Blog - Title

April, 2010

  • Win2008 R2 BPA Updates Released for April 2010 wave

    Ahoy hoy. The BPA release release cycle has just ticked over once for Windows Server 2008 R2. This means that you can now install – through Windows Update or the Download Center – add-ons that snap into Server Manager and will tell you if you are following MS best practices for your installed roles. Simply install the update, look at the role, and click “scan this role”. After some noodling, BPA will kick out info.

    For example, it appears I stink at running DFSN…


    But I rule at running DFSR!


    Here’s what just shipped:

    • Update for Best Practices Analyzer for HYPER-V for Windows Server 2008 R2
    • Update for Best Practices Analyzer for Network Policy and Access Services for Windows Server 2008 R2
    • Update for Best Practices Analyzer for Active Directory Rights Management Services for Windows Server 2008 R2
    • Update for Best Practices Analyzer for Application Server for Windows Server 2008 R2
    • Update for Best Practices Analyzer for File Services for Windows Server 2008 R2
    • Update for Best Practices Analyzer for DHCP Server for Windows Server 2008 R2
    • Update for Best Practices Analyzer for Windows Server Update Services for Windows Server 2008 R2

    Download them all from here.

    Read more about them all here.

    You need Windows Server 2008 R2 to use any of this stuff, so add it to your list of reasons to upgrade if you haven’t already. More BPA’s coming out when they… come out. Including updates to these existing ones, in theory.

    Hey Mahesh, where’s your post?


    Ned “beat filecab to the punch for once”  Pyle

  • It’s our turn to ask you a question

    Hi. Russell here. Scott and I are in the pre-production stages for a series of AskDS podcasts and video “How To’s.”

    We’d like your input on the content that will help you the most. As an example, we’ve been tasked with providing a video demo of Metadata cleanup. I bet you were not aware that there is a GUI version available, in addition to the tried and true NTDSUtil that we’ve all come to love (sarcasm intentional).

    So how about some ideas on what you want to see and hear? (scratch and sniff not available) What are some of your pain points that you’d like to have addressed by way of a podcast or video “How To?”

    Let us know in our comments section below or by emailing us through our contact form above.


    Russell ”The Spaniard” Despain

  • Friday Mail Sack – I live again edition

    Hello all, Ned here again. After a brief absence, the rocket sled that I use to carry my disembodied head around has brought me back to AskDS headquarters. The coup is over and I have emerged triumphant again. You won’t be hearing from Jonathan until the truth serum wears off.

    So let’s talk some talk.


    There was a tool called ntrights.exe in the Win2003 resource kit tools, but we couldn't find one for Windows Server 2008. I need a command-line based tool to add security privileges for users.


    The ntrights.exe tool still works fine even in Windows Server 2008 R2 and Windows 7 so feel free to use it. You could also use secedit.exe /configure with a custom INF file that added the user rights (good idea Mike). Not to mention group policy – adding privs with the command-line sounds like a lot of extra work to me.


    How much free space is needed for temporary files doing a USMT 4.0 scanstate? I grok that it arbitrarily requires at least 250MB as stated here, but could I need more? I plan to have the store file written to a network drive.


    By default, the USMT temp/working folder is the operator's %TEMP% folder (obviously, this is local to the computer). The full set of files is not gathered here; the store is updated in a serialized fashion directly. The temporary file that USMT 4.0 creates is used purely to track work and back the stores catalog data and non-file data.

    When running scanstate /p the estimator for space figures how big the backing file will get, then adds an additional 1MB of "fudge factor". The binary size of gathered user data files never matters -just the quantity of units to be migrated.

    For example, in a repro I had a Windows 7 client with eight profiles. This created a temporary backing file that was 44MB. Then when I cut the migration down to a single user profile the temporary file was only 9MB. When I added 300+MB of data to my profile (so only 20 files, but each being very big), the temporary space usage estimate did not get appreciably larger.

    <?xml version="1.0" encoding="UTF-8"?>
        <size clusterSize="4096">96075776</size>

    <?xml version="1.0" encoding="UTF-8"?>
        <size clusterSize="4096">425594880</size>

    Also, you can use the USMT_WORKING_DIR override environment variable to make the temporary folder a remote server path. But the migration is going to get much slower. My repro scanstate ran ~2-3 times slower because I had traded fast local I/O for comparatively slow network I/O. That was on gigabit network with no contention. A hard-link migration would be much faster.


    Is there a way to isolate a DC in order to do an AD Schema upgrade? I cannot find any documentation on how to do this.


    Isolating the Schema Master for ADPREP /FORESTPREP is not tested by the Product Group and not recommended*; we intentionally try to block you from this scenario starting in Win2003 SP1. Attempting to do so will return:

    “Adprep was unable to extend the schema.
    The schema master did not complete a replication cycle after the last reboot. The schema master must complete at least one replication cycle before the schema can be extended.
    [User Action]
    Verify that the schema master is connected to the network and can communicate with other domain controllers. Use the Sites and Services snap-in to replicate between the schema operations master and at least one replication partner. After replication has succeeded, run adprep again.”

    This was added back in Win2003 SP1, based on the fact that customers were causing horrendous issues trying to isolate their Schema Master FSMO servers during a migration or never verifying that the Schema master was healthy, then incorrectly (or never) reattaching them to their domain while the now split schemas diverged.

    Our supported and recommended methodology is for you to test the migration in your lab with a copy of your current forest/schema; if there are going to be problems in the schema upgrade, they will happen in your lab. Likewise if there are going to be problems with the Schema itself, they would occur there as well. Prior to upgrading your schema, we recommend that you get a good System State backup on all DC’s; but we recommend you do this every day, not just for Schema upgrades. If there was some irreconcilable issue you could restore your forest from backup using those system states using our forest recovery info here:

    This was an especially excellent question – sometimes we imply through an absence of documentation rather than stating things flat out, unfortunately.

    * And to be clear here , yes it is possible to disable replication temporarily. Older documentation even used to say things like "disconnect your schema master" or "block outbound replication". Newer documentation does NOT, as we now have a decade's worth of experience with customers using those techniques in lieu of proper testing. And dealing with the fallout of that! We've had customers disable the replication then forget to ever turn it back on again; guess what happened after 61 days?

    When the AskDS team says something is possible, it often gets construed as it's recommended and supported. It's not. Testing your schema update in a lab costs nothing thanks to free virtualization products aplently. Do that and you cannot go wrong.


    Do the registry values in KB954968 apply to Windows Server 2008 and 2008 R2 also, in regards to configuring FSRM hard quotas to work with DFSR?


    The registry values still work, yes. But they shouldn’t be as necessary in 2008/2008 R2 DFSR because all of the folders and files that FSRM would count against quota are now under a reparse point. The reparse point will prevent the quota from being enforced in this circumstance.

    So for example, if you set an FSRM quota against c:\condelrf, it would not affect the contents of the c:\condelrf\dfsrprivate folder:


    Because that is actually this reparse point target location:


    So the data in there is not covered for quota. The KB and registry change from 2003 R2 were necessary because back then, dfsrprivate was a real folder under the DFSR replicated folder. When quota was hit there, kaboooooom.

    You still need to make sure that you approach hard quotas with extreme caution though:

    DFSR and FSRM do not really have a good interop story – using them together is not something I’d personally recommend, after many, many support cases fixing the fallout of inappropriately configured hard quotas.


    Finally, some sad news. Our fearless manager Mike O’Reilly - he of the swapped desk and the cubicle tree - has left us for greener pastures. At least as green as pastures get in Newfoundland. Mike is now a director at a large construction firm back on his native island in his pseudo-country we call America’s Hat. In fond memory, here is his email address: I sure hope it doesn’t get crazily inappropriate spam, what with it being out here on the Internet forever.

    That’s all, have a nice weekend folks,


    Ned “image “ Pyle

  • The Case for Migrating SYSVOL to DFSR

    Hello folks, Ned here again. Recently I was asked to provide a technical assessment of the risks of continuing to use the File Replication Service (FRS) and the benefits of migrating to DFSR, all regarding SYSVOL on domain controllers. I thought I’d find a decent set of documentation on TechNet, polish it up and send it along – I was wrong; I had to spend several hours coming up with a complete list.

    Now you can reap the benefits. Hopefully this helps you convince yourself or your management that the time has come to cut the cord on FRS, especially if you have already deployed your Windows Server 2008 DC’s.

    I sure hope you like bullet points!

    The risks and downsides of FRS and SYSVOL

    • FRS code is in maintenance mode, where Microsoft does not accept design change requests or bug fixes except when related to security.The last FRS bug fix update was released in KB939667. It was for Win2003 and nearly 3 years ago; Win2008 has never gotten an FRS bug fix update in its history.
    • Additionally, the FRS component began deprecation starting in Windows Server 2003 R2:  
      • The Microsoft product team stopped investing in FRS in Windows Server 2003 R2, when it was decided to build DFSR and have that replace FRS even for SYSVOL replication
      • DFSGUI.MSC FRS management tool was removed in Win2008
      • FRS component no longer installable in Win2008 R2 except for SYSVOL replication on DC’s
      • FRS component automatically uninstalled during in-place upgrade of Win2008 R2 non-DC’s 
    • FRS scalability and performance are significantly lower than DFSR, especially with frequently modified files, larger data sets, larger files, and slow wide area networks. FRS always replicates an entire file regardless of modification type (i.e. a security change, data change, attribute change, or file name change each replicate the entire file)
    • FRS does not include a public development interface (API or WMI) for monitoring, and it’s interface for management is limited
    • FRS does not have a native, supported health reporting mechanism.
    • FRS does not have a native, supported monitoring solution from Microsoft System Center. Only has legacy unsupported tools like Sonar, Ultrasound, CONNSTAT, etc. with limited MOM 2005 integration
    • FRS has limited performance monitoring counters through PERFMON/ETW
    • FRS does not have a working self-healing system for problems like database corruption,  journal wraps, and morphed folders
    • FRS does not fully support RODC SYSVOL replicas and allows data to become unsynchronized without chance of automatic resynchronization
    • FRS does not support the inter-site change notification flag, leading to artificially slow replication between DC’s in different AD logical sites
    • FRS does not have significant built-in instrumentation (debug logs, event logs) for troubleshooting and debugging

    The improvements and upsides to DFSR and SYSVOL

    • DFSR code is in active development with full product DCR and QFE support. Hotfixes for feature improvements as well as bug fixes are regularly released and also integrated into new Service Packs.
    • DFSR scalability and performance are designed to be superior to FRS. This includes:
      • Ability to replicate partial file changes using RDC (block-level delta replication) rather than entire files
      • Support for cross-file RDC that can construct new files from similar files, rather than replicating the new file over the wire (when using Enterprise edition)
      • A more efficient file compression on staged files
      • The number of files that can be replicated inbound and outbound simultaneously is significantly increased
      • Support for unstable and slow networks with asynchronous RPC
      • Support for more efficient OS kernel mechanisms introduced in Win2008 like unbuffered I/O, low priority I/O, and asynchronous I/O’s
      • No staging of smaller files (<=64KB by default)
      • Staging compression can be controlled on a per-file type basis
      • Scalable to a supported (not hard) limit of 10 terabytes of data. Although if you have 10TB in SYSVOL, you are doing it wrong buddy.
    • DFSR has a public interface (using WMI/DCOM) managing and monitoring all aspects of DFSR, including backlog (and files currently on the wire in Win2008 R2).  It also includes command-line tools that give feature parity with the GUI management tools
    • DFSR has a native, supported health reporting mechanism that is available through the GUI or command-line and generates HTML/XML outputs
    • DFSR has several releases of native, supported monitoring solutions from Microsoft System Center via management packs. The new Win2008 R2 File Services MP is also in final stages of beta
    • DFSR has more complete performance monitoring counters through PERFMON/ETW
    • DFSR has a self-healing system for problems like database corruption or journal wraps. Due to improved replication performance and the ability to enable content freshness protection, it is also very unlikely to ever see a journal wrap in the first place. DFSR also does not create morphed folders like FRS and instead uses a conflict resolution algorithm
    • DFSR supports RODC SYSVOL replicas and does not allow SYSVOL’s to remain out of sync in Win2008. In Win2008 R2 originating I/O in SYSVOL is completely blocked with a filter driver on RODC’s
    • DFSR  - while it does not directly support the AD DS inter-site change notification flag – always replicates SYSVOL immediately and continuously with its own internal change notification as long as the schedule is open; these scheduled windows are in 15 minute blocks and are assigned on the AD DS connection objects. If the current time matches an open block, you replicate continuously (as fast as possible, sending DFSR change notifications) until that block closes. If the next block is closed, you wait for 15 minutes, sending no updates at all. If that next block had also been open, you continue replicating at max speed.
    • DFSR has significant built-in instrumentation for troubleshooting and debugging, including considerable event logging and a large number of highly verbose debug logs (1000 debug logs maintained under compression by default in Win2008 R2, at the second to highest level of verbosity by default)

    A table

    Here’s a different way of looking at it, as I know executives love their matrices:




    Reliable, fast, scalable, and continually improving



    Is deader than fried chicken



    Now go migrate. For most customers it will be a few hours of work. Your manager may not even have time to buy you lunch on a Saturday.

    Stay tuned for another article about the benefits of using FRS. Its title will be “the shortest blog post ever written” and will contain only a picture of my dogs eating their toys. Here’s a preview.


    A special thanks to Mahesh from the DFSR product team for his timely review and contributions to this write up. You rock dude.

    Until next time,

    Ned “nom nom nom” Pyle

  • Friday Mail Sack – Marshmallow Bird Edition

    Hi there intarwebz, Ned here. Hopefully you’re at home right now filling up the basket with Peeps for the kids. For those that aren’t, here are this week’s interesting questions from our readers and fellow employees.


    I am looking for a newer set of information on Active Directory’s LDAP V3 compliance. This old document is good but it was written when the LDAP V3 RFC was still in review by the IETF. Is there something more up to date I can use to fight the good fight?


    You bet, and boy did we bury it. If you go into MSDN –> Open Specifications –> Windows Protocols –> Windows Communication Protocols –> [MS-ADTS] –> Details –> Common Details –> 3.1.1 Abstract Data Model –> LDAP –> LDAP Conformance you will find:

    Which states in robot lawyer talk:

    “The purpose of this section is to document how the implementation of Active Directory DCs interprets the LDAPv3 RFCs, including differences from those RFCs. Except as noted in the following subsections, Active Directory is compliant to [RFC3377]. All error codes returned by Active Directory are taken from the resultCode enumeration of the LDAPResult structure defined in [RFC2251] section 4.1.10.”

    It covers Win2000, 2003, Win2008, and Win2008 R2 and specifically goes into details of compliance. We also have extended LDAP for AD purposes so we have extra functionality not mandated by the RFC’s.

    Enjoy your nap.


    I have a Java application that cannot retrieve data from a constructed attribute. Does anything need to be changed in AD to allow this to work?


    If DSA.MSC, ADSIEDIT.MSC, LDP.EXE, LDIFDE.EXE, CSVDE.EXE, Get-AdObject, Joeware tools, DC's, Clients, Users, and the rest of the kitchen sink can all read it, nothing needs to be done with AD. Something needs to be done with the Java code. :-) This is the first thing we hammer into the heads of new engineers here in AD Support – validate with known quantity tools.


    Is there any good reason to turn on the “Disable machine account password change” security policy when computers are on a LAN and on all the time?


    Officially, we do not recommend disabling the password changes, just like it says in the Explain tab in policy editor.


    However, if you:

    • Restore a 31+ day old system state backup
    • Change the computer account password more than once with NLTEST and then restore a system state backup

    … then the computer would have to be rejoined to the domain. Not having the password change ever would prevent this.

    A computer account password getting brute forced is extremely unlikely (it’s ridiculously complex) so having it change every 30 days is mostly paranoia on our part. It is far easier – and thus more likely - that the machine itself gets owned without knowledge of the password, just through a careless user with admin rights or an un-patched security bug elsewhere; having the password change every 30 days would not save you in that scenario.

    Again though: officially not recommended. Especially since if your only downside is rejoining the computer to the domain after restoring it from backup. Not exactly the end of the world.


    How do I know if the Windows Server 2008-related content is updated on the TechNet? Any other ways can I get updates or alerts via email when the content has been updated ??


    I hope you have a couple terabyte storage arrays lying around, you are looking to get updates from one of the busiest websites in the world. :-) There is no “alert me when TechNet is updated” option, but Craig and his TechNet Wiki pals came up with an interesting way to get this in a “lite” fashion through RSS:

    1. Go to and search for something broad that you are interested in, like: Windows Server 2008 R2 DFSR


    2. This returns a boatload of hits as you might expect. You then refine that into “documentation and articles”. Note though that there’s a little RSS nubbin’ here:


    3. If you subscribe to that, you can see new content for those displayed topics when changed.  Nifty.


    Wooo, and check this out:


    Once you install that federated search connector in your Windows 7 client, now you get:



    Oh. Em. Gee. That’s cool. We also have one for MSDN.


    Web 2.0 is so yesterday. Full client search within Windows Explorer is the future! :-D

    Final note

    There will not be a Friday Mail Sack next week as I am off to see the Cubs play the Braves in Atlanta on Thursday, and making a weekend of it. For our British, Indian, and Australian readers, baseball is defined as “A cricket-like game that does not take a month to play and does not involve cardigan sweaters”.

    Come by and say hi!


    - Ned “theriot” Pyle

  • New Directory Services KB Articles/Blogs 3/28-4/3



    A domain user account that has a blank password cannot be used to authenticate against Microsoft SharePoint Server 2010 or against Windows Live SkyDrive


    Best practices around Active Directory Authoritative Restores in Windows Server 2003 and 2008

    Tuning replication performance in DFSR (especially on Win2008 R2)

    Friday Mail Sack – Marshmallow Bird Edition

    Enabling CEP and CES to enroll non-domain joined computers for certificates

    Some RODC-related queries you’ll probably need some day

    TechNet topic about how to upgrade domain controllers to Windows Server 2008 R2

    New location for topic about Active Directory functional levels and features

    Windows Server 2008 R2 to Phase Out Itanium

    Five mistakes to avoid when deploying Hyper-V virtual machines

    How to Disable BitLocker Drive Encryption Fixed Data Drive Read-Only Policy Using GPO

    AdminSDHolder confusion and admin actions

    Windows Server 2008 R2 + Xeon 7500 = Lightning Fast Performance with Mission-Critical Reliability

    New Networking-related KB articles for the week of March 21 – March 27

    Windows Remote Desktop Services spotlight

    Developing an Active Directory Forest Recovery Plan

    High Impact Issue: Servers may become unresponsive due to multiple issues

    Event 17 – Certificate Corruption on Terminal Services/Remote Desktop License Servers

    Changes to Windows 2008 LDAP limits

    Windows Activation in Development Environments

    Where is my (AD) web service?

    Access Denied Error 0x80070005 message when initializing TPM for Bitlocker

    Perfmon: Identifying processes by PID instead of instance

    PowerShell Quick Start on Server Core R2

    File Classification Infrastructure in Windows Server 2008 R2 - Capabilities

    Powershell OU Shadow Script

    Group Policy Setting of the Week 20 – Exclude File form being cached

  • Friday Mail Sack – While the Ned’s Away Edition

    Hello Internet! Last week, Ned said there wouldn’t be a Mail Sack this week because he was going to be out of town. Well, the DS team was sitting around during our “Ned is out of our hair for a few days” party and we decided that since this is a Team Blog after all, we’d go ahead and post a Friday Mail Sack. So even though the volume was a little light this week, perhaps due to Ned’s announcement, we put one together all by ourselves.

    So without further ado, here is this week’s Ned-less Mail Sack.

    Certificate Template Supersedence

    Q: I’m using the Certificate Wizard in OCS to generate a certificate request and submit it to my Enterprise CA. My CA isn’t configured to issue certificates based on the Web Server template, but I have duplicated the Web Server template and modified the settings. My new template is configured to supersede the Web Server template.

    The request fails. Why doesn’t the CA issue the certificate based on my new template if it supersedes the default Web Server template?

    A: While that would be a really cool feature, that’s not how Supersedence works. Supersedence is used when you want to replace certificates that have already been issued with a new certificate with modified settings. In addition, it only works with certificates that are being managed by Windows Autoenrollment.

    For example, the Administrator has enabled Autoenrollment in the Computer Configuration of the Default Domain Policy:


    Further, the Administrator has granted the Domain Computers group permission to Autoenroll for the Corporate Computer template. Appropriately, every Windows workstation and member server in the domain enrolls for a certificate based on this template.

    Later, the Administrator decides that she needs to update the template in some fashion – add a new certificate purpose to the Enhanced Key Usage, change a key option, whatever. Our intrepid Admin duplicates her Corporate Computer template and creates a new Better Corporate Computer template. In the properties of this new template, she adds the now obsolete Corporate Computer template to the Superseded Templates list.


    The Admin clicks Ok to commit the changes and then sits back and waits for all of the workstations and member servers in the domain to update their certificate. So how does that work, exactly?

    On each workstation and member server, the Autoenrollment server wakes up about every 8 hours and checks to see if it has any work to do. As this occurs on each Windows computer, Autoenrollment determines it is enabled by policy and so checks Active Directory for a list of templates. It discovers that there is a new template for which this computer has Autoenrollment permissions. Further, this new template is configured to supersede the template a certificate it already has is based upon.

    The Autoenrollment service then archives the current certificate and enrolls for a new certificate based on the superseding template.

    In summary, supersedence doesn’t change the behavior of the CA at all, so you can’t use it to control how the CA will respond when it receives a request for a certain template. No, supersedence is merely a hint to tell Autoenrollment on the client that it needs to replace an existing certificate.

    Active Directory Web Services

    Q: I’m seeing the following warning event recorded in the Active Directory Web Services event log about once a minute.

    Log Name:      Active Directory Web Services
    Source:        ADWS
    Date:          4/8/2010 3:13:53 PM
    Event ID:      1209
    Task Category: ADWS Instance Events
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Active Directory Web Services encountered an error while reading the settings for the specified Active Directory Lightweight Directory Services instance.  Active Directory Web Services will retry this operation periodically.  In the mean time, this instance will be ignored.
    Instance name: ADAM_ContosoAddressbook

    I can’t find any Microsoft resources to explain why this event occurs, or what it means.

    A: Well…we couldn’t find any documentation either, but we were curious ourselves so we dug into the problem. It turns out that event is only recorded if ADWS can’t read the ports that AD LDS is configured to use for LDAP and Secure LDAP (SSL). In our test environment, we deleted those values and restarted the ADWS service, and sure enough, those pesky warning events started getting logged.

    The following registry values are read by ADWS:

    Key: HKLM\SYSTEM\CurrentControlSet\Services\<ADAM_INSTANCE_NAME>\Parameters
    Value: Port LDAP
    Type: REG_DWORD
    Data: 1 - 65535 (default: 389)

    Key: HKLM\SYSTEM\CurrentControlSet\Services\<ADAM_INSTANCE_NAME>\Parameters
    Value: Port SSL
    Type: REG_DWORD
    Data: 1 - 65535 (default: 636)

    Verify that the registry values described above exist and have the appropriate values. Also verify that the NT AUTHORITY\SYSTEM account has permission to read the values. ADWS runs under the Local System account.

    Once you've corrected the problem, restart the ADWS service. If you have to recreate the registry values because they've been deleted, restart the AD LDS instance before restarting the ADWS service.

    Thanks for sending us this question. We’ve created the necessary internal documentation, and if we see more issues like this we’ll promote it to the Knowledge Base.

    Final Note

    Well…that’s it for this week. Please keep posting your comments, observations, topic ideas and questions. And fear not, Ned will be back next week.

    Jonathan “The Pretender” Stephens

  • New Directory Services KB Articles/Blogs 4/4-4/10



    System state backup error in Windows Server 2008 and in Windows Vista: "Enumeration of the files failed"


    Enabling CEP and CES to enroll non-domain joined computers for certificates

    Friday Mail Sack – While the Ned’s Away Edition

    Group Policy Setting of the week 22 – Enable Transparent Caching (Offline Files)

    AD WS diagnostic logging

    Other places to find good information

    Configuring Remote Desktop certificates

    Windows 7 Security Just Got Easier: Download the Security Compliance Manager

    Active Directory Domain Services Command Fu, Part 3

    Manage Remote Desktop Licensing by using Windows PowerShell

    New resources to help business customers deploy Windows 7

    New Networking-related KB articles for the week of March 28 – April 3

    How to remove imported Internet Explorer Group Policy Settings

    Microsoft Desktop Player This has potential !

    How to backup recovery information in AD after Bitlocker is turned ON in Windows 7

    Dedicated Dump File for Windows Vista or Windows Server 2008

    Common Engineering Criteria Website Re-Launches

    Office Parsers Available

    Microsoft pulls the plug on future Itanium support

    How to use Group Policy to make Windows 7 90% more secure

    Group Policy Setting of the week 21 – Configure Background Sync (offline files)