I recently converted from VMware to AHV, and I wanted to show how I did Nutanix Files 3.7 with FSLogix. While I haven’t moved everything over yet, I have tested this very hard, and it’s solid as iron. I still use VMware for my datacenter servers, but we wanted our Citrix Environment on all Nutanix because it’s a solid product, and it’s simplified so that we can focus on other areas. This is how I did it, and I have learned a lot so far in the process. I am by far no expert, and this is for beginners like myself. I had a lot of help from the Nutanix Slack EUC channel, and especially Jarian Gibson. This is a single site, which is 3 FSVM only.
In regard to setting up Nutanix Files, this video is very useful. I suggest you watch it and get an understanding of what it is:
Nutanix Files – Shares are not accessible from clients that are on the same subnet as the Nutanix Files storage network.
*****Client access network must not be on the Storage network. ****
Does Not Work:
File Client 10.60.175.0/21
Files Access Network 10.60.105.0/24
Files Storage Network 10.60.175.0/21
File Client 10.50.175.0/21
Files Access Network 10.x.x.0/21
Files Storage Network 10.x.x.0/24
Make sure that either the client is on a subnet different from the Storage Network or that all three (the client, Files access Network, and Files storage network) IP addresses belong to the same subnet.
The screenshot on deploying Files is very high level. The video will help you understand more.
For me, all I wanted was SMB. Then, insert a username and password so it can join AD.
I left this blank.
For the DNS and Naming, at first, I did this (automatic).
But I had some bad reverse PRT issues. So, I fixed them, then went and manually added it.
I made them Static Records.
Then I clicked on verify, and it was good.
Here is a pic I found from Christiaan Brinkhoff's site that gave a logical understanding of the layout.
I read a lot of material on 3.6, and one of the things I found was this
Ensure that the client and storage networks use a tagged VLAN. The client and storage networks must have separate subnets if the networks are not the same. If the same network is used for both clients and storage, then IP addresses must be unique. Clients on the same subnet as the storage network will not be able to access the shares or exports.
I am not 100% if this applies to 3.7, but I followed it anyway to make sure I had no issues.
Overview of the bigger picture.
The CVM and FSVM layer
Nutanix Files VMs have access to two networks:
- External network – it is used by clients and external services communication.
- Storage or internal network – it is used for communication between Files VM and the Nutanix cluster.
The FSVM layer and communication.
I used Prism element to configure this:
Create the Nutanix Files – File Share.
Open the File Server menu in Prism Element and click on Create a Share/Export in the top right-hand corner.
You need to open the File Server menu in Prism and click on Create a Share/Export to get in the list.
The name of the share will be the share name within the UNC path to the share of the Files.
An example of my File Share is “FSLogix_Office_Containers.”
After putting in the information above, you have the option to configure Access Based Enumeration to hide other FSLogix Office 365 folders/User Profiles from other users.
ABE can be compared with the Access Based Enumeration setting within Windows File Services as well
The CLI run afs smb.set_conf “restrict nonamdin access” “no” section=global” isn’t needed for Files 3.7. I reached out to Jarian Gibson to confirm this as well. Thanks, Jarian!
As I learned, you will want to use distributed for Profiles. The explanation is below, and it is explained well.
Now, download MMC from Nutanix to manage permissions. I found out that I still could manage permission for what I was trying to achieve. Once again, I reached out to Slack around this and for TLD permission as René Bigler explained it to me. Thank you again!
Share permission you can’t change. You will need to control it with NTFS. I was updated by Jarian that you can modify shares. But, you need to open MMC and add the Share Snapin.
“If you want to change share permissions from the default of Everyone full control, you have to use Shared Folders MMC snap-in. If you don’t change default share permissions, then NTFS permissions will take precedence.”
Typically, on a Windows file share, I remove everyone and lock it down with a group instead. It’s just something I have always done. However, it’s not needed if the NTFS permission is set up correctly.
Screenshot from an example that was shown to me.
As you can see now, you can do this:
Set the NTFS Permissions on the Nutanix Files share.
Make sure that the following best practices NTFS rights are set on the Nutanix Files – file share location. The procedure is the same as for a normal Windows File Server but now on the Nutanix Files namespace folder share.
Open the File Share and open the Security properties.
NTFS permission Table
This is how I did it below.
Here is my GPO for around FSLogix. (Again, this is for RDSH 2016 and windows 10 1607/1809. Remember, Server 2019 will be different. So please don’t enable Search in the GPO for Server 2019.)
Profile I logged in, and my profile was created.
ODFC (Didn’t set the flipflop here-missed by mistake).
Let's test access base enumeration.
I can’t see davism from my test Citrix account.
Test NTFS permission on davism. I forced it so I could test the NTFS.
I must admit, it's a very good feature that Nutanix has, and I look forward to learning more about continuous availability (tech preview) and expanding this out to a DR site so the data can all replicate. I don’t know how to do this yet. But I will learn it soon.
Slack: Jarian Gibson and Nutanix-euc
#Citrix VAD Profiles