CST8200 Windows Domain Administration PDF
Algonquin College
Denis Latremouille
Summary
These lecture notes cover Windows Server Domain Administration. The topics include File Sharing, NTFS Permissions, DFS Namespaces, DFS Replication, File Server Resource Manager, File Share Quotas, and File Screens. The document is intended for undergraduate computer science students.
Full Transcript
CST8200 – Windows Domain Administration
Professor: Denis Latremouille
Week 06

Agenda
◼ File Sharing
◼ NTFS Permissions
◼ DFS Namespaces
◼ DFS Replication
◼ File Server Resource Manager
◼ File Share Quotas
◼ File Screens

File Sharing
A network directory service stores information about a computer network and offers features for retrieving and managing that information.
It is generally considered to be an administrative tool, but users also make use of directory services to find resources.
Directory services provide a centralized management tool, but due to their complexity, they require careful planning prior to setup.

NTFS Permissions
NTFS permissions can be configured on folders and files:
◼ 6 permissions and 14 special permissions for folders
◼ 5 permissions and 13 special permissions for files

NTFS standard permissions
◼ Read
◼ Read & Execute
◼ List folder contents
◼ Write
◼ Modify
◼ Full control

NTFS Permissions (cont.)
NTFS Permission Inheritance
Explicit permission
◼ Granted directly to file or folder
Inherited
◼ Permissions that are granted to a parent (folder) and that flow into the child (subfolders and files)
Effective permissions
◼ Actual permissions
◼ Consist of explicit and inherited permissions

By default, initial permissions are set at the root of a volume, and new folders and files then inherit these settings unless configured otherwise.
Permission inheritance can be disabled in the Advanced Security Settings dialog box by clearing the “Include inheritable permissions from this object’s parent” option.

Securing Access to Files with Permissions (cont.)
Share permissions apply when using a network to access shared files, while NTFS permissions apply whether accessing network shares or local files.
If accessing a network share, the effective permissions will always be the most restrictive permissions between Share and NTFS permissions.

DFS Namespaces
DFS (Distributed File System) Namespaces is a role service in Windows Server that enables you to group shared folders located on different servers into one or more logically structured namespaces. This makes it possible to give users a virtual view of shared folders, where a single path leads to files located on multiple servers, as shown in the following figure:

Namespace server - A namespace server hosts a namespace. The namespace server can be a member server or a domain controller.

Namespace root - The namespace root is the starting point of the namespace. In the previous figure, the name of the root is Public, and the namespace path is \\Contoso\Public. This type of namespace is a domain-based namespace because it begins with a domain name (for example, Contoso) and its metadata is stored in Active Directory Domain Services (AD DS). Although a single namespace server is shown in the previous figure, a domain-based namespace can be hosted on multiple namespace servers to increase the availability of the namespace.

Folder - Folders without folder targets add structure and hierarchy to the namespace, and folders with folder targets provide users with actual content. When users browse a folder that has folder targets in the namespace, the client computer receives a referral that transparently redirects the client computer to one of the folder targets.

Folder targets - A folder target is the UNC path of a shared folder or another namespace that is associated with a folder in a namespace. The folder target is where data and content is stored.
In the previous figure, the folder named Tools has two folder targets, one in London and one in New York, and the folder named Training Guides has a single folder target in New York. A user who browses to \\Contoso\Public\Software\Tools is transparently redirected to the shared folder \\LDN-SVR-01\Tools or \\NYC-SVR-01\Tools, depending on which site the user is currently located in.

DFS Namespaces (cont.)
DFS namespaces have their own share permissions.
DFS namespace shares still respect the NTFS permissions on the target servers.
Both sets of permissions need to be set to ensure proper access control.
If additional namespace servers are used, ensure that the namespace share permissions are identical.
If the namespace share permissions are incongruent, the share permission is based on the namespace server share permission.

DFS Replication
Distributed File System Replication, or DFS Replication, is a role service in Windows Server that enables you to efficiently replicate folders across multiple servers and sites. You can replicate all types of folders, including folders referred to by a DFS namespace path.

DFS Replication is an efficient, multiple-master replication engine that you can use to keep folders synchronized between servers across limited-bandwidth network connections. The service replaces the File Replication Service (FRS) as the replication engine for DFS namespaces.

DFS Replication uses a compression algorithm known as remote differential compression, or RDC. RDC detects changes to the data in a file and enables DFS Replication to replicate only the changed file blocks instead of the entire file.

Active Directory Domain Services (AD DS) uses DFS Replication to replicate the sysvol folder in domains that use the Windows Server 2008 or later domain functional level.

To use DFS Replication, you create replication groups and add replicated folders to the groups.
Replicated folders are stored on servers in the group, which are referred to as members. DFS Replication establishes connections between the members of a group.

A replicated folder stays synchronized on each member in a group. In the figure, there are two replicated folders: Projects and Proposals. As the data changes in each replicated folder, the changes are replicated across connections between the members of the replication group. The connections between all members form the replication topology.

Creating multiple replicated folders in a single replication group simplifies the process of deploying replicated folders. The topology, schedule, and bandwidth throttling for the replication group are applied to each replicated folder. To deploy more replicated folders, you can run the Dfsradmin.exe tool or use a wizard to define the local path and permissions for the new replicated folder.

File Server Resource Manager
File Server Resource Manager (FSRM) is a role service in Windows Server that enables you to manage and classify data stored on file servers. You can use FSRM to automatically classify files, perform tasks based on these classifications, set quotas on folders, and create reports monitoring storage usage.

File Share Quotas
Quota management: Limit the space that is allowed for a volume or folder. These limits can be automatically applied to new folders that are created on a volume. You can also define quota templates that can be applied to new volumes or folders.

File Screens
File screening management: Control the types of files that the user can store on a file server. You can limit the extensions that can be stored on your shared files. For example, you can create a file screen that doesn't allow files with an MP3 extension to be stored in personal shared folders on a file server.
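
Added example (not part of the original lecture notes): the quota template and MP3 file screen described under File Share Quotas and File Screens, set up with the FSRM PowerShell cmdlets. The folder path, template name, file group name, 5 GB limit and 85 % threshold are assumptions chosen for illustration.

```powershell
# Added example. Requires the File Server Resource Manager role service
# (FS-Resource-Manager) and an elevated session on the file server.
$homeRoot = 'D:\Shares\Home'   # hypothetical parent of the personal shared folders

# Quota template: hard 5 GB limit, with a warning event logged at 85 % usage.
$warn = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Quota threshold reached on [Quota Path] by [Source Io Owner].'
$threshold = New-FsrmQuotaThreshold -Percentage 85 -Action $warn
New-FsrmQuotaTemplate -Name 'Home 5GB hard' -Size 5GB -Threshold $threshold

# Auto quota: the template is applied to every existing subfolder of $homeRoot
# and automatically to each new subfolder created there.
New-FsrmAutoQuota -Path $homeRoot -Template 'Home 5GB hard'

# File group that matches the extension from the notes, and an ACTIVE screen,
# which blocks matching files (a passive screen would only log them).
# File screens match on the file name pattern, not on file content.
New-FsrmFileGroup -Name 'MP3 audio' -IncludePattern @('*.mp3')
New-FsrmFileScreen -Path $homeRoot -IncludeGroup 'MP3 audio' -Active

# Confirm what is now enforced on the folder.
Get-FsrmAutoQuota  -Path $homeRoot | Format-List Path, Template
Get-FsrmFileScreen -Path $homeRoot | Format-List Path, Active, IncludeGroup
```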
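
Added example (not part of the original lecture notes): an audit for the rule in Securing Access to Files with Permissions that network access is governed by the most restrictive of the share and NTFS permissions. It reports shares where a broad principal is allowed to write at both layers and shows whether the NTFS entry is explicit or inherited; the list of broad principals is an assumption to adjust per domain.

```powershell
# Added example. Run elevated on the file server; uses the SmbShare module
# (Windows Server 2012 or later). Deny entries are not evaluated here.
$broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'  # assumed list
$writeBit = [System.Security.AccessControl.FileSystemRights]::WriteData

$findings = foreach ($share in Get-SmbShare -Special $false) {
    if (-not $share.Path) { continue }   # skip shares with no folder behind them

    # Share layer: evaluated only when the files are reached over the network.
    $shareWrite = Get-SmbShareAccess -Name $share.Name | Where-Object {
        $_.AccessControlType.ToString() -eq 'Allow' -and
        $_.AccessRight.ToString() -in 'Full', 'Change' -and
        $_.AccountName -in $broad
    }

    # NTFS layer: evaluated for both network and local access.
    # Write, Modify and Full control all include the WriteData bit.
    $ntfsWrite = (Get-Acl -LiteralPath $share.Path).Access | Where-Object {
        $_.AccessControlType.ToString() -eq 'Allow' -and
        ([int]($_.FileSystemRights -band $writeBit) -ne 0) -and
        $_.IdentityReference.Value -in $broad
    }

    # The effective network permission is the more restrictive layer, so broad
    # write access exists only when BOTH layers allow it.
    if ($shareWrite -and $ntfsWrite) {
        foreach ($ace in $ntfsWrite) {
            [pscustomobject]@{
                Share      = $share.Name
                Path       = $share.Path
                Principal  = $ace.IdentityReference.Value
                NtfsRights = $ace.FileSystemRights
                NtfsSource = if ($ace.IsInherited) { 'Inherited' } else { 'Explicit' }
                ShareGrant = ($shareWrite |
                    ForEach-Object { "$($_.AccountName):$($_.AccessRight)" }) -join '; '
            }
        }
    }
}
$findings | Format-Table -AutoSize
```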
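
Added example (not part of the original lecture notes): a check for the DFS Namespaces guidance that namespace share permissions must be identical on every namespace server. It uses the \\Contoso\Public namespace path from the notes and assumes the DFSN management tools are installed and that each namespace server is reachable over a CIM session.

```powershell
# Added example. Requires the DFSN PowerShell module (DFS Management tools) and
# rights to query shares on each namespace server.
$namespace = '\\Contoso\Public'   # namespace path used in the notes

$perServer = foreach ($target in Get-DfsnRootTarget -Path $namespace) {
    # A root target looks like \\SERVER\Share; split it into its two parts.
    $server, $share = $target.TargetPath.TrimStart('\').Split('\')[0, 1]

    # Read the share permissions from that namespace server and normalise them
    # into a sorted list so that entry order does not affect the comparison.
    $aces = Get-SmbShareAccess -CimSession $server -Name $share |
        ForEach-Object {
            '{0}|{1}|{2}' -f $_.AccountName, $_.AccessControlType, $_.AccessRight
        } | Sort-Object

    [pscustomobject]@{
        Server = $server
        Share  = $share
        Acl    = $aces -join '; '
    }
}

# Identical permissions on every namespace server produce exactly one group.
$variants = @($perServer | Group-Object -Property Acl)
if ($variants.Count -gt 1) {
    Write-Warning "Namespace share permissions differ between servers for $namespace"
    $perServer | Format-List Server, Share, Acl
}
else {
    Write-Output "Namespace share permissions are identical on all servers for $namespace"
}
```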