MCITP Guide to Microsoft Windows Server 2008 Server
Administration (Exam #70-646)
Chapter 5
Configuring, Managing, and Troubleshooting Resource Access
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
2
Learning Objectives
• Set up security for folders and files
• Configure shared folders and shared folder security
• Install and set up the Distributed File System
• Configure disk quotas
• Implement UNIX compatibility
Managing Folder and File Security
• Steps for sharing resources– Creating accounts and groups– Create access control lists (ACLs)
• Types of ACLs – Discretionary ACL (DACL)
• Configured by a server administrator or owner of an object
– System control ACL (SACL) • Contains information used to audit the access to an
object
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
3
Managing Folder and File Security (cont’d.)
• DACL and SACL controls for folders and files– Attributes– Permissions– Auditing– Ownership
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
4
Configuring Folder and File Attributes
• Attributes – Stored as header information with each folder and file– Along with other characteristics including volume
label, designation as a subfolder, date of creation, and time of creation
• Read-only and hidden attributes– Set on General tab in an NTFS folder’s or file’s
properties dialog box
• Advanced attributes – Archive, index, compress, and encrypt
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
5
Configuring Folder and File Attributes (cont’d.)
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
6
Figure 5-1 Attributes of a folder on an NTFS formatted diskCourtesy Course Technology/Cengage Learning
Configuring Folder and File Attributes (cont’d.)
• Archive attribute– Checked to indicate that the folder or file needs to be
backed up because it is new or changed
• Index Attribute vs. Windows Search Service – Index attribute and accompanying Indexing Service
are legacy features for continuity with earlier operating systems
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
7
Configuring Folder and File Attributes (cont’d.)
• Windows Search Service– Install the File Services role via Server Manager
• Indexed files include:– Files in the Documents folder for an account– e-mail files – Photos and multimedia files– Files that are commonly accessed
• Maintain Windows Search Service through Control Panel
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
8
Configuring Folder and File Attributes (cont’d.)
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
9
Figure 5-3 Configuring advanced indexing optionsCourtesy Course Technology/Cengage Learning
Configuring Folder and File Attributes (cont’d.)
• Compress Attribute– Reduce the amount of disk space used for files– Disadvantage of compressed files is increased CPU
overhead to open the files and to copy them
• Encrypt Attribute– Only user who encrypts folder or file is able to read it
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
10
Configuring Folder and File Attributes (cont’d.)
• Microsoft Encrypting File System (EFS)– Sets up a unique, private encryption key associated
with the user account that encrypted the folder or file– Uses both symmetric and asymmetric encryption
techniques
• Activity 5-1: Encrypting Files– Objective: Encrypt files in a folder
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
11
Configuring Folder and File Permissions
• Permissions– Control access to an object,
such as a folder or file
• Use Edit button on the folder properties Security tab – Change which groups and
users have permissions to a folder
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
12
Figure 5-4 Configuring folder permissionsCourtesy Course Technology/Cengage Learning
Configuring Folder and File Permissions (cont’d.)
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
13
Table 5-1 NTFS folder and file permissions
Configuring Folder and File Permissions (cont’d.)
• Activity 5-2: Configuring Folder Permissions– Objective: Configure permissions on a folder so that
users can modify its contents
• Inherited permissions– Parent object permissions apply to child object
• Activity 5-3: Removing Inherited Permissions– Objective: Remove inherited permissions on a folder
• Activity 5-4: Configuring Special Permissions– Objective: Configure special permissions for a folder
to grant a group expanded access
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
14
Configuring Folder and File Permissions (cont’d.)
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
15
Figure 5-5 Advanced Security Settings dialog boxCourtesy Course Technology/Cengage Learning
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
16
Table 5-2 NTFS folder and file special permissions
Configuring Folder and File Auditing
• Auditing– Track activity on a folder or file, such as read or write
activity
• NTFS folders and files – Audit combination of any or all of activities listed as
special permissions
• Activity 5-5: Auditing a Folder– Objective: Configure auditing on a folder to monitor
how it is accessed and who is making changes to the folder
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
17
Configuring Folder and File Auditing (cont’d.)
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
18
Figure 5-8 Folder auditing selectionsCourtesy Course Technology/Cengage Learning
Configuring Folder and File Ownership
• Folders– Owned by the account that creates them
• Owners have ability to change permissions for folders they create
• Taking ownership– Transfer ownership– Administrator can always take ownership
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
19
Configuring Folder and File Ownership (cont’d.)
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
20
Figure 5-9 Taking ownership of a folderCourtesy Course Technology/Cengage Learning
Configuring Shared Folders and Shared Folder Permissions
• Shared folder – Users can access over the network
• Changed in Windows Server 2008 from previous versions – Make person offering share more aware of security
options
• Activity 5-6: Enabling Sharing a Folder– Objective: Turn on file sharing and public folder
sharing
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
21
Configuring Shared Folders and Shared Folder Permissions (cont’d.)
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
22
Figure 5-10 File Sharing dialog boxCourtesy Course Technology/Cengage Learning
Configuring Shared Folders and Shared Folder Permissions (cont’d.)
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
23
Figure 5-11 Sharing tabCourtesy Course Technology/Cengage Learning
Configuring Shared Folders and Shared Folder Permissions (cont’d.)
• Share permissions for an object – Differ from the NTFS access permissions set through
the Security tab– NTFS and share permissions are cumulative
• Four share permissions associated with a folder– Reader– Contributor– Co-owner– Owner
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
24
Configuring Shared Folders and Shared Folder Permissions (cont’d.)
• Folder caching options– Only the files and programs that users specify will be
available offline– All files and programs that users open from the share
will be automatically available offline– Files or programs from the share will not be available
offline
• Activity 5-7: Configuring a Shared Folder– Objective: Configure a shared folder, share
permissions, and offline access
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
25
Publishing a Shared Folder in Active Directory
• Publish an object – Make it available for users to access when they view
Active Directory contents
• Directory Service Client (DSClient)– Software that enables older operating systems to
search Active Directory
• Activity 5-8: Publishing a Shared Folder– Objective: Publish a shared folder in Active Directory
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
26
Troubleshooting a Security Conflict
• Review folder and share permissions for:– User account – All of the groups to which user belongs
• Effective Permissions tab – Helps troubleshoot permissions conflicts– To access:
• Right-click a folder or file, click Properties, click the Security tab, click the Advanced button, and click the Effective Permissions tab
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
27
Troubleshooting a Security Conflict (cont’d.)
• Take into account what happens when a folder or files in a folder are copied or moved
• Activity 5-9: Troubleshooting Permissions– Objective: View the effective permissions on a folder
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
28
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
29
Figure 5-13 Examining effective permissions as a troubleshooting aidCourtesy Course Technology/Cengage Learning
Implementing a Distributed File System
• Distributed File System (DFS) – Simplify access to the shared folders on a network
• By setting up folders to appear as though they are accessed from only one place
– Makes managing folder access easier for server administrators
– Configured using the DFS Management tool in the Administrative Tools menu
– Shared folder contents can be replicated to one or more DCs or member servers
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
30
Implementing a Distributed File System (cont’d.)
• Advantages– Save time searching– NTFS access permissions apply– Fault tolerance– Load balancing– Improved access for Web-based internet and intranet– Backups made more easily– Important information is not lost when a disk drive on
one server fails– Users always have access to shared folders even in
the event of a disk failureMCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
31
DFS Models
• Stand-alone – No Active Directory implementation available to help
manage the shared folders– Provides only a single or flat level share
• Domain-based– Takes full advantage of Active Directory – Available only to servers and workstations that are
members of a domain
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
32
DFS Topology
• Hierarchical structure of DFS in domain-based model
• Namespace root – Main container in Active Directory – Holds links to shared folders that can be accessed
from the root– Populated by shared folders for users to access
• Replication group – Set of shared folders replicated or copied to one or
more servers in a domain
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
33
Installing DFS
• Installed as a service within the File Services role
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
34
Figure 5-14 Selecting to install DFSCourtesy Course Technology/Cengage Learning
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
35
Figure 5-15 Configuring the namespace typeCourtesy Course Technology/Cengage Learning
Installing DFS (cont’d.)
• Activity 5-10: Creating a Namespace Root– Objective: Configure a namespace root
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
36
Managing a Domain-Based Namespace Root System
• Tasks involved in managing the namespace root– Creating a folder in a namespace– Delegating management– Tuning a namespace– Deleting a namespace root– Using DFS replication
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
37
Managing a Domain-Based Namespace Root System (cont’d.)
• Creating a Folder in a Namespace– Folder target is a path in the Universal Naming
Convention (UNC) format– Universal Naming Convention (UNC)
• Naming convention that designates network servers, computers, and shared resources
• Activity 5-11: Adding a Folder and Folder Target in DFS– Objective: Add a folder in DFS
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
38
Managing a Domain-Based Namespace Root System (cont’d.)
• Delegating Management– Day-to-day activities can be managed by an assistant
or by another person– Right-click namespace and click Delegate
Management Permissions
• Tuning a Namespace– Configure the order for referrals– Configure cache duration for a namespace or folder– Configure namespace polling– Configure folder targets as enabled or disabled
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
39
Managing a Domain-Based Namespace Root System (cont’d.)
• Deleting a Namespace Root– Delete namespace root via the DFS Management tool – Click namespace root and click Delete
• Using DFS Replication– Defined two or more folder targets– Decide which server is to be the primary group
member– Click a folder under the namespace root in the tree of
the DFS Management tool– Replication is handled by the File Replication Service
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
40
Managing a Domain-Based Namespace Root System (cont’d.)
• Important improvements to DFS replication– Enables faster and more reliable recovery– Faster for all sizes of files– More efficient over LANs and WANs
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
41
Configuring Disk Quotas
• Advantages of disk quotas– Prevent users from filling the disk capacity– Encourage users to help manage disk space– Track disk capacity needs– Provide server administrators with information about
when users are nearing or have reached their quota limits
• Quotas can be set on any local or shared volume
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
42
Configuring Disk Quotas (cont’d.)
• Parameters– Enable quota management– Deny disk space to users exceeding quota limit– Do not limit disk usage– Limit disk space to– Set warning level to– Log event when a user exceeds their quota limit– Log event when the user exceeds their warning level
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
43
Configuring Disk Quotas (cont’d.)
• Activity 5-12: Configuring Disk Quotas– Objective: Enable disk quotas and then set a disk
quota for a specific group of users
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
44
Using UNIX Interoperability in Windows Server 2008
• Subsystem for UNIX-based Applications (SUA) – Provides compatibility with UNIX and Linux systems
• SUA functionality– Run UNIX/Linux applications with few or no changes
to the program source code.– Run UNIX/Linux scripts– Use popular UNIX/Linux shells– Run most UNIX/Linux commands– Run the popular vi UNIX/Linux editor
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
45
Using UNIX Interoperability in Windows Server 2008 (cont’d.)
• Compiler – Program that reads lines of program code in a source
file and converts the code into machine-language instructions the computer can execute
• Script – Consists of lines of commands that are executed
when you run the script
• Shell– Interface between the user and the operating system– Korn or C shell
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
46
Using UNIX Interoperability in Windows Server 2008 (cont’d.)
• Dynamic-link library (DLL)– Contain program code that can be called and run by
Windows applications
• Server for Network Information Services– Provides a naming system for shared resources on a
UNIX/Linux network
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
47
Using UNIX Interoperability in Windows Server 2008 (cont’d.)
• New features for SUA– More transparent ability for UNIX/Linux applications to
connect to Oracle and SQL Server databases– Inclusion of true 64-bit libraries– New utilities– Use Microsoft Visual Studio for designing UNIX/Linux
applications
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
48
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
49
Summary
• Discretionary access control lists – Manage access to resources
• Folder and file attributes provide one level of security
• Permissions provide another level of security
• Folders can be shared for users to access over a network
• Use Effective Permissions capability to troubleshoot a security conflict
Summary (cont’d.)
• Distributed File System (DFS) – Set up shared folders that are easier for users to
access and can be replicated for backup and load distribution
• Disk quotas– Manage the resources put on a server disk volume
• Subsystem for UNIX-based Applications– Provides compatibility with UNIX and Linux systems
MCITP Guide to Microsoft Windows Server 2008, Server Administration (Exam #70-646)
50