290 Windows Server 2003: Best Practices for Enterprise Deployments Tip&Tec / Windows Server 2003: Best Practices for Enterprise Deployments / Ruest & Ruest / 222343-x / Chapter 7

The extend command will automatically extend the disk to take up all of the available space you just added. Remember that disk expansion can only be done on non-system disks.

You can also use scripts with DISKPART.EXE. Simply insert your commands in a text file. Scripts are especially useful when you are staging servers with either the unattended or disk imaging installation techniques. In this case, you’ll also want to log all errors. To do so, use the following command:

    diskpart /s scriptfile.txt >logfile.txt

Disk Structure Preparation

Expanded disks ensure that your main disk partitions always remain the same. This means that you can create a standard disk structure for all servers. This structure should include the following:

• C: drive  This is the system disk.
• D: drive  The data storage disk.
• E: drive  An optional disk for servers hosting database applications. In the Microsoft world, this includes servers hosting Active Directory (domain controllers), SQL Server, Exchange, and SharePoint Portal Server. This disk is used to store transaction journals for these database applications. It can also be used to store shadow copies for file servers.
• F: drive  The DVD/CDRW server drive.

No matter how your server is constructed, it should use this structure for its logical appearance. Since all disks can be extended, no other drive letters should be required. The disk that requires the most structure is the D: drive since it is the disk that will store user and group shared data and documents. This disk should include a master folder for each of the different data types identified earlier. In addition, it is a good idea to structure the disk folders according to content. Thus, the D: drive would appear as illustrated in Figure 7-1.
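The scripted DISKPART run described above, as an added example that is not part of the book: it writes the command file, runs it with /s, redirects everything DISKPART prints to the log file, and checks the exit code so a failed extend is noticed during unattended staging. The volume letter (D:) and the C:\Staging paths are assumptions made for the example.

```powershell
# Added example (not from the book): extend the data volume from a DISKPART
# script and keep a log of what DISKPART reported.
# Assumptions (constructed for this example): the data volume is D: and the
# script and log live under C:\Staging. Run from an elevated PowerShell.
$scriptFile = 'C:\Staging\extend-d.txt'
$logFile    = 'C:\Staging\extend-d.log'
New-Item -ItemType Directory -Path 'C:\Staging' -Force | Out-Null

# DISKPART reads one command per line. "extend" grows the selected volume
# into the unallocated space that follows it on the same disk; as the text
# notes, this only works for non-system volumes. The two "detail volume"
# lines put the size before and after into the log for comparison.
@'
rescan
select volume D
detail volume
extend
detail volume
exit
'@ | Set-Content -Path $scriptFile -Encoding ASCII

# Same invocation as the book's diskpart /s scriptfile.txt >logfile.txt:
# /s runs the script, and the redirection captures output and errors.
diskpart /s $scriptFile > $logFile

if ($LASTEXITCODE -ne 0) {
    Write-Warning "DISKPART returned exit code $LASTEXITCODE; see $logFile"
}
Get-Content -Path $logFile
```

DISKPART does not abort on an earlier failed command, so read the log rather than relying on the exit code alone; an "extend" that found no free space to the right of the volume shows up there as a message while the rest of the script still runs.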
There are a few principles to use when creating the folders in the D: drive.

• First, group information according to content. This means that three top-level folders are required: Data, Applications, and Administration. Each will be used to regroup subfolders that will store similar content.
• Second, use representative folder names. If a folder will be used to store user data, call it UserData.
• Third, use combined words. That is, do not include spaces or special characters between words. Thus, if your folder name is User Data, type it as UserData. Unfortunately, there are still some vestiges of NetBIOS in WS03. NetBIOS prefers word strings that do not use spaces or other special characters.
• Fourth, name your folders the way you will want to have your shares appear. A good example here is the use of the dollar sign ($) at the end of a folder name. Remember that when you share a folder with the dollar sign at the end, it becomes a “hidden” share—that is, it cannot be seen through the network browsing mechanism.
• Fifth, create the same folder structure on all servers that have a file and print vocation even though you will not share each of the folders on each server. This strategy allows you to quickly activate a folder share when a file server is down. Since each server has the same folder structure, activating a shared folder in an emergency is quick and easy. This also facilitates file server replication modifications in case of a server crash.

QUICK TIP  Microsoft has written a knowledge base article on disk and volume management. Search for article number Q329707 at http://support.microsoft.com/.

P:\010Comp\Tip&Tec\343-x\ch07.vp Monday, March 24, 2003 12:32:17 PM Color profile: Generic CMYK printer profile Composite Default screen Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com

Using these guidelines, folders should be created according to the details outlined in Table 7-1.
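The folder structure of Table 7-1, built by script, as an added example that is not the book's own code: it creates the top-level folders, breaks inheritance from the volume root so each subfolder carries only the NTFS rights the table lists, then publishes the shares with the Everyone Read/Change share permissions and the offline caching mode from the table. The CORP domain and the Finance and Apollo group names are assumptions made for the example; the Tools$ share name for the SupportTools$ folder is this example's way of reconciling step 5 of the procedure with the table, and PowerShell is assumed to be installed on the server.

```powershell
# Added example, not from the book: builds the D: drive structure of
# Table 7-1 and applies its NTFS rights, share permissions and offline
# caching by script rather than through Windows Explorer.
# Assumptions (constructed for this example): the server is a member of a
# domain called CORP; one department, Finance, with groups CORP\Finance
# (members) and CORP\Finance-Reps (user representatives); one project,
# Apollo, with group CORP\Apollo-Members. Run as a local administrator.
$root = 'D:'

function New-NtfsRule {
    # Allow ACE. By default it inherits to subfolders and files, which is
    # what lets parent permissions flow down as the text recommends.
    param([string]$Identity, [string]$Rights, [switch]$ThisFolderOnly)
    $inherit = if ($ThisFolderOnly) { 'None' } else { 'ContainerInherit, ObjectInherit' }
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$inherit,
        [System.Security.AccessControl.PropagationFlags]'None',
        [System.Security.AccessControl.AccessControlType]'Allow')
}

function New-TopLevelFolder {
    # Creates a top-level folder and replaces the ACL inherited from D:\
    # with an explicit one: Administrators and SYSTEM Full Control, and
    # Users able to list this folder only. Subfolders therefore carry
    # exactly the rights of Table 7-1 and nothing inherited from the root.
    param([string]$Name)
    $path = Join-Path $root $Name
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting, copy nothing
    $acl.AddAccessRule((New-NtfsRule 'BUILTIN\Administrators' 'FullControl'))
    $acl.AddAccessRule((New-NtfsRule 'NT AUTHORITY\SYSTEM'    'FullControl'))
    $acl.AddAccessRule((New-NtfsRule 'BUILTIN\Users' 'ReadAndExecute' -ThisFolderOnly))
    Set-Acl -Path $path -AclObject $acl          # one write, so no lockout window
}

# Rows of Table 7-1. NTFS "Read" is ReadAndExecute and "Change" is Modify.
# /CACHE:Programs is "automatically available offline, optimized for
# performance", Manual is "user-determined", None is "not available offline".
# The table grants Everyone: Change on Public and UserData$; Authenticated
# Users is the tighter identity for the same purpose on current servers.
$rows = @(
    @{ Folder='Applications';                 Share='Applications';  Perm='READ';   Cache='Programs'
       Rights=@(@('BUILTIN\Users','ReadAndExecute')) },
    @{ Folder='Data\Departments\Finance';     Share='Finance';       Perm='CHANGE'; Cache='Manual'
       Rights=@(@('CORP\Finance','ReadAndExecute'), @('CORP\Finance-Reps','Modify')) },
    @{ Folder='Data\Projects\Apollo';         Share='Apollo';        Perm='CHANGE'; Cache='Manual'
       Rights=@(@('CORP\Apollo-Members','Modify')) },
    @{ Folder='Data\Public';                  Share='Public';        Perm='CHANGE'; Cache='None'
       Rights=@(@('Everyone','Modify')) },
    @{ Folder='Data\UserData$';               Share='UserData$';     Perm='CHANGE'; Cache='Programs'
       Rights=@(@('Everyone','Modify')) },
    @{ Folder='Administration\HotFixes$';     Share='HotFixes$';     Perm='READ';   Cache='None'
       Rights=@(@('Everyone','ReadAndExecute')) },
    @{ Folder='Administration\ServicePacks$'; Share='ServicePacks$'; Perm='READ';   Cache='None'
       Rights=@(@('Everyone','ReadAndExecute')) },
    @{ Folder='Administration\Sources$';      Share='Sources$';      Perm='READ';   Cache='None'
       Rights=@(@('Everyone','ReadAndExecute')) },
    @{ Folder='Administration\SupportTools$'; Share='Tools$';        Perm='READ';   Cache='None'
       Rights=@(@('Everyone','ReadAndExecute')) }
)

# Parents first, as step 6 advises, so their rights are in place before
# the subfolders that inherit them are created.
foreach ($name in 'Administration', 'Applications', 'Data') { New-TopLevelFolder $name }

foreach ($row in $rows) {
    $path = Join-Path $root $row.Folder
    New-Item -ItemType Directory -Path $path -Force | Out-Null   # also creates Departments\, Projects\
    $acl = Get-Acl -Path $path
    foreach ($r in $row.Rights) { $acl.AddAccessRule((New-NtfsRule $r[0] $r[1])) }
    Set-Acl -Path $path -AclObject $acl
    # Share permissions stay at Everyone Read or Change as the text advises;
    # the NTFS rights above are what actually restrict access.
    net share "$($row.Share)=$path" "/GRANT:Everyone,$($row.Perm)" "/CACHE:$($row.Cache)" /UNLIMITED
}

# Verify before handing the server over: the share list, then each
# folder's ACL with the inherited entries marked.
net share
foreach ($row in $rows) {
    "`n$($row.Folder)"
    (Get-Acl -Path (Join-Path $root $row.Folder)).Access |
        Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
}
```

Breaking inheritance at the three top-level folders is the step that makes the table's "Department: Read" meaningful: without it, the volume root's default Users entry would flow into every department folder and every user could read every department's data. The share permission stays loose on purpose, exactly as the text argues; the verification loop at the end is the "take the time to verify shared folder permissions" check, done once for all folders.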
NTFS Permissions

Windows Server 2003 is similar to Windows NT and Windows 2000 in that permissions on shared folders are based on a combination of NTFS and shared folder permissions. As such, the same rules apply. This means that since it is complex to manage both file and share permissions, it becomes much easier to focus on NTFS permissions since these are the last permissions applied when users access files through network shares. This process is illustrated in Figure 7-2.

Chapter 7: Designing the Network Services Infrastructure 291

Figure 7-1  D: drive folder and share structure

Table 7-1  Folder and Share Structure

| Folder Name | Share Name | Offline Settings | NTFS Permissions | Share Permissions | Comment |
|---|---|---|---|---|---|
| Applications | Applications | Automatically available offline and Optimized for performance | Users: Read; Administrators: Full Control | Everyone: Read | This folder shares centrally-located applications. |
| Departmentn | Departmentn | User-determined | Department: Read; User Representative: Change; Administrators: Full Control | Everyone: Change | Data can be encrypted, but should not be compressed. This folder is the main folder for the department; only user representatives can write to this folder and create subfolders. |
| Projectn | Projectn | User-determined | Project Members: Change; Administrators: Full Control | Everyone: Change | Data can be encrypted, but should not be compressed. |
| Public | Public | Not available offline | Everyone: Change; Administrators: Full Control | Everyone: Change | Data should not be either encrypted or compressed. |
| UserData$ | UserData$ | Automatically available offline and Optimized for performance | Everyone: Change; Administrators: Full Control | Everyone: Change | Data can be encrypted, but should not be compressed. This folder will be used to redirect the My Documents, Application Data, Desktop, and Start Menu folders for all users. |
| HotFixes$ | HotFixes$ | Not available offline | Everyone: Read; Administrators: Full Control | Everyone: Read | Data should not be either encrypted or compressed. |
| ServicePacks$ | ServicePacks$ | Not available offline | Everyone: Read; Administrators: Full Control | Everyone: Read | Data should not be either encrypted or compressed. |
| Sources$ | Sources$ | Not available offline | Everyone: Read; Administrators: Full Control | Everyone: Read | Data should not be either encrypted or compressed. |
| Tools$ | Tools$ | Not available offline | Everyone: Read; Administrators: Full Control | Everyone: Read | Data should not be either encrypted or compressed. |

Combining shared folder permissions with NTFS permissions can become very confusing and difficult to troubleshoot if you mix and match them. In order to simplify the process, you should only use NTFS permissions because the most restrictive permissions are always applied.

In Windows Server 2003, every new shared folder receives the same basic permissions: Everyone Read. This is different from all previous versions of Windows! If users need to write into a shared folder, these permissions must be modified to Everyone Change. If not, the most restrictive permissions apply and no one is allowed to write into a shared folder.

CAUTION  It will be important for you to ensure that you take the time to verify shared folder permissions before finalizing the share.
Otherwise, you will receive several support calls on nonfunctioning shares.

It is quite all right to set share permissions on just about anything to Everyone Change because NTFS permissions will apply even though your share permissions are not restrictive. Microsoft modified the default behavior of the shared folder process in order to provide better security for enterprises that did not prepare their NTFS settings beforehand. Thus, if you use the share preparation process outlined here, you will be quite safe from prying users when you share your folders because NTFS permissions are always applied before the share is enabled. Nevertheless, the best practice in terms of shared folder permissions is to set permissions according to the following:

• Set Everyone Read for all shared application folders, installation folders, support tool folders, and so on.
• Set Everyone Change for all shared data folders and set appropriate NTFS permissions on a folder per folder basis.

There is rarely any need for the Everyone Full Control shared folder permission setting.

Figure 7-2  The File Permission Process

CAUTION  It is important to set Everyone Change as the shared folder permissions for the shared folder hosting the redirection of user data. Otherwise, the automatic folder creation process that is enabled whenever the policy applies to a new user will not be able to create the user’s data folders.

Disk Quotas

Another important factor in file sharing is disk quotas. Windows Server 2003 offers a disk quota management process that supports the assignment of quotas on a per user, per disk basis.
In addition, WS03 quota usage is identified by file ownership. This means that if you create all of your shared folders on the same disk, a user’s total quota usage will apply to every file on the disk that was created or is owned by the user no matter which shared folder it is located in. You begin by setting general quotas on a disk, and then you can set different quotas for users who require more than the average amount of space. You cannot manage quotas on a per group basis. This is not very practical in an enterprise network. WS03 quotas do not apply to administrators.

Some rules apply if you intend to use WS03 quotas:

• Use the quota tracking option to analyze disk usage before enforcing quotas. This will tell you the size of the quotas you need to apply.
• Group users according to file types; if some users have a tendency to work with files that have large formats, such as graphic files, then place them on a separate disk and assign a higher quota to this disk. This is the same as assigning quotas to groups, but instead of using groups, you use different disks.
• Create separate disks for private user data and group shared folders and assign different quotas to each disk.

If you find that these rules are too constricting, then use a commercial quota management tool. These tools will allow you to perform policy-based management of quotas on a user or group basis no matter how many disks you have for shared folder storage.

Shadow Copies

Windows Server 2003 includes a new feature for shared folder support: volume shadow copies (VSC). This feature automatically takes a snapshot of the files located in a shared folder at regular intervals (in fact, it takes a copy of the entire disk on which the shared folder resides). The shadow copy feature is designed to assist in the process of recovering previous versions of files without having to resort to backups. The shadow copy feature is very much like a server “undelete” feature.
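Before leaving quotas: the first of the quota rules above, tracking usage before enforcing anything, as an added example that is not the book's own code. It switches the volume's quota setting to tracking mode through WMI and then lists every owner's usage on that volume, which is the number you need to choose a limit. The D: volume is an assumption made for the example; the WMI classes and their state and status codes are Windows' own. The book's later Quick Tip notes that the quota event log entries do not name the user; the rows this report produces do.

```powershell
# Added example (not from the book): put a volume into quota tracking
# mode and report per-owner usage from WMI, the "analyze before you
# enforce" step. Assumption (constructed for this example): the shared
# data volume is D:. Run as a local administrator.
$deviceId = 'D:'

function Set-QuotaTracking {
    # Win32_QuotaSetting.State: 0 = disabled, 1 = tracked, 2 = enforced.
    # Tracking records usage per owner without denying any write.
    param([string]$DeviceId)
    $setting = Get-WmiObject -Class Win32_QuotaSetting |
        Where-Object { $_.VolumePath -like "$DeviceId*" }
    if (-not $setting) { throw "No quota setting found for volume $DeviceId" }
    $setting.State = 1
    $setting.Put() | Out-Null
    return $setting.State
}

function Get-QuotaReport {
    # One row per owner on the volume. Win32_DiskQuota.Status: 0 = OK,
    # 1 = over the warning level, 2 = over the limit.
    param([string]$DeviceId)
    $statusName = @{ 0 = 'OK'; 1 = 'Warning'; 2 = 'Exceeded' }
    # Assumption: "no limit" is reported as an all-ones 64-bit value.
    $noLimit = [uint64]::MaxValue
    Get-WmiObject -Class Win32_DiskQuota |
        Where-Object { $_.QuotaVolume -like "*DeviceID=`"$DeviceId`"*" } |
        ForEach-Object {
            # User is a WMI object path of the form
            # \\SERVER\root\cimv2:Win32_Account.Domain="CORP",Name="jdoe"
            $user = if ($_.User -match 'Domain="([^"]*)",Name="([^"]*)"') {
                        "$($Matches[1])\$($Matches[2])"
                    } else { $_.User }
            New-Object PSObject -Property @{
                User      = $user
                UsedMB    = [math]::Round($_.DiskSpaceUsed / 1MB, 1)
                WarningMB = if ($_.WarningLimit -eq $noLimit) { 'none' }
                            else { [math]::Round($_.WarningLimit / 1MB, 1) }
                LimitMB   = if ($_.Limit -eq $noLimit) { 'none' }
                            else { [math]::Round($_.Limit / 1MB, 1) }
                Status    = $statusName[[int]$_.Status]
            }
        }
}

Set-QuotaTracking $deviceId | Out-Null
# Heaviest owners first: their figures show what limit to enforce later
# and who, per the second rule, belongs on a separate disk.
Get-QuotaReport $deviceId | Sort-Object UsedMB -Descending |
    Format-Table User, UsedMB, WarningMB, LimitMB, Status -AutoSize
```

Run the report for a few weeks while the volume is in tracking mode; because usage is charged to file ownership, a user who creates files in several shares on the same disk appears once, with the total, which is exactly the behaviour the paragraph above describes.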
It is useful for users who often require a return to either a previous version of a file or who accidentally destroy files they still require.

WS03 uses a default schedule for creating shadow copies: 7:00 A.M. and 12:00 noon. If you find that this schedule does not meet your requirements, you can change it. For example, you might prefer to create shadow copies at 12:00 noon and 5:30 P.M. if your staff tends to start early in the morning. Also, use a separate disk for shadow copies and set the maximum size of the shadow copies on this disk. The number of copies kept on the shadow copy disk will depend on the amount of space allocated to shadow copies. Once full, shadow copies are overwritten by newer versions. There is also a hard limit of 64 versions. Once you reach this limit, older versions are automatically overwritten. If you expect a large number of file changes, you should assign a larger amount of space for shadow copies.

Shadow copies do not replace backups. Even though the WS03 Backup tool uses the shadow copy process to perform backups, the automatic shadow copies the system creates are not backed up so you cannot count on previous versions of a shadow copy.

Finally, the shadow copy process is in fact a scheduled task. If you intend to delete the disk on which a shadow copy is performed, begin by deleting the shadow copy scheduled task. Otherwise, this task will generate errors in the event log.

Indexing Service

The Indexing Service is one of Windows’ best features for the support of knowledge management. WS03 can index all sorts of information and documents inside shared folders and on internal and external Web sites. The Indexing Service is installed by default, but it is not activated. Therefore, one of the most important steps in preparing a file share server is to set the Indexing Service startup to automatic. The Indexing Service will index documents in the following formats:

• Text
• HTML
• Office 95 and later
• Internet mail and news
• Any other document for which a filter is available

For example, Adobe Corporation provides an indexing filter for documents in the PDF format. The Adobe PDF IFilter can be found at http://download.adobe.com/pub/adobe/acrobat/win/all/ifilter50.exe. Installing this filter will ensure that all PDF documents will be indexed and searchable. In addition, the Indexing Service can index files for which it doesn’t have specific filters. In this case, it will do the best it can.

In general, the default settings of the Indexing Service are sufficient for shared folders storing data and documents. This is because even though all documents on a file server are indexed, users will only see the query results for which they have access rights. So even if you have five documents about system administration on a file share, but the user performing the query has access to only one of those, the Indexing Service will respond with only one query result.

QUICK TIP  One of the great advantages of disk shadow copies is the ability for users to recover their own files. The VSC service adds a tab to file and folder properties that allows users to retrieve older versions of a file from the shadow copy so long as the image of the shadow copy has not been overwritten. This feature is a boon to disk administrators because it greatly reduces the number of restores they need to perform. To enable this feature, you will have to deploy the Previous Versions client on Windows XP systems. The client software is located in \\%systemroot%\system32\clients\twclient.

If you find you require more refined filtering, you can use the Indexing Service to create special indexing catalogs for groups of users. These catalogs increase the speed of a search since they limit the number of possible hits for user queries.

Indexing is a memory intensive task. This means that your file server will require sufficient RAM to support the indexing of documents. For large file shares including more than 100,000 documents to index, you should dedicate at least 128 MB of RAM to the Indexing Service.

Offline File Caching

By default each share that is created with Windows Server 2003 is set to allow the user to determine if they want to make the files available offline. Offline file caching allows users to transport files with them if they are using a portable computer or to continue working in the event of a network failure. Through offline files, users actually work on local copies of the files and the Windows Synchronization Manager automatically synchronizes files between the server and the client. Synchronization Manager includes a conflict resolution process allowing even multiple users to work with offline files without fear of damaging information created by one or the other.

There are some issues with offline files. The most important of these is that not all files are supported through the offline files process. Database files, in particular, are not supported. Thus if you intend to use offline folders, you must educate your users to store their database files elsewhere, either locally or in file shares that do not offer offline file possibilities. Non-supported file types cause error messages during the synchronization process which occurs at either logon or logoff. This can cause a security breach because the logoff process is not completed when non-supported file types are included in an offline folder until the error message dialog box is closed manually. And, if the user leaves before the logoff is complete, their system remains in this state until they return. Of course, it would be difficult for a hacker to reopen the session, but leaving a session in a semi-open state is not good practice.

Caching options include:

• No caching  Files or programs from the share are not available offline.
• Manual caching  Only the files and programs that users specify will be available offline (this is the default setting).
• Automatic caching  All files and programs that users open from the share will be automatically available offline. This setting can be optimized for performance.

Offline files are a boon, especially for mobile users, because they offer local access to files while at the same time allowing central backup and protection of data.

Creating the File Server

There are several processes involved in the creation of a File Server. The overall File Server Creation Process is outlined in Figure 7-3. The place to start is with the creation of the server itself. Use the process outlined in Chapter 2 to create a basic Member Server. This server is based on the Server Kernel, but its primary role will be file sharing. Thus, you now need to add a server role on top of the kernel.
This server should include a disk structure as outlined previously in the “Disk Structure Preparation” section. Once the server has been prepared, move to the first activity: Creating the Folder Structure.

Creating the Folder Structure

The folder structure is not the same as the shared folder structure because shares are regrouped by content type (refer to Figure 7-1). Though WS03 provides a Share a Folder Wizard that supports the creation of a folder structure on an NTFS disk, it is easier to use Windows Explorer to create the folders that will host file sharing.

1. Move to Windows Explorer (Quick Launch Area | Windows Explorer).
2. Select the D: drive.
3. Create the three top level folders: Administration, Applications, and Data. To do so, right-click in the right pane of Explorer, select New | Folder and type in the name of the folder. Press ENTER when done. Repeat for each folder you require.
4. Apply appropriate NTFS security settings for each folder. Security settings are applied according to the details of Table 7-1. To do so, right-click on each folder name and select Properties. Move to the Security tab. Add the appropriate groups and assign appropriate security settings to each group. Also, modify the default security settings per the requirements in Table 7-1. You modify security settings now because they are inherited whenever you create subfolders. Thus, you will only need to fine-tune subfolder security settings from now on instead of recreating them all.

Figure 7-3  The File Server Creation Process

5. Create all of the subfolders for each section:
   • In Administration, create HotFixes$, ServicePacks$, Sources$, and SupportTools$.
   • In Data, create Departments and Projects. These subfolders are parent folders for each of the department-specific and project-specific shared folders. Also create Public and UserData$ at this level.
   • Within Departments and Projects, create the required subfolders for each department and each project.
6. Modify the NTFS security settings for each folder. Remember to modify the parent folders first before creating their subfolders in order to simplify your creation process.

Once the folder creation process is complete, make a copy of the entire structure in another secure place on the network. This way, you will not have to recreate the entire folder structure each time you create a file server. You will simply have to copy it from your file structure template. Ensure that this master folder structure is always up to date in order to simplify the file server creation process.

Enabling File Server Services

Three special services must be put in place to support file sharing: quotas, shadow copies, and indexing. These are activated next.

1. Once again, move to Windows Explorer.
2. Right-click on the D: drive and select Properties.
3. Move to the Quota tab and activate quotas for this disk:
   • Select Enable quota management.
   • Select Deny disk space to users exceeding quota limit.
   • Select Limit disk space to and assign at least 200 MB per user.
   • Set warning level to 15 to 20 percent lower than the assigned quota limit.
   • Select both Log event when a user exceeds their quota limit and Log event when a user exceeds their warning level. Both of these tools are used to identify long-term quota requirements.

QUICK TIP  It is very important to assign appropriate quota levels to users. It is highly recommended to validate the space required on a per user basis before assigning quota levels. Do not deny disk space to users exceeding quota limits to test required quota levels. To test these limits, you will need to monitor quota usage through the use of the Quota Entries button at the bottom of the dialog box.

4. You can select Apply if you want to, but you don’t have to because you aren’t done with this dialog box yet. Move to the Shadow Copies tab.
5. Before enabling this feature, you must modify the drive that will store shadow copies. To do so, click the Settings button. In the new dialog box, use the drop-down list to select the E: drive. Set the limit for the copy as appropriate and change the schedule if required. Click OK when done.
6. The default schedule is at 7:00 A.M. and at 12:00 noon. If this schedule is not appropriate, click the Schedule button to modify it. This is a scheduled task. Its scheduling features are the same as all scheduled tasks.

QUICK TIP  Event logs don’t actually provide the name of the person who exceeds the limit. You have to use WMI scripts to extract this information.
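The three services enabled through the Properties dialog in the steps above (enforced quotas with logging, shadow copies stored on the E: drive with a size cap and the book's alternative 12:00 and 5:30 P.M. schedule, and the Indexing Service set to start automatically), configured from the command line instead, as an added example that is not the book's own code. Doing it this way gives every file server identical settings. The D: and E: volumes, the CORP\jdoe account, the 10 GB shadow storage cap and the quota figures are assumptions made for the example; the tools used (WMI's Win32_QuotaSetting, fsutil quota, vssadmin, schtasks and sc.exe) are Windows' own, and the shadow copy tasks below are this example's replacement for the schedule the Properties dialog would create.

```powershell
# Added example (not from the book): quotas, shadow copies and indexing
# on a file server, set from the command line so the configuration can be
# repeated identically on every server. Assumptions (constructed for this
# example): data is on D:, shadow copies go to E: as the text recommends,
# CORP\jdoe needs more than the default quota, and the sizes are
# placeholders to adjust. Run as a local administrator.

# --- 1. Quotas: 200 MB default limit, warning 20 percent lower, both ---
#        events logged, then enforced ("Deny disk space to users exceeding
#        quota limit"). Do this only after a tracking period; see the tip.
$quota = Get-WmiObject -Class Win32_QuotaSetting |
    Where-Object { $_.VolumePath -like 'D:*' }
$quota.DefaultLimit                = 200MB
$quota.DefaultWarningLimit         = 160MB
$quota.ExceededNotification        = $true   # log when a user exceeds the limit
$quota.WarningExceededNotification = $true   # log when a user exceeds the warning level
$quota.Put() | Out-Null
fsutil quota enforce D:
# Per-user exception for someone who works with large files:
# volume, warning threshold in bytes, limit in bytes, account.
fsutil quota modify D: (480MB) (600MB) 'CORP\jdoe'
# The same entries the Quota Entries button shows, in text form.
fsutil quota query D:

# --- 2. Shadow copies: storage area on a separate disk, capped in size, ---
#        so copy-on-write I/O does not compete with the data disk.
#        The match on the English "Shadow Copy Storage volume" line is an
#        assumption about vssadmin's output; it decides add versus resize.
$storage = vssadmin list shadowstorage '/for=D:'
if ($storage -match 'Shadow Copy Storage volume') {
    vssadmin resize shadowstorage '/for=D:' '/on=E:' '/maxsize=10GB'
} else {
    vssadmin add shadowstorage '/for=D:' '/on=E:' '/maxsize=10GB'
}
# First copy now, then the book's 12:00 noon and 5:30 P.M. alternative as
# daily tasks running as SYSTEM. As the text warns, delete these tasks
# before removing the disk, or they will log errors at every run.
vssadmin create shadow '/for=D:'
schtasks /create /tn 'ShadowCopy-D-1200' /tr 'vssadmin create shadow /for=D:' /sc daily /st 12:00 /ru SYSTEM
schtasks /create /tn 'ShadowCopy-D-1730' /tr 'vssadmin create shadow /for=D:' /sc daily /st 17:30 /ru SYSTEM
vssadmin list shadows '/for=D:'

# --- 3. Indexing Service (service name cisvc): installed but not started ---
#        by default, so set it to start automatically. sc.exe is named in
#        full because "sc" alone is a PowerShell alias for Set-Content.
sc.exe config cisvc start= auto
sc.exe start cisvc
```

Keep the vssadmin listing from step 2 with the server's build record: the 64-version hard limit and the storage cap together determine how far back users will be able to go with Previous Versions, and that is the figure the help desk will be asked about.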
But event logs will tell you that someone has exceeded the limit. Don’t worry, you’ll know who it is soon enough because users who exceed their limits are quick to call the help desk to complain.

[...]

Files and Printers for Non-Windows Clients

Windows Server 2003 also supports printing and file sharing for non-Windows computers. These include the Macintosh as well as UNIX computers. Chances are that most enterprise networks will contain either one or the other or even both.

Macintosh Computers

Windows NT has supported Macintosh connectivity since its very earliest versions. Windows Server 2003 is no different...

[...] and Windows Server 2003 networks, you can acquire Services for UNIX, a comprehensive set of tools that is designed to integrate UNIX and WS03 networks and even allow UNIX applications to run on WS03 servers.

NOTE  More information on WS03 File and Print Services can be found at http://www.microsoft.com/windowsserver2003/evaluation/overview/technologies/fileandprint.mspx and http://www.microsoft.com/windowsserver2003/techinfo/overview/print.mspx.

Preparing Application Servers

The Application Server is a multifunctional server role because it is required to support commercial server software as well as corporate applications. Whether it is for software or applications, this server role, like all others, is based on the core Server Kernel installation. Thus, you need to stage this server in the...

[...] allows you to change the default setting for client caching of link targets. By default this setting is 1800 seconds or 30 minutes. This setting is usually appropriate for DFS links.

QUICK TIP  The DFS process is fully detailed in the book Windows Server 2003 Deployment Kit: Designing and Deploying File Servers in the Planning Server Deployments (Microsoft Press, 2003). It is highly recommended reading if...

[...] File Servers

• When you have more than one Print Server, create redundancy in your shared printer setups. Create all of the printers on each server, then share only a portion (for example, half) of the printers on one server and the other portion on the other server. Thus if one of your print servers goes down, you can quickly share and thus reactivate the lost printers on the other server. Each server...

[...] more. It also performs much better. These are not the only considerations you will need to take into account for your enterprise shared printer policy, but they are often elements that are forgotten. Remember, printers are really there for users and should be designed in a way that facilitates the printing process for them.

Creating the Print Server

Print servers are normally linked with file servers. Thus,...

[...] upgrade everything or redesign your applications, don’t despair. Like Windows XP, Windows Server 2003 now boasts a Compatibility Mode that can emulate Windows 95, Windows 98, Windows NT, or Windows 2000 operating systems. In addition, WS03 includes a Program Compatibility Wizard that steps you through the assignment of compatibility parameters for legacy software or older applications. The wizard can be launched...

[...] with Windows Server 2003. It is available at http://www.microsoft.com/downloads/release.asp?ReleaseID=42071&area=search&ordinal=2

One of the important aspects of application compatibility is security. Microsoft changed the security model for applications between Windows NT and Windows 2000. Now neither users nor applications have the right to change or modify information in critical folders. Therefore,...

[...] is because Windows 2000 and Windows Server 2003 drivers are user-mode drivers. Drivers can be either user-mode or kernel-mode. In Windows NT, drivers were moved to kernel-mode because kernel-mode drivers provided better performance. Kernel-mode drivers are Version 2 drivers. But a faulty kernel-mode driver can crash the entire kernel, or rather, the entire server. Thus, to provide better performance and...

[...] client/server model. Organizations who are using Windows NT or Windows 2000 today will also know that both software and applications hosted on these operating systems must conform to a specific set of guidelines in order to operate. This is outlined as the “Designed for Windows” specification. Ideally, all applications and software can be upgraded to versions that are completely compatible to Windows Server...