Ch 5


Configuring DFS Namespaces

A typical organization has many different file servers. Moreover, each file server usually hosts many different shared folders. While publishing shared folders makes it easier for users to locate a specific shared folder, it does not provide an easy way to browse the available shared folders within the organization. By installing DFS namespaces on a Windows Server 2019 system, you can create a DFS namespace shared folder that users can access. After accessing the DFS namespace folder, users will see subfolders (called targets) that represent the shared folders on the file servers within the organization. The DFS namespace provides a visual representation of multiple shared folders on the network. When users navigate to a target, they are automatically forwarded to the associated shared folder on the network.

security principal

A user or group that is listed within a DACL or SACL is called ___________

Publishing a Shared Folder in Active Directory

Active Directory allows you to create objects that represent network resources, such as shared folders. This process is called publishing a resource to Active Directory. If you publish a shared folder to Active Directory, users will be able to locate that shared folder quickly using the LDAP component of Active Directory. Domain users can search Active Directory for shared folders using File Explorer on their Windows system.

compress attribute performance note

As with the compress attribute, the encrypt attribute requires additional processor calculations. If you set the encrypt attribute on a large number of frequently accessed files, your server performance may degrade significantly.

File Attributes

Attributes are features of a folder or file that are used by a filesystem. They have been used within Microsoft filesystems since the FAT filesystem was introduced in 1977. Each folder and file that is stored on a filesystem contains a metadata component that stores information about the folder or file.

Security Log

Audited events are recorded in the Windows Server 2019 Security log. You can access the Security log using the Get-EventLog Security command within Windows PowerShell, or by using the Event Viewer tool. To open Event Viewer, right-click Start and click Event Viewer. Be cautious about how much you choose to audit on a server. Auditing a large number of folders or files will require additional processor calculations and use additional space within the Security log, making individual audit events more difficult to locate.

Audit Policy

Because auditing requires additional processor calculations and storage, it is not enabled on Windows Server 2019 by default. To enable auditing functionality, you must edit the audit policy within a Group Policy object that applies to your computer. You can edit the settings of the Default Domain Policy object to enable auditing functionality on every computer within the domain. To do this, you can select Group Policy Management from the Tools menu within Server Manager.

Compression/Decompression

Because compression and decompression result in additional processor calculations, the compress attribute is not enabled by default and is typically enabled only on files that are accessed infrequently, such as accounting documents from a previous fiscal year. If you set the compress attribute on a large number of frequently accessed files, your server performance may degrade significantly.

Encrypt Parent Folder

Because sensitive documents are often stored within the same folder, when you encrypt a file, you are prompted whether to encrypt the file, or the parent folder.

Encrypt and compress

Because the encrypt and compress attributes use the same metadata section, you cannot enable the encrypt and compress attributes on the same file. If you attempt to enable the encrypt attribute on a compressed file, the compress attribute will be deselected automatically.

Default everyone group

By default, the special Everyone group (which includes all authenticated users by default) has Read permission to a new share when configuring advanced shared folder permissions. However, to simplify the management of shared folder permissions for folders that reside on an NTFS or ReFS filesystem, many administrators assign the Everyone group Full Control shared folder permission. While this allows all authenticated users to connect to the shared folder to perform all actions, those users are still restricted by the NTFS/ReFS permissions they are assigned on the underlying filesystem.

NTFS/ReFS - Write

Can create files, write data to files, append data to files, create folders, and modify folder and file attributes; cannot delete files

NTFS/ReFS - List folder contents

Can list (traverse) files in the folder or switch to a subfolder, view folder attributes and permissions, and execute files; cannot view file contents

NTFS/ReFS - Full Control

Can read, add, delete, execute, and modify files, change permissions and attributes, and take ownership

NTFS/ReFS - Modify

Can read, add, delete, execute, and modify files; cannot change permissions or take ownership

NTFS/ReFS - Read

Can view file contents, as well as view file and folder attributes and permissions; cannot traverse folders or execute files

Implementing Distributed File System

Distributed File System (DFS) is an optional component provided by Windows Server 2019 that delivers additional functionality for accessing and managing content on file servers. The Active Directory database uses DFS to replicate object changes by synchronizing the SYSVOL shared folder on each domain controller.

Configuring File Ownership

Each folder and file on a system must have an owner, which, by default, is the user that created the file. The owner of a folder or file is able to change the ownership to another user.

Config User Quotas

Enable NTFS quotas for a filesystem: right-click the root folder of a filesystem (e.g., C:\) within File Explorer, click Properties, highlight the Quota tab, and select the appropriate options. Administrators group members receive no limits.

File Screens

File Screens stores file screen entries for folders on NTFS filesystems. There are no file screen entries configured by default.

File Screens - passive screening

File screens can be used to log an event when this occurs

File Screens - active screening

File screens can be used to prevent users from storing files of a certain category within folders on an NTFS volume

Configure File Auditing

Folder and file auditing allows you to track activity on a folder or file, such as read or write activity. Some organizations choose to implement auditing on folders and files that involve financially sensitive information, such as those involving accounting and payroll. Windows Server 2019 allows you to audit successful and failed attempts to access folders and files using a combination of any or all of the basic or advanced permissions listed

Hidden folders

Folders and files can be assigned the hidden attribute to prevent users from listing their names. However, you can add an option to a command to view the folder or file. For example, the dir /ah MS-DOS command and the Get-ChildItem -hidden Windows PowerShell command will display folders and files that have the hidden attribute. Similarly, you can configure File Explorer to view hidden folders and files by clicking the View menu and enabling the Hidden items checkbox.

Allow / Deny boxes

If none of the Allow or Deny boxes are checked then the associated user or group has no access to the folder. If the Deny box is checked, this overrides any other access. For instance, if your user account is granted Read permission to a file, and a group that your user account belongs to is denied Read permission to the same file, you are denied Read access to the file

Encrypting File System (EFS)

If you make changes to the file, the symmetric key encrypts the file's contents again to keep the data secure. EFS works within a workgroup or Active Directory domain environment. In a workgroup, your local user account stores your EFS public and private keys. However, within an Active Directory domain, these keys are stored within your domain user account such that you can access them from any EFS private key is integrated into the password attribute of your user account

Folder attribute

If you modify an attribute on a folder, you will be prompted whether to apply that change to only the folder, or to the files and subfolders within that folder as well.

FAT32 and shared permissions

If you share a folder on a FAT32 or exFAT filesystem, the level of access each user obtains to the folders and files within is determined solely by the shared folder permissions that you configure.

Audit Policy Powershell

If your Windows Server 2019 system is part of a workgroup, you can run the gpedit.msc command to open the local Group Policy object. Next, you can navigate to the same Audit Policy section shown in Figure 5-11 to enable auditing functionality for your computer. You can also use the Set-ACL cmdlet within Windows PowerShell to configure permissions, ownership, or auditing for folders or files on an NTFS or ReFS filesystem.

NTFS/ReFS - Read and execute

Implies the capabilities of both List folder contents and Read (traverse folders, view file contents, view attributes and permissions, and execute files)

Compress Attribute

In order to conserve space, the contents of a file can be stored on the filesystem in compressed format. The system compresses the file on the filesystem, and automatically decompresses it when you access it. Any changes you make to the file are then compressed before being written to the filesystem. Similarly, to compress all of the files within a certain folder, you can enable the compress attribute for that folder. Enabling the compress attribute on a folder ensures that new files created within the folder, or copied to the folder, are assigned the compress attribute.

NFS

NFS is a UNIX file sharing protocol that was introduced by Sun Microsystems and can be installed on Windows Server 2003 and later systems.

Quota Management

• Quotas stores quota entries for folders on NTFS filesystems. There are no quota entries configured in this folder by default.
• Quota Templates stores templates that contain quota settings that can be used to simplify the creation of new quota entries. There exist several default quota templates within this folder.

Common Internet File System (CIFS)

SMB

SMB

SMB is the default file sharing protocol used by Windows systems. SMB is also called Common Internet File System (CIFS). SMB sharing is enabled by default. allow your PC to be discoverable by other PCs. To enable or disable SMB sharing for your current network profile, you can open Control Panel in category view and navigate to Network and Internet,

SMB Folder permissions

SMB requires that you have a shared folder permission in order to connect to a shared folder. The permissions available in Figure 5-14 include the following:
• Read—Allows groups or users to read and execute files.
• Read/Write—Allows groups or users to read, execute, delete, and modify the contents of files, as well as add and delete subfolders.
• Owner—Automatically assigned to the owner of the folder, it allows the owner to read, execute, delete, and modify the contents of files, as well as add and delete subfolders and modify share permissions.

Administrative Group ownership

The Administrators group always has the right to take ownership of any folder or file, regardless of the permissions set. This ensures that IT staff can always take ownership of a file and modify the permissions when necessary. If you create a folder or file as the Administrator user, the Administrators group automatically becomes the owner of it

DFS staging folder

The DFS replication service uses a temporary folder called the DFS staging folder to store files that need to replicate to other systems. By default, the size of this folder is limited to 4 GB on each system.

File Explorer

The Explorer in Windows was originally called Windows Explorer, but was renamed to avoid confusion with the Internet Explorer Web browser. You will still find Windows Explorer referenced within documentation and websites on the Internet.

FAT32 Advanced attributes

The FAT32 and exFAT filesystems only support the archive and encrypt advanced attributes, whereas the ReFS filesystem only supports the archive advanced attribute. Moreover, the encrypt attribute is only available for FAT32 and exFAT filesystems within Windows 10, Windows Server 2016, and later.

Sharing a Folder using Server Manager

The Shares section of Server Manager can also be used to create and manage NFS shared folders, using the same general process as SMB shared folders.

Windows Search Service

The Windows Search Service is a faster replacement for the Windows Indexing Service that is available on Windows Server 2019 if you install the Windows Search Service server feature.

Universal Naming Convention (UNC)

The \\servername\sharedfoldername syntax is called a Universal Naming Convention (UNC), and is used when connecting to shared SMB resources. You can specify the IP address of a server instead of the server name within a UNC (e.g., \\IPaddress\sharedfoldername).

Archive attribute

The archive attribute indicates that the folder or file needs to be backed up. It is automatically enabled on files, but not folders, when they are newly created or changed. The backup software often removes the archive attribute following the backup process.

Working with Basic Attributes

The main filesystems supported by Windows Server 2019 include NTFS and ReFS. Additionally, Windows Server 2019 supports the FAT32 filesystem for use on local storage and removable media, as well as the newer exFAT filesystem for use on large-capacity removable media. Each of these filesystems contains two basic attributes that are compatible with the original FAT filesystem: read-only and hidden.

Configure Shared Folders

To allow users to access the files within a folder on your Windows Server 2019 system from across a network, you must share the folder. Furthermore, there are two different protocols that can be used to share folders on Windows Server 2019 systems: Server Message Block (SMB) and Network File System (NFS).

Encrypt files within certain folder

To encrypt all of the files within a certain folder, you can enable the encrypt attribute for that folder, and select the option Apply changes to this folder, subfolders and files when prompted. Moreover, enabling the encrypt attribute on a folder ensures that new files created within the folder, or copied to the folder, are assigned the encrypt attribute.

recovery agent

To prevent data from being lost in an Active Directory environment in the event of a password reset, each time you encrypt a file using a domain user account, a second copy of the symmetric key is added to the file's metadata and encrypted with a recovery agent public key.

Sharing a Folder using Folder Properties

To share a folder using NFS, you can right-click the folder, click Properties, highlight the NFS Sharing tab, and click Manage NFS Sharing. As with SMB shared folders, shared folder permissions are required to connect to an NFS shared folder. However, NFS shared folder permissions are granted to computers instead of users. After a computer connects to an NFS shared folder successfully, the identity of the user (using Kerberos or UID/GID) is used to obtain access to the folder and files within according to the associated NTFS/ReFS permissions. NFS shared folder permissions and NTFS/ReFS permissions must both be satisfied in order to gain access to an NFS shared folder. For example, if your computer is granted Read/Write permission to an NFS shared folder, and you attempt to access a file within the shared folder

Sharing Folders Using NFS

To share folders using NFS on Windows Server 2019, you must first install the Server for NFS server role. To connect to NFS shared directories from a Windows Server 2019 system, you must also install the Client for NFS feature. Windows Server 2019 requires that any NFS shared folders reside on an NTFS or ReFS filesystem.

remote differential compression (RDC)

When the DFS replication service replicates folder contents, it only replicates the changes made to each file by default. This feature is called remote differential compression (RDC), and can cause synchronization problems if a large number of users continually modify the same file. In this situation, you should disable RDC for each connection within the replication group.

Resource owner default

When you create a resource, such as a file, folder, or printer, you become the owner of that resource by default. By default, the owner of a resource, the local Administrator user account (within a workgroup), and members of the Domain Admins group (within a domain) can change folder and file ownership as well as configure DACLs and SACLs.

Read-only file

When you enable the read-only attribute for a file, changes to its contents cannot be saved to the same file name, and it cannot be deleted by using a command within a Windows PowerShell or Command Prompt window. When you enable the read-only attribute for a folder, it applies to existing files within the folder only, and not the folder itself. Most Windows Server 2019 administrators ignore the read-only attribute box and set the equivalent protection using permissions instead, because permissions apply to the folder and can be inherited by its files.

Index Attribute

When you search for files within File Explorer, the legacy Windows Indexing Service is used to obtain a list of files whose name or content matches your search based on a pre-created list called an index.

Implementing Quotas and File Screens

When you share folders on an NTFS filesystem that provide permissions for users to add files and subfolders, you may need to configure additional restrictions on the size and type of files that users can add. These restrictions can prevent users from consuming too much space on your file server, or block users from adding the wrong type of files to shared folders.

Navigate to audit policy

Within the Group Policy Management tool, you can navigate to, and expand, your domain object, right-click Default Domain Policy, and click Edit. This will open the Group Policy Management Editor tool, where you can navigate to the Audit Policy section.

Sharing a Folder using Server Manager

You can also manage SMB shared folders within Server Manager. To do this, you can click File and Storage Services within the navigation pane of Server Manager, and then highlight Shares. To simplify the permissions associated with sharing folders on NTFS and ReFS filesystems, the New Share Wizard automatically assigns the Everyone group Full Control advanced share permission. After creating a shared folder, you can right-click it within the Shares section of Server Manager and click Properties to modify shared folder settings, or Stop Sharing to discontinue folder sharing without removing the folder on the filesystem. In addition to folder properties and Server Manager, you can use the New-SmbShare cmdlet within Windows PowerShell to share a folder with SMB.

Connect SMB with Linux, Mac, UNIX

You can use the graphical file browsing app on a UNIX, Linux, or macOS system to connect to SMB shared folders. However, you will need to specify the format smb://servername/sharedfoldername.

NTFS/ReFS permissions

You must be granted both shared folder permissions and NTFS/ReFS permissions in order to access files within a shared folder on an NTFS or ReFS filesystem. This is because file sharing and filesystem DACLs are two separate components within the Windows operating system and they maintain their own security restrictions. For example, if you are granted Read/Write share permission to a shared folder and attempt to access a file within the shared folder that grants you Read NTFS/ReFS permission, you will only be able to read the contents of the file. Alternatively, if you are granted Read share permission to a shared folder, and attempt to access a file within the shared folder that grants you Modify NTFS/ReFS permission, you will only be able to read the contents of the file.

Permissions Inheritance (folder / group level)

You receive the permissions on a folder or file that are assigned to your user account as well as any group accounts that you belong to. For instance, if your user account is granted Read permission to a file and a group that your user account belongs to is granted Full control to the same file, you effectively receive Full control when accessing the file. When you set permissions on a folder, those permissions are inherited by default to files and subfolders.

Shared Folder permissions

You receive the shared folder permissions that are assigned to your user account as well as any group accounts that you belong to. Moreover, permissions that are denied to your user or group accounts override permissions that are allowed.

Configuring DFS Replication

allows each server within the replication group to replicate directly to all other members, consuming additional network bandwidth as a result. To configure folders on two or more file servers to synchronize contents, you must first create a DFS replication group. To create a DFS replication group, you can click New Replication Group within the DFS Management console shown in Figure 5-32 and specify the appropriate settings within the New Replication Group wizard. However, if you add a target that contains more than one UNC to a DFS namespace, the DFS Management tool will give you the option to automatically create a replication group that keeps the content within each shared folder synchronized using DFS replication. To ensure that replicated folder contents are updated immediately, the DFS replication service runs at all times of the day on each server within the replication group by default.

NTFS - Folder quotas

can be configured to limit the space consumed by a folder on the filesystem.

NTFS - User quotas

can be configured to limit the space that users can consume within the filesystem. NTFS user quotas are not enabled on each filesystem by default. Because user quotas are based on file ownership, they are not always accurate. User quotas require additional processor calculations and storage I/O. As a result, you should enable user quotas only on filesystems where user storage limits need to be enforced.

NTFS - File screens

can be configured to prevent certain types of files (such as audio and video files) from being stored within a folder on the filesystem

DFS Replication

can synchronize folder contents between different servers. It must be installed on every server that synchronizes folder contents.

system access control list (SACL)

contains information used to audit the access to the resource. For example, a soft drink company may decide to audit files that contain the secret recipes for their products. By configuring a SACL for each file containing a recipe, the company can monitor who has successfully viewed the file's contents and who has tried to view the contents but failed because of DACL restrictions. If no SACL is configured, auditing is disabled for the resource.

discretionary access control list (DACL)

discretionary access control list (DACL) lists the permissions given to user and group accounts and is used to grant or deny access to the resource.

Hard and Soft Quotas

Hard quotas - try to save a file and it won't allow. Quota templates you can use. Soft quotas - not supposed to do it but we will let you.

BranchCache

is an optional performance enhancement to offline file caching for Windows 7 and later clients that is not installed or configured by default. Search BranchCache at docs.microsoft.com for more information

Managing Folder and File Security

modify the access control lists (ACLs) on each resource and then to set them up for sharing.

DFS Namespaces

provides a central location from which users can access the different shared folders within their organization. It can be installed on one or more file servers within your organization. You can think of a DFS namespace as a home page for some or all of the shared folders within your organization. Just as users can navigate to a home page within their Web browser and click hyperlinks that take them to different websites on the Internet, they can access a DFS namespace within File Explorer and double-click targets that connect them to different shared folders on the network. You can have multiple DFS namespaces within an organization that each provide a unique list of targets. By default, you can create up to 5000 targets within a single DFS namespace. You can add targets to the DFS namespace that represent the shared folders within your organization.

File Groups

stores file groups that identify file categories by filename extension. The default file groups stored within this folder include Audio and Video Files, Backup Files, Compressed Files, E-mail Files, Executable Files, Image Files, Office Files, System Files, Temporary Files, Text Files, and Web Page Files

File Screen Templates

stores templates that contain file screen settings that can be used to simplify the creation of new file screens. There exist several default file screen templates within this folder.

Stand-alone namespace option

stores the namespace configuration on the local file server and is the only option available if the file server is not a domain controller.

Config folder quotas

when a percentage of the limit has been reached, folder quotas can be configured to email a user, log an event to the Windows Server 2019 System log, run a command, or generate a report

Encrypt Attribute

you can use an encryption algorithm to protect the data before it is stored on the filesystem

Folder Permissions

• A newly created file inherits the permissions configured on its folder.
• A file that is copied from one folder to another on the same volume inherits the permissions configured on the folder to which it is copied.
• A file or folder that is moved from one folder to another on the same volume retains its original permissions. For example, if a file assigns Read permission to the Accounting group, and it is moved to a folder that assigns Modify to the Accounting group, that file will continue to assign Read permissions to the Accounting group.
• A file or folder that is moved or copied to a folder on a different volume inherits the permissions of the folder to which it is moved or copied.
• When a file or folder is moved or copied from an NTFS or ReFS volume to a folder on a FAT32 or exFAT volume, all permissions are removed because FAT32 and exFAT do not support NTFS/ReFS permissions.
• A file or folder that is moved or copied from a FAT32 or exFAT volume to a folder on an NTFS or ReFS volume inherits the permissions of the folder to which it is moved or copied.

