Reduce storage cost
Build highly available, scalable, software-defined storage solutions at a fraction of the cost of a storage area network (SAN) or network-attached storage (NAS). Storage Spaces Direct lets you use industry-standard servers with local storage.
Create affordable business continuity
Prepare for the worst using synchronous storage replication for disaster recovery across datacenters.
Ensure storage resources for critical apps
Centrally manage and monitor storage performance, control workload access to storage resources, and keep noisy neighbors from impacting performance using storage Quality of Service (QoS) policies.
Reduce capacity needs and cost structure with deduplication
Use improved data deduplication capabilities to support volume sizes up to 64 TB and file sizes up to 1 TB, plus gain volume space savings of up to 90 percent.
<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
>
<channel>
<title>Server Storage at Microsoft</title>
<atom:link href="https://blogs.technet.microsoft.com/filecab/feed/" rel="self" type="application/rss+xml" />
<link>https://blogs.technet.microsoft.com/filecab</link>
<description>The official blog of the Windows Server storage engineering teams</description>
<lastBuildDate>Tue, 18 Oct 2016 00:18:20 +0000</lastBuildDate>
<language>en-US</language>
<sy:updatePeriod>hourly</sy:updatePeriod>
<sy:updateFrequency>1</sy:updateFrequency>
<item>
<title>Storage Spaces Direct with Persistent Memory</title>
<link>https://blogs.technet.microsoft.com/filecab/2016/10/17/storage-spaces-direct-with-persistent-memory/</link>
<comments>https://blogs.technet.microsoft.com/filecab/2016/10/17/storage-spaces-direct-with-persistent-memory/#comments</comments>
<pubDate>Mon, 17 Oct 2016 19:32:42 +0000</pubDate>
<dc:creator><![CDATA[clausjor]]></dc:creator>
<category><![CDATA[Software Defined Storage]]></category>
<category><![CDATA[Windows Server 2016]]></category>
<category><![CDATA[Storage]]></category>
<category><![CDATA[Storage Spaces Direct]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/filecab/?p=7095</guid>
<description><![CDATA[Howdy, Claus here again, this time with Dan Lovinger. At our recent Ignite conference we had some very exciting results and experiences to share around Storage Spaces Direct and Windows Server 2016. One of the more exciting ones that you may have missed was an experiment we did on a set of systems built with the... <a href="https://blogs.technet.microsoft.com/filecab/2016/10/17/storage-spaces-direct-with-persistent-memory/" class="read-more">Read more</a>]]></description>
<content:encoded><![CDATA[<p>Howdy, <a href="https://twitter.com/ClausJor">Claus</a> here again, this time with Dan Lovinger.</p>
<p>At our recent Ignite conference we had some very exciting results and experiences to share around Storage Spaces Direct and Windows Server 2016. One of the more exciting ones that you may have missed was an experiment we did on a set of systems built with the help of Mellanox and Hewlett-Packard Enterprise’s NVDIMM-N technology.</p>
<p>What’s exciting about NVDIMM-N is that it is part of the first wave of new memory technologies referred to as Persistent Memory (PM), sometimes also referred to as Storage Class Memory (SCM). A PM device offers persistent storage – it stays around after the server resets or the power drops – but can sit on the super high speed memory bus, accessible at the granularity (bytes not blocks!) and latencies we’re more familiar with for memory. In the case of NVDIMM-N it is literally memory (DRAM) with the addition of natively persistent storage, usually NAND flash, and some power capacity to allow capture of the DRAM to that persistent storage regardless of conditions.</p>
<p>These 8 HPE ProLiant DL380 Gen9 nodes had Mellanox CX-4 100Gb adapters connected through a Mellanox Spectrum switch and <strong><em>16</em></strong> 8GiB NVDIMM-N modules along with 4 NVMe flash drives – <strong><em>each</em></strong> – for an eye-watering <strong><em>1TiB</em></strong> of NVDIMM-N around the cluster.</p>
<p>Of course, being storage nerds, what did we do: we created three-way mirrored Storage Spaces Direct virtual disks over each type of storage – NVMe and, in their block personality, the NVDIMM-N – and benched them off. Our partners in SQL Server showed it like this:<a href="https://msdnshared.blob.core.windows.net/media/2016/10/PMperf.png"><img width="590" height="733" class="aligncenter size-full wp-image-7105" alt="PMperf" src="https://msdnshared.blob.core.windows.net/media/2016/10/PMperf.png" /></a></p>
<p>What we’re seeing here are simple, low intensity DISKSPD loads – equal in composition – which lets us highlight the relative latencies of each type of storage. In the first pair of 64K IO tests we see the dramatic difference which gets PM up to the line rate of the 100Gb network before NVME is even 1/3<sup>rd</sup> of the way there. In the second we can see how PM neutralizes the natural latency of going all the way into a flash device – even as efficient and high speed as our NVMe devices were – and provides reads at less than 180us to the 99<sup>th</sup> percentile – <strong><em>99% of the read IO was over three times faster </em></strong>for three-way mirrored, two node fault tolerant storage!</p>
<p>We think this is pretty exciting! Windows Server is on a journey to integrate Persistent Memory and this is one of the steps along the way. While we may do different things with it in the future, this was an interesting experiment to point to where we may be able to go (and more!).</p>
<p>Let us know what you think.</p>
<p>Claus and Dan.</p>
<p>p.s. if you’d like to see the entire SQL Server 2016 & HPE Persistent Memory presentation at Ignite (video available!), follow this link: <a href="https://myignite.microsoft.com/sessions/2767">https://myignite.microsoft.com/sessions/2767</a></p>
]]></content:encoded>
<wfw:commentRss>https://blogs.technet.microsoft.com/filecab/2016/10/17/storage-spaces-direct-with-persistent-memory/feed/</wfw:commentRss>
<slash:comments>2</slash:comments>
</item>
<item>
<title>TLS for Windows Standards-Based Storage Management (SMI-S) and System Center Virtual Machine Manager (VMM)</title>
<link>https://blogs.technet.microsoft.com/filecab/2016/10/14/tls-for-windows-standards-based-storage-management-smi-s-and-system-center-virtual-machine-manager-vmm/</link>
<comments>https://blogs.technet.microsoft.com/filecab/2016/10/14/tls-for-windows-standards-based-storage-management-smi-s-and-system-center-virtual-machine-manager-vmm/#respond</comments>
<pubDate>Fri, 14 Oct 2016 16:31:04 +0000</pubDate>
<dc:creator><![CDATA[Jeff Goldner [MSFT]]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<category><![CDATA[SMI-S]]></category>
<category><![CDATA[SNIA]]></category>
<category><![CDATA[SSL]]></category>
<category><![CDATA[Storage Area Network (SAN)]]></category>
<category><![CDATA[Storage Management]]></category>
<category><![CDATA[TLSv1.2]]></category>
<category><![CDATA[VMM]]></category>
<category><![CDATA[Windows Server 2012 R2]]></category>
<category><![CDATA[Windows Server 2016]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/filecab/?p=7075</guid>
<description><![CDATA[In a previous blog post, I discussed setting up the Windows Standards-Based Storage Management Service (referred to below as Storage Service) on Windows Server 2012 R2. For Windows Server 2016 and System Center 2016 Virtual Machine Manager, configuration is much simpler since installation of the service includes setting up the necessary self-signed certificate. We also... <a href="https://blogs.technet.microsoft.com/filecab/2016/10/14/tls-for-windows-standards-based-storage-management-smi-s-and-system-center-virtual-machine-manager-vmm/" class="read-more">Read more</a>]]></description>
<content:encoded><![CDATA[<p>In a <a href="https://blogs.technet.microsoft.com/filecab/2013/05/22/using-indications-with-the-windows-standards-based-storage-management-service-smi-s/">previous blog post</a>, I discussed setting up the Windows Standards-Based Storage Management Service (referred to below as Storage Service) on Windows Server 2012 R2. For Windows Server 2016 and System Center 2016 Virtual Machine Manager, configuration is much simpler since installation of the service includes setting up the necessary self-signed certificate. We also allow using CA signed certificates now provided the Common Name (CN) is “MSSTRGSVC”.</p>
<p>Before I get into those changes, I want to talk about the Transport Layer Security 1.2 (TLS 1.2) protocol, which is now a required part of the Storage Management Initiative Specification (SMI-S).</p>
<h1>TLS 1.2</h1>
<p>Secure communication over HTTP (HTTPS) is accomplished using the encryption capabilities of <a href="https://en.wikipedia.org/wiki/Transport_Layer_Security">Transport Layer Security</a>, which is itself an update to the much older Secure Sockets Layer protocol (SSL) – although still commonly called Secure Sockets. Over the years, several vulnerabilities in SSL and TLS have been exposed, making earlier versions of the protocol insecure. TLS 1.2 is the latest version of the protocol and is defined by <a href="https://tools.ietf.org/html/rfc5246">RFC 5246</a>.</p>
<p>The Storage Networking Industry Association (SNIA) made TLS 1.2 a mandatory part of SMI-S (even <em>retroactively</em>). In 2015, the International Standards Organization (ISO) published <a href="http://www.iso.org/iso/catalogue_detail?csnumber=44404">ISO 27040:2015</a> “Information Technology – Security Techniques – Storage Security”, and this is incorporated by reference into the SMI-S protocol and pretty much all things SNIA.</p>
<p>Even though TLS 1.2 was introduced in 2008, its uptake was impeded by interoperability concerns. Adoption was accelerated after several exploits (e.g., <a href="http://www.webopedia.com/TERM/S/ssl_beast.html">BEAST</a>) ushered out the older SSL 3.0 and TLS 1.0 protocols (TLS 1.1 did not see broad adoption). Microsoft Windows offered <a href="https://blogs.msdn.microsoft.com/kaushal/2011/10/02/support-for-ssltls-protocols-on-windows/">support</a> for TLS 1.2 beginning in Windows 7 and Windows Server 2008 R2. That being said, there were still a lot of interop issues at the time, and TLS 1.1 and 1.2 support was hidden behind various registry keys.</p>
<p>Now it’s 2016, and there are no more excuses for using older, proven-insecure protocols, so it’s time to update your SMI-S providers. But unfortunately, you still need to take action to fully enable TLS 1.2. There are three primary Microsoft components that are used by the Storage Service which affect HTTPS communications between providers and the service: SCHANNEL, which implements the SSL/TLS protocols; HTTP.SYS, an HTTP server used by the Storage Service to support indications; and .NET 4.x, used by Virtual Machine Manager (VMM) (not by the Storage Service itself).</p>
<p>I’m going to skip some of the details of how clients and servers negotiate TLS versions (this may or may not allow older versions) and cipher suites (the most secure suite mutually agreed upon is always selected, but refer to this <a href="https://weakdh.org/">site</a> for a recent exploit involving certain cipher suites).</p>
<h3>A sidetrack: Certificate Validation</h3>
<p>How certificates are validated varies depending on whether the certificate is self-signed or created by a trusted Certificate Authority (CA). For the most part, SMI-S will use self-signed certificates – and providers should never, ever, be exposed to the internet or another untrusted network. A quick overview:</p>
<p>A CA signed certificate contains a signature that indicates what authority signed it. The user of that certificate will be able to establish a chain of trust to a well-known CA.</p>
<p>A self-signed certificate needs to establish this trust in some other way. Typically, the self-signed certificate will need to be loaded into a local certificate store on the system that will need to validate it. See below for more on this.</p>
<p>In either case, the following conditions must be true: the certificate has not expired; the certificate has not been revoked (look up <a href="https://en.wikipedia.org/wiki/Revocation_list">Revocation List</a> for more about this); and the purpose of the certificate makes sense for its use. Additional checks include “Common Name” matching (disabled by default for the Storage Service; must not be used by providers) and key length. Note that we have seen issues where a certificate is valid “from” a given time and there is a time mismatch between the provider and the storage service. These tend to cure themselves once the start time has been passed on both ends of the negotiation. When using the Windows PowerShell cmdlet <a href="https://technet.microsoft.com/en-us/library/jj884241(v=wps.630).aspx">Register-SmisProvider</a> you will see this information.</p>
<p>In some instances, your provider may ignore one or more of the validation rules and just accept any certificate that we present. A useful debugging approach but not very secure!</p>
<p><strong>One more detail</strong>: when provisioning certificates for the SMI-S providers, make sure they use key lengths of 1024 or 2048 bits only. 512 bit keys are no longer supported due to recent exploits. And odd length keys won’t work either. At least I have never seen them work, even though technically allowed.</p>
<h1>Microsoft product support for TLS 1.2</h1>
<p>This article will discuss Windows Server and System Center Releases, and the .NET Framework. It should not be necessary to mess with registry settings that control cipher suites or SSL versions except as noted below for the .NET framework.</p>
<h2>Windows Server 2012 R2/2016</h2>
<p>Since the initial releases of these products, there have been <em>many</em> security fixes released as patches, and more than a few of them changed SCHANNEL and HTTP.SYS behavior. Rather than attempt to enumerate all of the changes, let’s just say it is essential to apply ALL security hotfixes.</p>
<p>If you are using Windows Server 2016 RTM, you also need to apply all available.</p>
<p>There is no .NET dependency.</p>
<h2>System Center 2012 R2 Virtual Machine Manager</h2>
<p>SC 2012 R2 VMM uses the .NET runtime library but the Storage Service does not. If you are using VMM 2012 R2, to fully support TLS 1.2, the most recent version of .NET 4.x should be installed; this is currently <a href="https://blogs.msdn.microsoft.com/dotnet/2016/08/02/announcing-net-framework-4-6-2/">.NET 4.6.2</a>. Also, update VMM to the latest Update Release.</p>
<p>If, for some reason, you must stay on .NET 4.5.2, then a registry change will be required to turn on TLS 1.2 on the VMM Server(s) since by default, .NET 4.5.2 only enables SSL 3.0 and TLS 1.0.</p>
<p>The registry value (which changes to allow TLS 1.0, TLS 1.1 and TLS 1.2 and <em>not </em>SSL 3.0 which you should never use anyway) is:</p>
<p>HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\<strong>v4.0.30319</strong> "SchUseStrongCrypto"=dword:00000001</p>
<p> </p>
<p>You can use this PowerShell command to change the behavior:</p>
<p>Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" -Name "SchUseStrongCrypto" -Value 1 -Type DWord -Force</p>
<p>(Note that the version number highlighted applies regardless of a particular release of .NET 4.5; do not change it!)</p>
<p>This change will apply to every application using the .NET 4.x runtime on the same system. Note that Exchange 2013 does not support 4.6.x, but you shouldn’t be running VMM and Exchange on the same server anyway! Again, apply this to the VMM <em>Server </em>system or VM, which may not be the same place you are running the VMM <em>UI.</em></p>
<h2>System Center 2016 VMM</h2>
<p>VMM 2016 uses .NET 4.6.2; no changes required.</p>
<h1>Exporting the Storage Service Certificate</h1>
<p>Repeating the information from a previous blog, follow these steps on the VMM Server machine:</p>
<ul>
<li>Run MMC.EXE from an administrator command prompt.</li>
<li>Add the Certificates Snap-in using the File\Add/Remove Snap-in menu.</li>
<li>Make sure you select Computer Account when the wizard prompts you, select Next and leave Local Computer selected. Click Finish.</li>
<li>Click OK.</li>
<li>Expand Certificates (Local Computer), then Personal and select Certificates.</li>
<li>In the middle pane, you should see the msstrgsvc certificate. Right-click it, then select All Tasks, Export… That will bring up the Export Wizard.</li>
<li>Click Next to not export the private key (this might be grayed out anyway), then select a suitable format. Typically DER or Base-64 encoded are used but some vendors may support .P7B files. For EMC, select Base-64.</li>
<li>Specify a file to store the certificate. Note that Base-64 encoded certificates are text files and can be opened with Notepad or any other editing program.</li>
</ul>
<p>Note: if you deployed VMM in a HA configuration, you will need to repeat these steps on each VMM Server instance. Your vendor’s SMI-S provider must support a certificate store that allows multiple certificates.</p>
<h2>Storage Providers</h2>
<p>Microsoft is actively involved in SNIA plugfests and directly with storage vendors to ensure interoperability. Some providers may require settings to ensure the proper security protocols are enabled and used, and many require updates.</p>
<h3>OpenSSL</h3>
<p>Many SMI-S providers and client applications rely on the open source project <a href="https://www.openssl.org/">OpenSSL</a>.</p>
<p>Storage vendors who use OpenSSL must absolutely keep up with the latest version(s) of this library and it is up to them to provide you with updates. We have seen a lot of old providers that rely on the long obsolete OpenSSL 0.9.8 releases or unpatched later versions. Microsoft will not provide any support if your provider is out-of-date, so if you have been lazy and not keeping up-to-date, time to get with the program. At the time of this writing there are three current branches of OpenSSL, each with patches to mend security flaws that crop up frequently. Consult the link above. How a provider is updated is a vendor-specific activity. (Some providers – such as EMC’s – do not use OpenSSL; check with the vendor anyway.)</p>
<h3>Importing the Storage Service certificate</h3>
<p>This step will vary greatly among providers. You will need to consult the vendor documentation for how to import the certificate into their appropriate Certificate Store. If they do not provide a mechanism to import certificates, you will not be able to use fully secure indications or mutual authentication with certificate validation.</p>
<h1>Summary</h1>
<p>To ensure you are using TLS 1.2 (and enabling indications), you must do the following:</p>
<ul>
<li>Check with your storage vendor for the latest provider updates and apply them as directed</li>
<li>Update to .NET 4.6.2 on your VMM Servers <em>or</em> enable .NET strong cryptography if you must use .NET 4.5.x for any reason</li>
<li>Install the Storage Service (installing VMM will do this for you)</li>
<li>If you are using Windows Server 2012 R2, refer back to this <a href="https://blogs.technet.microsoft.com/filecab/2013/05/22/using-indications-with-the-windows-standards-based-storage-management-service-smi-s/">previous blog post</a> to properly configure the Storage Service (skip this for Windows Server 2016)</li>
<li>Export the storage service certificate</li>
<li>Import the certificate into your provider’s certificate store (see vendor instructions)</li>
<li><em>Then </em>you can register one or more SMI-S providers, either through the Windows <a href="https://technet.microsoft.com/en-us/library/jj884241(v=wps.630).aspx">Register-SmisProvider</a> cmdlet or using VMM</li>
</ul>
]]></content:encoded>
<wfw:commentRss>https://blogs.technet.microsoft.com/filecab/2016/10/14/tls-for-windows-standards-based-storage-management-smi-s-and-system-center-virtual-machine-manager-vmm/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
</item>
<item>
<title>Squeezing hyper-convergence into the overhead bin, for barely $1,000/server: the story of Project Kepler-47</title>
<link>https://blogs.technet.microsoft.com/filecab/2016/10/14/kepler-47/</link>
<comments>https://blogs.technet.microsoft.com/filecab/2016/10/14/kepler-47/#comments</comments>
<pubDate>Fri, 14 Oct 2016 15:18:10 +0000</pubDate>
<dc:creator><![CDATA[Cosmos Darwin]]></dc:creator>
<category><![CDATA[SDS]]></category>
<category><![CDATA[Software Defined Storage]]></category>
<category><![CDATA[Uncategorized]]></category>
<category><![CDATA[Windows Server 2016]]></category>
<category><![CDATA[S2D]]></category>
<category><![CDATA[Storage]]></category>
<category><![CDATA[Storage Spaces Direct]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/filecab/?p=6997</guid>
<description><![CDATA[The Challenge In the Windows Server team, we tend to focus on going big. Our enterprise customers and service providers are increasingly relying on Windows as the foundation of their software-defined datacenters, and needless to say, our hyperscale public cloud Azure does too. Recent big announcements like support for 24 TB of memory per server... <a href="https://blogs.technet.microsoft.com/filecab/2016/10/14/kepler-47/" class="read-more">Read more</a>]]></description>
<content:encoded><![CDATA[<p><div id="attachment_7045" style="width: 889px" class="wp-caption aligncenter"><img src="https://msdnshared.blob.core.windows.net/media/2016/10/Carryon-1024x597.png" alt="This tiny two-server cluster packs powerful compute and spacious storage into one cubic foot." width="879" height="512" class="wp-image-7045 size-large" /><p class="wp-caption-text">This tiny two-server cluster packs powerful compute and spacious storage into one cubic foot.</p></div></p>
<p><strong>The Challenge</strong></p>
<p>In the Windows Server team, we tend to focus on going <em>big. </em>Our enterprise customers and service providers are increasingly relying on Windows as the foundation of their software-defined datacenters, and needless to say, our hyperscale public cloud Azure does too. Recent <em>big </em>announcements like support for <a href="https://blogs.technet.microsoft.com/windowsserver/2016/08/25/windows-server-scalability-and-more/">24 TB of memory per server</a> with Hyper-V, or <a href="https://www.youtube.com/watch?v=0LviCzsudGY&t=28m00s">6+ million IOPS per cluster</a> with Storage Spaces Direct, or delivering <a href="https://youtu.be/6IFmjMr0Oao?t=45m00s">50 Gb/s of throughput per virtual machine</a> with Software-Defined Networking are the proof.</p>
<p>But what can these same features in Windows Server do for smaller deployments? Those known in the IT industry as Remote-Office / Branch-Office (“ROBO”) – think retail stores, bank branches, private practices, remote industrial or construction sites, and more. After all, their basic requirement isn’t so different – they need high availability for mission-critical apps, with rock-solid storage for those apps. And generally, they need it to be <em>local, </em>so they can operate – process transactions, or look up a patient’s records – even when their Internet connection is flaky or non-existent.</p>
<p>For these deployments, cost is paramount. Major retail chains operate thousands, or tens of thousands, of locations. This multiplier makes IT budgets <em>extremely</em> sensitive to the per-unit cost of each system. The simplicity and savings of hyper-convergence – using the same servers to provide compute <em>and storage </em>– present an attractive solution.</p>
<p>With this in mind, under the auspices of <em>Project Kepler-47</em>, we set about going <em>small</em>…</p>
<p> </p>
<p><strong>Meet Kepler-47</strong></p>
<p>The resulting prototype – and it’s just that, a <em>prototype </em>– was revealed at Microsoft Ignite 2016.</p>
<p><div id="attachment_7055" style="width: 889px" class="wp-caption aligncenter"><img src="https://msdnshared.blob.core.windows.net/media/2016/10/Kepler-47-1024x768.jpg" alt="Kepler-47 on expo floor at Microsoft Ignite 2016 in Atlanta." width="879" height="659" class="size-large wp-image-7055" /><p class="wp-caption-text">Kepler-47 on expo floor at Microsoft Ignite 2016 in Atlanta.</p></div></p>
<p>In our configuration, this tiny two-server cluster provides over 20 TB of available storage capacity, and over 50 GB of available memory for a handful of mid-sized virtual machines. The storage is flash-accelerated, the chips are Intel Xeon, and the memory is error-correcting DDR4 – no compromises. The storage is mirrored to tolerate hardware failures – drive or server – with continuous availability. And if one server goes down or needs maintenance, virtual machines live migrate to the other server with no appreciable downtime.</p>
<p>(Did we mention it also has not one, but <em>two</em> 3.5mm headphone jacks? <a href="http://www.theverge.com/2016/9/7/12823596/apple-iphone-7-no-headphone-jack-lightning-earbuds">Hah</a>!)</p>
<p><div id="attachment_7005" style="width: 889px" class="wp-caption aligncenter"><img src="https://msdnshared.blob.core.windows.net/media/2016/10/Size-1024x390.png" alt="Kepler-47 is 45% smaller than standard 2U rack servers." width="879" height="335" class="wp-image-7005 size-large" /><p class="wp-caption-text">Kepler-47 is 45% smaller than standard 2U rack servers.</p></div></p>
<p>In terms of size, Kepler-47 is barely one cubic foot – 45% smaller than standard 2U rack servers. For perspective, this means both servers fit readily in one carry-on bag in the overhead bin!</p>
<p>We bought (almost) every part online at retail prices. The total cost for each server was just $1,101. This excludes the drives, which we salvaged from around the office, and which could vary wildly in price depending on your needs.</p>
<p><div id="attachment_7015" style="width: 850px" class="wp-caption aligncenter"><img src="https://msdnshared.blob.core.windows.net/media/2016/10/Pricetag.png" alt="Each Kepler-47 server cost just $1,101 retail, excluding drives." width="840" height="540" class="wp-image-7015 size-full" /><p class="wp-caption-text">Each Kepler-47 server cost just $1,101 retail, excluding drives.</p></div></p>
<p> </p>
<p><strong>Technology</strong></p>
<p>Kepler-47 is comprised of two servers, each running <a href="https://www.microsoft.com/en-us/cloud-platform/windows-server">Windows Server 2016 Datacenter</a>. The servers form one hyper-converged <a href="https://technet.microsoft.com/en-us/windows-server-docs/failover-clustering/failover-clustering-overview">Failover Cluster</a>, with the new <a href="https://technet.microsoft.com/en-us/windows-server-docs/failover-clustering/deploy-cloud-witness">Cloud Witness</a> as the low-cost, low-footprint quorum technology. The cluster provides high availability to <a href="https://technet.microsoft.com/en-us/windows-server-docs/compute/hyper-v/hyper-v-on-windows-server">Hyper-V</a> virtual machines (which may also run Windows, at no additional licensing cost), and <a href="https://technet.microsoft.com/en-us/windows-server-docs/storage/storage-spaces/storage-spaces-direct-overview">Storage Spaces Direct</a> provides fast and fault tolerant storage using just the local drives.</p>
<p>Additional fault tolerance can be achieved using new features such as <a href="https://technet.microsoft.com/en-us/library/mt126104(v=ws.12).aspx">Storage Replica</a> with Azure Site Recovery.</p>
<p>Notably, Kepler-47 does not use traditional Ethernet networking between the servers, eliminating the need for costly high-speed network adapters and switches. Instead, it uses Intel Thunderbolt™ 3 over a USB Type-C connector, which provides up to 20 Gb/s (or up to 40 Gb/s when utilizing display and data together!) – plenty for replicating storage and live migrating virtual machines.</p>
<p>To pull this off, we partnered with our friends at Intel, who furnished us with pre-release PCIe add-in-cards for Thunderbolt™ 3 and a proof-of-concept driver.</p>
<p><div id="attachment_7025" style="width: 889px" class="wp-caption aligncenter"><img src="https://msdnshared.blob.core.windows.net/media/2016/10/Thunderbolt-1024x404.png" alt="Kepler-47 does not use traditional Ethernet between the servers; instead, it uses Intel Thunderbolt™ 3." width="879" height="347" class="wp-image-7025 size-large" /><p class="wp-caption-text">Kepler-47 does not use traditional Ethernet between the servers; instead, it uses Intel Thunderbolt™ 3.</p></div></p>
<p>To our delight, it worked like a charm – here’s the <em>Networks</em> view in Failover Cluster Manager. Thanks, Intel!</p>
<p><div id="attachment_7036" style="width: 889px" class="wp-caption aligncenter"><img src="https://msdnshared.blob.core.windows.net/media/2016/10/Screenshot-Cropped-1024x498.png" alt="The Networks view in Failover Cluster Manager, showing Thunderbolt™ Networking." width="879" height="427" class="size-large wp-image-7036" /><p class="wp-caption-text">The Networks view in Failover Cluster Manager, showing Thunderbolt™ Networking.</p></div></p>
<p>While Thunderbolt™ 3 is already in widespread use in laptops and other devices, this kind of server application is new, and it’s one of the main reasons Kepler-47 is <em>strictly </em>a prototype. It also boots from USB 3 DOM, which isn’t yet supported, and has no host-bus adapter (HBA) nor SAS expander, both of which are currently required for Storage Spaces Direct to leverage SCSI Enclosure Services (SES) for slot identification. However, it otherwise passes all our validation and testing and, as far as we can tell, works flawlessly.</p>
<p>(In case you missed it, support for Storage Spaces Direct clusters with just two servers was announced at Ignite!)</p>
<p> </p>
<p><strong>Parts List</strong></p>
<p>Ok, now for the juicy details. Since Ignite, we have been asked repeatedly what parts we used. Here you go:</p>
<p><div id="attachment_7035" style="width: 889px" class="wp-caption aligncenter"><img src="https://msdnshared.blob.core.windows.net/media/2016/10/Parts-1024x576.png" alt="The key parts of Kepler-47." width="879" height="494" class="wp-image-7035 size-large" /><p class="wp-caption-text">The key parts of Kepler-47.</p></div></p>
<table>
<tbody>
<tr>
<td width="173"><em>Function</em></td>
<td width="402"><em>Product</em></td>
<td width="96"><em>View Online</em></td>
<td width="96"><em>Cost</em></td>
</tr>
<tr>
<td width="173"><strong>Motherboard</strong></td>
<td width="402">ASRock C236 WSI</td>
<td width="96"><a href="http://www.newegg.com/Product/Product.aspx?Item=N82E16813599009&cm_re=asrock_c236_wsi-_-13-599-009-_-Product">Link</a></td>
<td width="96">$199.99</td>
</tr>
<tr>
<td width="173"><strong>CPU</strong></td>
<td width="402">Intel Xeon E3-1235L v5 25W 4C4T 2.0GHz</td>
<td width="96"><a href="http://www.serversdirect.com/Components/CPUs_and_Processors/id-CP9160/Intel_Xeon_E3-1235Lv5_2GHz_Quad-core_8M_Cache_25W_LowVoltage_HD_Graphics__Quick_Sync">Link</a></td>
<td width="96">$283.00</td>
</tr>
<tr>
<td width="173"><strong>Memory</strong></td>
<td width="402">32 GB (2 x 16 GB) Black Diamond ECC DDR4-2133</td>
<td width="96"><a href="http://www.newegg.com/Product/Product.aspx?Item=N82E16820014107">Link</a></td>
<td width="96">$208.99</td>
</tr>
<tr>
<td width="173"><strong>Boot Device</strong></td>
<td width="402">Innodisk 32 GB USB 3 DOM</td>
<td width="96"><a href="http://www.nextwarehouse.com/item/?1679318">Link</a></td>
<td width="96">$29.33</td>
</tr>
<tr>
<td width="173"><strong>Storage (Cache) </strong></td>
<td width="402">2 x 200 GB Intel S3700 2.5” SATA SSD</td>
<td width="96"><a href="http://www.newegg.com/Product/Product.aspx?Item=N82E16822106011&cm_re=intel_s3700_200gb-_-22-106-011-_-Product">Link</a></td>
<td width="96">–</td>
</tr>
<tr>
<td width="173"><strong>Storage (Capacity)</strong></td>
<td width="402">6 x 4 TB Toshiba MG03ACA400 3.5” SATA HDD</td>
<td width="96"><a href="http://www.newegg.com/Product/Product.aspx?Item=9SIAAP63ZS6252&cm_re=MG03ACA400-_-09Z-01S5-00008-_-Product">Link</a></td>
<td width="96">–</td>
</tr>
<tr>
<td width="173"><strong>Networking (Adapter)</strong></td>
<td width="402">Intel Thunderbolt™ 3 JHL6540 PCIe Gen 3 x4 Controller Chip</td>
<td width="96"><a href="http://ark.intel.com/products/94031/Intel-JHL6540-Thunderbolt-3-Controller">Link</a></td>
<td width="96">–</td>
</tr>
<tr>
<td width="173"><strong>Networking (Cable)</strong></td>
<td width="402">Cable Matters 0.5m 20 Gb/s USB Type-C Thunderbolt™ 3</td>
<td width="96"><a href="https://www.amazon.com/USB-IF-Certified-Cable-Matters-Thunderbolt/dp/B01AS8U7GU">Link</a></td>
<td width="96">$17.99*</td>
</tr>
<tr>
<td width="173"><strong>SATA Cables</strong></td>
<td width="402">8 x SuperMicro CBL-0481L</td>
<td width="96"><a href="http://store.supermicro.com/cable/sas-sata/81cm-sata-cbl-0481l.html">Link</a></td>
<td width="96">$13.20</td>
</tr>
<tr>
<td width="173"><strong>Chassis</strong></td>
<td width="402">U-NAS NSC-800</td>
<td width="96"><a href="http://www.u-nas.com/xcart/product.php?productid=17617">Link</a></td>
<td width="96">$199.99</td>
</tr>
<tr>
<td width="173"><strong>Power Supply</strong></td>
<td width="402">ASPower 400W Super Quiet 1U</td>
<td width="96"><a href="http://www.u-nas.com/xcart/product.php?productid=17624">Link</a></td>
<td width="96">$119.99</td>
</tr>
<tr>
<td width="173"><strong>Heatsink</strong></td>
<td width="402">Dynatron K2 75mm 2 Ball CPU Fan</td>
<td width="96"><a href="http://www.newegg.com/Product/Product.aspx?Item=N82E16835114115">Link</a></td>
<td width="96">$34.99</td>
</tr>
<tr>
<td width="173"><strong>Thermal Pads</strong></td>
<td width="402">StarTech Heatsink Thermal Transfer Pads (Set of 5)</td>
<td width="96"><a href="http://www.newegg.com/Product/Product.aspx?Item=9SIA0ZX44E7726&cm_re=startech_thermal-_-35-230-030-_-Product">Link</a></td>
<td width="96">$6.28*</td>
</tr>
</tbody>
</table>
<p>* Just one needed for both servers.</p>
<p> </p>
<p><strong>Practical Notes</strong></p>
<p>The ASRock C236 WSI motherboard is the only one we could locate that is mini-ITX form factor, has eight SATA ports, and supports server-class processors and error-correcting memory with SATA hot-plug. The E3-1235L v5 is just 25 watts, which helps keep Kepler-47 very quiet. (Dan has been running it <em>literally </em>on his desk since last month, and he hasn’t complained yet.)</p>
<p>Having spent all our SATA ports on the storage, we needed to boot from something else. We were delighted to spot the USB 3 header on the motherboard.</p>
<p>The U-NAS NSC-800 chassis is not the cheapest option. You could go cheaper. However, it features an aluminum outer casing, steel frame, and rubberized drive trays – the quality appealed to us.</p>
<p>We actually had to order two sets of SATA cables – the first were not malleable enough to weave their way around the tight corners from the board to the drive bays in our chassis. The second set we got are flat and 30 AWG, and they work great.</p>
<p>Likewise, we had to confront physical limitations on the heatsink – the fan we use is barely 2.7 cm tall, to fit in the chassis.</p>
<p>We salvaged the drives we used, for cache and capacity, from other systems in our test lab. In the case of the SSDs, they’re several years old and discontinued, so it’s not clear how to accurately price them. In the future, we imagine ROBO deployments of Storage Spaces Direct will vary tremendously in the drives they use – we chose 4 TB HDDs, but some folks may only need 1 TB, or may want 10 TB. This is why we aren’t focusing on the price of the drives themselves – it’s really up to you.</p>
<p>Finally, the Thunderbolt™ 3 controller chip in PCIe add-in-card form factor was pre-release, for development purposes only. It was graciously provided to us by our friends at Intel. They have cited a price-tag of $8.55 for the chip, but not made us pay yet. <img src="https://s.w.org/images/core/emoji/72x72/1f642.png" alt="" class="wp-smiley" style="height: 1em; max-height: 1em;" /></p>
<p> </p>
<p><strong>Takeaway</strong></p>
<p>With <em>Project Kepler-47</em>, we used Storage Spaces Direct and Windows Server 2016 to build an unprecedentedly low-cost high availability solution to meet remote-office, branch-office needs. It delivers the simplicity and savings of hyper-convergence, with compute and storage in a single two-server cluster, with next to no networking gear, that is <em>very </em>budget friendly.</p>
<p>Are you or is your organization interested in this type of solution? Let us know in the comments!</p>
<p> </p>
<p>// Cosmos Darwin (<a href="https://twitter.com/CosmosDarwin">@CosmosDarwin</a>), Dan Lovinger, and Claus Joergensen (<a href="https://twitter.com/ClausJor">@ClausJor</a>)</p>
]]></content:encoded>
<wfw:commentRss>https://blogs.technet.microsoft.com/filecab/2016/10/14/kepler-47/feed/</wfw:commentRss>
<slash:comments>17</slash:comments>
</item>
<item>
<title>Work Folders does not work on iOS 10 when using Digest authentication</title>
<link>https://blogs.technet.microsoft.com/filecab/2016/10/10/work-folders-does-not-work-on-ios-10-when-using-digest-authentication/</link>
<comments>https://blogs.technet.microsoft.com/filecab/2016/10/10/work-folders-does-not-work-on-ios-10-when-using-digest-authentication/#comments</comments>
<pubDate>Mon, 10 Oct 2016 19:21:37 +0000</pubDate>
<dc:creator><![CDATA[Jeff Patterson - MSFT]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<category><![CDATA[Work Folders]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/filecab/?p=6965</guid>
<description><![CDATA[Hi all, I’m Jeff Patterson, Program Manager for Work Folders. I wanted to let you know that Digest authentication does not work on iOS 10. Please review the issue details below if you’re currently using the Work Folders iOS client in your environment. Symptom After upgrading to iOS 10, Work Folders fails with the following... <a href="https://blogs.technet.microsoft.com/filecab/2016/10/10/work-folders-does-not-work-on-ios-10-when-using-digest-authentication/" class="read-more">Read more</a>]]></description>
<content:encoded><![CDATA[<p><span>Hi all,</span></p>
<p><span>I’m Jeff Patterson, Program Manager for Work Folders. </span></p>
<p><span>I wanted to let you know that Digest authentication does not work on iOS 10. Please review the issue details below if you’re currently using the Work Folders iOS client in your environment. </span></p>
<h5><strong><span>Symptom</span></strong></h5>
<p>After upgrading to iOS 10, Work Folders fails with the following error after user credentials are provided:</p>
<p><span style="color: #ff0000">Check your user name and password</span></p>
<h5><strong><span>Cause</span></strong></h5>
<p><span>There’s a bug in iOS 10 which causes Digest authentication to fail.</span></p>
<h5><strong><span>Status</span></strong></h5>
<p><span>We’re working with Apple to resolve the issue.</span></p>
<h5><strong><span>Workarounds</span></strong></h5>
<ul>
<li><span>Do not install iOS 10. If iOS 10 is already installed, roll back to iOS 9.</span></li>
<li><span>Use </span><span>Active Directory Federation Services (ADFS) authentication.</span>
<ul>
<li><span>Note: If ADFS is not configured in your environment, you’re using Digest authentication. </span></li>
</ul>
</li>
</ul>
<p><span>I will provide an update once this issue is resolved.</span></p>
<p><span>Thanks,</span></p>
<p><span>Jeff</span></p>
]]></content:encoded>
<wfw:commentRss>https://blogs.technet.microsoft.com/filecab/2016/10/10/work-folders-does-not-work-on-ios-10-when-using-digest-authentication/feed/</wfw:commentRss>
<slash:comments>2</slash:comments>
</item>
<item>
<title>All The Windows Server 2016 sessions at Ignite</title>
<link>https://blogs.technet.microsoft.com/filecab/2016/09/22/all-the-windows-server-2016-sessions-at-ignite/</link>
<comments>https://blogs.technet.microsoft.com/filecab/2016/09/22/all-the-windows-server-2016-sessions-at-ignite/#respond</comments>
<pubDate>Fri, 23 Sep 2016 03:58:46 +0000</pubDate>
<dc:creator><![CDATA[NedPyle [MSFT]]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/filecab/?p=6945</guid>
<description><![CDATA[Hi folks, Ned here again. If you were smart/cool/lucky enough to land some Microsoft Ignite tickets for next week, here’s the nicely organized list of all the Windows Server 2016 sessions. Color-coding, filters, it’s very sharp. aka.ms/ws2016ignite Naturally, the killer session you should register for is Drill into Storage Replica in Windows Server 2016. I hear the... <a href="https://blogs.technet.microsoft.com/filecab/2016/09/22/all-the-windows-server-2016-sessions-at-ignite/" class="read-more">Read more</a>]]></description>
<content:encoded><![CDATA[<p>Hi folks, Ned here again. If you were smart/cool/lucky enough to land some Microsoft Ignite tickets for next week, here’s the nicely organized list of all the Windows Server 2016 sessions. Color-coding, filters, it’s very sharp.</p>
<h3 style="padding-left: 30px"><strong><a href="http://aka.ms/ws2016ignite">aka.ms/ws2016ignite</a></strong></h3>
<p><a href="https://msdnshared.blob.core.windows.net/media/2016/09/Capture17.png"><img width="879" height="614" class="alignnone wp-image-6955 size-large" alt="Capture" src="https://msdnshared.blob.core.windows.net/media/2016/09/Capture17-1024x715.png" /></a></p>
<p>Naturally, the killer session you should register for is <a href="https://myignite.microsoft.com/sessions/2689">Drill into Storage Replica in Windows Server 2016</a>. I hear the presenter kicks ass and has swag for attendees.</p>
<p>– Ned “not so humble brag” Pyle</p>
]]></content:encoded>
<wfw:commentRss>https://blogs.technet.microsoft.com/filecab/2016/09/22/all-the-windows-server-2016-sessions-at-ignite/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
</item>
<item>
<title>The not future of SMB1 – another MS engineering quickie survey</title>
<link>https://blogs.technet.microsoft.com/filecab/2016/09/16/the-not-future-of-smb1-another-ms-engineering-quickie-survey/</link>
<comments>https://blogs.technet.microsoft.com/filecab/2016/09/16/the-not-future-of-smb1-another-ms-engineering-quickie-survey/#respond</comments>
<pubDate>Fri, 16 Sep 2016 23:38:13 +0000</pubDate>
<dc:creator><![CDATA[NedPyle [MSFT]]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/filecab/?p=6935</guid>
<description><![CDATA[Hi folks, Ned here again. Speaking of SMB1 removal, please take 30 seconds to complete this anonymous survey on SMB1 removal as a default option. Your honesty counts; I’d rather hear ‘no’ and some legit reasons than have sunshine blown up my kilt. Survey: consideration of SMB1 being removed by default in OSes Thankee, Ned “Scotsman” Pyle... <a href="https://blogs.technet.microsoft.com/filecab/2016/09/16/the-not-future-of-smb1-another-ms-engineering-quickie-survey/" class="read-more">Read more</a>]]></description>
<content:encoded><![CDATA[<p>Hi folks, <a href="https://twitter.com/nerdpyle">Ned </a>here again. <a href="https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/">Speaking of SMB1 removal</a>, please take 30 seconds to complete this anonymous survey on SMB1 removal as a default option. Your honesty counts; I’d rather hear ‘no’ and some legit reasons than have sunshine blown up my kilt.</p>
<p style="padding-left: 30px"><strong>Survey: <a href="https://www.surveymonkey.com/r/6WP983K">consideration of SMB1 being removed by default in OSes</a></strong></p>
<p>Thankee,</p>
<p>Ned “Scotsman” Pyle</p>
]]></content:encoded>
<wfw:commentRss>https://blogs.technet.microsoft.com/filecab/2016/09/16/the-not-future-of-smb1-another-ms-engineering-quickie-survey/feed/</wfw:commentRss>
<slash:comments>0</slash:comments>
</item>
<item>
<title>Stop using SMB1</title>
<link>https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/</link>
<comments>https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/#comments</comments>
<pubDate>Fri, 16 Sep 2016 21:59:01 +0000</pubDate>
<dc:creator><![CDATA[NedPyle [MSFT]]]></dc:creator>
<category><![CDATA[SMB]]></category>
<category><![CDATA[Windows 10]]></category>
<category><![CDATA[Windows Server 2016]]></category>
<category><![CDATA[SMB 3.0]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/filecab/?p=6925</guid>
<description><![CDATA[Hi folks, Ned here again and today’s topic is short and sweet: Stop using SMB1. Stop using SMB1. STOP USING SMB1! Earlier this week we released MS16-114, a security update that prevents denial of service and remote code execution. If you need this security patch, you already have a much bigger problem: you are still... <a href="https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/" class="read-more">Read more</a>]]></description>
<content:encoded><![CDATA[<p>Hi folks, <a href="https://twitter.com/nerdpyle">Ned </a>here again and today’s topic is short and sweet:</p>
<p style="padding-left: 30px">Stop using SMB1. <i>Stop using SMB1</i>. <b><i><strong>STOP USING SMB1!</strong></i></b></p>
<p>Earlier this week we released <a href="https://support.microsoft.com/en-us/kb/3177186">MS16-114</a>, a security update that prevents denial of service and remote code execution. If you need this security patch, you already have a much bigger problem: you are still running SMB1.</p>
<p>The original SMB1 protocol is nearly <a href="https://en.wikipedia.org/wiki/Server_Message_Block#History">30 years old</a>, and like much of the software made in the 80’s, it was designed for a world that no longer exists. A world without malicious actors, without vast sets of important data, without near-universal computer usage. Frankly, its naivete is staggering when viewed through modern eyes. I blame the West Coast hippy lifestyle.</p>
<p>Let me explain why this protocol needs to hit the landfill.</p>
<h3>SMB1 isn’t safe</h3>
<p>When you use SMB1, you lose key protections offered by later SMB protocol versions:</p>
<ul>
<li><a href="https://blogs.msdn.microsoft.com/openspecification/2015/08/11/smb-3-1-1-pre-authentication-integrity-in-windows-10/">Pre-authentication Integrity</a> (SMB 3.1.1+). Protects against security downgrade attacks.</li>
<li><a href="https://blogs.msdn.microsoft.com/openspecification/2012/06/28/smb3-secure-dialect-negotiation/">Secure Dialect Negotiation</a> (SMB 3.0, 3.02). Protects against security downgrade attacks.</li>
<li><a href="https://blogs.msdn.microsoft.com/openspecification/2015/09/09/smb-3-1-1-encryption-in-windows-10/">Encryption</a> (SMB 3.0+). Prevents inspection of data on the wire, MiTM attacks. In SMB 3.1.1 encryption performance is even better than signing!</li>
<li><a href="https://msdnshared.blob.core.windows.net/media/2016/09/2016-09-14_17-15-54.png">Insecure guest auth blocking (SMB 3.0+ on Windows 10+)</a>. Protects against MiTM attacks.</li>
<li><a href="https://blogs.technet.microsoft.com/josebda/2010/12/01/the-basics-of-smb-signing-covering-both-smb1-and-smb2/">Better message signing</a> (SMB 2.02+). HMAC SHA-256 replaces MD5 as the hashing algorithm in SMB 2.02, SMB 2.1 and AES-CMAC replaces that in SMB 3.0+. Signing performance increases in SMB2 and 3.</li>
</ul>
<p>The nasty bit is that no matter how you secure all these things, if your clients use SMB1, then a man-in-the-middle can tell your client <i>to ignore all the above</i>. All they need to do is block SMB2+ on themselves and answer to your server’s name or IP. Your client will happily derp away on SMB1 and share all its darkest secrets unless you required encryption on that share to prevent SMB1 in the first place. This is not theoretical – we’ve seen it. We believe this so strongly that when we introduced Scale-Out File Server, we explicitly prevented SMB1 access to those shares!</p>
<blockquote class="twitter-tweet">
<p lang="en" dir="ltr">As an owner of SMB at MS, I cannot emphasize enough how much I want everyone to stop using SMB1 <a href="https://t.co/kHPqvyxTKC">https://t.co/kHPqvyxTKC</a></p>
<p>— Ned Pyle (@NerdPyle) <a href="https://twitter.com/NerdPyle/status/719977329548664832">April 12, 2016</a></p></blockquote>
<h3>SMB1 isn’t modern or efficient</h3>
<p>When you use SMB1, you lose key performance and productivity optimizations for end users.</p>
<ul>
<li>Larger reads and writes (2.02+) – more efficient use of faster networks or higher latency WANs. Large MTU support.</li>
<li>Peer caching of folder and file properties (2.02+) – clients keep local copies of folders and files via BranchCache</li>
<li>Durable handles (2.02, 2.1) – allow for connection to transparently reconnect to the server if there is a temporary disconnection</li>
<li>Client oplock leasing model (2.02+) – limits the data transferred between the client and server, improving performance on high-latency networks and increasing SMB server scalability</li>
<li>Multichannel & SMB Direct (3.0+) – aggregation of network bandwidth and fault tolerance if multiple paths are available between client and server, plus usage of modern ultra-high throughput RDMA infrastructure</li>
<li>Directory Leasing (3.0+) – Improves application response times in branch offices through caching</li>
</ul>
<blockquote class="twitter-tweet">
<p lang="en" dir="ltr">Running SMB1 is like taking your grandmother to prom: she means well, but she can’t really move anymore. Also, it’s creepy and gross</p>
<p>— Ned Pyle (@NerdPyle) <a href="https://twitter.com/NerdPyle/status/776900804712148993">September 16, 2016</a><br />
</blockquote>
<h3>SMB1 isn’t usually necessary</h3>
<p>This is the real killer: there are very few cases left in any modern enterprise where SMB1 is the only option. Some legit reasons:</p>
<ol>
<li>You’re still running XP or WS2003 under a custom support agreement.</li>
<li>You have some decrepit management software that demands admins browse via the ‘network neighborhood’ master browser list.</li>
<li>You run old multi-function printers with antique firmware in order to “scan to share”.</li>
</ol>
<p>None of these things should affect the average end user or business. Unless you let them.</p>
<p>We work carefully with partners in the storage, printer, and application spaces all over the world to ensure they provide at least SMB2 support and have done so with annual conferences and plugfests for six years. Samba supports SMB 2 and 3. So do OSX and MacOS. So do EMC, NetApp, and their competitors. So do our licensed SMB providers like Visuality and Tuxera, who also help printer manufacturers join the modern world.</p>
<p>A proper IT pro is always from Missouri though. We provide SMB1 usage auditing in Windows 10 and Windows Server 2016 just to be sure. That way you can configure your Windows Servers to see if disabling SMB1 would break someone:</p>
<pre style="padding-left: 30px"><span>Set-SmbServerConfiguration -AuditSmb1Access $true</span></pre>
<p>Then just examine the SMBServer\Audit event log on the systems. If you have older servers than WS2016, now is a good time to talk upgrade. Ok, that’s a bit extortionist – now is the time to talk to your blue teams, network teams, and other security folks about if and where they are seeing SMB1 usage on the network. If they have no idea, they need to get one. If you still don’t know because this is a smaller shop, run your own network captures on a sample of your servers and clients, and see if SMB1 appears.</p>
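<p>For the network-capture route, this added example (not code from the original post) classifies the client-to-server bytes of a TCP 445 stream and separates a client that merely offers SMB1 in its first negotiate from one that actually runs its session over SMB1. The function names and the sample streams are constructed for illustration.</p>

```python
import struct

SMB1_MAGIC = b"\xffSMB"      # SMB1 / CIFS message
SMB2_MAGIC = b"\xfeSMB"      # SMB 2.x and 3.x message, unencrypted
SMB3_TRANSFORM = b"\xfdSMB"  # SMB 3.x encrypted message (transform header)
SMB1_NEGOTIATE = 0x72        # SMB_COM_NEGOTIATE


def split_messages(stream):
    """Yield SMB messages from one direction of a TCP 445 stream.

    Each message follows a 4-byte header: a zero byte, then a 24-bit
    big-endian length.
    """
    offset = 0
    while offset + 4 <= len(stream) and stream[offset] == 0:
        length = int.from_bytes(stream[offset + 1:offset + 4], "big")
        body = stream[offset + 4:offset + 4 + length]
        if len(body) < length:
            break  # truncated capture: stop rather than guess
        yield body
        offset += 4 + length


def classify(message):
    """Return (protocol family, command code) for one SMB message."""
    magic = message[:4]
    if magic == SMB1_MAGIC and len(message) >= 5:
        return "SMB1", message[4]
    if magic == SMB2_MAGIC and len(message) >= 14:
        return "SMB2+", struct.unpack_from("<H", message, 12)[0]
    if magic == SMB3_TRANSFORM:
        return "SMB3-encrypted", None
    return "unknown", None


def negotiate_dialects(message):
    """Dialect strings offered in an SMB1 NEGOTIATE request."""
    if len(message) < 35:
        return []
    pos = 33 + 2 * message[32]            # skip the 32-byte header and parameter words
    byte_count = struct.unpack_from("<H", message, pos)[0]
    data = message[pos + 2:pos + 2 + byte_count]
    # Each entry is a 0x02 marker followed by a NUL-terminated ASCII string.
    return [d.lstrip(b"\x02").decode("ascii", "replace")
            for d in data.split(b"\x00") if d]


def audit_stream(stream):
    """Summarise SMB1 exposure seen in one client-to-server stream."""
    dialects, smb1_commands, saw_smb2 = [], [], False
    for message in split_messages(stream):
        family, command = classify(message)
        if family == "SMB1" and command == SMB1_NEGOTIATE:
            dialects += negotiate_dialects(message)
        elif family == "SMB1":
            smb1_commands.append(command)  # session traffic really on SMB1
        elif family in ("SMB2+", "SMB3-encrypted"):
            saw_smb2 = True
    if smb1_commands:
        verdict = "smb1-in-use"    # disabling SMB1 would break this client
    elif dialects:
        verdict = "smb1-offered"   # SMB1 still enabled on the client
    else:
        verdict = "smb2+-only" if saw_smb2 else "no-smb"
    return {"verdict": verdict, "dialects": dialects}


# --- Constructed sample streams (not taken from a real capture) ---
def frame(body):
    return b"\x00" + len(body).to_bytes(3, "big") + body


def smb1_message(command, payload=b"\x00\x00\x00"):
    return frame(SMB1_MAGIC + bytes([command]) + bytes(27) + payload)


def smb1_negotiate(dialects):
    blob = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    return smb1_message(SMB1_NEGOTIATE, b"\x00" + struct.pack("<H", len(blob)) + blob)


def smb2_message(command):
    return frame(SMB2_MAGIC + struct.pack("<HHIH", 64, 0, 0, command) + bytes(50))


LEGACY_CLIENT = (smb1_negotiate(["NT LM 0.12"])
                 + smb1_message(0x73) + smb1_message(0x75))
SMB1_STILL_ENABLED = (smb1_negotiate(["NT LM 0.12", "SMB 2.002", "SMB 2.???"])
                      + smb2_message(0x0000) + smb2_message(0x0001))
SMB1_REMOVED = smb2_message(0x0000) + smb2_message(0x0001)

if __name__ == "__main__":
    for name, stream in [("legacy", LEGACY_CLIENT),
                         ("smb1 enabled", SMB1_STILL_ENABLED),
                         ("smb1 removed", SMB1_REMOVED)]:
        print(name, audit_stream(stream))
```

<p>A verdict of "smb1-offered" means the client still opens with an SMB1 negotiate even though the session continued on SMB2 or later, so it remains exposed to the downgrade described earlier until SMB1 is removed from it.</p>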
<blockquote class="twitter-tweet"><p>
Day 700 without SMB1 installed: nothing happened. Just like last 699 days. Because anyone requiring SMB1 is not allowed on my $%^&%# network</p>
<p>— Ned Pyle (@NerdPyle) <a href="https://twitter.com/NerdPyle/status/775840453203677184">September 13, 2016</a>
</p></blockquote>
<h3>SMB1 removal isn’t hard</h3>
<p>Starting in Windows 8.1 and Windows Server 2012 R2, we made removal of the SMB1 feature possible and trivially easy.</p>
<p><b><strong>On Server, the Server Manager approach:</strong></b></p>
<p><a href="https://msdnshared.blob.core.windows.net/media/2016/09/image495.png"><img width="726" height="544" title="image" alt="image" src="https://msdnshared.blob.core.windows.net/media/2016/09/image_thumb410.png" border="0" /></a></p>
<p><b><strong>On Server, the PowerShell approach (Remove-WindowsFeature FS-SMB1):</strong></b></p>
<p><a href="https://msdnshared.blob.core.windows.net/media/2016/09/image496.png"><img width="405" height="142" title="image" alt="image" src="https://msdnshared.blob.core.windows.net/media/2016/09/image_thumb411.png" border="0" /></a></p>
<p><b><strong>On Client, the add remove programs approach (appwiz.cpl):</strong> </b></p>
<p><a href="https://msdnshared.blob.core.windows.net/media/2016/09/image497.png"><img width="387" height="342" title="image" alt="image" src="https://msdnshared.blob.core.windows.net/media/2016/09/image_thumb412.png" border="0" /></a></p>
<p><b><strong>On Client, the PowerShell approach (Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol)</strong></b></p>
<p><a href="https://msdnshared.blob.core.windows.net/media/2016/09/image498.png"><img width="586" height="174" title="image" alt="image" src="https://msdnshared.blob.core.windows.net/media/2016/09/image_thumb413.png" border="0" /></a></p>
<p><b><strong>On legacy operating systems:</strong></b></p>
<p>When using operating systems older than Windows 8.1 and Windows Server 2012 R2, you can’t remove SMB1 – but you can disable it: <a href="https://support.microsoft.com/en-us/kb/2696547">KB 2696547- How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012 </a></p>
<p><span style="color: #ff0000">A key point:</span> <span style="color: #008000">when you begin the removal project, start at smaller scale and work your way up. <i>No one says you must finish this in a day. </i></span></p>
<h3>SMB1 isn’t good</h3>
<p>Stop using SMB1. For your children. For your children’s children. Please. <a href="https://regularitguy.com/2015/08/31/the-demise-of-smb-1-in-the-windows-stack/">We’re begging you.</a></p>
<p>– Ned “and the rest of the SMB team at Microsoft” Pyle</p>
]]></content:encoded>
<wfw:commentRss>https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/feed/</wfw:commentRss>
<slash:comments>27</slash:comments>
</item>
<item>
<title>Survey: Why R2?</title>
<link>https://blogs.technet.microsoft.com/filecab/2016/09/08/survey-why-r2/</link>
<comments>https://blogs.technet.microsoft.com/filecab/2016/09/08/survey-why-r2/#comments</comments>
<pubDate>Thu, 08 Sep 2016 22:45:39 +0000</pubDate>
<dc:creator><![CDATA[NedPyle [MSFT]]]></dc:creator>
<category><![CDATA[Uncategorized]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/filecab/?p=6795</guid>
<description><![CDATA[Hi folks, Ned here again. I have a very quick survey for you if you’re a Windows Server customer. It is anonymous, only has one mandatory question, and one secondary optional question – shouldn’t take you more than 30 seconds and will help us understand our customer base better. Why do you deploy R2 versions so much more... <a href="https://blogs.technet.microsoft.com/filecab/2016/09/08/survey-why-r2/" class="read-more">Read more</a>]]></description>
<content:encoded><![CDATA[<p>Hi folks, <a href="https://twitter.com/nerdpyle">Ned </a>here again. I have a very quick survey for you if you’re a Windows Server customer. It is anonymous, only has one mandatory question, and one secondary optional question – shouldn’t take you more than 30 seconds and will help us understand our customer base better.</p>
<p><strong><a href="https://www.surveymonkey.com/r/P9BSWSQ">Why do you deploy R2 versions so much more than non-R2?</a></strong></p>
<p>Thanks in advance.</p>
<ul>
<li>Ned “actual monkey” Pyle</li>
</ul>
]]></content:encoded>
<wfw:commentRss>https://blogs.technet.microsoft.com/filecab/2016/09/08/survey-why-r2/feed/</wfw:commentRss>
<slash:comments>1</slash:comments>
</item>
<item>
<title>Volume resiliency and efficiency in Storage Spaces Direct</title>
<link>https://blogs.technet.microsoft.com/filecab/2016/09/06/volume-resiliency-and-efficiency-in-storage-spaces-direct/</link>
<comments>https://blogs.technet.microsoft.com/filecab/2016/09/06/volume-resiliency-and-efficiency-in-storage-spaces-direct/#comments</comments>
<pubDate>Tue, 06 Sep 2016 22:43:00 +0000</pubDate>
<dc:creator><![CDATA[clausjor]]></dc:creator>
<category><![CDATA[SDS]]></category>
<category><![CDATA[Software Defined Storage]]></category>
<category><![CDATA[Uncategorized]]></category>
<category><![CDATA[Windows Server 2016]]></category>
<category><![CDATA[S2D]]></category>
<category><![CDATA[Storage Spaces Direct]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/filecab/?p=6745</guid>
<description><![CDATA[Hello, Claus here again. One of the most important aspects when creating a volume is to choose the resiliency settings. The purpose of resiliency is to provide resiliency in case of failures, such as failed drive or a server failure. It also enables data availability when performing maintenance, such as server hardware replacement or operating... <a href="https://blogs.technet.microsoft.com/filecab/2016/09/06/volume-resiliency-and-efficiency-in-storage-spaces-direct/" class="read-more">Read more</a>]]></description>
<content:encoded><![CDATA[<p>Hello, Claus here again.</p>
<p>One of the most important aspects when creating a volume is to choose the resiliency settings. The purpose of resiliency is to protect data in case of failures, such as a failed drive or a server failure. It also enables data availability when performing maintenance, such as server hardware replacement or operating system updates. Storage Spaces Direct supports two resiliency types: mirror and parity.</p>
<h2>Mirror resiliency</h2>
<p>Mirror resiliency is relatively simple. Storage Spaces Direct generates multiple block copies of the same data. By default, it generates 3 copies. Each copy is stored on a drive in different servers, providing resiliency to both drive and server failures. The diagram shows 3 data copies (A, A’ and A’’) laid out across a cluster with 4 servers.</p>
<p><a href="https://msdnshared.blob.core.windows.net/media/2016/09/Volume1.png"><img width="856" height="205" class="aligncenter size-full wp-image-6755" alt="Volume1" src="https://msdnshared.blob.core.windows.net/media/2016/09/Volume1.png" /></a></p>
<p style="text-align: center"><em>Figure </em><em>1</em><em> 3-copy mirror across 4 servers</em></p>
<p>Assume there is a failure on the drive in server 2 where A’ is written. A’ is regenerated by reading A or A’’ and writing a new copy of A’ on another drive in server 2 or any drive in server 3. A’ cannot be written to drives in server 1 or server 4, since two copies of the same data are not allowed in the same server.</p>
<p>If the admin puts a server in maintenance mode, the corresponding drives also enter maintenance mode. While maintenance mode suspends IO to the drives, the administrator can still perform drive maintenance tasks, such as updating drive firmware. Data copies stored on the server in maintenance mode will not be updated since IOs are suspended. Once the administrator takes the server out of maintenance mode, the data copies on the server will be updated using data copies from other servers. Storage Spaces Direct tracks which data copies are changed while the server is in maintenance mode, to minimize data resynchronization.</p>
<p>Mirror resiliency is relatively simple, which means it has great performance and does not have a lot of CPU overhead. The downside to mirror resiliency is that it is relatively inefficient, with 33.3% storage efficiency when storing 3 full copies of all data.</p>
<h2>Parity resiliency</h2>
<p>Parity resiliency is much more storage efficient compared to mirror resiliency. Parity resiliency uses parity symbols across a larger set of data symbols to drive up storage efficiency. Each symbol is stored on a drive in different servers, providing resiliency to both drive and server failures. Storage Spaces Direct requires at least 4 servers to enable parity resiliency. The diagram shows two data symbols (X<sub>1</sub> and X<sub>2</sub>) and two parity symbols (P<sub>1</sub> and P<sub>2</sub>) laid out across a cluster with 4 servers.</p>
<p style="text-align: center"><a href="https://msdnshared.blob.core.windows.net/media/2016/09/Volume2.png"><img width="856" height="205" class="aligncenter size-full wp-image-6756" alt="Volume2" src="https://msdnshared.blob.core.windows.net/media/2016/09/Volume2.png" /></a></p>
<p style="text-align: center"><em>Figure </em><em>2</em><em> Parity resiliency across 4 servers</em></p>
<p>Assume there is a failure on the drive in server 2 where X<sub>2</sub> is written. X<sub>2</sub> is regenerated by reading the other symbols (X<sub>1</sub>, P<sub>1</sub> and P<sub>2</sub>), recalculating the value of X<sub>2</sub>, and writing X<sub>2</sub> on another drive in server 2. X<sub>2</sub> cannot be written to drives in other servers, since two symbols from the same symbol set are not allowed in the same server.</p>
<p>Parity resiliency works similarly to mirror resiliency when a server is in maintenance mode.</p>
<p>Parity resiliency has better storage efficiency than mirror resiliency. With 4 servers the storage efficiency is 50%, and it can be as high as 80% with 16 servers. The downside of parity resiliency is twofold:</p>
<ul>
<li>Performing data reconstruction involves all of the surviving symbols. All symbols are read, which is extra storage IO. Lost symbols are recalculated, which incurs expensive CPU cycles, and written back to disk.</li>
<li>Overwriting existing data involves all symbols. All data symbols are read, data is updated, parity is recalculated, and all symbols are written. This is also known as Read-Modify-Write and incurs significant storage IO and CPU cycles.</li>
</ul>
<h2>Local Reconstruction Codes</h2>
<p>Storage Spaces Direct uses <a href="https://en.wikipedia.org/wiki/Reed%E2%80%93Solomon_error_correction">Reed-Solomon error correction</a> (aka erasure coding) for parity calculation in smaller deployments for the best possible efficiency and resiliency to two simultaneous failures. A cluster with four servers has 50% storage efficiency and resiliency to two failures. With larger clusters storage efficiency is increased as there can be more data symbols without increasing the number of parity symbols. On the flip side, data reconstruction becomes increasingly inefficient as the total number of symbols (data symbols + parity symbols) increases, as all surviving symbols will have to be read in order to calculate and regenerate the missing symbol(s). To address this, Microsoft Research invented <a href="https://microsoft-my.sharepoint.com/personal/clausjor_ntdev_microsoft_com/Documents/calabria/blogs/ga/research.microsoft.com/en-us/um/people/chengh/papers/LRC12.pdf">Local Reconstruction Codes</a>, which is being used in Microsoft Azure and Storage Spaces Direct.</p>
<p>Local Reconstruction Codes (LRC) optimizes data reconstruction for the most common failure scenario, which is a single drive failure. It does so by grouping the data symbols and calculating a single (local) parity symbol across each group using simple XOR. It then calculates a global parity across all the symbols. The diagram below shows LRC in a cluster with 12 servers.</p>
<p style="text-align: center"><a href="https://msdnshared.blob.core.windows.net/media/2016/09/Volume3.tif"><img class="aligncenter size-full wp-image-6765" alt="Volume3" src="https://msdnshared.blob.core.windows.net/media/2016/09/Volume3.tif" /></a></p>
<p style="text-align: center"><em>Figure </em><em>3</em><em> LRC in a cluster with 12 servers</em></p>
<p>In the above example we have 11 symbols: 8 data symbols represented by X<sub>1</sub>, X<sub>2</sub>, X<sub>3</sub>, X<sub>4</sub>, Y<sub>1</sub>, Y<sub>2</sub>, Y<sub>3</sub> and Y<sub>4</sub>, 2 local parity symbols represented by P<sub>X</sub> and P<sub>Y</sub>, and finally one global parity symbol represented by Q. This particular layout is also sometimes described as (8,2,1) representing 8 data symbols, 2 groups and 1 global parity.</p>
<p>Inside each group the parity symbol is calculated as simple XOR across the data symbols in the group. XOR is not a very computationally intensive operation and thus requires few CPU cycles. Q is calculated using the data symbols and local parity symbols across all the groups. In this particular configuration, the storage efficiency is 8/11 or ~72%, as there are 8 data symbols out of 11 total symbols.</p>
<p>As mentioned above, in storage systems a single failure is more common than multiple failures and LRC is more efficient and incurs less storage IO when reconstructing data in the single device failure scenario and even some multi-failure scenarios.</p>
<p>Using the example from figure 3 above:</p>
<p>What happens if there is one failure, e.g. the disk that stores X<sub>2</sub> fails? In that case X<sub>2</sub> is reconstructed by reading X<sub>1</sub>, X<sub>3</sub>, X<sub>4</sub> and P<sub>X</sub> (four reads), performing an XOR operation (simple), and writing X<sub>2</sub> (one write) to a different disk in server 2. Notice that none of the Y symbols or the global parity Q are read or involved in the reconstruction.</p>
<p>What happens if there are two simultaneous failures, e.g. the disk that stores X<sub>1</sub> fails and the disk that stores Y<sub>2</sub> also fails? In this case, because the failures occurred in two different groups, X<sub>1</sub> is reconstructed by reading X<sub>2</sub>, X<sub>3</sub>, X<sub>4</sub> and P<sub>X</sub> (four reads), performing an XOR operation, and writing X<sub>1</sub> (one write) to a different disk in server 1. Similarly, Y<sub>2</sub> is reconstructed by reading Y<sub>1</sub>, Y<sub>3</sub>, Y<sub>4</sub> and P<sub>Y</sub> (four reads), performing an XOR operation, and writing Y<sub>2</sub> (one write) to a different disk in server 5. A total of eight reads and two writes. Notice that only simple XOR was involved in data reconstruction, thus reducing the pressure on the CPU.</p>
<p>What happens if there are two failures in the same group, e.g. the disks that store X<sub>1</sub> and X<sub>2</sub> have both failed? In this case X<sub>1</sub> is reconstructed by reading X<sub>3</sub>, X<sub>4</sub>, P<sub>X</sub>, Y<sub>1</sub>, Y<sub>2</sub>, Y<sub>3</sub>, Y<sub>4</sub> and Q (8 reads), performing the erasure code computation, and writing X<sub>1</sub> to a different disk in server 1. It is not necessary to read P<sub>Y</sub>, since it can be calculated from Y<sub>1</sub>, Y<sub>2</sub>, Y<sub>3</sub> and Y<sub>4</sub>. Once X<sub>1</sub> is reconstructed, X<sub>2</sub> can be reconstructed using the same mechanism described for one failure above, except no additional reads are needed.</p>
<p>Notice how, in the example above, one server does not have symbols? This configuration allows reconstruction of symbols even in the case where a server has malfunctioned and is permanently retired, after which the cluster will effectively have only 11 servers until a replacement server is added to the cluster.</p>
<p>The number of data symbols in a group depends on the cluster size and the drive types being used. Solid state drives perform better, so the number of data symbols in a group can be larger. The table below outlines the default erasure coding scheme (RS or LRC) and the resulting efficiency for hybrid and all-flash storage configurations in various cluster sizes.</p>
<table>
<tbody>
<tr>
<td width="71"><strong>Servers</strong></td>
<td width="174" colspan="2">
<p style="text-align: center"><strong>SSD + HDD</strong></p>
</td>
<td width="181" colspan="2">
<p style="text-align: center"><strong>All SSD</strong></p>
</td>
</tr>
<tr>
<td width="71"><strong> </strong></td>
<td width="90"><strong>Layout</strong></td>
<td width="84"><strong>Efficiency</strong></td>
<td width="98"><strong>Layout</strong></td>
<td width="84"><strong>Efficiency</strong></td>
</tr>
<tr>
<td width="71"><strong>4</strong></td>
<td width="90">RS 2+2</td>
<td width="84">50%</td>
<td width="98">RS 2+2</td>
<td width="84">50%</td>
</tr>
<tr>
<td width="71"><strong>5</strong></td>
<td width="90">RS 2+2</td>
<td width="84">50%</td>
<td width="98">RS 2+2</td>
<td width="84">50%</td>
</tr>
<tr>
<td width="71"><strong>6</strong></td>
<td width="90">RS 2+2</td>
<td width="84">50%</td>
<td width="98">RS 2+2</td>
<td width="84">50%</td>
</tr>
<tr>
<td width="71"><strong>7</strong></td>
<td width="90">RS 4+2</td>
<td width="84">66%</td>
<td width="98">RS 4+2</td>
<td width="84">66%</td>
</tr>
<tr>
<td width="71"><strong>8</strong></td>
<td width="90">RS 4+2</td>
<td width="84">66%</td>
<td width="98">RS 4+2</td>
<td width="84">66%</td>
</tr>
<tr>
<td width="71"><strong>9</strong></td>
<td width="90">RS 4+2</td>
<td width="84">66%</td>
<td width="98">RS 6+2</td>
<td width="84">75%</td>
</tr>
<tr>
<td width="71"><strong>10</strong></td>
<td width="90">RS 4+2</td>
<td width="84">66%</td>
<td width="98">RS 6+2</td>
<td width="84">75%</td>
</tr>
<tr>
<td width="71"><strong>11</strong></td>
<td width="90">RS 4+2</td>
<td width="84">66%</td>
<td width="98">RS 6+2</td>
<td width="84">75%</td>
</tr>
<tr>
<td width="71"><strong>12</strong></td>
<td width="90">LRC (8,2,1)</td>
<td width="84">72%</td>
<td width="98">RS 6+2</td>
<td width="84">75%</td>
</tr>
<tr>
<td width="71"><strong>13</strong></td>
<td width="90">LRC (8,2,1)</td>
<td width="84">72%</td>
<td width="98">RS 6+2</td>
<td width="84">75%</td>
</tr>
<tr>
<td width="71"><strong>14</strong></td>
<td width="90">LRC (8,2,1)</td>
<td width="84">72%</td>
<td width="98">RS 6+2</td>
<td width="84">75%</td>
</tr>
<tr>
<td width="71"><strong>15</strong></td>
<td width="90">LRC (8,2,1)</td>
<td width="84">72%</td>
<td width="98">RS 6+2</td>
<td width="84">75%</td>
</tr>
<tr>
<td width="71"><strong>16</strong></td>
<td width="90">LRC (8,2,1)</td>
<td width="84">72%</td>
<td width="98">LRC (12,2,1)</td>
<td width="84">80%</td>
</tr>
</tbody>
</table>
<h2>Accelerating parity volumes</h2>
<p>In Storage Spaces Direct it is possible to create a hybrid volume. A hybrid volume is essentially a volume where some of the volume uses mirror resiliency and some of the volume uses parity resiliency.</p>
<p style="text-align: center"><a href="https://msdnshared.blob.core.windows.net/media/2016/09/Volume4.png"><img width="283" height="366" class="aligncenter wp-image-6775" alt="Volume4" src="https://msdnshared.blob.core.windows.net/media/2016/09/Volume4-232x300.png" /></a></p>
<p style="text-align: center"><em>Figure </em><em>4</em><em> Hybrid Volume</em></p>
<p>The purpose of mixing mirror and parity in the volume is to provide a balance between storage performance and storage efficiency. Hybrid volumes require the use of the ReFS on-disk file system as it is aware of the volume layout:</p>
<ul>
<li>ReFS always writes data to the mirror portion of the volume, taking advantage of the write performance of mirror</li>
<li>ReFS rotates data into the parity portion of the volume when needed, taking advantage of the efficiency of parity</li>
<li>Parity is only calculated when rotating data into the parity portion</li>
<li>ReFS writes updates to data stored in the parity portion by placing new data in the mirror portion and invalidating the old data stored in the parity portion – again to take advantage of the write performance of mirror</li>
</ul>
<p>ReFS starts rotating data into the parity portion at 60% utilization of the mirror portion and gradually becomes more aggressive in rotating data as utilization increases. It is highly desirable to:</p>
<ul>
<li>Size the mirror portion to twice the size of the active working set (hot data) to avoid excessive data rotation</li>
<li>Size the overall volume to always have 20% free space to avoid excessive fragmentation due to data rotation</li>
</ul>
<h2>Conclusion</h2>
<p>I hope this blog post helps provide more insight into how mirror and parity resiliency work in Storage Spaces Direct, how data is laid out across servers, and how data is reconstructed in various failure cases.</p>
<p>We also discussed how Local Reconstruction Codes (LRC) increases the efficiency of data reconstruction in both reduced storage IO churn and CPU cycles, and overall helps reach a healthy system quicker.</p>
<p>And finally we discussed how hybrid volumes provide a balance between the performance of mirror and the efficiency of parity.</p>
<p>Let me know what you think.</p>
<p>Until next time</p>
<p>Claus</p>
]]></content:encoded>
<wfw:commentRss>https://blogs.technet.microsoft.com/filecab/2016/09/06/volume-resiliency-and-efficiency-in-storage-spaces-direct/feed/</wfw:commentRss>
<slash:comments>11</slash:comments>
</item>
<item>
<title>Work Folders and Offline Files support for Windows Information Protection</title>
<link>https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/</link>
<comments>https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/#comments</comments>
<pubDate>Tue, 30 Aug 2016 03:25:27 +0000</pubDate>
<dc:creator><![CDATA[Jeff Patterson - MSFT]]></dc:creator>
<category><![CDATA[Information Worker]]></category>
<category><![CDATA[Windows 10]]></category>
<category><![CDATA[Client-Side Caching (CSC)]]></category>
<category><![CDATA[Offline Files]]></category>
<category><![CDATA[Work Folders]]></category>
<guid isPermaLink="false">https://blogs.technet.microsoft.com/filecab/?p=6705</guid>
<description><![CDATA[Hi all, I’m Jeff Patterson, Program Manager for Work Folders and Offline Files. Windows 10, version 1607 will be available to Enterprise customers soon so I wanted to cover support for Windows Information Protection (a.k.a. Enterprise Data Protection) when using Work Folders or Offline Files. Windows Information Protection Overview Windows Information Protection (WIP) is a... <a href="https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/" class="read-more">Read more</a>]]></description>
<content:encoded><![CDATA[<p><span style="color: #000000">Hi all,</span></p>
<p><span style="color: #000000">I’m Jeff Patterson, Program Manager for Work Folders and Offline Files.</span></p>
<p><span style="color: #000000">Windows 10, version 1607 will be available to Enterprise customers soon so I wanted to cover support for Windows Information Protection (a.k.a. Enterprise Data Protection) when using Work Folders or Offline Files.</span></p>
<h3><span style="color: #000000">Windows Information Protection Overview</span></h3>
<p><span style="color: #000000">Windows Information Protection (WIP) is a new security feature introduced in Windows 10, version 1607 to protect against data leaks.</span></p>
<p><span style="color: #000000">Benefits of WIP</span></p>
<ul>
<li><span style="color: #000000">Separation between personal and corporate data, without requiring employees to switch environments or apps</span></li>
<li><span style="color: #000000">Additional data protection for existing line-of-business apps without a need to update the apps</span></li>
<li><span style="color: #000000">Ability to wipe corporate data from devices while leaving personal data alone</span></li>
<li><span style="color: #000000">Use of audit reports for tracking issues and remedial actions</span></li>
<li><span style="color: #000000">Integration with your existing management system (Microsoft Intune, System Center Configuration Manager 2016, or your current mobile device management (MDM) system) to configure, deploy, and manage WIP for your company</span></li>
</ul>
<p><span style="color: #000000">For additional information on Windows Information Protection, please reference our TechNet <a href="https://technet.microsoft.com/en-us/itpro/windows/keep-secure/protect-enterprise-data-using-wip">documentation</a>.</span></p>
<h3><span style="color: #000000">Work Folders support for Windows Information Protection</span></h3>
<p><span style="color: #000000">Work Folders was updated in Windows 10 to support Windows Information Protection.</span></p>
<p><span style="color: #000000">If a WIP policy is applied to a Windows 10 device, all user data stored in the Work Folders directory will be encrypted using the same key and Enterprise ID that is used by Windows Information Protection.</span></p>
<p><span style="color: #000000">Note: The user data is only encrypted on the Windows 10 device. When the user data is synced to the Work Folders server, it’s not encrypted on the server. To encrypt the user data on the Work Folders server, you need to use RMS encryption.</span></p>
<h3><span style="color: #000000">Offline Files and Windows Information Protection</span></h3>
<p><span style="color: #000000">Offline Files (a.k.a. Client Side Caching) is an older file sync solution and was not updated to support Windows Information Protection. This means any user data stored on a network share that’s cached locally on the Windows 10 device using Offline Files is not protected by Windows Information Protection.</span></p>
<p><span style="color: #000000">If you’re currently using Offline Files, our recommendation is to migrate to a modern file sync solution such as <a href="https://blogs.technet.microsoft.com/filecab/2016/08/12/offline-files-csc-to-work-folders-migration-guide/">Work Folders </a>or <a href="https://onedrive.live.com/about/en-us/business/">OneDrive for Business </a>which supports Windows Information Protection.</span></p>
<p><span style="color: #000000">If you decide to use Offline Files with Windows Information Protection, you need to be aware of the following issue if you try to open cached files while working offline:</span></p>
<p><span style="color: #000000">Can’t open files offline when you use Offline Files and Windows Information Protection</span><br />
<a href="https://support.microsoft.com/en-us/kb/3187045">https://support.microsoft.com/en-us/kb/3187045</a></p>
<h3><span style="color: #000000">Conclusion</span></h3>
<p><span style="color: #000000">Offline Files does not support Windows Information Protection; you should use a modern file sync solution such as <a href="https://blogs.technet.microsoft.com/filecab/2016/08/12/offline-files-csc-to-work-folders-migration-guide/">Work Folders </a>or <a href="https://onedrive.live.com/about/en-us/business/">OneDrive for Business </a>that supports WIP.</span></p>
]]></content:encoded>
<wfw:commentRss>https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/feed/</wfw:commentRss>
<slash:comments>5</slash:comments>
</item>
</channel>
</rss>


