Chapter 4: Configuring File and Print Services

File and print sharing have been key features of Windows operating systems for nearly twenty years. I remember when Windows for Workgroups arrived, people were excited because it made installing and configuring small networks very simple, well, simple for the early 90s! Windows for Workgroups enabled file and printer sharing, at the time one of the most important features of information networks. When Windows NT 3.1 was released 18 months later, the Advanced Server version was a direct competitor to Novell’s network operating system. The marketing claims about which could share more files faster were amusing at the time. Although application servers, mail servers, and other kinds of servers can enable compelling capabilities, I believe that file and print sharing is still one of the most important services on any corporate LAN.

Server Message Block (SMB) was originally developed by IBM and has been the primary resource sharing protocol in every version of Windows since Windows for Workgroups. Microsoft has extended its capabilities considerably over the years, temporarily renaming it the Common Internet File System (CIFS) before submitting the technology to the Internet Engineering Task Force (IETF) in 1996. For the purposes of the exam it’s not necessary for you to understand all of the details of SMB and its components, but you should understand that Microsoft introduced SMB2 in Windows Vista. When computers running Windows Vista or Windows Server 2008 access network shares they will use SMB2, but they will fall back to its predecessor when communicating with computers running older versions of Windows. SMB2 is significantly faster, consumes less network bandwidth, and is a clean break from SMB, so Microsoft will have fewer challenges maintaining backwards compatibility in future releases of Windows. Another interesting advantage for Microsoft is that the company clearly owns the intellectual property within the technology, something that was murky with SMB. In this chapter you will be taught to:

  • Configure a file server
  • Configure Distributed File System
  • Configure shadow copy services
  • Configure backup and restore
  • Manage disk quotas
  • Configure and monitor print services

Configure a File Server

Windows Server 2008 provides several ways to manage file sharing using the graphical interface. First, you can right-click on a folder and select Share to access the Sharing tab of the properties dialog box for the folder and then click Advanced Sharing. Second, you can open Computer Management from the Administrative Tools folder and navigate to the Shared Folders container. Finally, you can open Share and Storage Management, which is also in the Administrative Tools folder. The exercises in this section will focus on the last method since it’s new in this version of Windows and presumably you are already somewhat familiar with the others. To create a new shared folder in Share and Storage Management do the following:

  1. Click Provision Share.
  2. Specify the path to the folder in the Location text box and click Next.
  3. Modify the NTFS permissions if desired, then click Next. NTFS permissions are discussed later in this section.
  4. Specify which protocols to use for the share. SMB is available by default. To select Network File Service (NFS) you need to install the Services for Network File Service, a role service available with the File Services role. NFS is not installed by default and it is not listed as a subject on the exam guide. NFS is a protocol usually supported by different versions of Linux and Unix.
  5. Provide a description for the share or click the Advanced button to adjust the advanced settings if desired, then click Next. Note that offline files are discussed later in this section.
  6. Configure the SMB permissions if desired and click Next. SMB permissions, also referred to as share permissions, are discussed later in this section.
  7. You will be presented with an opportunity to publish the share in the Distributed File System (DFS) namespace. Click Next. DFS is discussed later in this section.
  8. Review the settings and click Create. Click Close to complete the wizard.

Note: When you use Computer Management to create a share a different, simpler wizard is presented. When you create one using Windows Explorer no wizard is launched; you are merely presented with a simple dialog box. For the purposes of the exam you do not need to memorize each step of each method, but you do need to understand the features in the Provision a Shared Folder Wizard.

You can modify an existing shared folder by right-clicking on it and selecting Properties. Use the folder properties dialog to modify any of the settings that you configured with the wizard.

 Configuring Permissions

People learning to manage Windows-based servers are often confused by the fact that configuring permissions on shared objects is a two-step procedure. You must configure both share permissions and NTFS permissions; a user’s effective permissions are a combination of the two types. Share permissions only apply when a file or folder is being accessed over a network share. A user may have several different share permissions because they may belong to several groups that have distinct permissions. If that is the case then the user has the most liberal share permission of them all. The same holds true for NTFS permissions, also called file permissions. The exception is if the user also has a deny permission of some sort: deny permissions take precedence over all others. NTFS permissions affect any kind of access, whether it’s local or remote. Now that you have a basic understanding of share permissions and NTFS permissions, note that a user’s effective permissions are the most restrictive of these two. That is, if a user has write NTFS permissions and Read share permissions then the user will only be able to view, not change, files in the shared folder.
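The rules in the paragraph above can be worked through in code. This is an added example, not part of the original chapter: the coarse rights, the mapping of permission names to rights, and the group and user names are assumptions made for illustration, and it generalizes "most liberal" and "most restrictive" to set union and set intersection.

```python
from enum import Flag, auto


class Right(Flag):
    """Coarse rights used only for this illustration (an assumption)."""
    READ = auto()
    WRITE = auto()
    DELETE = auto()
    CHANGE_PERMISSIONS = auto()
    TAKE_OWNERSHIP = auto()


CHANGE_RIGHTS = Right.READ | Right.WRITE | Right.DELETE
FULL_RIGHTS = CHANGE_RIGHTS | Right.CHANGE_PERMISSIONS | Right.TAKE_OWNERSHIP

# Share permission names come from the chapter; the rights behind them are simplified.
SHARE_LEVELS = {"Read": Right.READ, "Change": CHANGE_RIGHTS, "Full Control": FULL_RIGHTS}
# Only three NTFS permissions are modelled here, again in simplified form.
NTFS_LEVELS = {"Read": Right.READ, "Modify": CHANGE_RIGHTS, "Full Control": FULL_RIGHTS}


def resolve(acl, principals, levels):
    """Combine the entries that apply to a user for ONE permission type.

    acl is a list of (principal, "allow" | "deny", permission name).
    Allows accumulate (most liberal wins); any deny then takes precedence.
    """
    wanted = {p.lower() for p in principals}
    allowed, denied = Right(0), Right(0)
    for principal, kind, level in acl:
        if principal.lower() not in wanted:
            continue
        if kind == "deny":
            denied |= levels[level]
        else:
            allowed |= levels[level]
    return allowed & ~denied


def effective_access(user, groups, share_acl, ntfs_acl, over_network=True):
    """NTFS permissions always apply; share permissions only over the network."""
    principals = {user, "Everyone", *groups}
    ntfs = resolve(ntfs_acl, principals, NTFS_LEVELS)
    if not over_network:
        return ntfs
    share = resolve(share_acl, principals, SHARE_LEVELS)
    return share & ntfs  # the most restrictive of the two


def names(rights):
    """Sorted right names, convenient for display and comparison."""
    return sorted(r.name for r in Right if r in rights)


# Constructed sample ACLs for a hypothetical Finance share.
SHARE_ACL = [("Everyone", "allow", "Read"), ("Sales", "allow", "Change")]
NTFS_ACL = [("Staff", "allow", "Modify"), ("Contractors", "deny", "Modify")]

if __name__ == "__main__":
    # bob: write-capable NTFS permission but only Read on the share.
    print("bob remote  :", names(effective_access("bob", ["Staff"], SHARE_ACL, NTFS_ACL)))
    print("bob local   :", names(effective_access("bob", ["Staff"], SHARE_ACL, NTFS_ACL, False)))
    # alice: Sales membership gives her the more liberal Change share permission.
    print("alice remote:", names(effective_access("alice", ["Staff", "Sales"], SHARE_ACL, NTFS_ACL)))
    # carol: the deny on Contractors overrides every allow she has.
    print("carol remote:", names(effective_access(
        "carol", ["Staff", "Sales", "Contractors"], SHARE_ACL, NTFS_ACL)))
```

The difference between bob's remote and local results is the reason both permission types must be reviewed: a restrictive share permission does nothing for someone logged on at the server itself.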

Another important characteristic of NTFS permissions is that they are inheritable. New files and folders inherit permissions from their parent folder. This means that permissions applied at the root of the system volume, typically drive C:, will be applied to every folder and file on that volume unless otherwise specified. You can block inheritance using the Advanced Security dialog box for a file or folder in Windows Explorer. You can either prevent inheritance from folders higher in the hierarchy or stop inheritance from cascading down to child folders and files.

To modify permissions of a shared folder in Share and Storage Management do the following:

  1. Right-click on the folder then select Properties.
  2. Select the Permissions tab and then click on Share Permissions as shown in figure 1.

Figure 1: Configuring Permissions of a Shared Folder.

  3. Click Share Permissions.
  4. You can select a group or user that already has permissions defined for the share and then modify their permissions as shown in figure 2. Select a group or user and click Remove to stop assigning share permissions to it.

Figure 2: Configuring Share Permissions.

  5. To define permissions for another group or user click Add. The standard dialog box for selecting users appears, as shown in figure 3.

Figure 3: Selecting a Domain Group.

  6. Click NTFS Permissions. A dialog box very similar to that shown in figure 2 appears; however, note that there are four additional types of permissions available and there is also an Advanced button.
  7. Click on Advanced to view the Advanced Security dialog box, as shown in figure 4.

Figure 4: Configuring Advanced NTFS Permissions.

  8. Select a permission entry from the list visible on the Permissions tab, and then click Edit. You can see that there are fourteen different permissions that are more precise than what is visible in the standard NTFS permissions dialog box. These are described in table 2 below.
  9. Click the Owner tab to configure the owner of the folder. Do not do it now, but to change the owner select an account from the list and click Apply. In Windows, the owner of an object can do anything with it. The ability for users who belong to the Administrators group to seize ownership can be very useful. For example, when an employee leaves the firm an administrator can take ownership of the user’s data and grant permission to their supervisor.

There are three different share permissions available, as table 1 illustrates.

| Permission | Description |
| --- | --- |
| Full Control | Users can do anything to the share, including take ownership, change permissions, and modify files and folders within the share. |
| Change | Users can read, write, rename, and delete files and folders. |
| Read | Users can read files and folders. |

NTFS permissions are comprised of a list of Access Control Entries (ACEs) that collectively are known as a Discretionary Access Control List (DACL). Although not precisely accurate the acronym ACL is commonly used. I say this because there is another type of ACL in Windows, the System Access-Control List (SACL) defines the auditing settings on an object. Auditing was discussed in Creating and Maintaining Active Directory Objects. Table 2 illustrates what Special NTFS permissions are available, these are the permissions visible in the Advanced Security dialog box referred to in step 7 above.

| Special Permission | Description |
| --- | --- |
| Traverse Folder/Execute File | Users can move through folders to access child folders and their contents. By default the Everyone group has the Bypass traverse checking user right; this permission only affects users who do not have the user right. |
| List Folder/Read Data | This only applies to folders; it allows users to view file and folder names. |
| Read Attributes | This only applies to files; it allows users to view file contents. |
| Read Extended Attributes | Allows users to view extended attributes of files and folders. Extended attributes are specified by applications and may differ between applications. |
| Create Files/Write Data | This only applies to folders; it allows users to create files within a folder. |
| Create Folders/Append Data | This only applies to folders; it allows users to create folders within a folder. |
| Write Attributes | Allows users to change attributes of a file or folder. |
| Write Extended Attributes | Allows users to change extended attributes of a file or folder. Extended attributes are specified by applications and may differ between applications. |
| Delete Subfolders and Files | Allows users to remove subfolders and files even if the user does not have delete permission on them. |
| Delete | Allows users to delete files and folders. |
| Read Permissions | Allows users to read permissions on files and folders. |
| Change Permissions | Allows users to alter permissions on files and folders. |
| Take Ownership | Allows users to seize ownership of files and folders. |
| Synchronize | This only affects multithreaded applications; it allows different threads to wait on the handle for the file or folder and to synchronize with another thread. |

The NTFS permissions described in step 6 above consist of one or more of the special NTFS permissions defined in table 2. Table 3 shows what special NTFS permissions are included in each NTFS permission.

| Special Permission | Full Control | Modify | Read & Execute | List Folder Contents (folders only) | Read | Write |
| --- | --- | --- | --- | --- | --- | --- |
| Traverse Folder/Execute File | ✓ | ✓ | ✓ | ✓ | | |
| List Folder/Read Data | ✓ | ✓ | ✓ | ✓ | ✓ | |
| Read Attributes | ✓ | ✓ | ✓ | ✓ | ✓ | |
| Read Extended Attributes | ✓ | ✓ | ✓ | ✓ | ✓ | |
| Create Files/Write Data | ✓ | ✓ | | | | |
| Create Folders/Append Data | ✓ | ✓ | | | | |
| Write Attributes | ✓ | ✓ | | | | |
| Write Extended Attributes | ✓ | ✓ | | | | |
| Delete Subfolders and Files | ✓ | | | | | |
| Delete | ✓ | ✓ | | | | |
| Read Permissions | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Change Permissions | ✓ | | | | | |
| Take Ownership | ✓ | | | | | |
| Synchronize | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |

 Configuring Offline Files

The Offline Files feature allows users to read and modify files stored on remote network shares even when the server hosting them is unavailable. When the file server supports this feature and users choose to use it, the client computer automatically downloads a local copy of the shared folder’s contents. Users can work with these files normally; when the file server is available changes are saved directly to the shared folder. When the user makes changes while the file server is unavailable they are stored locally, and when the server is available again the client computer automatically synchronizes the local copies with the network ones. If another user has altered the same file while the first was offline then the user will be prompted to specify which version to retain on the file server. To configure Offline Files using Share and Storage Management do the following:

  1. Right-click on the desired share and select Properties.
  2. Click Advanced.
  3. Select the Caching tab as shown in figure 5.

Figure 5: Configuring Caching for a Shared Folder

Configuring the Encrypting File System

The Encrypting File System (EFS) was introduced in Windows 2000. It’s a file and folder technology that requires NTFS. EFS was designed to protect an individual user’s data. Since its introduction Microsoft has published information on how to share EFS protected files between multiple users, but it’s not easy. Microsoft’s Rights Management Services (RMS) is a much more effective way to protect documents while allowing multiple users to edit or read them. Some administrators want to protect servers against physical attack using EFS; however, EFS is a lousy way to encrypt files in a shared folder that will be accessed by multiple users. BitLocker is a much better way to protect Windows computers against physical attack.

By now you may be thinking that EFS’ usefulness is limited, but actually it is quite valuable when used in a manner consistent with its capabilities. Use EFS to protect a user’s files on their local hard drive. Use EFS to protect a user’s files that are stored in a shared folder if only that user will be accessing the share, for example, if you use roaming profiles or store all users’ data in shared folders rather than on their local hard drives. The latter may require some additional configuration changes because the file server must impersonate the user in order to encrypt and decrypt the file on behalf of the user. This is because EFS performs these procedures locally, that is, if a user chooses to encrypt a file on a file share the file server must perform the encryption rather than the user’s client computer. These are the requirements for using EFS with files stored on a network share:

  • The user must have a valid EFS certificate. If none exists the client computer will try to request one from an enterprise certificate authority (CA). If no CA is available the client computer will generate a self-signed certificate.
  • The user must have a local profile on the file server, if none exists then a new one will be created.
  • The file server must impersonate the user, to do so it must:
    • Be a domain member in a domain that uses Kerberos authentication.
    • Be trusted for delegation, open Active Directory Users and Computers, right-click on the computer, select Properties, and click on the Delegation tab as shown in figure 6. Note that by default domain controllers are already trusted for delegation.
    • The user must be logged on with an account that allows delegation, right-click on the user, select Properties, and click the Account tab. Under Account Options, clear the The account is sensitive and cannot be delegated check box.

Figure 6: Enabling Delegation.

EFS versus BitLocker and RMS

I mentioned several encryption technologies in this section. In order to succeed on the exam I believe that you do not need to understand them in more detail, however when used correctly they can greatly increase the security of data stored on computers that you manage. I have spoken to a lot of people who were confused by all of the encryption solutions available from Microsoft, since data protection is so important I want to spend a moment discussing them.

First, you need to understand the difference between protecting data in transit and data at rest. The term data in transit refers to data that is being transmitted between computers; there are many ways to protect it, including IPsec, SSL, and 802.1X. The other phrase, data at rest, concerns data that is stored on some physical medium, typically hard drives, backup tapes, CDs, DVDs, and other digital storage devices. Many companies offer solutions to help protect data at rest; Microsoft has three, two of which are included in the operating system. This section discussed EFS, which is a great way for an individual user to protect their files. BitLocker is included with Windows Server 2008 and high-end editions of Windows Vista. It encrypts entire hard drives, so it’s ideal for protecting data on mobile computers and on servers that may be exposed to physical attack. You can learn more by visiting BitLocker Drive Encryption. The RMS client is included with Windows Vista and Windows Server 2008, however an additional client license is required to use it. RMS is designed to allow multiple users to collaborate while creating protected documents and to control what recipients of protected documents are able to do with them. RMS was discussed in Configuring Additional Active Directory Server Roles.

Microsoft published detailed guidance for protecting data at rest last year, Data Encryption Toolkit for Mobile PCs.

Troubleshooting Access Denied Errors

Users are likely to encounter access denied errors while browsing shared folders. It is important that you recognize which of the possible causes is responsible so that you can decide whether to reconfigure the file server to grant access or to leave things as they are. If IPsec policies prevent the user or the user’s computer from connecting to the file server then they will simply see a message explaining that the server cannot be accessed. This is because the IPsec policies will cause the file server to ignore the traffic. This can be confusing though, because the same message will appear if they mistype the address or name of the server, mistype the name of the shared folder, or if the share permissions do not include the user’s account. If the user looks at the details of the error they will see that the cause of the error was access denied for the last case but for the others it may not be specified.

A user will see an access denied message when she tries to open an EFS-protected file for which she does not have the decryption key. The same message will appear if she does not have NTFS permissions that grant her access to the file. This can be confusing, one way to distinguish between them is to enable failure auditing on the shared resources, have the user attempt to access them again, and to then examine the Security Event Log. Remember that enabling auditing of files requires configuring auditing on the desired files and folders using Windows Explorer and enabling failure auditing in the Audit object access Audit Policy in Group Policy. If the NTFS permissions are the cause then an audit failure event with event ID 4656 will appear in the Security event log, as shown in figure 7. If EFS is the cause then no audit failure event will occur.

Figure 7: A Failed File Access Audit Event Entry

To connect to any shared resources on a server the user requires the Access this computer from the network user right. If they don’t have this right and failure auditing is enabled then one or more audit failure events will appear in the Security Event Log with event ID 4625, as shown in figure 8. This is a logon failure event, as opposed to 4656 which is a file system event. The event details will include the name of the user who was denied access to the server.

One more note about enabling object access auditing: be cautious because doing so will impact performance. What objects are audited, and whether failure or success auditing is enabled, and how busy the server is will determine how noticeable this impact is. I was curious when I first read about this limitation 10 years ago, I enabled success auditing on the entire system volume to see what would happen. Within a few seconds the computer became unusable, I had to reinstall the operating system in order to recover. No, it was not a production system!

Figure 8: A Failed Logon Audit Event Entry
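The triage described in this section, written out as detection logic. This is an added example, not part of the original chapter: the CSV export layout, the account names and the file paths are constructed for illustration, and it assumes failure auditing is already enabled on the files involved.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample: Security log entries exported as CSV. The column layout is
# an assumption for this sketch, not a format produced by a specific tool.
SAMPLE_EXPORT = """time,event_id,keywords,account,object
2009-03-02T10:15:04,4656,Audit Failure,CONTOSO\\alice,C:\\Shares\\Finance\\budget.xlsx
2009-03-02T10:17:40,4625,Audit Failure,CONTOSO\\dave,
2009-03-02T10:19:02,4656,Audit Success,CONTOSO\\frank,C:\\Shares\\Finance\\plan.docx
"""

LOGON_FAILURE = 4625   # logon failure event, as described in the text
HANDLE_FAILURE = 4656  # file system event, as described in the text


def load_events(text):
    """Parse the constructed export into a list of dictionaries."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "time": datetime.fromisoformat(row["time"]),
            "event_id": int(row["event_id"]),
            "failure": row["keywords"].strip().lower() == "audit failure",
            "account": row["account"].strip(),
            "object": (row["object"] or "").strip(),
        })
    return events


def triage(events, account, path, when, window=timedelta(minutes=5)):
    """Classify one reported access denied error.

    Returns "logon-right", "ntfs-permissions" or "efs-suspected".
    Only audit failures for this account close to the reported time count.
    """
    recent = [
        e for e in events
        if e["failure"]
        and e["account"].lower() == account.lower()
        and abs(e["time"] - when) <= window
    ]
    # A logon failure happens before any file is touched, so check it first.
    # 4625 is logged for every kind of failed logon, so confirm the user right
    # (Access this computer from the network) before changing anything.
    if any(e["event_id"] == LOGON_FAILURE for e in recent):
        return "logon-right"
    # A failed handle request on the same object points at NTFS permissions.
    if any(e["event_id"] == HANDLE_FAILURE and e["object"].lower() == path.lower()
           for e in recent):
        return "ntfs-permissions"
    # No audit failure at all: per the text, EFS is the remaining cause.
    return "efs-suspected"


if __name__ == "__main__":
    log = load_events(SAMPLE_EXPORT)
    reports = [
        ("CONTOSO\\alice", "C:\\Shares\\Finance\\budget.xlsx", datetime(2009, 3, 2, 10, 15, 30)),
        ("CONTOSO\\dave", "C:\\Shares\\Finance\\budget.xlsx", datetime(2009, 3, 2, 10, 18, 0)),
        ("CONTOSO\\erin", "C:\\Shares\\Finance\\plan.docx", datetime(2009, 3, 2, 10, 21, 0)),
    ]
    for account, path, when in reports:
        print(account, "->", triage(log, account, path, when))
```

The time window matters: an old failure for the same account must not be read as the cause of a new report, which is why events outside the window are ignored.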

 Configure Distributed File System

The Distributed File System (DFS) is a great way to provide users who are separated geographically dependable access to shared files. DFS provides replication and DFS namespaces. DFS namespaces are a virtual view of shared folders hosted on multiple servers. To the end user the namespace appears contiguous and the duplication of a folder across servers is transparent. Consider the following example: my company has offices in Boston, Austin, Buenos Aires, and Brussels. A project team includes users who work in all 4 offices who need to collaboratively create a new marketing presentation. DFS is installed on a server in each office, all of which share the same namespace. An administrator creates a new DFS-based share in that namespace for the project. For the users in each office the share appears to be local, file transfers are extremely fast, in the background DFS ensures that changes to files are synchronized across all four servers.

DFS is a role service available with the file server role. The installation wizard will prompt you to provide a new namespace, to choose whether to make it a domain-based or stand-alone namespace, and to add shared folders to the namespace. You can create additional namespaces and add more folders to each namespace after installation is complete. Install DFS on a server in your practice lab and open DFS Manager from the Administrative Tools folder. Install the DFS replication service on a second server but choose the option to create a namespace later.

After installing DFS and creating the initial namespace establishing a new, replicated shared folder involves several sets of procedures: adding the second namespace server, configuring the shared folder in the namespace, and configuring replication of the folder across the desired file servers. To add the second namespace server right-click on the namespace, select Add Namespace Server, and specify the name of the server.

Optionally, you can delegate permissions to manage the namespace but for practice purposes let’s move directly to adding a new folder. To do so using DFS Management do the following:

  1. Right-click on the namespace and select New Folder.
  2. Click New Shared Folder. Specify a share name, the local path, and the folder permissions, as shown in figure 10. Click browse if you need to create a new folder for the share.
  3. Click OK four times to close all of the dialog boxes.

Figure 9: Creating a New Share.

To replicate the folder to other file servers you need to create a replication group that includes the desired servers. To do so using DFS management perform the following:

  1. Expand the Replication node and right-click on the initial replication group that you created when installing DFS on the first file server, select New Member. If you did not create a replication group you can create one now by right-clicking the Replication node and selecting New Replication Group.
  2. Enter the name of the server to add and click Next.
  3. Select the first file server from the Available members list, click Add, click Next.
  4. Adjust the replication schedule if desired, click Next.
  5. Click Edit, click Enabled, then click Browse and navigate to the local folder on the second server that will replicate with the first.
  6. Click OK and then click Next.
  7. Click Create and then click Close to complete the wizard.

Now you need to add the folder to the replication group. You can do this by right-clicking on the folder in the navigation pane and selecting Replicate folder. You can also create an entirely new folder for the replication group by right-clicking on the replication group and selecting New Replicated Folders. The path to the DFS share is similar to a UNC path: \\domainname\namespacename\sharename, as shown in figure 10.

Figure 10: Accessing a DFS Share.

Tip: The exam appears to cover DFS superficially, however there is a great deal more to deploying and managing this powerful technology in a production environment. Before doing so be sure to visit the related website noted in the References section at the end of this chapter.

 Configure Shadow Copy Services

The Volume Shadow Copy Service (VSS) enables Windows to periodically create images of storage volumes. VSS copies can be used by other applications such as backup utilities, allowing them to back up even files that are normally locked and inaccessible. Windows Server 2008 and Windows Vista also expose VSS through Windows Explorer by allowing users to restore previous versions of their data files. To restore an older version of a file right-click on it in Windows Explorer and select Restore previous versions. Select the version to recover and click OK. Users accessing network shares hosted by computers running Windows Server 2008 can use this feature too.

To configure VSS for a volume right-click on the volume root and select Configure Shadow Copies. Click Settings to configure the volume where the shadow copies will be stored, as shown in figure 11. If possible you should configure the storage location for the shadow copies of one volume on an entirely different one to minimize the impact that VSS has on the server.

Figure 11: Configuring VSS Settings

You can also customize how frequently copies will be made by clicking Schedule. Click OK to return to the original dialog box and click Enable to enable shadow copies for the volume.

 Configure Backup and Restore

Shadow copies are great, but they do not eliminate the need to regularly back up your storage volumes. When the storage location for the shadow copies fills, VSS will start overwriting older copies of files. When that happens the only way to restore old files will be from backup. The first section of Maintaining the Active Directory Environment covered installing Windows Server Backup, backing up the Active Directory database, and restoring the database. There is not much more to say about the topic; reread that section before taking exam 70-642. For this exam backing up and restoring only involves the file system and registry, so you do not need to worry about the special steps needed to restore the Active Directory database such as booting into Directory Service Recovery Mode (DSRM).

Remember that you can schedule backups or perform a backup immediately. Be sure to reacquaint yourself with the backup and restore wizards as well as the command line tool, wb. You can back up the entire server or select a custom backup to specify specific storage volumes. You can store the backup locally or on a remote shared folder but you cannot back up to tape using Windows Server Backup. One feature which may arise in this exam that was not covered in chapter 18 is the ability to manage backups remotely. You need to install Windows Server Backup on both the server to be backed up and the server to use for managing the backup job. After doing that open Windows Server Backup on the management server, click Connect to Another Computer in the Actions pane and specify the name of the remote server. You manage backup jobs on the remote server in the same manner as managing local ones.

 Manage Disk Quotas

There are two kinds of quotas for limiting how much data users can store on a computer running Windows Server 2008. NTFS quotas have been available for a long time; new to Windows Server 2008 are File Server Resource Manager (FSRM) quotas. It’s very important that you understand the differences between these two features. When you sit for the exam carefully study any questions about quotas to make sure you know which type of quota is being discussed. FSRM is an optional role service available with the File Server role, but you can configure disk quotas whether or not FSRM is installed.

Configuring NTFS Quotas

To enable NTFS quotas for a storage volume right-click on the volume in Windows Explorer, select Properties, and then click on the Quota tab. First you must enable NTFS quotas, then you can configure them, as shown in figure 12. You can configure the maximum amount of storage users are allowed and the level at which an event will be logged when the user is approaching their limit.

Figure 12: Configuring NTFS Quotas.

You can configure unique quotas for each user by clicking Quota Entries and defining a quota one user at a time. This is pretty tedious though; FSRM is much more flexible and easier to manage. While NTFS quotas can only be set per volume, FSRM quotas can be set per volume or per folder. NTFS quotas can generate event log entries while FSRM quotas can generate email messages, custom reports, and event log entries, and can execute scripts. FSRM makes it much easier to configure unique quotas for groups of users. I recommend that organizations that are already using NTFS quotas shift to FSRM quotas. I think it would be a bad idea to try to use both simultaneously even though it is possible to do so.

Using File Server Resource Manager

Install FSRM from Server Manager on a domain controller in your test lab before proceeding. FSRM enables you to configure storage quotas for users and to restrict what kinds of files they can save to a file share. Open File Server Resource Manager from the Administrative Tools folder. Expand Quota Management in the navigation pane then click on Quota Templates to view the pre-defined templates for controlling how much storage space users can consume on a storage volume. To create a new quota do the following:

  1. Right-click on Quotas in the navigation pane and select Create Quota.
  2. Specify a path for quota enforcement.
  3. Select 200 MB Limit Reports to User from the Derive properties from this quota template drop-down list.
  4. Click Create.

With this quota template in place users will be able to store up to 200 megabytes (MB) of data in the specified folder. You can apply quotas at the volume or folder level. You can also create Auto Apply Quotas, when you do this all subdirectories created below the directory where the Auto Apply Quota was assigned will automatically have a quota enforced based on the template used for the Auto Apply Quota.

To create a new quota template right-click on Quota Templates in the navigation pane and select New Quota Template. You can enter a name and description for the template and specify whether it’s a hard or soft quota. A hard quota means that the user will not be able to store additional data once they’ve reached the limit whereas a soft quota can be exceeded, soft quotas are useful for monitoring disk usage. Click the Add button to define what will occur when a user exceeds the specified percentage of their quota. As shown in figure 13, you can send email messages to the user and administrators, generate an event log entry, execute a command or script, or generate a report that is mailed to the user and administrators. You can configure multiple notification thresholds for the template.

Figure 13: Defining a Notification Threshold.

Note: After you install FSRM two new pages will appear in the Provision a Shared Folder Wizard, one for configuring quota policy and a second for configuring file screen policy.

Configuring file screens is similar to configuring quotas, however instead of restricting how much data can be stored they restrict what kinds of files can be stored. For example, if you want to prevent users from storing MP3 files that may be protected by copyright you could enforce the Block Audio and Video Files file screen template. For practice you should create and apply several new file screen templates and quota templates.

Configure and Monitor Print services

Print services is a distinct server role; install it on one of the servers in your practice lab using the Add Roles Wizard in Server Manager. There are two optional role services that you do not need to install at this time: the LPD Service is designed to allow UNIX-based computers to use shared printers on the server, and Internet Printing creates a web site where users can use a web browser to submit and manage print jobs. You also need to ensure that a printer is installed on the server to conduct the exercises in this section. The Microsoft XPS Document Writer is probably installed already, but you cannot configure it for sharing. You can install a generic printer using Device Manager by right-clicking on the server node, selecting Add legacy Hardware, and manually configuring it. MS Publisher Color Printer is available in the Generic category of manufacturers, as shown in figure 14.

Figure 14: Installing a New Printer.

Open Print Manager in the Administrative Tools folder to configure printer shares. Expand all of the nodes in the navigation pane, as shown in figure 15. Use this tool to manage printers and print servers. You can configure shared printers, manage the print queue, publish the share in Active Directory, install additional drivers, and do nearly everything else involved with managing printers. You make it easier for users to locate the nearest printer by clearly describing its location and then publishing it in Active Directory. You make it simpler for users to connect and utilize the printer by ensuring drivers are available for every platform.

Figure 15: Managing Printers.

To share a printer right-click on it in the navigation pane and select Manage Sharing and do the following:

  1. Make sure that the Share the printer checkbox is enabled on the Sharing tab.
  2. To publish the printer in Active Directory enable the List in the directory checkbox.
  3. To make additional drivers available click Additional Drivers and enable the checkbox for the appropriate driver packages, then click OK. You may be prompted to specify a location for the drivers.
  4. To help users locate the physical location of the printer click the General tab and enter the information in the Location text box.

Just like file shares, you can configure permissions to limit which users are able to use the printer. This can be helpful when a printer that uses expensive supplies is on the network but should only be used by a specific group of users, for example, a plotter used by product engineers to print technical drawings in large format. It’s also possible to configure color management and the printer’s default settings by clicking the appropriate tabs of the printer’s properties dialog box. You can enable printer pooling on the Ports tab.

You can deploy printers to users or computers with group policy. To do so, right-click on the printer and select Deploy with Group Policy. This is useful in situations where all the users are going to access the same printer, such as a classroom. You can view additional information about the printers by selecting the Printers node in the navigation pane, clicking on More Actions in the actions pane and selecting Show Extended View. Right-click on the print server in the navigation pane to perform other actions such as exporting and importing printer settings to a file.

To monitor print queues, open Reliability and Performance Monitor and click on the Performance Monitor node in the navigation pane. Now click on the button with the green plus symbol in the details pane to add counters related to printers. Expand the Print Queue category, select _Total in the Instances of selected objects list as shown in figure 16, click Add, then click OK. All of the counters for print queues should now be displayed; they appear in the list at the bottom of the details pane. There should be counters for each printer as well as for _Total, which is the sum of the counters from all print queues. You may want to review the Monitor Active Directory section of Maintaining the Active Directory Environment for additional information on using Reliability and Performance Monitor.

Figure 16: Adding Print Queue Performance Counters

Summary

In this chapter you learned how to install and manage file servers and print servers in Windows Server 2008. You also learned about important features related to file and print services such as share and NTFS permissions, DFS, Windows Server Backup, and FSRM Quotas. You also read about using Reliability and Performance Monitor to monitor print servers. I tried to provide you with the information you need to succeed on the exam while offering additional real world advice to help you gain a deeper understanding of these technologies. I strongly encourage you to peruse the links listed in the Review section at the end of the chapter and to thoroughly explore the management interfaces for each feature you just learned about.

Chapter Review

This section presents a list of review questions designed to help reinforce the knowledge presented earlier in the chapter. To persuade you to explore the management tools more deeply a few questions may require you to examine those tools further rather than rereading the chapter.

Questions

  1. A user reports that he accidentally deleted critical financial data from a spreadsheet and then saved the file. He needs to recover the data as quickly as possible. What should you do?
    A. Tell the user to ask anyone else who regularly accesses the spreadsheet if they happen to have a copy.
    B. Tell the user to check the offline files local cache for a copy of the file.
    C. Advise the user to use the previous versions feature to recover the file.
    D. Restore the file from the most recent backup.
  2. Tony belongs to these Active Directory security groups: Domain Users, Ace Project, Vendors. What will Tony be able to do with files on the share if you have configured permissions on a shared folder as follows:
    • Share permissions.
      • Domain Users: Allow Read.
      • Ace Project: Allow Change and Allow Read.
      • Vendors: Deny Read.
    • NTFS permissions.
      • Domain Users: Allow Read and execute, Allow list folder contents, and Allow Read.
      • Ace Project: Allow Modify, Allow Read and execute, Allow list folder contents, Allow Read, and Allow Write.
      • Vendors: Allow Read.
    A. Tony will not be able to access anything on the share.
    B. Tony will be able to read and modify files on the share.
    C. Tony will be able to read files on the share.
    D. Tony will have full control of files on the share.
  3. Ariana belongs to these Active Directory security groups: Domain Users, Ace Project, Marketing. What will Ariana be able to do with files on the share if you have configured permissions on a shared folder as follows:
    • Share permissions.
      • Domain Users: Allow Read.
      • Ace Project: Allow Change and Allow Read.
      • Marketing: No permissions assigned.
    • NTFS permissions.
      • Domain Users: Allow Read and execute, Allow list folder contents, and Allow Read.
      • Ace Project: Allow Modify, Allow Read and execute, Allow list folder contents, Allow Read, and Allow Write.
      • Marketing: Allow Full Control.
    A. Ariana will not be able to access anything on the share.
    B. Ariana will be able to read and modify files on the share.
    C. Ariana will be able to read files on the share.
    D. Ariana will have full control of files on the share.
  4. You have installed the File Server role on a computer running Windows Server 2008. You have installed the Active Directory Certificate Services role on another computer running Windows Server 2008 and established an enterprise CA. A user is able to protect files stored locally with EFS but when he tries to use EFS with files stored in his home folder on the file server an access denied error message appears. All of the computer and user accounts are in the same domain. What should you do?
    A. Configure certificate templates to allow users to automatically retrieve EFS certificates, tell the user to log off and log back on.
    B. Verify that the CA is issuing certificates correctly.
    C. Configure the computer account so that it is trusted for delegation and verify that the user account is configured to allow delegation.
    D. Export the user’s EFS certificate on the client computer and add it to the computer certificate store on the file server.
    E. Lay your head on your keyboard and weep.
  5. You have installed the DFS role on a computer running Windows Server 2008 that is joined to an Active Directory domain. You configured a namespace and published several shared folders to it. You want to enable a degree of fault tolerance by replicating the shared folders to another server. You install the DFS role on a second computer running Windows Server 2008 that is also joined to an Active Directory domain. What is the next thing you should do?
    A. Uninstall the DFS server role on the second server, reboot, then reinstall the role but be certain to specify that you are joining the server to an existing namespace when using the Add Roles Wizard.
    B. Add the second server to the namespace using DFS Management.
    C. Configure a namespace on the second server with the same name and settings as what you did on the first server.
    D. Do nothing, the two DFS servers will identify one another through Active Directory and automatically configure themselves to replicate the shared folders.
  6. You have enabled VSS on a busy file server; however, after doing so users complain that the server is noticeably slower. You quickly check how the server is performing using Reliability and Performance Monitor and verify that the server’s CPU is not saturated and that there is still plenty of RAM available; however, the logical disk and physical disk counters suggest that the hard drive is overwhelmed. What should you do?
    A. Install another hard drive and configure it for disk mirroring.
    B. Install 2 more hard drives and configure a RAID 5 array.
    C. Reduce the size of storage allocated for VSS.
    D. Install another hard drive, configure it as a separate storage volume, and configure VSS to use the new volume for storage.
  7. You manage a computer running Server Core of Windows Server 2008 and install Windows Server Backup. You want a new systems administrator to configure and manage daily backups on the server but he is not comfortable using a command prompt. What should you do?
    A. Install Windows Server Backup on another computer running the full version of Windows Server 2008 and show your colleague how to manage backups remotely using Windows Server Backup.
    B. Write scripts to perform the backup jobs, show your colleague how to log into the server and launch each script.
    C. Use group policy to configure the backup jobs.
    D. Configure scheduled tasks on the server using the at command to perform the backups.
  8. You have been using soft quotas for several months and sending notifications to users via email to let them know when they have reached or exceeded the quota. Users complain that they are having trouble figuring out what files to remove from their home folder. What would be the best way for you to help them?
    A. Show the users how to use the search feature in Windows Vista to identify large files so they can remove them.
    B. Explain to the users that they need to carefully examine every file in every folder to determine which ones are no longer needed.
    C. Write a script to search the entire storage volume for files that have not been accessed in the past 12 months, send the list of these outdated files to the users.
    D. Configure a notification threshold that emails a report to each user who exceeds their threshold, make sure the report includes information that would be useful in this situation such as duplicate files and least recently accessed files.
  9. You have installed the Print Services role on a computer that was upgraded from Windows 2003 to Windows Server 2008 recently. The computer has several shared printers that current users can utilize; however, some users who have recently received new desktop computers with 64-bit multicore CPUs report that they can see the printers but are unable to use them. What is the best way to resolve this issue?
    A. Verify that the users are all using the 32-bit version of Windows Vista; if any are using a 64-bit edition, reimage their machines with a 32-bit build.
    B. Install 64-bit drivers for each printer on each user’s computer.
    C. Add 64-bit drivers on the print server using the Add Driver Wizard.
    D. Add the users’ accounts to the local Administrators group.
  10. Your organization has recently moved several hundred employees into a new office building on the corporate campus. Several shared printers are installed on each floor of the building, yet many users complain that it’s difficult to figure out which printer is the one closest to their desk. What would be the best way to help the users?
    A. Create floor plans for each floor of the building that clearly illustrate the location and name of every printer. Provide each employee with a copy of the plan for their floor.
    B. Print a few dozen cards for each printer that includes the name and location of the printer, give copies of the card for each printer to the users sitting closest to it.
    C. Publish a list of all of the printers and their locations on an internal website so that users can quickly find a nearby one.
    D. Make sure that the properties for each printer include clear information on where each printer is located and publish each printer in Active Directory.

Answers

  1. C is correct. There should be at least one previous version of the file created by VSS; if there isn’t, you could then resort to restoring the file from a recent backup.
  2. A is correct, the share permission denying read access to the Vendors group trumps everything else. Deny permissions always supersede any other permission.
  3. B is correct. The effective NTFS permissions are the most liberal of all assigned, in this case Full Control, and the effective share permissions are the most liberal of all assigned, in this case Allow Change and Allow Read. However, the permissions Ariana will actually have when accessing files on the share are the lowest level between the effective NTFS and share permissions. As confusing as this question may have been, you also have to remember how inheritance of NTFS permissions works.
  4. C is correct. By default new user accounts are configured to allow delegation however new computer accounts are not, except for domain controllers.
  5. B is correct. After adding it to the namespace you need to configure the folders for replication and create a replication group that includes both servers.
  6. D is correct. Whenever feasible you should use a separate physical hard drive for VSS storage.
  7. A is correct. Managing the backups remotely would be the simplest solution.
  8. D is correct. It’s a quick and easy way to help the users make appropriate decisions.
  9. C is correct. It’s the simplest way to ensure all of the users have access to the 64-bit drivers. Granting users administrative privileges is almost always the wrong way to resolve issues.
  10. D is correct. The other methods may work but each is unnecessarily complex. When the printers are published in Active Directory users can sort and search by building number, floor, or whatever other information you include in the location field.
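
The reasoning behind answers 2 and 3, worked through as an added example that is not part of the original chapter: a simplified Python model of the three rules (most liberal Allow within a layer, Deny overrides Allow, most restrictive result across the share and NTFS layers). The function names and the rights attached to each permission name are assumptions made for illustration, not Windows access masks.

```python
# Simplified model of the chapter's rules; real Windows evaluates ACE access masks.
# The rights attached to each permission name are assumptions for illustration.
FULL = {"read", "execute", "write", "delete", "admin"}
RIGHTS = {
    "share": {"Read": {"read", "execute"},
              "Change": FULL - {"admin"},
              "Full Control": FULL},
    "ntfs": {"Read": {"read"},
             "Read and execute": {"read", "execute"},
             "List folder contents": {"read", "execute"},
             "Write": {"write"},
             "Modify": FULL - {"admin"},
             "Full Control": FULL},
}
# Outcomes from most to least privileged, with the rights each one requires.
LEVELS = [("Full Control", FULL),
          ("Read and modify", {"read", "write", "delete"}),
          ("Read", {"read"})]


def layer_rights(layer, acl, groups):
    """Within one layer: union the allows for the user's groups, then remove every deny."""
    allowed, denied = set(), set()
    for group, kind, perms in acl:
        if group in groups:
            target = allowed if kind == "allow" else denied
            for perm in perms:
                target.update(RIGHTS[layer][perm])
    return allowed - denied


def effective_access(groups, share_acl, ntfs_acl):
    """Across layers: a right must survive both; report the highest level fully granted."""
    rights = layer_rights("share", share_acl, groups) & layer_rights("ntfs", ntfs_acl, groups)
    for name, needed in LEVELS:
        if needed <= rights:
            return name
    return "No access"


# ACLs constructed from review questions 2 (Tony) and 3 (Ariana).
SHARE = [("Domain Users", "allow", ["Read"]),
         ("Ace Project", "allow", ["Change", "Read"])]
NTFS = [("Domain Users", "allow", ["Read and execute", "List folder contents", "Read"]),
        ("Ace Project", "allow", ["Modify", "Read and execute", "List folder contents",
                                  "Read", "Write"])]
TONY = effective_access({"Domain Users", "Ace Project", "Vendors"},
                        SHARE + [("Vendors", "deny", ["Read"])],
                        NTFS + [("Vendors", "allow", ["Read"])])
# Marketing has no share permissions assigned, so it adds nothing at the share layer.
ARIANA = effective_access({"Domain Users", "Ace Project", "Marketing"},
                          SHARE,
                          NTFS + [("Marketing", "allow", ["Full Control"])])
print("Tony:", TONY, "| Ariana:", ARIANA)
```

In this model a single Deny Read on the share layer locks Tony out even though he holds Modify through another group, while Ariana's NTFS Full Control is capped by the share's Change permission.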

References

Using Encrypting File System.

Protecting Data by Using EFS to Encrypt Hard Drives.

Step-by-Step Guide for Distributed File Systems in Windows Server 2008.

Volume Shadow Copy Service.

Step-by-Step Guide for Windows Server Backup in Windows Server 2008.

Step-by-Step Guide for File Server Resource Manager in Windows Server 2008.

Print Management Step-by-Step Guide.