Contents - Pearsoncmg
Add to my manualsadvertisement
◉
Touch to zoom
The practical, portable guide for Windows Server administrators! Portable and precise, this pocket-sized guide delivers ready answers for administering storage, security, and networking features in Windows Server 2012 R2. Zero in on core procedures and operations through quickreference tables, instructions, and lists. You’ll get the focused information you need to save time and get the job done—whether at your desk or in the п¬Ѓeld. Get fast facts to: • • • • • • • • • • Administer п¬Ѓle systems and drives Conп¬Ѓgure storage and implement RAID About the Author William R. Stanek is a Microsoft MVP with 20+ years of experience in systems management and advanced programming. He is an awardwinning author of more than 150 books, including Windows Server 2012 Inside Out and the Pocket Consultants for Microsoft Exchange Server 2013, Windows 8.1, and SQL Server 2012. He is the series editor for the Pocket Consultant line of books. Conп¬Ѓgure п¬Ѓle sharing and permissions Audit system resources and implement quotas Administer Group Policy and security settings Install and conп¬Ѓgure DHCP servers Also Look For Set up and optimize DNS on a network Manage TCP/IP and network connections Manage and troubleshoot print services Encrypt, back up, and restore data Windows Server 2012 R2 Conп¬Ѓguration, Storage, & Essentials Inside Out William Stanek ISBN 9780735682672 microsoft.com/mspress ISBN: 978-0-7356-8259-7 U.S.A. $39.99 Canada $41.99 [Recommended] Operating Systems/ Windows Server Celebrating 30 years! Windows Server 2012 R2 Pocket Consultant Storgae, Security, & Networking Windows Server 2012 R2 Storage, Security, & Networking Pocket Consultant Stanek Windows Server 2012 R2 Storage, Security, & Networking William R. Stanek Author and Series Editor Pocket Consultant PUBLISHED BY Microsoft Press A Division of Microsoft Corporation One Microsoft Way Redmond, Washington 98052-6399 Copyright В© 2014 by William R. Stanek All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher. Library of Congress Control Number: 2013956655 ISBN: 978-0-7356-8259-7 Printed and bound in the United States of America. First Printing Microsoft Press books are available through booksellers and distributors worldВВВwide. IfВ you need support related to this book, email Microsoft Press Book SupportВ atВ [email protected]. Please tell us what you think of this book at http://www.microsoft.com/learning/booksurvey. Microsoft and the trademarks listed at http://www.microsoft.com/en-us/legal/ intellectualproperty/trademarks/en-us.aspx are trademarks of the Microsoft group ofВ companies. All other marks are property of their respective owners. The example companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, email address, logo, person, place, or event is intended or should be inferred. This book expresses the author’s views and opinions. The information contained in this book is provided without any express, statutory, or implied warranties. Neither the authors, Microsoft Corporation, nor its resellers, or distributors will be held liable for any damages caused or alleged to be caused either directly or indirectly by this book. Acquisitions Editor: Anne Hamilton Developmental Editor: Karen Szall Editorial Production: Online Training Solutions, Inc. (OTSI) Project Editor: Karen Szall Technical Reviewer: Charlie Russell; Technical Review services provided by ContentВ Master, a member of CM Group, Ltd. Copyeditor: Denise Bankaitis (OTSI) Indexer: Krista Wall (OTSI) Cover: Best & Company Design Contents Introductionxv Chapter 1 Managing file systems andВ drives 1 Managing the File And Storage Services role. . . . . . . . . . . . . . . . . . . 1 Adding hard drives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Physical drives 5 Preparing a physical drive for use 8 Using Disk Management 11 Using removable storage devices 14 Installing and checking for a new drive 16 Understanding drive status 16 Working with basic, dynamic, and virtual disks. . . . . . . . . . . . . . . . 18 Using basic and dynamic disks 18 Special considerations for basic and dynamic disks 19 Changing drive types 20 Reactivating dynamic disks 22 Rescanning disks 22 Moving a dynamic disk to a new system 22 Managing virtual hard disks 23 Using basic disks and partitions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 Partitioning basics 24 Creating partitions and simple volumes 25 Formatting partitions 28 Compressing drives and data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 Compressing drives 30 Compressing directories and files 30 Expanding compressed drives 31 Expanding compressed directories and files 31 What do you think of this book? We want to hear from you! Microsoft is interested in hearing your feedback so we can continually improve our books and learning resources for you. To participate in a brief online survey, please visit: microsoft.com/learning/booksurvey iii Encrypting drives and data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 Understanding encryption and the encrypting file system Chapter 2 32 Encrypting directories and files 33 Working with encrypted files and folders 34 Configuring recovery policies 35 Decrypting files and directories 36 Configuring storage 37 Using volumes and volume sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 Understanding volume basics 38 Understanding volume sets 39 Creating volumes and volume sets 42 Deleting volumes and volume sets 44 Managing volumes 44 Improving performance and fault tolerance with RAID. . . . . . . . . 44 Implementing RAID on Windows Server 2012 R2. . . . . . . . . . . . . . 45 Implementing RAID-0: disk striping 45 Implementing RAID-1: disk mirroring 46 Implementing RAID-5: disk striping with parity 49 Managing RAID and recovering from failures . . . . . . . . . . . . . . . . . 50 Breaking a mirrored set 50 Resynchronizing and repairing a mirrored set 50 Repairing a mirrored system volume to enable boot 51 Removing a mirrored set 52 Repairing a striped set without parity 52 Regenerating a striped set with parity 52 Standards-based storage management. . . . . . . . . . . . . . . . . . . . . . . 53 Getting started with standards-based storage 53 Working with standards-based storage 54 Using storage pools and allocating space 57 Creating a storage pool 58 Creating a virtual disk in a storage space 62 Creating a standard volume 64 Troubleshooting storage spaces 66 Managing existing partitions and drives. . . . . . . . . . . . . . . . . . . . . . 67 iv Contents Assigning drive letters and paths 67 Changing or deleting the volume label 68 Deleting partitions and drives 69 Converting a volume to NTFS 70 Resizing partitions and volumes 72 Repairing disk errors and inconsistencies automatically 73 Analyzing and optimizing disks 78 CHAPTER 3 Data sharing and redundancy 81 Using and enabling file sharing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82 Configuring standard file sharing. . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 Understanding SMB changes 85 Viewing existing shares 86 Creating shared folders in Computer Management 88 Creating shared folders in Server Manager 91 Changing shared folder settings 94 Managing share permissions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 Understanding the various share permissions 95 Viewing and configuring share permissions 95 Managing existing shares. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100 Understanding special shares 100 Connecting to special shares 101 Viewing user and computer sessions 102 Stopping file and folder sharing 106 Configuring NFS sharing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107 Using shadow copies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109 Understanding shadow copies 109 Creating shadow copies 110 Restoring a shadow copy 110 Reverting an entire volume to a previous shadow copy 111 Deleting shadow copies 111 Disabling shadow copies 111 Connecting to network drives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112 Mapping a network drive 112 Disconnecting a network drive 113 Configuring synced sharing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114 Getting started with Work Folders 114 Creating sync shares and enabling SMB access 116 Accessing Work Folders on clients 119 Contents v CHAPTER 4 Data security and auditing 121 Object management, ownership, and inheritance. . . . . . . . . . . . 121 Objects and object managers 121 Object ownership and transfer 122 Object inheritance 123 File and folder permissions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124 Understanding file and folder permissions 125 Setting basic file and folder permissions 127 Setting special permissions on files and folders 129 Setting claims-based permissions 132 Auditing system resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134 Setting auditing policies 135 Auditing files and folders 136 Auditing the registry 138 Auditing Active Directory objects 139 Using, configuring, and managing NTFS disk quotas. . . . . . . . . 140 Understanding NTFS disk quotas and how NTFS quotas areВ used 141 Setting NTFS disk quota policies 142 Enabling NTFS disk quotas on NTFS volumes 145 Viewing disk quota entries 147 Creating disk quota entries 147 Deleting disk quota entries 148 Exporting and importing NTFS disk quota settings 149 Disabling NTFS disk quotas 150 Using, configuring, and managing Resource Manager disk quotas. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150 Understanding Resource Manager disk quotas 151 Managing disk quota templates 152 Creating Resource Manager disk quotas 155 CHAPTER 5Enhancing computer security 157 Using security templates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157 Using the Security Templates and Security Configuration And Analysis snap-ins vi Contents 159 Reviewing and changing template settings 159 Analyzing, reviewing, and applying security templates 167 Deploying security templates to multiple computers 170 Using the Security Configuration Wizard . . . . . . . . . . . . . . . . . . . . 172 Creating security policies 172 Editing security policies 177 Applying security policies 177 Rolling back the last applied security policy 178 Deploying a security policy to multiple computers 178 CHAPTER 6 Managing users and computers with Group Policy 181 Centrally managing special folders. . . . . . . . . . . . . . . . . . . . . . . . . 181 Redirecting a special folder to a single location 182 Redirecting a special folder based on group membership 184 Removing redirection 186 User and computer script management . . . . . . . . . . . . . . . . . . . . 187 Assigning computer startup and shutdown scripts 187 Assigning user logon and logoff scripts 189 Deploying software through Group Policy. . . . . . . . . . . . . . . . . . 190 Getting to know Software Installation policy 190 Deploying software throughout your organization 191 Configuring software deployment options 192 Updating deployed software 194 Upgrading deployed software 194 Automatically configuring Work Folders. . . . . . . . . . . . . . . . . . . . 195 Automatically enrolling computer and user certificates. . . . . . . 196 Managing Automatic Updates in Group Policy . . . . . . . . . . . . . . 197 Configuring Automatic Updates 198 Optimizing Automatic Updates 199 Using intranet update service locations 200 CHAPTER 7 Managing TCP/IP networking 201 Navigating networking in Windows Server 2012 R2. . . . . . . . . . 201 Managing networking in Windows 8.1 and Windows Server 2012 R2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205 Installing TCP/IP networking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208 Configuring TCP/IP networking. . . . . . . . . . . . . . . . . . . . . . . . . . . . 209 Configuring static IP addresses 209 Contents vii Configuring dynamic IP addresses and alternate IPВ addressing 211 Configuring multiple gateways 212 Configuring networking for Hyper-V 213 Managing network connections. . . . . . . . . . . . . . . . . . . . . . . . . . . . 214 Checking the status, speed, and activity for network connections 215 Enabling and disabling network connections 215 Renaming network connections 215 CHAPTER 8 Running DHCP clients andВ servers 217 Understanding DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217 Using dynamic IPv4 addressing and configuration 217 Using dynamic IPv6 addressing and configuration 219 Checking IP address assignment 221 Understanding scopes 222 Installing a DHCP server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223 Installing DHCP components 223 Starting and using the DHCP console 225 Connecting to remote DHCP servers 227 Starting and stopping a DHCP server 227 Authorizing a DHCP server in Active Directory 228 Configuring DHCP servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228 Configuring server bindings 228 Updating DHCP statistics 229 Auditing and troubleshooting DHCP 229 Integrating DHCP and DNS 230 Integrating DHCP and NAP 232 Avoiding IP address conflicts 236 Saving and restoring the DHCP configuration 236 Managing DHCP scopes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238 Creating and managing superscopes 238 Creating and managing scopes 239 Creating and managing failover scopes 249 Managing the address pool, leases, and reservations. . . . . . . . . . 252 viii Contents Viewing scope statistics 252 Enabling and configuring MAC address filtering 253 Setting a new exclusion range 254 Reserving DHCP addresses 255 Modifying reservation properties 257 Deleting leases and reservations 257 Backing up and restoring the DHCP database. . . . . . . . . . . . . . . . 257 Chapter 9 Backing up the DHCP database 257 Restoring the DHCP database from backup 258 Using backup and restore to move the DHCP database to a new server 258 Forcing the DHCP Server service to regenerate the DHCP database 259 Reconciling leases and reservations 259 Optimizing DNS 261 Understanding DNS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261 Integrating Active Directory and DNS 262 Enabling DNS on the network 263 Configuring name resolution on DNS clients. . . . . . . . . . . . . . . . 266 Installing DNS servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267 Installing and configuring the DNS Server service 268 Configuring a primary DNS server 270 Configuring a secondary DNS server 273 Configuring reverse lookups 274 Configuring global names 275 Managing DNS servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276 Adding and removing servers to manage 277 Starting and stopping a DNS server 278 Using DNSSEC and Signing Zones 278 Creating child domains within zones 280 Creating child domains in separate zones 281 Deleting a domain or subnet 282 Managing DNS records. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282 Adding address and pointer records 283 Adding DNS aliases with CNAME 284 Adding mail exchange servers 284 Adding name servers 285 Viewing and updating DNS records 286 Updating zone properties and the SOA record. . . . . . . . . . . . . . 287 Modifying the SOA record 287 Contents ix Allowing and restricting zone transfers 289 Notifying secondaries of changes 290 Setting the zone type 291 Enabling and disabling dynamic updates 291 Managing DNS server configuration and security. . . . . . . . . . . . 292 Enabling and disabling IP addresses for a DNS server 292 Controlling access to DNS servers outside the organization 292 Enabling and disabling event logging 294 Using debug logging to track DNS activity 294 Monitoring a DNS server 295 Chapter 10 Administering network printers and print services 297 Managing the Print and Document Services role . . . . . . . . . . . . 297 Using print devices 298 Printing essentials 298 Configuring print servers 300 Enabling and disabling file and printer sharing 302 Getting started with Print Management. . . . . . . . . . . . . . . . . . . . 302 Installing printers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304 Using the autoinstall feature of Print Management 305 Installing and configuring physically attached print devices 307 Installing network-attached print devices 311 Connecting to printers created on the network 314 Deploying printer connections 315 Configuring point and print restrictions 317 Moving printers to a new print server 319 Monitoring printers and printer queues automatically 320 Solving spooling problems 322 Configuring printer properties. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322 x Contents Adding comments and location information 322 Listing printers in Active Directory 323 Managing printer drivers 323 Setting a separator page and changing print device mode 324 Changing the printer port 325 Scheduling and prioritizing print jobs 325 Starting and stopping printer sharing 327 Setting printer access permissions 327 Auditing print jobs 329 Setting document defaults 329 Configuring print server properties. . . . . . . . . . . . . . . . . . . . . . . . 329 Locating the Spool folder and enabling printing on NTFS 329 Managing high-volume printing 330 Enabling print job error notification 330 Managing print jobs on local and remote printers. . . . . . . . . . . . 331 Viewing printer queues and print jobs 331 Pausing the printer and resuming printing 332 Emptying the print queue 332 Pausing, resuming, and restarting individual document printing 332 Removing a document and canceling a print job 332 Checking the properties of documents in the printer 333 Setting the priority of individual documents 333 Scheduling the printing of individual documents 333 Chapter 11 Data backup and recovery 335 Creating a backup and recovery plan. . . . . . . . . . . . . . . . . . . . . . . . 335 Figuring out a backup plan 335 Basic types of backup 337 Differential and incremental backups 338 Selecting backup devices and media 339 Common backup solutions 339 Buying and using backup media 340 Selecting a backup utility 341 Backing up your data: the essentials. . . . . . . . . . . . . . . . . . . . . . . . 342 Installing the Windows backup and recovery utilities 343 Getting started with Windows Server Backup 343 Getting started with the Backup Command-Line utility 346 Working with Wbadmin commands 348 Using general-purpose commands 348 Using backup management commands 349 Using recovery management commands 350 Contents xi Performing server backups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350 Configuring scheduled backups 352 Modifying or stopping scheduled backups 355 Creating and scheduling backups with Wbadmin 356 Running manual backups 357 Recovering your server from hardware or startup failure 358 Recovering from a failed start 361 Starting a server in safe mode 361 Backing up and restoring the system state 363 Restoring Active Directory 364 Restoring the operating system and the full system 364 Restoring applications, nonsystem volumes, and files and folders 367 Managing encryption recovery policy. . . . . . . . . . . . . . . . . . . . . . 368 Understanding encryption certificates and recovery policy 368 Configuring the EFS recovery policy 370 Backing up and restoring encrypted data and certificates . . . . 371 Backing up encryption certificates 371 Restoring encryption certificates 372 Index 373 About the author 395 What do you think of this book? We want to hear from you! Microsoft is interested in hearing your feedback so we can continually improve our books and learning resources for you. To participate in a brief online survey, please visit: microsoft.com/learning/booksurvey xii Contents Acknowledgments T o my readers—thank you for being there with me through many books and many years. It has been an honor and a privilege to be your pocket consultant. To my wife—for many years, through many books, many millions of words, and many thousands of pages she’s been there, providing support and encouragement and making every place we’ve lived a home. To my kids—for helping me see the world in new ways, forВ having exceptional patience and boundless love, and for making every day an adventure. To Anne, Karen, Martin, Lucinda, Juliana, and many others who’ve helped out in ways both large and small. Special thanks to my son Will for not only installing and managing my extensive dev lab for all my books since Windows 8 Pocket Consultant but for also performing checkВ reads of all those books as well. —William R. Stanek xiii Introduction W indows Server 2012 R2 Pocket Consultant: Storage, Security, & Networking is designed to be a concise and compulsively usable resource for Windows administrators, developers, and programmers, and for anyone else who wants to use the storage, networking, and security features of Windows Server 2012 R2. This is the readable resource guide that you’ll want on your desk or in your pocket at all times. The book discusses everything you need to perform core tasks. Because the focus is directed on providing you with the maximum value in a pocket-sized guide, you don’t have to wade through hundreds of pages of extraneous information to find what you’re looking for. Instead, you’ll find exactly what you need to get the job done. In short, the book is designed to be the one resource you consult whenever you have questions regarding storage, networking, and security in Windows Server 2012В R2. To this end, the book concentrates on configuration options, frequently used tasks, documented examples, and options that are representative but not necessarily inclusive. One of the goals is to keep the content so concise that the book remains compact and easy to navigate while ensuring that the book is packed with as much information as possible—making it a valuable resource. Anyone transitioning to Windows Server 2012 R2 from Windows Server 2012 might be surprised at just how much has been updated, as changes both subtle and substantial have been made throughout the operating system. Like Windows Server 2012, Windows Server 2012 R2 supports a touch user interface (UI), in addition to the traditional mouse and keyboard. Although you might not install Windows Server 2012 R2 on touch UI–capable computers, you can manage Windows Server 2012 R2 from your touch UI–capable computers. If you do end up managing it this way, understanding the touch UI in addition to the revised interface options will be crucial to your success. For this reason, I discuss both the touch UI and the traditional mouse and keyboard techniques throughout this book. When you are working with touch-enabled computers, you can manipulate on-screen elements in ways that weren’t possible previously. You can do any of the following: в– в– в– в– в– в– Tap  Tap an item by touching it with your finger. A tap or double-tap of elements on the screen generally is the equivalent of a mouse click or double-click. Press and hold  Press your finger down and leave it there for a few seconds. Pressing and holding elements on the screen generally is the equivalent of a right-click. Swipe to select  Slide an item a short distance in the opposite direction compared to how the page scrolls. This selects the items and might also bring up related commands. If press and hold doesn’t display commands andВ options for an item, try using swipe to select instead. xv в– в– в– в– в– в– Swipe from edge (slide in from edge)  Starting from the edge of the screen, swipe or slide in. Sliding in from the right edge opens the Charms panel. Sliding in from the left edge shows open apps and enables you to switch between them easily. Sliding in from the top or bottom edge shows commands for the active element. Pinch  Touch an item with two or more fingers, and then move the fingers toward each other. Pinching zooms out. Stretch  Touch an item with two or more fingers, and then move the fingers away from each other. Stretching zooms in. You are also able to enter text using the on-screen keyboard. Although the UI changes are substantial, they aren’t the most significant changes to the operating system. The most significant changes are below the surface, affecting the underlying architecture and providing many new features. Some of these features are revolutionary in that they forever change the way we use Windows. As you’ve probably noticed, a great deal of information about Windows Server 2012 R2 is available on the Web and in other printed books. You can find tutorials, reference sites, discussion groups, and more to make using Windows Server 2012 R2 easier. However, the advantage of reading this book is that much of the information you need to learn about Windows Server 2012 R2 is organized in one place and presented in a straightforward and orderly fashion. This book has everything you need to customize Windows Server 2012 R2 installations, master Windows Server 2012 R2 configurations, and maintain Windows Server 2012 R2 servers. In this book, I teach you how features work, why they work the way they do, and how to customize them to meet your needs. I also offer specific examples of how certain features can meet your needs, and how you can use other features to troubleshoot and resolve issues you might have. In addition, this book provides tips, best practices, and examples of how to optimize Windows Server 2012 R2. This book won’t just teach you how to configure Windows Server 2012 R2, it will teach you how to squeeze every last bit of power out of it and make the most from the features and options it includes. Unlike many other books about managing Windows Server 2012 R2, this book doesn’t focus on a specific user level. This isn’t a lightweight beginner book. Regardless of whether you are a beginning administrator or a seasoned professional, many of the concepts in this book will be valuable to you, and you can apply them to your Windows Server 2012 R2 installations. Who is this book for? Windows Server 2012 R2 Pocket Consultant: Storage, Security, & Networking covers all editions of Windows Server 2012 R2. The book is designed for the following readers: xvi в– в– Current Windows system administrators в– в– Accomplished users who have some administrator responsibilities в– в– Administrators upgrading to Windows Server 2012 R2 from previous versions в– в– Administrators transferring from other platforms Introduction To pack in as much information as possible, I had to assume that you have basic networking skills and a basic understanding of Windows Server. With this in mind, I don’t devote entire chapters to explaining Windows Server architecture or why you want to use Windows Server. I do, however, cover configuring storage, security, auditing, and much more. I also assume that you are fairly familiar with Windows commands and procedures in addition to the Windows user interface. If you need help learning Windows basics, you should read other resources (many of which are available from Microsoft Press). How is this book organized? Rome wasn’t built in a day, nor was this book intended to be read in a day, in a week, or even in a month. Ideally, you’ll read this book at your own pace, a little each day as you work your way through all the features Windows Server 2012 R2 has to offer. This book is organized into 11 chapters. The chapters are arranged in aВ logical order, taking you from planning and deployment tasks to configuration and maintenance tasks. Ease of reference is an essential part of this hands-on guide. This book has an expanded table of contents and an extensive index for finding answers to problems quickly. Many other quick-reference features have been added to the book as well, including quick step-by-step procedures, lists, tables with fast facts, and extensive cross references. Conventions used in this book I’ve used a variety of elements to help keep the text clear and easy to follow. You’ll find code listings in monospace type. When I tell you to actually enter a command, the command appears in bold type. When I introduce and define a new term or use a code term in a paragraph of text, I put it in italics. NOTE  Group Policy includes both policies and preferences. Under the Computer Configuration and User Configuration nodes, you find two nodes: Policies and Preferences. Settings for general policies are listed under the Policies node. Settings forВ general preferences are listed under the Preferences node. When referencing settings under the Policies node, I sometimes use shortcut references, such as User Configuration\Administrative Templates\Windows Components, or specify that the policies are found in the Administrative Templates for User Configuration under Windows Components. Both references tell you that the policy setting being disВcussed is under User Configuration rather than Computer Configuration and can beВ found under Administrative Templates\Windows Components. Other conventions include the following: в– в– в– в– Best Practices  To examine the best technique to use when working with advanced configuration and maintenance concepts Caution  To warn you about potential problems Introduction xvii в– в– Important  To highlight important concepts and issues в– в– More Info  To provide more information on a subject в– в– Note  To provide additional details on a particular point that needs emphasis в– в– Real World  To provide real-world advice when discussing advanced topics в– в– Security Alert  To point out important security issues в– в– Tip  To offer helpful hints or additional information I truly hope you find that Windows Server 2012 R2 Pocket Consultant: Storage, Security, & Networking provides everything you need to perform the essential administrative tasks on Windows servers as quickly and efficiently as possible. You are welcome to send your thoughts to me at [email protected]. Follow me on Twitter atВ WilliamStanek and on Facebook at www.facebook.com/William.Stanek. Author. Other resources No single magic bullet for learning everything you’ll ever need to know about Windows Server 2012 R2 exists. Even though some books are offered as all-in-one guides, there’s just no way one book can do it all. With this in mind, I hope you use this book as it is intended to be used—as a concise and easy-to-use resource. It covers everything you need to perform core administration tasks for Windows servers, but it is by no means exhaustive. Your current knowledge will largely determine your success with this or any other Windows resource or book. As you encounter new topics, take the time to practice what you’ve learned and read about. Seek out further information as necessary to get the practical hands-on know-how and knowledge you need. I recommend that you regularly visit the Microsoft website for Windows Server (microsoft.com/windowsserver) and support.microsoft.com to stay current with theВ latest changes. To help you get the most out of this book, you can visit my corresponding website at williamstanek.com/windows. This site contains information about Windows Server 2012 R2 and updates to the book. Errata and book support We’ve made every effort to ensure the accuracy of this book and its companion content. Any errors that have been reported since this book was published are listed at: http://aka.ms/WSR2PC2/errata If you find an error that is not already listed, you can report it to us through the same page. If you need additional support, email Microsoft Press Book Support at: [email protected] Please note that product support for Microsoft software is not offered through the addresses above. xviii Introduction We want to hear from you At Microsoft Press, your satisfaction is our top priority, and your feedback is our most valuable asset. Please tell us what you think of this book at: http://aka.ms/tellpress The survey is short, and we read every one of your comments and ideas. Thanks in advance for your input! Stay in touch Let’s keep the conversation going! We’re on Twitter: http://twitter.com/MicrosoftPress. Introduction xix CHAPTER 3 Data sharing and redundancy в– в– Using and enabling file sharing  82 в– в– Configuring standard file sharing  85 в– в– Managing share permissions  95 в– в– Managing existing shares  100 в– в– Configuring NFS sharing  107 в– в– Using shadow copies  109 в– в– Connecting to network drives  112 в– в– Configuring synced sharing  114 T he Server Message Block (SMB) protocol is the primary file sharing protocol used by computers running Windows. When folders are shared over a network, an SMB client reads and writes to files and requests services from computers hosting SMB-shared folders. With SMB, Windows Server 2012 R2 supports standard file sharing and public folder sharing. Standard file sharing makes it possible for remote users to access network resources such as files, folders, and drives. When you share a folder or a drive, you make all its files and subfolders available to a specified set of users. Because you don’t need to move files from their current location, standard file sharing is also referred to as in-place file sharing. You can enable standard file sharing on disks formatted with FAT, FAT32, exFAT, NTFS, or Resilient File System (ReFS). One set of permissions apply to disks formatted with exFAT, FAT, or FAT32. These permissions are called share permissions. Two sets of permissions apply to disks formatted with NTFS or ReFS: NTFS permissions (also referred to as access permissions) and share permissions. Having two sets of permissions allows you to determine precisely who has access to shared files and the level of access assigned. With either NTFS permissions or share permissions, you do not need to move the files you are sharing. With public folder sharing, you share files by just copying or moving files to the computer’s Public folder. Public files are available to anyone who logs on to a computer locally regardless of whether that person has a standard user account or an administrator user account on the computer. You can also grant network access to the Public folder; however, if you do this, there are no access restrictions. The Public folder and its contents are open to everyone who can access the computer over the local network. 81 Using and enabling file sharing The sharing settings on a computer determine the way files can be shared. The two file sharing models that Windows Server 2012 R2 supports have the following differences: в– в– в– в– Standard (in-place) file sharing  Allows remote users to access files, folders, and drives over the network. When you share a folder or a drive, you make all its files and subfolders available to a specified set of users. Share permissions and access permissions together enable you to control who has access to shared files and the level of access assigned. You do not need to move the files you are sharing. Public folder sharing  Allows local users and (optionally) remote users to access any files placed in the computer’s %SystemDrive%\Users\Public folder. Access permissions on the Public folder determine which users and groups have access to publicly shared files in addition to the level of access those users and groups have. When you copy or move files to the Public folder, access permissions are changed to match those of the Public folder. Some additional permissions are added as well. When a computer is part of a workgroup, you can add password protection to the Public folder. Separate password protection isn’t needed in a domain because only domain users can access Public folder data. With standard file sharing, local users don’t have automatic access to any data stored on a computer. You control local access to files and folders by using the security settings on the local disk. With public folder sharing, on the other hand, files copied or moved to the Public folder are available to anyone who logs on locally. You can grant network access to the Public folder as well; however, doing soВ makes the Public folder and its contents open to everyone who can access the computer over the network. Windows Server 2012 R2 adds new layers of security through compound identities, claims-based access controls, and central access policies. With both Windows 8.1 and Windows Server 2012 R2, you can assign claims-based access controls to file and folder resources on NTFS and ReFS volumes. With Windows Server 2012 R2, users are granted access to file and folder resources, either directly with access permissions and share permissions or indirectly with claims-based access controls and central access policies. SMB 3.0 makes it possible to encrypt data being transferred over the network. You can enable SMB encryption for shares configured on NTFS and ReFS volumes. SMB encryption works only when the computer requesting data from an SMB-based share (either a standard file share or a DFS share) and the server supplying the data support SMB 3.0. Both Windows 8.1 and Windows Server 2012 R2 support SMB 3.0. (They have an SMB 3.0 client.) Public folder sharing is designed to enable users to share files and folders from a single location. With public folder sharing, you copy or move files you want to share to a computer’s %SystemDrive%\Users\Public folder. You can access public folders in 82 CHAPTER 3  Data sharing and redundancy File Explorer by double-tapping or double-clicking the system drive, and then accessing the Users\Public folder. The Public folder has several subfolders you can use to help organize public files: в– в– в– в– в– в– Public Desktop  Used for shared desktop items. Any files and program shortcuts placed in the Public Desktop folder appear on the desktop of all users who log on to the computer (and to all network users if network access has been granted to the Public folder). Public Documents, Public Music, Public Pictures, Public Videos Used for shared document and media files. All files placed in one of these subfolders are available to all users who log on to the computer (and to all network users if network access has been granted to the Public folder). Public Downloads  Used for shared downloads. Any downloads placed in the Public Downloads subfolder are available to all users who log on to the computer (and to all network users if network access has been granted to the Public folder). NOTE  By default, the Public Desktop folder is hidden from view. If hidden items aren’t being displayed in File Explorer, tap or click View, and then select Hidden Items. By default, anyone with a user account and password on a computer can access that computer’s Public folder. When you copy or move files to the Public folder, access permissions are changed to match that of the Public folder, and some additional permissions are added as well. You can change the default Public folder sharing configuration in two key ways: в– в– в– в– Allow users logged on to the computer to view and manage public files but restrict network users from accessing public files. When you configure this option, the implicit groups Interactive, Batch, and Service are granted special permissions on public files and public folders. Allow users with network access to view and manage public files. This allows network users to open, change, create, and delete public files. When you configure this option, the implicit group Everyone is granted Full Control permission to public files and public folders. Windows Server 2012 R2 can use either or both sharing models at any time. However, standard file sharing offers more security and better protection than public folder sharing, and increasing security is essential to protecting your organization’s data. With standard file sharing, share permissions are used only when a user attempts to access a file or folder from a different computer on the network. Access permissions are always used, whether the user is logged on to the console or is using a remote system to access a file or folder over the network. When data is accessed remotely, first the share permissions are applied, and then the access permissions are applied. As shown in Figure 3-1, you can configure the basic file sharing settings for a server by using Advanced Sharing Settings in Network And Sharing Center. Separate options are provided for network discovery, file and printer sharing, and public folder sharing. Data sharing and redundancy  CHAPTER 3 83 FIGURE 3-1  Network And Sharing Center shows the current sharing configuration. You can manage a computer’s sharing configuration by following these steps: 1. In Control Panel, tap or click View Network Status And Tasks under the Net- work And Internet heading to open Network And Sharing Center. 2. In Network And Sharing Center, tap or click Change Advanced Sharing Settings in the left pane. Select the network profile for the network on which you want to enable file and printer sharing. Typically, this will be the Domain profile. 3. Standard file and printer sharing controls network access to shared resources. To configure standard file sharing, do one of the following: в– в– Select Turn On File And Printer Sharing to enable file sharing. в– в– Select Turn Off File And Printer Sharing to disable file sharing. 4. Public folder sharing controls access to a computer’s Public folder. To config- ure public folder sharing, expand the All Networks panel by tapping or clicking the related expand button. On the Public Folder Sharing panel, choose one of the following options: в– в– 84 Turn On Sharing So Anyone With Network Access Can Read And Write Files In The Public Folders  Enables public folder sharing by granting access to the Public folder and all public data to anyone who can access the computer over the network. Windows Firewall settings might prevent external access. CHAPTER 3  Data sharing and redundancy в– в– Turn Off Public Folder Sharing  Disables public folder sharing, preventing local network access to the Public folder. Anyone who logs on locally to your computer can still access the Public folder and its files. 5. Tap or click Save Changes. Configuring standard file sharing You use shares to control access for remote users. Permissions on shared folders have no effect on users who log on locally to a server or to a workstation that has shared folders. Understanding SMB changes SMB is the primary file sharing protocol used by Windows operating systems. As Windows itself has changed over the years, so has SMB. To allow for version and feature changes, SMB was designed to enable clients and servers to negotiate and then use the highest version supported by both the client attempting to connect an SMB share and the server hosting the share. The current version of SMB is version 3.02, which is supported by Windows 8.1 and Windows Server 2012 R2. Thus, when a Windows 8.1 computer connects to an SMB share hosted on a server running Windows Server 2012 R2, SMB 3.02 is the version used for the SMB session. The earliest implementation of SMB was called CIFS, which was introduced with Windows NT 4.0, followed by SMB 1.0, which was used by all versions of Windows from Windows 2000 to Windows Server 2003 R2. Beginning with Windows 8.1 and Windows Server 2012 R2, support for CIFS and SMB 1.0 is an optional feature that must be enabled. Because CIFS and SMB 1.0 are outdated, perform poorly, and are less secure than their predecessors, SMB 1.0/CIFS File Sharing Support should not be enabled unless required. That said, if a computer running Windows 8.1 needs to connect to a server running a legacy Windows operating system, the computer must have the SMB 1.0/CIFS File Sharing Support feature enabled. In addition, if a computer running a legacy Windows operating system needs to connect to a server running Windows Server 2012 R2, the server must have the SMB 1.0/CIFS File Sharing Support feature enabled. Table 3-1 provides a summary of the current versions of SMB, the associated versions of Windows, and the major features introduced. You can enter Get-SmbConnection at an elevated, administrator Windows PowerShell prompt to determine the version of SMB a client has negotiated with a file server. In the command output, the version is listed in the Dialect column, as shown in the following sample output: ServerName ---------Server36 Server36 ShareName --------IPC$ PrimaryData UserName -------CPANDL\williams CPANDL\williams Credential Dialect ---------------CPANDL\williams 3.02 CPANDL\williams 3.02 NumOpens -------0 14 Data sharing and redundancy  CHAPTER 3 85 TABLE 3.1  Overview of current SMB versions SMB VERSION WINDOWS VERSION FEATURES SMB 2.0 Windows Vista SP1, Windows Server 2008 Increasing scalability and security, asynchronous operations, larger reads/writes, request compounding SMB 2.1 Windows 7, Windows Server 2008 R2 Large MTU support, BranchCache support SMB 3.0 Windows 8, Windows Server 2012 Enhancements for server clusters, BranchCache v2 support, SMB over RDMA, improved security SMB 3.02 Windows 8.1, Windows Server 2012 R2 Improved performance for SMB over RDMA, additional scale-out options, Hyper-V live migration support IMPORTANT  SMB 3.0 and SMB 3.02 brought many enhancements for performance, especially when you use clustered file servers. A key enhancement that doesn’t rely on a special configuration is end-to-end encryption of SMB data, which eliminates the need to use Internet Protocol security (IPsec), specialized hardware, or wide area network (WAN) accelerators to protect data from eavesdropping. SMB encryption can be enabled on a per-share basis. Viewing existing shares You can use both Computer Management and Server Manager to work with shares. You also can view current shares on a computer by entering net share at a command prompt or by entering get-smbshare at a Windows PowerShell prompt. TIP  The get-smbshare cmdlet is only one of many cmdlets associated with the smbshare module. To get a list of other cmdlets available for working with SMB shares, enter get-command –module smbshare at a Windows PowerShell prompt. NOTE  Computer Management, net share, and get-smbshare display information about SMB-based shares, including standard SMB folder shares, hidden SMB folder shares (those ending with the $ suffix), and SMB folders shared by using Distributed File System (DFS). Server Manager displays information about standard SMB folder shares, SMB folders shared by using DFS, and folders shared by using Network File System (NFS). Server Manager does not display information about hidden SMB folder shares. 86 CHAPTER 3  Data sharing and redundancy In Computer Management, you can view the shared folders on a local or remote computer by following these steps: 1. You’re connected to the local computer by default. If you want to connect to a remote computer, press and hold or right-click the Computer Management node and then tap or click Connect To Another Computer. Choose Another Computer, type the name or IP address of the computer you want to connect to, and then tap or click OK. 2. In the console tree, expand System Tools, expand Shared Folders, and then select Shares. The current shares on the system are displayed, as shown in Figure 3-2. FIGURE 3-2  Available shares are listed in the Shared Folders node. 3. The columns for the Shares node provide the following information: в– в– Share Name  Name of the shared folder. в– в– Folder Path  Complete path to the folder on the local system. в– в– Type  What kind of computers can use the share. This typically shows as Windows because SMB shares are for Windows-based computers. в– в– # Client Connections  Number of clients currently accessing the share. в– в– Description  Description of the share. In Server Manager, you can view the shared folders on a local or remote computer by following these steps: 1. Select the File And Storage Services node, and then select the related Shares subnode. 2. As Figure 3-3 shows, the Shares subnode provides information about shares on each file server that has been added for management. The columns for the Shares subnode provide the following information: в– в– Share  Name of the shared folder. в– в– Local Path  Complete path to the folder on the local system. в– в– Protocol  What protocol the share uses, either SMB or NFS. в– в– Cluster Role  If the server sharing the folder is part of a cluster, the cluster role is shown here. Otherwise, the cluster role is listed as None. Data sharing and redundancy  CHAPTER 3 87 FIGURE 3-3  Tap or click Shares in the main pane (on the left) to view the available shares. 3. When you tap or click a share in the Shares pane, information about the related volume is displayed in the Volume pane. REAL WORLD  NFS is the file sharing protocol used by UNIX-based systems, which includes computers running Apple OS X. As discussed in “Configuring NFS sharing” later in this chapter, you can enable support for NFS by installing the Server For NFS role service as part of the file server configuration. Creating shared folders in Computer Management Windows Server 2012 R2 provides several ways to share folders. You can share local folders by using File Explorer, and you can share local and remote folders by using Computer Management or Server Manager. When you create a share with Computer Management, you can configure its share permissions and offline settings. When you create a share with Server Manager, you can provision all aspects of sharing, including NTFS permissions, encrypted data access, offline settings for caching, and share permissions. Typically, you create shares on NTFS volumes because NTFS offers the most robust solution. In Computer Management, you share a folder by following these steps: 1. If necessary, connect to a remote computer. In the console tree, expand System Tools, expand Shared Folders, and then select Shares. The current shares on the system are displayed. 2. Press and hold or right-click Shares, and then tap or click New Share. This starts the Create A Shared Folder Wizard. Tap or click Next. 3. In the Folder Path text box, enter the local file path to the folder you want to share. The file path must be exact, such as C:\EntData\Documents. If you don’t know the full path, tap or click Browse, use the Browse For Folder dialog box to find the folder you want to share, and then tap or click OK. Tap or click Next. 88 CHAPTER 3  Data sharing and redundancy TIP  If the file path you specified doesn’t exist, the wizard can create it for you. Tap or click Yes when prompted to create the necessary folder or folders. 4. In the Share Name text box, enter a name for the share, as shown in Figure 3-4. This is the name of the folder to which users will connect. Share names must be unique for each system. FIGURE 3-4  Use the Create A Shared Folder Wizard to configure the essential share proper- ties, including name, description, and offline resource usage. TIP  If you want to hide a share from users (which means that they won’t be able to view the shared resource when they try to browse to it in File Explorer or at the command line), enter a dollar sign ($) as the last character of the shared resource name. For example, you could create a share called PrivEngData$, which would be hidden from File Explorer, NET VIEW, and other similar utilities. Users can still connect to the share and access its data if they’ve been granted access permission and they know the share’s name. Note that the $ must be typed as part of the share name when mapping to the shared resource. 5. If you want to, enter a description of the share in the Description text box. When you view shares on a particular computer, the description is displayed in Computer Management. 6. By default, the share is configured so that only files and programs that users specify are available for offline use. Typically, this is the option you want to use because this option also enables users to take advantage of the new Always Offline feature. If you want to use different offline file settings, tap orВ click Change, select the appropriate options in the Offline Settings dialog Data sharing and redundancy  CHAPTER 3 89 box, and then tap or click OK. The offline availability settings available include the following: в– в– в– в– в– в– Only The Files And Programs That Users Specify Are Available Offline  Select this option if you want client computers to cache only the files and programs that users specify for offline use. Optionally, if the BranchCache For Network Files role service is installed on the file server, select Enable BranchCache to enable computers in a branch office to cache files that are downloaded from the shared folder, and then securely share the files to other computers in the branch office. No Files Or Programs From The Shared Folder Are Available Offline Select this option if you don’t want cached copies of the files and programs in the share to be available on client computers for Вoffline use. All Files And Programs That Users Open From The Shared Folder Are Automatically Available Offline  Select this option if you want client computers to automatically cache all files and programs that users open from the share. Optionally, select Optimize For Performance to run cached program files from the local cache instead of the shared folder on the server. 7. Tap or click Next, and then set basic permissions for the share. You’ll find helpful pointers in “Managing share permissions” later in the chapter. The available options are as follows: в– в– в– в– в– в– в– в– All Users Have Read-Only Access  Gives users access to view files and read data. They can’t create, modify, or delete files and folders. Administrators Have Full Access; Other Users Have Read-Only Access Gives administrators complete control over the share. Full access allows administrators to create, modify, and delete files and folders. On an NTFS volume or partition, it also gives administrators the right to change permissions and to take ownership of files and folders. Other users can view files and read data; however, they can’t create, modify, or delete files and folders. Administrators Have Full Access; Other Users Have No Access Gives administrators complete control over the share, but prevents other users from accessing the share. Customize Permissions  Allows you to configure access for specific users and groups, which is usually the best technique to use. Setting share permissions is discussed fully in “Managing share permissions.” 8. When you tap or click Finish, the wizard creates the share and displays a status report, which should state “Sharing Was Successful.” If an error is displayed instead, note the error and take corrective action as appropriate before repeating this procedure to create the share. Tap or click Finish. 90 CHAPTER 3  Data sharing and redundancy Individual folders can have multiple shares. Each share can have a different name and a different set of access permissions. To create additional shares on an existing share, just follow the preceding steps for creating a share with these changes: в– в– в– в– In step 4, when you name the share, make sure that you use a different name. In step 5, when you add a description for the share, use a description that explains what the share is used for and how it’s different from the other shares for the same folder. Creating shared folders in Server Manager In Server Manager, you share a folder by following these steps: 1. The Shares subnode of the File And Storage Services node shows existing shares for file servers that have been added for management. In the Shares pane, tap or click Tasks, and then tap or click New Share to start the New Share Wizard. 2. Choose one of the available file share profiles, and then tap or click Next. TheВ New Share Wizard has the following file share profiles: в– в– в– в– в– в– SMB Share—Quick  A basic profile for creating SMB file shares that allows you to configure the settings and permissions of the shares. SMB Share—Advanced  An advanced profile for creating SMB file shares that allows you to configure the settings, permissions, management properties, and NTFS quota profile (if applicable) of the shares. SMB Share—Applications  A custom profile for creating SMB file shares with settings appropriate for Hyper-V, certain databases, and other server applications. It’s essentially the same as the quick profile, but it doesn’t allow you to enable access-based enumeration or offline caching. NOTE  If you are using the Server For NFS role service, options are available for creating NFS shares as well. REAL WORLD  SMB 3.0 includes enhancements for server-based applications. These enhancements improve performance for small random reads and writes, which are common with server-based applications, such as Microsoft SQL Server OLTP. With SMB 3.0, packets use large Maximum Transmission Units (MTUs) as well, which enhance performance for large, sequential data transfers, such as those used for deploying and copying virtual hard disks (VHDs) over the network, database backup and restore over the network, and SQL Server data warehouse transactions over the network. Data sharing and redundancy  CHAPTER 3 91 3. On the Select The Server And Path For This Share page, select the server and volume on which you want the share to be created. Only file servers you’ve added for management are available. When you are ready to continue, tap or click Next. By default, Server Manager creates the file share as a new folder in the \Shares directory on the selected volume. To override this, choose the Type A Custom Path option, and then either enter the share path, such as C:\Data, or click Browse to use the Select Folder dialog box to select the share path. 4. On the Specify Share Name page, enter a name for the share, as shown in Figure 3-5. This is the name of the folder to which users will connect. Share names must be unique for each system. FIGURE 3-5  Set the name and description for the share. 5. If you want to, enter a description of the share in the Description text box. When you view shares on a particular computer, the description is displayed in Computer Management. 6. Note the local and remote paths to the share. These paths are set based on the share location and share name you specified. When you are ready to continue, tap or click Next. 7. On the Configure Share Settings page, use the following options to configure the way the share is used: в– в– 92 Enable Access-Based Enumeration  Configures permissions so that when users browse the folder, only files and folders a user has been granted at least Read access to are displayed. If a user doesn’t have at least Read (or equivalent) permission for a file or folder within the shared CHAPTER 3  Data sharing and redundancy folder, that file or folder is hidden from view. (This option is dimmed if you are creating an SMB share optimized for applications.) в– в– в– в– Allow Caching Of Share  Configures the share to cache only the files and programs that users specify for offline use. Although you can later edit the share properties and change the offline files’ availability settings, you typically want to select this option because it allows users to take advantage of the new Always Offline feature. Optionally, if the BranchCache For Network Files role service is installed on the file server, select Enable BranchCache to enable computers in a branch office to cache files that are downloaded from the shared folder and then securely share the files to other computers in the branch office. (This option is dimmed if you are creating an SMB share optimized for applications.) Encrypt Data Access  Configures the share to use SMB encryption, which protects file data from eavesdropping while being transferred over the network. This option is useful on untrusted networks. 8. On the Specify Permissions To Control Access page, the default permissions assigned to the share are listed. By default, the special group Everyone is granted the Full Control share permission and the underlying folder permissions are as listed. To change share, folder, or both permissions, tap or click Customize Permissions, and then use the Advanced Security Settings dialog box to configure the required permissions. Setting share permissions is discussed fully in “Managing share permissions” later in this chapter. Setting folder permissions is discussed fully in “Understanding file and folder permissions” in Chapter 4 “Data security and auditing.” NOTE  If the share will be used for Hyper-V, you might need to enable constrained delegation for remote management of the Hyper-V host. 9. If you are using the advanced profile, optionally set the folder management properties, and then tap or click Next. These properties specify the purpose of the folder and the type of data stored in it so that data management policies, such as classification rules, can then use these properties. 10. If you are using the advanced profile, optionally apply a quota based on a template to the folder, and then tap or click Next. You can select only quota templates that have already been created. For more information, see “Managing disk quota templates” in Chapter 4. 11. On the Confirm Selections page, review your selections. When you tap or click Create, the wizard creates the share, configures it, and sets permissions. The status should state, “The share was successfully created.” If an error is displayed instead, note the error and take corrective action as appropriate before repeating this procedure to create the share. Tap or click Close. Data sharing and redundancy  CHAPTER 3 93 Changing shared folder settings When you create a share, you can configure many basic and advanced settings, including those for access-based enumeration, encrypted data access, offline settings for caching, and management properties. In Server Manager, you can modify these settings by following these steps: 1. The Shares subnode of the File And Storage Services node shows existing shares for file servers that have been added for management. Press and hold or right-click the share with which you want to work, and then tap or click Properties. 2. In the Properties dialog box, shown in Figure 3-6, you have several options panels that can be accessed by using controls in the left pane. You can expand the panels one by one or tap or click Show All to expand all the panels at the same time. FIGURE 3-6  Modify share settings by using the options provided. 3. Use the options provided to modify the settings as necessary, and then tap or click OK. The options available are the same whether you use the basic, advanced, or applications profile to create the shared folder. TIP  If you’re creating a share for general use and general access, you can publish the shared resource in Active Directory. Publishing the resource in Active Directory makes finding the share easier for users; however, this option is not available in Server Manager. To publish a share in Active Directory, press and hold or right-click the share in Computer Management, and then tap or click Properties. On the Publish tab, select the Publish This Share In Active Directory check box, add an optional description and owner information, and then tap or click OK. 94 CHAPTER 3  Data sharing and redundancy Managing share permissions Share permissions set the maximum allowable actions available within a shared folder. By default, when you create a share, everyone with access to the network has Read access to the share’s contents. This is an important security change—in previous editions of Windows Server, the default permission was Full Control. With NTFS and ReFS volumes, you can use file and folder permissions and ownership, in addition to share permissions, to further constrain actions within the share. With FAT volumes, share permissions control only access. Understanding the various share permissions From the most restrictive to the least restrictive, the share permissions available are as follows: в– в– No Access  No permissions are granted for the share. в– в– Read  Users can do the following: • • • • в– в– Access the subfolders in the share Read file data and attributes Run program files Change  Users have Read permission and the ability to do the following: • • • • в– в– View file and subfolder names Create files and subfolders Modify files Change attributes on files and subfolders Delete files and subfolders Full Control  Users have Read and Change permissions, in addition to the following capabilities on NTFS volumes: • Change file and folder permissions • Take ownership of files and folders You can assign share permissions to users and groups. You can even assign permissions to implicit groups. For details on implicit groups, see Chapter 9, “Creating user and group accounts” In Windows Server 2012 R2 Pocket Consultant: Essentials & Configuration. Viewing and configuring share permissions You can view and configure share permissions in Computer Management or Server Manager. To view and configure share permissions in Computer Management, follow these steps: 1. In Computer Management, connect to the computer on which the share is created. In the console tree, expand System Tools, expand Shared Folders, and then select Shares. 2. Press and hold or right-click the share with which you want to work, and then tap or click Properties. Data sharing and redundancy  CHAPTER 3 95 3. In the Properties dialog box, tap or click the Share Permissions tab, shown in Figure 3-7. You can now view the users and groups that have access to the share and the type of access they have. FIGURE 3-7  The Share Permissions tab shows which users and groups have access to the share and what type of access they have. 4. Users or groups that already have access to the share are listed in the Group Or User Names list. You can remove permissions for these users and groups by selecting the user or group you want to remove, and then tapping or clicking Remove. You can change permissions for these users and groups by doing the following: a. Select the user or group you want to change. b. Allow or deny access permissions in the Permissions list box. 5. To add permissions for another user or group, tap or click Add. This opens the Select Users, Computers, Service Accounts, Or Groups dialog box, shown in Figure 3-8. 96 CHAPTER 3  Data sharing and redundancy FIGURE 3-8  Add users and groups to the share. 6. Enter the name of a user, computer, or group in the current domain, and then tap or click Check Names. This produces one of the following results: в– в– в– в– в– в– If a single match is found, the dialog box is automatically updated and the В entry is underlined. If no matches are found, you either entered an incorrect name part or you’re working with an incorrect location. Modify the name and try again, or tap or click Locations to select a new location. If multiple matches are found, select the name or names you want to use, and then tap or click OK. To assign permissions to other users, computers, or groups, enter a semicolon (;) and then repeat this step. NOTE  The Locations button enables you to access account names in other domains. Tap or click Locations to find a list of the current domains, trusted domains, and other resources you can access. Because of the transitive trusts in Windows Server, you can usually access all the domains in the domain tree or forest. 7. Tap or click OK. The users and groups are added to the Group Or User Names list for the share. 8. Configure access permissions for each user, computer, and group by select- ing an account name and then allowing or denying access permissions. Keep in mind that you’re setting the maximum allowable permissions for a particular account. 9. Tap or click OK. To assign additional security permissions for NTFS, see “File and folder permissions” in Chapter 4. IMPORTANT  Keep in mind that you can select the opposite permission to override an inherited permission. Note also that Deny typically overrides Allow, so if you explicitly deny permission to a user or group for a child folder or file, this permission should be denied to that user or group of users. Data sharing and redundancy  CHAPTER 3 97 To view and configure share permissions in Server Manager, follow these steps: 1. The Shares subnode of the File And Storage Services node shows existing shares for file servers that have been added for management. 2. Press and hold or right-click the share with which you want to work, and then tap or click Properties. 3. In the Properties dialog box, tap or click the Permissions in the left pane. You can now view the users and groups that have access to the share and the type of access they have. 4. To change share, folder, or both permissions, tap or click Customize Permis- sions. Next, select the Share tab in the Advanced Security Settings dialog box, as shown in Figure 3-9. FIGURE 3-9  The Share tab shows which users and groups have access to the share and what type of access they have. 5. Users or groups that already have access to the share are listed in the Permis- sion Entries list. You can remove permissions for these users and groups by selecting the user or group you want to remove, and then tapping or clicking Remove. You can change permissions for these users and groups by doing the following: a. Select the user or group you want to change, and then select Edit. b. Allow or deny access permissions in the Permission Entries list, and then tap or click OK. 6. To add permissions for another user or group, tap or click Add. This opens the Permission Entry dialog box, shown in Figure 3-10. 98 CHAPTER 3  Data sharing and redundancy FIGURE 3-10  Add permission entries for a particular user or group. 7. Tap or click Select A Principal to display the Select User, Computer, Service Account Or Group dialog box. Enter the name of a user or a group account. Be sure to reference the user account name rather than the user’s full name. Only one name can be entered at a time. 8. Tap or click Check Names. If a single match is found for each entry, the dialog box is automatically updated, and the entry is underlined. Otherwise, you’ll get an additional dialog box. If no matches are found, you either entered the name incorrectly or you’re working with an incorrect location. Modify the name in the Name Not Found dialog box and try again, or tap or click Locations to select a new location. When multiple matches are found, in the Multiple Names Found dialog box, select the name you want to use, and then tap or click OK. 9. Tap or click OK. The user and group is added as the Principal, and the Permis- sion Entry dialog box is updated to show this. 10. Use the Type list to specify whether you are configuring allowed or denied permissions, and then select the permissions you want to allow or deny. 11. Tap or click OK to return to the Advanced Security Settings dialog box. To assign additional security permissions for NTFS, see “File and folder permissions” in Chapter 4. Data sharing and redundancy  CHAPTER 3 99 Managing existing shares As an administrator, you often have to manage shared folders. This section covers the common administrative tasks of managing shares. Understanding special shares When you install Windows Server, the operating system creates special shares automatically. These shares are known as administrative shares and hidden shares, and they are designed to help make system administration easier. You can’t set access permissions on automatically created special shares; Windows Server assigns access permissions. You can create your own hidden shares by adding the $ symbol as the last character of the share name. You can delete special shares temporarily if you’re certain the shares aren’t needed; however, the shares are re-created automatically the next time the operating system starts. To permanently disable the administrative shares, change the following registry values to 0 (zero): HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver \parameters\AutoShareServer в– в– HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver \parameters\AutoShareWks в– в– Which special shares are available depends on your system configuration. Table 3-2 lists special shares you might find and how they’re used. TABLE 3-2  Special shares used by Windows Server 2012 R2 SHARE NAME DESCRIPTION USAGE ADMIN$ A share used during remote administration of a system. It provides access to the operating system %SystemRoot%. On workstations and servers, administrators and backup operators can access these shares. On domain controllers, server operators also have access. FAX$ Supports network faxes. Used by fax clients when sending faxes. IPC$ Supports named pipes durUsed by programs when performing ing remote interprocess remote administration and when communications (IPC) access. viewing shared resources. NETLOGON Supports the Net Logon service. 100 CHAPTER 3  Data sharing and redundancy Used by the Net Logon service when processing domain logon requests. Everyone has Read access. SHARE NAME DESCRIPTION USAGE PRINT$ Supports shared printer Used by shared printers. Everyone resources by providing access has Read access. Administrators, to printer drivers. server operators, and printer operators have Full Control. SYSVOL Supports Active Directory. Used to store data and objects for Active Directory. Driveletter$ A share that allows administrators to connect to a drive’s root folder. These shares are shown as C$, D$, E$, and so on. On workstations and servers, administrators and backup operators can access these shares. On domain controllers, server operators also have access. Connecting to special shares Most special shares end with the $ symbol. Although these shares aren’t displayed in File Explorer, administrators and certain operators can connect to them (except for NETLOGON and SYSVOL). If your current logon account has appropriate permissions, you can connect directly to a special share or any standard share by typing the UNC path for the share in File Explorer’s address box. The basic syntax is: \\ServerName\ShareName ServerName is the DNS name or IP address of the server and ShareName is the name of the share. In the following example, you connect to the D$ share on CorpServer25: \\CorpServer25\D$ If you always want the drive to be listed as a network location in This PC or need to specify credentials, you can connect to a special share by following these steps: 1. When you open File Explorer, the This PC node should be opened by default. If you have an open Explorer window and This PC is not the selected node, select the leftmost option button in the address list, and then select This PC. 2. Next, tap or click the Map Network Drive button on the Computer panel, and then tap or click Map Network Drive. This displays the Map Network Drive dialog box, shown in Figure 3-11. Data sharing and redundancy  CHAPTER 3 101 FIGURE 3-11  Connect to special shares by mapping them with the Map Network Drive dialog box. 3. In the Drive list, select a free drive letter. This drive letter is used to access the special share. 4. In the Folder text box, enter the Universal Naming Convention (UNC) path to the share. For example, to access the C$ share on a server called Twiddle, you would use the path \\TWIDDLE\C$. 5. The Reconnect At Sign-In check box is selected automatically to ensure that the network drive is connected each time you log on. If you need to access the share only during the current logon session, clear this check box. 6. If you need to connect to the share using different user credentials, select the Connect Using Different Credentials check box. 7. Tap or click Finish. If you are connecting using different credentials, enter the user name and password when prompted. Enter the user name in Domain \Username format, such as Cpandl\Williams. Before tapping or clicking OK, select Remember My Credentials if you want the credentials to be saved. Otherwise, you’ll need to provide credentials in the future. After you connect to a special share, you can access it as you would any other drive. Because special shares are protected, you don’t have to worry about ordinary users accessing these shares. The first time you connect to the share, you might be prompted for a user name and password. If you are prompted, provide that inforВmation. Viewing user and computer sessions You can use Computer Management to track all connections to shared resources on a Windows Server 2012 R2 system. Whenever a user or computer connects to a shared resource, Windows Server 2012 R2 lists a connection in the Sessions node. 102 CHAPTER 3  Data sharing and redundancy To view connections to shared resources, enter net session at an elevated command prompt or Get-SMBSession at an elevated Windows PowerShell prompt. You also can follow these steps: 1. In Computer Management, connect to the computer on which you created the shared resource. 2. In the console tree, expand System Tools, expand Shared Folders, and thenВ select Sessions. You can now view connections to shares for users andВ computers. The columns for the Sessions node provide the following important information about user and computer connections: в– в– User  The names of users or computers connected to shared resources. Computer names are shown with a $ suffix to differentiate them from users. в– в– Computer  The name of the computer being used. в– в– Type  The type of network connection being used. в– в– в– в– # Open Files  The number of files with which the user is actively working. For more detailed information, access the Open Files node. Connected Time  The time that has elapsed since the connection was established. в– в– Idle Time  The time that has elapsed since the connection was last used. в– в– Guest  Whether the user is logged on as a guest. As shown in the following example, the output of Get-SMBSession provides the session ID, client computer name, client user name and the number of open files for each session: SessionId ClientComputerName -------------------------601295421497 10.0.0.60 ClientUserName -------------CPANDL\williams NumOpens -------2 Managing sessions and shares Managing sessions and shares is a common administrative task. Before you shut down a server or an application running on a server, you might want to disconnect users from shared resources. You might also need to disconnect users when you plan to change access permissions or delete a share entirely. Another reason to disconnect users is to break locks on files. You disconnect users from shared resources by ending the related user sessions. ENDING INDIVIDUAL SESSIONS To disconnect individual users from shared resources, enter net session \\computername /delete at an elevated command prompt or Close-SMBSession at –Computer Name computername an elevated Windows PowerShell prompt. In both instances, computername is the DNS name or IP address of computer from which the session originates. Data sharing and redundancy  CHAPTER 3 103 You also can disconnect users by following these steps: 1. In Computer Management, connect to the computer on which you created the share. 2. In the console tree, expand System Tools, expand Shared Folders, and then select Sessions. 3. Press and hold or right-click the user sessions you want to end, and then tap or click Close Session. 4. Tap or click Yes to confirm the action. ENDING ALL SESSIONS To disconnect all users from shared resources, follow these steps: 1. In Computer Management, connect to the computer on which you created the share. 2. In the console tree, expand System Tools, expand Shared Folders, and then press and hold or right-click Sessions. 3. Tap or click Disconnect All Sessions, and then tap or click Yes to confirm the action. NOTE  Keep in mind that you’re disconnecting users from shared resources, not from the domain. You can use only logon hours and Group Policy to force users to log off after they’ve logged on to the domain. Thus, disconnecting users doesn’t log them off the network. It just disconnects them from the shared resource. To disconnect individual users from shared resources, enter net session \\ computername /delete at an elevated command prompt or Close-SMBSession at –ComputerName computername an elevated Windows PowerShell prompt. In both instances, computername is the DNS name or IP address of computer from which the session originates. You also can use Windows PowerShell to disconnect all users from a shared resource. The key here is to ensure you only close the sessions you want to close. Consider the following example: ForEach-Object ($Session in (Get-SMBSession)) { Close-SMBSession –force} This example uses a ForEach loop to get all active SMB sessions and then close each SMB session in turn. Thus, if you enter this example at an elevated Windows PowerShell prompt, you will disconnect all users from all shared resources. To close all connections only for a specific share, you must create a ForEach loop that only examines the connections for that share, such as: ForEach-Object ($Session in (Get-SMBShare CorpData | Get-SMBSession)) {Close-SMBSession –force} This example uses a ForEach loop to get all active SMB sessions for the CorpData share and then close each of those sessions in turn. Thus, if you enter this example at an elevated Windows PowerShell prompt, you only disconnect users from the CorpData share. 104 CHAPTER 3  Data sharing and redundancy Managing open resources Any time users connect to shares, the individual file and object resources they are working with are displayed in the Open Files node. The Open Files node might show the files the user has open but isn’t currently editing. You can access the Open Files node by following these steps: 1. In Computer Management, connect to the computer on which you created the share. 2. In the console tree, expand System Tools, expand Shared Folders, and then select Open Files. This displays the Open Files node, which provides the following information about resource usage: в– в– Open File  The file or folder path to the open file on the local system. The path might also be a named pipe, such as \PIPE\spools, which is used for printer spooling. в– в– Accessed By  The name of the user accessing the file. в– в– Type  The type of network connection being used. в– в– # Locks  The number of locks on the resource. в– в– Open Mode  The access mode used when the resource was opened, such as read, write, or write+read. You also can use Get-SMBOpenFile to list open files. As shown in the following example, Get-SMBOpenFile provides the file ID, session ID, path, share relative path, client computer name, and client user name for each open file: FileId SessionId Path ShareRelativePath ClientComputerName ClientUserN ------ --------- ---- ----------------- ------------------ -----------601295424973 601295421497 C:\PrimaryData\ 10.0.0.60 CPANDL\williams 601295425045 601295421577 C:\Windows\SYSVOL cpan... 10.0.0.60 CPANDL\ CORPPC29$ CLOSING AN OPEN FILE To close an open file on a computer’s shares, follow these steps: 1. In Computer Management, connect to the computer with which you want toВ work. 2. In the console tree, expand System Tools, expand Shared Folders, and then select Open Files. 3. Press and hold or right-click the open file you want to close, and then tap or click Close Open File. 4. Tap or click Yes to confirm the action. You also can use Close-SMBOpenFile to close open files. When you close a file, you use the –FileID parameter to specify the identifier for the file to close, such as: Close-SMBOpenFile –FileID 601295424973 Add the –Force parameter to force close the file if needed. However, if the file has been modified by a user, any changes to the file could be lost. Data sharing and redundancy  CHAPTER 3 105 CLOSING ALL OPEN FILES To close all open files on a computer’s shares, follow these steps: 1. In Computer Management, connect to the computer on which the share is created. 2. In the console tree, expand System Tools, expand Shared Folders, and then press and hold or right-click Open Files. 3. Tap or click Disconnect All Open Files, and then tap or click Yes to confirm the action. You also can use Windows PowerShell to close all open files on a computer’s share. The key here is to ensure that you only close the files you want to close. Consider the following example: ForEach-Object ($Session in (Get-SMBOpenFile)) { Close-SMBOpenFile –force} This example uses a ForEach loop to get all open SMB files, and then close each SMB file in turn. Thus, if you enter this example at an elevated Windows PowerShell prompt, you will close all open files for all shared resources. To close open files on a specific share, you must create a ForEach loop that only examines the open files for that share, such as: ForEach-Object ($Session in (Get-SMBShare CorpData | Get-SMBOpenFile)) {Close-SMBOpenFile –force} This example uses a ForEach loop to get all open SMB files for the CorpData share and then close each of those files in turn. Thus, if you enter this example at an elevated Windows PowerShell prompt, you only close open files for the CorpData share. Stopping file and folder sharing To stop sharing a folder, follow these steps: 1. Do one of the following: в– в– в– в– In Server Manager, select the share you want to manage on the Shares subnode of the File And Storage Services node. In Computer Management, connect to the computer on which you created the share, and then access the Shares node. 2. Press and hold or right-click the share you want to remove, tap or click Stop Sharing, and then tap or click Yes to confirm the action. CAUTION  You should never delete a folder containing shares without first stopping the shares. If you fail to stop the shares, Windows Server 2012 R2 attempts to reestablish the shares the next time the computer is started, and the resulting error is logged in the system event log. 106 CHAPTER 3  Data sharing and redundancy Configuring NFS sharing As discussed in Chapter 1, “Managing file systems and drives,” you can install Server For NFS as a role service on a file server. Server For NFS provides a file sharing solution for enterprises with mixed Windows, OS X, and UNIX environments, allowing users to transfer files between Windows Server 2012 R2, OS X, and UNIX operating systems by using the NFS protocol. You can configure NFS sharing for local folders on NTFS volumes by using File Explorer. You can also configure NFS sharing of local and remote folders on NTFS volumes by using Server Manager. In File Explorer, follow these steps to enable and configure NFS sharing: 1. Press and hold or right-click the share you want to manage, and then tap or click Properties to display a Properties dialog box for the share. 2. On the NFS Sharing tab, tap or click Manage NFS Sharing. 3. In the NFS Advanced Sharing dialog box, select the Share This Folder check box, as shown in Figure 3-12. FIGURE 3-12  You can use NFS sharing to share resources between Windows and UNIX computers. 4. In the Share Name text box, enter a name for the share. This is the name ofВ the folder to which UNIX users will connect. NFS share names must be unique for each system and can be the same as those used for standard file sharing. Data sharing and redundancy  CHAPTER 3 107 5. ANSI is the default encoding for text associated with directory listings and file names. If your UNIX computers use a different default encoding, you can choose that encoding in the Encoding list. 6. UNIX computers use Kerberos v5 authentication by default. Typically, you want to allow Kerberos integrity and authentication in addition to standard Kerberos authentication. Select the check boxes for the authentication mechanisms you want to use. Clear the check boxes for those you don’t want to use. 7. The share can be configured so that no server authentication is required. If you want to require server authentication, select the No Server Authentication check box, and then choose additional options as appropriate. Unmapped user access can be allowed and enabled. If you want to allow anonymous access to the NFS share, select the Allow Anonymous Access option, and then enter the anonymous user UID and anonymous group GID. 8. For UNIX computers, you configure access primarily based on the computer names (also referred to as host names). By default, no UNIX computers have access to the NFS share. If you want to grant read-only or read/write permissions, tap or click Permissions, set the permissions you want to use in the NFS Share Permissions dialog box, and then tap or click OK. You can configure no access, read-only access, or read/write access by client computer name and client computer groups. 9. Tap or click OK twice to close the open dialog boxes and save your settings. In File Explorer, you can disable NFS sharing by following these steps: 1. Press and hold or right-click the share you want to manage, and then tap or click Properties. This displays a Properties dialog box for the share. 2. On the NFS Sharing tab, tap or click Manage NFS Sharing. 3. In the NFS Advanced Sharing dialog box, clear the Share This Folder check box, and then tap or click OK twice. With Server Manager, you can configure NFS permissions as part of the initial share configuration when you are provisioning a share. On the Shares subnode of the File And Storage Services node, you can create an NFS share by following these steps: 1. In the Shares pane, tap or click Tasks, and then tap or click New Share to start the New Share Wizard. Choose NFS Share—Quick or NFS Share—ВAdvanced as the share profile, and then tap or click Next. 2. Specify the share name and location as you would for an SMB share. 3. On the Specify Authentication Methods page, configure Kerberos v5 Authen- tication and No Server Authentication. The options provided are similar to those discussed previously in this section. 4. On the Specify Share Permissions page, configure access for UNIX hosts. Hosts can be set for no access, read-only access, or read/write access to the share. 5. On the Specify Permissions To Control Access, optionally set NTFS permissions for the share. 108 CHAPTER 3  Data sharing and redundancy 6. On the Confirm Selections page, review your selections. When you tap or click Create, the wizard creates the share, configures it, and sets permissions. The status should state, “The share was successfully created.” If an error is displayed instead, note the error and take corrective action. However, because typical errors relate to configuring host access, you probably won’t need to repeat this procedure to create the share. Instead, you might need to modify only the share permissions. Tap or click Close. Using shadow copies Any time your organization uses shared folders, you should consider creating shadow copies of these shared folders as well. Shadow copies are point-in-time backups of data files that users can access directly in shared folders. These point-in-time backups can save you and the other administrators in your organization a lot of work, especially if you routinely have to retrieve lost, overwritten, or corrupted data files from backups. The usual procedure for retrieving shadow copies is to use the Previous Versions or Shadow Copy client. Windows Server 2012 R2 includes a feature enhancement that enables you to revert an entire (nonsystem) volume to a previous shadow copy state. Understanding shadow copies You can create shadow copies only on NTFS volumes. You use the Shadow Copy feature to create automatic backups of the files in shared folders on a per-volume basis. For example, on a file server that has three NTFS volumes, each containing shared folders, you need to configure this feature for each volume separately. If you enable this feature in its default configuration, shadow copies are created twice each weekday (Monday–Friday) at 7:00 A.M. and 12:00 P.M. You need at least 100 megabytes (MB) of free space to create the first shadow copy on a volume. The total disk space used beyond this depends on the amount of data in the volume’s shared folders. You can restrict the total amount of disk space used by Shadow Copy by setting the allowable maximum size of the point-in-time backups. You configure and view current Shadow Copy settings on the Shadow Copies tab of the disk’s Properties dialog box. In File Explorer or Computer Management, press and hold or right-click the icon for the disk with which you want to work, tap or click Properties, and then tap or click the Shadow Copies tab. The Select A Volume panel shows the following: в– в– в– в– Volume  The volume label of NTFS volumes on the selected disk drive Next Run Time  The status of Shadow Copy as Disabled, or the next time a shadow copy of the volume will be created в– в– Shares  The number of shared folders on the volume в– в– Used  The amount of disk space used by Shadow Copy Individual shadow copies of the currently selected volume are listed in the Shadow Copies Of Selected Volume panel by date and time. Data sharing and redundancy  CHAPTER 3 109 Creating shadow copies To create a shadow copy on an NTFS volume with shared folders, follow these steps: 1. Open Computer Management. If necessary, connect to a remote computer. 2. In the console tree, expand Storage, and then select Disk Management. The volumes configured on the selected computer are displayed in the details pane. 3. Press and hold or right-click Disk Management, point to All Tasks, and then tap or click Configure Shadow Copies. 4. On the Shadow Copies tab, select the volume with which you want to work in the Select A Volume list. 5. Tap or click Settings to configure the maximum size of all shadow copies for this volume and to change the default schedule. Tap or click OK. 6. After you configure the volume for shadow copying, tap or click Enable if necessary. When prompted to confirm this action, tap or click Yes. Enabling shadow copying creates the first shadow copy and sets the schedule for later shadow copies. NOTE  If you create a run schedule when configuring the Shadow Copy settings, shadow copying is enabled automatically for the volume when you tap or click OK to close the Settings dialog box. However, the first shadow copy won’t be created until the next scheduled run time. If you want to create a shadow copy of the volume now, select the volume and then tap or click Create Now. Restoring a shadow copy Users working on client computers access shadow copies of individual shared folders by using the Previous Versions or Shadow Copy client. The best way to access shadow copies on a client computer is to follow these steps: 1. In File Explorer, press and hold or right-click the share for which you want to access previous file versions, tap or click Properties, and then tap or click the Previous Versions tab. 2. On the Previous Versions tab, select the folder version with which you want to work. Each folder has a date and time stamp. Tap or click the button corresponding to the action you want to perform: в– в– в– в– в– в– 110 Tap or click Open to open the shadow copy in File Explorer. Tap or click Copy to display the Copy Items dialog box, which lets you copy the snapshot image of the folder to the location you specify. Tap or click Restore to roll back the shared folder to its state at the time ofВ the snapshot image you selected. CHAPTER 3  Data sharing and redundancy Reverting an entire volume to a previous shadow copy Windows Server 2012 R2 features a shadow copy enhancement that enables you to revert an entire volume to the state it was in when a particular shadow copy was created. Because volumes containing operating system files can’t be reverted, the volume you want to revert must not be a system volume. The same goes for volumes on a cluster shared disk. To revert an entire volume to a previous state, follow these steps: 1. Open Computer Management. If necessary, connect to a remote computer. 2. In the console tree, expand Storage. Press and hold or right-click Disk Manage- ment, point to All Tasks, and then tap or click Configure Shadow Copies. 3. On the Shadow Copies tab, select the volume with which you want to work in the Select A Volume list. 4. Individual shadow copies of the currently selected volume are listed by date and time in the Shadow Copies Of Selected Volume panel. Select the shadow copy with the date and time stamp to which you want to revert, and then tap or click Revert. 5. To confirm this action, select the Check Here If You Want To Revert This Vol- ume check box, and then tap or click Revert Now. Tap or click OK to close the Shadow Copies dialog box. Deleting shadow copies Each point-in-time backup is maintained separately. You can delete individual shadow copies of a volume as necessary, and this recovers the disk space used by the shadow copies. To delete a shadow copy, follow these steps: 1. Open Computer Management. If necessary, connect to a remote computer. 2. In the console tree, expand Storage. Press and hold or right-click Disk Man- agement, point to All Tasks, and then tap or click Configure Shadow Copies. 3. On the Shadow Copies tab, select the volume with which you want to work in the Select A Volume list. 4. Individual shadow copies of the currently selected volume are listed by date and time in the Shadow Copies Of Selected Volume panel. Select the shadow copy you want to delete, and then tap or click Delete Now. Tap or click Yes to confirm the action. Disabling shadow copies If you no longer want to maintain shadow copies of a volume, you can disable the Shadow Copy feature. Disabling this feature turns off the scheduling of automated point-in-time backups and removes any existing shadow copies. Data sharing and redundancy  CHAPTER 3 111 To disable shadow copies of a volume, follow these steps: 1. Open Computer Management. If necessary, connect to a remote computer. 2. In the console tree, expand Storage. Press and hold or right-click Disk Man- agement, point to All Tasks, and then tap or click Configure Shadow Copies. 3. On the Shadow Copies tab, select the volume with which you want to work in the Select A Volume list, and then tap or click Disable. 4. When prompted, confirm the action by tapping or clicking Yes. Tap or click OK to close the Shadow Copies dialog box. Connecting to network drives Users can connect to a network drive and to shared resources available on the network. This connection is shown as a network drive that users can access like any other drive on their systems. NOTE  When users connect to network drives, they’re subject not only to the permissions set for the shared resources, but also to Windows Server 2012 R2 file and folder permissions. Differences in these permission sets are usually the reason users might not be able to access a particular file or subfolder within the network drive. Mapping a network drive In Windows Server 2012 R2, you connect to a network drive by mapping to it using NET USE and New-PsDrive. The syntax for NET USE is the following: net use DeviceName \\ComputerName\ShareName DeviceName specifies the drive letter or an asterisk (*) to use the next available drive letter, and \\ComputerName\ShareName is the UNC path to the share, such as either of the following: net use g: \\ROMEO\DOCS or net use * \\ROMEO\DOCS NOTE  To ensure that the mapped drive is available each time the user logs on, make the mapping persistent by adding the /Persistent:Yes option. The syntax for New-PsDrive is: New-PsDrive –Name DriveLetter –Root \\ServerName\ShareName -PsProvider FileSystem DriveLetter is the drive letter to use and ServerName is the DNS name or IP address of the server hosting the share and ShareName is the name of the share, such as: New-PsDrive –Name g –Root \\CorpServer21\CorpData -PsProvider FileSystem 112 CHAPTER 3  Data sharing and redundancy NOTE  To ensure that the mapped drive is available each time the user logs on, add the –Persist parameter. If the client computer is running Windows 8.1, you can map network drives by completing the following steps: 1. When you open File Explorer, the This PC node should be opened by default. If you have an open Explorer window and This PC is not the selected node, select the leftmost option button in the address list, and then select This PC. 2. Next, tap or click the Map Network Drive button in the Computer panel, and then tap or click Map Network Drive. 3. Use the Drive list to select a free drive letter to use, and then tap or click the Browse button to the right of the Folder list. In the Browse For Folder dialog box, expand the network folders until you can select the name of the workgroup or the domain with which you want to work. 4. When you expand the name of a computer in a workgroup or a domain, you’ll get a list of shared folders. Select the shared folder with which you want to work, and then tap or click OK. 5. Select Reconnect At Logon if you want Windows to connect to the shared folder automatically at the start of each session. 6. Tap or click Finish. If the currently logged-on user doesn’t have appropriate access permissions for the share, select Connect Using Different Credentials, and then tap or click Finish. After you tap or click Finish, you can enter the user name and password of the account with which you want to connect to the shared folder. Enter the user name in Domain\UserName format, such asВ Cpandl\Williams. Before tapping or clicking OK, select Remember My Credentials if you want the credentials to be saved. Otherwise, you’ll need to provide credentials in the future. Disconnecting a network drive In Windows Server 2012 R2, you disconnect a network drive using NET USE and Remove-PsDrive. The syntax for NET USE is: net use DeviceName /delete DeviceName specifies the network drive to remove, such as: net use g: /delete The syntax for Remove-PsDrive is: Remove-PsDrive –Name DriveLetter DriveLetter is the network drive to remove, such as: Remove-PsDrive –Name g NOTE  If the network drive has open connections, you can force remove the network drive using –Force parameter. Data sharing and redundancy  CHAPTER 3 113 In File Explorer, you can disconnect a network drive by following these steps: 1. When you open File Explorer, the This PC node should be opened by default. If you have an open Explorer window and This PC is not the selected node, select the leftmost option button in the address list, and then select This PC. 2. Under Network Location, press and hold or right-click the network drive icon, and then tap or click Disconnect. Configuring synced sharing Although the standard approach to sharing files requires a computer that is joined and connected to a domain, synced sharing does not. With sync shares, users can use an Internet or corporate network connection to sync data to their devices from folders located on enterprise servers. You implement synced sharing by using Work Folders. Work Folders is a feature that you can add to servers running Windows Server 2012 R2 or later. Work Folders use a client-server architecture. A Work Folders client is natively integrated into Windows 8.1, and clients for Windows 7, Apple iPad, and other devices are becoming available as well. Getting started with Work Folders You deploy Work Folders in the enterprise by performing these procedures: 1. Add the Work Folders role to servers that you want to host sync shares. 2. Use Group Policy to enable discovery of Work Folders. 3. Create sync shares on your sync servers and optionally, enable SMB access to sync shares. 4. Configure clients to access Work Folders. NOTE  Group Policy is discussed in detailed in Chapter 6 “Managing users and computers with Group Policy.” For detailed information about configuring Group Policy to enable discovery of Work Folders, see “Automatically configuring Work Folders,” in Chapter 6. Work Folders use a remote web gateway configured as part of the IIS hostable web core. When users access a sync share via a URL provided by an administrator and configured in Group Policy, a user folder is created as a subfolder of the sync share and this subfolder is where the user’s data is stored. The folder naming format for the user-specific folder is set when you create a sync share. The folder can be named by using only the user alias portion of the user’s logon name or the full logon name in alias@domain format. The format you choose primarily depends on the level of compatibility required. Using the full logon name eliminates potential conflicts when users from different domains have identical user aliases, but this format is not compatible with redirected folders. To maintain compatibility with redirected folders, you should configure sync folders to use aliases. However, in enterprises with multiple domains, the drawback 114 CHAPTER 3  Data sharing and redundancy to this approach is that there could be conflicts between identical user aliases in different domains. Although the automatically configured permissions for a user folder would prevent amyh from the cpandl.com domain from accessing a user folder created for amyh from the pocket-consultant.com domain, the conflict would cause problems. If there was an existing folder for amyh from the cpandl.com domain, the server would not be able to create a user folder for amyh from the pocket-consultant.com. With Work Folders, you have several important options during initial setup. You can encrypt files in Work Folders on client devices and ensure that the screens on client devices lock automatically and require an access password. Encryption is implemented by using the Encrypting File System (EFS). EFS encrypts files with an enterprise encryption key rather than an encryption key generated by the client device. The enterprise encryption key is specific to the enterprise ID of the user (which by default is the primary SMTP address of the user). Having an enterprise encryption key that is separate from a client’s standard encryption key is important toВ ensure that encrypted personal files and encrypted work files are managed separately. When files are encrypted, administrators can use a selective wipe to remove enterprise files from a client device. The selective wipe removes the enterprise encryption key and thus renders the work files unreadable. Selective wipe does not affect any encrypted personal files. As the work files remain encrypted, there’s no need to actually delete the work files from the client device. That said, you could run Disk Optimizer on the drive where the work files were stored. During optimization, Disk Optimizer should then overwrite the sectors where the work files were stored. Selective wipe only works when you’ve enabled the encryption option on Work Folders. Although encryption is one way to protect enterprise data, another way is to configure client devices to lock screens and require a password for access. The exact policy enforced requires: в– в– A minimum password length of 6 characters в– в– A maximum password retry of 10 в– в– A screen that automatically locks in 15 minutes or less If you enforce the use of automatic lock screens and passwords, any device that doesn’t support these requirements is prevented from connecting to the Work Folder. By default, sync shares are not available in the same way as standard file shares. Because of this, users can only access sync shares by using the Work Folders client. IfВ you want to make sync shares available to users as standard file shares, you must enable SMB access. After you enable SMB access, users can access files stored in Work Folders by using syncing and by mapping network drives. When a user makes changes to files in Work Folders, the changes might not be immediately apparent to others using the same Work Folders. For example, if a user deletes a file from a Work Folder by using SMB, other users accessing the Work Folder might still see the file as available. This inconsistency can occur because by default clients only poll the sync server every 10 minutes for SMB changes. Data sharing and redundancy  CHAPTER 3 115 A sync server also uses a Work Folders client to check periodically for changes users have made using SMB; the default polling interval is 5 minutes. When the server identifies changes, the server relays the changes the next time a client syncs. Following this, you can determine that it could take up to 15 minutes for a change made using SMB to fully propagate. REAL WORLD  To minimize support issues related to Work Folders, you’ll want to let users know how the technology works. Specifically, you’ll want to let users know changes might not be immediately apparent, and they’ll need to be patient when waiting for changes to propagate. You can specify how frequently the server checks for changes made locally on the server or through SMB by using the –MinimumChangeDetectionMins parameter of the Set-SyncServerSetting cmdlet. However, as the server must check the change information for each file stored in the sync share, you need to be careful that you don’t configure a server to try to detect changes too frequently. A server that checks for changes too frequently can become overloaded. Remember, change detection uses more resources as the number of files stored in the sync share increases. If you deploy roles and features that require a full version of the Web (IIS) role, you might find that these roles and features or the Work Folders feature itself don’t work together. A conflict can occur because the full version of the Web (IIS) role has a Default Web Site that uses port 80 for HTTP communications and port 443 for secure HTTP communications. For example, running Windows Essentials Experience and Work Folders together on the same server requires a special configuration. Typically, you need to change the ports used by Windows Essentials Experience so that they don’t conflict with the ports used by Work Folders. To enable detailed logging of Work Folders, you can enable and configure the Audit Object Access policy setting for a Group Policy Object (GPO) processed by the server. You’ll find this setting in the Administrative Templates for Computer Configuration under Windows Settings\Security Settings\Local Policies Audit Policies. After you enable Audit Object Access, add an audit entry for the specific folders you want to audit. In File Explorer, press and hold or right-click a folder you want to audit, and then select Properties. In the Properties dialog box, on the Security tab, select Advanced. In the Advanced Security Settings dialog box, use the options on the Auditing tab to configure auditing. Creating sync shares and enabling SMB access You create a sync share to identify a local folder on a sync server that will be synchronized and accessible to domain users via the Work Folders client. As sync shares are mapped to local paths on sync servers, I recommend that you create any folders that you want to use before creating sync shares. This will make it easier to select the exact folders with which you want to work. For details on adding the Work Folders role and configure Work Folders in Group Policy, see “Automatically configuring Work Folders” in Chapter 6. 116 CHAPTER 3  Data sharing and redundancy To create a sync share, complete the following steps: 1. In Server Manager, select File And Storage Services, and then select Work Folders. On the Work Folders panel, select Tasks, and then select New Sync Share to open the New Sync Share Wizard. If the Before You Begin page is displayed, tap or click Next. 2. On the Select The Server And Path page, shown in Figure 3-13, select the server with which you want to work. Keep in mind that only servers that have the Work Folders role installed are available for selection. FIGURE 3-13  Specify the server and folder to use. 3. When configuring sync shares, you have several options. You can: в– в– в– в– в– в– Add syncing to an existing file share by choosing the Select By File Share option, and then selecting the file share that should also be synced. Add syncing to an existing local folder by choosing Enter A Local Path, selecting Browse, and then using the Select Folder dialog box to locate and chose the folder to sync. Add syncing to a new local folder by choosing Enter A Local Path, and then entering the path to use. 4. When you are ready to continue, tap or click Next. If you specified a new folder location, you are prompted to confirm whether you want to create thisВ folder. Select OK to create the folder and continue. 5. On the Specify The Structure For User Folders page, choose a folder nam- ing format for the subfolders where user data is stored. To use only the userВ alias portion of the user’s logon name for naming user folders, choose User Alias. To use the full logon name for naming user folders, choose User alias@domain. Data sharing and redundancy  CHAPTER 3 117 6. By default, all folders and files stored under the user folder are synced auto- matically. If you’d prefer that only a specific folder is synced, select the Sync Only The Following Folder check box, and then enter the name of the folder, such as Documents. Tap or click Next to continue 7. On the Enter The Sync Share Name page, enter a share name and description before tapping or clicking Next to continue. 8. On the Grant Sync Access To Groups page, shown in Figure 3-14, use the options provided to specify the users and groups that should be able to access the sync share. To add a user or group, tap or click Add, and then use the Select User Or Group dialog box to specify the user or group that should have access to the sync share. SECURITY ALERT  Any users and groups you specify will be granted permissions on the base folder that allows the users and groups to create folders and access files in their folders. Specifically, Creator/Owner is granted Full Control on subfolders and files only. The users and groups are granted List Folder/Read Data, Create Folders/Append Data, Traverse Folder/Execute File, Read/Write attributes on the base folder. Local System is granted Full Control of the base folder, subfolders, and files. Administrator is granted Read permission on the base folder. FIGURE 3-14  Specify the users and groups that should have access to the sync share. 9. By default, inherited permissions are disabled and users have exclusive access to their user folders. Because of this, only the user who stores a file has access to this file on the share. If the base folder for the share has permissions that you want to be applied to user folders, such as those that would grant administrators access to user folders, clear the Disable Inherited Permissions check box. When you are ready to continue, tap or click Next. 118 CHAPTER 3  Data sharing and redundancy 10. On the Specify Device Policies page, you have two options. You can select Encrypt Work Folders to encrypt files in Work Folders on client devices. You can select Automatically Lock Screen And Require A Password to ensure that the screens on client devices lock automatically and require a password for access. 11. Tap or click Next to continue, and then confirm your selections. Select Create to create the sync share. If the wizard is unable to create the sync share, you’ll get an error and will need to note the error and take appropriate corrective action. A common error you might get occurs when the server hosts both Work Folders (which use the hostable web core) and the full Web (IIS) role. Before you can crate sync shares, you’ll need to modify the ports used so they do not conflict or install Work Folders on a server that doesn’t have the full Web (IIS) role. 12. If you did not select an existing file share during set up and want to enable the sync share for SMB access, open File Explorer. In File Explorer, press and hold or right-click the folder, select Share With, and then select Specific People. Finally, configure file sharing as discussed earlier in this chapter. Accessing Work Folders on clients Users with a domain user account can access Work Folders from a client device over the Internet or over the corporate network. You can configure Work Folder Access for a user by completing the following steps: 1. In Control Panel, tap or click System And Security, and then select Work Fold- ers. On the Manage Work Folders page, tap or click Set Up Work Folders. 2. On the Enter Your Work Email Address page, enter the user email address, such as [email protected], and then tap or click Next. If the client device is joined to the domain, you will not be prompted for the user’s credentials. Otherwise, you are prompted for the user’s credentials. After the user enters her credentials, you can select Remember My Credentials to store the user’s credentials for future use, and then tap or click OK to continue. 3. On the Introducing Work Folders page, note where the work files for the user will be stored. By default, work files are stored in a user profile subfolder called Work Folders. For example, the work files for Amyh would be stored under %SystemDrive%\Users\Amyh\WorkFolders. To store work files in another location, tap or click Change and then use the options provided to specify a new save location for work files. When you are ready to continue, tap or click Next. 4. On the Security Policies page, review the security policies that will be applied, and then have the user select the I Accept These Policies On My PC check box. You will not be able to continue if you do not select this check box. 5. Select Set Up Work Folders to create Work Folders on the client device. Data sharing and redundancy  CHAPTER 3 119 After you configure Work Folders for initial use on a client device, the user can access Work Folders in File Explorer. When a user opens File Explorer, the This PC node should be opened by default. If so, the user just needs to double-tap or double-click Work Folders to view work files. If a user has an open Explorer window and This PC is not the selected node, she just needs to tap or click the leftmost option button in the address list, and then tap or click This PC. As the user works with files, the changes the user makes trigger sync actions with the server. If the user doesn’t change any files locally for an extended period of time, the client connects to the server every 10 minutes to determine whether there are changes to sync. 120 CHAPTER 3  Data sharing and redundancy Index Numbers & Symbols 64-bit print drivers, 300 512b drives, 5 512e drives, 5 $ symbol, 101, 103 A A records described, 282 updating, 267 AAAA records, 282 access-based enumeration, 92 access controls, claims-based, 132–134 access permissions. SeeВ NTFS permissions account policies changing template settings, 160 described, 157 Action Center changing run time for automatic maintenance, 75 network diagnostics and, 207 storage spaces and, 66 viewing known problems and solutions,В 359 Active Directory access tracking, 135 auditing policies, 135 authorizing DHCP servers in, 228 central access policies, 133 DNS and, 262, 263, 270–272 dynamic updates and, 278, 291 integrated primary server, 267 integration modes, 291 listing printer shares in, 307, 308, 313 listing printers in, 320, 323 objects, auditing, 139 publishing shares in, 94 restoring, 364 SRV records and, 283 storing data and objects, 101 Active Directory Certificate Services, 196 Active Directory Domain Services, security policies and, 175 Active Directory Users And Computers assigning logon scripts, 189 object auditing, 135, 139 active partition or volume, 19 adaptive query timeout, 207 Add-DhcpServerInDC cmdlet, 228 address conflict detection, 236 address records, 282–284 Address Resolution Protocol (ARP) test, 218 ADMIN$ share, 100 administrative installation, 191 administrative shares, 100 administrator access, object ownership and,В 122 administrator command prompt, shortcuts to, 346 Advanced Encryption Standard (AES) algorithm, 369 Advanced Format hard drives, 5 Advanced Sharing Settings, 83 Advanced TCP/IP Settings, 266 advertising software, 191 alias (CNAME) records, 276 allocating space storage pools and, 57, 58, 61 to virtual disks, 62 allocation unit size, 27, 29, 43 allow lists, MAC address filtering and, 253 allowing special permissions, 131 analyzing disks, 78–80 AppData (Roaming) folder, redirecting, 181 applications, recovering, 367, 368 Apply Policy To Removable Media policy, 143 applying security policies, 177, 178 archive attribute, 337 assigning drive letters and paths, 67 asynchronous DNS cache, 264 attaching VHDs, 24 Audit Account Logon Events option, 135 Audit Account Management option, 135 Audit Directory Service Access option, 135,В 139 Audit Logon Events option, 136 Audit Object Access option, 116, 136, 138 Audit Policy Change option, 136 Audit Privilege Use option, 136 Audit Process Tracking option, 136 Audit System Events option, 136 auditing Active Directory objects, 139, 140 DHCP servers, 229 373 authentication auditing (continued) files and folders, 136–138 policies, 135, 136 print jobs, 329 registry, 138 security policies and, 176 system resources, 134–140 authentication NFS sharing and, 108 security policies and, 176 authoritative restore, 364 autoconfiguration ipconfig and, 222 IPv4 addresses, 218 IPv6 addresses, 219, 220 autoloader tape systems, 339, 340 automatic certificate enrollment, 197 compression of files and directories, 30 defragmentation, 80 deployment and maintenance of software, 190, 191 detection of network printers, 305, 312 installation of network printers, 305 lock screens, 115, 119 recovery from a failed start, 361 service startup mode, 163 Automatic Maintenance, 75, 79, 199 Automatic Updates, 197–200 average seek time, 6 B backing up files See alsoВ recovery Backup Command-Line utility, 346–350 common solutions, 339, 340 devices for, considerations, 339 DHCP database, 257 encrypted data and certificates, 371, 372 manually, 357, 358 media rotation schedule, 341 online, 343 permissions, 344 planning, 335–337 recovery point objective (RPO), 336 recovery time objective (RTO), 336 scheduling, 350–357 selecting backup media, 340, 341 selecting utilities, 341 techniques, 337 Windows Server Backup, 2 backing up system state, 363, 364 Backup Command-Line utility, 341, 346–350 374 BackupDatabasePath key, 258 BackupInterval key, 258 bare metal recovery, 351, 358 baseline server, 174 basic disks configuring, 19 converting to dynamic, 20 described, 13 drive sections, 19 vs. dynamic disks, 18 RAID limitations, 38 .bat files, 187 Batch implicit group, public folder permissions and, 83 binary source files, print services and, 301,В 302 bindings, DHCP servers and, 228 BIOS vs. UEFI, 8 BitLocker Drive Encryption, 7, 22, 199 boot manager, restoring, 364–367 boot partition or volume, 19 boot sector corruption, 41 boot volumes changing drive letters for, 67 repairing mirrored sets, 51 repairing mirror to enable boot, 52 striped sets and, 46 Bootstrap Protocol (BOOTP), enabling, 248 Branch Office Direct Printing, 307, 308, 313,В 330 BranchCache enabling caching of shared folders, 93 SMB versions and, 86 BranchCache For Network Files roleВ service,В 2 breaking mirrored sets, 50 broadcast messages, IP address range for,В 239 built-in compression feature, 30 C C drive, as local file system, 1 cache size of virtual disks, checking, 57 caching offline files, 93 canceling print jobs, 332 canonical name records, 282 CAPI2, 206 central access policies described, 133 file and folder resources and, 82 NTFS permissions and, 125 certificate authorities (CAs), 196, 371 certificate revocation lists (CRLs), 196 data certificates CAPI2 and, 206 encryption and, 32, 369, 371, 372 recovery agents and, 35 Change Permissions special permission, 138 Change share permissions, 95 Change special permission, 126, 127 Check Disk (Chkdsk.exe) enhanced scan and repair, 76–78 options and switches, 77 running interactively, 77 vs. self-healing NTFS, 74, 75 syntax, 77 checking for solutions, 359 child domains creating in separate zones, 281, 282 creating within zones, 280 defined, 262 child objects, inheritance and, 123 CIFS, 85. See alsoВ Server Message Block (SMB) Cipher (Cipher.exe) utility, 36 claim types, 132 claims-based access controls, file and folder resources and, 82 claims-based permissions, 132–134 client features, enabling and disabling, 175 Close-SMBOpenFile cmdlet, 105 Close-SMBSession cmdlet, 103, 104 cluster size, setting for file systems, 27, 29, 43 .cmd files, 187 CNAME records adding host aliases, 284 described, 282 global names and, 276 coexistence, of IPv4 and IPv6, 206 command prompt, shortcuts to, 346 command-shell batch scripts, 187 Compact (Compact.exe) utility, 31 compound identities, file and folder access and, 82 compression automatic, 30 described, 30 encryption and, 30 removing from drives, 31 removing from files and directories, 31 turning on for disks, 28, 43 computer assignment, software deployment method, 190 Computer Management closing open files, 105, 106 configuring share permissions, 95 creating shadow copies, 110 creating shared folders, 88–91 deleting shadow copies, 111 disabling disk quotas, 150 disabling shadow copies, 112 disconnecting users from shared resources, 104 enabling disk quotas, 145 ending all sessions, 104 Open Files node, 105 publishing shared resources, 94 reverting volumes to previous shadow copy, 111 scheduling backups, 357 tracking connections to shared resources, 102 viewing SMB sessions, 103 viewing SMB shares, 86, 87 computer startup scripts, assigning, 187, 188 conditional forwarding, 292, 293, 294 configuring drives, 6 connecting to network drives, 112–114 printers, 314, 315 remote computers, 87 shared resources, 102, 103 special shares, 101, 102 constrained delegation, Hyper-V and, 93 Contacts folder, redirecting, 181 Convert (Convert.exe) utility, 70, 71 converting basic disks to dynamic disks, 20, 21 dynamic disks to basic disks, 20, 21 volumes to NTFS, 71 copy backups, 337 corrupted system files, 360 crash dump partition, 19 Create Files/Write Data special permission, 126, 127 Create Folders/Append Data special permission, 126, 127 Create Subkey advanced permission, 139 CryptoAPI Version 2 (CAIP2), 206 custom disk quota entries, 147–150 /CvtArea option, 71 D daily backups, 337 DAT drives, 339 data See alsoВ public folder sharing; standard file sharing compressing, 30 deduplication, 64, 65 protecting with RAID, 44 recovery, EFS and, 369 375 data backups data (continued) SMB encryption, 93 synced sharing, 114 synchronizing with Work Folders, 195,В 196 transfer, network awareness and, 202 data backups Backup Command-Line utility, 346–350 common solutions, 339, 340 encryption and, 371, 372 manual, 357, 358 media rotation schedule, 341 online, 343 permissions, 344 planning, 335–337 recovery point objective (RPO), 336 recovery time objective (RTO), 336 scheduling, 350–357 selecting backup media, 340, 341 selecting utilities, 341 techniques, 337 Data Deduplication role service, 2, 54 Data Incomplete volume status, 40 Data Not Redundant volume status, 40 data scrubber, 11 data transfer rate, drive specifications and, 7 DatabaseCleanupInterval key, 258 DatabaseName key, 258 debugging DNS events, 295 debugging mode, 363 decrypting directories and files, 36 deduplication of data, 54, 64, 65 default gateways, 211, 241 defragmenting disks, 78–80 Degraded operation status, storage pools and, 66 DELETE BACKUP command, 346 Delete special permission, 126, 127, 138, 139 Delete Subfolders And Files special permission, 126, 127, 138 DELETE SYSTEMSTATEBACKUP command, 346, 349 deleting disk quota entries, 148 demilitarized zones, 272 deny lists, MAC address filtering and, 253 denying special permissions, 131 deploying printer connections, 315, 316 security configurations, 170–172 security polices to multiple computers,В 178 software through Group Policy, 190–195 Desktop folder, redirecting, 181 device claims, 132 device unique identifier (DUID), 256 376 DFS Namespaces role service, 2 DFS Replication role service, 3 DHCP DNS and, 262, 264 purpose, 217 saving and restoring configuration, 236, 237 DHCP console activating and deactivating scopes, 248 assigning scope options, 246 assigning server options, 246 authorizing a server in Active Directory, 227 backing up DHCP database, 257 connecting to remote servers, 226 creating IPv4 scopes, 239 creating multicast scopes, 244 deleting leases and reservations, 257 failover scopes, 250 hardware type exemptions, 253 modifying reservation properties, 257 modifying scopes, 248 opening, 225 reservation options, 247 reserving addresses, 255, 256 saving and restoring configuration, 237 starting and stopping a server, 227 superscopes and, 238 updating statistics, 229 DHCP Relay Agent Service, 223 DHCP servers auditing, 229–231 backing up, 258 binding to a specific connection, 228 DNS and, 230, 232, 241 dynamic IPv4 addressing, 218, 219 failover, 218, 219 installing, 223–226 moving database to a new server, 258 name resolution and, 266 NAP and, 232–236 options, 246 reconciling leases and reservations, 259 regenerating the database, 259 registry keys, 230 remote servers, 227 restoring from backup, 258 starting and stopping servers, 227 statistics, updating, 229 Dhcp.mdb file, 257 Dhcpmgmt.msc command, 225 DHCPv4, 217, 219 DHCPv6, 219–222 diagnostics and resolution architecture, 358–360 disks diagonal parity striping, 60 differential backups described, 337 vs. incremental, 338 digital audio tape (DAT) drives, 339 Digital Identification Management Service (DIMS), 369 Digital Linear Tape (DLT), 339 directories compressing, 30 decrypting, 36 encrypting, 33 expanding compressed, 31 directory-integrated storage, 262 Directory Services Restore Mode, 363 Disable Automatic Restart On System Failure option, 363 DISABLE BACKUP command, 346, 349 Disable Driver Signature Enforcement option, 363 Disable Early Launch Anti-Malware Driver option, 363 Disabled service startup mode, 163 disabling automatic certificate enrollment, 197 disk quotas, 150 inheritance, 123 NFS sharing, 108 print spooling, 327 disaster recovery. SeeВ recovery disconnecting network drives, 113 users from shared resources, 103, 104 discovery of networks. SeeВ network discovery disk-based backup systems, 340 disk duplexing, 47 Disk Management snap-in breaking mirrored sets, 50 changing drive letters and paths, 68 converting basic disks to dynamic, 20,В 21 creating partitions, logical drives, and simple volumes, 25 creating volumes and volume sets, 42 degragmenting, 78 described, 11–13 extending volumes, 73 initializing disks, 16 marking partitions as active, 20 mirror sets, creating, 48 moving disks, 22, 23 reactiving dynamic disks, 22 shrinking volumes, 72 striped sets with parity, creating, 49 virtual hard disks and, 23 volume labels, 69 disk management, Windows Server Backup and, 342 disk mirroring described, 44, 45 existing volumes, creating from, 48, 49 fault tolerance and, 47 implementing, 46–49 mirrored sets, breaking, 50 mirrored sets, creating, 48 performance considerations, 47 removing volumes from set, 52 repairing mirrored sets, 50, 51 repairing to enable boot, 51, 52 resynchronizing mirrored sets, 50, 51 storage considerations, 47 storage pools and, 59 disk quotas creating entries, 147, 148 deleting entries, 148 disabling, 150 enabling in Group Policy, 142 enabling on NTFS volumes, 145, 146 enforcing, 140 exporting settings, 149 importing settings, 149 individual entries, when to create, 147 limits, 141, 151 message variables, 153 Resource Manager, 151–155 shared folders and, 93 types, 140, 151 viewing entries, 147 warnings, 141, 151 disk quota templates, 151–155 disk space, DHCP server logs and, 230 disk striping described, 45 implementing, 45, 46 repairing striped sets, 52 disk striping with parity described, 44, 45 implementing, 49 performance considerations, 47 regenerating sets, 52, 53 removing volumes, 53 storage pools and, 59 diskmgmt.msc, 11 disks See alsoВ dynamic disks configuration types, 13, 18 configuring, 19 converting basic to dynamic, 20 defragmenting, 78–80 377 dismounting volumes disks (continued) drives, as backup solution, 340 failure detection, 360 initializing, 16 management options, 55 moving, 22–24 optimizing, 78–80 reactivating dynamic, 22 rescanning, 22, 41 resetting, 55 standards-based storage and, 53 storage management and, 37 dismounting volumes, 76 Distributed Scan Server role service, 300, 301, 302 distribution points, for software deployВ ment, 191 DNS Active Directory and, 262, 263 adding aliases with CNAME, 284 described, 261 DHCP and, 230, 232, 241, 262, 264 enabling on the network, 263–265 forwarding, 292–294 IPv6 and, 263 name resolution and, 266 options, 266, 267 records, 264, 282–286 setting zone type, 291 suffixes, 266, 267 DNS clients configuring name resolution, 266, 267 dynamic updates and, 291 enhancements for built-in, 207 IPv6 and, 263–265 LLMNR and, 264 .dns file extension, 262 DNS Manager console debugging, 295 event logging, 294 forwarding, 293 managing DNS records, 283–286 managing DNS servers, 276–280 notifying secondaries of changes, 290 setting zone properties, 287–291 specifying IP addresses, 292 zone transfers, restricting, 289 DNS servers adding and removing, 277 controlling access to, 292–294 domain controllers as, 268 event logging, 294 GlobalNames zone and, 265, 275, 276 378 installing, 267, 268 IP addresses and, 292 IPv4 and IPv6 and, 263–265 monitoring, 295, 296 primary, 270–272 restarting, 263 reverse lookup zones, 274, 275 secondary, 273 signing zones, 278–280 starting and stopping, 278 startup tasks, 263 types, 267 zone transfers, 289, 290 DNSSEC (DNS Security Extensions), 278–280 DNSKEY records, 279 dnsZone object, 262 Documents folder, redirecting, 181 dollar sign computer names and, 103 special shares and, 101 domain controllers, as DNS servers, 268 domain name resolution. SeeВ name resolution Domain Name System (DNS). SeeВ DNS domain networks, 202 domains child, 262 deleting, 282 DNS and, 261 parent, 261 root, 261 Downloads folder, redirecting, 181 drive controllers, 6, 47 drive letters assigning, 26 assigning to drives, 67, 68 assigning to volumes, 43, 65 changing, 55, 68 partitioning and, 25 removing, 68 drive paths adding, 68 assigning, 26 assigning to drives, 67 assigning to volumes, 43, 65 changing, 55 purpose, 25 removing, 68 drive section types, 19 Driveletter$ share, 101 drivers printer, 298 safe mode and, 363 extranets drives compressing, 30 deleting, 69 described, 1 Disk Management snap-in and, 11–13 disk types, 10, 11 encrypted, 7 expanding compressed, 31 installing new, 16 logical, 8 partitions, 8–10 physical, 5–10 selection considerations, 6, 7 status values, list of, 16, 17 storage management and, 37 storage pools and, 58 unmounted, 67 viewing in Disk Management, 12, 13 dual boot, RAID and, 45 dual parity, 59, 60 dump files, 19 dynamic disks vs. basic disks, 18 configuring, 19 converting to basic, 20, 21 converting unallocated space, 72 described, 13 drive sections and, 19 moving, 22–24 portable computers and, 20 reactiving, 22 Dynamic Host Configuration Protocol (DHCP). SeeВ DHCP; DHCP servers dynamic IP addresses, 211, 217–221 dynamic updates enabling and disabling for DNS, 291 dynamic volumes, status values, list of, 40, 41 E editing security policies, 177 EFI vs. UEFI, 8 EFS. SeeВ Encrypting File System (EFS) ENABLE BACKUP command, 346, 349, 354,В 355 Enable Boot Logging option, 362 Enable Disk Quotas policy, 143 Enable Low-Resolution Video option, 362 enabling Bootstrap Protocol, 248 disk quotas, 143, 145 DNS on the network, 263–265 inheritance of permissions from a parent object, 124 network discovery, 202 point and print restrictions, 318 print spooler, 326 encoding, NFS sharing and, 108 encrypted hard drives, 7 Encrypting File System (EFS) NTFS and, 31 recovery policies and, 368–371 Work Folders and, 115 encryption backing up data and certificates, 371 certificates, 32 compression and, 30 described, 32 files and directories and, 33 keys, 32 recovery policies and, 368–371 restoring data and certificates, 371 SMB, 82, 86, 93 Work Folders and, 115, 196 Enforce Disk Quota Limit policy, 143, 145 Enhanced Storage feature, 2 Enrolling, computer and user certificates, 196, 197 enterprise CAs, 197 error logs, security template analysis, 168 errors, checking disks for, 76–78 eSATA (external SATA), 6, 15 event auditing, policies for, 135, 176 event logging disk quota variables, 153 DNS servers, 294 policies, 143, 157, 160 virtual memory exhaustion, 360 Event Trace Log (ETL) file, 207 Event Viewer, security logs and, 134 Everyone implicit group, 83, 93 exclusion ranges for IPv4 addresses, 240 for IPv6 addresses, 243 for multicast scopes, 245 setting, 254, 255 Expand (Expand.exe) utility, 31 expiration of certificates, 197 Export-DhcpServer cmdlet, 237 exporting disk quota settings, 149 printers, 319 extended FAT file system, 10 extended partitions, 8, 24, 25 extending volumes, 54 extensions to network awareness, 202 external storage devices, 14–16 extranets, 261 379 Failed Redundancy volume status F Failed Redundancy volume status described, 40 mirrored sets and, 50 Failed volume status, 40 failover, DHCP, 218 failover scopes, 223, 249–252 failures, recovering from failed start, 361 hardware or startup, 358–361 FAT file system, 10 FAT32 file system, 10 fault tolerance disk mirroring and, 47 disk striping with parity and, 49 failover scopes and, 250 incomplete volumes, 40 RAID and, 44, 45 Favorites folder, redirecting, 181 FAX$ share, 100 file and printer sharing, enabling and disabling, 302 File And Storage Services configuring role, 4, 5 configuring share permissions, 98 creating a sync share, 117 creating shared folders, 91–93 NFS sharing, 108 role services, 2 shared folders, modifying settings for,В 94 viewing NTFS permissions, 124 Work Folders, 117 File Explorer accessing Work Folders, 120 claims-based permissions and, 133 connecting to special shares, 101 disconnecting network drives, 114 mapping network drives, 113 NFS sharing and, 107 restoring a shadow copy, 110 shadow copies and, 109 sharing local folders, 88 showing hidden items, 83 viewing NTFS permissions, 124 file paths, security settings for, 166 file screening, 11 File Server Resource Manager creating disk quotas, 155, 156 creating disk quota templates, 154 modifying disk quota templates, 153 role services, 11 File Server role service, 3 File Server VSS Agent Service role service, 3 380 file servers described, 1 role services for, 2 File Services And Storage role, 54 file sharing. SeeВ standard file sharing; public folder sharing; shared folders file systems described, 1, 10, 11 local vs. remote, 1 policies for, 157, 164–167 specifying type, 27, 29, 43 files auditing, 136–138 compressing, 30 decrypting, 36 encrypting, 32–34 expanding compressed, 31 permissions, list of, 125 recovering, 367, 368 setting basic permissions, 127–129 setting special permissions, 129–132 filesystem log buffer, time stamp update records and, 65 filtering by MAC address, 253 printers, 320, 321 firewalls, security policies and, 175 FireWire (IEEE 1394) data transfer and, 14 Unreadable drive status and, 17 firmware interfaces, 8 folder redirection based on group membership, 184–186 described, 181 removing, 186 to a single location, 182 folders auditing, 136–138 permissions, list of, 125 permissions, setting basic, 127–129 permissions, setting special, 129 recovering, 292 forcing files to close, 106 Foreign drive status, 17 formatting partitions, 28, 29 formatting volumes, 43 Formatting volume status, 40 forward lookup zones global names, 275, 276 primary DNS servers and, 272 purpose, 274 secondary DNS servers and, 273 updating properties, 287 forwarder servers, 292, 293 forwarding-only servers, 268, 292, 293 incremental backups fragmentation, reducing with Optimize Drives utility, 78 Free Space label, on partitions, 12 FSUtil, 6, 71 full backups, 337 scheduling, 341 Windows Server Backup and, 344, 345 Full Control file and folder permissions, 125, 126, 127 Full Control share permissions, 95 full integration of Active Directory and DNS described, 262 DSN server types and, 267 full system recovery, 364–367 G gateways, multiple default, 212, 213 Get-Disk cmdlet, 16 GET DISKS command, 346, 348 GET ITEMS command, 346, 348 Get-NetIPInterface cmdlet, 263 Get-SmbConnection cmdlet, 85 Get-SMBOpenFile cmdlet, 105 Get-SMBSession cmdlet, 103 get-smbshare cmdlet, 86 GET STATUS command, 347, 348 GET VERSIONS command, 347, 348 GET VIRTUAL MACHINES command, 347 global unicast addresses, 222 GlobalNames zone configuring, 275, 276 described, 265 GPOs (Group Policy Objects) redirecting special folders and, 182, 184 security policies and, 178 security templates and, 170–172 Software Installation policy and, 191 user logon and logoff scripts, 187, 189,В 190 GPT (GUID partition table), 8, 9, 10, 20 GPT partition style, storage pools and, 58 Group Policy auditing policies, 135 automatic certificate enrollment, 197 Automatic Updates, 198, 199 deploying software through, 190–195 network management, 205–207 point and print restrictions, 317–319 printer connections, 315, 316 printers, 300 recovery agents and, 370 redirecting special folders, 182–187 security policies, 178, 179 security templates and, 157, 167, 170–172 TCP/IP and, 201 Work Folders, 196 Group Policy Management Console (GPMC),В 35 groups file and folder permissions and, 128, 130 removing restrictions, 162 restricting, 161 share permissions and, 96, 98 GUID partition table. SeeВ GPT (GUID partition table) H hard disk drive (HDD) storage, 57 hard drives. SeeВ drives hardware failure, recovering from, 358–361 HDD storage, 57 health policies, DHCP and, 234 health status, displaying, 66 Healthy (At Risk) volume status, 41 Healthy (Unknown Partition) volume status,В 41 Healthy volume status, 41, 50, 51 hidden items, showing in File Explorer, 83 shares, 89, 100 SMB folder shares, 86 host names, 108 hot spares, 56, 61, 63 hot standby DHCP servers, 218 failover scopes and, 251 hot swapping, 16 HTTP over SSL, 206 Hyper-V networking and, 213, 214 share permissions and, 93 I IEEE 802.3 networks, 205 IEEE 802.11 networks, 205 IIS, Work Folders and, 195 implicit groups, public folder permissions and, 83 importing disk quota settings, 149 foreign disks, 17 printers, 320 security templates, 168, 169, 172 in-place file sharing, 81 inbound authentication methods, security policies and, 176 incremental backups described, 337 vs. differential, 338 381 inheritance of objects incremental backups (continued) scheduling, 341 Windows Server Backup and, 344 inheritance of objects, 123, 124 Initialize-Disk cmdlet, 16 initializing disks, 16 initializing VHDs, 24 Initializing volume status, 41 installing DNS servers, 267–270 IPv4, 208 network printers, 305–307 new drives, 16 Print and Document Services role, 300–302 TCP/IP networking, 208 updates automatically, 197–200 Windows Server Backup, 343 integrating Active Directory and DNS, 262, 263 DNS and DHCP, 230, 231 NAP and DHCP, 232–235 Interactive implicit group, public folder permissions and, 83 interface types, 6 internal disks, standards-based storage management and, 38 Internet Printing role service, 300, 301 Internet SCSI (iSCSI), 6 interoperability with UNIX, LPD Service role service, 301 intranets defined, 261 update service locations, 200 IP addresses assignment, 221 avoiding conflicts, 236 checking whether in use, 210 configuring, 209 described, 209 DHCP and, 217 DNS servers and, 292 dynamic, 211, 212, 217–221 scopes, 222 ip6.arpa domain namespace, 264 IPC$ share, 100 ipconfig command, 221 deleting leases and reservations, 257 MAC address filtering and, 253 reserving DHCP addresses, 256 IPv4 addresses, 209 address records, 282 coexistence, 206 creating normal scopes for, 239–243 382 DHCP servers and, 217 dynamic addresses, configuring, 217,В 219 enabling DNS and, 264 exclusion ranges, 254 failover scopes, 249–252 installing, 208 MAC address filtering, 253 private network IDs, 210 PTR records and, 231 static addresses, configuring, 210, 211 superscopes, 238, 239 types of scopes, 223 IPv6 addresses, 209 address records, 282 coexistence, 206 creating normal scopes for, 242, 243 DHCP servers and, 217 DNS and, 263, 264 dynamic addresses, configuring, 219–222 exclusion ranges, 255 installing, 208 static addresses, configuring, 210, 211 iSCSI Target Server role service, 3, 54 iSCSI Target Storage Provider role service, 3, 54 iSCSI virtual disks, 55 J J50.chk file, 257 J50.log file, 257 J50000NN.log file, 257 JScript, 187 K Kerberos authentication, 108 Kerberos with Armoring, 132, 133 Kernel Transaction Manager (KTM), 74 key master, 279, 280 Key Signing Keys (KSKs), 279 keys. SeeВ registry KTM (Kernel Transaction Manager), 74 L L2TP/IPsec vs. SSTP and SRA, 206 LAN Manager authentication level, 176 last-access timestamp, filesystem log buffer and, 65 Last Known Good Configuration option, 362 LDAP, security policies and, 175 multicast IPv6 addresses leases Bootstrap Protocol, 249 deleting, 257 for dynamic IP addresses, 218, 222 for IPv4 addresses, 240 for IPv6 addresses, 243 for multicast scopes, 245 reconciling, 259 releasing, 256 legacy MBRs, 8 limit thresholds, Resource Manager disk quotas and, 151 Line Printer Daemon (LPD) Service, 300, 301 link-layer filtering, 253, 254 Link-Local Multicast Name Resolution (LLMNR), 264 link-local unicast IPv6 addresses, 220, 221,В 222 Links folder, redirecting, 181 List Folder Contents file and folder permissions, 125, 127 List Folder/Read Data special permission, 126, 127 listing printers in Active Directory, 323 LLMNR (Link-Local Multicast Name Resolution), 264 load balancing DHCP servers, 218 failover scopes, 250 secondary DNS servers and, 273 local printers vs. network printers, 298 local file systems, 1 local policies changing template settings, 160 described, 157 local print devices, 298 local print spooler, 299 local volumes, disk quotas and, 142 location printers, 322 storage of backups, 351 locked files, taking administrative ownership of, 124 Log Event When Quota Limit Exceeded policy, 143 Log Event When Quota Warning Level Exceeded policy, 143 log files, DHCP, 230 logical drives creating, 25–28 deleting, 69 extended partitions and, 8, 24 logical unit number (LUN), 37 logoff and logon scripts, 189, 190 loopback addresses, 222 Loss of Communication status, 66 M M flag, 219, 220 MAC address filtering, 253, 254 mail exchange servers, 284 Managed Address Configuration flag, 219 manual backups, 357, 358 Manual service startup mode, 163 Map Network Drive feature, 1 mapping network drives, 101, 102 master boot code, 8 master boot record (MBR) partitioning style, 2, 8, 9, 20 master file table (MFT), 11, 71 maximum sustained data transfer rate, 7 Maximum Transmission Units (MTUs), 91 MBR partitioning style, 8, 9, 20, 58 mean time to failure (MTTF), 7 memory diagnostics, 360, 361 MFT (master file table), 11, 20 Microsoft Internet Information Services (IIS),В 195 Microsoft Management Console (MMC), 159 Microsoft Online Backup Service described, 341 installing, 343 Microsoft Online Crash Analysis tool, 361 migrating printers to a new print server, 319, 320 to Windows Server 2012 R2, 300 mirroring breaking mirrored sets, 50 described, 45 vs. disk striping with parity, 44 implementing, 46–49 removing volumes from set, 52 repairing to enable boot, 51, 52 resynchronizing and repairing mirrored sets, 50, 51 storage pools and, 59 three-way, 59 virtual disks in storage pools and, 62 Missing volume status, mirrored sets and, 50 Modify file and folder permissions, 125, 126,В 127 monitoring DNS servers, 295, 296 printers and printer queues, 320, 321 mounting disks to drive paths, 25 partitions, 26 volumes, 23, 43 MS-DOS, RAID and, 45 .msi files, 191, 194 .mst files, 191 multicast IPv6 addresses, 222 383 multicast scopes multicast scopes creating, 244 defined, 239 Multipath I/O, 2 multiple scopes on a network, 249 Music folder, redirecting, 181 MX (mail exchanger) records adding, 284, 285 described, 283 N named pipes, 105 name protection, 232 name resolution configuring for DNS clients, 266, 267 forward lookups and, 272 global names and, 275, 276 reverse lookups and, 274 Name Resolution Policy Table (NRPT), 278 NAP, DHCP and, 232–236 ncpa.cpl command, 204 net session command, 103, 104 net share command, 86 NET USE command disconnecting network drives, 113 mapping network drives, 112 NetBIOS, DNS client service and, 264 NETLOGON share, 100 Netmon, tracing and, 207 netsh command adding IPv6 addresses of DNS servers,В 263 DHCP configuration and, 236 router advertisements and, 220 TCP chimney offloading, 206 Netsh Trace context, 207 Network Access Protection (NAP). SeeВ NAP network addresses, IP address ranges for,В 239 Network And Sharing Center changing a static IP address, 210 configuring name resolution, 266 described, 201 disabling network connections, 215 opening, 203 public folder sharing, 83–85 viewing categories, 204 network-attached print devices high-volume printing and, 330 installing, 311–314 network awareness, extensions to, 202 network categories described, 202 viewing, 204 384 network connections checking status of, 215 disabling, 215 managing, 214 renaming, 215 troubleshooting, 204 Network Diagnostics described, 201 troubleshooting with, 204, 206 viewing reports, 207 network discovery described, 202 enabling, 202, 203 turning on and off, 204 Work Folders and, 196 network drives connecting to, 112–114 disconnecting, 113 mapping, 101, 102, 112, 113 Network Explorer, 201 Network File System (NFS) shares, creating,В 55 Network Monitor (Netmon), tracing with,В 207 Network Policy And Access Services role, 232 network print devices access permissions, 327, 328 described, 298 installing automatically, 305 vs. local printers, 298 updating drivers, 323 network profiles, 204 network status, 203 Network Unlock, 7 networking managing, 205–207 tools, list of, 201 New-PsDrive cmdlet, 112 NFS sharing, 91, 107–109 No Access share permissions, 95 No Media drive status, 18 nonforwarding servers, 292, 293 nonoperational temperatures, 7 nonresponsive conditions, 359 nonsystem volumes, recovering, 367, 368 normal scopes for IPv4 addresses, 239–243 for IPv6 addresses, 242, 243 Not Initialized drive status, 18 notification thresholds, Resource Manager disk quotas and, 151 Nps.msc command, 233 NS (name server) records adding, 285, 286 described, 283 PCL mode Ntdsutil.exe tool, 364 NTFS compression and, 28, 30 converting volumes to, 70 described, 11 encryption and, 31 formatting USB flash devices with, 67 formatting volumes, 42 self-healing, 74, 75 transactional, 74 NTFS disk quotas deleting entries, 148 described, 140 disabling, 150 enabling on NTFS volumes, 145, 146 exporting and importing settings, 149 individual entries, when to create, 147 purpose, 141 setting with Group Policy, 142 NTFS permissions basic, list of, 125 basic, setting for files and folders, 127–129 special, list of for files, 126 special, list of for folders, 127 special, setting for files and folders, 129 standard file sharing and, 81, 83 viewing, 124 NTFS volumes creating shadow copies on, 109 creating shared folders on, 88 disk quotas and, 140, 145, 146 O O flag, 219 objects auditing, 139 defining, 121 inheritance, 123, 124 management tools, list of, 122 ownership, 122 types of, 122 offline disks, 55 file caching, 93 shared folder settings, 90 Offline drive status, 17 Offline volume status, 50 online backups, 343 Online Certificate Status Protocol (OCSP),В 206 Online drive status, 17 Online (Errors) drive status, 17 Online (Errors) volume status mirrored sets and, 51 striped sets with parity and, 53 Open Files node, 105, 106 operating system, recovering, 364–367 operational status, displaying, 66 Optimize Drives utility, 71, 78 optimizing disks, 78–80 organizational units (OUs), security policies and, 178, 179 Other Stateful Configuration flag, 219 outbound authentication methods, security policies and, 176 P page file partition, 20 page-file volumes, changing drive letters of, 67 Parallel ATA (PATA), 6 parallel queries, 207 parallel SCSI, 6 parent domains defined, 261 name resolution and, 266, 267 parent objects, inheritance and, 123 parity described, 44 disk striping with, 49 storage pools and, 59, 60 virtual disks in storage pools and, 62 partial integration of Active Directory and DNS described, 262 DNS server types and, 267 secondary servers and, 273 partitions color coding, 25 creating, 25–28 defined, 8 deleting, 69 drive letters, 24, 25 error checking, 28 formatting, 24, 27, 28, 29 GPT style, 8 labels, 29 marking as active, 20 MBR style, 8, 9 mounting, 26 primary vs. extended, 24 resizing, 72, 73 pausing printers, 332 payloads, 2 PCL mode, 324 385 performance performance diagnostics, 360 improving with RAID, 44, 45, 46 perimeter networks, 272 permissions See alsoВ share permissions access-based enumeration, 92 basic, for files and folders, 127–129 claims-based, 132–134 list of, for files and folders, 125 file system paths, 164, 165, 166, 167 NFS sharing and, 108 NTFS, 81 object inheritance and, 123, 124 printer access, 327, 328 registry paths, 164, 165, 166 shared folders, 81, 90 special, for files and folders, 126, 127, 129–132 Spool folder, 329, 330 sync folders and, 118 persistent caching, 207 .pfx format, 371 physical disks adding undectected, 66 standards-based storage and, 53 storage pools and, 58, 61 troubleshooting, 66 physical drives described, 5 preparing for use, 8–11 physical sector size, 6 physically attached printers, 307–311 Pictures folder, redirecting, 181 ping command, 210 placeholder files, 71 point and print restrictions, 317–319 Point-to-Point Tunneling Protocol (PPTP), vs. SSTP and SRA, 205 polling interval, sync servers and, 116 port preservation, 206 ports eSATA, 15 FireWire, 14 printer, 325 USB, 14 PostScript mode, 324 power management, Automatic Updates and, 198, 199 PowerShell. SeeВ Windows PowerShell PPTP vs. SSTP and SRA, 205, 206 preboot environment, 72 preference numbers, for mail exchange servers, 285 Previous Versions, 109, 110 386 primary DNS servers configuring, 270–272 described, 267 reverse lookup zones and, 274 primary management tools described, 121 list of, 122 primary partitions, 8, 24, 25, 69 primordial pools, 61 PRINT$ share, 101 Print and Document Services role, 300–302 print devices described, 299 location, 322 multiple printers for, 311 network-attached, 311–314 physically attached, 307–311 types, 298, 311 print jobs auditing, 329 Branch Office Direct Printing, 307, 308,В 313 canceling, 332 defined, 299 error notification, 330 prioritizing and scheduling, 325–327 separator pages, 324 viewing, 331 Print Management described, 302–304 installing network printers, 305–307 network-attached print devices, 311 physically attached print devices, 308 print monitors, 299 print processor, 299 print queues described, 299 emptying, 332 monitoring, 321 print routers, 299 Print Server role service, 300 print servers adding to Print Management, 303, 304 configuring, 300–302 defined, 298 error notification, 330 high-volume printing and, 330 vs. network printers, 298 properties, 329 purpose, 297, 298 print spooler described, 299 disabling, 327 enabling, 326 remote printing and, 299 restarting, 322 recovery point objective (RPO) printer drivers described, 298 downloading to clients, 299 network-attached print devices and, 312, 313 physically attached print devices and, 309–311 point and print restrictions, 317 sharing, 306 updating, 323, 324 printer filters, 320 printer queues monitoring, 320 viewing, 331 printers access permissions, 327, 328 comments, 322 connecting to, 314 deploying connections, 315, 316 document default settings, 329 document priorities, 333 document properties, 333 Group Policy and, 300 monitoring, 320 moving to a new print server, 319, 320 names, 306, 308, 313 network, installing, 305–307 pausing, 332 properties, 322–329 resuming, 332 setting availability, 326 sharing, 327 private networks described, 202 vs. public networks, 272, 273 ProactiveScan task, 75 protective MBRs, 8 providers, 207 provisioning virtual disks in storage pools, 63 PTR (pointer) records adding, 283, 284 described, 283 dynamic DNS updates and, 267 reverse lookup zones and, 231 Public Desktop folder, 83 Public Documents folder, 83 Public Downloads folder, 83 public folder sharing, 81, 82, 83. See alsoВ shared folders Public Music folder, 83 public networks described, 202 vs. private networks, 272, 273 Public Pictures folder, 83 Public Videos folder, 83 publishing shared resources, 94 Q queries, DNS clients and, 207 query coalescing, 207 quick format, for partitions, 28, 29, 43 quotas. SeeВ disk quotas R RAID arrays, 38 backup solutions and, 340 breaking mirrored sets, 50 costs, 45 levels, 44, 45 MS-DOS and, 45 purpose and benefits, 44 resynchronizing and repairing mirrored sets, 50 RAID-0, 45, 46 RAID-1, 46–49 RAID-5, 49 RDP files, 207 reactivating disks, 17 volumes, 40, 50, 51, 53 Read Attributes special permission, 126, 127 Read & Execute file and folder permissions, 125, 126, 127 Read Extended Attributes special permission, 126, 127 Read file and folder permissions, 125, 126, 127 Read-Only Access, shared folders and, 90 read-only domain controllers (RODCs), 265 read-only primary zones, 265 Read share permissions, 95 Read special permission, 126, 127 Recenv.exe, 365 reconciling leases and reservations, 259 records, DNS, 282–286 recovering data, Windows Server Backup and, 342 recovery See alsoВ backing up files; restoring agents, 33, 35, 369, 370 applications, 367, 368 EFS and, 368–371 from failed start, 361 files and folders, 367, 368 from hardware failure, 358 from startup failure, 358 nonsystem volumes, 367, 368 policies, 35, 368–371, 370 safe mode and, 361–363 recovery point objective (RPO), 336, 337 387 recovery time objective (RTO) recovery time objective (RTO), 336, 337 recursive queries, 264, 296 redirecting folders, 114 printers, 302 special folders, 181–186 redundancy, restoring for storage spaces, 66, 67 redundant data sets disk mirroring and, 46 with RAID, 44 refreshing server information, 227 ReFS (Resilient File System), 74, 75 regedit command, 138 regenerating striped sets, 49 striped sets with parity, 52, 53 Regenerating volume status, 41, 50, 51 registry auditing, 138 keys, 230, 258 paths, security settings for, 165 policies, 157, 164–167 settings, 176 Registry Editor, 138 re-imaging the operating system, 366 relay agents, 221, 223 releasing addresses and leases, 256 remediation servers, 234 remote computers connecting to, 87 disk quotas, 142 remote file systems, 1 remote management, Disk Management snap-in and, 13 remote servers, 227 Removable disk type, 13 removable media, disk quotas and, 143 removable storage devices, 14–16 Remove-DhcpServerInDC cmdlet, 228 Remove-PsDrive cmdlet, 113 removing folder redirection, 186 renewing expired certificates autoВ matically,В 197 repairing disk errors, 76 file system errors, 55 repairing mirrored sets, 50, 51 Repair Your Computer tool, 341, 362 rescanning disks, 16, 17, 22, 41, 51 storage, 66 388 reservations deleting, 257 DHCP addresses, 255, 256 IPv4 addresses, 222 modifying properties, 257 options, 247 reconciling, 259 releasing, 256 resiliency recovering, 66 Resilient File System (ReFS), 11, 74 resizing partitions and volumes, 72, 73 resource exhaustion alerts, 360 Resource Manager disk quotas, 140, 150–154 resource properties, 132 Restart Manager, 359 restarting Automatic Update process, during, 199 DNS servers, 263 to recover from failed start, 361 restoring See alsoВ recovery Active Directory, 364 boot manager, 364–367 DHCP servers from backup, 258 encrypted data and certificates, 371, 372 system state, 363, 364 restricted groups policies configuring, 161, 162 described, 157 resuming printing, 332 Resynching volume status, 41, 48 resynchronizing mirrored sets, 50, 51 reverse lookup zones configuring, 274, 275 ip6.arpa domain namespace and, 264 updating properties, 287 revocation checking, 206 roaming profiles encrypted files and, 32 purpose, 369 RODCs (read-only domain controllers), 265 role services for file servers, 2, 3 rollback templates, 169, 170 rolling back security policies, 178 root domains, 261 root hints, configuring, 270 rotational speed, 6 rotation schedules for data backup, 341 router advertisements, 220, 221 routers DHCP and, 219 printer, 299 separator pages Routing and Remote Access Service (RRAS),В 223 routing cost, of a gateway, 212 S safe mode, 361–363 SATA (Serial ATA), 6 Saved Games folder, redirecting, 181 Scan Management, 301 Scan Operators group, 302 scanning drives for errors, 78 file systems for errors, 55 scheduled backups configuring, 352–355 excluding files, 352 modifying or stopping, 355 specifying volumes, 351 storage location, 351 Wbadmin and, 356 scheduling Automatic Updates, 198 scheduling print jobs, 325–327, 333 scopes activating and deactivating, 248 configuring multiple on a network, 249 creating, for IPv4 addresses, 239–243 creating, for IPv6 addresses, 242, 243 described, 222 failover, 249–252 modifying, 248 options, 245 reconciling, 259 removing, 249 statistics, viewing, 252 superscopes and, 238 types of, 223 screened subnets, 272 scripting engines, 187 scripts logon and logoff, 189, 190 Read file and folder permissions and,В 125 startup and shutdown, 187, 188 Windows PowerShell, 187 SCSI (Small Computer System Interface), 6 Scwcmd (Scwcmd.exe) utility, 172, 178 Searches folder, redirecting, 181 Secedit command-line utility, 169, 170 secondary DNS servers configuring, 273 described, 268 notifying of changes, 290, 291 reverse lookup zones and, 274 sector size, 6 Secured Boot, 7 Secure Remote Access, 205 Secure Socket Tunneling Protocol, 205, 206 Security Configuration And Analysis snap-in analysis database, 167 analyzing and configuring templates, 167, 168 changing settings stored in dataВ base,В 168 limitations, 167 opening, 159 purpose, 158 Security Configuration Wizard applying security policies with, 177, 178 described, 172 editing security policies, 177 process, 173 rolling back security policies, 178 security logs, 134, 136 security policies applying, 177, 178 deploying to multiple computers, 179 described, 172 editing, 177 file system, 164–167 process for creating, 172–177 registry, 164–167 rolling back, 178 saving, 177 security templates and, 157, 177 security templates adding to security policies, 177 analyzing, 167, 168 changing settings, 160 file system, 164–167 importing, 168, 169, 172 process, 158 purpose, 157 registry policies, 164–167 Secedit command-line utility, 169, 170 system services policies, 162, 163 Security Templates snap-in adding search paths, 159 changing settings, 160 creating new templates, 159 file path security settings, 166 file system policies, 164–167 opening, 159 purpose, 158 registry policies, 164–167, 165 restricted groups policies, 161, 162 system services policies, 162, 163 selective wipe, 115 self-healing NTFS, 74, 75 separator pages, 324 389 Serial ATA (SATA) Serial ATA (SATA), 6 Serial Attached SCSI (SAS), 6 server bindings, configuring, 228 Server Core installations, 365 Server For NFS role service, 3, 91, 107 Server Manager claims-based permissions, 134 installing DNS Server service, 268–270 NFS sharing and, 107, 108 Print and Document Services role, 300–302 setting file and folder permissions, 129 setting special permissions, 132 shared folders, creating, 91–93 shared folders, modifying settings, 94 starting and stopping DHCP servers, 227 starting and stopping DNS servers, 278 viewing NTFS permissions, 124 viewing share permissions, 98, 99 viewing SMB shares, 86, 87 Windows Server backup and recovery tools, 343 Server Message Block (SMB) encryption, 82, 86, 93 ending sessions, 103, 104 protocol described, 81 security signature options, 175 shares, 55, 91 support for MTUs, 91 versions, 85, 86 viewing sessions, 102, 103 Work Folders and, 115 server roles enabling and disabling, 174 Print and Document Services, 300–302 Service implicit group, public folder permissions and, 83 service location (SRV) records, 265, 283 services, security policies and, 175 sessions ending, 103, 104 viewing user and computer, 102, 103 Set-DNSClientServerAddress cmdlet, 263 Set-DnsServerGlobalNameZone comВ mand,В 276 Set-FileStorageTier cmdlet, 57 Set-SyncServerSetting cmdlet, 116 Set Value advanced permission, 139 shadow copies See alsoВ shared folders creating, 110 deleting, 111 described, 109, 336 390 disabling, 111, 112 restoring, 110 reverting an entire volume to, 111 share permissions access-based enumeration, 92 assigning, 95 defined, 81 list of, 95 public folders and, 83, 90 standard file sharing and, 83 viewing in Computer Management, 95–97 viewing in Server Manager, 98, 99 shared folders See alsoВ shadow copies changing settings, 94 claims-based permissions, 134 configuring settings, 83 creating in Computer Management, 88–91 creating in Server Manager, 91–93 disconnecting users from, 103, 104 hiding, 89 modifying settings, 94 offline settings, 90 publishing in Active Directory, 94 purpose, 85 stopping sharing, 106 viewing, 86–88 shared printers, 101, 302, 306, 307, 308, 310 shared secret keyphrases, 234, 251 sharing See alsoВ Server Message Block (SMB) shares; Network File System (NFS) shares file and printer, 302 files and folders with removable disks,В 15 NFS, 107 printers, 327 shortcuts, Read file and folder permissions and, 125 shrinking volumes, 72, 73 shutdown scripts, 187, 188 signing zones, 280–282 simple layout, storage pools and, 62, 63 simple volumes See alsoВ volumes creating, 25 extending, 42 mirrored volumes and, 48 storage pools and, 59 vs. volume sets, 38 superscopes single-label name resolution, 265 sizing virtual disks, 64 volumes, 43 Small Computer System Interface (SCSI), 6 SMB. SeeВ Server Message Block (SMB) SMB 1.0/CIFS File Sharing Support feature,В 85 SOA (Start Of Authority) records described, 283 modifying, 287, 288 Software Installation policy, 190, 191 Solicit messages, IPv6 and, 221 Solid State Drive (SSD) storage, 57 spanned volumes See alsoВ volumes basic disks, adding space from, 42 defined, 38 extending, 42, 72 incomplete, 40 special folders, redirecting, 181–186 special permissions, 126, 127, 129–132 special shares, 100–102 Specify Default Quota Limit And Warning Level policy, 143 Specify Intranet Microsoft Update Service Location policy, 200 Spindles. SeeВ physical disks Spool folder, 329, 330 spooler described, 299 restarting, 322 SRV (service location) records, 283 SSD storage, 57 SSL connections, 196 Stale Data volume status, 41 standard file sharing, 81, 82, 83 Standard Format hard drives, 5 standard volumes, 64, 65 standards-based storage described, 37 layers, 54 storage spaces, 54 START BACKUP command, 347, 349, 356, 357 Start Menu folder, redirecting, 181 Start Of Authority (SOA) records, 283, 287,В 288 START RECOVERY command, 347, 350 START SYSTEMSTATEBACKUP command, 347, 350, 363 START SYSTEMSTATERECOVERY command, 347, 350, 363 Start Windows Normally option, 363 startup failure, recovering from, 358–361 mode, security policies and, 175 safe mode, 361–363 scripts, assigning, 188 system services policy configuration, 162, 163 Windows Boot Manager and, 72 Startup Recovery Options, 365 Startup Repair tool (StR), 360, 365 stateless and stateful addresses, 219 static IP addresses, configuring, 209 statistics for scopes, viewing, 252 STOP JOB command, 347, 349 stopping file and folder sharing, 106 storage management disk mirroring, 46–49 disk striping, 45, 46 disk striping with parity, 49 fault tolerance, 44, 45 performance, improving, 44, 45 traditional vs. standards-based, 37 volumes and volume sets, 38–44 storage pools allocating space, 57, 58, 61 creating, 58–62 defined, 53 hot spare errors, 63 troubleshooting, 66, 67 virtual disks, creating in, 62–64 storage reporting, 11 Storage Services role service, 3, 54 storage spaces checking version, 56 creating storage pools, 58–62 defined, 53 file systems and, 11 resetting, 63 troubleshooting, 66, 67 upgrading version, 56 storage subsystem, 53, 54 storage tiers, 57, 63 striping, 45, 46, 52 striping with parity, 44, 45, 52, 53, 59 subdomains, 280 subnet masks, 211 subnets, deleting, 282 suffixes, DNS, 266, 267 suggested value changes, security templates and, 160, 161 Super DLT (SDLT), 339 superscopes, 223, 238, 239 391 sync folders sync folders permissions, 118 redirected folders and, 114 sync shares, 114–120 synchronizing data, Work Folders and, 195,В 196 System Image Recovery tool, 365 system partition or volume, 20 system recovery, 364–367 system resources, auditing, 134–140 system services policies configuring, 162, 163 described, 157 system state, backing up and restoring, 363,В 364 system volumes changing drive letters for, 67 repairing, 76 repairing mirrored sets, 51 repairing mirror to enable boot, 52 striped sets and, 46 SYSVOL share, 101 T Take Ownership special permission, 126, 127 taking ownership of an object, 122, 123 tape drives as backup devices, 339 TCP Chimney offloading, 206 TCP/IP configuring, 209 described, 201 DHCP and, 217 Group Policy and, 201 installing, 208, 209 temperatures, drive specifications and, 7 templates, certificates, 197. See alsoВ security templates Teredo, 206 three-way mirrors, 59 timeout intervals, 207 time stamp update records, filesystem log buffer and, 65 time to failure, drive specifications and, 7 Tmp.edb file, 257 touch-enabled computers, xv tracing, 207 traditional storage management, 37 transactional NTFS, 74 transferring object ownership, 122 transform (.mst) files, 191 392 Traverse Folder/Execute File special permission, 126, 127 troubleshooting networks, 206, 207 printer connections, 315 print spooler problems, 322 startup issues, 361–363 storage spaces, 66, 67 trust anchors, 280 trusted publishers list, 207 two-way mirrors, 59 U UEFI (Unified Extensible Firmware Interface),В 8, 9 UI changes since Windows Server 2012, xv,В xvi Unallocated label, on partitions, 12 Unallocated volume status, mirrored sets and, 52 Unified Extensible Firmware Interface (UEFI),В 8, 9 uninstalling dynamic disks, 23 UNIX computers, NFS sharing and, 108 Unknown volume status, 41 unmounted drives, 67 Unreadable drive status, 17 Unreadable volume status mirrored sets and, 51 striped sets with parity and, 53 Unrecognized drive status, 18 unresponsive applications, 359 unsigned files, 207 unspecified services, 175 untrusted publishers, 207 updates, automating, 197–200 updating certificate templates, 197 deployed software, 194 printer drivers, 323, 324 upgrading deployed software, 194, 195 USB devices data transfer and, 14 Unreadable drive status and, 17 user assignment, software deployment method, 190, 191 user claims, 132 user interface changes since Windows Server 2012, xv, xvi user logon and logoff scripts, 189, 190 User publishing, software deployment method, 191 wired policies V variables for disk quota messages, 153 VBScript, 187 VHDs disk type, 13 managing, 23, 24 Videos folder, redirecting, 181 viewing disk quota entries, 147 existing shares, 86 NTFS permissions, 124 printer queues, 331 print jobs, 331 share permissions, 95–99 virtual disks defined, 53 creating in storage spaces, 62–64 provisioning, 63 sizing, 64 troubleshooting, 66 virtual hard disks (VHDs) disk type, 13 managing, 23, 24 virtual machines, networking and, 214 virtual memory, running out of, 360 virtual networks, 213, 214 volume sets advantages and disadvantages, 40 creating, 42, 43 described, 38 deleting, 44 segmentation, 39, 40 sizing, 43 Volume Shadow Copy Service (VSS), 342 volumes assigning drive letters, 26, 43 capabilities, 39 changing drive letters, 67 color coding, 38 compression, 43 converting dynamic disks to basic disks and, 20 converting to NTFS, 70, 71 creating, 25–28, 42, 43 defined, 38 deleting, 44, 54, 69 dismounting, 76 drive letters and, 23 formatting, 27, 28, 54 labels, 27, 43, 68, 69 management options, 54, 55 mounting, 23, 43 properties, 38, 55 reactivating, 40, 50, 51, 53 resizing, 72, 73 scheduled backups and, 351 shrinking, 54, 72 sizing, 25, 26, 43 standard, 64, 65 status values, list of, 40, 41 W warning limits, disk quotas and, 144, 145, 151 Wbadmin, 343, 346–350, 354 Web Services for Devices (WSD) printers, 311, 312 WIM (Windows Imaging) format. SeeВ Windows Imaging (WIM) format Windows Boot Manager, 72 Windows Diagnostics framework, 75, 197 Windows Installer packages (.msi) described, 191 updating deployed software, 194 upgrading deployed software, 194, 195 Windows Memory Diagnostics, 360, 361, 365 Windows Network Diagnostics, 201, 204, 206 Windows PowerShell, 187 Windows Script Host (WSH), 187 Windows Server 2012 R2 diagnostics and resolution architecture, 358–360 Windows Server Backup default performance settings, 345 described, 2, 341, 342 extensions, 344 full backups, 345 full system recovery and, 365 installing, 343 manual backups, 357 permissions, 344 Recovery Wizard, 367 requirements, 342 scheduling automated backups, 352–355 scheduling limitations, 344 starting, 343 Windows Server Backup Module for Windows PowerShell, 341 Windows Server Update Services (WSUS),В 200 Windows Standards-Based Storage Management feature, 54 Windows Update binary source files for print servers, 301 Group Policy, managing with, 197–200 printer drivers, 310, 313 WINS vs. GlobalNames resolution, 265 Winspool.drv, 299 Wire AutoConfig service, 205 wired policies, 205 393 wireless policies wireless policies, 205 Work Folders, 114 accessing, 119, 120 deploying, 195 discovery, 196 purpose, 195 Work Folders role service, 3, 195 Write Attributes special permission, 126, 127, 138 write-back caching, 57 Write Extended Attributes special permission, 126, 127, 138 Write file and folder permissions, 125, 126,В 127 Z .zap files, 191 ZAW Down-Level Application Packages (.zap), 191 zones creating child domains in separate, 281 creating child domains within, 280 DNS, 262 global names, 275, 276 setting type, 291 signing, 279, 280 updating properties, 287–291 Zone Signing Keys (ZSKs), 279 zone transfers, 289, 290 394
advertisement
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project