Monday, February 28, 2011

Volume-Based NTFS Quota Management

Quotas can be enabled and configured at the volume level and applied to user and group objects. This is the same quota management included with Windows 2000 Server, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2. Quotas enabled at the volume are calculated based on all files saved to the volume by a particular user who is not part of the server administrators group. Volume quotas can only be enabled on NTFS volumes and cannot be applied to any lower level, such as a subfolder. The key to a successful implementation of quotas on a volume is setting the correct file permissions for the entire volume and its folders, and limiting the data transferred to the volume on an end user's behalf by a third party, such as a desktop or server administrator.

Prior to the release of FSRM, organizations depended on NTFS volume quotas or third-party products to provide their quota storage management capabilities; FSRM has effectively replaced the use of NTFS volume quotas. This section covers NTFS volume quotas only to describe how they work and how they are used; most organizations should consider using FSRM quotas and should avoid using NTFS volume quotas, or both types together, because the two are not complementary to each other.

The quota management features available in the File Server Resource Manager are different from the features included with NTFS volume quotas;


To enable quotas for an NTFS volume, perform the following steps:
1. Log on to the Windows Server 2008 R2 system with an account with administrator privileges.

2. Click Start, click All Programs, click Administrative Tools, and select Server Manager.

3. In the tree pane, double-click the Storage node, and select Disk Management.

4. In the tasks pane, scroll down to locate the desired volume, right-click the volume, and select Properties.

5. Select the Quota tab and check the Enable Quota Management check box.

6. Enter the appropriate quota limit and warning thresholds and decide whether users will be denied write access when the limit is reached.

7. Click OK to complete the quota configuration for the NTFS volume.

8. A window opens, prompting you to confirm the enabling of quotas; click OK to enable the quota and scan the volume to update quota statistics.

9. After you configure quotas, open the properties of the volume, select the Quota tab, and click the Quota Entries button to review the existing quotas based on data already stored on the volume.
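
The same configuration can be scripted, which makes it repeatable and reviewable. The following is an added example, not taken from the book: it uses the WMI classes Win32_QuotaSetting and Win32_DiskQuota from PowerShell, and the volume letter D: and the 5 GB / 4 GB thresholds are assumed values.

```powershell
# Added example: enable and enforce NTFS volume quotas through WMI,
# mirroring the Quota tab settings from steps 5-9.
# Assumptions (not from the original text): volume D:, 5 GB limit, 4 GB warning.
$drive   = 'D:'
$limit   = 5GB
$warning = 4GB

# Win32_QuotaSetting holds the volume-wide values shown on the Quota tab.
# Match with a wildcard because VolumePath ends in one or more backslashes.
$qs = Get-WmiObject -Class Win32_QuotaSetting |
      Where-Object { $_.VolumePath -like "$drive\*" }
if (-not $qs) {
    throw "No quota settings found for $drive (quotas require an NTFS volume)."
}

# State: 0 = disabled, 1 = tracked only, 2 = tracked and enforced
# (enforced = users are denied write access once the limit is reached).
$qs.State                       = 2
$qs.DefaultLimit                = $limit
$qs.DefaultWarningLimit         = $warning
$qs.ExceededNotification        = $true   # log an event when the limit is exceeded
$qs.WarningExceededNotification = $true   # log an event at the warning level
$null = $qs.Put()

# Equivalent of the Quota Entries button: one row per user with data on the volume.
# Status: 0 = OK, 1 = warning level exceeded, 2 = limit exceeded.
$statusText = @{ 0 = 'OK'; 1 = 'Warning'; 2 = 'Exceeded' }

Get-WmiObject -Class Win32_DiskQuota |
    Where-Object { $_.QuotaVolume -like "*DeviceID=`"$drive`"*" } |
    ForEach-Object {
        # User is a WMI reference such as Win32_Account.Domain="X",Name="Y"
        $account = $_.User
        if ($_.User -match 'Domain="([^"]+)",Name="([^"]+)"') {
            $account = '{0}\{1}' -f $Matches[1], $Matches[2]
        }
        New-Object PSObject -Property @{
            Account = $account
            UsedMB  = [math]::Round($_.DiskSpaceUsed / 1MB, 1)
            LimitMB = [math]::Round($_.Limit / 1MB, 1)
            Status  = $statusText[[int]$_.Status]
        }
    } |
    Sort-Object UsedMB -Descending |
    Format-Table Account, UsedMB, LimitMB, Status -AutoSize
```

Run it from an elevated PowerShell session on the file server. Because the volume is only rescanned after quotas are enabled, the entry list can lag for a short time on large volumes.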

Source of Information : Sams - Windows Server 2008 R2 Unleashed (2010)

Thursday, February 24, 2011

Windows Server 2008 R2 Shares - Managing Folder Shares

Folders can be shared on FAT, FAT32, and NTFS volumes. When a folder is shared, as stated earlier, share options can be configured, including the share name, description, share permissions, access-based enumeration, limiting the number of simultaneous connections, the default offline file settings, and BranchCache if the service is already installed on the Windows Server 2008 R2 system. There are many ways to create a share, but to provide the most functionality during the share creation task, administrators should use the Share and Storage Management console located in Server Manager. The Share and Storage Management console can be used to create shares and provision storage, including tasks such as creating volumes on existing Windows disks. To create a new share using the Share and Storage Management console, perform the following steps:
1. Log on to the Windows Server 2008 R2 system with an account with administrator privileges.

2. Click Start, click All Programs, click Administrative Tools, and select Server Manager.

3. Double-click on Roles, and then double-click on File Services.

4. Select Share and Storage Management.

5. In the Actions pane, click Provision Share to invoke the Provision a Shared Folder Wizard.

6. For this example, a new folder called HumanResources will be created and shared on the C: drive. Type c:\HumanResources in the location area, and click Next.

7. A pop-up window opens, stating that the folder does not exist; click Yes to create the folder.

8. On the NTFS Permissions page, select the No, Do Not Change NTFS Permissions option button, and click Next to continue. If desired, click to change the permissions and add the Human Resources department members or security groups to limit access to the share.

9. On the Share Protocols page, select the SMB protocol to share the folder to Windows and other compatible SMB clients, type in the name of the share if the default is not desired, and click Next to continue. If the Services for NFS is installed, the administrator can also enable the NFS protocol for this share by checking the NFS check box and entering a share name.

10. On the SMB Settings page, click the Advanced button to configure the advanced share settings.

11. In the Advanced Settings window, select the User Limits tab to configure the maximum number of connections to the share and check the Enable Access-based Enumeration check box.

12. On the Caching tab, select the No Files or Programs from the Share Are Available Offline option button, and click OK. Because we are sharing a folder that will contain Human Resources data, users should only be able to access the folders and files when connected to the company network and that is why we are disabling caching. Also, due to the secure nature of some Human Resources data, we have also enabled access-based enumeration to ensure that the users who do not have access to the data do not even see the folders or files hosted within the share.

13. Back on the SMB Settings page, click Next to continue.

14. On the SMB Permissions page, select the Administrators Have Full Control; All Other Users and Groups Have Only Read Access option button, and click Next. This permission setting is preferred on some networks to allow administrators to upload new data to the share from the network to simplify administration. If tighter security is required, as would be typical with a Human Resources folder, the administrator can select the users and groups that have custom share permissions and configure the permissions to allow only the network administrators and Human Resources department members access to the share.

15. If the File Server Resource Manager is installed, the Quota Policy page is displayed. On the Quota Policy page, configure the Apply Quota check box as necessary, and click Next to continue.

16. If the File Server Resource Manager is installed, the File Screen Policy page is displayed on the next page. On the File Screen Policy page, configure the Apply File Screen check box as necessary, and click Next to continue.

17. On the DFS Namespace Publishing page, clear the check box, and click Next to continue.

18. On the Review Settings and Create Share page, review the chosen settings and if everything appears correct, click Create to continue.

19. The Confirmation page is displayed to show the results of the share creation. Click Close to complete the share creation.

Using the Share and Storage Management console on Windows Server 2008 R2 systems with the File Server Resource Manager (FSRM) installed enables administrators to fully configure a share’s properties and security settings. That is why no file server should be deployed without the FSRM and why shares should only be created using the Share and Storage Management console.

As a best practice, always define share permissions for every share regardless of the volume format type. When a share is first created using the Share and Storage Management console, the administrator is provided three standard permissions configuration options as well as the ability to customize the permissions. The three preconfigured permissions options use the local Administrators group and the Everyone group for share permissions.

Using any of the three preconfigured settings without customizing permissions might not be acceptable for companies that must adhere to strict security requirements, because the Everyone group can enable guest and anonymous share access and viewing. Even though the guest account and anonymous access are both disabled by default, a best-practice recommendation is to always replace the Everyone group with at least the Authenticated Users, local server Users, or Domain Users group to require authentication before accessing a share.
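
To find shares that still carry the Everyone group in their share permissions, the share ACLs can be read through WMI. The following is an added example, not taken from the book: it uses the Win32_LogicalShareSecuritySetting class, and the function name Get-EveryoneShareAce is hypothetical.

```powershell
# Added example: list share-permission entries granted to the Everyone group.
# Get-EveryoneShareAce is a hypothetical helper name, not a built-in cmdlet.
# Note: administrative shares (C$, ADMIN$, IPC$) have no editable share ACL
# and are not returned by this WMI class.
function Get-EveryoneShareAce {
    $everyoneSid = 'S-1-1-0'   # well-known SID of the Everyone group

    foreach ($setting in @(Get-WmiObject -Class Win32_LogicalShareSecuritySetting)) {
        $result = $setting.GetSecurityDescriptor()
        if ($result.ReturnValue -ne 0) {
            Write-Warning "Could not read the ACL of share '$($setting.Name)' (code $($result.ReturnValue))."
            continue
        }

        $dacl = $result.Descriptor.DACL
        if ($null -eq $dacl) {
            # A missing DACL places no restriction at the share level at all.
            New-Object PSObject -Property @{
                Share = $setting.Name; Type = 'Allow'; Rights = 'Full Control (no DACL)'
            }
            continue
        }

        foreach ($ace in $dacl) {
            if ($ace.Trustee.SIDString -ne $everyoneSid) { continue }

            # Share permissions map to three standard access masks.
            $rights = switch ($ace.AccessMask) {
                2032127 { 'Full Control' }
                1245631 { 'Change' }
                1179817 { 'Read' }
                default { '0x{0:X}' -f $_ }
            }
            # AceType 0 = allow, 1 = deny.
            $type = if ($ace.AceType -eq 1) { 'Deny' } else { 'Allow' }

            New-Object PSObject -Property @{
                Share = $setting.Name; Type = $type; Rights = $rights
            }
        }
    }
}

Get-EveryoneShareAce | Sort-Object Share | Format-Table Share, Type, Rights -AutoSize
```

Each Allow row is a share where Everyone should be replaced with Authenticated Users, the local Users group, or Domain Users, as recommended above.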

Source of Information :  Windows Server 2008 R2 Shares - Managing Folder Shares

Monday, February 14, 2011

Windows Server 2008 R2 Shares - BranchCache

BranchCache is a new feature for Windows Server 2008 R2 and Windows 7. BranchCache allows local workstations in a branch office that has no server to locate and locally store copies of files and folders hosted on remote Windows Server 2008 R2 BranchCache file servers.

When BranchCache is installed on a Windows Server 2008 R2 file server and enabled on a particular file share, a Windows 7 workstation in a remote branch office that requests a file from the file server broadcasts the request on the local network. If no copy exists, it will pull a copy to the local machine. The updates to that file will be sent across the network as changes are made. When the next Windows 7 workstation attempts to access this same file from across the network, the broadcast for that file will be sent on the local network, and in this particular example, the file will be served from the original workstation that copied the file over during the initial request, thus improving access performance to the file and reducing network traffic.

To enable BranchCache on a Windows Server 2008 R2 system, perform the steps in the following sections.


Install the BranchCache Service
Before BranchCache can be utilized, the service must be installed on a Windows Server 2008 R2 system. To install the BranchCache service, perform the following steps:

1. Log on to the Windows Server 2008 R2 system with the File Services Role installed with an account with administrator privileges.

2. Click Start, click All Programs, click Administrative Tools, and select Server Manager.

3. Double-click on Roles in the tree pane to expand the role services. In the tasks pane on the right, scroll down to Role Services until you reach the File Services Role section. Under the File Service Role section, check to see whether the BranchCache for network files is installed.

4. If the service is not installed, click on Add Role Services and follow the steps to check and install the BranchCache for network files service.


Enable BranchCache on a File Share
Once the BranchCache for network files service is installed on the Windows Server 2008 R2 system, the service can be enabled on a share-by-share basis. To enable BranchCache functionality on a particular server share, perform the following steps:

1. Log on to the Windows Server 2008 R2 system with an account with administrator privileges.

2. Click Start, click All Programs, click Administrative Tools, and select Server Manager.

3. Double-click on Roles, and then double-click on File Services.

4. Select Share and Storage Management.

5. In the tasks pane, right-click the share that needs to have BranchCache functionality enabled and select Properties.

6. On the Sharing tab, click the Advanced button.

7. Select the Caching tab, and verify that the Only the Files and Programs That Users Specify Are Available Offline option button is selected. Check the Enable BranchCache check box, and click OK to close the Advanced window.

8. Click OK again to save the settings to the share and close the Server Manager window.

Before BranchCache functionality is enabled, network administrators need to understand the service in greater detail, especially because it is currently only supported on Windows 7 workstations and Windows Server 2008 R2, and any lower-level client will not be able to make use of this feature. In cases where Windows Vista or older clients still exist on remote or branch office networks, administrators should continue to deploy remote file servers with replicated DFS file shares when access to large or numerous files is required.

Source of Information :  Sams - Windows Server 2008 R2 Unleashed (2010)

Tuesday, February 8, 2011

Windows Server 2008 R2 Shares - Client-Side Caching and Offline Files

To provide flexibility for mobile users and to provide centralized storage for end-user data, Windows Server 2008 R2 shares can be configured to allow, enforce, or disable client-side caching of shared server data. Client-side caching (CSC) is a feature that enables data shared on a server to be synchronized between the server and end-user workstations. This enables end users to access data when the server is unavailable or when the workstation is not connected to the company network. This feature also can be used to ensure that any data stored in a synchronized end-user workstation folder is copied to the server for centralized storage and backup and recoverability.

For CSC to function properly, both the workstation and the server must be configured to support it. CSC from the workstation and server side is more commonly referred to as Offline Files. Depending on the workstation operating system version, different synchronization options are available. A common usage of offline files is to couple offline files with a Group Policy setting called Folder Redirection.

Folder Redirection can be used to redirect the end user’s My Documents or Documents folder to a server share. When an end user’s My Documents or Documents folder is redirected to a server share with offline files enabled, enforced or not, the folder is automatically configured to synchronize with the server. This functionality ensures that any file an end user saves to their default documents folder will be copied up to the server during synchronization. The default offline file synchronization settings for Windows 7 and Windows Server 2008 R2 will synchronize with the server at logon, logoff, and when a file is opened or saved. Additionally, synchronization can be configured to run when a computer has been idle or when a user locks or unlocks a workstation.

Offline files can be configured on a per-share basis using the shared folder’s share property page. By default, all shares allow end users to configure offline file synchronization as they desire. Certain folders—for example, the My Documents or Documents folders—when redirected to a Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 system, will automatically enable and configure the folder to be synchronized. To synchronize additional shares, perform the following steps on the server and the workstation:

1. Log on to the Windows Server 2008 R2 system with an account with administrator privileges.

2. Click Start, click All Programs, click Administrative Tools, and select Server Manager.

3. Double-click on Roles, and then double-click on File Services.

4. Select Share and Storage Management.

5. In the tasks pane, right-click the share that needs to be available offline, and select Properties.

6. On the Sharing tab, click the Advanced button.

7. Select the Caching tab, and verify that one of the following option buttons is selected:
» Only the Files and Programs That Users Specify Are Available Offline
» All Files and Programs That Users Open from the Share Are Automatically Available Offline

8. Close the Share Properties dialog box and the Share and Storage Management console.

9. Log on to the Windows 7 workstation with an account with administrator privileges.

10. Click the Windows flag, or Start button, and select Control Panel.

11. Near the upper-right corner of the Control Panel window, pull down the View By menu and choose to view the window by Small Icons instead of Categories.

12. Scroll down in the window as necessary to locate Sync Center and click on the link.

13. When the Sync Center window opens, click on the Manage Offline Files link in the left pane of the window.

14. When the Offline Files window opens, verify that the top button on the General tab is labeled Disable Offline Files, which means that offline file functionality is enabled. If the button is labeled Enable Offline Files, click the button and click OK to save the settings and reboot the workstation.

Source of Information :  Sams - Windows Server 2008 R2 Unleashed

Friday, February 4, 2011

Windows Server 2008 R2 Shares - Access-Based Enumeration

A new sharing feature included with Windows Server 2008 and Windows Server 2008 R2 is called access-based enumeration. Access-based enumeration, when enabled on a share, hides the folders or files within the share from view for users who do not have access to the data. Access-based enumeration, however, does not hide the share itself. This feature can simplify data access for end users as they will only see what they can access, but, on the flip side, users who are collaborating and trying to instruct their co-workers on where to locate the data might be confused when the folders cannot be located.

Source of Information :  Sams - Windows Server 2008 R2 Unleashed

Tuesday, February 1, 2011

Managing Data Access Using Windows Server 2008 R2 Shares

Providing access to data stored on a Windows Server 2008 R2 server can be very simple to configure using Windows shares. Existing folders and entire drives can be shared with a few clicks, but understanding who can access that data is critical to security and, in some cases, licensing. Server shares are accessed using the UNC or Universal Naming Convention of \\server\sharename. Administrators can configure a few different settings when creating or updating shares. Share options or features include the following:

» Determining whether the share will be visible or hidden, based on the share name

» Setting the description of the share

» Configuring the type of share; if Server for NFS is installed, there will be two options

» Configuring the number of simultaneous connections allowed through the share

» Configuring the cache or offline sync settings of the share

» Enabling or disabling BranchCache

» Configuring access-based enumeration to control folder and file visibility based on NTFS permissions

» Configuring NTFS permissions on the folder or volume hosting the file share

» Configuring share permissions to manage whether users can read, change, or have full control over a share

Because sharing can be performed for CD drives, DVD drives, and FAT and NTFS volumes, the configurable share permissions are limited to Full Control, Change, and Read. Full Control permissions allow users to manage all data and to reset permissions. Change allows users to manage all data, and Read allows users only to read the data. Because share permissions are not very granular, folder shares should be created only on NTFS volumes, when possible, to increase the security of data.

When shares are created on NTFS volumes, both the Share and NTFS folder and file permissions are applied to the user. Windows Server 2008 R2 will combine the permissions, and the most restrictive permissions will apply. For example, if a folder located at c:\users is shared and testuser1 is granted Read permission at the share and Change or Modify permissions on the NTFS folder, testuser1 will only have Read permission when accessing the data across the network through the share. If testuser1 logs on to the system console and accesses the c:\users folder directly, testuser1 will have Change or Modify permissions.

Source of Information : Sams - Windows Server 2008 R2 Unleashed