70-412: Configuring Advanced Windows Server 2012 services Chapter 2 Configure File and Storage Solutions


Objective 2.1: Configuring Advanced File Services


© 2013 John Wiley & Sons, Inc. 3

Network File System (NFS)

• Network File System (NFS) is a distributed file system protocol used to access files over a network, similar to accessing a file using a shared folder in Windows, which uses Server Message Block (SMB).

• It is used with UNIX and Linux file server clients and VMware.

• Therefore, to support these clients, Windows Server 2012 supports NFS.


Network File System (NFS)

• For the Windows Server 2012 NFS server to grant the UNIX user access to the requested file, it must associate the UID and GID with a Windows or Active Directory account and use that account to authenticate the client.

• NFS uses Active Directory lookup and User Name Mappings to obtain user and group information when accessing NFS shared files.
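The identity mapping described above is what turns a client-supplied UID/GID into a real account, so the secure way to publish an NFS share is to require Kerberos and refuse unmapped access. The following is an added example, not code from the course; the share name, path, domain and client host are placeholders:

```powershell
# Added example (not from the course slides): publish an NFS share that
# authenticates UNIX clients with Kerberos and resolves UID/GID pairs to
# Active Directory accounts, so that no unmapped (anonymous) access exists.
# Assumed values: share name, path, domain and client hostname are placeholders.

Install-WindowsFeature -Name FS-NFS-Service -IncludeManagementTools

# Resolve incoming UID/GID pairs against AD (uidNumber/gidNumber attributes)
# rather than a local passwd/group file or an unmapped identity.
Set-NfsMappingStore -EnableADLookup $true -ADDomainName "contoso.com"

# Kerberos-only authentication: krb5i adds integrity, krb5p adds privacy.
# AUTH_SYS ("sys") is deliberately omitted because it trusts the UID the
# client asserts without any proof of identity.
New-NfsShare -Name "Engineering" -Path "D:\Shares\Engineering" `
    -Authentication krb5i, krb5p `
    -EnableUnmappedAccess $false `
    -EnableAnonymousAccess $false `
    -Permission no-access          # default for hosts not granted below

# Grant one named client host read/write and keep root squashed
# (AllowRootAccess $false maps remote uid 0 to the anonymous account).
Grant-NfsSharePermission -Name "Engineering" `
    -ClientName "buildhost01.contoso.com" -ClientType host `
    -Permission readwrite -AllowRootAccess $false

# Verify the effective settings before handing the export to clients.
Get-NfsShare -Name "Engineering" |
    Format-List Name, Path, Authentication, EnableUnmappedAccess, EnableAnonymousAccess
Get-NfsSharePermission -Name "Engineering"
```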


Identity Management for UNIX

• Identity Management for UNIX enables you to:
  o Integrate Windows users into an existing UNIX or Linux environment
  o Manage user accounts and passwords on Windows and UNIX systems using Network Information Service (NIS)
  o Automatically synchronize passwords between Windows and UNIX operating systems.

• Install Identity Management for UNIX using the Deployment Image Servicing and Management command-line tool, Dism.exe.


BranchCache

• Branch offices typically have slow connectivity to the central office and limited infrastructure for security servers.

• When users access files over the slower WAN links, there might be a delay when opening files, and opening large files or many files at the same time can cause other programs to be slow or delayed.

• When using BranchCache, you are essentially creating a WAN accelerator where information is cached on branch computers or local servers.

• If the document is cached, it is accessed from the local branch office rather than going across a slower WAN link.


BranchCache Modes

• BranchCache can operate in one of two modes:
  o Hosted cache mode
  o Distributed cache mode

• Starting with Windows 8 and Windows Server 2012, Windows 8 clients can be configured through Group Policy as distributed cache mode clients by default.

• The clients search for a hosted cache server, and if one is found, they automatically configure themselves as hosted cache mode clients so that they can use the local server.


File Server Resource Manager (FSRM)

• File Server Resource Manager (FSRM) is a suite of tools that enables you to control and manage the quantity and type of data stored on a file server. You can:
  o Define how much data a person can store.
  o Define what type of files a user can store on a file server.
  o Generate reports about the file server being used.

• You can classify files based on defined properties and apply policies based on the classification.

• You can restrict access to files, encrypt files, and have files expire.


File Classification

• File classification allows you to configure automatic procedures for defining a desired property on a file, based on the conditions specified in classification rules.

• For example, if the content contains “sales figure,” you can automatically set the Confidentiality property to High.

• By using file classification, you can automate file and folder maintenance tasks, such as deleting old data or protecting sensitive information.
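The "sales figure" scenario from the slide, automated with the FSRM cmdlets; this is an added example rather than material from the course, and the property name, rule name and D:\Shares\Finance namespace are placeholders:

```powershell
# Added example (not from the course slides): files whose content contains
# "sales figure" get the Confidentiality property set to High.
# Assumed values: property/rule names and the D:\Shares\Finance namespace.

Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools

# 1. Define the property the rule will set (a single-choice list).
$values = @("Low", "Medium", "High") | ForEach-Object {
    New-FsrmClassificationPropertyValue -Name $_
}
New-FsrmClassificationPropertyDefinition -Name "Confidentiality" `
    -Type SingleChoice -PossibleValue $values `
    -Description "Sensitivity of the document content"

# 2. Content classifier rule: scan files under the namespace and, when the
#    string is found, stamp Confidentiality = High. ReevaluateProperty
#    Overwrite keeps the rule authoritative if someone lowers the value by hand.
New-FsrmClassificationRule -Name "Flag sales figures" `
    -Property "Confidentiality" -PropertyValue "High" `
    -ClassificationMechanism "Content Classifier" `
    -ContentString @("sales figure") `
    -Namespace @("D:\Shares\Finance") `
    -ReevaluateProperty Overwrite

# 3. Run classification now instead of waiting for the schedule, then check
#    the run status before attaching a file management task (expiry, RMS
#    protection) to the property.
Start-FsrmClassification -Confirm:$false
Get-FsrmClassification | Format-List Status, LastError, LastReportPath
```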


Authentication, Authorization, and Auditing

• Security can be divided into three areas:
  o Authentication: Used to prove the identity of a user.
  o Authorization: Gives access to the user who was authenticated.
  o Auditing: Gives you a record of the users who have logged in, what those users accessed or tried to access, and what action those users performed (e.g., rebooting, shutting down a computer, or accessing a file).

• When you want to audit files, you must first enable object access auditing. Then you must specify what files you want to audit.


Global Object Access Auditing

• Starting with Windows 7 and Windows Server 2008 R2, you can enable Global Object Access Auditing so that you can:
  o Configure object access auditing for every file and folder in a computer’s file system.
  o Centrally manage and configure Windows to monitor files without going to each computer to configure the auditing of each computer or folder.


Global Object Access Auditing

• To use global object access to audit files, you must enable two settings:
  o Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy\Audit Policies\Object Access\Audit File System
  o Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy\Audit Policy\Global Object Access Auditing\File System (see Figure 5-15).

• Additionally, you must configure the System Access Control List (SACL), where you define the principal that you want to monitor, the type of event (success, failure, or all), the permission that you want to monitor, and a condition.
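The two-step sequence from the slides (enable object access auditing, then define the SACL) in PowerShell, followed by a query for the resulting events. This is an added example, not course code; the Global Object Access Auditing SACL itself is only set through the policy path above, so the example applies an equivalent SACL directly to one folder, and the folder path and group name are placeholders:

```powershell
# Added example (not from the course slides): enable the File System
# object-access subcategory, put a SACL on the folder to watch, then read
# back the events. Run elevated; writing a SACL needs SeSecurityPrivilege.
# Assumed values: folder path and principal are placeholders.

$folder    = "D:\Shares\Finance"
$principal = "CONTOSO\Domain Users"

# Step 1: object access auditing for files (advanced audit policy). Without
# this subcategory no file events are logged, whether the SACL comes from
# Global Object Access Auditing or from the object itself.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable
auditpol.exe /get /subcategory:"File System"

# Step 2: the SACL entry: which principal, which permissions, which outcomes.
# Here: successful AND failed deletes or writes by any domain user, inherited
# by subfolders and files.
$rights = [System.Security.AccessControl.FileSystemRights]"Delete, Write"
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
    -ArgumentList @($principal, $rights, "ContainerInherit, ObjectInherit", "None", "Success, Failure")

$acl = Get-Acl -Path $folder -Audit      # -Audit loads the SACL, not only the DACL
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Step 3: what gets logged. 4663 = an attempt was made to access an object;
# 4656 = a handle was requested (this is where denied attempts appear).
# Property index 1 is SubjectUserName in both event types.
Get-WinEvent -FilterHashtable @{ LogName = "Security"; Id = 4656, 4663 } -MaxEvents 50 |
    Where-Object { $_.Message -like "*$folder*" } |
    Select-Object TimeCreated, Id, @{ n = "Who"; e = { $_.Properties[1].Value } }
```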


Objective 2.2: Implementing Dynamic Access Control


Dynamic Access Control (DAC)

• Dynamic Access Control (DAC), originally called claims-based access control, was introduced with Windows Server 2012 and is used for access management.

• It provides an automatic mechanism to secure and control access to resources.


Claims-Based Access Control

• Claims-based access control uses a trusted identity provider to provide authentication.

• The trusted identity provider issues a token to the user, which the user then presents to the application or service as proof of identity.

• Identity is based on a set of information. Each piece of information is referred to as a claim (e.g., who the user or computer claims to be) and is stored as a token, which is a digital key.

• The token is digital identification for the user or computer that is accessing a network resource.

• As users or computers need access to a resource, the user or computer presents the token to get access to the resource.


Security Token Service (STS)

• In Windows Server 2012, the identity provider is the Security Token Service (STS) and the claims are the Active Directory attributes assigned to a user or device (e.g., a computer).

• The claims, the user’s security identifier (SID), and group membership are stored inside the Kerberos ticket.

• The ticket is then used to access protected resources.

• Claims authorization relies on the Kerberos Key Distribution Center (KDC).


Attribute-Based Claims

• Attribute-based claims are:
  o The most common types of claims
  o Usually configured with Active Directory Administrative Center, specifically using the Dynamic Access Control node.

• All claims are stored in the configuration partition in AD DS, which is a forest-wide partition. As a result, all domains in the forest share the claim dictionary.


Configuring File Classification

• Classification management and file management tasks enable administrators to manage groups of files based on various file and folder attributes.

• After folders and files are classified, you can automate file and folder maintenance tasks (e.g., cleaning up stale data or protecting sensitive information).

• Although classification management can be done manually, you can automate this process with the File Server Resource Manager console.


Central Access Policy

• A Central Access Policy contains Central Access Rules that grant permissions to objects for a defined group of resources.

• By default the rules apply to all resources, but you can limit the resources to which the rule will apply.

• Once the rule is defined, you can choose to apply it live or you can choose to use a “staging” mode.
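The pieces from the claims and Central Access Policy slides wired together with the ActiveDirectory module: a user claim, a rule whose condition compares that claim with a resource property, and a policy carrying the rule, with the "staging" mode shown as a proposed ACL. This is an added example and not course material; all names are placeholders, and the claim ID is read back from AD because conditions reference claims by ID rather than display name:

```powershell
# Added example (not from the course slides). -CurrentAcl is enforced now;
# -ProposedAcl is the "staging" ACL, evaluated and audited but not enforced,
# so the effect of a claim-based rule can be checked before it goes live.
# Assumed values: all names are placeholders. The conditional-ACE form
# (XA;;rights;;;SID;(condition)) is standard SDDL.

Import-Module ActiveDirectory

# 1. User claim sourced from the "department" attribute of user objects.
New-ADClaimType -DisplayName "Department" -SourceAttribute "department" -Enabled $true
# Conditions reference a claim by its ID (ad://ext/...), not its display name.
$claimId = (Get-ADClaimType -Filter 'DisplayName -eq "Department"').ID

# 2. Resource property that files are tagged with (e.g. by FSRM classification).
#    Department_MS is one of the resource properties that ships with AD DS.
Set-ADResourceProperty -Identity "Department_MS" -Enabled $true
Add-ADResourcePropertyListMember -Identity "Global Resource Property List" -Members "Department_MS"

# 3. Rule scoped to resources tagged Department = Finance.
#    Current: owner/admins full control, authenticated users read (0x1200a9).
#    Proposed: authenticated users get modify (0x1301bf) only when their
#    Department claim equals the file's Department_MS property.
$current  = "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;0x1200a9;;;AU)"
$proposed = "O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)" +
            "(XA;;0x1301bf;;;AU;(@USER.$claimId == @RESOURCE.Department_MS))"
New-ADCentralAccessRule -Name "Finance Documents Rule" `
    -ResourceCondition '(@RESOURCE.Department_MS == "Finance")' `
    -CurrentAcl $current -ProposedAcl $proposed

# 4. Policy containing the rule; file servers receive it through Group Policy
#    (Computer Configuration > Security Settings > File System > Central Access Policy).
New-ADCentralAccessPolicy -Name "Finance Policy"
Add-ADCentralAccessPolicyMember -Identity "Finance Policy" -Members "Finance Documents Rule"

# Review what was created. With the "Audit Central Access Policy Staging"
# subcategory enabled, staging mismatches are logged as Security event 4818.
Get-ADCentralAccessRule -Identity "Finance Documents Rule" |
    Select-Object Name, ResourceCondition, CurrentAcl, ProposedAcl
```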


Expression-Based Audit Policies

• Windows Server 2012 has new advanced audit policies that implement more detailed and precise auditing on the file system, including the configuration of global-based audit policies and expression-based auditing.

• Expression-based audit policies let you specify what to audit based on defined properties or document attributes (e.g., a department or country).

• With Global Object Access Auditing you define computer-wide system access control lists (ACLs) for either the file system or registry instead of manually altering and maintaining System Access Control Lists (SACLs) on large sets of shared files or registry entries.

• In addition, the auditing is implicitly specified, which does not actually modify the files.


Access-Denied Remediation

• When users are denied access to a shared folder or file, Windows Server 2012 provides Access-Denied Assistance, which helps users determine why they cannot access the folder or file and directs users to resolve the issue without calling the help desk.

• At this time, Access-Denied Remediation works only with Windows 8 and Windows Server 2012.


Objective 2.3: Configuring and Optimizing Storage


Understanding Shared Storage

• To provide services and resources, many of the servers used in an organization require large amounts of disk space.

• Shared storage devices have many hard drives to provide huge amounts of disk space.

• There are two network storage solutions used in networking:
  o Network attached storage (NAS): A NAS is a file-level data storage device that is connected to the server over a computer network to provide shared drives or folders, usually using Server Message Block (SMB) or Network File System (NFS).
  o Storage area networks (SANs): A SAN is a type of storage architecture that allows systems to attach to the storage in the SAN and that presents the drives to the server just as if attached locally.


Understanding Shared Storage

• Most SANs use the SCSI protocol for communication between servers and disk drive devices.

• By using SCSI protocol, you can attach disks to a server using copper Ethernet cables or fiber optic cables.

• The two standards used in SANs include:
  o Fibre Channel
  o iSCSI


Logical Unit Number (LUN)

• A Logical Unit Number (LUN) is a logical reference to a portion of a storage subsystem.

• The LUN can be a disk, part of a disk, an entire disk array, or part of the disk array.

• When configuring servers to attach to a SAN, you usually configure the SAN to assign a LUN to a specific server.

• The LUN allows the administrator to break the SAN storage into manageable pieces.

• If the LUN is not mapped to a specific server, the server cannot see or access the LUN.


iSCSI

• iSCSI is an Internet Protocol-based storage network standard that allows servers and other devices to connect to a data storage device or devices.

• As the name indicates, it carries SCSI commands over IP networks.

• Unlike standard local SCSI drives, iSCSI allows data transfers over intranets and can be used over long distances.

• iSCSI allows clients, called iSCSI initiators, to send SCSI commands to iSCSI storage devices, which are known as iSCSI targets.


iSCSI Qualified Name (IQN)

• iSCSI Qualified Name (IQN) is a unique identifier used to address initiators and targets on an iSCSI network.

• The IQN uses the following format:
  o Literal iqn
  o Date (yyyy-mm) that the naming authority took ownership of the domain
  o Reversed domain name of the authority
  o Optional ":" prefixing a storage target name specified by the naming authority

• An example of an IQN is: iqn.1991-05.com.contoso:storage01-target1-target


iSCSI Target

• In April 2011, the iSCSI target was made available to Windows Server 2008 R2 as a free download.

• Starting with Windows Server 2012, you can install the iSCSI Target Server role so that the server can provide iSCSI storage to clients (including other Windows servers).

• After installing the iSCSI Target Server role, you use Server Manager to create the volumes that will be presented to clients and specify which servers can access the iSCSI LUNs.
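The same target configuration done with the iSCSI Target cmdlets instead of Server Manager, combining the IQN format from the earlier slide (validated before an initiator is granted access) with LUN masking and CHAP. This is an added example, not course code; paths, IQNs and the CHAP user are placeholders:

```powershell
# Added example (not from the course slides): build an iSCSI target whose LUN
# is masked to one named initiator and protected by one-way CHAP, after
# checking that the initiator IQN matches the format iqn.yyyy-mm.<reversed
# domain>[:<target name>]. Assumed values: paths, IQNs and the CHAP user are
# placeholders; keep the secret in a vault rather than in a script.

function Test-IqnFormat {
    param([Parameter(Mandatory)][string]$Iqn)
    # "iqn." + yyyy-mm + "." + reversed domain (2+ labels) + optional ":" name
    $pattern = '^iqn\.\d{4}-(0[1-9]|1[0-2])\.[a-z0-9-]+(\.[a-z0-9-]+)+(:[\w.:-]+)?$'
    return ($Iqn -match $pattern)
}

$initiator = "iqn.1991-05.com.microsoft:buildhost01.contoso.com"
if (-not (Test-IqnFormat $initiator)) {
    throw "Refusing to add malformed initiator IQN: $initiator"
}

Install-WindowsFeature -Name FS-iSCSITarget-Server -IncludeManagementTools

# 1. Backing store: a fixed-size VHDX that becomes the LUN.
$lun = "D:\iSCSIVirtualDisks\lun01.vhdx"
New-IscsiVirtualDisk -Path $lun -SizeBytes 50GB

# 2. Target with LUN masking: only the listed initiator IQN may log in.
#    Masking by IQN is not authentication; the IQN is supplied by the client.
New-IscsiServerTarget -TargetName "target1" -InitiatorIds @("IQN:$initiator")

# 3. Require CHAP so the initiator must prove a shared secret at login.
$chapSecret = Read-Host -AsSecureString -Prompt "CHAP secret (12-16 characters)"
$chap = New-Object -TypeName System.Management.Automation.PSCredential `
    -ArgumentList @("chapuser", $chapSecret)
Set-IscsiServerTarget -TargetName "target1" -EnableChap $true -Chap $chap

# 4. Map the LUN to the target and review the result.
Add-IscsiVirtualDiskTargetMapping -TargetName "target1" -Path $lun
Get-IscsiServerTarget -TargetName "target1" |
    Format-List TargetName, InitiatorIds, EnableChap, LunMappings
```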


Internet Storage Name Service (iSNS)

• The Internet Storage Name Service (iSNS) protocol is used to automatically discover, manage, and configure iSCSI devices on a TCP/IP network.
  o iSNS is used to emulate Fibre Channel fabric services to provide a consolidated configuration point for an entire storage network.
  o iSNS provides a registration function that allows entities in a storage network to register with, and query, the iSNS database.
  o Both targets and initiators can register in the iSNS database.


Discovery Domain (DD)

• The discovery domain (DD) service allows the partitioning of storage nodes into management groupings (called discovery domains) for administrative and logon control purposes.

• You can create a new discovery domain by using the Create button and typing the name of the discovery domain.


Features on Demand

• Starting with Windows Server 2012, you can use Features on Demand, which allows administrators to:
  o Completely remove the installation binaries for roles and features that are not needed for the server.
  o Save disk space and enhance security by removing binaries for features that will not be needed.