Azure File Sync and Private Endpoint

rr-4098 1,836

We have setup File Sync in Entra with a private endpoint and installed the agenton a small onprem file server. We are not using Azure DNS etc.. and updated the local host file for all the private endpoint IP's and FQDN's. When the Server Registration runs it completes and the test connection to the file sync services passes as well. In Entra when I setup the Server Endpoint it fails with "The operation 'Create server endpoint' failed with the following error: The server could not apply the new configuration." The event logs on the file server state it was block since a private endpoint is in place.

I cannot for the left find what I am missing....

Keshavulu Dasari 3,185 Reputation points Microsoft Vendor

2025-01-30T21:18:58.24+00:00
Hi rr-4098,

Greetings & Welcome to Microsoft Q&A forum! Thanks for posting your query!

You have completed much of the setup correctly, but there might be a few things to check to resolve the issue with creating the server endpoint. I suggest few considerations.

Verify Network Configuration ensure that the private endpoint is correctly configured and that the network interface associated with the private endpoint has the correct IP address and DNS settings, check that the private DNS zone is correctly set up and that the DNS records for the private endpoint are resolving correctly on your on-premises server.

Make sure that there are no firewall or NSG rules blocking the traffic between your on-premises server and the Azure File Sync service, look at the event logs on your on-premises server for any specific error messages that might give more details about why the configuration is being blocked.

Use the Debug-Storage Sync Server Cmdlet:

Run the Debug-StorageSyncServer PowerShell cmdlet on your on-premises server to diagnose common issues such as certificate misconfiguration and incorrect server time.

Check Server Endpoint Path:

Ensure that the server endpoint path specified is a locally attached NTFS volume. Azure File Sync does not support mapped drives as a server endpoint path.

Update Azure File Sync Agent Make sure you have the latest version of the Azure File Sync agent installed on your on-premises server.

Hope this helps, if you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you
Silvia Wibowo 5,281 Reputation points Microsoft Employee

2025-01-30T21:22:29.5066667+00:00
Hi @rr-4098 , please verify the Azure File Sync service is running on the server:

Open the Services MMC snap-in and verify the Storage Sync Agent service (FileSyncSvc) is running. If the service is not running and fails to start, see Storage Sync Agent service (FileSyncSvc) fails to start.
rr-4098 1,836 Reputation points

2025-01-30T21:28:09.2266667+00:00

The storage sync agent is running and has been restarted multiple times. Also the local host list the fqdns for all services without the privatelink name which is correct, right?
rr-4098 1,836 Reputation points

2025-01-31T16:29:05.87+00:00

Still no luck. I forgot to mention in Entra we only have the VPN and storage account no NSG's are in place.
rr-4098 1,836 Reputation points

2025-01-31T18:51:36.31+00:00

I ran the debug-StorageSyncServer commands as listed in https://learn.microsoft.com/en-us/troubleshoot/azure/azure-storage/files/file-sync/file-sync-troubleshoot

everything passed...
rr-4098 1,836 Reputation points

2025-01-31T19:27:12.9066667+00:00

As a test I disabled AV on the server and was able to create the server endpoint. It start to run for a bit but failed on "Private endpoint configuration access blocked." Both Cloud Tiering and Upload Health passed. Right now from the portal it only the "Download to Server" which is failing.. Check the private endpoint configuration and allow access to the file sync service
Keshavulu Dasari 3,185 Reputation points Microsoft Vendor

2025-02-02T12:29:25.5333333+00:00
Hi rr-4098,

It appears you are nearing a solution to the issue based on the above additional details, I Suggest few steps please consider,

DNS settings for the private endpoint are correctly configured. Since you are not using Azure DNS, verify that the local host file entries are accurate and resolve to the correct private IP addresses.

Run nslookup <storage-account-name>.file.core.windows.net to confirm that it resolves to the private endpoint's IP address.

Double-check that the private endpoint is correctly associated with the storage account and the virtual network.

Ensure that the private endpoint's network interface has the correct private IP address and is within the correct subnet.

Even though you mentioned there are no NSGs, ensure that there are no other firewalls or security settings blocking access to the private endpoint.

Verify that the VPN configuration allows traffic to and from the private endpoint.

Since disabling the antivirus allowed the server endpoint creation to proceed, consider configuring the antivirus to allow traffic to the private endpoint. You may need to add exceptions for the Azure File Sync service and related processes.

Azure Portal and Logs:

Check the Azure portal for any additional error messages or logs that might provide more insight into the "Download to Server" failure.

Review the event logs on the file server for any additional details.

For more detailed information, you can refer to the Azure File Sync networking considerations and troubleshooting guides for more detailed steps and common issues.
Keshavulu Dasari 3,185 Reputation points Microsoft Vendor

2025-02-03T15:53:16.9233333+00:00

Hi rr-4098,

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.
rr-4098 1,836 Reputation points

2025-02-03T18:43:17.8433333+00:00

I reviewed the local host file again and all 4 entries listed in the network \ DNS settings for the Sync Services are in the local host file. I also included the private IP of the storage account. It's so odd that uploads are successfully but downloads are not. Where can I find additional logs for File Sync in the portal?
Keshavulu Dasari 3,185 Reputation points Microsoft Vendor

2025-02-03T19:21:16.0333333+00:00
Hi rr-4098,

I appreciate that you are verified the local host file and included the necessary entries. The issue of uploads working while downloads fail is certainly perplexing. To locate additional logs for Azure File Sync in the portal, I Suggest below,

Azure Portal:

Navigate to the Storage Sync Service resource in the Azure portal.

Go to the Sync groups section and select the sync group associated with your server endpoint.

Here, you can view the health status and any persistent sync errors.

Azure Monitor:

You can use Azure Monitor to view metrics and create alerts for Azure File Sync. This can help you proactively identify and resolve issues.

Navigate to Azure Monitor in the portal, and then select Metrics. From there, you can add metrics related to Azure File Sync to monitor its performance.

Event Logs on the Server:

On your file server, you can check the event logs for more detailed information. Look under Applications and Services Logs > Microsoft > FileSync > Operational.

These logs can provide specific error messages and details about the sync process.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
rr-4098 1,836 Reputation points

2025-02-04T15:46:35.38+00:00

I am wondering if this could be a routing issue back to onprem. Please keep in mind we only have the Entra VPN, Storage Account and File Sync service inplace. There are no custom routes. I am thinking about standing up a small VM for testing...

https://journeyofthegeek.com/2020/09/10/interesting-behaviors-with-private-endpoints-new/
Keshavulu Dasari 3,185 Reputation points Microsoft Vendor

2025-02-04T19:41:55.5166667+00:00
Hi rr-4098 ,

I understand here few possibilities that routing issues could be causing the problem, especially since you mentioned that uploads are successful, but downloads are not. Setting up a small VM for testing is a good idea to help isolate the issue. I suggest few additional steps you can take to troubleshoot the routing,

Review Private Endpoint Configuration ensure that the private endpoint is correctly configured and associated with the correct virtual network and subnet. Verify that the private endpoint's network interface is properly set up and has the correct IP address.

Check DNS Resolution:

Make sure that the DNS settings are correctly resolving the private endpoint's FQDN to the private IP address.

Use tools like nslookup or dig to verify DNS resolution from the on-premises server.
Double-check that there are no NSGs blocking the traffic. Even though you mentioned not using NSGs, implicit rules might still affect the traffic.

Routing Configuration:

Verify that the routing configuration allows traffic to flow between the on-premises network and the private endpoint.

Ensure that the VPN connection is correctly routing traffic to the private endpoint.

Test with a VM:

Deploy a small VM in the same virtual network as the private endpoint and test connectivity from the VM to the private endpoint.

Use tools like ping, tracert, or telnet to test connectivity and identify any potential routing issues.

Azure Monitor and Network Watcher, Use Azure Monitor to check for any anomalies in the network traffic. Utilize Azure Network Watcher to perform connection troubleshooting and packet capture to diagnose the issue.

I hope this information helps. Please do let us know if you have any further queries.
rr-4098 1,836 Reputation points

2025-02-04T19:57:39.8166667+00:00

I setup a 2019 in Entra and was able to RDP to the private IP which is the same subnet I am using for Private Endpoints. From the Entra VM I was able to UNC to onprem servers so network wise things look ok..

I am looking into the article below you sent now...

https://learn.microsoft.com/en-us/azure/private-link/troubleshoot-private-endpoint-connectivity
rr-4098 1,836 Reputation points

2025-02-04T20:06:24.9366667+00:00

I know you mentioned about checking NSG rules but I do not have any NSG's present.
Keshavulu Dasari 3,185 Reputation points Microsoft Vendor

2025-02-05T20:06:53.29+00:00

Hi rr-4098 ,

I am pleased to hear that, your network setup seems to be functioning correctly and that you can RDP to the private IP and UNC to on-prem servers. Since you are confirmed that there are no NSGs in place, let's focus on a few other potential areas to troubleshoot the "Download to Server" issue.

Ensure that the private endpoint is correctly configured to allow access to the Azure File Sync service. Verify that the necessary permissions and access policies are in place, confirm that the DNS resolution for the private endpoint FQDNs is working correctly from both the VM and your on-premises server. You can use tools like nslookup or ping to verify this.

Check that there are no firewall rules or security settings on your on-premises server that might be blocking the connection to the Azure File Sync service.

Since disabling the antivirus allowed the server endpoint creation to proceed, consider configuring the AV to allow traffic to and from the Azure File Sync service. You might need to add exceptions for the specific processes and ports used by Azure File Sync.

Use Azure Monitor to check for any network-related logs or metrics that might provide insights into the routing issue. You can also review the logs in the Azure portal for any errors or warnings related to the private endpoint.

For more information: https://learn.microsoft.com/en-us/azure/storage/file-sync/file-sync-networking-endpoints?tabs=azure-portal.

Hope this helps, if you have any other questions, please let me know.
rr-4098 1,836 Reputation points

2025-02-06T15:03:01.8133333+00:00

I removed all entries in the host file and added them again. Same data mind you, now uploads and downloads are showing successfully. Cloud Tiering has the error: "The file failed to tier because the current sync mode is initial upload..."
Keshavulu Dasari 3,185 Reputation points Microsoft Vendor

2025-02-07T18:16:13.0966667+00:00

Hi rr-4098 ,

Just checking in to see if the response helped. If you have any questions, let me know in the "comments" and I would be happy to help you.
rr-4098 1,836 Reputation points

2025-02-07T19:19:54.2666667+00:00

I don't see an option to mark a comment as an answer
Keshavulu Dasari 3,185 Reputation points Microsoft Vendor

2025-02-07T21:45:12.0066667+00:00

Hi rr-4098 ,

Glad to know that your issue has resolved. And thanks for sharing the solution, which might be beneficial to other community members reading this thread. Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.

1 answer

Keshavulu Dasari 3,185 Reputation points Microsoft Vendor

2025-02-06T17:39:42.87+00:00

Hi rr-4098 ,

I am pleased to hear that uploads and downloads are now working successfully, the error you are seeing with Cloud Tiering is related to the initial upload mode. This mode prioritizes uploading files to Azure before enabling tiering. I Suggest some steps to address this please try,

Ensure that the initial upload process is fully completed. Cloud Tiering will not start until all files are uploaded to Azure. You can monitor the progress in the Azure portal under the Sync Groups section.

Use Event Viewer on your server to monitor tiering activity. Look for Event IDs 9003, 9016, and 9029 in the Telemetry event log under Applications and Services Logs > Microsoft > FileSync > Agent

For more Information: https://learn.microsoft.com/en-us/troubleshoot/azure/azure-storage/files/file-sync/file-sync-troubleshoot-cloud-tiering Verify that the sync mode is set correctly. Once the initial upload is complete, the sync mode should switch to a state that allows tiering. You can check this in the Azure portal under the Sync Groups section. ensure that your cloud tiering policies are set correctly.

You can configure policies such as the volume free space policy and the date policy to inform Azure File Sync when to tier cool files. Hope this helps, if you have any other questions, please let me know

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

If you have any other questions or are still running into more issues, let me know in the "comments" and I would be happy to help you.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Azure File Sync and Private Endpoint

1 answer

Your answer