How to copy on-prem file server share data to an Azure file share with all the permissions

N Wakchaure, Jagdish 120 Reputation points
2024-08-29T17:23:02.8233333+00:00

We have a file server on-prem which has 4 TB of data, with a number of shared folders.

We want to copy this data to an Azure file share, but with exactly the same files and permissions that are currently assigned to the shared folders. At the same time we also need to have the data synced to another region, which is a DR site.

To achieve this we are planning as below; please let us know if this approach is correct.

  1. We will have an additional domain controller in both regions, which will be an AD DS VM.
  2. We will create a storage account in both regions with RA-GRS.
  3. The Azure File Sync agent will be installed on the server to sync the data to the Azure file share.
  4. Once the data is replicated, we will configure identity-based access on the file share and the "Enable permissions for all authenticated users and groups" option.
  5. The DR site will also have the same replica of the data if the primary site goes down.
  6. Once the entire data is synced to Azure, we will disable or stop the sync on the Azure share.
  7. We will promote the additional domain controller to primary domain controller (moving the FSMO roles).
  8. Decommission the on-prem domain controller.
  9. We also thought of having a staging AD on the DR site - Entra ID (I don't know much about this but have heard about it; could you let us know how we can implement this?) in case the primary site is down.
  10. And how users can continue to access the data from the secondary site.

There are actually other web servers also for which we are creating the solution, but if you could help with the above it would be much appreciated.


Accepted answer
Nehruji R 8,066 Reputation points, Microsoft Vendor
    2024-08-30T11:30:57.05+00:00

    Hello N Wakchaure, Jagdish,

    Greetings! Welcome to Microsoft Q&A Platform.

    Your approach to migrating and syncing your on-premises file server data to Azure File Share while maintaining permissions and setting up a disaster recovery (DR) site is well thought out.

    • It's good to have at least two domain controllers in each site for redundancy and high availability. So having an additional domain controller in both regions is always a good option.
    • Creating a storage account in both regions with RA-GRS is a good option for redundancy and disaster recovery.
    • Installing the Azure File Sync agent and syncing data from on-premises to Azure File Share is correct. Once the data is synced, if you stop the sync, any new changes on-premises won't reflect on the Azure file share. If the data needs to remain in sync, consider keeping the sync active.
    • Configuring identity-based access with Azure AD DS ensures that users retain permissions based on their identities. Ensure that all necessary permissions are correctly mapped and tested after enabling this option.
    • Disabling sync after ensuring data is fully replicated is a valid step if no further sync is required. Make sure the final sync is verified before disabling it to avoid missing data.
    • Promoting the additional domain controller and moving FSMO roles to it is essential for ensuring continuity. Plan for a seamless transition to avoid any downtime. Ensure that all role transfers are tested in advance.
    • Decommissioning the on-premises domain controller is a good approach for maintaining Active Directory services in the cloud.
    • Implementing a staging server for Microsoft Entra ID (formerly Azure AD) can provide high availability and disaster recovery. A staging server can be set up in an active-passive configuration, where it remains in sync with the primary server but does not actively export changes until needed.

    Additional Recommendations:

    Before fully committing to the migration, perform thorough testing to ensure that all data and permissions are correctly replicated and that the failover to the DR site works seamlessly.

    If you want to continue using the on-prem servers as cache and move the data to Azure, you can consider using Azure File Sync: Deploy Azure File Sync | Microsoft Learn

    If you are looking at decommissioning the on-prem servers and migrating the data, there are a couple of ways in which you can transfer the data to Azure Files - using Azure Storage Mover, RoboCopy or the AzCopy tool. All of these support full-fidelity copies and allow copying the folder structure.

    Migrate to SMB Azure file shares using Azure Storage Mover | Microsoft Learn

    Migrate to Azure file shares using RoboCopy | Microsoft Learn

    Transfer data to or from Azure Files by using AzCopy v10 | Microsoft Learn

    Copying data using the migration tools is a multi-step process and involves downtime for cutover. When it comes to authentication, there are multiple authentication options supported by Azure Files, but given that you want Azure AD joined clients to access the file share without providing credentials and non-Azure AD joined clients to access the file share with explicit credentials, you can use Microsoft Entra Domain Services identity-based authentication.

    Use Microsoft Entra Domain Services to authorize user access to Azure Files over SMB | Microsoft Learn

    The permissions on the files and folders will remain when you migrate the data; the share permissions have to be configured using RBAC roles. We have introduced three Azure built-in roles for granting share-level permissions to users:

    Storage File Data SMB Share Reader allows read access in Azure Storage file shares over SMB.

    Storage File Data SMB Share Contributor allows read, write, and delete access in Azure Storage file shares over SMB.

    Storage File Data SMB Share Elevated Contributor allows read, write, delete and modify NTFS permissions in Azure Storage file shares over SMB.

    https://video2.skills-academy.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-service-enable#2-assign-access-permissions-to-an-identity

    This article provides an overview of some of the common Azure data transfer solutions. The article also links out to recommended options depending on the network bandwidth in your environment and the size of the data you intend to transfer: https://video2.skills-academy.com/en-us/azure/storage/common/storage-choose-data-transfer-solution

    You can also use physical shippable devices when you want to do offline one-time bulk data transfer. Microsoft sends you a disk, or a secure specialized device. Alternatively, you can purchase and ship your own disks. You copy data to the device and then ship it to Azure where the data is uploaded. The available options for this case are Data Box Disk, Data Box, Data Box Heavy, and Import/Export (use your own disks).

    Check this link for more details - https://video2.skills-academy.com/en-us/azure/storage/common/storage-solution-large-dataset-low-network

    Please let us know if you have any further queries. I'm happy to assist you further.


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.

    1 person found this answer helpful.
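An added example (my own, not code from the question or the answer) that puts the migration and permission steps discussed above into one PowerShell script: a full-fidelity RoboCopy pass that carries NTFS ACLs and owners across, a spot-check that owners and explicit ACEs match on a sample of the copied items, and the three share-level RBAC roles named in the answer assigned per group with least privilege. Every path, the storage account, share, subscription, resource group and group object ids are placeholders. It assumes the storage account is already joined to AD DS or Microsoft Entra Domain Services (so SIDs resolve on the share) and that the Az.Accounts and Az.Resources modules are installed.

```powershell
# Added example, not from the post: mirror an on-prem share to an Azure file
# share with NTFS ACLs intact, verify a sample of ACLs, then grant the
# share-level RBAC roles listed in the answer. All values below are placeholders.

$SourceRoot     = 'D:\Shares\Finance'                              # on-prem share root (placeholder)
$TargetRoot     = '\\mystorageacct.file.core.windows.net\finance'  # Azure file share UNC path (placeholder)
$LogFile        = 'C:\MigrationLogs\finance-robocopy.log'
$Subscription   = '<subscription-id>'
$ResourceGroup  = '<resource-group>'
$StorageAccount = 'mystorageacct'
$ShareName      = 'finance'

# 1. Full-fidelity copy. /COPYALL copies data, attributes, timestamps, NTFS ACLs,
#    owner and auditing info; /DCOPY:DAT does the same for directories; /MIR
#    makes the target a mirror (it deletes items on the target that are not on
#    the source - only use it on a target you intend to overwrite); /B uses the
#    backup privilege so files whose ACLs deny the migrating account are still
#    read; /MT:32 parallelises; /R:2 /W:1 keeps retries short. Re-run the same
#    command for incremental passes until the final one at cutover.
function Invoke-ShareMirror {
    param([string]$Source, [string]$Target, [string]$Log)
    New-Item -ItemType Directory -Force -Path (Split-Path $Log) | Out-Null
    robocopy $Source $Target /MIR /COPYALL /DCOPY:DAT /B /MT:32 /R:2 /W:1 /NP "/LOG+:$Log"
    # Robocopy exit codes below 8 are success (bits 1/2/4 are informational only).
    if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit code $LASTEXITCODE); see $Log" }
}

# Owner plus the explicit (non-inherited) ACEs of one item, as a comparable string.
# Inherited ACEs are recomputed from the target tree, so only explicit ones are compared.
function Get-AclSignature {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $explicit = $acl.Access | Where-Object { -not $_.IsInherited } |
        ForEach-Object { "$($_.IdentityReference)|$($_.FileSystemRights)|$($_.AccessControlType)|$($_.InheritanceFlags)" } |
        Sort-Object
    return (@("owner=$($acl.Owner)") + $explicit) -join ';'
}

# 2. Spot-check that ACLs survived the copy on a random sample. Mismatches usually
#    mean the storage account is not domain-joined yet (SIDs do not resolve on the
#    share) or the copy ran without /COPYALL or /B.
function Test-AclFidelity {
    param([string]$Source, [string]$Target, [int]$SampleSize = 50)
    $Source = $Source.TrimEnd('\')
    $items = Get-ChildItem -LiteralPath $Source -Recurse -Force | Get-Random -Count $SampleSize
    $mismatches = foreach ($item in $items) {
        $relative   = $item.FullName.Substring($Source.Length).TrimStart('\')
        $targetPath = Join-Path $Target $relative
        if (-not (Test-Path -LiteralPath $targetPath)) { $relative; continue }
        if ((Get-AclSignature $item.FullName) -ne (Get-AclSignature $targetPath)) { $relative }
    }
    if ($mismatches) {
        Write-Warning "ACL mismatch or missing item for $(@($mismatches).Count) of $SampleSize sampled items:"
        $mismatches | ForEach-Object { Write-Warning "  $_" }
        return $false
    }
    return $true
}

# 3. Share-level permission: the NTFS ACLs travelled with the data, but who may
#    open the share at all is an Azure RBAC decision scoped to the share itself.
function Grant-ShareRole {
    param(
        [string]$PrincipalObjectId,   # Entra object id of the synced AD group (placeholder values below)
        [ValidateSet('Storage File Data SMB Share Reader',
                     'Storage File Data SMB Share Contributor',
                     'Storage File Data SMB Share Elevated Contributor')]
        [string]$Role
    )
    $scope = "/subscriptions/$Subscription/resourceGroups/$ResourceGroup" +
             "/providers/Microsoft.Storage/storageAccounts/$StorageAccount" +
             "/fileServices/default/fileshares/$ShareName"
    New-AzRoleAssignment -ObjectId $PrincipalObjectId -RoleDefinitionName $Role -Scope $scope
}

# Run one migration pass, verify, then grant access only if the ACL check passed.
Invoke-ShareMirror -Source $SourceRoot -Target $TargetRoot -Log $LogFile
if (Test-AclFidelity -Source $SourceRoot -Target $TargetRoot) {
    Connect-AzAccount -Subscription $Subscription | Out-Null
    # Least privilege: ordinary users get Contributor; only the file admins group
    # gets Elevated Contributor, which allows changing NTFS permissions.
    Grant-ShareRole -PrincipalObjectId '<finance-users-group-objectid>' -Role 'Storage File Data SMB Share Contributor'
    Grant-ShareRole -PrincipalObjectId '<file-admins-group-objectid>'   -Role 'Storage File Data SMB Share Elevated Contributor'
}
```

Run the mirror repeatedly while the on-prem server is still live, then once more after users are cut off, and only then grant the share-level roles; the sampled ACL comparison is a cheap gate between the two, and a full `Get-ChildItem` over 4 TB is worth limiting with `-Depth` if the tree is wide.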
