Wednesday, December 9, 2015
Tuesday, December 8, 2015
Friday, December 4, 2015
Tuesday, December 1, 2015
Reapply default security settings
- Open Security Configuration and Analysis.
- In the console tree, right-click Security Configuration and Analysis, and then click Open Database.
Where?- ConsoleRoot/Security Configuration and Analysis
- ConsoleRoot/Security Configuration and Analysis
- In File name, type the file name, and then click Open.
- Do one of the following:
- For a domain controller, in the console tree, right-click Security Configuration and Analysis, click Import Template, and then click DC security.
- For other computers, in the console tree, right-click Security Configuration and Analysis, click Import Template, and then click setup security.
- For a domain controller, in the console tree, right-click Security Configuration and Analysis, click Import Template, and then click DC security.
- Select the Clear this database before importing check box, and then click Open.
- In the console tree, right-click Security Configuration and Analysis, and then click Configure Computer Now.
- Do one of the following:
- To use the default log specified in Error log file path, click OK.
- To specify a different log, in Error log file path, type a valid path and file name, and then click OK.
- To use the default log specified in Error log file path, click OK.
- When the configuration is done, right-click Security Configuration and Analysis, and then click View Log File.
Important
- Applying the entire setup security template is a drastic measure that should be avoided. Instead, use the secedit command-line tool to apply default settings for specific areas. See the Using a command line section of this procedure.
Notes
- Different permissions are required to perform this procedure, depending on the environment in which you reapply default security settings:
- If you reapply default security settings to your local computer: To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
- If you reapply default security settings to a computer that is joined to a domain: To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.
- If you reapply default security settings to your local computer: To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
- To open Security Configuration and Analysis, click Start, click Run, type mmc, and then click OK. On the File menu, click Open, click the console that you want to open, and then click Open. In the console tree, click Security Configuration and Analysis.
- The default path for the log file is:
systemroot\Documents and Settings\UserAccount\My Documents\Security\Logs\ - When you reapply default security settings, all settings that are defined in Setup security.inf are set as the template specifies, but other settings that are not defined in the template may persist. For more information, see Applying security settings.
Assign user rights for your local computer
- Open Local Security Settings.
- In the console tree, click User Rights Assignment.
Where?- Security Settings/Local Policies/User Rights Assignments
- Security Settings/Local Policies/User Rights Assignments
- In the details pane, double-click the user right you want to change.
- In UserRight Properties, click Add User or Group.
- Add the user or group and click OK.
Note
- To open Local Security Policy, click Start, point to Settings, click Control Panel, double-click Administrative Tools, and then double-click Local Security Policy.
Authorize WMI users and set permissions
- Open WMI Control.
- In the console tree, right-click WMI Control, and then click Properties.
- Click the Security tab.
- Select the namespace for which you want to give a user or group access, and then click Security.
- In the Security dialog box, click Add.
- In the Select Users, Computers, or Groups dialog box, enter the name of the object (user or group) that you want to add. Click the Check Names button to verify your entry and then click OK. You might have to change the location or use the Advanced button to query for objects. See the dialog box help for more details.
- In the Security dialog box, under Permissions, select the permissions to allow or deny the new user or group.
Notes
- To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
- To open the WMI Control console, click Start, click Run, type wmimgmt.msc, and then click OK.
- You can set permissions on a remote computer or a local computer. To access a remote computer, right-click WMI Control, click Connect to another computer, clickAnother computer, and then type the name of the computer to which you want to connect. If you are using WMI Control from the Computer Management console, right-click the Computer Management node to connect to the other computer.
- On computers running Windows 95, Windows 98, or Windows ME, all users have full control locally. Security settings are only relevant for remote connection to a computer running Windows 95, Windows 98, or Windows ME.
- You can delete a user's or group's authorization to access WMI services by selecting that user or group and clicking Remove.
Change the permissions a user or group has to a connection
- Open Terminal Services Configuration.
- In the console tree, click Connections.
- In the details pane, right-click the connection for which you want to change permissions, and then click Properties.
- On the Permissions tab, click Advanced to open the Advanced Security Settings dialog box.
- In Permission Entries, select the user or group for which you want to change permissions, and then click Edit... to open the Permission Entry dialog box.
- In Permissions, select or clear, as appropriate, the Allow or Deny check boxes next to the permissions you want to set for the group.
Notes
- To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.
- To open Terminal Services Configuration, click Start, click Control Panel, double-click Administrative Tools, and then double-click Terminal Services Configuration.
- You must use the Remote Desktop Users group to control remote access to Terminal Server and Remote Desktop for Administration.
Set or remove permissions for a printer
- Open Printers and Faxes.
- Right-click the printer for which you want to set permissions, click Properties, and then click the Security tab.
- Do one of the following:
- To change or remove permissions from an existing user or group, click the name of the user or group.
- To set up permissions for a new user or group, click Add. In Select Users, Computers, or Groups, type the name of the user or group you want to set permissions for, and then click OK to close the dialog box.
- To change or remove permissions from an existing user or group, click the name of the user or group.
- In Permissions, click Allow or Deny for each permission you want to allow or deny, if necessary. Or, to remove the user or group from the permissions list, click Remove.
Notes
- To change device settings, you must have the Manage Printers permission. For information about printing security permissions, see Related Topics.
- To open Printers and Faxes, click Start, and then click Printers and Faxes.
- To view or change the underlying permissions that make up Print, Manage Printers, and Manage Documents, click the Advanced button.
- A printer must be shared in order for the permission settings to affect the users and groups listed.
- You can also view the permissions assigned to you by clicking the group you belong to on the Security tab. For information on finding out what group you belong to, see Related Topics.
Assign permissions to a registry key
- Open Registry Editor.
- Click the key to which you want to assign permissions.
- On the Edit menu, click Permissions.
- Assign an access level to the selected key as follows:
- To grant the user permission to read the key contents, but not save any changes made to the file, under Permissions for name, for Read, select the Allow check box.
- To grant the user permission to open, edit, and take ownership of the selected key, under Permissions for name, for Full Control, select the Allow check box.
- To grant the user special permission in the selected key, click Advanced.
- To grant the user permission to read the key contents, but not save any changes made to the file, under Permissions for name, for Read, select the Allow check box.
- If you are assigning permissions to a subkey and you want the inheritable permissions assigned to the parent key to apply to the subkey also, click Advanced and select theInherit from parents the permission entries that apply to child objects. Include these with entries explicitly defined here check box.
Caution
- Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on your computer.
Notes
- To open Registry Editor, click Start, click Run, type regedit, and then click OK.
- You must have appropriate permissions to make changes to a registry key. To maintain security when making changes to a registry key for which you need administrative credentials, log in as a member of the Users group and run Regedit as an administrator by right-clicking the Regedit icon, clicking Run as, and clicking an account in the local Administrators group. The Regedit icon does not appear by default from the Start menu. To access the icon, open the Windows or WINNT folder on your computer.
- If you own a registry key, you can specify the users and groups that can open that key. To determine who can open your registry keys, you need to assign permissions to them. You can add or remove users or groups from those authorized to access your registry keys at any time.
- The Special Permissions check boxes indicate whether custom permissions have been set for this key, but you cannot set special permissions by clicking these check boxes. Click Advanced to set special permissions.
Set permissions on a shared resource
Using Shared Folders
- To open a Control Panel item, click Start, click Control Panel, and then double-click the appropriate icon.
- In the console tree, click Shares.
Where?- Computer Management/System Tools/Shared Folders/Shares
- Computer Management/System Tools/Shared Folders/Shares
- In the details pane, right-click the shared resource that you want to set permissions for, and then click Properties.
- On the Share Permissions tab, make any of the following changes, and then click OK:
- To assign permissions to a user or group for a shared resource, click Add. In the Select Users, Computers, or Groups dialog box, look for or type the user or group name, and then click OK.
- To revoke access to the shared resource, click Remove.
- To set individual permissions for the user or group, in the Permissions forgroup or user box, select the Allow or Deny check boxes.
- To assign permissions to a user or group for a shared resource, click Add. In the Select Users, Computers, or Groups dialog box, look for or type the user or group name, and then click OK.
Note
- To open Computer Management, click Start, click Control Panel, double-click Administrative Tools, and then double-click Computer Management.
Using Windows Explorer
- Open Windows Explorer.
- Right-click the shared folder or drive that you want to set permissions for, and then click Sharing and Security.
- On the Sharing tab, click Permissions, make any of the following changes, and then click OK:
- To assign permissions to a user or group for a shared resource, click Add. In the Select Users, Computers, or Groups dialog box, look for or type the user or group name, and then click OK.
- To revoke access to a shared resource, click Remove.
- To set individual permissions for the user or group, in the Permissions for group or user box, select the Allow or Deny check boxes.
- To assign permissions to a user or group for a shared resource, click Add. In the Select Users, Computers, or Groups dialog box, look for or type the user or group name, and then click OK.
Note
- To open a Control Panel item, click Start, click Control Panel, and then double-click the appropriate icon.
Important
- Share permissions apply only to users who gain access to the resource over the network. They do not apply to users who log on locally, such as on a terminal server. In these cases, use access control on the NTFS file system to set permissions. For more information, see Related Topics.
Notes
- You must be logged on as a member of the Administrators group, Server Operators group, or Power Users group to complete this procedure. If your computer is connected to a network, network policy settings might also prevent you from completing this procedure.
- You can use Shared Folders to manage shared resources on both local and remote computers. For information about how to connect to another computer, see Related Topics. With Windows Explorer and the command line, you can manage shared resources on your local computer only.
- When permissions have been assigned both to the shared resource and at the file system level, the more restrictive permission always applies.
- It is usually easier to assign permissions to groups and then add users to groups, rather than assigning identical permissions to individual users.
- If you change permissions on special shared resources, such as ADMIN$, the default settings may be restored when the Server service is stopped and restarted or when the computer is restarted. Note that this does not apply to user-created shared resources whose share name ends in $. For more information about special shared resources, see Related Topics.
- File sharing options may be limited if simple file sharing is enabled. For more information about simple file sharing, see article Q304040, "How to configure file sharing in Windows XP," in the Microsoft Knowledge Base.
Set, view, change, or remove permissions on files and folders
- Open Windows Explorer.
- Right-click the file or folder for which you want to set permissions, click Properties, and then click the Security tab.
- Do one of the following:
- To set permissions for a group or user that does not appear in the Group or user names box, click Add. Type the name of the group or user you want to set permissions for and then click OK.
- To change or remove permissions from an existing group or user, click the name of the group or user.
- To set permissions for a group or user that does not appear in the Group or user names box, click Add. Type the name of the group or user you want to set permissions for and then click OK.
- Do one of the following:
- To allow or deny a permission, in the Permissions for User or Group box, select the Allow or Deny check box.
- To remove the group or user from the Group or user names box, click Remove.
- To allow or deny a permission, in the Permissions for User or Group box, select the Allow or Deny check box.
Notes
- To open Windows Explorer, click Start, point to All programs, point to Accessories, and then click Windows Explorer.
- In the Windows Server 2003 family, the Everyone group no longer includes Anonymous Logon.
- You can only set file and folder permissions on drives formatted to use NTFS.
- To change permissions, you must be the owner or have been granted permission to do so by the owner.
- Groups or users that are granted Full Control for a folder can delete files and subfolders within that folder, regardless of the permissions that protect the files and subfolders.
- If the check boxes under Permissions for User or Group are shaded or if the Remove button is unavailable, then the file or folder has inherited permissions from the parent folder. For more information on how inheritance affects files and folders, see Related Topics.
- When adding a new user or group, by default, this user or group will have Read & Execute, List Folder Contents, and Read permissions.
Setting File and Folder Permissions Server 2008
- In Windows Explorer, right-click the file or folder you want to work with.
- From the pop-up menu, select Properties, and then in the Properties dialog box click the Security tab, shown in Figure 13-12.
- Users or groups that already have access to the file or folder are listed in the Name list box. You can change permissions for these users and groups by doing the following:
- Select the user or group you want to change.
- Use the Permissions list box to grant or deny access permissions.
Tip Inherited permissions are shaded. If you want to override an inherited permission, select the opposite permission. - To set access permissions for additional users, contacts, computers, or groups, click Add. This displays the Select Users, Computers, Or Groups dialog box shown in Figure 13-13.Figure 13-12: Use the Security tab to configure basic permissions for the file or folder.
- Use the Select Users, Computers, Or Groups dialog box to select the users, computers, or groups for which you want to set access permissions. You can use the fields of this dialog box as follows:
- Look In This drop-down list box allows you to access account names from other domains. Click Look In to see a list of the current domain, trusted domains, and other resources that you can access. Select Entire Directory to view all the account names in the folder.
- Name This column shows the available accounts of the currently selected domain or resource.
- Add This button adds selected names to the selection list.
- Check Names This button validates the user, contact, and group names entered into the selection list. This is useful if you type names in manually and want to make sure they're available.
- In the Name list box, select the user, computer, or group you want to configure, and then use the fields in the Permissions area to allow or deny permissions. Repeat for other users, computers, or groups.
- Click OK when you're finished.Figure 13-13: Select users, computers, and groups that should be granted or denied access.
Auditing System Resources
Auditing is the best way to track what's happening on your Windows 2000 systems. You can use auditing to collect information related to resource usage, such as file access, system logon, and system configuration changes. Anytime an action occurs that you've configured for auditing, the action is written to the system's security log, where it's stored for your review. The security log is accessible from Event Viewer.
Note: For most auditing changes, you'll need to be logged on using an account that is a member of the Administrators group or be granted the Manage Auditing And Security Log right in Group Policy.
Setting Auditing Policies
Auditing policies are essential to ensure the security and integrity of your systems. Just about every computer system on the network should be configured with some type of security logging. You configure auditing policies with Group Policy. Through Group Policy, you can set auditing policies for an entire site, domain, or organizational unit. You can also set policies for an individual workstation or server.
Once you access the Group Policy container you want to work with, you can set auditing policies by completing the following steps:
- As shown in Figure 13-14, access the Audit Policy node by working your way down through the console tree. Expand Computer Configuration, Windows Settings, Security Settings, and Local Policies. Then select Audit Policy.
- The auditing options are
- Audit Account Logon Events Tracks events related to user logon and logoff.
- Audit Account Management Tracks account management by means of Active Directory Users And Computers. Events are generated anytime user, computer, or group accounts are created, modified, or deleted.
- Audit Directory Service Access Tracks access to the Active Directory. Events are generated any time users or computers access the directory.
- Audit Logon Events Tracks events related to user logon, logoff, and remote connections to network systems.
- Audit Object Access Tracks system resource usage for files, directories, shares, printers, and Active Directory objects.
- Audit Policy Change Tracks changes to user rights, auditing, and trust relationships.
- Audit Privilege Use Tracks the use of user rights and privileges, such as the right to back up files and directories.Note: The Audit Privilege Use policy doesn't track system access–related events, such as the use of the right to log on interactively or the right to access the computer from the network. These events are tracked with Logon and Logoff auditing.
- Audit Process Tracking Tracks system processes and the resources they use.
- Audit System Events Tracks system startup, shutdown, and restart, as well as actions that affect system security or the security log.
- To configure an auditing policy, double-click its entry or right-click and select Security. This opens a Properties dialog box for the policy.
- Select Define These Policy Settings, and then select either the Success check box or the Failure check box, or both. Success logs successful events, such as successful logon attempts. Failure logs failed events, such as failed logon attempts.
- Click OK when you're finished.Figure 13-14: Set auditing policies using the Audit Policy node in Group Policy.
Auditing Files and Folders
If you configure a group policy to enable the Audit Object Access option, you can set the level of auditing for individual folders and files. This allows you to control precisely how folder and file usage is tracked. Auditing of this type is only available on NTFS volumes.
You can configure file and folder auditing by completing the following steps:
- In Windows Explorer, right-click the file or folder to be audited, and then from the pop-up menu select Properties.
- Choose the Security tab, and then click Advanced.
- In the Access Control Settings dialog box, select the Auditing tab, shown in Figure 13-15.
- If you want to inherit auditing settings from a parent object, ensure that Allow Inheritable Auditing Entries From Parent To Propagate To This Object is selected.
- If you want child objects of the current object to inherit the settings, select Reset Auditing Entries On All Child Objects And Enable Propagation Of Inheritable Auditing Entries.Figure 13-15: Once you audit object access, you can use the Auditing tab to set auditing policies on individual files and folders.
- Use the Auditing Entries list box to select the users, groups, or computers whose actions you want to audit. To remove an account, select the account in the Auditing Entries list box, and then click Remove.
- To add specific accounts, click Add, and then use the Select Users, Contacts, Computers, Or Groups dialog box to select an account name to add. When you click OK, you'll see the Auditing Entry For New Folder dialog box, shown in Figure 13-16.Note: If you want to audit actions for all users, use the special group Everyone. Otherwise, select the specific user groups or users, or both, that you want to audit.
- As necessary, use the Apply Onto drop-down list box to specify where objects are audited.
- Select the Successful or Failed check boxes, or both, for each of the events you want to audit. Successful logs successful events, such as successful file reads. Failed logs failed events, such as failed file deletions. The events you can audit are the same as the special permissions listed in Table 13-5—except you can't audit synchronizing of offline files and folders.
- Choose OK when you're finished. Repeat this process to audit other users, groups, or computers.Figure 13-16: Use the Auditing Entry For New Folder dialog box to set auditing entries for a user, contact, computer, or group.
Auditing Active Directory Objects
If you configure a group policy to enable the Audit Directory Service Access option, you can set the level of auditing for Active Directory objects. This allows you to control precisely how object usage is tracked.
To configure object auditing, follow these steps:
- In Active Directory Users And Computers, access the container for the object.
- Right-click the object to be audited, and then from the pop-up menu select Properties.
- Choose the Security tab, and then click Advanced.
- In the Access Control Settings dialog box, select the Auditing tab. To inherit auditing settings from a parent object, make sure that Allow Inheritable Auditing Entries From Parent To Propagate To This Object is selected.
- Use the Auditing Entries list box to select the users, contacts, groups, or computers whose actions you want to audit. To remove an account, select the account in the Auditing Entries list box, and then click Remove.
- To add specific accounts, click Add, and then use the Select Users, Contacts, Computers, Or Groups dialog box to select an account name to add. When you click OK, the Auditing Entry For dialog box is displayed.
- Use the Apply Onto drop-down list box to specify where objects are audited.
- Select the Successful or Failed check boxes, or both, for each of the events you want to audit. Successful logs successful events, such as successful file reads. Failed logs failed events, such as failed file deletions.
- Choose OK when you're finished. Repeat this process to audit other users, contacts, groups, or computers.
Monday, November 30, 2015
Share a folder in Windows Server 2012
Open Server Manager and navigate to File and Storage Services. Once there, go to Shares and, from the Tasks menu, choose the New Share option (Figure A).
Figure A
Starting the share creation process
The first question you're asked is one regarding the protocol you'd like to use for the new share. You can choose between SMB and, if the service is installed, NFS. For both, there are multiple profiles from which you can choose. In the table below, you can see a list of the profiles, along with a short description of each.
Profile | Description |
SMB Share - Quick | This basic profile represents the fastest way to create an SMB file share, typically used to share files with Windows-based computers.
|
SMB Share - Advanced | This advanced profile offers additional options to configure a SMB file share.
|
SMB Share - Applications | This profile creates an SMB file share with settings appropriate for Hyper-V, certain databases, and other server applications. |
NFS Share - Quick | This basic profile represents the fastest way to create a NFS file share, typically used to share files with UNIX-based computers.
|
NFS Share - Advanced | This advanced profile offers additional options to configure a NFS file share.
|
Note that I've chosen to create a standard SMB share with the Advanced option so you can see more options later on.
Figure B
Choose a profile for the share
Next, provide the path to the folder that you'd like to share. You can also choose to share a whole drive, as you can see in Figure C. I'm sharing a folder named C:\MySharedFolder.Figure C
Provide a path for the shared folder
Next, provide the name of the share and a description of the share. The share name does not have to match the folder name. I've named my shareTechRepublic. Note in Figure D that you are also shown the full share name/network path.Figure D
Give the new share a name and description
There are a number of additional settings that you can enable for the share. Access-based enumeration used to be an add on for Windows. It allows users to see just the files and folders to which they have been granted access and not even be able to see that other items exist. You can also choose to allow the shared folder to be cached on other systems using BranchCache. Finally, you're able to encrypt remote access to the newly shared resource.
Figure E
Choose advanced sharing settings
If you've used NTFS permissions in the past, the next step is familiar. Provide the permissions that should be in force for this resource.
Figure F
Set permissions for the shared folder
Windows Server 2012 has new content management capabilities that can span the organization. The step of the wizard shown in Figure G is a part of this new classification system.Figure G
Identify the purpose of this folder
Windows Server 2012 comes with a number of predefined quotas. If you want to apply a quota to this share, choose the quota type.
Figure H
Apply a predefined quota
Review your selections and click the Create button when you're ready to create the share.
Figure I
Review your selections
You're provided with a full progress update.
Figure J
The share was created successfully
You've now successfully shared a folder in Windows Server 2012.
Installing the General Use File Server Role and Scale-Out Server 2012
- Click on Configure Role in the Actions pane in Failover Cluster Manager.
- Click Next on the Before You Begin page.
- On the Select Role page, select the File Server role. Make sure there are no errors indicating the role is not installed on all nodes in the cluster, and click Next.
Figure 1
- On the File Server Type page, select File Server for general use and click Next. Note that when you select this option, you have support for SMB and NFS shares, and you can also use File Server Resource Manager, Distributed File System Replication and other File Services role services.
Figure 2
- On the Client Access Point page, enter the information for the Client Access Point (CAP) and click Next.
- On the Select Storage page, enter a storage location for the data and click Next.
- On the Confirmation page, read the Confirmation information and click Next.
- On the Summary page, you can click the View Report button if you want to see details of the configuration. Click Finish.
Now that the role is installed, you can create file shares on the failover cluster.
Perform the following steps to create the file shares:
- Click the File Server Role in the Failover Cluster Manager and in the Actions pane, click Add File Share.
- The server configuration will be retrieved as a connection is made to the File and Storage ServicesManagement interface.
- The Select Profile page presents you with five options. For our purposes, you can choose either SMB Share - Basic or SMB Share - Advanced and click Next
Figure 3
- On the Share Location page, choose a Share Location and click Next.
- On the Share Name page, provide a Share Name and click Next.
- On the Other Settings page, there are a number of additional share settings from which you can choose. Notice that Enable Continuous Availability is checked by default; this is to take advantage of the new SMB v3 functionality (Transparent Failover). Another new feature in SMB v3 enables you to encrypt the SMB connection without requiring the overhead of IPsec. You can find out more about SMB v3 here. Click Next.
Figure 4
- On the Permissions page, you can configure permissions to control access (both NTFS and share permissions). Click Next
Figure 5
- On the Confirmation page, review the information and click Create.
When the share is configured, it will appear in the Shares tab.
Figure 6
If you prefer the command line, you can also get information about the share by using the PowerShell cmdlet Get-SMBShare.
Another place you can find share information is in the File and Storage Services Management Interface in Server Manager.
Installing the Scale-Out File Server Role
The Scale-Out File Server role is new in Windows Server 2012. With the many new technologies in Windows Server 2012, you can provide continuously available file services for application data and, at the same time, respond to increased demands quickly by bringing more servers online. Scale-Out File Servers take advantage of new features included in Windows Server 2012 Failover Clustering. The key new features that are included in Windows Server 2012, which enable the Scale Out Server Role, include the following:
- Distributed Network Name (DNN) – this is the name that client systems use to connect to cluster shared resources
- Scale-Out File Server resource type
- Cluster Shared Volumes Version 2 (CSVv2)
- Scale-Out File Server Role
Note that Failover Clustering is required for Scale-Out File Servers and the clusters of Scale Out File Servers are limited to four servers. Also, the File Server role service must be enabled on all nodes in the cluster.
SMB v3, which is installed and enabled by default in Windows Server 2012, provides several features that support continuous availability of file shares to end users and applications. It’s important to point out that Scale-Out File Servers support storing application data on file shares and that SMB v3 will provide continuous availability for those shares for the two supported applications, which are Hyper-V and SQL Server. Specific capabilities that exist as part of the new SMBv2.2 functionality include:
- SMB2 Transparent Failover – this allows all members of the cluster to host the shared resources and makes it possible for clients to connect to other members of the cluster transparently, without any perceptible disconnection on the client side.
- MB2 Multichannel – this enables the use of multiple network connections to connect to cluster hosted resources and enables the cluster members to be highly available by supporting out of the box NIC teaming and bandwidth aggregation.
- SMB2 Direct (RDMA) – this makes it possible to take advantage of the full speed of the NICs without impacting the processors on the cluster members; it also makes it possible to obtain full wire speed and network access speeds comparable to direct attached storage.
For more information about the Scale-Out File Server role, check out this link.
Perform the following steps to create a Scale-Out File Server Role:
- Click Configure Role in the Actions pane in Failover Cluster Manager.
- On the Before You Begin page, click Next.
- On the Select Role page, click the File Server role. Make sure there are no errors indicating the role is not installed on all nodes in the cluster and click Next.
Figure 7
- On the File Server Type page, select File Server for scale-out application data and click Next. Note that when you select this role, there is support only for SMB v3 shares; that is, there is no support for NFS shares. In addition, with this configuration you will not be able to use some file server role services, such as FSRM and DFS replication.
Figure 8
- On the Client Access Point page, enter a valid NetBIOS name for the Client Access Point and click Next.
- On the Confirmation page, review the information and click Next.
- When the wizard completes, you can click the View Report button to see details of the configuration. ClickFinish.
Now that the role is installed, you’re ready to create file shares for applications where you can place the application data.
Perform the following steps to create shared folders:
- Click the File Server Role in the Failover Cluster Manager, and in the Actions pane, click on Add File Share.
- The server configuration will be retrieved as a connection is made to the File and Storage Services Management interface.
- On the Select Profile page of the New Share Wizard, choose SMB Share - Server Application for the profile and click Next.
Figure 9
- On the Share Location page, you should see only Cluster Shared Volumes. Select a volume where you want to place the share and click Next.
Figure 10
- On the Share Name page, enter a Share Name and click Next.
- On the Other settings page, note that Enable continuous availability is selected by default. Click Next.
- On the Permissions page, you can configure permissions to control access (both NTFS and share permissions) as needed. Click Next.
- Review the information on the Confirmation screen and click Create.
The Shares tab reflects all the shares that are configured on the CSV volumes.
Figure 11
The Distributed Network Name resource, which is part of the Scale-Out File Server role, has no dependencies on IP addresses; that means you don’t have to configure anything in advance for this to work. The reason for this is that the resource registers the node IP addresses for each node in the cluster in DNS. These IP addresses can be static IP addresses or they can be managed by DHCP. The IP address of each of the nodes in the cluster is recorded in DNS and is mapped to the Distributed Network Name. Clients then receive up to six addresses from the DNS server and DNS round robin is used to distribute the load.
Deploying a Namespace
Step 1 - Create a Namespace
- In the console tree of the DFS Management snap-in, right-click the Namespaces node, and then click New Namespace.
- Follow the steps in the New Namespace Wizard
- In the console tree of the DFS Management snap-in, right-click \\domain\Public, and then click Add Namespace Server.
- In Namespace server, type the name of another server to host the namespace, and then click OK.
1-Namespace Server:
Enter the name of the server to host the namespace. The server can be a domain controller or a member server.
2-Namespace Name and Settings:
In Name, type Public.
3-Namespace Type:
If AD DS is deployed in your test lab and you are a member of the Domain Admins group or have been delegated permission to create domain-based namespaces, choose Domain-based namespace. Otherwise, choose Stand-alone namespace. For more information about namespace types, see "Namespace types and modes" earlier in this guide.
To learn how a member of the Domain Admins group can delegate permission to create domain-based namespaces, see Delegate Management Permissions for DFS Namespaces.
4-Review Settings and Create Namespace:
Click Create to create the namespace.
5-Confirmation:
Click Close to close the wizard.
When the wizard finishes, your new namespace will be added to the console tree. Double-click the Namespaces node, if necessary, to view your namespace, which should be similar to the following figure.
To browse the new namespace, type the following command in the Run dialog box, substituting either the server name (if you created a stand-alone namespace) or the domain name (if you created a domain-based namespace) as appropriate:
\\ server_or_domain \Public
For information about how to migrate an existing namespace to Windows Server 2008 mode, see Migrate a Domain-based Namespace to Windows Server 2008 Mode.
Add Namespace Server:
After you finish this procedure, click the \\domain\Public namespace in the console tree and review the contents of the Namespace Servers tab in the details pane, which should look similar to the following figure. Notice that two UNC paths are listed. The site of each namespace server is also displayed.
Step 3 Delegate permission to manage an existing namespace
- In the console tree of the DFS Management snap-in, right-click \\server_or_domain\Public, and then click Delegate Management Permissions.
- Type the name of a user or group that you want to manage the namespace, and then click OK.
After you finish this procedure, review the contents of the Delegation tab in the details pane. It should look similar to the following figure.
Notice that the user or group you added shows "Explicit" in the How Permission Is Granted column. "Explicit" means that you can remove the user or group from the delegation list by right-clicking the user or group, and then clicking Remove. Any users or groups that show "Inherited" have inherited management permissions from AD DS, and you cannot remove them from the delegation list using the DFS Management snap-in.
Step 4 Add Folders to the Namespace
To create a folder named Tools in the namespace
To add a second folder target to the Tools folder
To create a folder named Training Guides in the namespace
Step 5 Rename and Move a Folder
To rename the Training Guides folder
To move the Training Demos folder
Step 6 Replicate a Folder in the Namespace Using DFS Replication
Step 4 Add Folders to the Namespace
- In the console tree of the DFS Management snap-in, right-click \\server_or_domain\Public, and then click New Folder.
- In Name, type Software, and then click OK.
Note that the previous procedure creates a new folder in the namespace to build depth in the namespace hierarchy. You are not specifying the name of an existing folder, nor will you store data in this folder. This folder will not have folder targets that direct clients to other servers.
After you finish this procedure, the Software folder is added to the console tree as shown in the following figure. (You might need to double-click the\\server_or_domain\Public root to display the Software folder.
Next, you add two folders with targets to the namespace. You create one folder named Tools within the Software folder, and you create another folder named Training Guides directly under the root named Public.
To create a folder named Tools in the namespace
- In the console tree of the DFS Management snap-in, right-click the Software folder, and then click New Folder.
- In Name, type Tools.
- Click Add to add a folder target.
- Click Browse to open the Browse for Shared Folders dialog box.
- In Server, enter the name of the server that will host the Tools shared folder.
- Click New Shared Folder.
- In the Create Share dialog box, in the Share name box, type Tools, and then enter the local path where you want the shared folder to be created. If the folder does not exist, you are prompted to create it. Click OK to close all dialog boxes.
After you finish this procedure, the Tools folder is added to the console tree as shown in the following figure. (You might need to double-click the Software folder to display the Tools folder.) Notice the icon next to the Tools folder and how it differs from the Software folder’s icon. This icon appears next to all folders that have targets to differentiate them from folders that do not have targets.
Now, select the Tools folder and review the contents of the Folder Targets tab in the details pane. Notice there is a single path shown. This means that only one server hosts the folder target that corresponds to the Tools folder. If that server becomes unavailable, the shared folder is also unavailable.
To increase the availability of the Tools folder, you can add a second folder target.
To add a second folder target to the Tools folder
- In the console tree of the DFS Management snap-in, right-click the Tools folder, and then click Add Folder Target.
- Click Browse to open the Browse for Shared Folders dialog box.
- In Server, enter the name of another server that will host the Tools shared folder. Be sure to enter a different server from the one you specified in the previous procedure.
- Click New Shared Folder.
- In the Create Share dialog box, in the Share name box, type Tools, and then enter the local path where you want the shared folder to be created. If the folder does not exist, you are prompted to create it. Click OK to close all dialog boxes.
- You are prompted to choose whether to create a replication group for these folder targets. For now, click No. You will enable DFS Replication on this folder in a later task.
To create a folder named Training Guides in the namespace
- In the console tree of the DFS Management snap-in, right-click \\server_or_domain\Public, and then click New Folder.
- In Name, type Training Guides.
- Click Add to add a folder target.
- Click Browse to open the Browse for Shared Folders dialog box.
- In Server, enter the name of the server that will host the Training Guides shared folder.
- Click New Shared Folder.
- In the Create Share dialog box, in the Share name box, type Training Guides, and then enter the local path where you want the shared folder to be created. If the folder does not exist, you are prompted to create it. Click OK to close all dialog boxes.
When you finish these procedures, your namespace will look like the following figure.
Step 5 Rename and Move a Folder
You can use the DFS Management snap-in to rename folders or move folders to another location in the namespace. This is useful if you need to change a folder name or restructure the namespace.
In this task, you rename the Training Guides folder to Training Demos and move it to the Software folder. Currently, your namespace should look similar to the following figure.
To rename the Training Guides folder
- In the console tree of the DFS Management snap-in, right-click the Training Guides folder, and then click Rename Folder.
- In the Rename Folder dialog box, in New name, type Training Demos.
To move the Training Demos folder
- In the console tree of the DFS Management snap-in, click the Training Demos folder, and then drag it to the Software folder.
After you finish these procedures, your namespace should look like this:
Step 6 Replicate a Folder in the Namespace Using DFS Replication
In this task, you enable DFS Replication on the Tools folder. If you recall from "Task 4: Add Folders to the Namespace," you created two folder targets for the Tools folder. Because users can be directed to either one of the folder targets, you need to ensure that the contents of the folders are kept synchronized.
If you are familiar with File Replication Service (FRS) in Windows Server 2003, you know that FRS is only supported in domain-based namespaces. In Windows Server 2008, you can use DFS Replication in both stand-alone and domain-based namespaces. Therefore, you can complete this task regardless of the type of namespace you created in "Task 1: Create a Namespace."
- In the console tree of the DFS Management snap-in, right-click the Tools folder, and then click Replicate Folder.
- Follow the steps in the Replicate Folder Wizard
1-Replication Group and Replicated Folder Name:
Accept the defaults.
2-Replication Eligibility:
Accept the defaults.
3-Primary Member:
If the folder targets are empty, choose either member. If both folder targets contain content, choose the member that has the most up-to-date content.
4-Topology Selection:
Select Full mesh.
5-Replication Group Schedule and Bandwidth:
Select Replicate continuously using the specified bandwidth.
6-Review Settings and Create Replication Group:
Click Create to create the replication group.
7-Confirmation:
Click Close to close the wizard.
8-Replication Delay:
Click OK to close the dialog box that warns you about the delay in initial replication.
After you finish the previous procedure, navigate to the Replication node in the console tree. Notice that a new replication group has been created, as shown in the following figure.
If you are not familiar with DFS Replication terminology, a replication group is a set of servers, known as members, that participates in the replication of one or more replicated folders. A replicated folder is a folder that is kept synchronized on each member. When you enable DFS Replication on a folder with targets, the servers that host the folder targets become members of the replication group, and the folder targets are associated with the replicated folder. The name of the replication group matches the namespace path (Contoso.com\Public\Software\Tools), and the name of the replicated folder matches the folder name (Tools).
From the Replication node, you can manage aspects of DFS Replication, such as the schedule and bandwidth usage, file and subfolder filters, and the topology (a framework of replication paths between members). On the Replicated Folders tab in the details pane, you can also view the namespace path that corresponds to the replicated folder, as shown in the following figure.
If you navigate back to the Tools folder in the Namespaces node, notice that the Replication tab in the details pane shows that the Tools folder is being replicated using DFS Replication.
If one of the folders targets contained data when you enabled DFS Replication, you can verify that replication has completed by clicking the Folder Targets tab, right-clicking the folder target that initially held no data, and then clicking Open in Explorer. After the initial replication delay, the files in this folder target should match the files in the target that initially held the data.
Another way to view the status of replication is to create a diagnostic report. You will do this in the following task.
Step 7 Create a Diagnostic Report
Step 7 Create a Diagnostic Report
- In the console tree of the DFS Management snap-in, under the Replication node, right-click the \\domain\Public\Software\Tools replication group, and then clickCreate Diagnostic Report.
- Follow the steps in the Diagnostic Report Wizard
1-Type of Diagnostic Report or Test:
Accept the defaults.
2-Path and Name:
Accept the defaults.
3-Members to Include:
Accept the defaults.
4-Options:
Ensure that Yes, count backlogged files in this report is selected, select the server that has the most up-to-date files from Reference Member, and then select the Count the replicated files and their sizes on each member check box.
5-Review Settings and Create Report:
Click Create to create the diagnostic report.
6-Confirmation:
The wizard closes automatically, and the diagnostic report appears.
Review the health report created for the Tools replication group. In particular, take a look at the following sections:
- Note the DFS Replication bandwidth savings. This savings will change over time as files are added and changed.
- Review any errors or warnings, if any, for the members. These are typically event log errors that appear in the member's respective DFS Replication event log.
- In the informational section for each member, review the replicated folder status (the status will be "Normal" after initial replication is complete) and other information. Notice that the primary member will show different statistics from the non-primary member; this is because data originated from the primary member and replicated to the non-primary member during initial replication.
The Diagnostic Report Wizard creates the health report by default. Note that you can set the wizard to perform the following operations as well:
- Run a propagation test.
- Create a propagation report.
A propagation test measures replication progress by creating a test file in a replicated folder. A propagation report provides information about the replication progress for the test file created during a propagation test.
To browse to the Tools and Training Demos folders and view their folder referrals
- Click Start, click Run, type \\server_or_domain\Public, and then click OK.Windows Explorer opens and your view of the namespace looks similar to the following figure:
- In Windows Explorer, click the Folders button to display the Public root in the folder tree.
- In the folder tree, right-click Public, and then click Properties to open the Properties dialog box.
- On the DFS tab, review the paths listed under Referral list. These are the root targets in the root referral that the client received when it accessed\\server_or_domain\Public. These should match the root targets you created earlier in this guide. The target marked Active is the target currently connected to your client computer.
- Click OK to close the dialog box.
To browse to the Tools and Training Demos folders and view their folder referrals
- In Windows Explorer, double-click the Software folder. You should see two folders, Tools and Training Demos.
- Double-click the Tools folder to open it.
- In the folder tree, right-click the Tools folder, and then click Properties.
- On the DFS tab, review the paths listed under Referral list. These are the folder targets in the folder referral that the client received when it accessed\\server_or_domain\Public\Software\Tools. These should match the folder targets you created earlier in this guide. The target marked Active is the target currently connected to your client computer, which should be a different target from the one you marked as Last among all targets when you set the target priority.
- Click OK to close the dialog box.
- Click the Training Demos folder in the folder tree to open it.
- Right-click the Training Demos folder in the folder tree, click Properties, and then click the DFS tab. Notice that only one folder target is listed in the referral list. Your client computer is currently connected to this folder target.
Subscribe to:
Posts (Atom)