Friday, May 9, 2014

SHARE IN STORAGE MANAGEMENT ROLE IN WINDOWS 2008

What is User Account?
An AD Object that allows users to access network resources.

What is computer account?
An AD object that allows AD to have a security relationship with a computer, and allows you to control what that computer does on the network.

What is OU?
An Organizational Unit is an object in AD that provides a place for user accounts, computer accounts, and groups to live. It also provides control over what those computers and users can and can't do.

What are groups?
An AD object that allows or denies access to network resources (like folders and printers) for users and computers.

What is Distinguished Name?

The name of an object as it appears in the AD database.

What are SHARE LEVEL PERMISSIONS?
Share level permissions only work at the folder level. All files in the folder inherit the permissions from the folder.
For example, if I give Full Control to all members of SalesUsers and SalesManagers, then only they can access that shared folder.

What are SECURITY LEVEL(NTFS) Permissions?
We can use NTFS permissions on individual files and folders inside the shared folder. When you create files and folders inside a parent folder, those new files and folders initially inherit the permissions from the parent folder.

What are Mapped Drives?

Most Shared drives or Mapped Drives are just folders that we assign a Drive letter to so they are easier to find.



Adding the File Services role and management tools

A base Windows Server 2008 installation does not include file serving capabilities. This is a good thing. With Windows Server 2008, Microsoft has significantly enhanced the role-based capabilities in Windows Server, which helps to secure the operating system from attack. To add the File Services role:
  1. Start the Server Manager. Start | Server Manager.
  2. In the navigation pane, choose Roles.
  3. Roles information will show in the work pane, as shown in Figure A below. Choose Add Roles.

Figure A


The Windows Server 2008 role management screen.
  4. On the Select Server Roles dialog box, choose File Services and click the Next button. This screen is shown in Figure B.

Figure B

Choose the File Services role.
  5. When you get to the Select Role Services dialog box, decide which services are necessary and click the Next button. At a minimum, choose the File Server Resource Manager option in addition to the required File Server service. In Figure C, note that the Windows Search Service is also selected.

Figure C

  6. When requested, decide which volumes (if any) should be monitored for use. Use the Options button to make changes to the reports that will be installed and to change the threshold at which alerts will begin. You can see this in Figure D.

Figure D

Choose your usage monitoring options.
  7. On the Set Report Options screen, choose the location at which storage reports will be saved. The default location is C:\StorageReports. Optionally, if e-mailed usage reports are desired, provide the information requested.
  8. If the Windows Search Service is selected, as it has been in this example, select the volumes that should be indexed. The Search service makes finding files much easier.
  9. On the confirmation window, click the Install button to install the File Services role with the specified options. Installation is generally pretty quick and should take only a couple of minutes.
When all is done, the File Services role is installed and, along with it, the File Server Resource Manager and the Share and Storage Management tools. The File Server Resource Manager helps administrators manage quotas and other high level functionality. The Share and Storage Management tool replaces the File Server Management tool that was present in Windows Server 2003 and is the focus of this article.

Share and Storage Management Console capabilities

With Windows Server 2008, Microsoft has revamped the File Services role and created the Share and Storage Management Console to help administrators better manage storage volumes and shared folders and volumes. Here's a short list of the major administrative tasks that can be accomplished with the Share and Storage Management Console:
  • Add or remove disks and volumes to and from the server.
  • Enable or disable shared access to server resources, including files, folders and volumes.
  • Secure access to shared resources based on a variety of factors.
  • View the users currently accessing a resource and, if necessary, disconnect them.
All of these areas will be discussed and demonstrated in this article. To start the Share and Storage Management Console, go to Start | Administrative Tools | Share and Storage Management. Figure E shows you the console.

Figure E


The Share and Storage Management console.

Add storage to a file server

Storage needs are not decreasing. Even with more and more information making its way into more hierarchical storage systems, the need for the unstructured storage capabilities offered by the File Services role is growing all the time. As such, the time will likely come when even the most overbuilt file server will need to have more storage space added in order to support burgeoning needs. Adding storage to a server is generally pretty easy. If you're using a hardware RAID controller, follow the instructions for your controller. These instructions assume that your new storage is ready to use. For this example, I've added an external hard drive to my Windows Server 2008 computer. To add storage to a server:
  1. From the Share and Storage Management console, choose Provision Storage. This starts a wizard that walks you through the steps necessary to make a new hard disk active. If you have no new storage, you'll get a message indicating such.
  2. The first screen of the wizard, shown in Figure F, asks you to indicate the location at which the storage should be provisioned. If you've attached a local disk, choose the first option. If your storage resides on a Fibre Channel or iSCSI SAN, choose the On a storage subsystem option.

Figure F

The Provision Storage Wizard.
  3. On the Disk Drive portion of the wizard, choose the drive that should be added to your server.
  4. After selecting the disk to add, choose how much space should be allocated to your new volume. Remember, you can have multiple logical volumes per physical disk. You can see this in Figure G.

Figure G

How much space should be allocated to the new volume?
  5. Next, on the Volume Creation screen, decide how you want to mount this volume on your server. For this example, I have opted to mount this volume as drive J.
  6. The final decision to make before the volume is added is to decide if the volume should be formatted and, if so, how large the allocation unit size should be on the new volume.
Once you've made your selections, review your settings and click the Create button. The wizard will display the progress of the action and let you know when everything is done. When you're done, from the work pane, choose the Volumes tab. In Figure H, see that volume J, named External, has been added to my lab server.

Figure H

The new volume was successfully added.

Add a shared resource to the server and secure the resource

Earlier, you saw a list of the default shared resources on a Windows Server 2008 server that has the File Services role installed. You might wonder why these resources are shared by default. Your own default shares may differ somewhat depending on your configuration. The list below explains the purpose of each share:
  • Admin$: This share points to the location on the server to which Windows Server 2008 was installed, usually C:\Windows.
  • C$: Each drive on your server is shared through what is called an administrative share denoted by a $ after the drive name. On my server, I have both C$ and J$ shares, although you don't see J$ in Figure G since that screen was shot before I added my new drive.
  • IPC$: IPC stands for Inter-Process Communication. The IPC$ share assists in communication between processes and computers.
  • NETLOGON: Used for user authentication on domain controllers.
  • SYSVOL: Used to help distribute group policy information between domain controllers.
As is the case with adding storage, Microsoft has provided a wizard that helps administrators add shares to a Windows Server 2008-based file server. You can still add shares in the more traditional way by using Windows Explorer, but the process discussed here uses just the Share and Storage Management console. To add a share:
  1. From the Action pane, choose Provision Share to start the wizard.
  2. The first screen of the wizard asks you to specify the location that you would like to share. Use the Browse button to do so. For this example, I'm sharing the C:\StorageReports folder.
  3. Any time you open up access to a resource, you should limit who can access that resource to just those that require access. On the NTFS Permissions page of the wizard, you can opt to keep the default NTFS permissions or change permissions depending on your needs. In Figure I, note that I've shown both the NTFS Permissions page as well as the Edit Permissions dialog box to give you a look at how to change permissions. If you want to change permissions, in the Permissions for dialog box click the Add button, select the user that should be added to the permissions list and choose the appropriate permissions.

Figure I

How do you want to handle NTFS permissions?
  4. The next step of the wizard asks you to choose the protocol(s) allowed to access the share. If you've opted to install the NFS portion of the File Services role, the NFS option will be available. If not, just SMB (Server Message Block), the Windows default, is available. The Share name field is automatically populated with the name of the folder you selected.
  5. On the SMB Settings page, provide a description of the share that will show up when people browse the server. Lower on the page, note the Advanced settings area. If you want to change these settings, click the Advanced button. Figure J shows you the Advanced options page. On the Advanced page, note the Enable access-based enumeration checkbox. Access-based enumeration was introduced in an add-on in previous versions of Windows Server and brings to Windows the ability to limit a user's visibility to just the folders that the user has rights to see.

Figure J

SMB settings.
  6. Next up... SMB permissions. On the SMB Permissions page, decide how you want users to be able to access the resource over the network. Note that this set of permissions is separate from the NTFS permissions you worked with previously. The SMB permissions (also called share permissions) are combined with NTFS permissions and the most restrictive permissions will apply. I recommend that you simply set SMB permissions to "Administrators have Full Control; all other users and groups have only Read access and Write access" and use just NTFS permissions to limit access. With that setting the share layer grants read and write to everyone, so the NTFS ACL on the folder is the only control on who can read or modify files.
  7. I'm going to skip the next few screen shots, but will briefly describe their purpose. On the Quota Policy page, you can apply a quota template that you previously created with the File Server Resource Manager tool. By doing so, you can prevent users from eating up all of your available space. The File Screen Policy page, with templates also managed by the File Server Resource Manager tool, allows you to allow or disallow file storage based on the type of file saved. Finally, the DFS Namespace Publishing page provides a way to publish an SMB share into a DFS namespace. This feature is beyond the scope of this article.
  8. On the review page, review your selections and click the Create button. When you're done, choose the Shares tab in the main console. You should see your new share listed, as shown in Figure K.

Figure K

The StorageReports share has been created.
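
Because share (SMB) permissions and NTFS permissions are evaluated together, it helps to see both layers side by side for every share on the server. The script below is an added example, not part of the original article; it assumes PowerShell 2.0 or later run elevated on the file server, and the list of "broad" groups is an illustrative choice you should adapt.

```powershell
# Added example: list who can write at the share layer and at the NTFS layer
# for each ordinary disk share, using WMI classes present on Windows Server 2008.
$writeMask   = 0x2 -bor 0x40000000 -bor 0x10000000   # WriteData, GENERIC_WRITE, GENERIC_ALL
$broadGroups = 'Everyone', 'Users', 'Authenticated Users', 'Domain Users'   # assumption

# Index share-level security descriptors by share name.
$shareSec = @{}
Get-WmiObject -Class Win32_LogicalShareSecuritySetting |
    ForEach-Object { $shareSec[$_.Name] = $_ }

# Type 0 = ordinary disk shares; administrative shares (C$, ADMIN$, IPC$) have other types.
Get-WmiObject -Class Win32_Share -Filter 'Type = 0' | ForEach-Object {
    $share = $_
    if (-not (Test-Path -Path $share.Path)) { return }   # skip shares whose folder is gone

    # Trustees with an Allow entry that includes write access at the share (SMB) layer.
    $shareWriters = @()
    if ($shareSec.ContainsKey($share.Name)) {
        $dacl = $shareSec[$share.Name].GetSecurityDescriptor().Descriptor.DACL
        $shareWriters = @($dacl |
            Where-Object { $_.AceType -eq 0 -and ($_.AccessMask -band $writeMask) } |
            ForEach-Object { $_.Trustee.Name })
    }

    # Trustees with an Allow entry that includes write access at the NTFS layer.
    $ntfsWriters = @((Get-Acl -Path $share.Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ([int]$_.FileSystemRights -band $writeMask) } |
        ForEach-Object { ($_.IdentityReference.Value -split '\\')[-1] })

    # The most restrictive layer wins, so a broad group can only write
    # when BOTH layers grant write to a broad group.
    $shareBroad = @($shareWriters | Where-Object { $broadGroups -contains $_ })
    $ntfsBroad  = @($ntfsWriters  | Where-Object { $broadGroups -contains $_ })

    New-Object PSObject -Property @{
        Share        = $share.Name
        Path         = $share.Path
        ShareWriters = ($shareWriters | Sort-Object -Unique) -join ', '
        NtfsWriters  = ($ntfsWriters  | Sort-Object -Unique) -join ', '
        BroadWrite   = ($shareBroad.Count -gt 0 -and $ntfsBroad.Count -gt 0)
    }
} | Format-Table Share, Path, ShareWriters, NtfsWriters, BroadWrite -AutoSize
```

BroadWrite is a heuristic: it ignores Deny entries and nested group membership, so treat a True value as a prompt to review that folder's NTFS ACL rather than as a final verdict.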

View and manage user access to shared resources

Once you have your file server completely up and running and allow users to access the system, you need to be able to perform administrative tasks that keep the server in good working order. Specifically, you should be able to see who is accessing your server and get a list of exactly what is being accessed. If necessary, you should also be able to disconnect users. All of these tasks are easily accomplished using the Share and Storage Management console. On the main page of the console, take note of the Manage Sessions and Manage Open Files options. Manage Sessions gives you a place from which you can control a user's overall access to your shares. Manage Open Files gives you a way to see which sessions (user from a particular computer) have which files open. If a user has seven files open from his desktop computer, only a single session is required. If, however, the same user walks over to another computer and opens a server-based file, another session is created for that user. In Figure L, note that the user Administrator has two open sessions--one from the computer named Vista1 and another from the computer named Vista-VM1. If you want to close a session, choose the session and click Close Selected. To close all sessions, click Close All.

Figure L

Manage open sessions.
Finally, let's look at the Manage Open Files window. Take a look at Figure M. Note that the file named Sample Document.txt is open by the user named Administrator. You'll also note that there are a number of directories open. Each time you open a folder on your server, it's considered an open file.

Figure M

Manage files that are open on your file server.
To close an open file or folder, choose that file or folder and click Close Selected. To close all open files and folders, click Close All.

Summary

With Windows Server 2008, Microsoft has made a number of improvements to the venerable File Services role. Beyond enhanced management capability, Microsoft has also improved the underlying SMB transport mechanism to provide better performance with Vista.
