Windows Server 2008 R2 Unleashed (215 page)

GPO to leave it in; instead, define it within the member policy setting of a

restricted group.

. When naming group policies, try to use naming conventions that will more easily

help identify the function of the policies for the organization.

. Assign or publish software to high-level Active Directory objects. Because Group

Policy settings apply by default to child containers, it is simpler to assign or publish

applications by linking a Group Policy Object to a parent organizational unit or

ptg

domain as long as each of the objects in the child containers requires the application.

. Assign or publish just once per Group Policy Object. When multiple packages are

included in a single policy, often only one package gets applied and they do not

necessarily get processed in order.

. When using folder redirection for user profile folders, allow the system to create the

folders and ensure that the share and root folder permissions are set up appropri-

ately to allow this.

. Configure policies with application control policies to be processed by machines

running Windows 7 Enterprise and Ultimate operating systems and/or Window

Server 2008 R2 systems.

. Use fully qualified (UNC) paths, such as \\server.companyabc.com\share or DFS

links such as \\companyabc.com\share.

. Have systems administrators use standard user accounts to do their day-to-day tasks

and use User Account Control to allow for prompting of elevation when administra-

tor privileges are required.

CHAPTER 28

IN THIS CHAPTER

File System Management
. Windows Server 2008 R2 File

System Overview/Technologies

and Fault Tolerance
. File System Access Services

and Technologies

. Windows Server 2008 R2 Disks

. Utilizing External Disk

Subsystems

Computer networks were created to share data. The most

. Managing Windows Server

primitive form of sharing data on computer networks, of

2008 R2 Disks

course, is accessing files and folders stored on networked

. System File Reliability

systems or central file servers, such as Windows Server 2008

R2 file servers.

. Adding the File Services Role

As data storage needs and computer services have evolved

. Managing Data Access Using

Windows Server 2008 R2

in the past 20 or so years, many different methods have

Shares

become available to present, access, secure, and manage

ptg

data. As an example, data can be accessed through a web

. Volume-Based NTFS Quota

browser; by accessing data stored on external storage media,

Management

such as USB drives, floppy disks, CDs, and DVDs; and by

. File Server Resource Manager

accessing data stored on any of the different types of media

(FSRM)

for the many different operating systems, network storage

devices, and file systems available.

. The Distributed File System

. Planning a DFS Deployment

This chapter covers the file system features and services

included with Windows Server 2008 R2. The goal of this

. Installing DFS

chapter is to introduce administrators to the Windows Server

. Managing and Troubleshooting

2008 R2 file services and give them the tools they require to

DFS

deploy fault-tolerant and reliable enterprise file services for

their organizations using Windows Server 2008 R2.

. Backing Up DFS

. Using the Volume Shadow

Copy Service

Windows Server 2008 R2 File

System Overview/Technologies

Windows Server 2008 R2 provides many services that can

be leveraged to deploy a highly reliable, manageable, and

fault-tolerant file system infrastructure. This section of the

chapter provides an overview of these services.

1098

CHAPTER 28

File System Management and Fault Tolerance

Windows Volume and Partition Formats

When a new disk is added to a Windows Server 2008 R2 system, it must be configured by

choosing what type of disk, type of volume, and volume format type will be used. To

introduce some of the file system services available in Windows Server 2008 R2, you must

understand a disk’s volume partition format types.

Windows Server 2008 R2 enables administrators to format Windows disk volumes by

choosing either the file allocation table (FAT) format, FAT32 format, or NT File System

(NTFS) format. FAT-formatted partitions are legacy-type partitions used by older operating

systems and floppy disk drives and are limited to 2GB in size. FAT32 is an enhanced

version of FAT that can accommodate partitions up to 2TB and is more resilient to disk

corruption. Data stored on FAT or FAT32 partitions is not secure and does not provide

many features. NTFS-formatted partitions have been available since Windows NT 3.51 and

provide administrators with the ability to secure files and folders, as well as the ability to

leverage many of the services provided with Windows Server 2008 R2.

NTFS-Formatted Partition Features

NTFS enables many features that can be leveraged to provide a highly reliable, scalable,

secure, and manageable file system. Base features of NTFS-formatted partitions include

ptg

support for large volumes, configuring permissions or restricting access to sets of data,

compressing or encrypting data, configuring per-user storage quotas on entire partitions

and/or specific folders, and file classification tagging, which is discussed later in this chapter.

Several Windows services require NTFS volumes; as a best practice, we recommend that

all partitions created on Windows Server 2008 R2 systems are formatted using NT File

System (NTFS).

File System Quotas

File system quotas enable administrators to configure storage thresholds on particular sets

of data stored on server NTFS volumes. This can be handy in preventing users from inad-

vertently filling up a server drive or taking up more space than is designated for them.

Also, quotas can be used in hosting scenarios where a single storage system is shared

between departments or organizations and storage space is allocated based on subscription

or company standards.

The Windows Server 2008 R2 file system quota service provides more functionality than

was included in versions older that Windows Server 2008. Introduced in Windows 2000

Server as an included service, quotas could be enabled and managed at the volume level

only. This did not provide granular control; furthermore, because it was at the volume

level, to deploy a functional quota-managed file system, administrators were required to

create several volumes with different quota settings. Windows Server 2003 also included

the volume-managed quota system, and some limitations or issues with this system

included the fact that data size was not calculated in real time. This resulted in users

exceeding their quota threshold after a large copy was completed.

Windows Server 2008 R2 File System Overview/Technologies

1099

Windows Server 2008 and Windows Server 2008 R2 include the volume-level quota

management feature but also can be configured to enable and/or enforce quotas at the

folder level on any particular NTFS volume using the File Server Resource Manager service.

Included with this service is the ability to screen out certain file types, as well as real-time

calculation of file copies to stop operations that would exceed quotas thresholds.

Reporting and notifications regarding quotas can also be configured to inform end users

and administrators during scheduled intervals, when nearing a quota threshold, or when

the threshold is actually reached.

Data Compression

NTFS volumes support data compression, and administrators can enable this functionality

at the volume level, allowing users to compress data at the folder and file level. Data

compression reduces the required storage space for data. Data compression, however, does

have some limitations, as follows:

. Additional load is placed on the system during read, write, and compression and

decompression operations.

. Compressed data cannot be encrypted.

Data Encryption

ptg

NTFS volumes support the ability for users and administrators to encrypt the entire

volume, a folder, or a single file. This provides a higher level of security for data. If the

disk, workstation, or server the encrypted data is stored on is stolen or lost, the encrypted

data cannot be accessed. Enabling, supporting, and using data encryption on Windows

volumes and Active Directory domains needs to be considered carefully as there are

administrative functions and basic user issues that can cause the inability to access previ-

ously encrypted data.

File Screening

28

File screening enables administrators to define the types of files that can be saved within a

Windows volume and folder. With a file screen template enabled, all file write or save

operations are intercepted and screened and only files that pass the file screen policy are

allowed to be saved to that particular volume or folder. The one implication with the file

screening functionality is that if a new file screening template is applied to an existing

volume, files that would normally not be allowed on the volume would not be removed if

they are already stored on it. File screening is a function of the File Server Resource

Manager service, covered in the “File Server Resource Manager (FSRM)” section later in

this chapter.

File Classification Infrastructure

Windows Server 2008 R2 includes a new feature called the File Classification Infrastructure

(FCI). The FCI enables administrators to create classification policies that can be used to

identify files and tag or classify files according to properties and policies defined by the

file server administrators. FCI can be managed by using the File Server Resource Manager

1100

CHAPTER 28

File System Management and Fault Tolerance

console and allows for file server administrators to identify files and classify these files by

setting specific FCI property values to these files based on the folder they are stored in

and/or based on the content stored within the file itself. When a file is classified by FCI, if

the file is a Microsoft Office file, the FCI information is stored within the file itself and

follows the file wherever it is copied or moved to. If the file is a different type of file, the

FCI information is stored within the NTFS volume itself, but the FCI information follows

the file to any location it is copied or moved to, provided that the destination is an NTFS

volume hosted on a Windows Server 2008 R2 system. More information on FCI is detailed

later in this chapter.

Volume Shadow Copy Service (VSS)

Windows Server 2003 introduced a file system service called the Volume Shadow Copy

Service (VSS). The VSS enables administrators and third-party independent software

vendors to take snapshots of the file system to allow for faster backups and, in some cases,

point-in-time recovery without the need to access backup media. VSS copies of a volume

can also be mounted and accessed just like another Windows volume if that should

become necessary.

Shadow Copies of Shared Folders

ptg

Volume shadow copies of shared folders can be enabled on Windows volumes to allow

administrators and end users to recover data deleted from a network share without having

to restore from backup. The shadow copy runs on a scheduled basis and takes a snapshot

copy of the data currently stored in the volume. In previous versions of Windows prior to

Windows Server 2003, if a user mistakenly deleted data in a network shared folder, it was

immediately deleted from the server and the data had to be restored from backup. A

Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2 NTFS volume

that has shadow copies enabled allows a user with the correct permissions to restore

deleted or overwritten data from a previously stored shadow copy backup. It is important

to note that shadow copies are stored on local volumes and if the volume hosting the

shadow copy becomes inaccessible or corrupted, so does the shadow copy. Shadow copies

are not a replacement for backups and should not be considered a disaster recovery tool.

Volume Shadow Copy Service Backup

The Volume Shadow Copy Service in Windows Server 2008 R2 also provides the ability for

Windows Backup and third-party software vendors to utilize this technology to improve

backup performance and integrity. A VSS-compatible backup program can call on the

Volume Shadow Copy Service to create a shadow copy of a particular volume or database,

and then the backup can be created using that shadow copy. A benefit of utilizing VSS-

aware backups is that the reliability and performance of the backup is increased as the

backup window will be shorter and the load on the system disk will be reduced during the

backup. More information on volume shadow copy backups is detailed in Chapter 30,

“Backing Up the Windows Server 2008 R2 Environment.”

Windows Server 2008 R2 File System Overview/Technologies