Skill 2.1: Configure disks and volumes


MBR shortcomings

Selecting the MBR option creates a boot sector at the beginning of the disk that points to the locations of the partitions and provides a boot loader for the operating system. Because this vital information is stored in only one place on the disk, if that boot sector is corrupted or overwritten, the disk is not recognized by the operating system. The MBR disk partitioning style supports volumes up to 2 TB in size, and up to four primary partitions. The size limitation comes from the 32-bit starting-sector and sector-count fields in each partition entry of the MBR boot sector: 2^32 sectors of 512 bytes each is 2 TB. At the time the MBR style was designed, the idea of a 2 TB hard drive was pure fantasy, but today such drives are commonplace, making this limitation a major shortcoming. The four-partition limit is also a disadvantage for some. Beginning with PC DOS 3.3 in 1987, if you wanted more than four partitions on an MBR drive, you had to create three primary partitions and make the fourth an extended partition. You could then create multiple logical drives on the extended partition, as shown by Vol4, Vol5, and Vol6 in the figure.

Combining NTFS and Share Permissions

Share permissions provide limited protection, but this might be sufficient on some small networks. Share permissions might also be the only alternative on a computer with FAT32 drives, because the FAT file system does not have its own permissions. However, on networks already possessing a well-planned system of NTFS permissions, share permissions are not necessary. In a case like this, you can safely grant the Full Control share permission to Everyone, and allow the NTFS permissions to provide security. Adding share permissions to the mix would only complicate the administration process, without providing any additional protection.

Configure NFS and SMB shares using workstation

Sharing server folders enables network users to access them. After you initialize, partition, and format your disks on a file server, you must create shares for users to be able to access those disks over the network. Before you begin to create shares, you should devise a sharing strategy that consists of answers to questions like the following: - Which disk folders are you sharing? - What names are you assigning to the shares? - What share permissions are you granting to your users? - What Offline Files settings are you using for the shares? If you are the designated Creator Owner of a folder, you can share it in Windows Server 2016 by right-clicking the folder in any File Explorer window, selecting Share With, and then Specific People from the context menu, and following the instructions in the File Sharing dialog box. This method of creating shares provides a simplified interface that contains only limited control over elements such as share permissions. You can specify only that the share users receive Read or Read/Write permissions to the share. If you are not the Creator Owner of the folder, you can access the Sharing tab of the folder's Properties sheet instead. Clicking the Share button on this tab launches the same File Sharing dialog box, but clicking the Advanced Sharing button and selecting the Share This Folder check box displays the dialog box

Hyper-V Allocation Unit Sizes

In Hyper-V, VHD files use 512-byte internal disk input/output (I/O) operations, and VHDX files use 4,096 byte internal I/O operations. Therefore, the default 4,096 NTFS allocation unit size aligns well with the characteristics of the VHDX virtual disk file. However, if you use a 64 KB allocation unit size on a VHDX, the system must read each 64 KB allocation unit, cache it, modify 4,096 bytes of it, and then write the whole thing back to the VHDX file, which negatively affects performance.

Mounting a VHD or VHDX with Disk Management

1. Log on to Windows Server 2016, using an account with Administrator privileges. The Server Manager window appears. 2. Click Tools, and Computer Management. 3. In the Computer Management console, click Disk Management. The Disk Management snap-in appears. 4. From the Action menu, click Attach VHD. The Attach Virtual Hard Disk dialog box appears. 5. In the Location text box, type or browse to the location and filename of the VHD or VHDX file to be mounted and click OK. The mounted disk appears in the Disk Management console. When you are finished using the disk, you can select it and choose Detach VHD from the Action menu. Any changes you have made to the disk or its contents are saved back to the original VHD or VHDX file.

Managing sessions via PowerShell: Finding/Closing Open File Session

In addition to listing sessions, you can use the Get-SmbOpenFile cmdlet to display the files that clients are currently accessing. Each open file has a FileId, which you can pass to the Close-SmbOpenFile cmdlet to force it closed, as in the following example:

close-smbopenfile -fileid 154618822961

Access Control List (ACL)

collection of individual permission assignments called access control entries (ACEs). Each ACE consists of a security principal (the name of the user, group, or computer granted the permissions) and the specific permissions assigned to that security principal. When you manage permissions in any of the Windows Server 2016 permission systems, you are creating and modifying the ACEs in an ACL.

ReFS (Resilient File System)

is a file system introduced in Windows Server 2012 that offers practically unlimited file and volume sizes and an increased resiliency that eliminates the need for error-checking tools, such as Chkdsk.exe. The maximum ReFS volume size is 2^80 bytes, or 1 yobibyte. The maximum file size is 16 exabytes (16 million terabytes), which is far larger than any storage technology available today can provide. But then again, who expected to be talking about terabyte drives a few years ago? ReFS uses checksums to protect the metadata on a volume and, optionally, the data itself. Periodic checks occur in the background, while the volume is in use. When corruption is detected, the system repairs it immediately, without the need to take the drive offline. The error detection and repair capabilities of ReFS make it particularly useful in Storage Spaces pools. In a storage pool that uses a mirror or parity space, a corrupted file detected on a ReFS volume can be repaired automatically using the duplicate mirror or parity data. On Hyper-V virtual disks, ReFS implements checkpointing and backups as file system metadata operations, increasing their speed and efficiency.

Setting up SMB version 3 Encryption for entire server or specific share on the server

To require SMB 3 encryption for every share on the server, use Set-SmbServerConfiguration; to require it for a single share, use Set-SmbShare with the share name:

set-smbserverconfiguration -encryptdata $true
set-smbshare -name data -encryptdata $true

When encryption is enabled, the default behavior of the server is to reject a connection from any client that does not support SMB version 3 encryption. You can override this behavior using the following command, at the cost of letting those clients fall back to unencrypted access:

set-smbserverconfiguration -rejectunencryptedaccess $false

Security identifiers (SIDs)

is a unique identifier that is used to manage any object to which permissions can be assigned.

Allocation unit

is the smallest amount of disk space that the computer can allocate when storing a file. For example, storing a 10-kilobyte file on a disk with an allocation unit size of 4 kilobytes requires three allocation units, or 12 kilobytes. An allocation unit cannot be split among files, so 2 kilobytes of storage space is wasted in what is called slack space. An allocation unit is also commonly known as a block or a cluster. You select this setting when you format a volume. Selecting an allocation unit size for a workload is a tradeoff between slack space and drive efficiency. You typically select an allocation unit size based on the average size of the files that you intend to store on the volume. If you select a larger allocation unit size, each small file that you store on the volume wastes a larger amount of space.

Assigning basic NTFS permissions

1. Log on to Windows Server 2016, using an account with domain administrative privileges. The Server Manager window appears. 2. Click the File and Storage Services icon and, in the submenu that appears, click Shares. The Shares page appears. 3. In the Shares tile, right-click a share and, from the context menu, select Properties. The Properties sheet for the share appears. 4. Click Permissions. The Permissions page appears. 5. Click Customize Permissions. The Advanced Security Settings dialog box for the shared folder appears, displaying the Permissions tab. This dialog box is as close as the Windows graphical interface can come to displaying the contents of an ACL. Each line in the Permission Entries list is essentially an ACE and includes the following information: - Type: Specifies whether the entry allows or denies the permission. - Principal: Specifies the name of the user, group, or device receiving the permission. - Access: Specifies the name of the permission assigned to the security principal. If the entry is used to assign multiple advanced permissions, the word Special appears in this field. - Inherited From: Specifies whether the permission is inherited and, if so, from where it is inherited. - Applies: To Specifies whether the permission is to be inherited by subordinate objects and, if so, by which ones. 6. Click Add. A Permission Entry dialog box for the share appears. 7. Click the Select A Principal link to display the Select User, Computer, Service Account, or Group dialog box. 8. Type the name of or search for the security principal to which you want to assign share permissions and click OK. The Permission Entry dialog box displays the security principal you specified 9. From the Type drop-down list, select the type of permissions you want to assign (Allow or Deny). 10. From the Applies To drop-down list, specify which subfolders and files should inherit the permissions you are assigning. 11. 
Select the check boxes for the basic permissions you want to assign and click OK. The Advanced Security Settings dialog box displays the new access control entry you just created. 12. Click OK to close the Advanced Security Settings dialog box. 13. Click OK to close the Properties sheet.

Configure GUID partition table (GPT) disks

1. When you add a new hard disk to a computer running Windows Server 2016, your first step after installing the hardware is to initialize the disk. When you launch the Disk Management snap-in, the tool detects the new disk and presents the Initialize Disk dialog box 2. This dialog box provides the following options: - Master Boot Record (MBR): The MBR partition style has been around since PC DOS 2.0, before Windows, and provides the most compatibility. It is still a common partition style for x86-based and x64-based computers. - GUID Partition Table (GPT): GPT has existed since the late 1990s, but no x86 versions of Windows prior to Windows Server 2008 and Windows Vista support it. Today, most operating systems support GPT, including Windows Server 2016.

Quotas

Administrators can impose a quota governing the amount of storage space allowed to a specific user and specify the thresholds at which the user should receive a warning and be denied access.

Enable Access-Based Enumeration

Applies filters to shared folders based on the individual user's permissions to the files and subfolders in the share. Users who cannot access a shared resource cannot see that resource on the network. This feature prevents users from searching through files and folders they cannot access.

Understanding resource ownership

As you study the NTFS permission system, you might realize that it seems possible to lock out a file or folder—that is, assign a combination of permissions that permits access to no one at all, leaving the file or folder inaccessible. In fact, this is true. A user with administrative privileges can revoke his or her own permissions, as well as everyone else's, preventing them from accessing a resource. However, the NTFS permissions system includes a "back door" that prevents these orphaned files and folders from remaining permanently inaccessible. Every file and folder on an NTFS drive has an owner, and the owner can always modify the permissions for the file or folder, even if the owner has no permissions him or herself. By default, the owner of a file or folder is the user account that created it. However, any account possessing the Take Ownership advanced permission (or the Full Control basic permission) can take ownership of the file or folder. The Administrator user can take ownership of any file or folder, even those from which the previous owner has revoked all Administrator permissions. After the Administrator user takes ownership of a file or folder, he or she cannot assign ownership back to the previous owner. This prevents the Administrator account from accessing other users' files undetected. The other purpose for file and folder ownership is to calculate disk quotas. When you set quotas specifying the maximum amount of disk space particular users can consume, Windows calculates a user's current disk consumption by adding the sizes of all the files and folders that the user owns. To change the ownership of a file or folder, open the Advanced Security Settings dialog box for it and click the Change link next to the Owner setting at the top of the dialog box.

Disadvantage for FAT File Systems

Because the FAT (File Allocation Table) file systems lack the security that NTFS provides, any user who gains access to your computer can read any file without restriction. FAT file systems also have disk size limitations. FAT32 cannot handle a partition greater than 32 GB, or a file greater than 4 GB. FAT cannot handle a hard disk greater than 4 GB, or a file greater than 2 GB. Because of these limitations, the only viable reason for using FAT16 or FAT32

Encrypt Data Access

Causes the server to encrypt the files in the share before transmitting them to the remote client.

Parameters you can configure for SMB via PowerShell

- ConcurrentUserLimit #: Specifies the maximum number of users that can connect to the share simultaneously. A value of 0 allows unlimited users.
- CachingMode value: Specifies the type of offline file caching permitted to share clients, using the following values:
  - None: Disables offline file caching at the client
  - Manual: Enables users to select files for offline caching
  - Programs: Automatically caches programs and documents offline
  - Documents: Automatically caches documents offline
  - BranchCache: Enables BranchCache caching on the remote client
- EncryptData True|False: Causes the server to encrypt the files in the share before transmitting them to the remote client
- FolderEnumerationMode AccessBased|Unrestricted: Implements or disables access-based enumeration. The default setting is Unrestricted.
- Temporary: Causes the share to persist only until the next computer restart

Enable BranchCache On The File Share

Enables client computers at remote locations running BranchCache to cache files accessed from this share, so that other computers at the remote location can access them.

Allow Caching Of Share

Enables client systems to maintain local copies of files they access from server shares. When a client selects the Always Available Offline option for a server-based file, folder, or share, the client system copies the selected data to the local drive and updates it regularly, so that the client user can always access it, even if the server is offline.

Example of Allocation Unit

For example, storing the 10 KB file mentioned earlier on a volume with a 4 KB allocation unit size wastes 2 KB. If the volume has a 64 KB allocation unit size, only one allocation unit is needed, but 54 KB of storage space would be wasted. Multiply that by thousands of files and you end up wasting a substantial part of the volume. On the other hand, if you are storing a 1-megabyte file on a volume with a 4 KB allocation unit size, 250 allocation units are required. If the volume uses a 64 KB allocation unit size, the file only requires 16 allocation units. To access the file, the drive must seek and read each allocation unit individually. Seeking and reading 250 allocation units is inherently less efficient than seeking and reading 16 allocation units, so the drive performs better with the larger allocation unit. Hard disks have grown so large that the difference between allocation unit sizes does not matter all that much. For a typical volume, the average amount of slack space per file is half of the allocation unit size. For example, on a volume with a 4 KB allocation unit size, the slack space averages 2 KB per file. On a volume with a 64 KB allocation unit size, the slack space averages 32 KB per file. If you store 10,000 files on each volume, the wasted space is 20 MB on the 4 KB volume, and 312 MB on the 64 KB volume. On a disk that is 2 TB or larger, the loss of 300 MB is not such a big deal, especially when you achieve better efficiency in the bargain. This does not mean, however, that by formatting all of your drives to use the maximum 64 KB allocation unit size, you realize a dramatic improvement in drive performance. The default allocation unit size for an NTFS volume under 16 TB is 4,096 bytes, or 4 KB, and this is usually appropriate for a system drive. However, if you have volumes on which you store mostly large files, such as databases or videos, raising the allocation unit size can enhance performance.
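The slack-space arithmetic above generalizes to any directory tree. The following PowerShell function is an added example, not part of the original text: it walks a folder, computes how many allocation units each file would occupy at each candidate cluster size, and reports the total and average slack. The path and cluster sizes are placeholders; the tree measured is whatever is on the disk when you run it.

```powershell
# Added example: estimate slack space for a directory tree at several
# allocation unit sizes. Path and cluster sizes are placeholders.
function Get-SlackSpace {
    param(
        [Parameter(Mandatory)][string]$Path,
        [long[]]$ClusterSizes = @(4KB, 64KB)
    )
    $files = Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue
    foreach ($cluster in $ClusterSizes) {
        $allocated = 0L
        $slack     = 0L
        foreach ($f in $files) {
            # Units needed = ceiling(size / cluster); a zero-length file needs none.
            $units = [math]::Ceiling($f.Length / $cluster)
            $alloc = [long]$units * $cluster
            $allocated += $alloc
            $slack     += $alloc - $f.Length
        }
        [pscustomobject]@{
            ClusterSizeKB = $cluster / 1KB
            Files         = $files.Count
            LogicalMB     = [math]::Round(($allocated - $slack) / 1MB, 1)
            AllocatedMB   = [math]::Round($allocated / 1MB, 1)
            SlackMB       = [math]::Round($slack / 1MB, 1)
            AvgSlackKB    = if ($files.Count) {
                                [math]::Round($slack / $files.Count / 1KB, 1)
                            } else { 0 }
        }
    }
}

# The allocation unit size the volume actually uses, for comparison.
(Get-Volume -DriveLetter C).AllocationUnitSize

# Compare 4 KB, 16 KB and 64 KB clusters over a real tree.
Get-SlackSpace -Path 'C:\Windows\System32' -ClusterSizes 4KB, 16KB, 64KB |
    Format-Table -AutoSize
```

The estimate is an upper bound: NTFS stores very small files resident in the MFT record rather than in clusters, and compressed or sparse files allocate fewer units than their logical size suggests, so the real on-disk figure is somewhat lower than what the function reports.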

Configure SMB protocol

For example, you can specify what versions of the SMB protocol the server should use by running commands like the following:

set-smbserverconfiguration -enablesmb1protocol $false
set-smbserverconfiguration -enablesmb2protocol $false

Windows Server 2016 uses SMB version 3, but the previous versions are available to support down-level clients. Note that there is no separate parameter for enabling SMB version 3 by itself, because version 3 cannot run without version 2. SMB versions 2 and 3 provide many features that can enhance the performance of the protocol, including data encryption and multichannel link aggregation. Disabling SMB version 1 with the first command ensures that your clients are using the latest SMB versions and are taking advantage of the new features. SMB version 1 is not needed unless you have clients running Windows XP or earlier.
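The protocol-version settings here and the encryption settings described under "Setting up SMB version 3 Encryption" are normally applied together. The following script is an added example, not code from the original text: it records the current server configuration, disables SMB 1 (and removes the FS-SMB1 feature so the driver is not loaded), requires SMB 3 encryption while keeping the default rejection of clients that cannot encrypt, and lists the shares that do not carry their own EncryptData flag. The share name Data is a placeholder.

```powershell
# Added example: audit and harden the SMB server on Windows Server 2016.
# Run from an elevated PowerShell session; 'Data' is a placeholder share name.
#Requires -RunAsAdministrator

$before = Get-SmbServerConfiguration
$before | Select-Object EnableSMB1Protocol, EnableSMB2Protocol,
                        EncryptData, RejectUnencryptedAccess,
                        RequireSecuritySignature | Format-List

# 1. SMB 1 is only required by Windows XP / Server 2003 era clients.
#    Turn it off in the server configuration and remove the feature.
if ($before.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
if ((Get-WindowsFeature -Name FS-SMB1).Installed) {
    Uninstall-WindowsFeature -Name FS-SMB1 -Restart:$false | Out-Null
}

# 2. Require SMB 3 encryption server-wide. RejectUnencryptedAccess $true is
#    the default; setting it to $false would let non-SMB3 clients fall back
#    to cleartext, which defeats the purpose of step 2.
Set-SmbServerConfiguration -EncryptData $true -RejectUnencryptedAccess $true -Force

# 3. The per-share alternative: Set-SmbShare (not Set-SmbServerConfiguration)
#    takes the share name.
Set-SmbShare -Name 'Data' -EncryptData $true -Force

# 4. Verify. With server-wide EncryptData all traffic is encrypted; if you
#    chose the per-share route instead, these are the shares still in cleartext.
Get-SmbServerConfiguration |
    Select-Object EnableSMB1Protocol, EncryptData, RejectUnencryptedAccess
Get-SmbShare | Where-Object { -not $_.Special -and -not $_.EncryptData } |
    Select-Object Name, Path, EncryptData
```

Because Uninstall-WindowsFeature with -Restart:$false defers the reboot, the FS-SMB1 binaries stay on disk until the server restarts; the Set-SmbServerConfiguration change, however, takes effect immediately.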

Configure NFS and SMB shares using Server Manager

However, to take control of the shares on all of your disks and all of your servers so that you can exercise full control over their properties, use the File And Storage Services page in Server Manager. Windows Server 2016 supports two types of folder shares: Server Message Block (SMB): An application layer protocol that has long been the standard for file and printer sharing on Windows networks. Network File System (NFS): A standardized file system protocol typically used by UNIX and Linux distributions. When you install Windows Server 2016, the setup program installs the Storage Services role service in the File and Storage Services role by default. To create SMB shared folders in Server Manager, however, you must first install the File Server role service. When you create your first folder share using File Explorer, the system automatically installs the File Server role service. To create NFS shares, you must install the Server for NFS role service. To install either of these role services, you can use the Add Roles And Features Wizard in Server Manager, or the Install-WindowsFeature cmdlet in Windows PowerShell, as in the following commands:

install-windowsfeature -name fs-fileserver
install-windowsfeature -name fs-nfs-service

Configuring SMB client configuration settings

Just as you can configure SMB server configuration settings using Windows PowerShell, you can configure SMB client configuration settings as well. Running the Get-SmbClientConfiguration cmdlet displays a list of the available settings.

Volume Shadow Copy

NTFS can maintain a history of file versions by copying them to an alternate location as they are written to the disk. Users can then access previous versions as needed, and backup applications can use them to protect files that are currently in use.

Encrypting File System (EFS)

NTFS can provide on-the-fly encryption of selected files and folders. Each file is encrypted with a file encryption key, which EFS in turn protects with the public key belonging to a specific user. The file system then decrypts the files on demand with that user's private key. EFS and NTFS compression are mutually exclusive; files can be compressed or encrypted, but not both.

File compression

NTFS supports transparent, on-the-fly compression, but only for volumes using the 4 KB allocation unit size. The rate of compression is based on the type of file, with those containing repetitive bit patterns compressing more than those that don't. Volume size, number of files, and write frequency can all affect the efficiency of the compression system, which can be significantly processor-intensive.

Windows Shared Permission and NTFS permissions.

On Windows systems, shared folders have their own permission system, which is completely independent from the NTFS and other permission systems. For network users to access a share on a file server, an administrator must grant them the appropriate share permissions. By default, the Everyone special identity receives the Allow Read share permission to any new shares you create using File Explorer. In shares you create using Server Manager, the Everyone special identity receives the Allow Full Control share permission. It is important to understand that network users can possess the share permissions required to access a folder, but still be denied access to it because they lack the necessary NTFS permissions. The opposite is also true; users with the correct NTFS permissions cannot access a share over the network if they lack the required share permissions. You should also understand that share permissions only control access to a share over the network, while NTFS permissions control access both over the network and on the local machine.

Managing sessions via PowerShell: Finding/Closing User Session

Once you have created a share, by any means, you can monitor and manage its use using PowerShell cmdlets. For example, running the Get-SmbSession cmdlet displays all the current client sessions that are connected to the server's shares. With the information in this listing, you can terminate a specific session using the Close-SmbSession cmdlet, as in the following example, which uses the Session ID to specify the session to close.

close-smbsession -sessionid 154618822713

By default, the cmdlet displays a warning, prompting you to confirm that you want to terminate the session. Adding the Force parameter to the command line eliminates the prompt. There is no warning displayed on the client computer, and closing the session can cause any work in progress by the client to be lost. You can also close sessions based on the other information in the Get-SmbSession output, as shown in the following examples.

close-smbsession -clientcomputername 10.0.0.11
close-smbsession -clientusername adatum\Administrator
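The session and open-file cmdlets from this card and from "Finding/Closing Open File Session" are usually chained: find the sessions of one client, see which files it holds open (and therefore what will be lost), then close the files and the sessions. The following script is an added example, not from the original text; the client address 10.0.0.11 is a placeholder.

```powershell
# Added example: enumerate and close everything one SMB client has open.
# '10.0.0.11' is a placeholder; match on ClientUserName instead if you prefer.
$client = '10.0.0.11'

$sessions = Get-SmbSession | Where-Object { $_.ClientComputerName -eq $client }
if (-not $sessions) {
    Write-Output "No SMB sessions from $client"
    return
}

# What the client is doing right now: dialect tells you whether it is on
# SMB 3 (and so eligible for encryption), NumOpens how many handles it holds.
$sessions | Select-Object SessionId, ClientUserName, Dialect, NumOpens, SecondsIdle |
    Format-Table -AutoSize

# Open files belong to sessions; list them before closing so the impact
# (which files, which share) is on record.
$open = foreach ($s in $sessions) { Get-SmbOpenFile -SessionId $s.SessionId }
$open | Select-Object FileId, SessionId, ClientUserName, ShareRelativePath, Path |
    Format-Table -AutoSize

# Close files first, then sessions. -Force suppresses the confirmation prompt;
# the client receives no warning and unsaved changes in those files are lost.
if ($open) { $open | Close-SmbOpenFile -Force }
$sessions | Close-SmbSession -Force

# Confirm nothing remains for that client.
Get-SmbSession | Where-Object { $_.ClientComputerName -eq $client }
```

Close-SmbOpenFile and Close-SmbSession both accept their objects from the pipeline, so the same pattern works for a single user across many clients by filtering on ClientUserName rather than ClientComputerName.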

Advantages of VHD/VHDX

One of the advantages of VHD and VHDX files is that you can easily move them to any system. In addition, you can mount a VHD or VHDX file on a physical or virtual machine and access it through the file system, using a standard drive letter. Mounting an image file provides you with full read/write capabilities, enabling you to access single files or entire folders as needed.

NFS Share-Advanced

Provides NFS sharing with full share and NTFS permissions, plus access to additional services, such as access-denied assistance, folder classification, and quotas. To select this option, the computer must have the File Server Resource Manager role service installed.

NFS Share-Quick

Provides basic NFS sharing with authentication and permissions.

Disadvantages of ReFS

ReFS uses the same system of permissions as NTFS, and is completely compatible with existing ACLs. However, ReFS does not include support for NTFS features such as file compression, Encrypting File System (EFS), and disk quotas. ReFS disks also cannot be read by any operating systems older than Windows Server 2012 and Windows 8.

GPT advantages

The GUID partition table style is so named because each of the partitions on the disk has a globally unique identifier (GUID). GPT is part of the Unified Extensible Firmware Interface (UEFI) specification. GPT varies from MBR in that the partitioning information is stored in multiple places on the disk (a primary header and partition table at the start, and a backup copy at the end), along with cyclical redundancy check (CRC) information that makes it possible to detect corruption in the partition table and recover the data from the other location. This makes the GPT partitioning style more robust than MBR. Most importantly, GPT disks are not limited to 2 TB, as are MBR disks. The GPT disk partitioning style supports volumes up to 18 exabytes (1 exabyte = 1 billion gigabytes, or 2^60 bytes). GPT is also not subject to the four-partition limit of MBR. The GPT specification permits an unlimited number of partitions, but the Windows GPT implementation limits the number of partitions to 128 per disk. Therefore, it is possible to create a GPT disk with six partitions, as in the figure.

Configuring SMB server configuration settings

The SmbShare PowerShell module in Windows Server 2012 introduced the Set-SmbServerConfiguration cmdlet, which enables administrators to configure many underlying settings for the SMB server implementation. To display all the current server configuration settings, run the Get-SmbServerConfiguration cmdlet.

Booting from GPT disks

The main compatibility issue with the partition styles is the ability to boot from a GPT disk. Windows can only boot from a GPT disk if the computer has UEFI firmware and if it is running a 64-bit version of Windows. Servers must be running at least Windows Server 2008, and workstations must be running at least Windows Vista. Nearly all of the servers on the market today have UEFI firmware, and Windows Server 2016 is available only in a 64-bit version. If you are running older hardware, you must confirm that the computer is UEFI-compatible before you can boot from a GPT disk. If you cannot boot from a GPT disk, you can still use MBR for your partition style on the boot disk and GPT for the other hard disks in the computer. GPT is essential if your other disks are larger than 2 TB in size. In Windows Server 2016 Hyper-V, Generation 1 virtual machines emulate the BIOS boot firmware and must boot from a virtual MBR disk. You can create additional virtual GPT disks, just as in a physical computer. When you create a Generation 2 VM, however, the firmware is UEFI and the boot disk uses the GPT partition style. You can create additional virtual disks using either the GPT or MBR partition style, although there is no compelling reason to use MBR.

Inheriting permissions

The most important principle in permission management is that permissions tend to run downward through a hierarchy. This is called permission inheritance. Permission inheritance means that parent elements pass their permissions down to their subordinate elements. For example, when you grant Alice Allow permissions to the root of the D drive, all the folders and subfolders on the D drive inherit those permissions, and Alice can access them. The principle of inheritance simplifies the permission assignment process enormously. Without it, you would have to grant security principals individual Allow permissions for every file, folder, share, object, and key they need to access. With inheritance, you can grant access to an entire file system by creating one set of Allow permissions. In most cases, whether consciously or not, system administrators take inheritance into account when they design their file systems. The location of a system element in a hierarchy is often based on how the administrators plan to assign permissions. In some situations, you might want to prevent subordinate elements from inheriting permissions from their parents. You can do this in two ways: - Turn off inheritance: When you assign advanced permissions, you can configure an ACE not to pass permissions down to its subordinate elements. While not recommended by Microsoft best practices, this effectively blocks the inheritance process. - Deny permissions: Assigning a Deny permission to a system element overrides any Allow permissions that the element might have inherited from its parent objects.
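The dialog-box procedure under "Assigning basic NTFS permissions" and the inheritance rules above map directly onto the Get-Acl and Set-Acl cmdlets. The following script is an added example, not from the original text: it adds an inheritable Allow ACE and a non-inheriting Deny ACE to a folder, turns off inheritance on a subfolder while keeping copies of the inherited entries, and prints the result in the same columns the Advanced Security Settings dialog box shows. The folder path and the group ADATUM\Engineers are placeholders.

```powershell
# Added example: manage NTFS ACEs and inheritance from PowerShell.
# Path and group names are placeholders.
$path  = 'D:\Projects'
$group = 'ADATUM\Engineers'

$acl = Get-Acl -Path $path

# Allow Modify on "This folder, subfolders and files":
# ContainerInherit + ObjectInherit with no propagation flags.
$allow = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $group, 'Modify',
    'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($allow)

# Deny Delete on "This folder only" for Everyone: a Deny ACE overrides any
# Allow the folder inherits from its parent, including Full Control.
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'Everyone', 'Delete', 'None', 'None', 'Deny')
$acl.AddAccessRule($deny)

Set-Acl -Path $path -AclObject $acl

# Stop a subfolder inheriting from $path. SetAccessRuleProtection($true, $true)
# converts the inherited ACEs into explicit ones (the dialog's "Convert");
# ($true, $false) would drop them, leaving only the owner's back door.
$sub    = Join-Path $path 'Archive'
$subAcl = Get-Acl -Path $sub
$subAcl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $sub -AclObject $subAcl

# Show the entries as the Advanced Security Settings dialog box would:
# Type, Principal, Access, Inherited From (here: inherited yes/no), Applies To.
(Get-Acl -Path $sub).Access |
    Select-Object @{ n = 'Type';       e = { $_.AccessControlType } },
                  @{ n = 'Principal';  e = { $_.IdentityReference } },
                  @{ n = 'Access';     e = { $_.FileSystemRights } },
                  @{ n = 'Inherited';  e = { $_.IsInherited } },
                  @{ n = 'Applies To'; e = { "$($_.InheritanceFlags) / $($_.PropagationFlags)" } } |
    Format-Table -AutoSize
```

After the protection step, every entry on Archive reports Inherited as False even though it was copied from the parent; later permission changes on D:\Projects no longer flow down to it, which is exactly the behavior the text warns is not a recommended practice.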

Determine when to use NTFS and ReFS File Systems

The primary advantage of NTFS over the FAT file systems it replaces is the ability to authorize user access to files and folders using permissions stored in discretionary access control lists (DACLs). NTFS also supports long file names and larger files and volumes than FAT. The maximum size for an NTFS volume using the default 4KB allocation unit size is 16 TB; with the maximum 64 KB allocation units, the maximum volume size is 256 TB. In addition to these capabilities, NTFS also includes the following additional features: File compression Encrypting File System (EFS) Quotas Volume Shadow Copy Resizing

List all the SMB Configurations cmdlet

There are dozens of other parameters you can use with the Set-SmbServerConfiguration cmdlet. To display them and their functions, run the following command: get-help set-smbserverconfiguration -detailed

Mounting a VHD or VHDX with Windows PowerShell

There are two PowerShell cmdlets you can use to mount an existing VHD or VHDX file. Their syntaxes are similar, but not identical. The Mount-DiskImage cmdlet is part of the Storage module, and is found on all computers running Windows Server 2016. The Mount-VHD cmdlet is part of the Hyper-V module, and is only available on systems that have the Hyper-V management tools installed. To mount a VHD or VHDX file with the Mount-DiskImage cmdlet, use the following syntax:

mount-diskimage -imagepath filename

To dismount a mounted image, you can use the Dismount-DiskImage cmdlet with the same imagepath parameter. To mount a VHD or VHDX file with the Mount-VHD cmdlet, use the following syntax:

mount-vhd -path filename

To dismount a mounted image, you can use the Dismount-VHD cmdlet with the same path parameter. Examples of the command lines for the two cmdlets are as follows:

mount-diskimage -imagepath c:\temp\diskimage.vhdx
mount-vhd -path c:\temp\diskimage.vhdx

Parameters to configure for VHD

The New-VHD command shown under "Create VHD and VHDX files using PowerShell" creates a 10 gigabyte VHDX disk called Disk1 in the c:\data folder. To configure other VHD features, you can use any of the following parameters:
- Path: Specifies the location where the VHD is to be created and its filename. The filename extension you use specifies whether to create a VHD or a VHDX file.
- SizeBytes: Specifies the size of the VHD to be created, or in the case of a dynamic disk, the maximum size. You can specify sizes using the following abbreviations: MB, GB, TB.
- Fixed: Allocates all of the storage space specified in the SizeBytes parameter immediately on creating the VHD.
- Dynamic: Creates a small-sized VHD and enables it to expand as needed to the maximum size specified in the SizeBytes parameter.
- Differencing: Creates a differencing disk for the parent specified in the ParentPath parameter.
- ParentPath: Specifies the location and filename of the parent disk for which a differencing disk is to be created.
- SourceDisk: Specifies the location and filename of a physical disk to be copied to the new VHD upon creation.

To create a VHD and prepare it for use with one command, you can combine New-VHD with other cmdlets using the pipe character, as in the following example:

new-vhd -path c:\data\disk1.vhdx -sizebytes 256gb -dynamic | mount-vhd -passthru | initialize-disk -passthru | new-partition -driveletter x -usemaximumsize | format-volume -filesystem ntfs -filesystemlabel data1 -confirm:$false -force

Creating VHD or VHDX files using Disk Management

To create a VHD in Disk Management, use the following procedure. 1. Log on to Windows Server 2016, using an account with Administrator privileges. The Server Manager window appears. 2. Click Tools, and Computer Management. 3. In the Computer Management console, click Disk Management. The Disk Management snap-in appears. 4. From the Action menu, select Create VHD. The Create And Attach Virtual Hard Disk dialog box appears. 5. In the Location text box, specify the path and name for the file you want to create. 6. In the Virtual Hard Disk Size text box, specify the maximum size of the disk you want to create. 7. In the Virtual Hard Disk Format box, select the VHD or VHDX option. 8. Select one of the following Virtual Hard Disk Type options: Fixed Size: Allocates all disk space for the entire size of the VHD or VHDX file at once. Dynamically Expanding: Allocates disk space to the VHD or VHDX file as you add data to the virtual hard disk. 9. Click OK. The system creates the VHD or VHDX file and attaches it, so that it appears as a new disk in the snap-in.

Create VHD and VHDX files using PowerShell

To create a VHD or VHDX in Windows PowerShell, you use the New-VHD cmdlet, which is included in the Hyper-V module. This module is installed as part of the Hyper-V Management Tools feature. If you do not have Hyper-V installed on your system, you can add just the PowerShell tools with the following command:
install-windowsfeature -name hyper-v-powershell
This module includes cmdlets that enable you to list, create, mount, merge, and resize VHDs. To create a new VHD, you can use the New-VHD cmdlet as in the following example:
new-vhd -path c:\data\disk1.vhdx -sizebytes 10gb

Configure SMB share and session settings using Windows PowerShell

To create a new share, you use the New-SmbShare cmdlet with the following basic syntax:
new-smbshare -name sharename -path pathname [-fullaccess groupname] [-readaccess groupname] [-changeaccess groupname] [-noaccess groupname]
For example, to create a new share called Data from the C:\Docs folder with the Allow Full Control permission granted to the Everyone special identity, use the following command:
new-smbshare -name data -path c:\docs -fullaccess everyone

Creating an NFS share

To create an NFS share using Server Manager, use the following procedure.
1. Log on to Windows Server 2016, using an account with Administrator privileges. The Server Manager window appears.
2. Click the File And Storage Services icon and, in the submenu that appears, click Shares. The Shares page appears.
3. From the Tasks menu in the Shares tile, select New Share. The New Share Wizard appears, displaying the Select The Profile For This Share page.
4. From the File Share Profile list, select one of the following options:
- NFS Share-Quick
- NFS Share-Advanced
5. Click Next. The Select The Server And Path For This Share page appears.
6. Select the server on which you want to create the share, and then either select a volume on the server or specify a path to the folder you want to share. Then click Next. The Specify Share Name page appears.
7. In the Share Name text box, specify the name you want to assign to the share and click Next. The Specify Authentication Methods page appears.
8. Select the check boxes for the authentication methods you want to use for share access, if any.
9. Click Next. The Specify The Share Permissions page appears.
10. Click Add. The Add Permissions dialog box appears.
11. Specify the name of a host to be granted permission to the share or select the All Machines option. In the Share Permissions drop-down list, specify whether the selected host(s) should receive Read/Write, No Access, or Read Only access.
12. Click Add. The host is added to the wizard page. Repeat steps 10 to 12 to add more hosts, if necessary.
13. Click Next. The Specify Permissions To Control Access page appears.
14. Modify the default NTFS permissions as needed and click Next. The Confirm Selections page appears.
15. Click Create. The View Results page appears as the wizard creates the share.
16. Click Close. The new share appears in the Shares tile of the Shares page in Server Manager.

Creating an SMB share

To create an SMB share using Server Manager, use the following procedure.
1. Log on to Windows Server 2016, using an account with Administrator privileges. The Server Manager window appears.
2. Click the File And Storage Services icon and, in the submenu that appears, click Shares. The Shares page appears.
3. From the Tasks menu in the Shares tile, select New Share. The New Share Wizard appears, displaying the Select The Profile For This Share page.
4. From the File Share Profile list, select one of the following options:
- SMB Share-Quick: Provides basic SMB sharing with full share and NTFS permissions.
- SMB Share-Advanced: Provides SMB sharing with full share and NTFS permissions, plus access to additional services, such as access-denied assistance, folder classification, and quotas. To select this option, the computer must have the File Server Resource Manager role service installed.
- SMB Share-Applications: Provides SMB sharing with settings suitable for Hyper-V, databases, and other applications.
5. Click Next. The Select The Server And Path For This Share page appears.
6. Select the server on which you want to create the share, and then either select a volume on the server or specify a path to the folder you want to share. Then click Next. The Specify Share Name page appears.
7. In the Share Name text box, specify the name you want to assign to the share and click Next. The Configure Share Settings page appears.
8. Select any, or all, of the following options:
- Enable Access-Based Enumeration
- Allow Caching Of Share
- Enable BranchCache On The File Share
- Encrypt Data Access
9. Click Next. The Specify Permissions To Control Access page appears.
10. Modify the default share and NTFS permissions as needed, and click Next. The Confirm Selections page appears.
11. Click Create. The View Results page appears as the wizard creates the share.
12. Click Close. The new share appears in the Shares tile of the Shares page in Server Manager.

Configure file and folder permissions

To manage permissions in Windows Server 2016, you use a tab in the protected element's Properties sheet, with the security principals listed at the top and the permissions associated with them at the bottom. Share permissions are typically found on a Share Permissions tab, and NTFS permissions are located on a Security tab. All Windows permission systems use the same basic interface, although the permissions themselves vary. Server Manager also provides access to NTFS and share permissions, using a slightly different interface.

Removing a share

To terminate a share completely, along with all its sessions, you can use the Remove-SmbShare cmdlet, specifying the name of the share on the command line, as in the following example:
remove-smbshare -name data

Selecting a partition style

Unless the computer's architecture provides support for an Extensible Firmware Interface (EFI)-based boot partition, it is not possible to boot from a GPT disk. If this is the case, the system drive must be an MBR disk, and you can use GPT only on separate non-bootable disks used for data storage. Before Windows Server 2008 and Windows Vista, all x86-based Windows computers could use only the MBR partition style. Computers based on the x64 platform could use either the MBR or GPT partition style, if the GPT disk was not the boot disk. Now that hard disk drives larger than 2 TB are readily available, the selection of a partition style is more critical than ever. When you initialize a physical disk using the traditional Disk Management snap-in, MBR is the default partition style, as it always has been. You can also use the snap-in to convert a disk between MBR and GPT partition styles, although you can do so only on disks that do not have partitions or volumes created on them. When you use Server Manager to initialize a disk in Windows Server 2016, it uses the GPT partition style, whether the disk is physical or virtual. Server Manager has no controls supporting MBR, although it does display the partition style in the Disks tile. Check Table 2-1 for a detailed comparison.

Resizing

Users can shrink or expand NTFS volumes (other than system volumes), if there is sufficient free space in the volume or unallocated space on the disk to support the requested action.

Understanding effective access: Allow permissions are cumulative

When a security principal receives Allow permissions from more than one source, the permissions are combined to form the effective access permissions. For example, if Alice receives the Allow Read and Allow List Folder Contents permissions for a folder by inheriting them from its parent folder, and receives the Allow Write and Allow Modify permissions to the same folder from a group membership, Alice's effective access for the folder is the combination of all four permissions.

Understanding effective access: Deny permissions override Allow permissions

When a security principal receives Allow permissions, whether explicitly, by inheritance, or from a group, you can override those permissions by granting the principal Deny permissions of the same type. For example, if Alice receives the Allow Read and Allow List Folder Contents permissions for a particular folder by inheritance, and receives the Allow Write and Allow Modify permissions to the same folder from a group membership, explicitly granting the Deny permissions to that folder prevents her from accessing it in any way.

Understanding effective access: Explicit permissions take precedence over inherited permissions

When a security principal receives permissions by inheriting them from a parent or from group memberships, you can override them by explicitly assigning contradicting permissions to the security principal itself. For example, if Alice inherits the Deny Full Access permission for a folder, explicitly assigning her user account the Allow Full Access permission to that folder overrides the denial.

How SID works

When a user attempts to access an NTFS file or folder, the system reads the user's security access token, which contains the SIDs for the user's account and all groups to which the user belongs. The system then compares these SIDs to those stored in the file or folder's ACEs, to determine what access the user should have. This process is called authorization.

Allowing and denying permissions

When you assign permissions to a system element, you are, in effect, creating a new ACE in the element's ACL. There are two types of ACE: Allow and Deny. This makes it possible to approach permission management tasks from two directions:
- Additive: Start with no permissions and then grant Allow permissions to individual security principals to provide them with the access they need.
- Subtractive: Start by granting all possible Allow permissions to individual security principals, providing them with full control over the system element, and then grant them Deny permissions for the access you do not want them to have.
Most administrators prefer the additive approach because Windows, by default, attempts to limit access to important system elements by withholding permissions. In a properly designed permission hierarchy, the use of Deny permissions is often not needed at all. Many administrators frown on their use, because combining Allow and Deny permissions in the same hierarchy can often make determining the effective permissions for a specific system element difficult.

Configuring share permissions

When you create an SMB share using Server Manager, you can use the Specify Permissions To Control Access page to configure both NTFS and share permissions for the shared folder. Clicking Customize Permissions opens the Advanced Security Settings dialog box for the shared folder. The Permissions tab that is selected by default displays the NTFS permissions. To configure the share permissions for the folder, select the Share tab. Clicking the Add button opens a Permission Entry dialog box for the folder, on which you select a principal—a user or group to receive the permissions—and the permissions you want the principal to receive. The Windows share permission system is relatively simple and has only three permissions:
- Full Control
- Change
- Read
When assigning share permissions, you must also be aware that they do not combine like NTFS permissions. If you grant a user named Alice the Allow Read and Allow Change permissions to the shared C:\Documents\Alice folder and later deny her all three permissions to the shared C:\Documents folder, the Deny permissions prevent her from accessing any files through the C:\Documents share, including those in the C:\Documents\Alice folder. However, she can still access her files through the C:\Documents\Alice share because of the Allow permissions. In other words, the C:\Documents\Alice share does not inherit the Deny permissions from the C:\Documents share.

Creating advanced shares

When you select the SMB Share-Advanced or NFS Share-Advanced profile, two additional pages appear in the New Share Wizard. The first is a Specify Folder Management Properties page on which you can select Folder Usage property values for the share. These values identify the type of data stored in the shared folder. You can use them to configure classification rules in the File Server Resource Manager (FSRM) that perform actions on files based on their classification properties. You can also specify the email addresses of the folder's owner or administrator, which are notified when a user is denied access to the share. The second added page is the Apply A Quota To A Folder Or Volume page, on which you can select a quota to be applied to the share from the list of predefined quota templates. For more granular control of quotas, you must use FSRM.

Assigning Permissions

While the security principals to which you can assign NTFS file and folder permissions can be users or groups, Microsoft recommends as a best practice that you not assign permissions to individual users, but to groups instead. This enables you to maintain your permission strategy by simply adding users to and removing them from groups.

VHD vs VHDX

Windows Server 2016 supports two types of virtual hard disk images, differentiated by their file name extensions, as follows:
- VHD: VHD images are limited to a maximum size of 2 TB and are compatible with servers running Windows Server 2008 or later, or workstations running Windows 7 or later.
- VHDX: VHDX image files can be as large as 64 TB, and they also support 4 KB logical sector sizes, to provide compatibility with new 4 KB native drives. VHDX files are not backward compatible and can be read only by servers running Windows Server 2012 or later, or workstations running Windows 8 or later.

Configure SMB server and SMB client configuration settings using Windows PowerShell: Setting share permissions

You can modify the share permissions for a specific share, using the following cmdlets:
- Get-SmbShareAccess: Displays the access control list for a named share.
- Grant-SmbShareAccess: Adds an Allow access control entry to the ACL for a named share, as in the following example:
grant-smbshareaccess -name data -accountname adatum\administrator -accessright full
- Revoke-SmbShareAccess: Removes all the Allow permissions for a specified security principal from a named share, as in the following example:
revoke-smbshareaccess -name data -accountname adatum\administrator
- Block-SmbShareAccess: Adds a Deny access control entry to the ACL for a named share, as in the following example:
block-smbshareaccess -name data -accountname adatum\administrator -accessright full
- Unblock-SmbShareAccess: Removes all of the Deny permissions for a specified security principal from a named share, as in the following example:
unblock-smbshareaccess -name data -accountname adatum\administrator
