
MCSA (70-410)

Configure Server Roles and Features


New/Updated Features for File and Storage Services in Windows Server 2012 and Windows Server 2012 R2

| Feature | Description | Server 2012 | Server 2012 R2 |
|---|---|---|---|
| File Server Resource Manager (FSRM) | Limiting the amount of space used by users; restricting the types of files being saved; monitoring the amount of storage used | X | X |
| Data Deduplication | Reduces the amount of duplicate blocks of data in storage | X | X |
| Services for Network File System (NFS) | Enables file sharing among servers running Windows and UNIX | X | X |
| Support for Resilient File System (ReFS) | Combined with the new Storage Spaces feature, ReFS provides a highly available, scalable, and resilient data access system for modern information storage needs | X | X |
| Server Message Block (SMB) 3.0 | Network file sharing protocol | X | X |
| Storage Manager for SANs | Creating and managing physical and logical storage solutions pertaining to storage area networks (SANs); includes Fibre Channel and iSCSI disk drive subsystems | X | X |
| Share and Storage Management | Facilitates administration of shared resources; includes Access-Based Enumeration (ABE) | X | X |
| Storage Pools and Storage Spaces | A storage pool can be divided into one or more Storage Spaces using virtual disks | X | X |
| Windows Search Service | Indexes files and folders to facilitate rapid searching by users when connecting to shared folders | X | X |
| Transactional NTFS | Enables sequential operations on a file volume running NTFS to be performed as a single transaction | X | X |
| Work Folders | Enables users to store and access work data on personal computers, tablets, smartphones, and other devices, and access this data in a consistent manner | | X |
| iSCSI Target Server | Provides block storage to other servers and applications on the network | X | X |
Share Folder
Types of Folder Share

| Share type | Description |
|---|---|
| SMB Share – Quick | Uses SMB to provide basic file sharing with shared folder and NTFS permissions. This is the default sharing option. |
| SMB Share – Advanced | Adds access to services provided by File Server Resource Manager to the basic SMB sharing protocol, including configuration of folder owners for access-denied assistance, default classification of data, and the enabling of quotas. |
| SMB Share – Applications | Enables sharing settings used by Hyper-V, certain databases, and many other applications. |
| NFS Share – Quick | NFS is a file sharing protocol used when sharing files with UNIX servers. This option includes basic sharing permissions. |
| NFS Share – Advanced | Adds access to services provided by File Server Resource Manager to the basic NFS sharing protocol, similar to those mentioned for advanced SMB sharing. |
SMB (Server Message Block)
Originally designed by IBM
- Additional features added by Microsoft
CIFS (Common Internet File System)
- A dialect of SMB
SMB 2.0 introduced in Windows Vista
- Reduced chattiness of the protocol
SMB 3.0 introduced in Windows 8/2008 R2
- Additional functionality and improvements

NFS (Network File System)


Developed originally by Sun
Released as version 2
Version 3 included additional features
- 64-bit support, files larger than 2 gigabytes
Version 4
- Performance and security improvements
Share Settings

| Setting | Description |
|---|---|
| ABE (Access-Based Enumeration) | Prevents users from seeing files and folders they do not have permission to access |
| Caching of Share | Enables offline users to access the contents of this share |
| BranchCache | Enables BranchCache servers to cache files accessed from this share |
| Encrypt Data Access | Causes the server to encrypt remote file access to this share |
Network and Sharing Center to Configure File Sharing
Advanced Share Settings

| Setting | Description |
|---|---|
| Network discovery | Enables the computer to locate other computers and devices on the network. |
| File and printer sharing | Enables the Standard Folder Sharing model, thereby allowing others on the network to access shared files on your computer and print from printers attached to your computer. |
| Public folder sharing | Allows others on the network to access files in the Public folders of each Windows library (Documents, Pictures, Videos, and Music). This is a simplified folder sharing model that is not normally used on a server-based computer. |
| Password protected sharing | Increases security by limiting access to shared files and printers to only those who have a user account and password on your computer. |
Permission systems

Share permissions: Control access to folders over a network. To access a file over a network, a user must have appropriate share permissions (and appropriate NTFS permissions if the shared folder is on an NTFS volume).

NTFS permissions: Control access to the files and folders stored on disk volumes formatted with the NTFS file system. To access a file, either on the local system or over a network, a user must have the appropriate NTFS permissions.

Basic and advanced permissions

The NTFS permission system has 14 advanced permissions that you can assign to a folder or file, and six basic permissions, each of which is a combination of several of the 14 advanced permissions.

Allowing and denying permissions

Additive: Start with no permissions and then grant Allow permissions to individual security principals to give them the access they need.
Subtractive: Start by granting all possible Allow permissions to individual security principals, giving them full control over the system element, and then grant them Deny permissions for the access you don't want them to have.
Inheriting permissions
Permission inheritance means that parent elements pass their permissions down to their
subordinate elements.

Turn off inheritance When you assign advanced permissions, you can configure an ACE not to
pass its permissions down to its subordinate elements. This effectively blocks the inheritance
process.
Deny permissions When you assign a Deny permission to a system element, it overrides any
Allow permissions that the element might have inherited from its parent objects.

Understanding effective access


The combination of Allow permissions and Deny permissions a security principal receives for a given system
element, whether explicitly assigned, inherited, or received through a group membership, is called the
effective access for that element.

Allow permissions are cumulative. When a security principal receives Allow permissions from more than one
source, the permissions are combined to form the effective access permissions.
Deny permissions override Allow permissions. When a security principal receives Allow permissions, whether
explicitly, by inheritance, or from a group, you can override those permissions by granting the principal Deny
permissions of the same type.
Explicit permissions take precedence over inherited permissions. When a security principal receives
permissions by inheriting them from a parent or from group memberships, you can override those permissions
by explicitly assigning contradicting permissions to the security principal itself.
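The three rules above are easiest to see in operation on a concrete ACL. The following PowerShell function is an added example, not part of the original course material: it models how Windows derives effective access from an ACL for one user's token. Windows reconciles "Deny overrides Allow" with "explicit takes precedence over inherited" by evaluating ACEs in canonical order (explicit Deny, explicit Allow, inherited Deny, inherited Allow); the first ACE that matches both a principal in the token and the requested right decides that right. All principals, groups and ACEs below are constructed for illustration.

```powershell
# Added example: a model of effective-access evaluation, not a Windows API.
# ACEs are hashtables with Principal, Type ('Allow' or 'Deny'), Rights (string array)
# and Inherited (boolean). Principals and rights are constructed sample values.

function Get-EffectiveAccess {
    param(
        [Parameter(Mandatory)] [string]   $User,
        [string[]]                        $Groups = @(),   # memberships carried in the access token
        [Parameter(Mandatory)] [object[]] $Acl,
        [string[]]                        $Rights = @('Read', 'Write', 'Delete', 'ChangePermissions')
    )
    $token = @($User) + $Groups

    # Canonical order: explicit before inherited, Deny before Allow within each group.
    $ordered = $Acl | Sort-Object -Property `
        @{ Expression = { if ($_.Inherited) { 1 } else { 0 } } },
        @{ Expression = { if ($_.Type -eq 'Deny') { 0 } else { 1 } } }

    $effective = [ordered]@{}
    foreach ($right in $Rights) {
        $decision = 'Deny'                       # no matching Allow ACE means no access
        foreach ($ace in $ordered) {
            if ($token -notcontains $ace.Principal) { continue }
            if ($ace.Rights -notcontains $right)    { continue }
            $decision = $ace.Type                # first match in canonical order wins
            break
        }
        $effective[$right] = $decision
    }
    return $effective
}

# Constructed sample ACL on a folder. The two inherited ACEs come from the parent folder;
# the two explicit ACEs were assigned directly on this folder.
$sampleAcl = @(
    @{ Principal = 'CONTOSO\Finance';  Type = 'Allow'; Rights = @('Read', 'Write'); Inherited = $true  }
    @{ Principal = 'CONTOSO\Finance';  Type = 'Deny';  Rights = @('Delete');        Inherited = $true  }
    @{ Principal = 'CONTOSO\alice';    Type = 'Allow'; Rights = @('Delete');        Inherited = $false }
    @{ Principal = 'CONTOSO\Auditors'; Type = 'Deny';  Rights = @('Write');         Inherited = $false }
)

# alice is a member of both groups, so her token matches every ACE above.
Get-EffectiveAccess -User 'CONTOSO\alice' -Groups 'CONTOSO\Finance', 'CONTOSO\Auditors' -Acl $sampleAcl
```

Reading the result against the rules: Read is granted by the inherited Finance Allow (cumulative allows); Write is refused because the explicit Auditors Deny is evaluated before the inherited Finance Allow; Delete is granted because alice's explicit Allow is evaluated before the inherited Finance Deny; ChangePermissions is refused because no ACE grants it. The Effective Access tab in File Explorer performs the same evaluation against the real ACL and group memberships.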
What is a Security Principal?
An entity that can be authenticated.
Summary
Security Identifier (SID)
- Unique number
- Used in Access Control Entries (ACEs)
- Multiple ACEs form an Access Control List (ACL)
Access Token
- Created when authentication occurs
- Mathematically time consuming to create
- When memberships change, it must be recreated
- The user must log off and log back in again
Shared Folder Options

| Option | Description |
|---|---|
| Share this folder | Click to start sharing the folder. |
| Share name | This is the folder name that remote users will employ to connect to the share. It will appear in a user's File Explorer window, or the user can access it by typing \\computername\sharename at the Run command or in the address bar of an Explorer window. |
| Comments | This information is optional and identifies the purpose or contents of the shared folder. The comment appears in the Map Network Drive dialog box when remote users are browsing shared folders on a server. |
| User limit | This sets the number of remote users who can connect to a shared resource simultaneously, reducing network traffic. For Windows Server 2012 R2, the limit is set to 77216 by default. |
| Permissions | Permissions can be assigned to individual users, groups, or both. |
| Caching | Enables offline access to a shared folder. |
Share Permission (Basic Permission)

| Permission | Description |
|---|---|
| Full Control | Users are allowed to perform any task on the folder or its constituent files, including modifying their individual attributes and permissions used by others accessing them. |
| Change | Users are allowed to view and modify files but not change the attributes of the shared folder itself. This is equivalent to Read/Write, as described earlier in this section. |
| Read | Users are allowed to view but not modify files. |
Mapping a Drive
Mapping a network drive means associating a shared folder on another computer with a drive letter available on your computer.

Mapping a Drive Settings

• Drive Letter [ E: ]
• Folder Path [ E:\Shared Folder ]

| Option | Description |
|---|---|
| Reconnect at sign-in | This option is enabled by default and creates permanent connections. It reconnects the user to the shared folder each time the user logs on unless the user manually disconnects from the resource. |
| Connect using different credentials | This option enables you to connect to a shared folder using a different user account. This option is useful if you are at another user's computer and need to connect to a resource to which the currently logged-in user does not have the appropriate access. |
net share Command to Manage Shared Folders

| Parameter | Description |
|---|---|
| /users:number | Specifies the maximum number of users who can access the shared resource at the same time. Specify unlimited to allow the licensed limit of users. |
| /cache:option | Enables offline caching as discussed in the next section, according to the value of option: Documents (automatic reintegration of documents), Programs (automatic reintegration of programs), Manual (manual reintegration), None (advises the client that caching is inappropriate). |
| /delete | Stops sharing the specified resource. |
| /remark:"text" | Adds a descriptive comment. Enclose the comment (text) in quotation marks. |
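The following PowerShell session is an added example, not part of the original course material. It ties together the Share Settings table, the basic share permissions, the Mapping a Drive options and the net share parameters above: it creates a share with net share, removes it, then recreates the same share with New-SmbShare to set the options net share cannot (ABE and SMB encryption) and assigns Full/Change/Read share permissions. The folder path, share name, server name and group names are constructed.

```powershell
# Added example: share creation with net share and with the SmbShare module.
# Path, share name and the CONTOSO\... groups are constructed placeholders.

$Path  = 'E:\Projects'
$Share = 'Projects'
if (-not (Test-Path -Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }

# --- Legacy tool: net share with /users, /cache and /remark ---
# --% passes the rest of the line to net.exe untouched, so the quoted remark survives.
net share --% Projects=E:\Projects /users:25 /cache:manual /remark:"Project documents"
net share Projects                    # shows Path, Remark, Maximum users and Caching
net share Projects /delete            # stop sharing before recreating it below

# --- Same share via New-SmbShare, adding the settings from the Share Settings table ---
$shareParams = @{
    Name                  = $Share
    Path                  = $Path
    Description           = 'Project documents'
    ConcurrentUserLimit   = 25                 # /users:25 equivalent; 0 means no limit
    CachingMode           = 'Manual'           # "Only the files and programs that users specify"
    FolderEnumerationMode = 'AccessBased'      # ABE: hide items the caller cannot read
    EncryptData           = $true              # SMB 3.0 encryption for this share only
}
New-SmbShare @shareParams

# Basic share permissions (Full Control / Change / Read). New-SmbShare grants Everyone
# Read by default; replace that with group-based entries. NTFS permissions still apply
# on top of these when the user reaches the file system.
Revoke-SmbShareAccess -Name $Share -AccountName 'Everyone' -Force
Grant-SmbShareAccess  -Name $Share -AccountName 'CONTOSO\ProjectAdmins' -AccessRight Full   -Force
Grant-SmbShareAccess  -Name $Share -AccountName 'CONTOSO\ProjectUsers'  -AccessRight Change -Force
Grant-SmbShareAccess  -Name $Share -AccountName 'CONTOSO\Auditors'      -AccessRight Read   -Force

# Verify what was configured
Get-SmbShare -Name $Share |
    Format-List Name, Path, ConcurrentUserLimit, CachingMode, FolderEnumerationMode, EncryptData
Get-SmbShareAccess -Name $Share | Format-Table AccountName, AccessRight, AccessControlType

# --- On a client: "Reconnect at sign-in" (-Persist) and "Connect using different
# credentials" (-Credential) from the Mapping a Drive table. FS01 is a placeholder server.
# New-PSDrive -Name P -PSProvider FileSystem -Root "\\FS01\$Share" -Persist -Credential (Get-Credential)
```

Get-SmbShare is the quickest way to audit the three security-relevant settings across a server: any share that reports FolderEnumerationMode of Unrestricted exposes names of files the caller cannot open, and any share with EncryptData of False carries its traffic in the clear unless encryption is enabled server-wide with Set-SmbServerConfiguration.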
Offline Files
• The Offline Files feature in Windows Server 2012, Windows Server 2012 R2, Windows 8, and Windows 8.1 originated with Windows 2000 and XP. This feature enables a user to access and work with files and folders stored on a network share when the user is disconnected from that share.
• Offline files are stored on the local computer in a special area of the hard drive called a cache. More specifically, this is located at %systemroot%\CSC, where CSC stands for client-side caching.
• By default, this cache takes up 10 percent of the disk volume space.
Offline Files
Introduced in Windows 2000
Also referred to as client-side caching
The user can decide which files to make available offline

Features of Offline Files

• Sync Center works in the background
• Slow-link mode
• Transparent caching
• Supports BranchCache
• The offline cache can be encrypted using EFS
• Always available offline mode (added in Windows Server 2012 R2 and Windows 8.1)
Offline Files settings

| Setting | Description |
|---|---|
| Only the files and programs that users specify are available offline | Requires that a user connecting to the share specifically indicate the files to be made available for caching. This is the default setting. |
| Enable BranchCache | Enables computers in a branch office to cache downloaded files and then securely serve these files to other branch office client computers. |
| No files or programs from the shared folder are available offline | Effectively disables the Offline Files feature. |
| All files and programs that users open from the shared folder are automatically available offline | Makes every file in the share available for caching by a remote user. When a user opens a file from the share, the file is downloaded to the client's cache and replaces any older versions of the file. |
| Optimize for performance | Enables expanded caching of shared programs so that users can run them locally, thereby improving performance. Note that this option does not provide any enhancement for client computers running Windows Vista or newer. |
Offline File Policies

Computer Configuration\Policies\Administrative Templates\Network\Offline Files

| Policy | Description |
|---|---|
| Specify administratively assigned Offline Files | Specifies network files and folders that are always available offline. Type the UNC path to the required files. |
| Configure Background Sync | Enables you to control synchronization of files across slow links. You can configure sync interval and variance parameters, as well as blackout periods when sync should not occur. |
| Limit disk space used by Offline Files | When enabled, limits the amount of disk space in MB used to store offline files. |
| Allow or Disallow use of the Offline Files feature | Determines whether users can enable Offline Files. When enabled, Offline Files is enabled and users cannot disable it; when disabled, Offline Files is disabled and users cannot enable it. |
| Encrypt the Offline Files cache | When enabled, all files in the Offline Files cache are encrypted. |
| Remove "Make Available Offline" command | Prevents users from making network files and folders available offline. Even when enabled, Windows still caches local copies of files on network shares that are designated for automatic caching. |
| Remove "Make Available Offline" for these files and folders | Enables you to specify the UNC path to shared files and folders for which you want to block the Make Available Offline command. |
| Enable Transparent Caching | Controls caching of offline files across slow links. You can specify a network latency value above which network files are temporarily cached. More about this policy in the next section. |
| Configure slow-link mode | Controls background synchronization across slow links and determines how network file requests are handled across slow links. |
| Configure Slow link speed | Specifies the threshold link speed value below which Offline Files considers a network connection to be slow. Specify the value in bits per second divided by 100; for example, specify 1280 for a threshold of 128,000 bps. |
Work Folders

Work Folders is a new role service within File and Storage Services in Windows Server 2012 R2 that enables users to automatically and seamlessly synchronize work-related documents with a file server.

The following are functionalities included with Work Folders:

| Functionality | Description |
|---|---|
| Work Folders role service | Enables you to set up shared folders that store work data on a Windows Server 2012 R2 computer. You can also monitor data being stored and manage sync shares and user access. |
| Work Folders PowerShell cmdlets | Includes a comprehensive set of cmdlets for managing Work Folders on Windows Server 2012 R2 computers. |
| Integration with client computers | Provides Work Folders functionality on computers and devices running Windows 8.1 or Windows RT 8.1. Included is a Control Panel applet that sets up and monitors Work Folders, integration with File Explorer, and a sync engine that facilitates file transfer with the file server. |
| Work Folders app for devices | Apps are currently in development that will enable popular devices such as iPads and Android to access information stored in Work Folders. |
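As an added example of the Work Folders cmdlets mentioned above (not part of the original course material), the following installs the role service and creates one sync share with the two device-side protections that matter most when work data leaves the server: encryption of the synced copy and a mandatory lock-screen password. The path, share name and group name are constructed.

```powershell
# Added example: Work Folders role service and a sync share with device protection required.
# 'E:\WorkFolders', the share name and CONTOSO\WorkFolderUsers are constructed placeholders.

Install-WindowsFeature -Name FS-SyncShareService -IncludeManagementTools

$syncParams = @{
    Name                    = 'WorkFolders'
    Path                    = 'E:\WorkFolders'               # per-user subfolders are created here
    User                    = 'CONTOSO\WorkFolderUsers'      # security group permitted to sync
    RequireEncryption       = $true    # synced data is encrypted on the device
    RequirePasswordAutoLock = $true    # device must have a lock-screen password and auto-lock
}
New-SyncShare @syncParams

# Confirm the policies took effect on the share
Get-SyncShare -Name 'WorkFolders' |
    Format-List Name, Path, User, RequireEncryption, RequirePasswordAutoLock
```

Both policies are enforced by the client: a device that cannot satisfy them is refused sync rather than receiving the data unprotected, which is the property to check for when reviewing an existing deployment with Get-SyncShare.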
Volume Shadow Copy Service

Volume Shadow Copy Service (VSS) creates point-in-time copies, known as snapshots, of user files located on server shares. With just a few clicks, users can roll back to previous versions of the files.

• Lower administrative overhead: VSS empowers users with the ability to recover previous versions of their files.
• Deleted file recovery: VSS provides the ability to recover previous versions of the file after accidental file deletes.
• File overwrite recovery: VSS provides the ability to recover from accidental file overwrites.
• File comparison: VSS provides the ability to compare different versions of a file and track changes between the versions.
• Application integrations: Many applications such as Windows Server Backup, Shadow Copies for Shared Folders, System Restore, and so on take advantage of the VSS core services to create point-in-time copies of data or configurations for easy recovery. This is especially useful in situations where snapshots allow in-use data, applications, or even Hyper-V virtual machines to be backed up.
Shadow Copies
VSS Infrastructure Components

| Component | Function |
|---|---|
| VSS Service | Primary component that manages VSS interaction between the operating system and other VSS components. |
| VSS Requester | Component that requests the creation of shadow copies. |
| VSS Writer | Component responsible for guaranteeing data consistency as snapshots are created. |
| VSS Provider | Component that creates and maintains the shadow copies. This is built in to many operating systems and in some cases hardware appliances. |

Volume Shadow Copies (Settings)
1. Which volume to enable shadow copies on [ enable / disable ]
2. Create / Delete volume shadow copies
3. Settings
   1. Storage Area [ E: ]
   2. Size Limit
   3. Schedule
Guidelines for Using VSS
While it might seem simple, there are several guidelines for enabling and using VSS:
■ Always be sure to continue to back up your data on a regular basis. VSS is not designed to be a replacement for regular data backups, but it can be considered a complement to them.

■ Consider server I/O load when determining an appropriate schedule. If you are currently experiencing higher I/O load, choose a less frequent shadow copy schedule.

■ Consider how often users request file restores to determine frequency or how much storage you will need for shadow copies. A maximum of 64 shadow copies per volume can be stored. If you reach the 64-copy limit or storage runs out, older shadow copies will be deleted to make room for new versions.

■ Know that when a file is restored to a previous version, permissions remain the same. If a file was accidentally deleted, file permissions will be reset to the default permissions for the folder.

■ Avoid using shadow copies on volumes that use mount points because the mounted drive and its data will not be included in the shadow copies.

■ When possible, use a separate volume or even storage space to contain shadow copies.
■ If a volume must be deleted, ensure that all shadow copy tasks are removed and disable shadow copy services for that volume before deleting the volume.

■ To minimize file fragmentation, format the source volume for the shadow copies using a 16-KB allocation unit size.
■ If you need to restore a previously backed-up shadow copy volume, be sure to restore the data to the same volume to avoid the risk of duplicate snapshots.
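The settings list and several of the guidelines above can be applied from PowerShell. The following is an added example, not part of the original course material: it places the shadow storage for one volume on a separate volume with a size limit, registers a twice-daily schedule outside the busiest hours, takes one snapshot immediately, and reports how close each volume is to the 64-copy limit. The drive letters, task name and times are constructed.

```powershell
# Added example: configure, schedule and audit shadow copies for one data volume.
# E: (source), F: (shadow storage), the task name and the schedule times are constructed.

$SourceVolume  = 'E:'
$StorageVolume = 'F:'      # guideline: keep shadow copies on a separate volume when possible

# Settings: Storage Area and Size Limit. Reserve at most 10% of F: for E:'s shadow copies.
vssadmin add shadowstorage "/for=$SourceVolume" "/on=$StorageVolume" /maxsize=10%

# Settings: Schedule. Two snapshots per day at low-I/O times, run as SYSTEM.
$action   = New-ScheduledTaskAction -Execute 'vssadmin.exe' `
                -Argument "create shadow /for=$SourceVolume /autoretry=15"
$triggers = @(
    New-ScheduledTaskTrigger -Daily -At '07:00'
    New-ScheduledTaskTrigger -Daily -At '12:00'
)
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -RunLevel Highest
Register-ScheduledTask -TaskName "ShadowCopy_$($SourceVolume.TrimEnd(':'))" `
    -Action $action -Trigger $triggers -Principal $principal -Force

# Create one shadow copy now. ClientAccessible is the kind users see under Previous Versions.
$create = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
              -Arguments @{ Volume = "$SourceVolume\"; Context = 'ClientAccessible' }
if ($create.ReturnValue -ne 0) {
    throw "Shadow copy creation failed (return code $($create.ReturnValue))"
}

# Guideline: 64 copies per volume; beyond that the oldest copy is silently discarded,
# so a volume near the limit is losing restore points faster than expected.
function Get-ShadowCopyCount {
    param([int]$WarnAt = 56)   # flag volumes at 7/8 of the limit
    $volumes = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter }
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)
    foreach ($vol in $volumes) {
        # Win32_ShadowCopy.VolumeName and Win32_Volume.DeviceID are both \\?\Volume{GUID}\ paths
        $copies = @($shadows | Where-Object { $_.VolumeName -eq $vol.DeviceID })
        [pscustomobject]@{
            Volume    = $vol.DriveLetter
            Copies    = $copies.Count
            Oldest    = ($copies | Sort-Object InstallDate | Select-Object -First 1).InstallDate
            NearLimit = ($copies.Count -ge $WarnAt)
        }
    }
}
Get-ShadowCopyCount | Format-Table -AutoSize
```

The Oldest column is the practical retention window: if it is only a few days back on a volume that users restore from regularly, either the schedule is too frequent for the storage limit or the /maxsize reservation is too small, and shadow copies are being recycled before they are needed.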
NTFS Quotas
New in Windows Server 2008 is the use of File Server Resource Manager (FSRM) to enable quotas on shared folders within disk volumes, together with additional mechanisms for notifying users who are approaching or exceeding their quota limits. Both quotas and FSRM have been carried over into Windows Server 2012 and Windows Server 2012 R2.
Disk Quota Configuration Options

| Option | Description |
|---|---|
| Enable quota management | Enables quota management and enables the other options so you can configure them. |
| Deny disk space to users exceeding quota limit | When users exceed their quota, they receive an Out of disk space message and they cannot write further data. |
| Do not limit disk usage | Select this option when you do not want to limit the amount of disk space used. |
| Limit disk space to | Configures the disk space limit per user. |
| Set warning level to | Configures the amount of disk space that a user can write before receiving a warning. |
| Log event when a user exceeds their quota limit | Writes an event to the Windows system log on the computer running disk quotas whenever a user exceeds her quota limit. |
| Log event when a user exceeds their warning level | Writes an event to the Windows system log on the computer running disk quotas any time a user exceeds her quota warning level, not her actual quota. |
NTFS Quotas
• First introduced in Windows Server 2000
• New quota system in Windows Server 2008
• File Server Resource Manager (FSRM)
• Data usage is calculated based on the owner of the file
• Files in the Recycle Bin count toward the quota
• Based on uncompressed size
FSRM to Enable Quotas

FSRM enables quotas on shared folders as well as volumes, and you can define templates that can be used for setting common quota definitions across multiple servers and shares.

FSRM enables you to create the following types of quotas:

Hard quota: Denies additional disk space to a user exceeding her quota limit and generates notifications when data saved reaches configured thresholds.
Soft quota: Only generates the configured notifications when data saved reaches configured thresholds. Equivalent to clearing the Deny disk space to users exceeding quota limit option mentioned previously.
Quota Settings
1. Quota Path [ E:\.... ]
2. Apply Template

Quota Templates

1. Template Name
2. Description
3. Space Limit
4. Notification Threshold
Some Guidelines for Using Quotas
The following are a few guidelines for using quotas on Windows Server 2012 R2 file servers:

■ If you need to specify different quotas for different users, use File Explorer to configure quotas. Conversely, if you need to specify quotas that apply to shared folders, use FSRM to configure quotas.
■ When installing applications, use the Administrator account rather than your own user account. That way, the space used by the applications will not be charged against your quota if you have one.
■ If you want to use disk quotas only to monitor disk space usage, specify a soft quota by clearing the Deny disk space to users exceeding quota limit check box in File Explorer or by selecting the Soft quota option in FSRM. That way, users are not prevented from saving important data.
■ Be aware that the use of hard quotas might cause applications to fail. Using FSRM to configure hard quotas provides additional reports and warnings that alert you to situations where quota limits are being approached and enable you to take action as needed.
■ Monitor the space used and increase the limits for those users who need larger amounts of space. When using FSRM, set up additional folders with less restrictive limits applied to users with access permissions for these folders.
■ Set quotas on all shared volumes, including public folders and network servers, to ensure appropriate use of space by users.
■ If a user no longer stores files on a certain volume, delete her disk quota entries. You can do this only after her files have been moved or deleted or after someone has taken ownership of them.
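The first and third guidelines above map directly onto two different tools. The following is an added example, not part of the original course material: it configures a per-user NTFS disk quota with fsutil (the command-line equivalent of the File Explorer options) and then defines FSRM templates for a soft, monitor-only quota and a hard quota and applies them to two folders. The volume, paths, sizes and account names are constructed; the FSRM cmdlets require the File Server Resource Manager role service.

```powershell
# Added example: NTFS per-user disk quotas (fsutil) beside FSRM folder quotas.
# E:, the folder paths, the sizes and CONTOSO\alice are constructed placeholders.

# --- NTFS disk quotas: per user, per volume (File Explorer "Quota" tab equivalents) ---
fsutil quota track E:                 # "Enable quota management" in tracking mode: warn, never deny
# Per-user entry for alice: warning level 800 MB, limit 1 GB (both values in bytes)
fsutil quota modify E: 838860800 1073741824 CONTOSO\alice
fsutil quota query E:                 # review all quota entries on the volume
# fsutil quota enforce E:             # switch to "Deny disk space to users exceeding quota limit"

# --- FSRM quotas: per folder or share, template based ---
Import-Module -Name FileServerResourceManager

# Notification threshold at 85%: write a warning to the event log. [Source Io Owner] and
# [Quota Path] are FSRM message variables expanded when the notification fires.
$warn = New-FsrmAction -Type Event -EventType Warning `
    -Body 'User [Source Io Owner] has reached 85% of the quota on [Quota Path].'
$threshold = New-FsrmQuotaThreshold -Percentage 85 -Action $warn

# Soft template: notify only (guideline: monitor without blocking important saves)
New-FsrmQuotaTemplate -Name '1 GB Monitor' -Description 'Soft quota: notify only' `
    -Size 1GB -SoftLimit -Threshold $threshold
# Hard template: deny writes above the limit (guideline: expect some applications to fail)
New-FsrmQuotaTemplate -Name '1 GB Limit' -Description 'Hard quota: deny writes above limit' `
    -Size 1GB -Threshold $threshold

New-FsrmQuota -Path 'E:\Projects' -Template '1 GB Limit'
New-FsrmQuota -Path 'E:\Public'   -Template '1 GB Monitor'

# Report usage against limits for every FSRM quota under a root path
function Get-QuotaReport {
    param([string]$Root = 'E:\')
    Get-FsrmQuota | Where-Object { $_.Path -like "$Root*" } |
        Select-Object Path,
            @{ n = 'LimitMB'; e = { [math]::Round($_.Size / 1MB) } },
            @{ n = 'UsedMB';  e = { [math]::Round($_.Usage / 1MB) } },
            @{ n = 'Type';    e = { if ($_.SoftLimit) { 'Soft' } else { 'Hard' } } }
}
Get-QuotaReport | Format-Table -AutoSize
```

The two mechanisms count differently: the NTFS quota charges space to the file owner across the whole volume, while the FSRM quota charges the folder regardless of owner, which is why the guidelines steer per-user limits to File Explorer and per-share limits to FSRM.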
NTFS Permission

NTFS file and folder permissions are also known as security permissions; they can apply to both files and folders, and they apply on your computer to files and folders whether a folder is shared or not shared at all.

An ACL (access control list) is a list of users and groups that have been granted access for a particular file or folder, as well as the types of access that the users and groups have been granted.

Collectively, these kinds of entries in the ACL are called access control entries (ACEs).

Windows uses the ACL to determine the level of access a user should be granted when he attempts to access a file or folder.
NTFS File and Folder Permissions (Basic Permission)

| Permission | What a User Can Do on a Folder | What a User Can Do on a File |
|---|---|---|
| Full Control | Change permissions, take ownership, and delete subfolders and files. All other actions allowed by the permissions listed in this table are also possible. | Change permissions, take ownership, and perform all other actions allowed by the permissions listed in this table. |
| Modify | Delete the folder as well as grant that user the Read permission and the List Folder Contents permission. | Modify a file's contents and delete the file as well as perform all actions allowed by the Write permission and the Read and Execute permission. |
| Read & Execute | Run files and display file attributes, owner, and permissions. | Run application files and display file attributes, owner, and permissions. |
| List Folder Contents | List a folder's contents, that is, its files and subfolders. | n/a |
| Read | Display file names, subfolder names, owner, permissions, and file attributes (Read Only, Hidden, Archive, and System). | Display data, file attributes, owner, and permissions. |
| Write | Create new folders and files, change a folder's attributes, and display owner and permissions. | Write changes to the file, change its attributes, and display owner and permissions. |
NTFS Special Access Permissions (Advanced Permission)

| Folder Permission | What a User Is Allowed to Do | File Permission | What a User Is Allowed to Do |
|---|---|---|---|
| Full control | Includes all special access permissions. | Full control | Includes all special access permissions. |
| Traverse folder | Navigate through folders that a user normally can't access to reach files or folders that the user does have permission to access. | Execute file | Run executable files. |
| List folder | View files or subfolders. | Read data | View data in a particular file. |
| Read attributes | View folder attributes. These attributes are defined by NTFS. | Read attributes | View file attributes. These attributes are defined by NTFS. |
| Read extended attributes | View extended folder attributes. Extended attributes are defined by software and can vary. | Read extended attributes | View extended file attributes. Extended attributes are defined by software and can vary. |
| Create files | Create files within a folder. | Write data | Write changes to or overwrite a file. |
| Create folders | Create subfolders. | Append data | Make changes to the end of a file by appending data. Does not allow changing, deleting, or overwriting existing data. |
| Write attributes | Change the attributes of a folder, such as read-only or hidden. Attributes are defined by NTFS. | Write attributes | Change the attributes of a file, such as read-only or hidden. Attributes are defined by NTFS. |
| Write extended attributes | Change the extended attributes of a folder. Extended attributes are defined by programs and can vary. | Write extended attributes | Change the extended attributes of a file. Extended attributes are defined by programs and can vary. |
| Delete subfolders and files | Delete subfolders, even if the Delete permission has not been granted on the subfolder. | Delete subfolders and files | Delete files, even if the Delete permission has not been granted on the file. |
| Delete | Delete a folder or subfolder. | Delete | Delete a file. |
| Read permissions | Read permissions for a folder, such as Full Control, Read, and Write. | Read permissions | Read permissions for a file, such as Full Control, Read, and Write. |
| Change permissions | Change permissions for a folder, such as Full Control, Read, and Write. | Change permissions | Change permissions for a file, such as Full Control, Read, and Write. |
| Take ownership | Take ownership of a folder. | Take ownership | Take ownership of a file. |
NTFS Permissions Inheritance

All NTFS permissions are inherited, that is, they pass down through the folder hierarchy from parent to child.

• Convert inherited permissions into explicit permissions on this object: Select this link to add the permissions currently inherited from the parent folder to the subfolder or file as explicit permissions. This action also prevents subsequent permission inheritance from the parent folder.
• Remove all inherited permissions from this object: Select this link to remove the permissions the subfolder or file inherited from the parent folder. Only permissions that you explicitly assign to the file or folder will apply.
• Cancel: Click Cancel to abort the operation and restore the Allow inheritable permissions from parent to propagate to this object check box.
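The permission tables and the three inheritance choices above correspond to a small set of .NET calls that Get-Acl and Set-Acl expose. The following is an added example, not part of the original course material: it assigns a basic permission and an advanced Deny to a folder, then performs the "convert inherited to explicit" operation on a subfolder and shows how to tell inherited from explicit ACEs afterwards. The folder path and account names are constructed, and the New-Object form is used so the script also runs on the Windows PowerShell 4.0 that ships with Windows Server 2012 R2.

```powershell
# Added example: NTFS permissions and inheritance with Get-Acl / Set-Acl.
# E:\Projects, its Archive subfolder and CONTOSO\ProjectUsers are constructed placeholders.

$Folder = 'E:\Projects'
$Sub    = Join-Path -Path $Folder -ChildPath 'Archive'
foreach ($p in $Folder, $Sub) {
    if (-not (Test-Path -Path $p)) { New-Item -ItemType Directory -Path $p | Out-Null }
}

# "This folder, subfolders and files" in the Advanced Security dialog
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None

# Basic permission: Modify for the users group, inherited by everything below.
$modify = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList 'CONTOSO\ProjectUsers', 'Modify', $inherit, $none, 'Allow'

# Advanced permission: an explicit Deny of Delete. Modify includes Delete, but Deny
# overrides Allow, so members can edit files in place yet cannot remove them.
$noDelete = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList 'CONTOSO\ProjectUsers', 'Delete', $inherit, $none, 'Deny'

$acl = Get-Acl -Path $Folder
$acl.AddAccessRule($modify)
$acl.AddAccessRule($noDelete)
Set-Acl -Path $Folder -AclObject $acl

# Inheritance on the subfolder. SetAccessRuleProtection(isProtected, preserveInheritance):
#   ($true,  $true)  = "Convert inherited permissions into explicit permissions on this object"
#   ($true,  $false) = "Remove all inherited permissions from this object"
#   ($false, $false) = re-enable "Allow inheritable permissions from parent to propagate"
$subAcl = Get-Acl -Path $Sub
$subAcl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $Sub -AclObject $subAcl

# Review: IsInherited distinguishes ACEs that came from the parent from explicit ones.
# After the conversion above, every ACE on the subfolder reports IsInherited = False.
function Get-AclSummary {
    param([Parameter(Mandatory)] [string] $Path)
    (Get-Acl -Path $Path).Access |
        Select-Object @{ n = 'Path'; e = { $Path } }, IdentityReference, FileSystemRights,
                      AccessControlType, IsInherited
}
Get-AclSummary -Path $Folder | Format-Table -AutoSize
Get-AclSummary -Path $Sub    | Format-Table -AutoSize
```

Once inheritance is blocked on the subfolder, changes made higher in the tree no longer reach it, so a folder with protected ACLs is exactly where a later permission cleanup on the parent silently fails to apply; listing IsInherited across a share is the quick way to find those islands.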
Effective Permissions

Effective permissions are a combination of all permissions configured for your user
account and for the groups of which you are a member.
