Search Service Cluster Edition

Windows Server File Services is a classic well known Service form Microsoft. If you use the Search bar on the top of every Windows Explorer Window since Windows 7, your fileserver will respond very fast with an result, but only if Search Service is installed. If not, you’ll see a slow and long time working search, that displays one file found aftern another.

Setup Steps

If you follow this order of steps, you’ll have success:

  • Configure Search Service as described below
  • Move Clustered File Server with all Drives to the other Node
  • Configure Search Service on other Node(s)
  • Setup Clustered Service (details at the end of article)

Here are the detailed configuration steps:

Search Service Configuration

Because Search Index can be used for multiple drives of a file server / cluster, we will use an additional, clustered Drive using letter S. The following configuration steps must be dont on both cluster nodes individually, while the file server cluster role is active on that node.

  • Create folder S:\Search, if it doen’t already exist
  • Stop service “Windows Search” and set startup type to “manual”

To force windows to use the new search index location also after a index reset, the following registry key must be modified.

HKLM\Software\Microsoft\Windows Search\
DataDirectory -> S:\Search\Data\
DefaultDataDirectory -> S:\Search\Data\

  • start Service „Windows Search“
  • check folder content: die search put in some files here?

Now we configure the folders to be indexed. The easiest way would be using the GUI in control panel. For easy access, just create a desktop icon for this command:

control /name Microsoft.IndexingOptions

  • click on “modify” to de-select existing indexed locations
  • add all to-be-indexed shares
  • stop Windows Search Service

Configuration complete – on this node. Now the same steps are required on the other node too.

Setup Clustered Generic Service

After configuring both Nodes with the steps above, we can create a Clustered Generic Service for Windows Search.

  • start Failover Cluster Manager
  • Add a “Generic Service” under your fileserver’s Role
  • Open Properties of the new Service and add a Dependency for Drive S:
  • right-click on the Search Service and choose “bring online” to start
  • test if Failover works by doing Failover and re-check the Search Configuration



Quick Guide to Setup Dynamic Access Control

Dynamic Access Control enables the functionality to deploy file or object permissions based on claims instead of access control lists (acl). As claims, we use pre-defined properties from active directory user objects like department, Title or Manager information. Almost everything from Active Directory can be used. So configuring DAC works like this:

Let’s assume, you want to restrict access on all Folders with “TopSecret” Confidentiality for users in Department “Agents” of Company “Investigate&Co”.

(1) Define Claims.

Open AD Administrative Center and go to Dynamic Access Control, where you open Claim Types. Now add all Properties you wish to use for filtering and grouping all of your Employees.

Claims will be used to give permissions. For our example, we add Department and Company.


(2) Define Resource Properties.

Still in AD Administrative Center, select Resource Properties in the left navigation tree. There appears a list of available Properties that can be enabled for use. For our example, enable Confidentiality and right-click on it to edit the properties. At the bottom, there’s a dialog to add Suggested Values. Hit “add” and create a additional “Top Secret” Entry with Value “4000” (just greater than the highest).


(3) Configure a Recource Property List.

There’s already a default configured “Global Resource Property List” that contains the most of the default available values. Just ensure the “Confidentiality” Property is listed here.


(4) Create a Central Access Rule.

File System Permissions are no longer configured on the file server itself, the cool thins is they’re now configured central and maintained general. So we don’t define a access policy for Folder XY and make decisions about recursion like done in past. What we do now is to define what kind of data can be accessed by what type of user.

For our example, we create this rule: Objects classified as “Top Secret” can only be accessed by users that are members of Department “Agents” and work for Company “Investigate&Co”. This Rule looks like this:


(5) Create a Central Access Policy.

A policy is a collection of all or many Central Access Rules. You assign a policy to a file server. With this functionality, you can define multiple and/or different policies for different servers.


(6) Configure Kerberos and KDC to support claims and Kerberos armoring.

Edit the Default Domain Controller Policy to enable the following Kerberos and KDC setting.


…and for Kerberos too…


(the difference betweek this two pictures is the selection of KDC and Kerberos in the left tree)

(7) Assign the Policy to the Fileserver.

Create a GPO either on root and use security filtering or link it directly to a OU that only contains the file server(s). This OU gets the following settings.


Under Computer Configuration/Windows Settings/Security Settings/File System, there’s a “Central Access Policy” Setting where you can define the DAC Policy we just created.

(8) Setup Fileserver, Verify Permissions.

Your file server needs the “File Server” role and “File Server Resource Manager” (FSRM) being installed to have the classification tab enabled on folders. Using “gpudate /force”, we ensure the new policy gets downloaded.

To verify our example rule is running, I created a folder called “Obama” and set the Confidentiality manually to “Top Secret”.


This isn’t the way you will set the properties on your data (mind the huge effort to do this on big filers). In production, you create rules in FSRM to automatically classify data based on rules. But this is another story.

So after classifying my folder, let’s use old good known “Effective Access” Tab in the Advanced Security Settings of the Folder to verify access of my User “Agent007” who’s in Department “Agents” and works for Company “Investigate&Co” and for JuniorAgent123 who’s in Department “Junior Agents”.

Folder NTFS Security Settings:


Effective Permissions for Agent007:


Effective Permissions for JuniorAgent123:



NTFS permissions gives the basic permissions for the users on objects and the DAC is used to restrict access by classification rules on top of it.

(9) Using File Classification Infrastructure of FSRM

If you open FSRM under the “Classification Management” tree, you see our enabled “Confidentiality” Property for Objects in here als “Global” Scope Property.


The Classification Rules tree is empty by default, you can create Rules here to classify files and folders. For example, a rule could classify files by scanning their content for credit card numbers and assign them the classification “Financial Data”. To get some examples and templates, there’s a downloadable package from Microsoft:


This Solution Accelerator is designed to help enable an organization to identify, classify, and protect data on their file servers. The out-of-the-box classification and rule examples help organizations build and deploy their policies to protect critical information on the file servers in their environment.