: Add one or more file extensions to exclude from the scan.

Note:

• Ensure these settings match the file type configuration of your ICAP servers.
• Nutanix recommends adding the following file extensions for user profiles
when using the Files antivirus scanning:

• .dat
• .ini
• .pol
• When Files with a specific extension type are quarantined incorrectly by the
ICAP server, adding this file type extension to the ignore list only prevents
future file quarantines. Remove the quarantine for the incorrectly quarantined
files to access them.

d. File Size: Limit the size scanned of files.

e. Advanced Settings:

• Scan Timeout: Set the maximum amount of time that a scan can take before timing
out.
• Block access to files if scan cannot be completed (recommended): Block access if the
ICAP servers are unavailable or cannot scan the file for any reason.
f. Click Save.

4. Enable the antivirus scanning on each share.

a. Go to the Shares tab and click on the target share.

b. In the Share Details, go to Actions > Configure Antivirus.
The Configure Antivirus setup window displays.
c. Note: By default, antivirus scan is disabled on all shares.

Check the Enable antivirus scan box.

d. (optional) Change the settings for the share (see Step 3 for details).
e. Click Save.

Antivirus Tab
The layout and elements of the Antivirus tab in the Files Console.

Files |  Files Options | 132

The Antivirus tab displays dynamic information about scanned files. The tab includes the
following sub-tabs:

• ICAP servers
• Reports
• Quarantined Files
• Unquarantined Files
To view this information, in the Files Console, go to Monitoring > Antivirus.

ICAP Servers
The ICAP servers tab displays the scanned files information for each ICAP server.

• ICAP Server Statistics: The table displays information such as port number, description, files
scanned, disconnect count, average latency, connection status, and actions available.
• Average Latency: This graph displays the latency times for the scans (in milliseconds).
• Files Processed or Data Processed: Click the Files Processed drop-down arrow to select the
files processed or data processed graph. The processed files graph displays the number of
scanned files. The data processed graphs display the amount of processed data (in GiB).
• Queue Length: The number of files in the scan queue.

Reports
The Reports tab displays the information about the scanning period and share status.

• Scan Period: This information displays the files scanned, threats detected, number of files
cleaned, and number of files quarantined during each scanning period.
• Share Status: Displays the state of the scanned share. The parameters includes: file path,
threat description, ICAP server, time, action taken on share.

Quarantined Files
The Quarantined Files tab displays the files that contain a virus. The antivirus software places
virus-infected files into quarantine where clients cannot read or write the files. An administrator
can perform the following actions on the quarantined files.

• Rescan: Rescan the files that have been quarantined.

• Unquarantine: Move the files out of quarantine. The selected file is then available for use.
• Delete: Delete the quarantined file permanently.

Unquarantined Files
The Unquarantined Files tab displays files manually released from quarantine. You can use
unquarantined files. Files does not rescan unquarantined files again until the administrator
resets the unquarantine state. Perform the following actions on unquarantined files.

• Reset: Move the files to a normal state that is not quarantined or unquarantined. In this state,
the next access to the file triggers the scan.
• Quarantine: Move the files to quarantine to block read and write access.

Files |  Files Options | 133

 Note: Reaching the limit of the number of files in both the Quarantined and Unquarantined
tables impacts scanning through the UI. The web consoles alerts you when the number of files
has reached 80 percent of the number of files supported.

Files REST APIs

An introduction to Files REST APIs and the Files REST API explorer.

CAUTION: Alpha APIs are intended for use in testing clusters only and are meant for early
feedback from customers. Do not use the alpha APIs in a production environment. Support for
alpha API-based features may not appear in future releases. Revisions of multiple v4 API versions
may not be compatible. Also note that the APIs could be incomplete, the object schema and
semantics may change drastically. There is no commitment on support for alpha APIs from
Nutanix Support.

The Files REST API Explorer offers developers tools to customize the Files experience using
Files v4 alpha REST APIs. You can access the Files REST API Explorer through the Files Console
or through an FSVM. The Files service v4 APIs are independent from Prism Element (PE) and
Prism Central (PC) APIs. However, the platform APIs, for operations such as create, clone,
update or delete a file server, remain in Prism Element (PE).
To access the Files API Explorer in the Files Console, go to admin > REST API Explorer.

Files |  Files Options | 134

PERFORMANCE OPTIMIZATION
Files performance optimization notifies you when the file server is under load and needs a
change to improve optimization.
Performance optimization includes scale up and scale out options. The Dashboard tab in the
Files Console includes a Recommendations widget that indicates performance optimization
options.
Scale-up recommendations occur when an FSVM reaches 95% client connection utilization
over a two hour time window. If performance is slow due to storage group disruption, the
recommendations for optimal performance options appear in the Recommendations widget.
When possible, perform scale-out and rebalancing operations during maintenance windows, as
scaleout and rebalancing disrupts existing connections.

Figure 76: Performance Optimization Recommendations

Managing Performance Optimization

Performance optimization moves consistently used storage between available storage groups
within the file server.

About this task

CAUTION: This operation can cause a momentary connection drop for end users accessing
files on the file server. When possible, perform scale-out and rebalancing operations during
maintenance windows, or off-peak hours.

Files |  Performance Optimization | 135

Procedure

1. In the Files Console, go to the Dashboard tab.

The file server displays a warning to recommend performance optimization.

Figure 77: Performance Optimization Warning

2. Under Recommendations, click Optimize.

The Recommendations: Performance Optimization window appears.

Files |  Performance Optimization | 136

3. Select one of the following options:

» Scale up
» Rebalance
» Scaleout

Figure 78: Performance Optimization Recommended Options

4. Click Continue.

» For the rebalancing, confirm that you are performing the operation during off-peak hours.

Note: Perform rebalance operations during off-peak hours. For earlier AOS versions, you
must manually unblock the rebalancing operation, see Unblocking Rebalancing on
page 138.

» For scale up or scale out, continue to the next step to update the file server capacity
configuration.

5. (Scale up and scale out only) update the file server capacity configuration.

a. Review or modify the recommended value for Number of VCPUs Per File Server VM as it
appears in the drop-down menu.
b. Review or modify the recommended value for Memory Per File Server VM as it appears in
the drop-down menu.
c. To complete the configuration, click Save.

Dismissing recommendations

Files |  Performance Optimization | 137

 6. In the Recommendations: Performance Optimization window, click Dismiss
Recommendations.
New recommendations appear in the Recommendations widget once the system identifies
new instances of high performance load.

Unblocking Rebalancing
Unblock rebalancing guardrails.

About this task

Files guardrails prevent initiating rebalancing operations during high-volume periods.

Procedure
Unblock load-balancing guardrails on the file server.
nutanix@fsvm$ afs lb.unblock_rebalancing

Workload Optimization
This chapter describes options for optimizing the performance of your Files cluster.
There are three types of share workload types: default, random, and sequential. Designating
a workload type determines the file system characteristics (including block size) used for the
share, which optimizes the resource usage and performance of certain workloads. For example,
workloads with small I/O on large files perform more efficiently with small block sizes.
The different workload types have the following specifications.

• Default: Uses 64 KB per block. Does not provide specified optimization. The share can
perform all workloads varying performance
• Random: Uses 16 KB per block. Optimized for small I/O workloads.
• Sequential: Uses 1 MB per block. Optimized for large I/O workloads. Requires a minimum of
24 GB memory per FSVM.
The Shares view in the Files Console includes a Metrics tab and a Performance subtab, which
displays write, read, and metadata I/O per second in the IOPS graph. Use the data from the
graph to configure the workload type for the share, see Modifying the Workload Type on
page 138.

CAUTION: If you modify the share type without following the workload optimization guidance as
specified, share performance can degrade.

• If the I/O sizes for read and write operations are less than or equal to 16 KB and the file sizes
equal to 10 MB or more, use the Random workload type.
• If the I/O sizes for read and write operations are less than or equal to 1 MB and the file sizes
equal to 10 MB or more, use the Sequential workload type.
• If the I/O sizes for read and write operations do not match the criteria for Random or
Sequential workload types, use the Default workload type.

Modifying the Workload Type

To optimize performance, modify the workload type of a share or export.

Files |  Performance Optimization | 138

 About this task
Perform the following steps to modify the workload size of a share or export, see Workload
Optimization on page 138 for optimization guidelines.

Note: Changing the workload type of a share changes the performance characteristics only for
the files created after the change.

Procedure
Replace share-name with the name of the share or export. Replace workload with one of the
following workload types: default , sequential, or random.
nutanix@fsvm$ afs share.edit share-name share_workload_type=workload

File System Compression

File system compression reduces the input and output (I/O) load, iSCSI traffic, space usage,
and the amount of data on a share or export.
You can enable file system compression at the share or export level. Earlier versions of Files
included compression at the container level. Files applies share-level compression during ingest
operations, compressing incoming data in-line prior to writing it to storage. As a result, share-
level compression reduces storage traffic between Files and AOS.

Note: Only clusters created with later versions of Files and AOS support file system compression.
The option to enable file system compression does not appear on clusters created with earlier
versions of Files and AOS.

To enable or disable compression on the share-level, see the following:

• Creating an Export (NFS) on page 71

• Creating a Share (SMB) on page 65
• Creating a Multi-Protocol Share or Export on page 80
• Modifying a Share or Export on page 89

Files |  Performance Optimization | 139

DATA MANAGEMENT
File server data recovery and management options.
Files provides several features to manage how you access and recover data on your file server.
Manage the availability of data using data recovery features, which include self-service restore
(SSR) and several types of disaster recovery (DR). Use the tiering feature to maximize space
on the file server by moving stale data to an object store. You must configure tiering policies
for the file server through File Analytics, see Smart Tiering on page 147 and the File Analytics
Guide for more details.
Async and NearSync DR replicates data to a protection domain at the granularity of a file
server, while Smart DR replicates data with share-level granularity to a recovery file server (see
"Smart DR" in the Files Manager User Guide for information on Smart DR). If there is a disaster,
you can restore your data from snapshots on the protection domain or on the recovery file
server.
SSR does not copy file data but instead takes read-only snapshots at the share/export-level.
You can recover data from a deleted file or an earlier version of a file based on your snapshot
retention configuration. SSR for SMB lets you restore and manage previous versions of Files
at the system-level, while SSR for NFS lets you restore files by manually copying read-only
snapshot versions.
Both DR and SSR let you configure a desired snapshot interval. With DR, you can set a specific
time to take the snapshot, which is not possible with SSR.
Refer to Self-Service Restore on page 147 and Data Protection and Recovery on page 140
sections for more details on configuring SSR and DR.

Data Protection and Recovery

Files supports disaster recovery (DR) through customizable protection domains and protection
policies.

Tip: For information on disaster recovery with share-level replication, see "Smart DR" in the Files
Manager User Guide.

As part of DR, Files automatically creates a protection domain for a file server and the entities
within the file server (such as VMs and volume groups) during file server creation. By default,
Files adds all entities on the file server to the protection domain.
To activate DR, enable and set up the schedule for snapshots and replication for the protection
domain. Files Async and NearSync DR take snapshots when the preceding snapshot is
complete. Async has a 60-minute recovery point objective (RPO). NearSync has a 1-minute
recovery point objective (RPO).
Files creates a dedicated container for each file server instance, which cannot be used by
another file server, VM, or for any other purpose. This requirement also applies to remote
containers used for replication. If you want to replicate a file server container to a remote site,
make sure that the remote container, like the local container, is not used for any other purpose.
The remote site must have at least the same number of nodes as the number of FSVMs in the
Files instance. To ensure feature parity after activating the file server on the remote site, both
sites must have the same AOS version.
You can provide custom names for the file server protection domains at the time of setting up
the file server (see Creating a File Server on page 36). If a file server does not have a specified
protection domain name, the default protection domain name is NTNX-file_server_name.
Files supports cross-hypervisor DR. Configuration steps are the same.

Files |  Data Management | 140

 Note: You can restore all self-service restore (SSR) and Windows Previous Version (WPV)
snapshots that exist at the time of the protection domain (PD) snapshot locally or remotely.

Configuring Disaster Recovery

This task describes how to set up disaster recovery for file server clusters for planned or
unplanned (disaster) migration.

About this task

To set up file server Async disaster recovery (protection domain based), follow the steps in this
procedure.

Note: Refer to "Smart DR" in the Files Manager Guide, for steps on configuring Smart DR.

Procedure

1. If you have not done so already, configure a remote backup site to the local cluster.
See the "Configuring a Remote Site (Physical Cluster)" topic in the Data Protection and
Recovery with Prism Element guide.

Note: The remote site must have at least the same number of nodes as the number of FSVMs
in the Files instance.

2. In the Files Console (see Files Console on page 18), go to Data Management > Protection.
The Disaster Recovery and Self Service Restore tabs appear. In the Disaster Recovery tab,
the Protection Domain (PD) Based and Smart DR sections specify if the indicated DR type is
enabled.
After creating a file server, Files automatically adds the file server to a newly created
protection domain. However, when the file server does not have a protection domain, the
Configure action link displays in the Protection Domain (PD) Based section with the not
enabled status.

3. To add the file server to a protection domain, do the following:

a. Click Configure.
Files redirects to the File Server view in Prism Element.

4. In the file server table, select the file server by clicking the row it appears in.

5. Under the file server table, click the Protect action link.
The Protection configuration: [file-server-name] window appears.

6. In the Disaster Recovery section do the following:

a. (Optional) in the Protection Domain Name field, update the name of the protection
domain.
b. Click Protect File Server.

Files |  Data Management | 141

7. (Optional) configure a schedule for disaster recovery.

Note: Prism creates a default schedule for every protection domain.

a. In the Files Console, go to Data Management > Protection.

b. Click Manage on Prism Element.
Files redirects you to Prism Element.
c. See Creating a Protection Domain Schedule on page 142 to add or modify the
protections schedule.

8. Configure the local and remote container mapping.

a. Note: In Metro-Availability-enabled environments, avoid using identical container names.

Ensure that the name of the remote container is unique, then map the containers to each
other.

If you did not map the local and remote containers when configuring a remote site
(VStore name mapping), create a new remote container.

Tip: See the "Creating a Storage Container" section in the Prism Web Console Guide for
this procedure.

Changing a vStore mapping causes associated protection domains to initiate full

replication of protected entities to the newly specified target container as if it were
initial replication. A mapping change therefore results in the overconsumption of storage
resources at the remote site. Contact Nutanix Support for help with cleaning up snapshots
in the previously specified container.
b. Ensure that the remote and the local containers have symmetric configurations and that
both containers map to each other. On the remote VStore site, configure explicit mapping
between the source and the destination container.

Creating a Protection Domain Schedule

This task describes how to create a snapshot schedule for Files protection domains.

About this task

Create a snapshot schedule for the protection domain to use Files disaster recovery.

Note: Ensure to also save the snapshot schedule on the remote site.

Procedure

1. In Prism Element, go to the Data Protection tab in the pull-down menu.

2. In the Table view and Async DR tab, select the protection domain from the table.

3. Click Update.
The "Update Protection Domain" window appears.

4. In the Schedule tab, click New Schedule (or, to update an existing schedule, click the pencil
icon).

Files |  Data Management | 142

5. Complete the indicated fields:

Figure 79: Create the File Server Protection Domain Schedule

a. Repeat every [minutes|hours|days]: Click the appropriate circle for minutes, hours, or
days and then enter the desired number in the box for the scheduled time interval.
The interval cannot be less than 1 minute.

Note: Intervals of less than 60 minutes use NearSync disaster recovery. NearSync
schedules inherit requirements and limitations of AOS NearSync, see "Requirements of

Files |  Data Management | 143

 Data Protection with NearSync Replication" in the Data Protection and Recovery with
Prism Element guide.

b. Repeat [weekly|monthly]: Select which days to run the schedule.

• If you select weekly, select the boxes for the days of the week the schedule should run.
• If you select monthly, enter one or more integers (in a comma-separated list) to
indicate which days in the month to run the schedule. For example, to run the schedule
on the 1st, 10th, and 20th days, enter "1,10, 20".
c. Start on: Enter the start date and time in the indicated fields.
The default value is the current date and time. Enter a new date if you want to delay the
schedule from starting immediately.
d. End on: To specify an end date, check the box and then enter the end date and time in
the indicated fields.
The schedule does not have an end date by default, and the schedule runs indefinitely
unless you enter an end date.
e. Retention Policy: Enter the number of snapshots to save locally and at the remote sites.

• Enter a number in the Local line "keep the last ## snapshots" field. The default is 1.
• Enter the number of snapshots to save on the Remote Site in the "keep the last ##
snapshots" field. This number can be different from the number that you have entered
in the Local line. This replication is an async replication. After the replication completes,
the protection domain is going to be available in the Async DR tab of the remote site.
• The saved snapshots equal to the value entered in the keep the last ## snapshots field
+ 1. For example, if you entered 20 as the value for keep the last ## snapshots field,
Files saves 21 snapshots. When Files takes the next (22nd) snapshot, Files deletes the
oldest snapshot and replaces it with the new snapshot.

Note: If too many schedules have the same start time, replications can fall behind. To
avoid this issue, stagger start times across schedules.

Activating Disaster Recovery

This topic describes how to recover a file server cluster after a planned or unplanned (disaster)
migration.

About this task

Note: The name for the automatically created protection domain contains NTNX as a prefix
followed by the file server name.

Procedure

1. Fail over the protection domain.

Unactivated protection domains display shaded indicators next to the protection domain
name. Activated protection domains display green indicators next to the name. For AOS
5.15 in later, see "Failover and Failback Operations for Asynchronous and NearSync DR" in
the Data Protection and Recovery with Prism Element guide. For earlier AOS versions, see
the "Failing Over a Protection Domain" topic in the Prism Web Console Guide for either a
planned (migration) or unplanned (disaster recovery) activation procedure.

Files |  Data Management | 144

2. Fail back a protection domain.
See the "Failing Back a Protection Domain" topic in the Prism Web Console Guide for this
procedure.

What to do next
Activate the file server for planned or unplanned migration (see Activating a File Server on
page 145).

Activating a File Server

Activate an inactive file server.

About this task

Follow the steps as indicated to activate a file server after disaster recovery.

Procedure

1. In the Prism Element File Server view, select the target file server.
When a file server is inactive, (Needs activation) appears next to the file server name and an
Activate button appears in the action button list (just below the file server table).

Files |  Data Management | 145

2. Click the Activate button.
The Activate File Server window appears.

Figure 80: Activate File Server

Files |  Data Management | 146

 3. Complete the indicated fields in the Client Network and Storage Network tabs.
Some fields populate from information provided when the file server was created. See
Creating a File Server on page 36 for more information about the fields.

4. When all the information is complete, click the Save button.

The file server configuration updates, and the (Needs activation) message disappears indicating
the file server is now active.

High Availability
Fail over for file server VMs (FSVMs).
High Availability (HA) for Files insures that during a disruption of service a file server VM
(FSVM), on clusters of two or more FSVMs, can fail over to another FSVM. High Availability is
enabled by default on all clusters of two or more FSVMs.
When an FSVM experiences an issue, Files reassigns the IP of the FSVM to another FSVM in the
cluster. The IP of the out-of-service FSVM remains available. However, the shares and exports
on the impacted FSVM are unavailable for several minutes during a failover.
Affinity rules do not affect HA; multiple FSVMs can share a single host during a HA event.

Smart Tiering
Tier data to an object store.
You can free up space on your file server by tiering data to aobject store. You must configure
tiering through Data Lens. However, you can also access the Tiering Dashboard on Data Lens
from the Files Console. In the Files Console, go to Data Management > Smart Tiering and click
Manage on Data Lens.

Self-Service Restore
Self-service restore (SSR) lets you open and copy a previous version of a file. For SMB you can
use SSR to restore files.
With Self-Service Restore (SSR), Files takes snapshots of the stored cluster data at the share
level. SSR exposes these snapshots to the share or export and lets you view or restore a file
from any of the previous snapshots without an administrator. The snapshots are read-only and
point-in-time (snapshots taken at a certain time) copies.
SSR is disabled by default, but you can enable it during or after share creation.
Files supports 24 hour (every hour), daily, weekly, and monthly snapshots on a fixed schedule.
By default, SST takes a snapshot every hour, retains the most recent 24 snapshots, and deletes
the oldest SSR snapshot after exceeding the retention count for the snapshot type. Schedule
snapshots for regular or frequent intervals to provide same-day protection against accidental
deletions.
The snapshot retention count corresponds to the retention period, which are as follows:

• 24 hours for hourly snapshots

• 7 days for daily snapshots
• 4 weeks for weekly snapshots
• 3 months for monthly snapshots
For example, when the snapshot count for daily snapshots is 7, Files deletes the oldest
snapshot and creates a new one every day.

Files |  Data Management | 147

 You can view removed or overwritten files and choose a snapshot from the history of a share
or export. For SMB, you can restore files through the system. For NFS, Files only provides read-
access and you must manually perform restoration. Admins can configure snapshots schedules
at a file-server-level that are applicable to all shares and exports in the file server. Currently, it is
not possible to configure unique SSR schedules for shares.
Files supports share updates for both standard and distributed shares. To enable SSR during
share creation, see Creating a Share (SMB) on page 65 or Creating an Export (NFS) on page 71.
To enable SSR after share creation, see Enabling Self-Service Restore on page 148.

Limitations
Consider the following limitations before enabling SSR.

• SSR for SMB does not restore streams or attributes in directories.

• Files does not support SSR at the root of distributed shares or exports.

Enabling Self-Service Restore

Enable self-service restore on a share or export.

About this task

Follow the steps as indicated.

Procedure

1. In the Files Console, go to the Shares tab.

2. In the row for the target share, click three dot menu > edit.

3. In the Update Share window, click Next to go to the Settings tab.

Files |  Data Management | 148

 4. For the Enable Self-Service Restore box, do one of the following:

» To enable self-service restore, check the box.

» Otherwise, to disable self-service restore, clear the box.

Figure 81: Enabled Self-Service Restore

5. Click Next > Save

What to do next
Add a snapshot schedule for SSR, see Adding Snapshot Schedules on page 149.

Adding Snapshot Schedules

Add file server protection by adding a snapshot schedule.

About this task

Use self-service restore (SSR) to create snapshot schedules to protect the file server. You
can change the snapshot intervals but cannot change the specific time when Files takes the
snapshot. Files takes snapshots at 00:00 UTC (midnight) for daily snapshots and at 0 minutes
for hourly snapshots.

Before you begin

Ensure that the file server shares have SSR enabled.

Note: The limit for configured snapshots is 50 or all schedule types.

Files |  Data Management | 149

Procedure

1. In the Files Console, go to Data Management > Protection > Self Service Restore.
The Self Service Restore window displays.

Figure 82: Add snapshot schedule

2. Click + Add New Schedule and enter schedule details in the indicated fields.

a. Type: Set the schedule interval. The snapshot types include hourly, daily, weekly, and
monthly.

Note: You can only have one schedule type per file server. For example, a single file server
cannot have two hourly schedules.

The schedule does not have an end date by default, and the schedule runs indefinitely
unless you enter an end date.

• If you select weekly, select boxes for the days of the week to run the schedule. Select
the boxes in Pick days of week.
• If you select monthly, enter one or more integers (in a comma-separated list) to
indicate which days in the month to run the schedule. For example, to run the schedule
on the 1st, 10th, and 20th days, enter "1,10,20".
b. Frequency: Enter the number of snapshots to occur within that type of schedule in the
box. Enter the value in numerical format for minutes, hours, or days.
The interval cannot be less than an hour, so the minutes value must be at least 60.

Note: The frequency field only supports hourly and daily schedules.

c. Snapshots: Enter the number of snapshots to retain for this schedule. Enter the value in
numerical format.

Files |  Data Management | 150

 3. Click the blue check mark icon to add the schedule.
The new schedule appears in the Snapshot Schedule table.

4. To edit an existing snapshot schedule, click the three dots menu > edit icon.

a. To delete an existing schedule, click three dots menu > delete. Deleting schedules
ages out the snapshots based on the schedule type. For example, Files deletes hourly
schedules every hour until complete.

Retrieving Files (SMB Only)

This task describes how to retrieve files from file shares using self-service restore.

About this task

Procedure

1. To access the file share, go to the target directory and select Properties > Previous Versions.
Previous versions of files display in order of date modified. Therefore, unmodified files do not
appear. Previous versions of folders display every available snapshot.
To see deleted files or directories, access a previous version of the parent folder and restore
the file or directory.

2. Open and manage the previous versions according to your vendor documentation.

Retrieving Files (NFS Only)

Follow this procedure to retrieve snapshots of earlier file versions using Self-Service Restore
(SSR).

About this task

Enabling SSR on NFS exports lets you access snapshot versions of a directory using a hidden
.snapshot subdirectory. Browse the directory for the intended snapshot and restore it by
manually copying the file or its content.

Note: When the absolute path to the directory of the snapshot is longer than 3922 characters,
the attempt to browse into the snapshot can fail with a file name too long error message.

Follow these steps to restore a snapshot version from an NFS client.

Procedure

1. Go to the snapshots of the target directory by replacing /dir1/dir2 with the directory path.
$ cd /dir1/dir2/.snapshot

Note: You can only get to the .snapshot directory using the cd command. The .snapshot directory
is not visible otherwise. Using the ls -a command does not show the .snapshot directory.

2. List the snapshots for the target directory.

$ ls

3. Browse through the snapshots and copy the desired data.

Deleting SSR Snapshots

Manually delete SSR snapshots to reclaim disk space.

Files |  Data Management | 151

 About this task
By default, Files deletes the oldest SSR snapshot after exceeding the retention count for that
snapshot type. To manually delete SSR snapshots, follow the steps as indicated.

Procedure

1. List the snapshots by creation time.

nutanix@fsvm$ afs snapshot.list share_name=share_name

2. List the space occupied by a single snapshot or by a range.

nutanix@fsvm$ afs snapshot.reclaimable_space uuid_start:uuid_end

3. Remove snapshots.

» Remove a single snapshot using the universally unique identifier (UUID).

Note: You can delete multiple snapshots by specifying a comma-separated list of UUIDs.

nutanix@fsvm$ afs snapshot.remove share_name=share_name snapshot_uuid_list=snapshot_uuid

» Remove multiple snapshots using labels by defining the label. Labels define if the
snapshot schedule is hourly, daily, weekly, or monthly. Deleting snapshots using labels
deletes all snapshots for the specified label on the share.
nutanix@fsvm$ afs snapshot.remove share_name=share_name label=label

Setting Custom Snapshot Times

Set a custom hour for SSR snapshots.

About this task

Files takes SSR snapshots at 00:00 UTC (midnight) for daily snapshots and at 0 minutes for
hourly snapshots, taken 24 times per day. To take snapshots at a custom time, indicate the time
by specifying the number of hours offset from midnight UTC time.

Procedure
Replace 1 - 23 with an integer to specify the time offset from UTC. For example, replace 1 - 23
with 2 to offset the time by 2 hours.
nutanix@fsvm$ afs snapshot.set_ssr_hourly_offset 1 - 23

Files |  Data Management | 152

SECURITY HARDENING
Use the Nutanix command-line interface (nCLI) or Files CLI to customize your Files security
configuration.

Note: Hardening Files with the settings described in this section requires AOS 5.19.2 (or later)
and Files 3.8.1 (or later).

Table 21: Department of Defense (DoD) Hardening Configuration

Description Command or settings

Support file server configuration of the SCMA ncli file-server get-security-config fs-name=file-server-name
policy.

Schedule weekly execution of advanced ncli file-server edit-security-params fs-name=file-server-name

intrusion detection environment (AIDE) enable-aide=true

Enable the strong password policy. cli file-server edit-security-params fs-name=file-server-name

enable-high-strength-password=true

Enable the Department of Defense knowledge ncli file-server edit-security-params fs-name=file-server-name

consent banner of the US department. enable-banner=true

Change the default schedule of running the ncli file-server edit-security-params fs-name=file-server-name
SCMA. The schedule can be hourly, daily, schedule=hourly
weekly, and monthly.

Disable the core-dump settings to let the ncli file-server edit-security-params fs-name=file-server-name
file server VM generate stack traces for any enable-core=false
cluster issue.

Note: On a file server, this parameter

turns both the core and the kerneldump salt
status on or off.

When a high governance official must run the Have the following settings.
hardened configuration. Enable Aide : true
Enable Core : false
Enable High Strength Password : true
Enable Banner : false
Schedule : HOURLY

When a federal official must run the hardened Have the following settings.
configuration. Enable Aide : true
Enable Core : false
Enable High Strength Password : true
Enable Banner : true
Schedule : HOURLY

Files |  Security Hardening | 153

Description Command or settings

Back up the DoD banner file. Run the following command, and repeat on all
FSVMs.
nutanix@FSVM$ sudo cp -a /srv/salt/security/AFS/sshd/
DODbanner /srv/salt/security/AFS/sshd/DODbannerbak

Modify DoD banner file. Run the following command, and repeat on all
FSVMs.
nutanix@FSVM$ sudo vi /srv/salt/security/AFS/sshd/
DODbanner

Secure Sockets Layer (SSL) Certificate Settings

Files supports installing a self-signed or custom SSL certificate for certificate-based
authentication. For file servers, these operations are only available through the nCLI and afs-CLI
commands.

Table 22: SSL Certificate Settings on a File Servers

Description Command or Settings

Generate a new self-signed SSL certificate. Run the following command.

Note: Replace fs_uuid with the universally

unique identifier of the file server.

nutanix@CVM$ ncli file-server ssl-certificate-generate

uuid=fs_uuid

Replace the existing self-signed SSL certificate Run the following command.
with a new one. nutanix@CVM$ ncli file-server ssl-certificate-change-pfx-file-
password uuid=fs_uuid

Get the current SSL certificate. Run the following command.

nutanix@CVM$ file-server get-ssl-certificate

Apply a custom SSL certificate on an FSVM. Run the following command.

• Replace ca-path with the CA certificate or

chain file path.
• Replace cert-path with the SSL certificate file
path.
• Replace key-path with the private key path.
• Replace value with the type of private
key (ECDSA_256, ECDSA_384, ECDSA_521,
RSA_2048).
nutanix@FSVM$ afs misc.import_ssl ca_chain_file=ca_path
cert_file=cert-path
key_file=key-path key_type=value

Files |  Security Hardening | 154

Quality of Service (QoS) Setup
The table following details QoS setup on a file server using differentiate services code point
(DSCP) values.

Note: QoS requires the --qos_enabled=True gflag .

Table 23: QoS Settings

Description Command or settings

Enable QoS. nutanix@FSVM$ afs net.enable_qos

[management_dscp_value=value]
Note: The default management traffic [data_dscp_value=value]
value is 16, and the default data traffic
value is 10.

Get the currently configured DSCP values. nutanix@FSVM$ afs net.get_qos

Modify the DSCP value of one or more traffic nutanix@FSVM$ afs net.edit_qos
types. [management_dscp_value=value] [data_dscp_value=value]

Disable QoS on all traffic types and delete the nutanix@FSVM$ afs net.disable_qos
existing configuration.

Rsyslog
The table following provides details on rsyslog daemon configuration for log forwarding.

Files |  Security Hardening | 155

Table 24: Rsyslog

Description Command or settings

Add a rsyslog server. nutanix@FSVM$ afs rsyslog.add_server

server_name=server_name ip_address=server_ip
port=server_port network_protocol=TCP/UDP
relp_enabled=true/false

Modify the properties of the rsyslog server. nutanix@FSVM$ afs rsyslog.update_server

server_name=configured_server_name ip_address=server_ip
port=server_port network_protocol=TCP/UDP
relp_enabled=true/false

Remove the configured rsyslog server. nutanix@FSVM$ afs rsyslog.remove_server

server_name=configured_server_name

Add forwarded modules and their debug-level nutanix@FSVM$ afs rsyslog.add_server_module

to the rsyslog server. server_name=configured_server_name
module_name=SYSLOG_MODULE level=ALERT/
Note: Files only supports the syslog CRITICAL/ DEBUG/ EMERGENCY/ ERROR/ INFO/
module. NOTICE/ WARNING

Remove the module and forwarding level form nutanix@FSVM$ afs rsyslog.remove_server_module
the rsyslog server. server_name=configured_server_name
module_name=SYSLOG_MODULE

Set the status for rsyslog forwarding. (You can nutanix@FSVM$ afs rsyslog.set_status enable=true/false
disable rsyslog forwarding completely without
removing the configured server details.)

Note: Setting the false status ends

forwarding and removes the configuration.

Get the status of rsyslog forwarding. nutanix@FSVM$ afs rsyslog.get_status

Get the current rsyslog configuration. nutanix@FSVM$ afs rsyslog.list

Get the configured modules and their nutanix@FSVM$ afs rsyslog.list_modules

forwarding level for a configured rsyslog server_name=server_name
server.

Set up transport layer security (TLS)
parameters of the rsyslog server.
Note: Not setting the auth-mode to anon,
requires specifying permitted peers in a
comma-separated list.
nutanix@FSVM$ afs rsyslog.set_tls auth_mode=anon, x509/
certvalid, x509/fingerprint,
x509/name
ca_chain_path=PEM_encoded_CA_certificate_file_absolute_path
permitted_peers=permitted_peers

Get the configured TLS parameters. nutanix@FSVM$ afs rsyslog.get_tls

Disable all configured TLS parameters, and nutanix@FSVM$ afs rsyslog.disable_tls

disable TLS on forwarded packets.

Files |  Security Hardening | 156

TROUBLESHOOTING
Invalid Mounts After Authentication Change
Clients cannot mount share.
Changes to the authentication method.

Procedure
Remount the authentication type as a value for parameter sec.
host$ -o sec=authentication-type

For example, use -o sec=krb5 for Kerberos 5.

Client Access Denial (NFS Protocol)

Linux client experiences a "permission denied" error while accessing NFS shares.
A user management (authentication) change on an existing file server.

Procedure
This problem might be fixed by restarting the RPC-GSSAPI service on the clients. For example,
enter the following command on a Linux CentOS 6 client:
nutanix@fsvm$ sudo service rpcgssd restart

The command syntax to restart the RPC-GSSAPI service varies among different Linux versions.

Clients Cannot Mount Shares

Clients in the same subnet as the Controller VM or in the storage network of the file server
cannot mount the shares of the file server.
The file server was configured with two separate networks for the client-side and storage-side
networks.

Procedure
To allow clients in the same subnet as the Controller VM or storage network to mount shares,
configure the file server with the same network for both the client-side and storage-side
networks.

Client Side Network Mapping

The file server client network does not map to a site on the AD and does not specify the client
side.
The file server’s client network does not map to any site on the AD. Files cannot find the local
domain controllers in a multi-site AD environment and uses a geographically remote DC, which,
can result in delayed domain operations.

Procedure

1. In a multi-site environment, map the Files client network to a local site in the AD.

2. In a single-site environment or with only a single geographic location, ignore the warning.

Files |  Troubleshooting | 157
Connecting to Authentication Services
The file server cannot connect with the AD server or it cannot contact the LDAP server for the
given domain.
The file server cannot reach the given domain name with the specified DNS server list.
Possible reasons include spelling mistakes in the domain name, incorrect DNS name servers, or
connectivity issues with the domain controller servers.

Procedure

1. Check the DNS server addresses, domain name, and status of the domain controllers.

2. Verify the DNS entries for the given domain name.

Constraint Violation
Domain controller reused an operation due to a possible constraint violation.

• Incorrect SPN configuration.

• An SPN is not unique in the forest and the conflict results in failure.

Procedure

1. Ensure that Files related SPN entries are not present in the forest.

2. Ensure that the domain controllers do not have any replication issues.

DNS Missing SRV Records

SRV records not found on the specified DNS servers.
The specified DNS servers do not resolve the SRV records with the appropriate domain
controller names.

Procedure
Add the domain controller SRV records for the required protocols and services.

Domain Controller Issues

Cannot find a writable and reachable domain controller.
Files cannot discover an active non-RODC (writable) LDAP domain controller (at the site or
domain level).

Procedure
Ensure that one writeable domain controller is working in the given domain.

Finding IP Addresses
Fetch the IP addresses for all FSVMs.
Various causes.

Procedure
Enter the following command from any FSVM: nutanix@fsvm$ afs misc.fsvmips
Output lists the IP addresses for the FSVMs in the node.

Files |  Troubleshooting | 158
Identifying the Share Owner
Identify the owner of a share or export.
The Files UI does not list the name of share and export owners.

Procedure
Perform one of the following commands to identify the share owner.

» List the share owners of a standard share or export.

nutanix@fsvm$ share.owner_fsvm share-name

» List the share owners of a distributed share or export by specifying the share-name and the
share-path(including the name of the top-level directory TLD).
nutanix@fsvm$ share.owner_fsvm share-name path=share-path

Invalid Credential
Invalid user name or password.
Files cannot authenticate on the AD using the given user name and password combinations.

Procedure

1. Ensure that the user name and password are correct.

2. Verify that the user is not expired, locked, or disabled.

NLM Locks
Unable to get Network Lock Manager (NLM) locks from Mac client.
NLM recovery does not work over the User Datagram Protocol (UDP). Use the transmission
Control Protocol (TCP) instead.

Procedure

1. Add the following lines to the /etc/nfs.conf file:

nfs.lockd.send_using_tcp = 1
nfs.statd.send_using_tcp = 1

2. Restart services.
user@host$ launchctl stop com.apple.lockd ; launchctl start com.apple.lockd
user@host$ launchctl stop com.apple.statd ; launchctl start com.apple.statd

Network Cannot Expand

You changed the network ID and the file server cannot expand.
Update the UUIDs.

Procedure

1. Log into the CVM.

Files |  Troubleshooting | 159
 2. To update the file server network, enter the following:
nutanix@cvm$ afs infra.update_file_server_network

3. To update a specific file server within the network, enter the following:
nutanix@cvm$ afs infra.update_file_server_network fs_name

NTLM Authentication Issues

Authentication might be unsuccessful for NTLM when contacting read-only domain controllers
(RODC).
The list of allowed password replication must include the machine account name or file server
name. To resolve, follow troubleshooting steps on a domain controller.

Procedure

1. Add the host name.

C:\>repadmin /prp add RODC_host_name allow machine_account_DN

2. View the list of added names.

C:\>repadmin /prp view RODC_host_name allow

For example, viewing the list of added names would appear similar to the following:
C:\>repadmin /prp view MINDC03 allow

Output looks similar to the following:

Allow list (msDS-RevealOnDemandGroup):
RODC "CN=MINDC03,OU=Domain Controllers,DC=automation,DC=nutanix,DC=com":
CN=MNRVATST124803,CN=Computers,DC=automation,DC=nutanix,DC=com
CN=Allowed RODC Password Replication Group,CN=Users,DC=automation,DC=nutanix,DC=
com

Share Copying
Copy operation interrupted while using Microsoft robocopy to copy large files to Files shares.
Various causes (for example network bandwidth issues).

Procedure
Use robocopy with the /z option. This option resumes any interrupted copy operation.

Stale Statistics
Windows client experiences stale statistics.
Default cache entry time is approximately 5 minutes.

Procedure
To change the default cache entry time of 5 minutes, log into the FSVM and run the following :
nutanix@fsvm$ afs smb.set_conf “stats cache ttl” “value” section=global

Time Difference
A time difference exists between Files and the domain controller.

Files |  Troubleshooting | 160
 Files uses Kerberos protocol for authentication on the AD. Kerberos is a time sensitive protocol
and cannot sync the correct time when the client and servers are out of sync for several
minutes.

Procedure
Use the same NTP server for the domain controller and Files.

Unsuccessful Authentication
Authentication might be unsuccessful for the NT LAN manager (NTL when contacting read-
only domain controllers (RODC).
The list of allowed password replication must include the machine account name or file server
name. To resolve, follow troubleshooting steps on a domain controller.

Procedure

1. Add the host name.

C:\>repadmin /prp add RODC_host_name allow machine_account_DN

2. View the list of added names.

C:\>repadmin /prp view RODC_host_name allow

For example, viewing the list of added names would appear similar to the following:
C:\>repadmin /prp view MINDC03 allow

Output looks similar to the following:

Allow list (msDS-RevealOnDemandGroup):
RODC "CN=MINDC03,OU=Domain Controllers,DC=automation,DC=nutanix,DC=com":
CN=MNRVATST124803,CN=Computers,DC=automation,DC=nutanix,DC=com
CN=Allowed RODC Password Replication Group,CN=Users,DC=automation,DC=nutanix,DC=
com

Files |  Troubleshooting | 161
COPYRIGHT
Copyright 2021 Nutanix, Inc.
Nutanix, Inc.
1740 Technology Drive, Suite 150
San Jose, CA 95110
All rights reserved. This product is protected by U.S. and international copyright and intellectual
property laws. Nutanix and the Nutanix logo are registered trademarks of Nutanix, Inc. in the
United States and/or other jurisdictions. All other brand and product names mentioned herein
are for identification purposes only and may be trademarks of their respective holders.

Files |  Copyright | 162