Contents - Pearsoncmg
The practical, portable guide for
Windows Server administrators!
Portable and precise, this pocket-sized guide delivers
ready answers for administering storage, security, and
networking features in Windows Server 2012 R2. Zero
in on core procedures and operations through quickreference tables, instructions, and lists. You’ll get the
focused information you need to save time and get the
job done—whether at your desk or in the field.
Get fast facts to:
•
•
•
•
•
•
•
•
•
•
Administer п¬Ѓle systems and drives
Configure storage and implement RAID
About the Author
William R. Stanek is a
Microsoft MVP with 20+
years of experience in systems
management and advanced
programming. He is an awardwinning author of more than
150 books, including Windows
Server 2012 Inside Out and the
Pocket Consultants for Microsoft
Exchange Server 2013, Windows
8.1, and SQL Server 2012. He is
the series editor for the Pocket
Consultant line of books.
Configure file sharing and permissions
Audit system resources and implement quotas
Administer Group Policy and security settings
Install and configure DHCP servers
Also Look For
Set up and optimize DNS on a network
Manage TCP/IP and network connections
Manage and troubleshoot print services
Encrypt, back up, and restore data
Windows Server 2012 R2
Configuration, Storage,
& Essentials
Inside Out
William Stanek
ISBN 9780735682672
microsoft.com/mspress
ISBN: 978-0-7356-8259-7
U.S.A. $39.99
Canada $41.99
[Recommended]
Operating Systems/
Windows Server
Celebrating 30 years!
Windows Server 2012 R2
Pocket Consultant Storgae,
Security, & Networking
Windows Server 2012 R2
Storage, Security, & Networking
Pocket Consultant
Stanek
Windows
Server 2012 R2
Storage, Security,
& Networking
William R. Stanek
Author and Series Editor
Pocket
Consultant
PUBLISHED BY
Microsoft Press
A Division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399
Copyright В© 2014 by William R. Stanek
All rights reserved. No part of the contents of this book may be reproduced or transmitted
in any form or by any means without the written permission of the publisher.
Library of Congress Control Number: 2013956655
ISBN: 978-0-7356-8259-7
Printed and bound in the United States of America.
First Printing
Microsoft Press books are available through booksellers and distributors worldВ­В­В­wide. IfВ you need support related to this book, email Microsoft Press Book
SupportВ atВ [email protected] Please tell us what you think of this book
at http://www.microsoft.com/learning/booksurvey.
Microsoft and the trademarks listed at http://www.microsoft.com/en-us/legal/
intellectualproperty/trademarks/en-us.aspx are trademarks of the Microsoft group
ofВ companies. All other marks are property of their respective owners.
The example companies, organizations, products, domain names, email addresses, logos,
people, places, and events depicted herein are fictitious. No association with any real
company, organization, product, domain name, email address, logo, person, place, or
event is intended or should be inferred.
This book expresses the author’s views and opinions. The information contained in this
book is provided without any express, statutory, or implied warranties. Neither the authors,
Microsoft Corporation, nor its resellers, or distributors will be held liable for any damages
caused or alleged to be caused either directly or indirectly by this book.
Acquisitions Editor: Anne Hamilton
Developmental Editor: Karen Szall
Editorial Production: Online Training Solutions, Inc. (OTSI)
Project Editor: Karen Szall
Technical Reviewer: Charlie Russell; Technical Review services provided by
ContentВ Master, a member of CM Group, Ltd.
Copyeditor: Denise Bankaitis (OTSI)
Indexer: Krista Wall (OTSI)
Cover: Best & Company Design
Contents
Introductionxv
Chapter 1
Managing file systems andВ drives
1
Managing the File And Storage Services role. . . . . . . . . . . . . . . . . . . 1
Adding hard drives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Physical drives
5
Preparing a physical drive for use
8
Using Disk Management
11
Using removable storage devices
14
Installing and checking for a new drive
16
Understanding drive status
16
Working with basic, dynamic, and virtual disks. . . . . . . . . . . . . . . . 18
Using basic and dynamic disks
18
Special considerations for basic and dynamic disks
19
Changing drive types
20
Reactivating dynamic disks
22
Rescanning disks
22
Moving a dynamic disk to a new system
22
Managing virtual hard disks
23
Using basic disks and partitions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Partitioning basics
24
Creating partitions and simple volumes
25
Formatting partitions
28
Compressing drives and data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Compressing drives
30
Compressing directories and files
30
Expanding compressed drives
31
Expanding compressed directories and files
31
What do you think of this book? We want to hear from you!
Microsoft is interested in hearing your feedback so we can continually improve our
books and learning resources for you. To participate in a brief online survey, please visit:
microsoft.com/learning/booksurvey
iii
Encrypting drives and data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Understanding encryption and the encrypting file
system
Chapter 2
32
Encrypting directories and files
33
Working with encrypted files and folders
34
Configuring recovery policies
35
Decrypting files and directories
36
Configuring storage
37
Using volumes and volume sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Understanding volume basics
38
Understanding volume sets
39
Creating volumes and volume sets
42
Deleting volumes and volume sets
44
Managing volumes
44
Improving performance and fault tolerance with RAID. . . . . . . . . 44
Implementing RAID on Windows Server 2012 R2. . . . . . . . . . . . . . 45
Implementing RAID-0: disk striping
45
Implementing RAID-1: disk mirroring
46
Implementing RAID-5: disk striping with parity
49
Managing RAID and recovering from failures . . . . . . . . . . . . . . . . . 50
Breaking a mirrored set
50
Resynchronizing and repairing a mirrored set
50
Repairing a mirrored system volume to enable boot
51
Removing a mirrored set
52
Repairing a striped set without parity
52
Regenerating a striped set with parity
52
Standards-based storage management. . . . . . . . . . . . . . . . . . . . . . . 53
Getting started with standards-based storage
53
Working with standards-based storage
54
Using storage pools and allocating space
57
Creating a storage pool
58
Creating a virtual disk in a storage space
62
Creating a standard volume
64
Troubleshooting storage spaces
66
Managing existing partitions and drives. . . . . . . . . . . . . . . . . . . . . . 67
iv
Contents
Assigning drive letters and paths
67
Changing or deleting the volume label
68
Deleting partitions and drives
69
Converting a volume to NTFS
70
Resizing partitions and volumes
72
Repairing disk errors and inconsistencies automatically
73
Analyzing and optimizing disks
78
CHAPTER 3 Data sharing and redundancy
81
Using and enabling file sharing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Configuring standard file sharing. . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Understanding SMB changes
85
Viewing existing shares
86
Creating shared folders in Computer Management
88
Creating shared folders in Server Manager
91
Changing shared folder settings
94
Managing share permissions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Understanding the various share permissions
95
Viewing and configuring share permissions
95
Managing existing shares. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Understanding special shares
100
Connecting to special shares
101
Viewing user and computer sessions
102
Stopping file and folder sharing
106
Configuring NFS sharing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Using shadow copies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Understanding shadow copies
109
Creating shadow copies
110
Restoring a shadow copy
110
Reverting an entire volume to a previous shadow copy 111
Deleting shadow copies
111
Disabling shadow copies
111
Connecting to network drives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Mapping a network drive
112
Disconnecting a network drive
113
Configuring synced sharing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Getting started with Work Folders
114
Creating sync shares and enabling SMB access
116
Accessing Work Folders on clients
119
Contents
v
CHAPTER 4 Data security and auditing
121
Object management, ownership, and inheritance. . . . . . . . . . . . 121
Objects and object managers
121
Object ownership and transfer
122
Object inheritance
123
File and folder permissions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Understanding file and folder permissions
125
Setting basic file and folder permissions
127
Setting special permissions on files and folders
129
Setting claims-based permissions
132
Auditing system resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Setting auditing policies
135
Auditing files and folders
136
Auditing the registry
138
Auditing Active Directory objects
139
Using, configuring, and managing NTFS disk quotas. . . . . . . . . 140
Understanding NTFS disk quotas and how
NTFS quotas areВ used
141
Setting NTFS disk quota policies
142
Enabling NTFS disk quotas on NTFS volumes
145
Viewing disk quota entries
147
Creating disk quota entries
147
Deleting disk quota entries
148
Exporting and importing NTFS disk quota settings
149
Disabling NTFS disk quotas
150
Using, configuring, and managing Resource Manager
disk quotas. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Understanding Resource Manager disk quotas
151
Managing disk quota templates
152
Creating Resource Manager disk quotas
155
CHAPTER 5Enhancing computer security
157
Using security templates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Using the Security Templates and Security
Configuration And Analysis snap-ins
vi
Contents
159
Reviewing and changing template settings
159
Analyzing, reviewing, and applying security templates
167
Deploying security templates to multiple computers
170
Using the Security Configuration Wizard . . . . . . . . . . . . . . . . . . . . 172
Creating security policies
172
Editing security policies
177
Applying security policies
177
Rolling back the last applied security policy
178
Deploying a security policy to multiple computers
178
CHAPTER 6 Managing users and computers
with Group Policy
181
Centrally managing special folders. . . . . . . . . . . . . . . . . . . . . . . . . 181
Redirecting a special folder to a single location
182
Redirecting a special folder based on group
membership
184
Removing redirection
186
User and computer script management . . . . . . . . . . . . . . . . . . . . 187
Assigning computer startup and shutdown scripts
187
Assigning user logon and logoff scripts
189
Deploying software through Group Policy. . . . . . . . . . . . . . . . . . 190
Getting to know Software Installation policy
190
Deploying software throughout your organization
191
Configuring software deployment options
192
Updating deployed software
194
Upgrading deployed software
194
Automatically configuring Work Folders. . . . . . . . . . . . . . . . . . . . 195
Automatically enrolling computer and user certificates. . . . . . . 196
Managing Automatic Updates in Group Policy . . . . . . . . . . . . . . 197
Configuring Automatic Updates
198
Optimizing Automatic Updates
199
Using intranet update service locations
200
CHAPTER 7 Managing TCP/IP networking
201
Navigating networking in Windows Server 2012 R2. . . . . . . . . . 201
Managing networking in Windows 8.1 and
Windows Server 2012 R2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Installing TCP/IP networking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Configuring TCP/IP networking. . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Configuring static IP addresses
209
Contents
vii
Configuring dynamic IP addresses and alternate
IPВ addressing
211
Configuring multiple gateways
212
Configuring networking for Hyper-V
213
Managing network connections. . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Checking the status, speed, and activity for
network connections
215
Enabling and disabling network connections
215
Renaming network connections
215
CHAPTER 8 Running DHCP clients andВ servers
217
Understanding DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Using dynamic IPv4 addressing and configuration
217
Using dynamic IPv6 addressing and configuration
219
Checking IP address assignment
221
Understanding scopes
222
Installing a DHCP server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Installing DHCP components
223
Starting and using the DHCP console
225
Connecting to remote DHCP servers
227
Starting and stopping a DHCP server
227
Authorizing a DHCP server in Active Directory
228
Configuring DHCP servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Configuring server bindings
228
Updating DHCP statistics
229
Auditing and troubleshooting DHCP
229
Integrating DHCP and DNS
230
Integrating DHCP and NAP
232
Avoiding IP address conflicts
236
Saving and restoring the DHCP configuration
236
Managing DHCP scopes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Creating and managing superscopes
238
Creating and managing scopes
239
Creating and managing failover scopes
249
Managing the address pool, leases, and reservations. . . . . . . . . . 252
viii
Contents
Viewing scope statistics
252
Enabling and configuring MAC address filtering
253
Setting a new exclusion range
254
Reserving DHCP addresses
255
Modifying reservation properties
257
Deleting leases and reservations
257
Backing up and restoring the DHCP database. . . . . . . . . . . . . . . . 257
Chapter 9
Backing up the DHCP database
257
Restoring the DHCP database from backup
258
Using backup and restore to move the DHCP
database to a new server
258
Forcing the DHCP Server service to regenerate
the DHCP database
259
Reconciling leases and reservations
259
Optimizing DNS
261
Understanding DNS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Integrating Active Directory and DNS
262
Enabling DNS on the network
263
Configuring name resolution on DNS clients. . . . . . . . . . . . . . . . 266
Installing DNS servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Installing and configuring the DNS Server service
268
Configuring a primary DNS server
270
Configuring a secondary DNS server
273
Configuring reverse lookups
274
Configuring global names
275
Managing DNS servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Adding and removing servers to manage
277
Starting and stopping a DNS server
278
Using DNSSEC and Signing Zones
278
Creating child domains within zones
280
Creating child domains in separate zones
281
Deleting a domain or subnet
282
Managing DNS records. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Adding address and pointer records
283
Adding DNS aliases with CNAME
284
Adding mail exchange servers
284
Adding name servers
285
Viewing and updating DNS records
286
Updating zone properties and the SOA record. . . . . . . . . . . . . . 287
Modifying the SOA record
287
Contents
ix
Allowing and restricting zone transfers
289
Notifying secondaries of changes
290
Setting the zone type
291
Enabling and disabling dynamic updates
291
Managing DNS server configuration and security. . . . . . . . . . . . 292
Enabling and disabling IP addresses for a DNS server
292
Controlling access to DNS servers outside the
organization
292
Enabling and disabling event logging
294
Using debug logging to track DNS activity
294
Monitoring a DNS server
295
Chapter 10 Administering network printers and print services 297
Managing the Print and Document Services role . . . . . . . . . . . . 297
Using print devices
298
Printing essentials
298
Configuring print servers
300
Enabling and disabling file and printer sharing
302
Getting started with Print Management. . . . . . . . . . . . . . . . . . . . 302
Installing printers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Using the autoinstall feature of Print Management
305
Installing and configuring physically attached
print devices
307
Installing network-attached print devices
311
Connecting to printers created on the network
314
Deploying printer connections
315
Configuring point and print restrictions
317
Moving printers to a new print server
319
Monitoring printers and printer queues automatically
320
Solving spooling problems
322
Configuring printer properties. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
x
Contents
Adding comments and location information
322
Listing printers in Active Directory
323
Managing printer drivers
323
Setting a separator page and changing print
device mode
324
Changing the printer port
325
Scheduling and prioritizing print jobs
325
Starting and stopping printer sharing
327
Setting printer access permissions
327
Auditing print jobs
329
Setting document defaults
329
Configuring print server properties. . . . . . . . . . . . . . . . . . . . . . . . 329
Locating the Spool folder and enabling printing
on NTFS
329
Managing high-volume printing
330
Enabling print job error notification
330
Managing print jobs on local and remote printers. . . . . . . . . . . . 331
Viewing printer queues and print jobs
331
Pausing the printer and resuming printing
332
Emptying the print queue
332
Pausing, resuming, and restarting individual
document printing
332
Removing a document and canceling a print job
332
Checking the properties of documents in the printer
333
Setting the priority of individual documents
333
Scheduling the printing of individual documents
333
Chapter 11 Data backup and recovery
335
Creating a backup and recovery plan. . . . . . . . . . . . . . . . . . . . . . . . 335
Figuring out a backup plan
335
Basic types of backup
337
Differential and incremental backups
338
Selecting backup devices and media
339
Common backup solutions
339
Buying and using backup media
340
Selecting a backup utility
341
Backing up your data: the essentials. . . . . . . . . . . . . . . . . . . . . . . . 342
Installing the Windows backup and recovery utilities
343
Getting started with Windows Server Backup
343
Getting started with the Backup Command-Line utility 346
Working with Wbadmin commands
348
Using general-purpose commands
348
Using backup management commands
349
Using recovery management commands
350
Contents
xi
Performing server backups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
Configuring scheduled backups
352
Modifying or stopping scheduled backups
355
Creating and scheduling backups with Wbadmin
356
Running manual backups
357
Recovering your server from hardware or
startup failure
358
Recovering from a failed start
361
Starting a server in safe mode
361
Backing up and restoring the system state
363
Restoring Active Directory
364
Restoring the operating system and the full system
364
Restoring applications, nonsystem volumes, and
files and folders
367
Managing encryption recovery policy. . . . . . . . . . . . . . . . . . . . . . 368
Understanding encryption certificates and
recovery policy
368
Configuring the EFS recovery policy
370
Backing up and restoring encrypted data and certificates . . . . 371
Backing up encryption certificates
371
Restoring encryption certificates
372
Index
373
About the author
395
What do you think of this book? We want to hear from you!
Microsoft is interested in hearing your feedback so we can continually improve our
books and learning resources for you. To participate in a brief online survey, please visit:
microsoft.com/learning/booksurvey
xii
Contents
Acknowledgments
T
o my readers—thank you for being there with me through many books and
many years. It has been an honor and a privilege to be your pocket consultant.
To my wife—for many years, through many books, many millions of words, and
many thousands of pages she’s been there, providing support and encouragement
and making every place we’ve lived a home.
To my kids—for helping me see the world in new ways, for having exceptional
patience and boundless love, and for making every day an adventure.
To Anne, Karen, Martin, Lucinda, Juliana, and many others who’ve helped out in
ways both large and small.
Special thanks to my son Will for not only installing and managing my extensive
dev lab for all my books since Windows 8 Pocket Consultant but for also performing checkВ reads of all those books as well.
—William R. Stanek
xiii
Introduction
W
indows Server 2012 R2 Pocket Consultant: Storage, Security, & Networking
is designed to be a concise and compulsively usable resource for Windows
administrators, developers, and programmers, and for anyone else who wants to
use the storage, networking, and security features of Windows Server 2012 R2. This
is the readable resource guide that you’ll want on your desk or in your pocket at all
times. The book discusses everything you need to perform core tasks. Because the
focus is directed on providing you with the maximum value in a pocket-sized guide,
you don’t have to wade through hundreds of pages of extraneous information to find
what you’re looking for. Instead, you’ll find exactly what you need to get the job done.
In short, the book is designed to be the one resource you consult whenever you
have questions regarding storage, networking, and security in Windows Server
2012В R2. To this end, the book concentrates on configuration options, frequently
used tasks, documented examples, and options that are representative but not
necessarily inclusive. One of the goals is to keep the content so concise that the
book remains compact and easy to navigate while ensuring that the book is packed
with as much information as possible—making it a valuable resource.
Anyone transitioning to Windows Server 2012 R2 from Windows Server 2012
might be surprised at just how much has been updated, as changes both subtle and
substantial have been made throughout the operating system. Like Windows Server
2012, Windows Server 2012 R2 supports a touch user interface (UI), in addition to
the traditional mouse and keyboard.
Although you might not install Windows Server 2012 R2 on touch UI–capable
computers, you can manage Windows Server 2012 R2 from your touch UI–capable
computers. If you do end up managing it this way, understanding the touch UI in
addition to the revised interface options will be crucial to your success. For this reason, I discuss both the touch UI and the traditional mouse and keyboard techniques
throughout this book.
When you are working with touch-enabled computers, you can manipulate
on-screen elements in ways that weren’t possible previously. You can do any of the
following:
■■■■■■Tap  Tap an item by touching it with your finger. A tap or double-tap
of elements on the screen generally is the equivalent of a mouse click or
double-click.
Press and hold  Press your finger down and leave it there for a few seconds.
Pressing and holding elements on the screen generally is the equivalent of a
right-click.
Swipe to select  Slide an item a short distance in the opposite direction
compared to how the page scrolls. This selects the items and might also
bring up related commands. If press and hold doesn’t display commands
andВ options for an item, try using swipe to select instead.
xv
■■■■■■Swipe from edge (slide in from edge)  Starting from the edge of the
screen, swipe or slide in. Sliding in from the right edge opens the Charms
panel. Sliding in from the left edge shows open apps and enables you to
switch between them easily. Sliding in from the top or bottom edge shows
commands for the active element.
Pinch  Touch an item with two or more fingers, and then move the fingers
toward each other. Pinching zooms out.
Stretch  Touch an item with two or more fingers, and then move the fingers
away from each other. Stretching zooms in.
You are also able to enter text using the on-screen keyboard. Although the UI
changes are substantial, they aren’t the most significant changes to the operating
system. The most significant changes are below the surface, affecting the underlying architecture and providing many new features. Some of these features are
revolutionary in that they forever change the way we use Windows.
As you’ve probably noticed, a great deal of information about Windows Server
2012 R2 is available on the Web and in other printed books. You can find tutorials,
reference sites, discussion groups, and more to make using Windows Server 2012 R2
easier. However, the advantage of reading this book is that much of the information
you need to learn about Windows Server 2012 R2 is organized in one place and presented in a straightforward and orderly fashion. This book has everything you need
to customize Windows Server 2012 R2 installations, master Windows Server 2012 R2
configurations, and maintain Windows Server 2012 R2 servers.
In this book, I teach you how features work, why they work the way they do,
and how to customize them to meet your needs. I also offer specific examples of
how certain features can meet your needs, and how you can use other features to
troubleshoot and resolve issues you might have. In addition, this book provides tips,
best practices, and examples of how to optimize Windows Server 2012 R2. This
book won’t just teach you how to configure Windows Server 2012 R2, it will teach
you how to squeeze every last bit of power out of it and make the most from the
features and options it includes.
Unlike many other books about managing Windows Server 2012 R2, this book
doesn’t focus on a specific user level. This isn’t a lightweight beginner book. Regardless of whether you are a beginning administrator or a seasoned professional, many
of the concepts in this book will be valuable to you, and you can apply them to your
Windows Server 2012 R2 installations.
Who is this book for?
Windows Server 2012 R2 Pocket Consultant: Storage, Security, & Networking covers all
editions of Windows Server 2012 R2. The book is designed for the following readers:
xvi
в– в– Current Windows system administrators
в– в– Accomplished users who have some administrator responsibilities
в– в– Administrators upgrading to Windows Server 2012 R2 from previous versions
в– в– Administrators transferring from other platforms
Introduction
To pack in as much information as possible, I had to assume that you have basic
networking skills and a basic understanding of Windows Server. With this in mind,
I don’t devote entire chapters to explaining Windows Server architecture or why
you want to use Windows Server. I do, however, cover configuring storage, security,
auditing, and much more.
I also assume that you are fairly familiar with Windows commands and procedures
in addition to the Windows user interface. If you need help learning Windows basics,
you should read other resources (many of which are available from Microsoft Press).
How is this book organized?
Rome wasn’t built in a day, nor was this book intended to be read in a day, in a
week, or even in a month. Ideally, you’ll read this book at your own pace, a little
each day as you work your way through all the features Windows Server 2012 R2
has to offer. This book is organized into 11 chapters. The chapters are arranged in
aВ logical order, taking you from planning and deployment tasks to configuration
and maintenance tasks.
Ease of reference is an essential part of this hands-on guide. This book has an
expanded table of contents and an extensive index for finding answers to problems
quickly. Many other quick-reference features have been added to the book as well,
including quick step-by-step procedures, lists, tables with fast facts, and extensive
cross references.
Conventions used in this book
I’ve used a variety of elements to help keep the text clear and easy to follow. You’ll
find code listings in monospace type. When I tell you to actually enter a command,
the command appears in bold type. When I introduce and define a new term or
use a code term in a paragraph of text, I put it in italics.
NOTE  Group Policy includes both policies and preferences. Under the Computer
Configuration and User Configuration nodes, you find two nodes: Policies and
Preferences. Settings for general policies are listed under the Policies node. Settings
forВ general preferences are listed under the Preferences node. When referencing
settings under the Policies node, I sometimes use shortcut references, such as User
Configuration\Administrative Templates\Windows Components, or specify that the
policies are found in the Administrative Templates for User Configuration under
Windows Components. Both references tell you that the policy setting being disВ­cussed is under User Configuration rather than Computer Configuration and can
beВ found under Administrative Templates\Windows Components.
Other conventions include the following:
■■■■Best Practices  To examine the best technique to use when working with
advanced configuration and maintenance concepts
Caution  To warn you about potential problems
Introduction
xvii
■■Important  To highlight important concepts and issues
■■More Info  To provide more information on a subject
■■Note  To provide additional details on a particular point that needs emphasis
■■Real World  To provide real-world advice when discussing advanced topics
■■Security Alert  To point out important security issues
■■Tip  To offer helpful hints or additional information
I truly hope you find that Windows Server 2012 R2 Pocket Consultant: Storage,
Security, & Networking provides everything you need to perform the essential
administrative tasks on Windows servers as quickly and efficiently as possible. You
are welcome to send your thoughts to me at [email protected] Follow me on
Twitter atВ WilliamStanek and on Facebook at www.facebook.com/William.Stanek.
Author.
Other resources
No single magic bullet for learning everything you’ll ever need to know about
Windows Server 2012 R2 exists. Even though some books are offered as all-in-one
guides, there’s just no way one book can do it all. With this in mind, I hope you use
this book as it is intended to be used—as a concise and easy-to-use resource. It
covers everything you need to perform core administration tasks for Windows
servers, but it is by no means exhaustive.
Your current knowledge will largely determine your success with this or any other
Windows resource or book. As you encounter new topics, take the time to practice
what you’ve learned and read about. Seek out further information as necessary to
get the practical hands-on know-how and knowledge you need.
I recommend that you regularly visit the Microsoft website for Windows Server
(microsoft.com/windowsserver) and support.microsoft.com to stay current with
theВ latest changes. To help you get the most out of this book, you can visit my corresponding website at williamstanek.com/windows. This site contains information
about Windows Server 2012 R2 and updates to the book.
Errata and book support
We’ve made every effort to ensure the accuracy of this book and its companion content. Any errors that have been reported since this book was published are listed at:
http://aka.ms/WSR2PC2/errata
If you find an error that is not already listed, you can report it to us through the
same page.
If you need additional support, email Microsoft Press Book Support at:
[email protected]
Please note that product support for Microsoft software is not offered through
the addresses above.
xviii
Introduction
We want to hear from you
At Microsoft Press, your satisfaction is our top priority, and your feedback is our
most valuable asset. Please tell us what you think of this book at:
http://aka.ms/tellpress
The survey is short, and we read every one of your comments and ideas. Thanks
in advance for your input!
Stay in touch
Let’s keep the conversation going! We’re on Twitter: http://twitter.com/MicrosoftPress.
Introduction
xix
CHAPTER 3
Data sharing and redundancy
■■Using and enabling file sharing  82
■■Configuring standard file sharing  85
■■Managing share permissions  95
■■Managing existing shares  100
■■Configuring NFS sharing  107
■■Using shadow copies  109
■■Connecting to network drives  112
■■Configuring synced sharing  114
T
he Server Message Block (SMB) protocol is the primary file sharing protocol
used by computers running Windows. When folders are shared over a network,
an SMB client reads and writes to files and requests services from computers hosting SMB-shared folders. With SMB, Windows Server 2012 R2 supports standard file
sharing and public folder sharing. Standard file sharing makes it possible for remote
users to access network resources such as files, folders, and drives. When you share
a folder or a drive, you make all its files and subfolders available to a specified set
of users. Because you don’t need to move files from their current location, standard
file sharing is also referred to as in-place file sharing.
You can enable standard file sharing on disks formatted with FAT, FAT32, exFAT,
NTFS, or Resilient File System (ReFS). One set of permissions apply to disks formatted with exFAT, FAT, or FAT32. These permissions are called share permissions. Two
sets of permissions apply to disks formatted with NTFS or ReFS: NTFS permissions
(also referred to as access permissions) and share permissions. Having two sets of
permissions allows you to determine precisely who has access to shared files and
the level of access assigned. With either NTFS permissions or share permissions,
you do not need to move the files you are sharing.
With public folder sharing, you share files by just copying or moving files to the
computer’s Public folder. Public files are available to anyone who logs on to a computer locally regardless of whether that person has a standard user account or an
administrator user account on the computer. You can also grant network access to
the Public folder; however, if you do this, there are no access restrictions. The Public
folder and its contents are open to everyone who can access the computer over
the local network.
81
Using and enabling file sharing
The sharing settings on a computer determine the way files can be shared. The two
file sharing models that Windows Server 2012 R2 supports have the following
differences:
■■■■Standard (in-place) file sharing  Allows remote users to access files, folders, and drives over the network. When you share a folder or a drive, you
make all its files and subfolders available to a specified set of users. Share
permissions and access permissions together enable you to control who has
access to shared files and the level of access assigned. You do not need to
move the files you are sharing.
Public folder sharing  Allows local users and (optionally) remote users to
access any files placed in the computer’s %SystemDrive%\Users\Public folder.
Access permissions on the Public folder determine which users and groups
have access to publicly shared files in addition to the level of access those
users and groups have. When you copy or move files to the Public folder,
access permissions are changed to match those of the Public folder. Some
additional permissions are added as well. When a computer is part of a workgroup, you can add password protection to the Public folder. Separate password protection isn’t needed in a domain because only domain users can
access Public folder data.
With standard file sharing, local users don’t have automatic access to any data
stored on a computer. You control local access to files and folders by using the
security settings on the local disk. With public folder sharing, on the other hand,
files copied or moved to the Public folder are available to anyone who logs on
locally. You can grant network access to the Public folder as well; however, doing
soВ makes the Public folder and its contents open to everyone who can access the
computer over the network.
Windows Server 2012 R2 adds new layers of security through compound identities,
claims-based access controls, and central access policies. With both Windows 8.1
and Windows Server 2012 R2, you can assign claims-based access controls to file
and folder resources on NTFS and ReFS volumes. With Windows Server 2012 R2,
users are granted access to file and folder resources, either directly with access permissions and share permissions or indirectly with claims-based access controls and
central access policies.
SMB 3.0 makes it possible to encrypt data being transferred over the network.
You can enable SMB encryption for shares configured on NTFS and ReFS volumes.
SMB encryption works only when the computer requesting data from an SMB-based
share (either a standard file share or a DFS share) and the server supplying the data
support SMB 3.0. Both Windows 8.1 and Windows Server 2012 R2 support SMB 3.0.
(They have an SMB 3.0 client.)
Public folder sharing is designed to enable users to share files and folders from a
single location. With public folder sharing, you copy or move files you want to share
to a computer’s %SystemDrive%\Users\Public folder. You can access public folders in
82
CHAPTER 3  Data sharing and redundancy
File Explorer by double-tapping or double-clicking the system drive, and then
accessing the Users\Public folder.
The Public folder has several subfolders you can use to help organize public files:
■■■■■■Public Desktop  Used for shared desktop items. Any files and program
shortcuts placed in the Public Desktop folder appear on the desktop of all
users who log on to the computer (and to all network users if network access
has been granted to the Public folder).
Public Documents, Public Music, Public Pictures, Public Videos Used
for shared document and media files. All files placed in one of these subfolders are available to all users who log on to the computer (and to all network
users if network access has been granted to the Public folder).
Public Downloads  Used for shared downloads. Any downloads placed in
the Public Downloads subfolder are available to all users who log on to the
computer (and to all network users if network access has been granted to the
Public folder).
NOTE  By default, the Public Desktop folder is hidden from view. If hidden items
aren’t being displayed in File Explorer, tap or click View, and then select Hidden Items.
By default, anyone with a user account and password on a computer can access
that computer’s Public folder. When you copy or move files to the Public folder,
access permissions are changed to match that of the Public folder, and some additional permissions are added as well.
You can change the default Public folder sharing configuration in two key ways:
в– в– в– в– Allow users logged on to the computer to view and manage public files but
restrict network users from accessing public files. When you configure this
option, the implicit groups Interactive, Batch, and Service are granted special
permissions on public files and public folders.
Allow users with network access to view and manage public files. This allows
network users to open, change, create, and delete public files. When you
configure this option, the implicit group Everyone is granted Full Control
permission to public files and public folders.
Windows Server 2012 R2 can use either or both sharing models at any time. However, standard file sharing offers more security and better protection than public
folder sharing, and increasing security is essential to protecting your organization’s
data. With standard file sharing, share permissions are used only when a user attempts
to access a file or folder from a different computer on the network. Access permissions are always used, whether the user is logged on to the console or is using a
remote system to access a file or folder over the network. When data is accessed
remotely, first the share permissions are applied, and then the access permissions
are applied.
As shown in Figure 3-1, you can configure the basic file sharing settings for a server
by using Advanced Sharing Settings in Network And Sharing Center. Separate options
are provided for network discovery, file and printer sharing, and public folder sharing.
Data sharing and redundancy  CHAPTER 3
83
FIGURE 3-1  Network And Sharing Center shows the current sharing configuration.
You can manage a computer’s sharing configuration by following these steps:
1. In Control Panel, tap or click View Network Status And Tasks under the Net-
work And Internet heading to open Network And Sharing Center.
2. In Network And Sharing Center, tap or click Change Advanced Sharing Settings
in the left pane. Select the network profile for the network on which you want
to enable file and printer sharing. Typically, this will be the Domain profile.
3. Standard file and printer sharing controls network access to shared resources.
To configure standard file sharing, do one of the following:
в– в– Select Turn On File And Printer Sharing to enable file sharing.
в– в– Select Turn Off File And Printer Sharing to disable file sharing.
4. Public folder sharing controls access to a computer’s Public folder. To config-
ure public folder sharing, expand the All Networks panel by tapping or clicking the related expand button. On the Public Folder Sharing panel, choose
one of the following options:
в– в– 84
Turn On Sharing So Anyone With Network Access Can Read And
Write Files In The Public Folders  Enables public folder sharing by
granting access to the Public folder and all public data to anyone who can
access the computer over the network. Windows Firewall settings might
prevent external access.
CHAPTER 3  Data sharing and redundancy
■■Turn Off Public Folder Sharing  Disables public folder sharing, preventing local network access to the Public folder. Anyone who logs on
locally to your computer can still access the Public folder and its files.
5. Tap or click Save Changes.
Configuring standard file sharing
You use shares to control access for remote users. Permissions on shared folders
have no effect on users who log on locally to a server or to a workstation that has
shared folders.
Understanding SMB changes
SMB is the primary file sharing protocol used by Windows operating systems. As
Windows itself has changed over the years, so has SMB. To allow for version and
feature changes, SMB was designed to enable clients and servers to negotiate and
then use the highest version supported by both the client attempting to connect an
SMB share and the server hosting the share.
The current version of SMB is version 3.02, which is supported by Windows 8.1
and Windows Server 2012 R2. Thus, when a Windows 8.1 computer connects to an
SMB share hosted on a server running Windows Server 2012 R2, SMB 3.02 is the
version used for the SMB session.
The earliest implementation of SMB was called CIFS, which was introduced with
Windows NT 4.0, followed by SMB 1.0, which was used by all versions of Windows
from Windows 2000 to Windows Server 2003 R2. Beginning with Windows 8.1 and
Windows Server 2012 R2, support for CIFS and SMB 1.0 is an optional feature that
must be enabled. Because CIFS and SMB 1.0 are outdated, perform poorly, and are
less secure than their predecessors, SMB 1.0/CIFS File Sharing Support should not
be enabled unless required. That said, if a computer running Windows 8.1 needs to
connect to a server running a legacy Windows operating system, the computer
must have the SMB 1.0/CIFS File Sharing Support feature enabled. In addition, if a
computer running a legacy Windows operating system needs to connect to a server
running Windows Server 2012 R2, the server must have the SMB 1.0/CIFS File Sharing
Support feature enabled.
Table 3-1 provides a summary of the current versions of SMB, the associated
versions of Windows, and the major features introduced. You can enter Get-SmbConnection at an elevated, administrator Windows PowerShell prompt to determine
the version of SMB a client has negotiated with a file server. In the command output,
the version is listed in the Dialect column, as shown in the following sample output:
ServerName
---------Server36
Server36
ShareName
--------IPC$
PrimaryData
UserName
-------CPANDL\williams
CPANDL\williams
Credential
Dialect
---------------CPANDL\williams
3.02
CPANDL\williams
3.02
NumOpens
-------0
14
Data sharing and redundancy  CHAPTER 3
85
TABLE 3.1  Overview of current SMB versions
SMB VERSION
WINDOWS VERSION
FEATURES
SMB 2.0
Windows Vista SP1,
Windows Server 2008
Increasing scalability and security,
asynchronous operations, larger
reads/writes, request
compounding
SMB 2.1
Windows 7, Windows
Server 2008 R2
Large MTU support, BranchCache
support
SMB 3.0
Windows 8, Windows
Server 2012
Enhancements for server clusters,
BranchCache v2 support, SMB
over RDMA, improved security
SMB 3.02
Windows 8.1, Windows
Server 2012 R2
Improved performance for SMB
over RDMA, additional scale-out
options, Hyper-V live migration
support
IMPORTANT  SMB 3.0 and SMB 3.02 brought many enhancements for performance,
especially when you use clustered file servers. A key enhancement that doesn’t rely
on a special configuration is end-to-end encryption of SMB data, which eliminates
the need to use Internet Protocol security (IPsec), specialized hardware, or wide area
network (WAN) accelerators to protect data from eavesdropping. SMB encryption can
be enabled on a per-share basis.
Viewing existing shares
You can use both Computer Management and Server Manager to work with shares.
You also can view current shares on a computer by entering net share at a command prompt or by entering get-smbshare at a Windows PowerShell prompt.
TIP  The get-smbshare cmdlet is only one of many cmdlets associated with the
smbshare module. To get a list of other cmdlets available for working with SMB
shares, enter get-command –module smbshare at a Windows PowerShell prompt.
NOTE  Computer Management, net share, and get-smbshare display information
about SMB-based shares, including standard SMB folder shares, hidden SMB folder
shares (those ending with the $ suffix), and SMB folders shared by using Distributed
File System (DFS). Server Manager displays information about standard SMB folder
shares, SMB folders shared by using DFS, and folders shared by using Network File
System (NFS). Server Manager does not display information about hidden SMB folder
shares.
86
CHAPTER 3  Data sharing and redundancy
In Computer Management, you can view the shared folders on a local or remote
computer by following these steps:
1. You’re connected to the local computer by default. If you want to connect to
a remote computer, press and hold or right-click the Computer Management
node and then tap or click Connect To Another Computer. Choose Another
Computer, type the name or IP address of the computer you want to connect
to, and then tap or click OK.
2. In the console tree, expand System Tools, expand Shared Folders, and then
select Shares. The current shares on the system are displayed, as shown in
Figure 3-2.
FIGURE 3-2  Available shares are listed in the Shared Folders node.
3. The columns for the Shares node provide the following information:
■■Share Name  Name of the shared folder.
■■Folder Path  Complete path to the folder on the local system.
■■Type  What kind of computers can use the share. This typically shows as
Windows because SMB shares are for Windows-based computers.
■■# Client Connections  Number of clients currently accessing the share.
■■Description  Description of the share.
In Server Manager, you can view the shared folders on a local or remote computer by following these steps:
1. Select the File And Storage Services node, and then select the related Shares
subnode.
2. As Figure 3-3 shows, the Shares subnode provides information about shares
on each file server that has been added for management. The columns for
the Shares subnode provide the following information:
■■Share  Name of the shared folder.
■■Local Path  Complete path to the folder on the local system.
■■Protocol  What protocol the share uses, either SMB or NFS.
■■Cluster Role  If the server sharing the folder is part of a cluster, the
cluster role is shown here. Otherwise, the cluster role is listed as None.
Data sharing and redundancy  CHAPTER 3
87
FIGURE 3-3  Tap or click Shares in the main pane (on the left) to view the available shares.
3. When you tap or click a share in the Shares pane, information about the
related volume is displayed in the Volume pane.
REAL WORLD  NFS is the file sharing protocol used by UNIX-based systems, which
includes computers running Apple OS X. As discussed in “Configuring NFS sharing”
later in this chapter, you can enable support for NFS by installing the Server For NFS
role service as part of the file server configuration.
Creating shared folders in Computer Management
Windows Server 2012 R2 provides several ways to share folders. You can share local
folders by using File Explorer, and you can share local and remote folders by using
Computer Management or Server Manager.
When you create a share with Computer Management, you can configure its share
permissions and offline settings. When you create a share with Server Manager, you
can provision all aspects of sharing, including NTFS permissions, encrypted data
access, offline settings for caching, and share permissions. Typically, you create shares
on NTFS volumes because NTFS offers the most robust solution.
In Computer Management, you share a folder by following these steps:
1. If necessary, connect to a remote computer. In the console tree, expand
System Tools, expand Shared Folders, and then select Shares. The current
shares on the system are displayed.
2. Press and hold or right-click Shares, and then tap or click New Share. This
starts the Create A Shared Folder Wizard. Tap or click Next.
3. In the Folder Path text box, enter the local file path to the folder you want to
share. The file path must be exact, such as C:\EntData\Documents. If you
don’t know the full path, tap or click Browse, use the Browse For Folder dialog box to find the folder you want to share, and then tap or click OK. Tap or
click Next.
88
CHAPTER 3  Data sharing and redundancy
TIP  If the file path you specified doesn’t exist, the wizard can create it for you.
Tap or click Yes when prompted to create the necessary folder or folders.
4. In the Share Name text box, enter a name for the share, as shown in Figure 3-4.
This is the name of the folder to which users will connect. Share names must
be unique for each system.
FIGURE 3-4  Use the Create A Shared Folder Wizard to configure the essential share proper-
ties, including name, description, and offline resource usage.
TIP  If you want to hide a share from users (which means that they won’t be able
to view the shared resource when they try to browse to it in File Explorer or at the
command line), enter a dollar sign ($) as the last character of the shared resource
name. For example, you could create a share called PrivEngData$, which would be
hidden from File Explorer, NET VIEW, and other similar utilities. Users can still connect to the share and access its data if they’ve been granted access permission and
they know the share’s name. Note that the $ must be typed as part of the share
name when mapping to the shared resource.
5. If you want to, enter a description of the share in the Description text box.
When you view shares on a particular computer, the description is displayed
in Computer Management.
6. By default, the share is configured so that only files and programs that users
specify are available for offline use. Typically, this is the option you want to
use because this option also enables users to take advantage of the new
Always Offline feature. If you want to use different offline file settings, tap
orВ click Change, select the appropriate options in the Offline Settings dialog
Data sharing and redundancy  CHAPTER 3
89
box, and then tap or click OK. The offline availability settings available
include the following:
в– в– в– в– в– в– Only The Files And Programs That Users Specify Are Available
Offline  Select this option if you want client computers to cache only
the files and programs that users specify for offline use. Optionally, if the
BranchCache For Network Files role service is installed on the file server,
select Enable BranchCache to enable computers in a branch office to cache
files that are downloaded from the shared folder, and then securely share
the files to other computers in the branch office.
No Files Or Programs From The Shared Folder Are Available Offline
Select this option if you don’t want cached copies of the files and programs in the share to be available on client computers for ­offline use.
All Files And Programs That Users Open From The Shared Folder Are
Automatically Available Offline  Select this option if you want client
computers to automatically cache all files and programs that users open
from the share. Optionally, select Optimize For Performance to run cached
program files from the local cache instead of the shared folder on the
server.
7. Tap or click Next, and then set basic permissions for the share. You’ll find
helpful pointers in “Managing share permissions” later in the chapter. The
available options are as follows:
■■■■■■■■All Users Have Read-Only Access  Gives users access to view files and
read data. They can’t create, modify, or delete files and folders.
Administrators Have Full Access; Other Users Have Read-Only Access
Gives administrators complete control over the share. Full access allows
administrators to create, modify, and delete files and folders. On an NTFS
volume or partition, it also gives administrators the right to change permissions and to take ownership of files and folders. Other users can view
files and read data; however, they can’t create, modify, or delete files and
folders.
Administrators Have Full Access; Other Users Have No Access Gives
administrators complete control over the share, but prevents other users
from accessing the share.
Customize Permissions  Allows you to configure access for specific users
and groups, which is usually the best technique to use. Setting share permissions is discussed fully in “Managing share permissions.”
8. When you tap or click Finish, the wizard creates the share and displays a
status report, which should state “Sharing Was Successful.” If an error is displayed instead, note the error and take corrective action as appropriate
before repeating this procedure to create the share. Tap or click Finish.
90
CHAPTER 3  Data sharing and redundancy
Individual folders can have multiple shares. Each share can have a different name
and a different set of access permissions. To create additional shares on an existing
share, just follow the preceding steps for creating a share with these changes:
в– в– в– в– In step 4, when you name the share, make sure that you use a different
name.
In step 5, when you add a description for the share, use a description that
explains what the share is used for and how it’s different from the other
shares for the same folder.
Creating shared folders in Server Manager
In Server Manager, you share a folder by following these steps:
1. The Shares subnode of the File And Storage Services node shows existing
shares for file servers that have been added for management. In the Shares
pane, tap or click Tasks, and then tap or click New Share to start the New
Share Wizard.
2. Choose one of the available file share profiles, and then tap or click Next.
TheВ New Share Wizard has the following file share profiles:
■■■■■■SMB Share—Quick  A basic profile for creating SMB file shares that
allows you to configure the settings and permissions of the shares.
SMB Share—Advanced  An advanced profile for creating SMB file shares
that allows you to configure the settings, permissions, management properties, and NTFS quota profile (if applicable) of the shares.
SMB Share—Applications  A custom profile for creating SMB file shares
with settings appropriate for Hyper-V, certain databases, and other server
applications. It’s essentially the same as the quick profile, but it doesn’t
allow you to enable access-based enumeration or offline caching.
NOTE  If you are using the Server For NFS role service, options are available for
creating NFS shares as well.
REAL WORLD  SMB 3.0 includes enhancements for server-based applications.
These enhancements improve performance for small random reads and writes,
which are common with server-based applications, such as Microsoft SQL Server
OLTP. With SMB 3.0, packets use large Maximum Transmission Units (MTUs) as
well, which enhance performance for large, sequential data transfers, such as
those used for deploying and copying virtual hard disks (VHDs) over the network,
database backup and restore over the network, and SQL Server data warehouse
transactions over the network.
Data sharing and redundancy  CHAPTER 3
91
3. On the Select The Server And Path For This Share page, select the server and
volume on which you want the share to be created. Only file servers you’ve
added for management are available. When you are ready to continue, tap
or click Next.
By default, Server Manager creates the file share as a new folder in the \Shares
directory on the selected volume. To override this, choose the Type A Custom
Path option, and then either enter the share path, such as C:\Data, or click
Browse to use the Select Folder dialog box to select the share path.
4. On the Specify Share Name page, enter a name for the share, as shown in
Figure 3-5. This is the name of the folder to which users will connect. Share
names must be unique for each system.
FIGURE 3-5  Set the name and description for the share.
5. If you want to, enter a description of the share in the Description text box.
When you view shares on a particular computer, the description is displayed
in Computer Management.
6. Note the local and remote paths to the share. These paths are set based on
the share location and share name you specified. When you are ready to
continue, tap or click Next.
7. On the Configure Share Settings page, use the following options to configure
the way the share is used:
в– в– 92
Enable Access-Based Enumeration  Configures permissions so that
when users browse the folder, only files and folders a user has been
granted at least Read access to are displayed. If a user doesn’t have at
least Read (or equivalent) permission for a file or folder within the shared
CHAPTER 3  Data sharing and redundancy
folder, that file or folder is hidden from view. (This option is dimmed if
you are creating an SMB share optimized for applications.)
■■■■Allow Caching Of Share  Configures the share to cache only the files
and programs that users specify for offline use. Although you can later
edit the share properties and change the offline files’ availability settings,
you typically want to select this option because it allows users to take
advantage of the new Always Offline feature. Optionally, if the BranchCache For Network Files role service is installed on the file server, select
Enable BranchCache to enable computers in a branch office to cache files
that are downloaded from the shared folder and then securely share the
files to other computers in the branch office. (This option is dimmed if
you are creating an SMB share optimized for applications.)
Encrypt Data Access  Configures the share to use SMB encryption, which
protects file data from eavesdropping while being transferred over the
network. This option is useful on untrusted networks.
8. On the Specify Permissions To Control Access page, the default permissions
assigned to the share are listed. By default, the special group Everyone is
granted the Full Control share permission and the underlying folder permissions are as listed. To change share, folder, or both permissions, tap or click
Customize Permissions, and then use the Advanced Security Settings dialog
box to configure the required permissions. Setting share permissions is discussed fully in “Managing share permissions” later in this chapter. Setting
folder permissions is discussed fully in “Understanding file and folder permissions” in Chapter 4 “Data security and auditing.”
NOTE  If the share will be used for Hyper-V, you might need to enable constrained delegation for remote management of the Hyper-V host.
9. If you are using the advanced profile, optionally set the folder management
properties, and then tap or click Next. These properties specify the purpose
of the folder and the type of data stored in it so that data management
policies, such as classification rules, can then use these properties.
10. If you are using the advanced profile, optionally apply a quota based on a
template to the folder, and then tap or click Next. You can select only quota
templates that have already been created. For more information, see “Managing disk quota templates” in Chapter 4.
11. On the Confirm Selections page, review your selections. When you tap or
click Create, the wizard creates the share, configures it, and sets permissions.
The status should state, “The share was successfully created.” If an error is
displayed instead, note the error and take corrective action as appropriate
before repeating this procedure to create the share. Tap or click Close.
Data sharing and redundancy  CHAPTER 3
93
Changing shared folder settings
When you create a share, you can configure many basic and advanced settings,
including those for access-based enumeration, encrypted data access, offline settings for caching, and management properties. In Server Manager, you can modify
these settings by following these steps:
1. The Shares subnode of the File And Storage Services node shows existing
shares for file servers that have been added for management. Press and hold
or right-click the share with which you want to work, and then tap or click
Properties.
2. In the Properties dialog box, shown in Figure 3-6, you have several options
panels that can be accessed by using controls in the left pane. You can expand
the panels one by one or tap or click Show All to expand all the panels at the
same time.
FIGURE 3-6  Modify share settings by using the options provided.
3. Use the options provided to modify the settings as necessary, and then tap
or click OK. The options available are the same whether you use the basic,
advanced, or applications profile to create the shared folder.
TIP  If you’re creating a share for general use and general access, you can publish
the shared resource in Active Directory. Publishing the resource in Active Directory
makes finding the share easier for users; however, this option is not available in Server
Manager. To publish a share in Active Directory, press and hold or right-click the share
in Computer Management, and then tap or click Properties. On the Publish tab, select
the Publish This Share In Active Directory check box, add an optional description and
owner information, and then tap or click OK.
94
CHAPTER 3  Data sharing and redundancy
Managing share permissions
Share permissions set the maximum allowable actions available within a shared folder.
By default, when you create a share, everyone with access to the network has Read
access to the share’s contents. This is an important security change—in previous
editions of Windows Server, the default permission was Full Control.
With NTFS and ReFS volumes, you can use file and folder permissions and ownership, in addition to share permissions, to further constrain actions within the share.
With FAT volumes, share permissions control only access.
Understanding the various share permissions
From the most restrictive to the least restrictive, the share permissions available are
as follows:
■■No Access  No permissions are granted for the share.
■■Read  Users can do the following:
•
•
•
•
в– в– Access the subfolders in the share
Read file data and attributes
Run program files
Change  Users have Read permission and the ability to do the following:
•
•
•
•
в– в– View file and subfolder names
Create files and subfolders
Modify files
Change attributes on files and subfolders
Delete files and subfolders
Full Control  Users have Read and Change permissions, in addition to the
following capabilities on NTFS volumes:
• Change file and folder permissions
• Take ownership of files and folders
You can assign share permissions to users and groups. You can even assign permissions to implicit groups. For details on implicit groups, see Chapter 9, “Creating
user and group accounts” In Windows Server 2012 R2 Pocket Consultant: Essentials
& Configuration.
Viewing and configuring share permissions
You can view and configure share permissions in Computer Management or Server
Manager. To view and configure share permissions in Computer Management, follow these steps:
1. In Computer Management, connect to the computer on which the share is
created. In the console tree, expand System Tools, expand Shared Folders,
and then select Shares.
2. Press and hold or right-click the share with which you want to work, and then
tap or click Properties.
Data sharing and redundancy  CHAPTER 3
95
3. In the Properties dialog box, tap or click the Share Permissions tab, shown in
Figure 3-7. You can now view the users and groups that have access to the
share and the type of access they have.
FIGURE 3-7  The Share Permissions tab shows which users and groups have access to the
share and what type of access they have.
4. Users or groups that already have access to the share are listed in the Group
Or User Names list. You can remove permissions for these users and groups
by selecting the user or group you want to remove, and then tapping or
clicking Remove. You can change permissions for these users and groups by
doing the following:
a. Select the user or group you want to change.
b. Allow or deny access permissions in the Permissions list box.
5. To add permissions for another user or group, tap or click Add. This opens
the Select Users, Computers, Service Accounts, Or Groups dialog box, shown
in Figure 3-8.
96
CHAPTER 3  Data sharing and redundancy
FIGURE 3-8  Add users and groups to the share.
6. Enter the name of a user, computer, or group in the current domain, and
then tap or click Check Names. This produces one of the following results:
в– в– в– в– в– в– If a single match is found, the dialog box is automatically updated and
the В entry is underlined.
If no matches are found, you either entered an incorrect name part or
you’re working with an incorrect location. Modify the name and try again,
or tap or click Locations to select a new location.
If multiple matches are found, select the name or names you want to use,
and then tap or click OK. To assign permissions to other users, computers,
or groups, enter a semicolon (;) and then repeat this step.
NOTE  The Locations button enables you to access account names in other domains. Tap or click Locations to find a list of the current domains, trusted domains,
and other resources you can access. Because of the transitive trusts in Windows
Server, you can usually access all the domains in the domain tree or forest.
7. Tap or click OK. The users and groups are added to the Group Or User
Names list for the share.
8. Configure access permissions for each user, computer, and group by select-
ing an account name and then allowing or denying access permissions. Keep
in mind that you’re setting the maximum allowable permissions for a particular account.
9. Tap or click OK. To assign additional security permissions for NTFS, see “File
and folder permissions” in Chapter 4.
IMPORTANT  Keep in mind that you can select the opposite permission to override
an inherited permission. Note also that Deny typically overrides Allow, so if you explicitly deny permission to a user or group for a child folder or file, this permission should
be denied to that user or group of users.
Data sharing and redundancy  CHAPTER 3
97
To view and configure share permissions in Server Manager, follow these steps:
1. The Shares subnode of the File And Storage Services node shows existing
shares for file servers that have been added for management.
2. Press and hold or right-click the share with which you want to work, and then
tap or click Properties.
3. In the Properties dialog box, tap or click the Permissions in the left pane. You
can now view the users and groups that have access to the share and the
type of access they have.
4. To change share, folder, or both permissions, tap or click Customize Permis-
sions. Next, select the Share tab in the Advanced Security Settings dialog
box, as shown in Figure 3-9.
FIGURE 3-9  The Share tab shows which users and groups have access to the share and what
type of access they have.
5. Users or groups that already have access to the share are listed in the Permis-
sion Entries list. You can remove permissions for these users and groups by
selecting the user or group you want to remove, and then tapping or clicking
Remove. You can change permissions for these users and groups by doing
the following:
a. Select the user or group you want to change, and then select Edit.
b. Allow or deny access permissions in the Permission Entries list, and then
tap or click OK.
6. To add permissions for another user or group, tap or click Add. This opens
the Permission Entry dialog box, shown in Figure 3-10.
98
CHAPTER 3  Data sharing and redundancy
FIGURE 3-10  Add permission entries for a particular user or group.
7. Tap or click Select A Principal to display the Select User, Computer, Service
Account Or Group dialog box. Enter the name of a user or a group account.
Be sure to reference the user account name rather than the user’s full name.
Only one name can be entered at a time.
8. Tap or click Check Names. If a single match is found for each entry, the dialog
box is automatically updated, and the entry is underlined. Otherwise, you’ll
get an additional dialog box. If no matches are found, you either entered the
name incorrectly or you’re working with an incorrect location. Modify the
name in the Name Not Found dialog box and try again, or tap or click Locations to select a new location. When multiple matches are found, in the
Multiple Names Found dialog box, select the name you want to use, and
then tap or click OK.
9. Tap or click OK. The user and group is added as the Principal, and the Permis-
sion Entry dialog box is updated to show this.
10. Use the Type list to specify whether you are configuring allowed or denied
permissions, and then select the permissions you want to allow or deny.
11. Tap or click OK to return to the Advanced Security Settings dialog box. To
assign additional security permissions for NTFS, see “File and folder permissions” in Chapter 4.
Data sharing and redundancy  CHAPTER 3
99
Managing existing shares
As an administrator, you often have to manage shared folders. This section covers
the common administrative tasks of managing shares.
Understanding special shares
When you install Windows Server, the operating system creates special shares automatically. These shares are known as administrative shares and hidden shares, and
they are designed to help make system administration easier. You can’t set access
permissions on automatically created special shares; Windows Server assigns access
permissions. You can create your own hidden shares by adding the $ symbol as the
last character of the share name.
You can delete special shares temporarily if you’re certain the shares aren’t
needed; however, the shares are re-created automatically the next time the operating system starts. To permanently disable the administrative shares, change the
following registry values to 0 (zero):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver
\parameters\AutoShareServer
в– в– HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver
\parameters\AutoShareWks
в– в– Which special shares are available depends on your system configuration. Table 3-2
lists special shares you might find and how they’re used.
TABLE 3-2  Special shares used by Windows Server 2012 R2
SHARE NAME
DESCRIPTION
USAGE
ADMIN$
A share used during remote
administration of a system. It
provides access to the operating system %SystemRoot%.
On workstations and servers,
administrators and backup operators can access these shares. On
domain controllers, server operators
also have access.
FAX$
Supports network faxes.
Used by fax clients when sending
faxes.
IPC$
Supports named pipes durUsed by programs when performing
ing remote interprocess
remote administration and when
communications (IPC) access. viewing shared resources.
NETLOGON
Supports the Net Logon
service.
100
CHAPTER 3  Data sharing and redundancy
Used by the Net Logon service
when processing domain logon
requests. Everyone has Read access.
SHARE NAME
DESCRIPTION
USAGE
PRINT$
Supports shared printer
Used by shared printers. Everyone
resources by providing access has Read access. Administrators,
to printer drivers.
server operators, and printer operators have Full Control.
SYSVOL
Supports Active Directory.
Used to store data and objects for
Active Directory.
Driveletter$
A share that allows administrators to connect to a drive’s
root folder. These shares are
shown as C$, D$, E$, and so
on.
On workstations and servers,
administrators and backup operators can access these shares. On
domain controllers, server operators
also have access.
Connecting to special shares
Most special shares end with the $ symbol. Although these shares aren’t displayed in
File Explorer, administrators and certain operators can connect to them (except for
NETLOGON and SYSVOL). If your current logon account has appropriate permissions, you can connect directly to a special share or any standard share by typing
the UNC path for the share in File Explorer’s address box. The basic syntax is:
\\ServerName\ShareName
ServerName is the DNS name or IP address of the server and ShareName is the
name of the share. In the following example, you connect to the D$ share on
CorpServer25:
\\CorpServer25\D$
If you always want the drive to be listed as a network location in This PC or need
to specify credentials, you can connect to a special share by following these steps:
1. When you open File Explorer, the This PC node should be opened by default.
If you have an open Explorer window and This PC is not the selected node,
select the leftmost option button in the address list, and then select This PC.
2. Next, tap or click the Map Network Drive button on the Computer panel, and
then tap or click Map Network Drive. This displays the Map Network Drive
dialog box, shown in Figure 3-11.
Data sharing and redundancy  CHAPTER 3
101
FIGURE 3-11  Connect to special shares by mapping them with the Map Network Drive
dialog box.
3. In the Drive list, select a free drive letter. This drive letter is used to access the
special share.
4. In the Folder text box, enter the Universal Naming Convention (UNC) path to
the share. For example, to access the C$ share on a server called Twiddle, you
would use the path \\TWIDDLE\C$.
5. The Reconnect At Sign-In check box is selected automatically to ensure that
the network drive is connected each time you log on. If you need to access
the share only during the current logon session, clear this check box.
6. If you need to connect to the share using different user credentials, select
the Connect Using Different Credentials check box.
7. Tap or click Finish. If you are connecting using different credentials, enter the
user name and password when prompted. Enter the user name in Domain
\Username format, such as Cpandl\Williams. Before tapping or clicking OK,
select Remember My Credentials if you want the credentials to be saved.
Otherwise, you’ll need to provide credentials in the future.
After you connect to a special share, you can access it as you would any other
drive. Because special shares are protected, you don’t have to worry about ordinary
users accessing these shares. The first time you connect to the share, you might be
prompted for a user name and password. If you are prompted, provide that inforВ­mation.
Viewing user and computer sessions
You can use Computer Management to track all connections to shared resources on
a Windows Server 2012 R2 system. Whenever a user or computer connects to a
shared resource, Windows Server 2012 R2 lists a connection in the Sessions node.
102
CHAPTER 3  Data sharing and redundancy
To view connections to shared resources, enter net session at an elevated command prompt or Get-SMBSession at an elevated Windows PowerShell prompt. You
also can follow these steps:
1. In Computer Management, connect to the computer on which you created
the shared resource.
2. In the console tree, expand System Tools, expand Shared Folders, and
thenВ select Sessions. You can now view connections to shares for users
andВ computers.
The columns for the Sessions node provide the following important information
about user and computer connections:
■■User  The names of users or computers connected to shared resources.
Computer names are shown with a $ suffix to differentiate them from users.
■■Computer  The name of the computer being used.
■■Type  The type of network connection being used.
■■■■# Open Files  The number of files with which the user is actively working.
For more detailed information, access the Open Files node.
Connected Time  The time that has elapsed since the connection was
established.
■■Idle Time  The time that has elapsed since the connection was last used.
■■Guest  Whether the user is logged on as a guest.
As shown in the following example, the output of Get-SMBSession provides the
session ID, client computer name, client user name and the number of open files for
each session:
SessionId
ClientComputerName
-------------------------601295421497 10.0.0.60
ClientUserName
-------------CPANDL\williams
NumOpens
-------2
Managing sessions and shares
Managing sessions and shares is a common administrative task. Before you shut
down a server or an application running on a server, you might want to disconnect
users from shared resources. You might also need to disconnect users when you
plan to change access permissions or delete a share entirely. Another reason to
disconnect users is to break locks on files. You disconnect users from shared resources
by ending the related user sessions.
ENDING INDIVIDUAL SESSIONS
To disconnect individual users from shared resources, enter net session \\computername /delete at an elevated command prompt or Close-SMBSession at –Computer
Name computername an elevated Windows PowerShell prompt. In both instances,
computername is the DNS name or IP address of computer from which the session
originates.
Data sharing and redundancy  CHAPTER 3
103
You also can disconnect users by following these steps:
1. In Computer Management, connect to the computer on which you created
the share.
2. In the console tree, expand System Tools, expand Shared Folders, and then
select Sessions.
3. Press and hold or right-click the user sessions you want to end, and then tap
or click Close Session.
4. Tap or click Yes to confirm the action.
ENDING ALL SESSIONS
To disconnect all users from shared resources, follow these steps:
1. In Computer Management, connect to the computer on which you created
the share.
2. In the console tree, expand System Tools, expand Shared Folders, and then
press and hold or right-click Sessions.
3. Tap or click Disconnect All Sessions, and then tap or click Yes to confirm the
action.
NOTE  Keep in mind that you’re disconnecting users from shared resources, not from
the domain. You can use only logon hours and Group Policy to force users to log off
after they’ve logged on to the domain. Thus, disconnecting users doesn’t log them off
the network. It just disconnects them from the shared resource.
To disconnect individual users from shared resources, enter net session \\
computername /delete at an elevated command prompt or Close-SMBSession at
–ComputerName computername an elevated Windows PowerShell prompt. In both
instances, computername is the DNS name or IP address of computer from which
the session originates.
You also can use Windows PowerShell to disconnect all users from a shared
resource. The key here is to ensure you only close the sessions you want to close.
Consider the following example:
ForEach-Object ($Session in (Get-SMBSession)) {
Close-SMBSession –force}
This example uses a ForEach loop to get all active SMB sessions and then close
each SMB session in turn. Thus, if you enter this example at an elevated Windows
PowerShell prompt, you will disconnect all users from all shared resources.
To close all connections only for a specific share, you must create a ForEach loop
that only examines the connections for that share, such as:
ForEach-Object ($Session in (Get-SMBShare CorpData |
Get-SMBSession)) {Close-SMBSession –force}
This example uses a ForEach loop to get all active SMB sessions for the CorpData
share and then close each of those sessions in turn. Thus, if you enter this example at
an elevated Windows PowerShell prompt, you only disconnect users from the CorpData share.
104
CHAPTER 3  Data sharing and redundancy
Managing open resources
Any time users connect to shares, the individual file and object resources they are
working with are displayed in the Open Files node. The Open Files node might show
the files the user has open but isn’t currently editing.
You can access the Open Files node by following these steps:
1. In Computer Management, connect to the computer on which you created
the share.
2. In the console tree, expand System Tools, expand Shared Folders, and then
select Open Files. This displays the Open Files node, which provides the following information about resource usage:
■■Open File  The file or folder path to the open file on the local system.
The path might also be a named pipe, such as \PIPE\spools, which is used
for printer spooling.
■■Accessed By  The name of the user accessing the file.
■■Type  The type of network connection being used.
■■# Locks  The number of locks on the resource.
■■Open Mode  The access mode used when the resource was opened,
such as read, write, or write+read.
You also can use Get-SMBOpenFile to list open files. As shown in the following
example, Get-SMBOpenFile provides the file ID, session ID, path, share relative path,
client computer name, and client user name for each open file:
FileId SessionId Path ShareRelativePath ClientComputerName ClientUserN
------ --------- ---- ----------------- ------------------ -----------601295424973 601295421497 C:\PrimaryData\
10.0.0.60
CPANDL\williams
601295425045 601295421577 C:\Windows\SYSVOL cpan... 10.0.0.60 CPANDL\
CORPPC29$
CLOSING AN OPEN FILE
To close an open file on a computer’s shares, follow these steps:
1. In Computer Management, connect to the computer with which you want
toВ work.
2. In the console tree, expand System Tools, expand Shared Folders, and then
select Open Files.
3. Press and hold or right-click the open file you want to close, and then tap or
click Close Open File.
4. Tap or click Yes to confirm the action.
You also can use Close-SMBOpenFile to close open files. When you close a file,
you use the –FileID parameter to specify the identifier for the file to close, such as:
Close-SMBOpenFile –FileID 601295424973
Add the –Force parameter to force close the file if needed. However, if the file
has been modified by a user, any changes to the file could be lost.
Data sharing and redundancy  CHAPTER 3
105
CLOSING ALL OPEN FILES
To close all open files on a computer’s shares, follow these steps:
1. In Computer Management, connect to the computer on which the share is
created.
2. In the console tree, expand System Tools, expand Shared Folders, and then
press and hold or right-click Open Files.
3. Tap or click Disconnect All Open Files, and then tap or click Yes to confirm
the action.
You also can use Windows PowerShell to close all open files on a computer’s
share. The key here is to ensure that you only close the files you want to close.
Consider the following example:
ForEach-Object ($Session in (Get-SMBOpenFile)) {
Close-SMBOpenFile –force}
This example uses a ForEach loop to get all open SMB files, and then close each
SMB file in turn. Thus, if you enter this example at an elevated Windows PowerShell
prompt, you will close all open files for all shared resources.
To close open files on a specific share, you must create a ForEach loop that only
examines the open files for that share, such as:
ForEach-Object ($Session in (Get-SMBShare CorpData |
Get-SMBOpenFile)) {Close-SMBOpenFile –force}
This example uses a ForEach loop to get all open SMB files for the CorpData share
and then close each of those files in turn. Thus, if you enter this example at an elevated Windows PowerShell prompt, you only close open files for the CorpData
share.
Stopping file and folder sharing
To stop sharing a folder, follow these steps:
1. Do one of the following:
в– в– в– в– In Server Manager, select the share you want to manage on the Shares
subnode of the File And Storage Services node.
In Computer Management, connect to the computer on which you created
the share, and then access the Shares node.
2. Press and hold or right-click the share you want to remove, tap or click Stop
Sharing, and then tap or click Yes to confirm the action.
CAUTION  You should never delete a folder containing shares without first stopping
the shares. If you fail to stop the shares, Windows Server 2012 R2 attempts to reestablish the shares the next time the computer is started, and the resulting error is logged
in the system event log.
106
CHAPTER 3  Data sharing and redundancy
Configuring NFS sharing
As discussed in Chapter 1, “Managing file systems and drives,” you can install Server
For NFS as a role service on a file server. Server For NFS provides a file sharing solution for enterprises with mixed Windows, OS X, and UNIX environments, allowing
users to transfer files between Windows Server 2012 R2, OS X, and UNIX operating
systems by using the NFS protocol.
You can configure NFS sharing for local folders on NTFS volumes by using File
Explorer. You can also configure NFS sharing of local and remote folders on NTFS
volumes by using Server Manager. In File Explorer, follow these steps to enable and
configure NFS sharing:
1. Press and hold or right-click the share you want to manage, and then tap or
click Properties to display a Properties dialog box for the share.
2. On the NFS Sharing tab, tap or click Manage NFS Sharing.
3. In the NFS Advanced Sharing dialog box, select the Share This Folder check
box, as shown in Figure 3-12.
FIGURE 3-12  You can use NFS sharing to share resources between Windows and UNIX
computers.
4. In the Share Name text box, enter a name for the share. This is the name
ofВ the folder to which UNIX users will connect. NFS share names must be
unique for each system and can be the same as those used for standard file
sharing.
Data sharing and redundancy  CHAPTER 3
107
5. ANSI is the default encoding for text associated with directory listings and
file names. If your UNIX computers use a different default encoding, you can
choose that encoding in the Encoding list.
6. UNIX computers use Kerberos v5 authentication by default. Typically, you want
to allow Kerberos integrity and authentication in addition to standard Kerberos authentication. Select the check boxes for the authentication mechanisms
you want to use. Clear the check boxes for those you don’t want to use.
7. The share can be configured so that no server authentication is required. If
you want to require server authentication, select the No Server Authentication
check box, and then choose additional options as appropriate. Unmapped user
access can be allowed and enabled. If you want to allow anonymous access
to the NFS share, select the Allow Anonymous Access option, and then enter
the anonymous user UID and anonymous group GID.
8. For UNIX computers, you configure access primarily based on the computer
names (also referred to as host names). By default, no UNIX computers have
access to the NFS share. If you want to grant read-only or read/write permissions, tap or click Permissions, set the permissions you want to use in the NFS
Share Permissions dialog box, and then tap or click OK. You can configure no
access, read-only access, or read/write access by client computer name and
client computer groups.
9. Tap or click OK twice to close the open dialog boxes and save your settings.
In File Explorer, you can disable NFS sharing by following these steps:
1. Press and hold or right-click the share you want to manage, and then tap or
click Properties. This displays a Properties dialog box for the share.
2. On the NFS Sharing tab, tap or click Manage NFS Sharing.
3. In the NFS Advanced Sharing dialog box, clear the Share This Folder check
box, and then tap or click OK twice.
With Server Manager, you can configure NFS permissions as part of the initial
share configuration when you are provisioning a share. On the Shares subnode of
the File And Storage Services node, you can create an NFS share by following these
steps:
1. In the Shares pane, tap or click Tasks, and then tap or click New Share to start
the New Share Wizard. Choose NFS Share—Quick or NFS Share—­Advanced
as the share profile, and then tap or click Next.
2. Specify the share name and location as you would for an SMB share.
3. On the Specify Authentication Methods page, configure Kerberos v5 Authen-
tication and No Server Authentication. The options provided are similar to
those discussed previously in this section.
4. On the Specify Share Permissions page, configure access for UNIX hosts. Hosts
can be set for no access, read-only access, or read/write access to the share.
5. On the Specify Permissions To Control Access, optionally set NTFS permissions
for the share.
108
CHAPTER 3  Data sharing and redundancy
6. On the Confirm Selections page, review your selections. When you tap or
click Create, the wizard creates the share, configures it, and sets permissions.
The status should state, “The share was successfully created.” If an error is
displayed instead, note the error and take corrective action. However, because
typical errors relate to configuring host access, you probably won’t need to
repeat this procedure to create the share. Instead, you might need to modify
only the share permissions. Tap or click Close.
Using shadow copies
Any time your organization uses shared folders, you should consider creating shadow
copies of these shared folders as well. Shadow copies are point-in-time backups of
data files that users can access directly in shared folders. These point-in-time backups can save you and the other administrators in your organization a lot of work,
especially if you routinely have to retrieve lost, overwritten, or corrupted data files
from backups. The usual procedure for retrieving shadow copies is to use the Previous
Versions or Shadow Copy client. Windows Server 2012 R2 includes a feature enhancement that enables you to revert an entire (nonsystem) volume to a previous shadow
copy state.
Understanding shadow copies
You can create shadow copies only on NTFS volumes. You use the Shadow Copy
feature to create automatic backups of the files in shared folders on a per-volume
basis. For example, on a file server that has three NTFS volumes, each containing
shared folders, you need to configure this feature for each volume separately.
If you enable this feature in its default configuration, shadow copies are created
twice each weekday (Monday–Friday) at 7:00 A.M. and 12:00 P.M. You need at least
100 megabytes (MB) of free space to create the first shadow copy on a volume. The
total disk space used beyond this depends on the amount of data in the volume’s
shared folders. You can restrict the total amount of disk space used by Shadow Copy
by setting the allowable maximum size of the point-in-time backups.
You configure and view current Shadow Copy settings on the Shadow Copies tab
of the disk’s Properties dialog box. In File Explorer or Computer Management, press
and hold or right-click the icon for the disk with which you want to work, tap or click
Properties, and then tap or click the Shadow Copies tab. The Select A Volume panel
shows the following:
■■■■Volume  The volume label of NTFS volumes on the selected disk drive
Next Run Time  The status of Shadow Copy as Disabled, or the next time a
shadow copy of the volume will be created
■■Shares  The number of shared folders on the volume
■■Used  The amount of disk space used by Shadow Copy
Individual shadow copies of the currently selected volume are listed in the
Shadow Copies Of Selected Volume panel by date and time.
Data sharing and redundancy  CHAPTER 3
109
Creating shadow copies
To create a shadow copy on an NTFS volume with shared folders, follow these steps:
1. Open Computer Management. If necessary, connect to a remote computer.
2. In the console tree, expand Storage, and then select Disk Management. The
volumes configured on the selected computer are displayed in the details
pane.
3. Press and hold or right-click Disk Management, point to All Tasks, and then
tap or click Configure Shadow Copies.
4. On the Shadow Copies tab, select the volume with which you want to work in
the Select A Volume list.
5. Tap or click Settings to configure the maximum size of all shadow copies for
this volume and to change the default schedule. Tap or click OK.
6. After you configure the volume for shadow copying, tap or click Enable if
necessary. When prompted to confirm this action, tap or click Yes. Enabling
shadow copying creates the first shadow copy and sets the schedule for later
shadow copies.
NOTE  If you create a run schedule when configuring the Shadow Copy settings,
shadow copying is enabled automatically for the volume when you tap or click OK to
close the Settings dialog box. However, the first shadow copy won’t be created until
the next scheduled run time. If you want to create a shadow copy of the volume now,
select the volume and then tap or click Create Now.
Restoring a shadow copy
Users working on client computers access shadow copies of individual shared folders by using the Previous Versions or Shadow Copy client. The best way to access
shadow copies on a client computer is to follow these steps:
1. In File Explorer, press and hold or right-click the share for which you want to
access previous file versions, tap or click Properties, and then tap or click the
Previous Versions tab.
2. On the Previous Versions tab, select the folder version with which you want
to work. Each folder has a date and time stamp. Tap or click the button corresponding to the action you want to perform:
в– в– в– в– в– в– 110
Tap or click Open to open the shadow copy in File Explorer.
Tap or click Copy to display the Copy Items dialog box, which lets you
copy the snapshot image of the folder to the location you specify.
Tap or click Restore to roll back the shared folder to its state at the time
ofВ the snapshot image you selected.
CHAPTER 3  Data sharing and redundancy
Reverting an entire volume to a previous shadow copy
Windows Server 2012 R2 features a shadow copy enhancement that enables you to
revert an entire volume to the state it was in when a particular shadow copy was
created. Because volumes containing operating system files can’t be reverted, the
volume you want to revert must not be a system volume. The same goes for volumes on a cluster shared disk.
To revert an entire volume to a previous state, follow these steps:
1. Open Computer Management. If necessary, connect to a remote computer.
2. In the console tree, expand Storage. Press and hold or right-click Disk Manage-
ment, point to All Tasks, and then tap or click Configure Shadow Copies.
3. On the Shadow Copies tab, select the volume with which you want to work in
the Select A Volume list.
4. Individual shadow copies of the currently selected volume are listed by date
and time in the Shadow Copies Of Selected Volume panel. Select the shadow
copy with the date and time stamp to which you want to revert, and then tap
or click Revert.
5. To confirm this action, select the Check Here If You Want To Revert This Vol-
ume check box, and then tap or click Revert Now. Tap or click OK to close the
Shadow Copies dialog box.
Deleting shadow copies
Each point-in-time backup is maintained separately. You can delete individual
shadow copies of a volume as necessary, and this recovers the disk space used by
the shadow copies.
To delete a shadow copy, follow these steps:
1. Open Computer Management. If necessary, connect to a remote computer.
2. In the console tree, expand Storage. Press and hold or right-click Disk Man-
agement, point to All Tasks, and then tap or click Configure Shadow Copies.
3. On the Shadow Copies tab, select the volume with which you want to work in
the Select A Volume list.
4. Individual shadow copies of the currently selected volume are listed by date
and time in the Shadow Copies Of Selected Volume panel. Select the shadow
copy you want to delete, and then tap or click Delete Now. Tap or click Yes to
confirm the action.
Disabling shadow copies
If you no longer want to maintain shadow copies of a volume, you can disable the
Shadow Copy feature. Disabling this feature turns off the scheduling of automated
point-in-time backups and removes any existing shadow copies.
Data sharing and redundancy  CHAPTER 3
111
To disable shadow copies of a volume, follow these steps:
1. Open Computer Management. If necessary, connect to a remote computer.
2. In the console tree, expand Storage. Press and hold or right-click Disk Man-
agement, point to All Tasks, and then tap or click Configure Shadow Copies.
3. On the Shadow Copies tab, select the volume with which you want to work in
the Select A Volume list, and then tap or click Disable.
4. When prompted, confirm the action by tapping or clicking Yes. Tap or click
OK to close the Shadow Copies dialog box.
Connecting to network drives
Users can connect to a network drive and to shared resources available on the network. This connection is shown as a network drive that users can access like any
other drive on their systems.
NOTE  When users connect to network drives, they’re subject not only to the permissions set for the shared resources, but also to Windows Server 2012 R2 file and folder
permissions. Differences in these permission sets are usually the reason users might
not be able to access a particular file or subfolder within the network drive.
Mapping a network drive
In Windows Server 2012 R2, you connect to a network drive by mapping to it using
NET USE and New-PsDrive. The syntax for NET USE is the following:
net use DeviceName \\ComputerName\ShareName
DeviceName specifies the drive letter or an asterisk (*) to use the next available
drive letter, and \\ComputerName\ShareName is the UNC path to the share, such as
either of the following:
net use g: \\ROMEO\DOCS
or
net use * \\ROMEO\DOCS
NOTE  To ensure that the mapped drive is available each time the user logs on, make
the mapping persistent by adding the /Persistent:Yes option.
The syntax for New-PsDrive is:
New-PsDrive –Name DriveLetter –Root \\ServerName\ShareName
-PsProvider FileSystem
DriveLetter is the drive letter to use and ServerName is the DNS name or IP
address of the server hosting the share and ShareName is the name of the share,
such as:
New-PsDrive –Name g –Root \\CorpServer21\CorpData
-PsProvider FileSystem
112
CHAPTER 3  Data sharing and redundancy
NOTE  To ensure that the mapped drive is available each time the user logs on, add
the –Persist parameter.
If the client computer is running Windows 8.1, you can map network drives by
completing the following steps:
1. When you open File Explorer, the This PC node should be opened by default.
If you have an open Explorer window and This PC is not the selected node,
select the leftmost option button in the address list, and then select This PC.
2. Next, tap or click the Map Network Drive button in the Computer panel, and
then tap or click Map Network Drive.
3. Use the Drive list to select a free drive letter to use, and then tap or click the
Browse button to the right of the Folder list. In the Browse For Folder dialog
box, expand the network folders until you can select the name of the workgroup or the domain with which you want to work.
4. When you expand the name of a computer in a workgroup or a domain,
you’ll get a list of shared folders. Select the shared folder with which you
want to work, and then tap or click OK.
5. Select Reconnect At Logon if you want Windows to connect to the shared
folder automatically at the start of each session.
6. Tap or click Finish. If the currently logged-on user doesn’t have appropriate
access permissions for the share, select Connect Using Different Credentials,
and then tap or click Finish. After you tap or click Finish, you can enter the
user name and password of the account with which you want to connect to
the shared folder. Enter the user name in Domain\UserName format, such
asВ Cpandl\Williams. Before tapping or clicking OK, select Remember My
Credentials if you want the credentials to be saved. Otherwise, you’ll need to
provide credentials in the future.
Disconnecting a network drive
In Windows Server 2012 R2, you disconnect a network drive using NET USE and
Remove-PsDrive. The syntax for NET USE is:
net use DeviceName /delete
DeviceName specifies the network drive to remove, such as:
net use g: /delete
The syntax for Remove-PsDrive is:
Remove-PsDrive –Name DriveLetter
DriveLetter is the network drive to remove, such as:
Remove-PsDrive –Name g
NOTE  If the network drive has open connections, you can force remove the network
drive using –Force parameter.
Data sharing and redundancy  CHAPTER 3
113
In File Explorer, you can disconnect a network drive by following these steps:
1. When you open File Explorer, the This PC node should be opened by default.
If you have an open Explorer window and This PC is not the selected node,
select the leftmost option button in the address list, and then select This PC.
2. Under Network Location, press and hold or right-click the network drive
icon, and then tap or click Disconnect.
Configuring synced sharing
Although the standard approach to sharing files requires a computer that is joined
and connected to a domain, synced sharing does not. With sync shares, users can
use an Internet or corporate network connection to sync data to their devices from
folders located on enterprise servers. You implement synced sharing by using Work
Folders.
Work Folders is a feature that you can add to servers running Windows Server
2012 R2 or later. Work Folders use a client-server architecture. A Work Folders client
is natively integrated into Windows 8.1, and clients for Windows 7, Apple iPad, and
other devices are becoming available as well.
Getting started with Work Folders
You deploy Work Folders in the enterprise by performing these procedures:
1. Add the Work Folders role to servers that you want to host sync shares.
2. Use Group Policy to enable discovery of Work Folders.
3. Create sync shares on your sync servers and optionally, enable SMB access to
sync shares.
4. Configure clients to access Work Folders.
NOTE  Group Policy is discussed in detailed in Chapter 6 “Managing users and computers with Group Policy.” For detailed information about configuring Group Policy
to enable discovery of Work Folders, see “Automatically configuring Work Folders,” in
Chapter 6.
Work Folders use a remote web gateway configured as part of the IIS hostable
web core. When users access a sync share via a URL provided by an administrator
and configured in Group Policy, a user folder is created as a subfolder of the sync
share and this subfolder is where the user’s data is stored. The folder naming format
for the user-specific folder is set when you create a sync share. The folder can be
named by using only the user alias portion of the user’s logon name or the full logon
name in [email protected] format. The format you choose primarily depends on the
level of compatibility required. Using the full logon name eliminates potential conflicts when users from different domains have identical user aliases, but this format
is not compatible with redirected folders.
To maintain compatibility with redirected folders, you should configure sync
folders to use aliases. However, in enterprises with multiple domains, the drawback
114
CHAPTER 3  Data sharing and redundancy
to this approach is that there could be conflicts between identical user aliases in
different domains. Although the automatically configured permissions for a user
folder would prevent amyh from the cpandl.com domain from accessing a user
folder created for amyh from the pocket-consultant.com domain, the conflict would
cause problems. If there was an existing folder for amyh from the cpandl.com
domain, the server would not be able to create a user folder for amyh from the
pocket-consultant.com.
With Work Folders, you have several important options during initial setup. You
can encrypt files in Work Folders on client devices and ensure that the screens on
client devices lock automatically and require an access password. Encryption is
implemented by using the Encrypting File System (EFS). EFS encrypts files with an
enterprise encryption key rather than an encryption key generated by the client
device. The enterprise encryption key is specific to the enterprise ID of the user
(which by default is the primary SMTP address of the user). Having an enterprise
encryption key that is separate from a client’s standard encryption key is important
toВ ensure that encrypted personal files and encrypted work files are managed
separately.
When files are encrypted, administrators can use a selective wipe to remove
enterprise files from a client device. The selective wipe removes the enterprise
encryption key and thus renders the work files unreadable. Selective wipe does not
affect any encrypted personal files. As the work files remain encrypted, there’s no
need to actually delete the work files from the client device. That said, you could run
Disk Optimizer on the drive where the work files were stored. During optimization,
Disk Optimizer should then overwrite the sectors where the work files were stored.
Selective wipe only works when you’ve enabled the encryption option on Work
Folders.
Although encryption is one way to protect enterprise data, another way is to configure client devices to lock screens and require a password for access. The exact
policy enforced requires:
в– в– A minimum password length of 6 characters
в– в– A maximum password retry of 10
в– в– A screen that automatically locks in 15 minutes or less
If you enforce the use of automatic lock screens and passwords, any device that
doesn’t support these requirements is prevented from connecting to the Work Folder.
By default, sync shares are not available in the same way as standard file shares.
Because of this, users can only access sync shares by using the Work Folders client.
IfВ you want to make sync shares available to users as standard file shares, you must
enable SMB access. After you enable SMB access, users can access files stored in
Work Folders by using syncing and by mapping network drives.
When a user makes changes to files in Work Folders, the changes might not be
immediately apparent to others using the same Work Folders. For example, if a user
deletes a file from a Work Folder by using SMB, other users accessing the Work
Folder might still see the file as available. This inconsistency can occur because by
default clients only poll the sync server every 10 minutes for SMB changes.
Data sharing and redundancy  CHAPTER 3
115
A sync server also uses a Work Folders client to check periodically for changes
users have made using SMB; the default polling interval is 5 minutes. When the
server identifies changes, the server relays the changes the next time a client syncs.
Following this, you can determine that it could take up to 15 minutes for a change
made using SMB to fully propagate.
REAL WORLD  To minimize support issues related to Work Folders, you’ll want to
let users know how the technology works. Specifically, you’ll want to let users know
changes might not be immediately apparent, and they’ll need to be patient when
waiting for changes to propagate.
You can specify how frequently the server checks for changes made locally on
the server or through SMB by using the –MinimumChangeDetectionMins parameter
of the Set-SyncServerSetting cmdlet. However, as the server must check the change
information for each file stored in the sync share, you need to be careful that you
don’t configure a server to try to detect changes too frequently. A server that checks
for changes too frequently can become overloaded. Remember, change detection
uses more resources as the number of files stored in the sync share increases.
If you deploy roles and features that require a full version of the Web (IIS) role,
you might find that these roles and features or the Work Folders feature itself don’t
work together. A conflict can occur because the full version of the Web (IIS) role has
a Default Web Site that uses port 80 for HTTP communications and port 443 for
secure HTTP communications. For example, running Windows Essentials Experience
and Work Folders together on the same server requires a special configuration. Typically, you need to change the ports used by Windows Essentials Experience so that
they don’t conflict with the ports used by Work Folders.
To enable detailed logging of Work Folders, you can enable and configure the
Audit Object Access policy setting for a Group Policy Object (GPO) processed by
the server. You’ll find this setting in the Administrative Templates for Computer
Configuration under Windows Settings\Security Settings\Local Policies Audit Policies.
After you enable Audit Object Access, add an audit entry for the specific folders you
want to audit. In File Explorer, press and hold or right-click a folder you want to
audit, and then select Properties. In the Properties dialog box, on the Security tab,
select Advanced. In the Advanced Security Settings dialog box, use the options on
the Auditing tab to configure auditing.
Creating sync shares and enabling SMB access
You create a sync share to identify a local folder on a sync server that will be synchronized and accessible to domain users via the Work Folders client. As sync shares are
mapped to local paths on sync servers, I recommend that you create any folders
that you want to use before creating sync shares. This will make it easier to select
the exact folders with which you want to work. For details on adding the Work Folders
role and configure Work Folders in Group Policy, see “Automatically configuring
Work Folders” in Chapter 6.
116
CHAPTER 3  Data sharing and redundancy
To create a sync share, complete the following steps:
1. In Server Manager, select File And Storage Services, and then select Work
Folders. On the Work Folders panel, select Tasks, and then select New Sync
Share to open the New Sync Share Wizard. If the Before You Begin page is
displayed, tap or click Next.
2. On the Select The Server And Path page, shown in Figure 3-13, select the
server with which you want to work. Keep in mind that only servers that
have the Work Folders role installed are available for selection.
FIGURE 3-13  Specify the server and folder to use.
3. When configuring sync shares, you have several options. You can:
в– в– в– в– в– в– Add syncing to an existing file share by choosing the Select By File Share
option, and then selecting the file share that should also be synced.
Add syncing to an existing local folder by choosing Enter A Local Path,
selecting Browse, and then using the Select Folder dialog box to locate
and chose the folder to sync.
Add syncing to a new local folder by choosing Enter A Local Path, and
then entering the path to use.
4. When you are ready to continue, tap or click Next. If you specified a new
folder location, you are prompted to confirm whether you want to create
thisВ folder. Select OK to create the folder and continue.
5. On the Specify The Structure For User Folders page, choose a folder nam-
ing format for the subfolders where user data is stored. To use only the
user alias portion of the user’s logon name for naming user folders, choose
User Alias. To use the full logon name for naming user folders, choose User
[email protected]
Data sharing and redundancy  CHAPTER 3
117
6. By default, all folders and files stored under the user folder are synced auto-
matically. If you’d prefer that only a specific folder is synced, select the Sync
Only The Following Folder check box, and then enter the name of the folder,
such as Documents. Tap or click Next to continue
7. On the Enter The Sync Share Name page, enter a share name and description
before tapping or clicking Next to continue.
8. On the Grant Sync Access To Groups page, shown in Figure 3-14, use the
options provided to specify the users and groups that should be able to
access the sync share. To add a user or group, tap or click Add, and then use
the Select User Or Group dialog box to specify the user or group that should
have access to the sync share.
SECURITY ALERT  Any users and groups you specify will be granted permissions on the base folder that allows the users and groups to create folders and
access files in their folders. Specifically, Creator/Owner is granted Full Control on
subfolders and files only. The users and groups are granted List Folder/Read Data,
Create Folders/Append Data, Traverse Folder/Execute File, Read/Write attributes
on the base folder. Local System is granted Full Control of the base folder, subfolders, and files. Administrator is granted Read permission on the base folder.
FIGURE 3-14  Specify the users and groups that should have access to the sync share.
9. By default, inherited permissions are disabled and users have exclusive
access to their user folders. Because of this, only the user who stores a file
has access to this file on the share. If the base folder for the share has permissions that you want to be applied to user folders, such as those that
would grant administrators access to user folders, clear the Disable Inherited
Permissions check box. When you are ready to continue, tap or click Next.
118
CHAPTER 3  Data sharing and redundancy
10. On the Specify Device Policies page, you have two options. You can select
Encrypt Work Folders to encrypt files in Work Folders on client devices. You
can select Automatically Lock Screen And Require A Password to ensure that
the screens on client devices lock automatically and require a password for
access.
11. Tap or click Next to continue, and then confirm your selections. Select Create
to create the sync share. If the wizard is unable to create the sync share, you’ll
get an error and will need to note the error and take appropriate corrective
action. A common error you might get occurs when the server hosts both
Work Folders (which use the hostable web core) and the full Web (IIS) role.
Before you can crate sync shares, you’ll need to modify the ports used so
they do not conflict or install Work Folders on a server that doesn’t have the
full Web (IIS) role.
12. If you did not select an existing file share during set up and want to enable
the sync share for SMB access, open File Explorer. In File Explorer, press and
hold or right-click the folder, select Share With, and then select Specific
People. Finally, configure file sharing as discussed earlier in this chapter.
Accessing Work Folders on clients
Users with a domain user account can access Work Folders from a client device over
the Internet or over the corporate network. You can configure Work Folder Access
for a user by completing the following steps:
1. In Control Panel, tap or click System And Security, and then select Work Fold-
ers. On the Manage Work Folders page, tap or click Set Up Work Folders.
2. On the Enter Your Work Email Address page, enter the user email address,
such as [email protected], and then tap or click Next. If the client device is
joined to the domain, you will not be prompted for the user’s credentials.
Otherwise, you are prompted for the user’s credentials. After the user enters
her credentials, you can select Remember My Credentials to store the user’s
credentials for future use, and then tap or click OK to continue.
3. On the Introducing Work Folders page, note where the work files for the
user will be stored. By default, work files are stored in a user profile subfolder
called Work Folders. For example, the work files for Amyh would be stored
under %SystemDrive%\Users\Amyh\WorkFolders. To store work files in
another location, tap or click Change and then use the options provided to
specify a new save location for work files. When you are ready to continue,
tap or click Next.
4. On the Security Policies page, review the security policies that will be applied,
and then have the user select the I Accept These Policies On My PC check
box. You will not be able to continue if you do not select this check box.
5. Select Set Up Work Folders to create Work Folders on the client device.
Data sharing and redundancy  CHAPTER 3
119
After you configure Work Folders for initial use on a client device, the user can
access Work Folders in File Explorer. When a user opens File Explorer, the This PC
node should be opened by default. If so, the user just needs to double-tap or
double-click Work Folders to view work files. If a user has an open Explorer window
and This PC is not the selected node, she just needs to tap or click the leftmost
option button in the address list, and then tap or click This PC.
As the user works with files, the changes the user makes trigger sync actions with
the server. If the user doesn’t change any files locally for an extended period of time,
the client connects to the server every 10 minutes to determine whether there are
changes to sync.
120
CHAPTER 3  Data sharing and redundancy
Index
Numbers & Symbols
64-bit print drivers, 300
512b drives, 5
512e drives, 5
$ symbol, 101, 103
A
A records
described, 282
updating, 267
AAAA records, 282
access-based enumeration, 92
access controls, claims-based, 132–134
access permissions. SeeВ NTFS permissions
account policies
changing template settings, 160
described, 157
Action Center
changing run time for automatic
maintenance, 75
network diagnostics and, 207
storage spaces and, 66
viewing known problems and
solutions,В 359
Active Directory
access tracking, 135
auditing policies, 135
authorizing DHCP servers in, 228
central access policies, 133
DNS and, 262, 263, 270–272
dynamic updates and, 278, 291
integrated primary server, 267
integration modes, 291
listing printer shares in, 307, 308, 313
listing printers in, 320, 323
objects, auditing, 139
publishing shares in, 94
restoring, 364
SRV records and, 283
storing data and objects, 101
Active Directory Certificate Services, 196
Active Directory Domain Services, security
policies and, 175
Active Directory Users And Computers
assigning logon scripts, 189
object auditing, 135, 139
active partition or volume, 19
adaptive query timeout, 207
Add-DhcpServerInDC cmdlet, 228
address conflict detection, 236
address records, 282–284
Address Resolution Protocol (ARP) test, 218
ADMIN$ share, 100
administrative installation, 191
administrative shares, 100
administrator access, object ownership
and,В 122
administrator command prompt, shortcuts
to, 346
Advanced Encryption Standard (AES)
algorithm, 369
Advanced Format hard drives, 5
Advanced Sharing Settings, 83
Advanced TCP/IP Settings, 266
advertising software, 191
alias (CNAME) records, 276
allocating space
storage pools and, 57, 58, 61
to virtual disks, 62
allocation unit size, 27, 29, 43
allow lists, MAC address filtering and, 253
allowing special permissions, 131
analyzing disks, 78–80
AppData (Roaming) folder, redirecting, 181
applications, recovering, 367, 368
Apply Policy To Removable Media policy, 143
applying security policies, 177, 178
archive attribute, 337
assigning drive letters and paths, 67
asynchronous DNS cache, 264
attaching VHDs, 24
Audit Account Logon Events option, 135
Audit Account Management option, 135
Audit Directory Service Access option,
135,В 139
Audit Logon Events option, 136
Audit Object Access option, 116, 136, 138
Audit Policy Change option, 136
Audit Privilege Use option, 136
Audit Process Tracking option, 136
Audit System Events option, 136
auditing
Active Directory objects, 139, 140
DHCP servers, 229
373
authentication
auditing (continued)
files and folders, 136–138
policies, 135, 136
print jobs, 329
registry, 138
security policies and, 176
system resources, 134–140
authentication
NFS sharing and, 108
security policies and, 176
authoritative restore, 364
autoconfiguration
ipconfig and, 222
IPv4 addresses, 218
IPv6 addresses, 219, 220
autoloader tape systems, 339, 340
automatic
certificate enrollment, 197
compression of files and directories, 30
defragmentation, 80
deployment and maintenance of
software, 190, 191
detection of network printers, 305, 312
installation of network printers, 305
lock screens, 115, 119
recovery from a failed start, 361
service startup mode, 163
Automatic Maintenance, 75, 79, 199
Automatic Updates, 197–200
average seek time, 6
B
backing up files
See alsoВ recovery
Backup Command-Line utility, 346–350
common solutions, 339, 340
devices for, considerations, 339
DHCP database, 257
encrypted data and certificates, 371, 372
manually, 357, 358
media rotation schedule, 341
online, 343
permissions, 344
planning, 335–337
recovery point objective (RPO), 336
recovery time objective (RTO), 336
scheduling, 350–357
selecting backup media, 340, 341
selecting utilities, 341
techniques, 337
Windows Server Backup, 2
backing up system state, 363, 364
Backup Command-Line utility, 341, 346–350
374
BackupDatabasePath key, 258
BackupInterval key, 258
bare metal recovery, 351, 358
baseline server, 174
basic disks
configuring, 19
converting to dynamic, 20
described, 13
drive sections, 19
vs. dynamic disks, 18
RAID limitations, 38
.bat files, 187
Batch implicit group, public folder
permissions and, 83
binary source files, print services and,
301,В 302
bindings, DHCP servers and, 228
BIOS vs. UEFI, 8
BitLocker Drive Encryption, 7, 22, 199
boot manager, restoring, 364–367
boot partition or volume, 19
boot sector corruption, 41
boot volumes
changing drive letters for, 67
repairing mirrored sets, 51
repairing mirror to enable boot, 52
striped sets and, 46
Bootstrap Protocol (BOOTP), enabling, 248
Branch Office Direct Printing, 307, 308,
313,В 330
BranchCache
enabling caching of shared folders, 93
SMB versions and, 86
BranchCache For Network Files
roleВ service,В 2
breaking mirrored sets, 50
broadcast messages, IP address range
for,В 239
built-in compression feature, 30
C
C drive, as local file system, 1
cache size of virtual disks, checking, 57
caching offline files, 93
canceling print jobs, 332
canonical name records, 282
CAPI2, 206
central access policies
described, 133
file and folder resources and, 82
NTFS permissions and, 125
certificate authorities (CAs), 196, 371
certificate revocation lists (CRLs), 196
data
certificates
CAPI2 and, 206
encryption and, 32, 369, 371, 372
recovery agents and, 35
Change Permissions special permission, 138
Change share permissions, 95
Change special permission, 126, 127
Check Disk (Chkdsk.exe)
enhanced scan and repair, 76–78
options and switches, 77
running interactively, 77
vs. self-healing NTFS, 74, 75
syntax, 77
checking for solutions, 359
child domains
creating in separate zones, 281, 282
creating within zones, 280
defined, 262
child objects, inheritance and, 123
CIFS, 85. See alsoВ Server Message Block
(SMB)
Cipher (Cipher.exe) utility, 36
claim types, 132
claims-based access controls, file and folder
resources and, 82
claims-based permissions, 132–134
client features, enabling and disabling, 175
Close-SMBOpenFile cmdlet, 105
Close-SMBSession cmdlet, 103, 104
cluster size, setting for file systems, 27, 29, 43
.cmd files, 187
CNAME records
adding host aliases, 284
described, 282
global names and, 276
coexistence, of IPv4 and IPv6, 206
command prompt, shortcuts to, 346
command-shell batch scripts, 187
Compact (Compact.exe) utility, 31
compound identities, file and folder access
and, 82
compression
automatic, 30
described, 30
encryption and, 30
removing from drives, 31
removing from files and directories, 31
turning on for disks, 28, 43
computer assignment, software deployment
method, 190
Computer Management
closing open files, 105, 106
configuring share permissions, 95
creating shadow copies, 110
creating shared folders, 88–91
deleting shadow copies, 111
disabling disk quotas, 150
disabling shadow copies, 112
disconnecting users from shared
resources, 104
enabling disk quotas, 145
ending all sessions, 104
Open Files node, 105
publishing shared resources, 94
reverting volumes to previous shadow
copy, 111
scheduling backups, 357
tracking connections to shared
resources, 102
viewing SMB sessions, 103
viewing SMB shares, 86, 87
computer startup scripts, assigning, 187, 188
conditional forwarding, 292, 293, 294
configuring drives, 6
connecting to
network drives, 112–114
printers, 314, 315
remote computers, 87
shared resources, 102, 103
special shares, 101, 102
constrained delegation, Hyper-V and, 93
Contacts folder, redirecting, 181
Convert (Convert.exe) utility, 70, 71
converting
basic disks to dynamic disks, 20, 21
dynamic disks to basic disks, 20, 21
volumes to NTFS, 71
copy backups, 337
corrupted system files, 360
crash dump partition, 19
Create Files/Write Data special permission,
126, 127
Create Folders/Append Data special
permission, 126, 127
Create Subkey advanced permission, 139
CryptoAPI Version 2 (CAIP2), 206
custom disk quota entries, 147–150
/CvtArea option, 71
D
daily backups, 337
DAT drives, 339
data
See alsoВ public folder sharing; standard
file sharing
compressing, 30
deduplication, 64, 65
protecting with RAID, 44
recovery, EFS and, 369
375
data backups
data (continued)
SMB encryption, 93
synced sharing, 114
synchronizing with Work Folders,
195,В 196
transfer, network awareness and, 202
data backups
Backup Command-Line utility, 346–350
common solutions, 339, 340
encryption and, 371, 372
manual, 357, 358
media rotation schedule, 341
online, 343
permissions, 344
planning, 335–337
recovery point objective (RPO), 336
recovery time objective (RTO), 336
scheduling, 350–357
selecting backup media, 340, 341
selecting utilities, 341
techniques, 337
Data Deduplication role service, 2, 54
Data Incomplete volume status, 40
Data Not Redundant volume status, 40
data scrubber, 11
data transfer rate, drive specifications and, 7
DatabaseCleanupInterval key, 258
DatabaseName key, 258
debugging DNS events, 295
debugging mode, 363
decrypting directories and files, 36
deduplication of data, 54, 64, 65
default gateways, 211, 241
defragmenting disks, 78–80
Degraded operation status, storage pools
and, 66
DELETE BACKUP command, 346
Delete special permission, 126, 127, 138, 139
Delete Subfolders And Files special
permission, 126, 127, 138
DELETE SYSTEMSTATEBACKUP command,
346, 349
deleting disk quota entries, 148
demilitarized zones, 272
deny lists, MAC address filtering and, 253
denying special permissions, 131
deploying
printer connections, 315, 316
security configurations, 170–172
security polices to multiple
computers,В 178
software through Group Policy, 190–195
Desktop folder, redirecting, 181
device claims, 132
device unique identifier (DUID), 256
376
DFS Namespaces role service, 2
DFS Replication role service, 3
DHCP
DNS and, 262, 264
purpose, 217
saving and restoring configuration,
236, 237
DHCP console
activating and deactivating scopes, 248
assigning scope options, 246
assigning server options, 246
authorizing a server in Active Directory,
227
backing up DHCP database, 257
connecting to remote servers, 226
creating IPv4 scopes, 239
creating multicast scopes, 244
deleting leases and reservations, 257
failover scopes, 250
hardware type exemptions, 253
modifying reservation properties, 257
modifying scopes, 248
opening, 225
reservation options, 247
reserving addresses, 255, 256
saving and restoring configuration, 237
starting and stopping a server, 227
superscopes and, 238
updating statistics, 229
DHCP Relay Agent Service, 223
DHCP servers
auditing, 229–231
backing up, 258
binding to a specific connection, 228
DNS and, 230, 232, 241
dynamic IPv4 addressing, 218, 219
failover, 218, 219
installing, 223–226
moving database to a new server, 258
name resolution and, 266
NAP and, 232–236
options, 246
reconciling leases and reservations, 259
regenerating the database, 259
registry keys, 230
remote servers, 227
restoring from backup, 258
starting and stopping servers, 227
statistics, updating, 229
Dhcp.mdb file, 257
Dhcpmgmt.msc command, 225
DHCPv4, 217, 219
DHCPv6, 219–222
diagnostics and resolution architecture,
358–360
disks
diagonal parity striping, 60
differential backups
described, 337
vs. incremental, 338
digital audio tape (DAT) drives, 339
Digital Identification Management Service
(DIMS), 369
Digital Linear Tape (DLT), 339
directories
compressing, 30
decrypting, 36
encrypting, 33
expanding compressed, 31
directory-integrated storage, 262
Directory Services Restore Mode, 363
Disable Automatic Restart On System Failure
option, 363
DISABLE BACKUP command, 346, 349
Disable Driver Signature Enforcement
option, 363
Disable Early Launch Anti-Malware Driver
option, 363
Disabled service startup mode, 163
disabling
automatic certificate enrollment, 197
disk quotas, 150
inheritance, 123
NFS sharing, 108
print spooling, 327
disaster recovery. SeeВ recovery
disconnecting
network drives, 113
users from shared resources, 103, 104
discovery of networks. SeeВ network
discovery
disk-based backup systems, 340
disk duplexing, 47
Disk Management snap-in
breaking mirrored sets, 50
changing drive letters and paths, 68
converting basic disks to dynamic,
20,В 21
creating partitions, logical drives, and
simple volumes, 25
creating volumes and volume sets, 42
degragmenting, 78
described, 11–13
extending volumes, 73
initializing disks, 16
marking partitions as active, 20
mirror sets, creating, 48
moving disks, 22, 23
reactiving dynamic disks, 22
shrinking volumes, 72
striped sets with parity, creating, 49
virtual hard disks and, 23
volume labels, 69
disk management, Windows Server Backup
and, 342
disk mirroring
described, 44, 45
existing volumes, creating from, 48, 49
fault tolerance and, 47
implementing, 46–49
mirrored sets, breaking, 50
mirrored sets, creating, 48
performance considerations, 47
removing volumes from set, 52
repairing mirrored sets, 50, 51
repairing to enable boot, 51, 52
resynchronizing mirrored sets, 50, 51
storage considerations, 47
storage pools and, 59
disk quotas
creating entries, 147, 148
deleting entries, 148
disabling, 150
enabling in Group Policy, 142
enabling on NTFS volumes, 145, 146
enforcing, 140
exporting settings, 149
importing settings, 149
individual entries, when to create, 147
limits, 141, 151
message variables, 153
Resource Manager, 151–155
shared folders and, 93
types, 140, 151
viewing entries, 147
warnings, 141, 151
disk quota templates, 151–155
disk space, DHCP server logs and, 230
disk striping
described, 45
implementing, 45, 46
repairing striped sets, 52
disk striping with parity
described, 44, 45
implementing, 49
performance considerations, 47
regenerating sets, 52, 53
removing volumes, 53
storage pools and, 59
diskmgmt.msc, 11
disks
See alsoВ dynamic disks
configuration types, 13, 18
configuring, 19
converting basic to dynamic, 20
defragmenting, 78–80
377
dismounting volumes
disks (continued)
drives, as backup solution, 340
failure detection, 360
initializing, 16
management options, 55
moving, 22–24
optimizing, 78–80
reactivating dynamic, 22
rescanning, 22, 41
resetting, 55
standards-based storage and, 53
storage management and, 37
dismounting volumes, 76
Distributed Scan Server role service, 300,
301, 302
distribution points, for software deployВ­
ment, 191
DNS
Active Directory and, 262, 263
adding aliases with CNAME, 284
described, 261
DHCP and, 230, 232, 241, 262, 264
enabling on the network, 263–265
forwarding, 292–294
IPv6 and, 263
name resolution and, 266
options, 266, 267
records, 264, 282–286
setting zone type, 291
suffixes, 266, 267
DNS clients
configuring name resolution, 266, 267
dynamic updates and, 291
enhancements for built-in, 207
IPv6 and, 263–265
LLMNR and, 264
.dns file extension, 262
DNS Manager console
debugging, 295
event logging, 294
forwarding, 293
managing DNS records, 283–286
managing DNS servers, 276–280
notifying secondaries of changes, 290
setting zone properties, 287–291
specifying IP addresses, 292
zone transfers, restricting, 289
DNS servers
adding and removing, 277
controlling access to, 292–294
domain controllers as, 268
event logging, 294
GlobalNames zone and, 265, 275, 276
378
installing, 267, 268
IP addresses and, 292
IPv4 and IPv6 and, 263–265
monitoring, 295, 296
primary, 270–272
restarting, 263
reverse lookup zones, 274, 275
secondary, 273
signing zones, 278–280
starting and stopping, 278
startup tasks, 263
types, 267
zone transfers, 289, 290
DNSSEC (DNS Security Extensions), 278–280
DNSKEY records, 279
dnsZone object, 262
Documents folder, redirecting, 181
dollar sign
computer names and, 103
special shares and, 101
domain controllers, as DNS servers, 268
domain name resolution. SeeВ name
resolution
Domain Name System (DNS). SeeВ DNS
domain networks, 202
domains
child, 262
deleting, 282
DNS and, 261
parent, 261
root, 261
Downloads folder, redirecting, 181
drive controllers, 6, 47
drive letters
assigning, 26
assigning to drives, 67, 68
assigning to volumes, 43, 65
changing, 55, 68
partitioning and, 25
removing, 68
drive paths
adding, 68
assigning, 26
assigning to drives, 67
assigning to volumes, 43, 65
changing, 55
purpose, 25
removing, 68
drive section types, 19
Driveletter$ share, 101
drivers
printer, 298
safe mode and, 363
extranets
drives
compressing, 30
deleting, 69
described, 1
Disk Management snap-in and, 11–13
disk types, 10, 11
encrypted, 7
expanding compressed, 31
installing new, 16
logical, 8
partitions, 8–10
physical, 5–10
selection considerations, 6, 7
status values, list of, 16, 17
storage management and, 37
storage pools and, 58
unmounted, 67
viewing in Disk Management, 12, 13
dual boot, RAID and, 45
dual parity, 59, 60
dump files, 19
dynamic disks
vs. basic disks, 18
configuring, 19
converting to basic, 20, 21
converting unallocated space, 72
described, 13
drive sections and, 19
moving, 22–24
portable computers and, 20
reactiving, 22
Dynamic Host Configuration Protocol
(DHCP). SeeВ DHCP; DHCP servers
dynamic IP addresses, 211, 217–221
dynamic updates enabling and disabling for
DNS, 291
dynamic volumes, status values, list of, 40, 41
E
editing security policies, 177
EFI vs. UEFI, 8
EFS. SeeВ Encrypting File System (EFS)
ENABLE BACKUP command, 346, 349,
354,В 355
Enable Boot Logging option, 362
Enable Disk Quotas policy, 143
Enable Low-Resolution Video option, 362
enabling
Bootstrap Protocol, 248
disk quotas, 143, 145
DNS on the network, 263–265
inheritance of permissions from a parent
object, 124
network discovery, 202
point and print restrictions, 318
print spooler, 326
encoding, NFS sharing and, 108
encrypted hard drives, 7
Encrypting File System (EFS)
NTFS and, 31
recovery policies and, 368–371
Work Folders and, 115
encryption
backing up data and certificates, 371
certificates, 32
compression and, 30
described, 32
files and directories and, 33
keys, 32
recovery policies and, 368–371
restoring data and certificates, 371
SMB, 82, 86, 93
Work Folders and, 115, 196
Enforce Disk Quota Limit policy, 143, 145
Enhanced Storage feature, 2
Enrolling, computer and user certificates,
196, 197
enterprise CAs, 197
error logs, security template analysis, 168
errors, checking disks for, 76–78
eSATA (external SATA), 6, 15
event auditing, policies for, 135, 176
event logging
disk quota variables, 153
DNS servers, 294
policies, 143, 157, 160
virtual memory exhaustion, 360
Event Trace Log (ETL) file, 207
Event Viewer, security logs and, 134
Everyone implicit group, 83, 93
exclusion ranges
for IPv4 addresses, 240
for IPv6 addresses, 243
for multicast scopes, 245
setting, 254, 255
Expand (Expand.exe) utility, 31
expiration of certificates, 197
Export-DhcpServer cmdlet, 237
exporting
disk quota settings, 149
printers, 319
extended FAT file system, 10
extended partitions, 8, 24, 25
extending volumes, 54
extensions to network awareness, 202
external storage devices, 14–16
extranets, 261
379
Failed Redundancy volume status
F
Failed Redundancy volume status
described, 40
mirrored sets and, 50
Failed volume status, 40
failover, DHCP, 218
failover scopes, 223, 249–252
failures, recovering from
failed start, 361
hardware or startup, 358–361
FAT file system, 10
FAT32 file system, 10
fault tolerance
disk mirroring and, 47
disk striping with parity and, 49
failover scopes and, 250
incomplete volumes, 40
RAID and, 44, 45
Favorites folder, redirecting, 181
FAX$ share, 100
file and printer sharing, enabling and
disabling, 302
File And Storage Services
configuring role, 4, 5
configuring share permissions, 98
creating a sync share, 117
creating shared folders, 91–93
NFS sharing, 108
role services, 2
shared folders, modifying settings
for,В 94
viewing NTFS permissions, 124
Work Folders, 117
File Explorer
accessing Work Folders, 120
claims-based permissions and, 133
connecting to special shares, 101
disconnecting network drives, 114
mapping network drives, 113
NFS sharing and, 107
restoring a shadow copy, 110
shadow copies and, 109
sharing local folders, 88
showing hidden items, 83
viewing NTFS permissions, 124
file paths, security settings for, 166
file screening, 11
File Server Resource Manager
creating disk quotas, 155, 156
creating disk quota templates, 154
modifying disk quota templates, 153
role services, 11
File Server role service, 3
File Server VSS Agent Service role service, 3
380
file servers
described, 1
role services for, 2
File Services And Storage role, 54
file sharing. SeeВ standard file sharing; public
folder sharing; shared folders
file systems
described, 1, 10, 11
local vs. remote, 1
policies for, 157, 164–167
specifying type, 27, 29, 43
files
auditing, 136–138
compressing, 30
decrypting, 36
encrypting, 32–34
expanding compressed, 31
permissions, list of, 125
recovering, 367, 368
setting basic permissions, 127–129
setting special permissions, 129–132
filesystem log buffer, time stamp update
records and, 65
filtering
by MAC address, 253
printers, 320, 321
firewalls, security policies and, 175
FireWire (IEEE 1394)
data transfer and, 14
Unreadable drive status and, 17
firmware interfaces, 8
folder redirection
based on group membership, 184–186
described, 181
removing, 186
to a single location, 182
folders
auditing, 136–138
permissions, list of, 125
permissions, setting basic, 127–129
permissions, setting special, 129
recovering, 292
forcing files to close, 106
Foreign drive status, 17
formatting partitions, 28, 29
formatting volumes, 43
Formatting volume status, 40
forward lookup zones
global names, 275, 276
primary DNS servers and, 272
purpose, 274
secondary DNS servers and, 273
updating properties, 287
forwarder servers, 292, 293
forwarding-only servers, 268, 292, 293
incremental backups
fragmentation, reducing with Optimize
Drives utility, 78
Free Space label, on partitions, 12
FSUtil, 6, 71
full backups, 337
scheduling, 341
Windows Server Backup and, 344, 345
Full Control file and folder permissions, 125,
126, 127
Full Control share permissions, 95
full integration of Active Directory and DNS
described, 262
DSN server types and, 267
full system recovery, 364–367
G
gateways, multiple default, 212, 213
Get-Disk cmdlet, 16
GET DISKS command, 346, 348
GET ITEMS command, 346, 348
Get-NetIPInterface cmdlet, 263
Get-SmbConnection cmdlet, 85
Get-SMBOpenFile cmdlet, 105
Get-SMBSession cmdlet, 103
get-smbshare cmdlet, 86
GET STATUS command, 347, 348
GET VERSIONS command, 347, 348
GET VIRTUAL MACHINES command, 347
global unicast addresses, 222
GlobalNames zone
configuring, 275, 276
described, 265
GPOs (Group Policy Objects)
redirecting special folders and, 182, 184
security policies and, 178
security templates and, 170–172
Software Installation policy and, 191
user logon and logoff scripts, 187,
189,В 190
GPT (GUID partition table), 8, 9, 10, 20
GPT partition style, storage pools and, 58
Group Policy
auditing policies, 135
automatic certificate enrollment, 197
Automatic Updates, 198, 199
deploying software through, 190–195
network management, 205–207
point and print restrictions, 317–319
printer connections, 315, 316
printers, 300
recovery agents and, 370
redirecting special folders, 182–187
security policies, 178, 179
security templates and, 157, 167,
170–172
TCP/IP and, 201
Work Folders, 196
Group Policy Management Console
(GPMC),В 35
groups
file and folder permissions and, 128, 130
removing restrictions, 162
restricting, 161
share permissions and, 96, 98
GUID partition table. SeeВ GPT (GUID
partition table)
H
hard disk drive (HDD) storage, 57
hard drives. SeeВ drives
hardware failure, recovering from, 358–361
HDD storage, 57
health policies, DHCP and, 234
health status, displaying, 66
Healthy (At Risk) volume status, 41
Healthy (Unknown Partition) volume
status,В 41
Healthy volume status, 41, 50, 51
hidden
items, showing in File Explorer, 83
shares, 89, 100
SMB folder shares, 86
host names, 108
hot spares, 56, 61, 63
hot standby
DHCP servers, 218
failover scopes and, 251
hot swapping, 16
HTTP over SSL, 206
Hyper-V
networking and, 213, 214
share permissions and, 93
I
IEEE 802.3 networks, 205
IEEE 802.11 networks, 205
IIS, Work Folders and, 195
implicit groups, public folder permissions
and, 83
importing
disk quota settings, 149
foreign disks, 17
printers, 320
security templates, 168, 169, 172
in-place file sharing, 81
inbound authentication methods, security
policies and, 176
incremental backups
described, 337
vs. differential, 338
381
inheritance of objects
incremental backups (continued)
scheduling, 341
Windows Server Backup and, 344
inheritance of objects, 123, 124
Initialize-Disk cmdlet, 16
initializing disks, 16
initializing VHDs, 24
Initializing volume status, 41
installing
DNS servers, 267–270
IPv4, 208
network printers, 305–307
new drives, 16
Print and Document Services role,
300–302
TCP/IP networking, 208
updates automatically, 197–200
Windows Server Backup, 343
integrating
Active Directory and DNS, 262, 263
DNS and DHCP, 230, 231
NAP and DHCP, 232–235
Interactive implicit group, public folder
permissions and, 83
interface types, 6
internal disks, standards-based storage
management and, 38
Internet Printing role service, 300, 301
Internet SCSI (iSCSI), 6
interoperability with UNIX, LPD Service role
service, 301
intranets
defined, 261
update service locations, 200
IP addresses
assignment, 221
avoiding conflicts, 236
checking whether in use, 210
configuring, 209
described, 209
DHCP and, 217
DNS servers and, 292
dynamic, 211, 212, 217–221
scopes, 222
ip6.arpa domain namespace, 264
IPC$ share, 100
ipconfig command, 221
deleting leases and reservations, 257
MAC address filtering and, 253
reserving DHCP addresses, 256
IPv4
addresses, 209
address records, 282
coexistence, 206
creating normal scopes for, 239–243
382
DHCP servers and, 217
dynamic addresses, configuring,
217,В 219
enabling DNS and, 264
exclusion ranges, 254
failover scopes, 249–252
installing, 208
MAC address filtering, 253
private network IDs, 210
PTR records and, 231
static addresses, configuring, 210, 211
superscopes, 238, 239
types of scopes, 223
IPv6
addresses, 209
address records, 282
coexistence, 206
creating normal scopes for, 242, 243
DHCP servers and, 217
DNS and, 263, 264
dynamic addresses, configuring,
219–222
exclusion ranges, 255
installing, 208
static addresses, configuring, 210, 211
iSCSI Target Server role service, 3, 54
iSCSI Target Storage Provider role service,
3, 54
iSCSI virtual disks, 55
J
J50.chk file, 257
J50.log file, 257
J50000NN.log file, 257
JScript, 187
K
Kerberos authentication, 108
Kerberos with Armoring, 132, 133
Kernel Transaction Manager (KTM), 74
key master, 279, 280
Key Signing Keys (KSKs), 279
keys. SeeВ registry
KTM (Kernel Transaction Manager), 74
L
L2TP/IPsec vs. SSTP and SRA, 206
LAN Manager authentication level, 176
last-access timestamp, filesystem log buffer
and, 65
Last Known Good Configuration option, 362
LDAP, security policies and, 175
multicast IPv6 addresses
leases
Bootstrap Protocol, 249
deleting, 257
for dynamic IP addresses, 218, 222
for IPv4 addresses, 240
for IPv6 addresses, 243
for multicast scopes, 245
reconciling, 259
releasing, 256
legacy MBRs, 8
limit thresholds, Resource Manager disk
quotas and, 151
Line Printer Daemon (LPD) Service, 300, 301
link-layer filtering, 253, 254
Link-Local Multicast Name Resolution
(LLMNR), 264
link-local unicast IPv6 addresses, 220,
221,В 222
Links folder, redirecting, 181
List Folder Contents file and folder
permissions, 125, 127
List Folder/Read Data special permission,
126, 127
listing printers in Active Directory, 323
LLMNR (Link-Local Multicast Name
Resolution), 264
load balancing
DHCP servers, 218
failover scopes, 250
secondary DNS servers and, 273
local printers vs. network printers, 298
local file systems, 1
local policies
changing template settings, 160
described, 157
local print devices, 298
local print spooler, 299
local volumes, disk quotas and, 142
location
printers, 322
storage of backups, 351
locked files, taking administrative ownership
of, 124
Log Event When Quota Limit Exceeded
policy, 143
Log Event When Quota Warning Level
Exceeded policy, 143
log files, DHCP, 230
logical drives
creating, 25–28
deleting, 69
extended partitions and, 8, 24
logical unit number (LUN), 37
logoff and logon scripts, 189, 190
loopback addresses, 222
Loss of Communication status, 66
M
M flag, 219, 220
MAC address filtering, 253, 254
mail exchange servers, 284
Managed Address Configuration flag, 219
manual backups, 357, 358
Manual service startup mode, 163
Map Network Drive feature, 1
mapping network drives, 101, 102
master boot code, 8
master boot record (MBR) partitioning style,
2, 8, 9, 20
master file table (MFT), 11, 71
maximum sustained data transfer rate, 7
Maximum Transmission Units (MTUs), 91
MBR partitioning style, 8, 9, 20, 58
mean time to failure (MTTF), 7
memory diagnostics, 360, 361
MFT (master file table), 11, 20
Microsoft Internet Information Services
(IIS),В 195
Microsoft Management Console (MMC), 159
Microsoft Online Backup Service
described, 341
installing, 343
Microsoft Online Crash Analysis tool, 361
migrating
printers to a new print server, 319, 320
to Windows Server 2012 R2, 300
mirroring
breaking mirrored sets, 50
described, 45
vs. disk striping with parity, 44
implementing, 46–49
removing volumes from set, 52
repairing to enable boot, 51, 52
resynchronizing and repairing mirrored
sets, 50, 51
storage pools and, 59
three-way, 59
virtual disks in storage pools and, 62
Missing volume status, mirrored sets and, 50
Modify file and folder permissions, 125,
126,В 127
monitoring
DNS servers, 295, 296
printers and printer queues, 320, 321
mounting
disks to drive paths, 25
partitions, 26
volumes, 23, 43
MS-DOS, RAID and, 45
.msi files, 191, 194
.mst files, 191
multicast IPv6 addresses, 222
383
multicast scopes
multicast scopes
creating, 244
defined, 239
Multipath I/O, 2
multiple scopes on a network, 249
Music folder, redirecting, 181
MX (mail exchanger) records
adding, 284, 285
described, 283
N
named pipes, 105
name protection, 232
name resolution
configuring for DNS clients, 266, 267
forward lookups and, 272
global names and, 275, 276
reverse lookups and, 274
Name Resolution Policy Table (NRPT), 278
NAP, DHCP and, 232–236
ncpa.cpl command, 204
net session command, 103, 104
net share command, 86
NET USE command
disconnecting network drives, 113
mapping network drives, 112
NetBIOS, DNS client service and, 264
NETLOGON share, 100
Netmon, tracing and, 207
netsh command
adding IPv6 addresses of DNS
servers,В 263
DHCP configuration and, 236
router advertisements and, 220
TCP chimney offloading, 206
Netsh Trace context, 207
Network Access Protection (NAP). SeeВ NAP
network addresses, IP address ranges
for,В 239
Network And Sharing Center
changing a static IP address, 210
configuring name resolution, 266
described, 201
disabling network connections, 215
opening, 203
public folder sharing, 83–85
viewing categories, 204
network-attached print devices
high-volume printing and, 330
installing, 311–314
network awareness, extensions to, 202
network categories
described, 202
viewing, 204
384
network connections
checking status of, 215
disabling, 215
managing, 214
renaming, 215
troubleshooting, 204
Network Diagnostics
described, 201
troubleshooting with, 204, 206
viewing reports, 207
network discovery
described, 202
enabling, 202, 203
turning on and off, 204
Work Folders and, 196
network drives
connecting to, 112–114
disconnecting, 113
mapping, 101, 102, 112, 113
Network Explorer, 201
Network File System (NFS) shares,
creating,В 55
Network Monitor (Netmon), tracing
with,В 207
Network Policy And Access Services role, 232
network print devices
access permissions, 327, 328
described, 298
installing automatically, 305
vs. local printers, 298
updating drivers, 323
network profiles, 204
network status, 203
Network Unlock, 7
networking
managing, 205–207
tools, list of, 201
New-PsDrive cmdlet, 112
NFS sharing, 91, 107–109
No Access share permissions, 95
No Media drive status, 18
nonforwarding servers, 292, 293
nonoperational temperatures, 7
nonresponsive conditions, 359
nonsystem volumes, recovering, 367, 368
normal scopes
for IPv4 addresses, 239–243
for IPv6 addresses, 242, 243
Not Initialized drive status, 18
notification thresholds, Resource Manager
disk quotas and, 151
Nps.msc command, 233
NS (name server) records
adding, 285, 286
described, 283
PCL mode
Ntdsutil.exe tool, 364
NTFS
compression and, 28, 30
converting volumes to, 70
described, 11
encryption and, 31
formatting USB flash devices with, 67
formatting volumes, 42
self-healing, 74, 75
transactional, 74
NTFS disk quotas
deleting entries, 148
described, 140
disabling, 150
enabling on NTFS volumes, 145, 146
exporting and importing settings, 149
individual entries, when to create, 147
purpose, 141
setting with Group Policy, 142
NTFS permissions
basic, list of, 125
basic, setting for files and folders,
127–129
special, list of for files, 126
special, list of for folders, 127
special, setting for files and folders, 129
standard file sharing and, 81, 83
viewing, 124
NTFS volumes
creating shadow copies on, 109
creating shared folders on, 88
disk quotas and, 140, 145, 146
O
O flag, 219
objects
auditing, 139
defining, 121
inheritance, 123, 124
management tools, list of, 122
ownership, 122
types of, 122
offline
disks, 55
file caching, 93
shared folder settings, 90
Offline drive status, 17
Offline volume status, 50
online backups, 343
Online Certificate Status Protocol
(OCSP),В 206
Online drive status, 17
Online (Errors) drive status, 17
Online (Errors) volume status
mirrored sets and, 51
striped sets with parity and, 53
Open Files node, 105, 106
operating system, recovering, 364–367
operational status, displaying, 66
Optimize Drives utility, 71, 78
optimizing disks, 78–80
organizational units (OUs), security policies
and, 178, 179
Other Stateful Configuration flag, 219
outbound authentication methods, security
policies and, 176
P
page file partition, 20
page-file volumes, changing drive letters
of, 67
Parallel ATA (PATA), 6
parallel queries, 207
parallel SCSI, 6
parent domains
defined, 261
name resolution and, 266, 267
parent objects, inheritance and, 123
parity
described, 44
disk striping with, 49
storage pools and, 59, 60
virtual disks in storage pools and, 62
partial integration of Active Directory and
DNS
described, 262
DNS server types and, 267
secondary servers and, 273
partitions
color coding, 25
creating, 25–28
defined, 8
deleting, 69
drive letters, 24, 25
error checking, 28
formatting, 24, 27, 28, 29
GPT style, 8
labels, 29
marking as active, 20
MBR style, 8, 9
mounting, 26
primary vs. extended, 24
resizing, 72, 73
pausing printers, 332
payloads, 2
PCL mode, 324
385
performance
performance
diagnostics, 360
improving with RAID, 44, 45, 46
perimeter networks, 272
permissions
See alsoВ share permissions
access-based enumeration, 92
basic, for files and folders, 127–129
claims-based, 132–134
list of, for files and folders, 125
file system paths, 164, 165, 166, 167
NFS sharing and, 108
NTFS, 81
object inheritance and, 123, 124
printer access, 327, 328
registry paths, 164, 165, 166
shared folders, 81, 90
special, for files and folders, 126, 127,
129–132
Spool folder, 329, 330
sync folders and, 118
persistent caching, 207
.pfx format, 371
physical disks
adding undectected, 66
standards-based storage and, 53
storage pools and, 58, 61
troubleshooting, 66
physical drives
described, 5
preparing for use, 8–11
physical sector size, 6
physically attached printers, 307–311
Pictures folder, redirecting, 181
ping command, 210
placeholder files, 71
point and print restrictions, 317–319
Point-to-Point Tunneling Protocol (PPTP), vs.
SSTP and SRA, 205
polling interval, sync servers and, 116
port preservation, 206
ports
eSATA, 15
FireWire, 14
printer, 325
USB, 14
PostScript mode, 324
power management, Automatic Updates
and, 198, 199
PowerShell. SeeВ Windows PowerShell
PPTP vs. SSTP and SRA, 205, 206
preboot environment, 72
preference numbers, for mail exchange
servers, 285
Previous Versions, 109, 110
386
primary DNS servers
configuring, 270–272
described, 267
reverse lookup zones and, 274
primary management tools
described, 121
list of, 122
primary partitions, 8, 24, 25, 69
primordial pools, 61
PRINT$ share, 101
Print and Document Services role, 300–302
print devices
described, 299
location, 322
multiple printers for, 311
network-attached, 311–314
physically attached, 307–311
types, 298, 311
print jobs
auditing, 329
Branch Office Direct Printing, 307,
308,В 313
canceling, 332
defined, 299
error notification, 330
prioritizing and scheduling, 325–327
separator pages, 324
viewing, 331
Print Management
described, 302–304
installing network printers, 305–307
network-attached print devices, 311
physically attached print devices, 308
print monitors, 299
print processor, 299
print queues
described, 299
emptying, 332
monitoring, 321
print routers, 299
Print Server role service, 300
print servers
adding to Print Management, 303, 304
configuring, 300–302
defined, 298
error notification, 330
high-volume printing and, 330
vs. network printers, 298
properties, 329
purpose, 297, 298
print spooler
described, 299
disabling, 327
enabling, 326
remote printing and, 299
restarting, 322
recovery point objective (RPO)
printer drivers
described, 298
downloading to clients, 299
network-attached print devices and,
312, 313
physically attached print devices and,
309–311
point and print restrictions, 317
sharing, 306
updating, 323, 324
printer filters, 320
printer queues
monitoring, 320
viewing, 331
printers
access permissions, 327, 328
comments, 322
connecting to, 314
deploying connections, 315, 316
document default settings, 329
document priorities, 333
document properties, 333
Group Policy and, 300
monitoring, 320
moving to a new print server, 319, 320
names, 306, 308, 313
network, installing, 305–307
pausing, 332
properties, 322–329
resuming, 332
setting availability, 326
sharing, 327
private networks
described, 202
vs. public networks, 272, 273
ProactiveScan task, 75
protective MBRs, 8
providers, 207
provisioning virtual disks in storage pools, 63
PTR (pointer) records
adding, 283, 284
described, 283
dynamic DNS updates and, 267
reverse lookup zones and, 231
Public Desktop folder, 83
Public Documents folder, 83
Public Downloads folder, 83
public folder sharing, 81, 82, 83. See
alsoВ shared folders
Public Music folder, 83
public networks
described, 202
vs. private networks, 272, 273
Public Pictures folder, 83
Public Videos folder, 83
publishing shared resources, 94
Q
queries, DNS clients and, 207
query coalescing, 207
quick format, for partitions, 28, 29, 43
quotas. SeeВ disk quotas
R
RAID
arrays, 38
backup solutions and, 340
breaking mirrored sets, 50
costs, 45
levels, 44, 45
MS-DOS and, 45
purpose and benefits, 44
resynchronizing and repairing mirrored
sets, 50
RAID-0, 45, 46
RAID-1, 46–49
RAID-5, 49
RDP files, 207
reactivating
disks, 17
volumes, 40, 50, 51, 53
Read Attributes special permission, 126, 127
Read & Execute file and folder permissions,
125, 126, 127
Read Extended Attributes special permission,
126, 127
Read file and folder permissions, 125, 126,
127
Read-Only Access, shared folders and, 90
read-only domain controllers (RODCs), 265
read-only primary zones, 265
Read share permissions, 95
Read special permission, 126, 127
Recenv.exe, 365
reconciling leases and reservations, 259
records, DNS, 282–286
recovering data, Windows Server Backup
and, 342
recovery
See alsoВ backing up files; restoring
agents, 33, 35, 369, 370
applications, 367, 368
EFS and, 368–371
from failed start, 361
files and folders, 367, 368
from hardware failure, 358
from startup failure, 358
nonsystem volumes, 367, 368
policies, 35, 368–371, 370
safe mode and, 361–363
recovery point objective (RPO), 336, 337
387
recovery time objective (RTO)
recovery time objective (RTO), 336, 337
recursive queries, 264, 296
redirecting
folders, 114
printers, 302
special folders, 181–186
redundancy, restoring for storage spaces,
66, 67
redundant data sets
disk mirroring and, 46
with RAID, 44
refreshing server information, 227
ReFS (Resilient File System), 74, 75
regedit command, 138
regenerating
striped sets, 49
striped sets with parity, 52, 53
Regenerating volume status, 41, 50, 51
registry
auditing, 138
keys, 230, 258
paths, security settings for, 165
policies, 157, 164–167
settings, 176
Registry Editor, 138
re-imaging the operating system, 366
relay agents, 221, 223
releasing addresses and leases, 256
remediation servers, 234
remote computers
connecting to, 87
disk quotas, 142
remote file systems, 1
remote management, Disk Management
snap-in and, 13
remote servers, 227
Removable disk type, 13
removable media, disk quotas and, 143
removable storage devices, 14–16
Remove-DhcpServerInDC cmdlet, 228
Remove-PsDrive cmdlet, 113
removing folder redirection, 186
renewing expired certificates autoВ­
matically,В 197
repairing
disk errors, 76
file system errors, 55
repairing mirrored sets, 50, 51
Repair Your Computer tool, 341, 362
rescanning
disks, 16, 17, 22, 41, 51
storage, 66
388
reservations
deleting, 257
DHCP addresses, 255, 256
IPv4 addresses, 222
modifying properties, 257
options, 247
reconciling, 259
releasing, 256
resiliency recovering, 66
Resilient File System (ReFS), 11, 74
resizing partitions and volumes, 72, 73
resource exhaustion alerts, 360
Resource Manager disk quotas, 140, 150–154
resource properties, 132
Restart Manager, 359
restarting
Automatic Update process, during, 199
DNS servers, 263
to recover from failed start, 361
restoring
See alsoВ recovery
Active Directory, 364
boot manager, 364–367
DHCP servers from backup, 258
encrypted data and certificates, 371, 372
system state, 363, 364
restricted groups policies
configuring, 161, 162
described, 157
resuming printing, 332
Resynching volume status, 41, 48
resynchronizing mirrored sets, 50, 51
reverse lookup zones
configuring, 274, 275
ip6.arpa domain namespace and, 264
updating properties, 287
revocation checking, 206
roaming profiles
encrypted files and, 32
purpose, 369
RODCs (read-only domain controllers), 265
role services for file servers, 2, 3
rollback templates, 169, 170
rolling back security policies, 178
root domains, 261
root hints, configuring, 270
rotational speed, 6
rotation schedules for data backup, 341
router advertisements, 220, 221
routers
DHCP and, 219
printer, 299
separator pages
Routing and Remote Access Service
(RRAS),В 223
routing cost, of a gateway, 212
S
safe mode, 361–363
SATA (Serial ATA), 6
Saved Games folder, redirecting, 181
Scan Management, 301
Scan Operators group, 302
scanning
drives for errors, 78
file systems for errors, 55
scheduled backups
configuring, 352–355
excluding files, 352
modifying or stopping, 355
specifying volumes, 351
storage location, 351
Wbadmin and, 356
scheduling Automatic Updates, 198
scheduling print jobs, 325–327, 333
scopes
activating and deactivating, 248
configuring multiple on a network, 249
creating, for IPv4 addresses, 239–243
creating, for IPv6 addresses, 242, 243
described, 222
failover, 249–252
modifying, 248
options, 245
reconciling, 259
removing, 249
statistics, viewing, 252
superscopes and, 238
types of, 223
screened subnets, 272
scripting engines, 187
scripts
logon and logoff, 189, 190
Read file and folder permissions
and,В 125
startup and shutdown, 187, 188
Windows PowerShell, 187
SCSI (Small Computer System Interface), 6
Scwcmd (Scwcmd.exe) utility, 172, 178
Searches folder, redirecting, 181
Secedit command-line utility, 169, 170
secondary DNS servers
configuring, 273
described, 268
notifying of changes, 290, 291
reverse lookup zones and, 274
sector size, 6
Secured Boot, 7
Secure Remote Access, 205
Secure Socket Tunneling Protocol, 205, 206
Security Configuration And Analysis snap-in
analysis database, 167
analyzing and configuring templates,
167, 168
changing settings stored in dataВ­
base,В 168
limitations, 167
opening, 159
purpose, 158
Security Configuration Wizard
applying security policies with, 177, 178
described, 172
editing security policies, 177
process, 173
rolling back security policies, 178
security logs, 134, 136
security policies
applying, 177, 178
deploying to multiple computers, 179
described, 172
editing, 177
file system, 164–167
process for creating, 172–177
registry, 164–167
rolling back, 178
saving, 177
security templates and, 157, 177
security templates
adding to security policies, 177
analyzing, 167, 168
changing settings, 160
file system, 164–167
importing, 168, 169, 172
process, 158
purpose, 157
registry policies, 164–167
Secedit command-line utility, 169, 170
system services policies, 162, 163
Security Templates snap-in
adding search paths, 159
changing settings, 160
creating new templates, 159
file path security settings, 166
file system policies, 164–167
opening, 159
purpose, 158
registry policies, 164–167, 165
restricted groups policies, 161, 162
system services policies, 162, 163
selective wipe, 115
self-healing NTFS, 74, 75
separator pages, 324
389
Serial ATA (SATA)
Serial ATA (SATA), 6
Serial Attached SCSI (SAS), 6
server bindings, configuring, 228
Server Core installations, 365
Server For NFS role service, 3, 91, 107
Server Manager
claims-based permissions, 134
installing DNS Server service, 268–270
NFS sharing and, 107, 108
Print and Document Services role,
300–302
setting file and folder permissions, 129
setting special permissions, 132
shared folders, creating, 91–93
shared folders, modifying settings, 94
starting and stopping DHCP servers, 227
starting and stopping DNS servers, 278
viewing NTFS permissions, 124
viewing share permissions, 98, 99
viewing SMB shares, 86, 87
Windows Server backup and recovery
tools, 343
Server Message Block (SMB)
encryption, 82, 86, 93
ending sessions, 103, 104
protocol described, 81
security signature options, 175
shares, 55, 91
support for MTUs, 91
versions, 85, 86
viewing sessions, 102, 103
Work Folders and, 115
server roles
enabling and disabling, 174
Print and Document Services, 300–302
Service implicit group, public folder
permissions and, 83
service location (SRV) records, 265, 283
services, security policies and, 175
sessions
ending, 103, 104
viewing user and computer, 102, 103
Set-DNSClientServerAddress cmdlet, 263
Set-DnsServerGlobalNameZone comВ­
mand,В 276
Set-FileStorageTier cmdlet, 57
Set-SyncServerSetting cmdlet, 116
Set Value advanced permission, 139
shadow copies
See alsoВ shared folders
creating, 110
deleting, 111
described, 109, 336
390
disabling, 111, 112
restoring, 110
reverting an entire volume to, 111
share permissions
access-based enumeration, 92
assigning, 95
defined, 81
list of, 95
public folders and, 83, 90
standard file sharing and, 83
viewing in Computer Management,
95–97
viewing in Server Manager, 98, 99
shared folders
See alsoВ shadow copies
changing settings, 94
claims-based permissions, 134
configuring settings, 83
creating in Computer Management,
88–91
creating in Server Manager, 91–93
disconnecting users from, 103, 104
hiding, 89
modifying settings, 94
offline settings, 90
publishing in Active Directory, 94
purpose, 85
stopping sharing, 106
viewing, 86–88
shared printers, 101, 302, 306, 307, 308, 310
shared secret keyphrases, 234, 251
sharing
See alsoВ Server Message Block (SMB)
shares; Network File System (NFS)
shares
file and printer, 302
files and folders with removable
disks,В 15
NFS, 107
printers, 327
shortcuts, Read file and folder permissions
and, 125
shrinking volumes, 72, 73
shutdown scripts, 187, 188
signing zones, 280–282
simple layout, storage pools and, 62, 63
simple volumes
See alsoВ volumes
creating, 25
extending, 42
mirrored volumes and, 48
storage pools and, 59
vs. volume sets, 38
superscopes
single-label name resolution, 265
sizing
virtual disks, 64
volumes, 43
Small Computer System Interface (SCSI), 6
SMB. SeeВ Server Message Block (SMB)
SMB 1.0/CIFS File Sharing Support
feature,В 85
SOA (Start Of Authority) records
described, 283
modifying, 287, 288
Software Installation policy, 190, 191
Solicit messages, IPv6 and, 221
Solid State Drive (SSD) storage, 57
spanned volumes
See alsoВ volumes
basic disks, adding space from, 42
defined, 38
extending, 42, 72
incomplete, 40
special folders, redirecting, 181–186
special permissions, 126, 127, 129–132
special shares, 100–102
Specify Default Quota Limit And Warning
Level policy, 143
Specify Intranet Microsoft Update Service
Location policy, 200
Spindles. SeeВ physical disks
Spool folder, 329, 330
spooler
described, 299
restarting, 322
SRV (service location) records, 283
SSD storage, 57
SSL connections, 196
Stale Data volume status, 41
standard file sharing, 81, 82, 83
Standard Format hard drives, 5
standard volumes, 64, 65
standards-based storage
described, 37
layers, 54
storage spaces, 54
START BACKUP command, 347, 349, 356, 357
Start Menu folder, redirecting, 181
Start Of Authority (SOA) records, 283,
287,В 288
START RECOVERY command, 347, 350
START SYSTEMSTATEBACKUP command, 347,
350, 363
START SYSTEMSTATERECOVERY command,
347, 350, 363
Start Windows Normally option, 363
startup
failure, recovering from, 358–361
mode, security policies and, 175
safe mode, 361–363
scripts, assigning, 188
system services policy configuration,
162, 163
Windows Boot Manager and, 72
Startup Recovery Options, 365
Startup Repair tool (StR), 360, 365
stateless and stateful addresses, 219
static IP addresses, configuring, 209
statistics for scopes, viewing, 252
STOP JOB command, 347, 349
stopping file and folder sharing, 106
storage management
disk mirroring, 46–49
disk striping, 45, 46
disk striping with parity, 49
fault tolerance, 44, 45
performance, improving, 44, 45
traditional vs. standards-based, 37
volumes and volume sets, 38–44
storage pools
allocating space, 57, 58, 61
creating, 58–62
defined, 53
hot spare errors, 63
troubleshooting, 66, 67
virtual disks, creating in, 62–64
storage reporting, 11
Storage Services role service, 3, 54
storage spaces
checking version, 56
creating storage pools, 58–62
defined, 53
file systems and, 11
resetting, 63
troubleshooting, 66, 67
upgrading version, 56
storage subsystem, 53, 54
storage tiers, 57, 63
striping, 45, 46, 52
striping with parity, 44, 45, 52, 53, 59
subdomains, 280
subnet masks, 211
subnets, deleting, 282
suffixes, DNS, 266, 267
suggested value changes, security templates
and, 160, 161
Super DLT (SDLT), 339
superscopes, 223, 238, 239
391
sync folders
sync folders
permissions, 118
redirected folders and, 114
sync shares, 114–120
synchronizing data, Work Folders and,
195,В 196
System Image Recovery tool, 365
system partition or volume, 20
system recovery, 364–367
system resources, auditing, 134–140
system services policies
configuring, 162, 163
described, 157
system state, backing up and restoring,
363,В 364
system volumes
changing drive letters for, 67
repairing, 76
repairing mirrored sets, 51
repairing mirror to enable boot, 52
striped sets and, 46
SYSVOL share, 101
T
Take Ownership special permission, 126, 127
taking ownership of an object, 122, 123
tape drives as backup devices, 339
TCP Chimney offloading, 206
TCP/IP
configuring, 209
described, 201
DHCP and, 217
Group Policy and, 201
installing, 208, 209
temperatures, drive specifications and, 7
templates, certificates, 197. See alsoВ security
templates
Teredo, 206
three-way mirrors, 59
timeout intervals, 207
time stamp update records, filesystem log
buffer and, 65
time to failure, drive specifications and, 7
Tmp.edb file, 257
touch-enabled computers, xv
tracing, 207
traditional storage management, 37
transactional NTFS, 74
transferring object ownership, 122
transform (.mst) files, 191
392
Traverse Folder/Execute File special
permission, 126, 127
troubleshooting
networks, 206, 207
printer connections, 315
print spooler problems, 322
startup issues, 361–363
storage spaces, 66, 67
trust anchors, 280
trusted publishers list, 207
two-way mirrors, 59
U
UEFI (Unified Extensible Firmware
Interface),В 8, 9
UI changes since Windows Server 2012,
xv,В xvi
Unallocated label, on partitions, 12
Unallocated volume status, mirrored sets
and, 52
Unified Extensible Firmware Interface
(UEFI),В 8, 9
uninstalling dynamic disks, 23
UNIX computers, NFS sharing and, 108
Unknown volume status, 41
unmounted drives, 67
Unreadable drive status, 17
Unreadable volume status
mirrored sets and, 51
striped sets with parity and, 53
Unrecognized drive status, 18
unresponsive applications, 359
unsigned files, 207
unspecified services, 175
untrusted publishers, 207
updates, automating, 197–200
updating
certificate templates, 197
deployed software, 194
printer drivers, 323, 324
upgrading deployed software, 194, 195
USB devices
data transfer and, 14
Unreadable drive status and, 17
user assignment, software deployment
method, 190, 191
user claims, 132
user interface changes since Windows Server
2012, xv, xvi
user logon and logoff scripts, 189, 190
User publishing, software deployment
method, 191
wired policies
V
variables for disk quota messages, 153
VBScript, 187
VHDs
disk type, 13
managing, 23, 24
Videos folder, redirecting, 181
viewing
disk quota entries, 147
existing shares, 86
NTFS permissions, 124
printer queues, 331
print jobs, 331
share permissions, 95–99
virtual disks
defined, 53
creating in storage spaces, 62–64
provisioning, 63
sizing, 64
troubleshooting, 66
virtual hard disks (VHDs)
disk type, 13
managing, 23, 24
virtual machines, networking and, 214
virtual memory, running out of, 360
virtual networks, 213, 214
volume sets
advantages and disadvantages, 40
creating, 42, 43
described, 38
deleting, 44
segmentation, 39, 40
sizing, 43
Volume Shadow Copy Service (VSS), 342
volumes
assigning drive letters, 26, 43
capabilities, 39
changing drive letters, 67
color coding, 38
compression, 43
converting dynamic disks to basic disks
and, 20
converting to NTFS, 70, 71
creating, 25–28, 42, 43
defined, 38
deleting, 44, 54, 69
dismounting, 76
drive letters and, 23
formatting, 27, 28, 54
labels, 27, 43, 68, 69
management options, 54, 55
mounting, 23, 43
properties, 38, 55
reactivating, 40, 50, 51, 53
resizing, 72, 73
scheduled backups and, 351
shrinking, 54, 72
sizing, 25, 26, 43
standard, 64, 65
status values, list of, 40, 41
W
warning limits, disk quotas and, 144, 145, 151
Wbadmin, 343, 346–350, 354
Web Services for Devices (WSD) printers,
311, 312
WIM (Windows Imaging) format.
SeeВ Windows Imaging (WIM) format
Windows Boot Manager, 72
Windows Diagnostics framework, 75, 197
Windows Installer packages (.msi)
described, 191
updating deployed software, 194
upgrading deployed software, 194, 195
Windows Memory Diagnostics, 360, 361, 365
Windows Network Diagnostics, 201, 204, 206
Windows PowerShell, 187
Windows Script Host (WSH), 187
Windows Server 2012 R2 diagnostics and
resolution architecture, 358–360
Windows Server Backup
default performance settings, 345
described, 2, 341, 342
extensions, 344
full backups, 345
full system recovery and, 365
installing, 343
manual backups, 357
permissions, 344
Recovery Wizard, 367
requirements, 342
scheduling automated backups,
352–355
scheduling limitations, 344
starting, 343
Windows Server Backup Module for
Windows PowerShell, 341
Windows Server Update Services
(WSUS),В 200
Windows Standards-Based Storage
Management feature, 54
Windows Update
binary source files for print servers, 301
Group Policy, managing with, 197–200
printer drivers, 310, 313
WINS vs. GlobalNames resolution, 265
Winspool.drv, 299
Wire AutoConfig service, 205
wired policies, 205
393
wireless policies
wireless policies, 205
Work Folders, 114
accessing, 119, 120
deploying, 195
discovery, 196
purpose, 195
Work Folders role service, 3, 195
Write Attributes special permission, 126,
127, 138
write-back caching, 57
Write Extended Attributes special
permission, 126, 127, 138
Write file and folder permissions, 125,
126,В 127
Z
.zap files, 191
ZAW Down-Level Application Packages
(.zap), 191
zones
creating child domains in separate, 281
creating child domains within, 280
DNS, 262
global names, 275, 276
setting type, 291
signing, 279, 280
updating properties, 287–291
Zone Signing Keys (ZSKs), 279
zone transfers, 289, 290
394
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertisement