all projects
// production · storage

Cohesity SmartFiles — SMB share + snapshot recovery

SMB View created on an AD-joined Cohesity cluster: passwordless access for domain users, write permissions delegated to specific AD groups, Protection Group with automatic snapshots at a configurable cadence, and self-service restore from Windows clients via "Previous Versions" — without going through the Cluster UI.

Statuscompleted
Year2026
Roleproduction · storage
EnvironmentCohesity · Active Directory
Cohesity SmartFiles SMB Active Directory Snapshot Windows

context

We needed a corporate SMB share for a small group of users, with two strong requirements: transparent access (no credential popup for users already logged into the domain) and autonomous restore of deleted/modified files — without opening a ticket or entering the cluster UI.

Cohesity SmartFiles exposes all these capabilities through the View primitive: a logical file-share on a Storage Domain, with a selectable protocol (SMB, NFS, S3) and ACLs integrated with AD.

approach

  • Prerequisites validated: cluster already joined to the AD domain, at least one Storage Domain available (DefaultStorageDomain), and a reachable client on the network.
  • View creation: SmartFiles → Views → Create View, name Share_SteGio, protocol SMB. The access address is the same IP used to reach the Cluster UI in the browser — if the VIPs page is empty, that's the right IP.
  • Permissions via AD groups: in More Options → Users, I added the domain users allowed to read and the groups authorized to write. The rest of the domain gets automatic read-only access via the Subnet Allowlist.
  • Client-side verification: from a domain-member Windows PC, \\10.1.1.31\Share_SteGio in File Explorer. No credential prompt — the share opens immediately. Negative test: a user outside the write group sees the files but gets Access denied on New → Folder.
  • Protection Group + snapshots: attached the View to a Protection Group with a recurring snapshot policy (frequency and retention set to requirements). The first snapshot kicks off automatically on Protect.
  • Self-service restore: on Windows clients, snapshots appear as Previous Versions in the folder/file properties — a chronological list of restore points, which users access without touching Cohesity.

outcome

  • Share reachable with no extra credentials for all domain users.
  • Write access constrained to authorized groups — confirmed by a negative test with a non-group user.
  • Self-service restore of historical files via File Explorer → Properties → Previous Versions: zero tickets to the IT team for routine recoveries.
  • Automatic snapshots as per policy: retention and frequency governed centrally by the Protection Group.

constraints

Subnet Allowlist: this is the thing that most often breaks. If the client subnet isn't in the View's allowlist, the share simply doesn't show up — with no clear error message. First line of debugging: always here.

VIP vs UI IP: when the VIPs page is empty, the cluster answers on the UI's own IP — but that's not obvious from standard docs and often leads to mount attempts on wrong IPs.

Windows-dependent feature: "Previous Versions" is natively integrated only in Windows clients. macOS and Linux clients see the share but not the snapshot UI: for them, restore remains a Cohesity-side administrative action.

lessons

  • Delegating write permissions to AD groups (not individual users) keeps the share maintainable long-term: adding a person to the team is an AD change, not a Cohesity change.
  • The "invisible" step for the end user — no popup, no credentials — is what decides success or failure of a production share. The technical part is short, the UX part is everything.
  • Having restore as a self-service function shifts helpdesk load more than any other infrastructural choice. A user who can restore a file by themselves doesn't file a ticket.
  • When diagnosing "share unreachable", the order of checks is: (1) subnet allowlist, (2) AD join still valid, (3) IP the client is hitting, (4) protocols enabled on the View. Almost always it's (1).
matrix-mode · ON