
Sunday, June 22, 2008

FSRM and NTFS Quotas in 2003 R2

This post discusses several methods of using File Server Resource Manager (FSRM) auto-quotas with a single share for many home directories, and how you can bypass the limitation with FSRM quotas over SMB and return a reduced amount of disk space through the single share. The two methods discussed are reparse points, and combined FSRM and NTFS quotas.

There is an inherent problem with FSRM quotas in Windows Server 2003 R2: when accessed remotely, a hard quota is used to report free disk space to the client only when the quota is set on the root of the disk or share. The share quota overrides the volume root quota if both have hard quotas set.

Unfortunately this is not practical in this scenario, as a hard quota affects the free space from the quota root down. For example, with a hard quota set on the root of a share that contains user home directories, the total space would be limited by the quota, rather than each home directory being limited. No method could be found to prevent inheritance of a quota setting to sub-folders.

Note that this does not occur when accessing the quota locally on a machine; the problem exists because the SMB call for QUERY_FS_INFO queries the free space at the root, not the free space at the folder (historically there was no difference). File screening can include a blocking exception entry deeper in the tree to override policies above, but quotas do not have the same interface through the GUI.

The following methods were tried (and failed) to see if there was an easy workaround for this issue:

However, if this functionality is required, there are at least two methods to work around the problem – using reparse points or using a combination of NTFS quotas and FSRM quotas.

Reparse Points

Testing was conducted to see whether reparse points, junctions, mount points or symbolic links could be used to return a different amount of free space from the root of the volume compared to the quota applied to each home drive folder.

Using one directory junction, one share, one hard quota and one autoquota, it is possible to use FSRM R2 quotas to report the free disk space based on a hard quota at a root folder, while still providing different per-folder quotas.

For example, in the following scenario, it’s possible to report a reduced disk free space limit, using only FSRM quotas and a directory junction point on the same volume.

  1. Cluster share Root: f:\QuotaTest - \\server\QuotaTest
  2. User Home Root: \\server\f$\users
  3. User home drive: \\server\quotatest\junction\user1 (f:)
  4. FSRM Hard Quota on the share root: 10MB
  5. FSRM Hard or Soft autoquota on the home directory root: 20MB
  6. Junction Directory: f:\quotatest\junction
  7. Junction Target: f:\users
  8. Create the directory junction/reparse point: junction.exe f:\quotatest\junction f:\users

Tests completed under this scenario from a workstation:

  1. Directory of H: on reports 10MB free space, based on the hard quota set at the root of the share
  2. Explorer view of H: reports 10MB free space, with the drive mapped through the junction (AD)
  3. Copy a 13MB file to H: succeeds, still 10MB reported free, FSRM warning triggered based on 50% usage (of the 20MB)
  4. Copy another 13MB file to H: fails, 20MB hard autoquota set on h:\users prevents copy

Notes:

  1. Apparently Windows Vista clients using SMB 2.0 do not have this issue
  2. Windows 2000 and later support directory junctions – reparse points. When accessing a reparse point, the processing occurs on the server, unlike Vista/2008 which has a modified MUP and network redirector architecture, supporting client-side processing of file and directory symbolic links.
  3. This still has at least one major disadvantage: free space will not change for users, who would always see the free space available at the root of the share (10MB in the example above). However, if hard FSRM autoquotas were used without this method, the free space reported to users would be the total free space on the volume, regardless of the 10MB hard limit that they would be limited to. This is potentially confusing in both scenarios.
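
The scenario above as a server-side setup script. This is an added example, not from the original post; it assumes f:\QuotaTest is already shared as QuotaTest, that dirquota.exe (installed with FSRM) and the Sysinternals junction.exe are on the PATH, and the template name Home-20MB is hypothetical.

```bat
@echo off
rem Added example: builds the junction scenario from the post on the file server.
rem Assumptions: f: is the data volume, f:\QuotaTest is already shared,
rem and Home-20MB is a hypothetical FSRM template name.
setlocal
set SHAREROOT=f:\QuotaTest
set HOMEROOT=f:\users
set TEMPLATE=Home-20MB

if not exist "%SHAREROOT%" mkdir "%SHAREROOT%"
if not exist "%HOMEROOT%" mkdir "%HOMEROOT%"

rem Hard quota on the share root: the figure SMB clients are shown as free space.
dirquota quota add /path:%SHAREROOT% /limit:10mb /type:hard
if errorlevel 1 goto fail

rem Template plus auto-quota on the home root: each subfolder gets its own
rem 20MB hard limit, which is what actually stops writes in the tests above.
dirquota template add /template:%TEMPLATE% /limit:20mb /type:hard
if errorlevel 1 goto fail
dirquota autoquota add /path:%HOMEROOT% /sourcetemplate:%TEMPLATE%
if errorlevel 1 goto fail

rem Junction inside the share that points at the home root on the same volume.
junction.exe %SHAREROOT%\junction %HOMEROOT%
if errorlevel 1 goto fail

rem Review what was configured before mapping a home drive through the junction.
dirquota quota list /path:%SHAREROOT%
dirquota autoquota list /path:%HOMEROOT%
goto :eof

:fail
echo Setup step failed with errorlevel %errorlevel%
exit /b 1
```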

Combined FSRM and NTFS quotas

As they are completely different technologies, NTFS quotas and FSRM quotas do not seem to conflict with each other. Therefore one method of providing soft/hard FSRM quotas while also reducing the disk space seen by users is to use NTFS hard quotas as well.

There are several caveats with this approach:

  1. NTFS quotas are only relevant for user-owned data where each user has data in one directory. This is ideal for home directories, but not suitable for shared data directories.
  2. The two different quota systems would have to be maintained separately and kept aligned whenever the configuration of either one changes. While all users conform to the standard template this would not be challenging, but as individual quotas are changed this will become problematic (as always happens).

Overall this solution provides a more realistic disk-free result for each user, provided the FSRM hard quota matches the NTFS hard quota, and file ownership is correctly set.

The following testing was completed with FSRM and NTFS quotas working together in a 2003 MSCS cluster:

  1. Hard NTFS quota of 15MB
  2. Soft auto-quota of 20MB
  3. Writing a file using user1 to the H: drive, automatically creates a quota entry in NTFS quotas
  4. Writing a second file which takes it over 10MB (50%), the FSRM quota event/command takes place
  5. A directory listing of the filesystem by the user reports only the NTFS hard quota as free disk space.
  6. Trying to copy another file as user1 to the H: drive fails with not enough disk space according to the hard NTFS quota
  7. Moved the cluster group to verify this follows on a cluster
  8. After the group was moved to another server, the same tests were conducted; NTFS quotas still apply and the hard limits are returned to the client as total space.
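
A command-line version of the combined configuration tested above. This is an added example, not from the original post; the home root f:\users, the account EXAMPLE\user1 and the template name are assumptions, and it sets an explicit NTFS quota entry for one account rather than relying on the volume's default limit for new users.

```bat
@echo off
rem Added example: NTFS hard quota alongside an FSRM soft auto-quota.
rem Assumptions: f: is the data volume, f:\users is the home directory root,
rem EXAMPLE\user1 and Home-20MB-Soft are hypothetical names.
setlocal
set VOLUME=f:
set HOMEROOT=f:\users
set ACCOUNT=EXAMPLE\user1
set TEMPLATE=Home-20MB-Soft

rem fsutil takes byte values: 15MB = 15 * 1024 * 1024.
set /a NTFSLIMIT=15*1024*1024

rem FSRM side: soft 20MB auto-quota on the home root (used for warnings only).
dirquota template add /template:%TEMPLATE% /limit:20mb /type:soft
if errorlevel 1 goto fail
dirquota autoquota add /path:%HOMEROOT% /sourcetemplate:%TEMPLATE%
if errorlevel 1 goto fail

rem NTFS side: enforce quotas on the volume, then set threshold and limit
rem for the account. This is the figure the client sees as free space.
fsutil quota enforce %VOLUME%
if errorlevel 1 goto fail
fsutil quota modify %VOLUME% %NTFSLIMIT% %NTFSLIMIT% %ACCOUNT%
if errorlevel 1 goto fail

rem NTFS quotas are charged by file owner, so check ownership in the home
rem directory (dir /q shows the owner), then review both quota systems.
dir /q %HOMEROOT%\user1
fsutil quota query %VOLUME%
dirquota quota list /path:%HOMEROOT%\user1
goto :eof

:fail
echo Setup step failed with errorlevel %errorlevel%
exit /b 1
```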


Wayne's World of IT (WWoIT), Copyright 2008 Wayne Martin.
