Module10:ImplementingFileandPrintServicesContents:ModuleOverview
Lesson1:SecuringFilesandFolders
Lesson2:ProtectingSharedFilesandFoldersbyUsingShadowCopies
Lesson3:ConfiguringWorkFolders
Lesson4:ConfiguringNetworkPrinting
Lab:ImplementingFileandPrintServices
ModuleReviewandTakeaways
ModuleOverviewAccessingfilesandprintersonthenetworkisoneofthemostcommonactivitiesintheWindowsServerenvironment.Reliable,secureaccesstofilesandfoldersandprintresourcesisoftenthefirstrequirementofaWindowsServer2012-basednetwork.Toprovideaccesstofileandprintresourcesonyournetwork,youmustunderstandhowtoconfiguretheseresourceswithinWindowsServer2012server,andhowtoconfigureappropriateaccesstotheresourcesforusersinyourenvironment.ThismodulediscusseshowtoprovidetheseimportantfileandprintresourceswithWindowsServer2012.Itdescribeshowtosecurefilesandfolders,howtoprotectpreviousversionsoffilesandfoldersbyusingshadowcopies,andhowtogiveworkersremoteaccesstocorporatefilesbyimplementingthenewWorkFoldersroleservice.Italsodescribesnewnetworkprintingfeaturesthathelpmanagethenetworkprintingenvironment.ObjectivesAftercompletingthismodule,youwillbeableto:Securesharedfilesandfolders.
Protectsharedfilesandfoldersbyusingshadowcopies.
ConfiguretheWorkFoldersroleservice.
Configurenetworkprinting.
Lesson1 :SecuringFilesandFoldersThefilesandfoldersthatyourserversstoretypicallycontainyourorganizationsbusinessandfunctionaldata.Providingappropriateaccesstothesefilesandfolders,usuallyoverthenetwork,isanimportantpartofmanagingfileandprintservicesinWindowsServer2012.ThislessongivesyouinformationnecessarytosecurefilesandfoldersonyourWindowsServer2012servers,sothatyourorganizationsdataisavailableyetprotected.LessonObjectivesAftercompletingthislesson,youwillbeableto:DescribeNTFSfilesystempermissions.
Describeasharedfolder.
Describepermissionsinheritance.
Explainhoweffectiveaccessandpermissionsworkwhenyouaccesssharedfolders.
Describeaccess-basedenumeration.
DescribeOfflinefiles.
Explainhowtocreateandconfigureasharedfolder.
WhatAreNTFSPermissions?
NTFSpermissionsareassignedtofilesorfoldersonastoragevolumethatisformattedwithNTFS.ThepermissionsthatyouassigntoNTFSfilesandfoldersgovernuseraccesstothesefilesandfolders.ThefollowingpointsdescribethekeyaspectsofNTFSpermissions:NTFSpermissionscanbeconfiguredforanindividualfileorfolder,orsetsoffilesorfolders.
NTFSpermissionscanbeassignedindividuallytoobjectsthatincludeusers,groups,andcomputers.
NTFSpermissionsarecontrolledbygrantingordenyingspecifictypesofNTFSfileandfolderaccess,suchasReadorWrite.
NTFSpermissionscanbeinheritedfromparentfolders.Bydefault,theNTFSpermissionsthatareassignedtoafolderarealsoassignedtonewlycreatedfoldersorfileswithinthatparentfolder.
NTFSPermissionTypesTherearetwoassignableNTFSpermissionstypes:standard,andadvanced.StandardPermissionsStandardpermissionsprovidethemostcommonlyusedpermissionsettingsforfilesandfolders.YouassignstandardpermissionsinthePermissionsforfoldernamedialogbox.ThefollowingtabledetailsthestandardpermissionsoptionsforNTFSfilesandfolders.FilepermissionsDescription
FullControlGrantstheusercompletecontrolofthefileorfolder,includingcontrolofpermissions.
ModifyGrantstheuserpermissiontoread,write,ordeleteafileorfolder,includingcreatingafileorfolder.Italsograntspermissiontoexecutefiles.
ReadandExecuteGrantstheuserpermissiontoreadafileandstartapps.
ReadGrantstheuserpermissiontoviewfileorfoldercontent.
WriteGrantstheuserpermissiontowritetoafile.
Listfoldercontents (foldersonly)Grantstheuserpermissiontoviewalistofthefolderscontents.
Note:GrantingusersFullControlpermissionsonafileorafoldergivesthemtheabilitytoperformanyfilesystemoperationontheobject,andtheabilitytochangepermissionsontheobject.Theycanalsoremovepermissionsontheresourceforanyorallusers,includingyou.AdvancedPermissionsAdvancedpermissionscanprovideamuchgreaterlevelofcontroloverNTFSfilesandfolders.AdvancedpermissionsareaccessiblebyclickingtheAdvancedbuttonfromtheSecuritytabofafileorfoldersPropertiesdialogbox.ThefollowingtabledetailstheAdvancedpermissionsforNTFSfilesandfolders.FilepermissionsDescription
TraverseFolder/ExecuteFileTheTraverseFolderpermissionappliesonlytofolders.Thispermissiongrantsordeniesuserstherighttobrowsethroughfolderstoreachotherfilesorfolders,eveniftheuserhasnopermissionsforthetraversedfolders.TheTraverseFolderpermissiontakeseffectonlywhenthegrouporuserisnotgrantedtheBypassTraverseCheckinguserright.Bydefault,theEveryonegroupisgiventheBypassTraverseCheckinguserright.TheExecuteFilepermissiongrantsordeniesaccesstorunprogramfiles.IfyousettheTraverseFolderpermissiononafolder,theExecuteFilepermissionisnotautomaticallysetonallfilesinthatfolder.
ListFolder/ReadDataTheListFolderpermissiongrantstheuserpermissiontoviewfilenamesandsubfoldernames.Thispermissionappliesonlytofoldersandaffectsonlythecontentsofthatfolderitdoesnotaffectwhetherthefolderitselfislisted.Inaddition,thissettinghasnoeffectonviewingthefilestructurefromacommand-lineinterface.TheReadDatapermissiongrantsordeniestheuserpermissiontoviewdatainfiles.TheReadDatapermissionappliesonlytofiles.
ReadAttributesTheReadAttributespermissiongrantstheuserpermissiontoviewthebasicattributesofafileorafoldersuchasRead-onlyandHiddenattributes.AttributesaredefinedbyNTFS.
ReadExtendedAttributesTheReadExtendedAttributespermissiongrantstheuserpermissiontoviewtheextendedattributesofafileorfolder.Extendedattributesaredefinedbyapps,andcanvarybyapp.
CreateFiles/WriteDataTheCreateFilespermissionappliesonlytofolders,andgrantstheuserpermissiontocreatefilesinthefolder.TheWriteDatapermissiongrantstheuserpermissiontomakechangestothefileandoverwriteexistingcontentbyNTFS.TheWriteDatapermissionappliesonlytofiles.
CreateFolders/AppendDataTheCreateFolderspermissiongrantstheuserpermissiontocreatefolderswithinthefolder.TheCreateFolderspermissionappliesonlytofolders.TheAppendDatapermissiongrantstheuserpermissiontomakechangestotheendofthefile,butnottodeleteoroverwriteexistingdata.TheAppendDatapermissionappliesonlytofiles.
WriteAttributesTheWriteAttributespermissiongrantstheuserpermissiontochangethebasicattributesofafileorfolder,suchasRead-onlyorHidden.AttributesaredefinedbyNTFS.TheWriteAttributespermissiondoesnotimplythatyoucancreateordeletefilesorfolders;itincludesonlythepermissiontomakechangestotheattributesofafileorfolder.TograntCreateorDeletepermissions,seetheCreateFiles/WriteData,CreateFolders/AppendData,DeleteSubfoldersandFiles,andDeleteentriesinthistable.
WriteExtendedAttributesTheWriteExtendedAttributespermissiongrantstheuserpermissiontochangetheextendedattributesofafileorfolder.Extendedattributesaredefinedbyprogramsandapps,andcanvarybyeachone.TheWriteExtendedAttributespermissiondoesnotimplythattheusercancreateordeletefilesorfolders;itincludesonlythepermissiontomakechangestotheattributesofafileorfolder.TograntCreateorDeletepermissions,seetheCreateFiles/WriteData,CreateFolders/AppendData,DeleteSubfoldersandFiles,andDeleteentriesinthistable.
DeleteSubfoldersandFilesTheDeleteSubfoldersandFilespermissiongrantstheuserpermissiontodeletesubfoldersandfiles,eveniftheDeletepermissionisnotgrantedonthesubfolderorfile.TheDeleteSubfoldersandFilespermissionappliesonlytofolders.
DeleteTheDeletepermissiongrantstheuserpermissiontodeletethefileorfolder.IfyouhavenotbeenassignedDeletepermissiononafileorfolder,youcanstilldeletethefileorfolderifyouaregrantedDeleteSubfoldersandFilespermissionsontheparentfolder.
ReadPermissionsReadPermissionsgrantstheuserpermissiontoreadpermissionsaboutthefileorfolder,suchasFullControl,Read,andWrite.
ChangePermissionsChangePermissionsgrantstheuserpermissiontochangepermissionsonthefileorfolder,suchasFullControl,Read,andWrite.
TakeOwnershipTheTakeOwnershippermissiongrantstheuserpermissiontotakeownershipofthefileorfolder.Theownerofafileorfoldercanchangepermissionsonit,regardlessofanyexistingpermissionsthatprotectthefileorfolder.
SynchronizeTheSynchronizepermissionassignsdifferentthreadstowaitonthehandleforthefileorfolder,andthensynchronizewithanotherthreadthatmaysignalit.Thispermissionappliesonlytomultiple-threaded,multiple-processprogramsandapps.
Note:StandardpermissionsarecombinationsofseveralindividualAdvancedpermissionsthataregroupedintocommonlyusedfileandfolderscenarios.NTFSPermissionsExamplesThefollowingarebasicexamplesofassigningNTFSpermissions:ForafoldercalledMarketingPictures,anadministratorhaschosentoassignAdamCarterAllowpermissionsfortheReadpermissiontype.UnderdefaultNTFSpermissionsbehavior,AdamCarterwillhaveReadaccesstothefilesandfoldersthatarecontainedintheMarketingPicturesfolder.
WhenapplyingNTFSpermissions,theresultsarecumulative.Forexample,inthepreviousexample,saythatAdamCarterisalsoapartoftheMarketinggroup.TheMarketinggrouphasbeengivenWritepermissionsontheMarketingPicturesfolder.WhenwecombinethepermissionsassignedtoAdamCartersuseraccountwiththepermissionsassignedtotheMarketinggroup,AdamwillhavebothReadandWritepermissionsfortheMarketingPicturesfolder.
ImportantRulesforNTFSPermissionsTherearetwoimportantgroupsofNTFSpermissions:Explicitvs.Inherited.WhenyouapplyNTFSpermissions,permissionsthatareexplicitlyappliedtoafileorafoldertakeprecedenceoverthosethatareinheritedfromaparentfolder.
Denyvs.Allow.AfterNTFSpermissionshavebeendividedintoexplicitandinheritedpermissions,anyexistingDenypermissionsoverrideconflictingAllowpermissionswithinthegroup.
Therefore,takingtheserulesintoaccount,NTFSpermissionsareappliedinthefollowingorder:1.ExplicitDeny
2.ExplicitAllow
3.InheritedDeny
4.InheritedAllow
ItisimportanttorememberthatNTFSpermissionsarecumulative,andtheserulesapplyonlywhentwoNTFSpermissionsettingsconflictwitheachother.HowtoConfigureNTFSPermissionsYoucanviewandconfigureNTFSpermissionsbyfollowingthesesteps:1.Right-clickthefileorfolderforwhichyouwanttoassignpermissions,andthenclickProperties.
2.InthePropertiesdialogbox,clicktheSecuritytab.
3.IntheSecuritytab,selecttheuserorgroupthatyouwanttovieworeditthespecificpermissionsof.
4.Tomodifyexistingpermissionsoraddnewusersorgroups,clicktheEditbutton.ThisopensthePermissionsdialogbox.
WhatAreSharedFolders?
Sharedfoldersareakeycomponenttograntingaccesstofilesonyourserverfromthenetwork.Whenyoushareafolder,thefolderandallofitscontentsaremadeavailabletomultipleuserssimultaneouslyoverthenetwork.SharedfoldersmaintainaseparatesetofpermissionsfromtheNTFSpermissions,whichapplytothefolderscontents.Thesepermissionsprovideanextralevelofsecurityforfilesandfoldersthataremadeavailableonthenetwork.Mostorganizationsdeploydedicatedfileserverstohostsharedfolders.Youcanstorefilesinsharedfoldersaccordingtocategoriesorfunctions.Forexample,youcanputsharedfilesfortheSalesdepartmentinonesharedfolder,andsharedfilesfortheMarketingdepartmentinanother.Note:Thesharingprocessappliesonlytothefolderlevel.Youcannotshareanindividualfileoragroupoffiles.AccessingaSharedFolderUserstypicallyaccessasharedfolderoverthenetworkbyusingitsUniversalNamingConvention (UNC)address.TheUNCaddresscontainsthenameoftheserveronwhichthefolderishosted,andtheactualsharedfoldername,separatedbyabackwardslash (\)andprecededbytwobackwardslashes (\\).Forexample,theUNCpathfortheSalessharedfolderontheLON-SVR1serveris\\LON-SVR1\Sales.SharingaFolderontheNetworkWindowsServer2012providesdifferentwaystoshareafolder:Clicktheappropriatedrive,andthenintheFilesandStorageServicessectioninServerManager,clicktheNewSharetask.
UsetheFileSharingWizard,eitherfromthefoldersshortcutmenu,orbyclickingtheSharebuttonontheSharingtabofthefoldersPropertiesdialogbox.
UseAdvancedSharingbyclickingtheAdvancedSharingbuttonontheSharingtabofthefoldersPropertiesdialogbox.
UsetheNetsharecommand-linetoolfromacommandlinewindow.
UsetheNew-SMBSharecmdletinWindowsPowerShell.Note:Whenyouaresettingupasharedfolder,youwillbeaskedtogiveitaname.Thisnamedoesnothavetobethesamenameastheactualfolder;itcanbeadescriptivenamethatbetterdescribesthefoldercontentstonetworkusers.
AdministrativeSharesIfyouhavesharedfoldersthatneedtobeavailablefromthenetwork,butshouldbehiddenfromusersbrowsingthenetwork,youcancreateadministrative (orhidden)sharedfolders.YoucanaccessanadministrativesharedfolderbytypinginitsUNCpath,butthefolderwillnotbevisibleifyoubrowsetheserverbyusingFileExplorer.Administrativesharedfoldersalsotypicallyhaveamorerestrictivesetofpermissionstoreflecttheadministrativenatureofthefolderscontents.Tohideasharedfolder,appendthedollarsymbol ($)tothefoldersname.Forexample,asharedfolderonLON-SVR1namedSalescanbemadeintoahiddensharedfolderbynamingitSales$.ThesharedfolderisaccessibleoverthenetworkbyusingtheUNCpath\\LON-SVR1\Sales$.Note:Sharedfolderpermissionsapplyonlytouserswhoaccessthefolderoverthenetwork.Theydonotaffectuserswhoaccessthefolderlocallyonthecomputerwherethefolderisstored.SharedFolderPermissionsJustlikeNTFSpermissions,youcanassignsharedfolderpermissionstousers,groups,orcomputers.However,unlikeNTFSpermissions,sharedfolderpermissionsarenotconfigurableforindividualfilesorfolderswithinthesharedfolder.Sharedfolderpermissionsaresetonceforthesharedfolderitself,andapplyuniversallytotheentirecontentsofthesharedfolderforuserswhoaccessthefolderoverthenetwork.Whenyoucreateasharedfolder,thedefaultassignedsharedpermissionfortheEveryonegroupissettoRead.Thefollowingtableliststhepermissionsthatyoucangranttoasharedfolder.SharedfolderpermissionDescription
ReadUserscanviewfolderandfilenames,viewfiledataandattributes,runprogramfilesandscripts,andnavigatethefolderstructurewithinthesharedfolder.
ChangeUserscancreatefolders,addfilestofolders,changedatainfiles,appenddatatofiles,changefileattributes,deletefoldersandfiles,andperformalltaskspermittedbytheReadpermission.
FullControlUserscanchangefilepermissions,takeownershipoffiles,andperformalltaskspermittedbytheChangepermission.
Note:WhenyouassignFullControlpermissionsonasharedfoldertoauser,thatusercanmodifypermissionsonthesharedfolder,whichincludesremovingallusers (includingadministrators),fromthesharedfolderspermissionslist.Inmostcases,youshouldgrantChangePermissioninsteadofFullControlpermission.PermissionsInheritance
Bydefault,NTFSandsharedfoldersuseinheritancetopropagatepermissionsthroughoutafolderstructure.Whenyoucreateafileorafolder,itisautomaticallyassignedthepermissionsthataresetonanyfoldersthatexistaboveit (parentfolders)inthehierarchyofthefolderstructure.HowInheritanceIsAppliedConsiderthefollowingexample.AdamCarterisamemberoftheMarketinggroupandtheNewYorkEditorsgroup.Thefollowingtableisasummaryofthepermissionsforthisexample:FolderorFileAssignedPermissionsAdamsPermissions
Marketing (folder)MarketingPictures (folder)NewYork (folder)Fall_Composite.jpg (file)ReadMarketingNonesetWriteNewYorkEditorsNonesetReadRead (inherited)Read(i)+WriteRead(i)+Write(i)
Inthisexample,Adamisamemberoftwogroupsthatareassignedpermissionsforfilesorfolderswithinthefolderstructure.Theyareasfollows:Thetop-levelfolder,Marketing,hasanassignedpermissionfortheMarketingGroupgivingthemReadaccess.
Inthenextlevel,theMarketingPicturesfolderhasnoexplicitpermissionsset,butbecauseofpermissionsinheritanceAdamhasReadaccesstothisfolderanditscontentsfromthepermissionsthataresetontheMarketingfolder.
Inthethirdlevel,theNewYorkfolderhasWritepermissionsassignedtooneofAdamsgroupsNewYorkEditors.InadditiontothisexplicitlyassignedWritepermission,theNewYorkfolderalsoinheritstheReadpermissionfromtheMarketingfolder.Thesepermissionspassdowntofileandfolderobjects,cumulatingwithanyexplicitReadandWritepermissionssetonthosefiles.
ThefourthandlastlevelistheFall_Composite.jpgfile.Eventhoughnoexplicitpermissionshavebeensetforthisfile,AdamhasbothReadandWriteaccesstothefileduetotheinheritedpermissionsfromboththeMarketingfolderandtheNewYorkfolder.
PermissionConflictsSometimes,explicitlysetpermissionsonafileorfolderconflictwithpermissionsinheritedfromaparentfolder.Inthesecases,theexplicitlyassignedpermissionsalwaysoverridetheinheritedpermissions.Inthegivenexample,ifAdamCarterwasdeniedWriteaccesstotheparentMarketingfolder,butthenexplicitlygrantedWriteaccesstotheNewYorkfolder,thegrantedWriteaccesspermissionstakeprecedenceovertheinheriteddenyWriteaccesspermission.BlockingInheritanceYoucanalsodisabletheinheritancebehaviorforafileorafolder (anditscontents)onanNTFSdrive.Youdothiswhenyouwanttoexplicitlydefinepermissionsforasetofobjectswithoutincludinganyoftheinheritedpermissionsfromanyparentfolders.WindowsServer2012providesanoptionforblockinginheritanceonafileorafolder.Toblockinheritanceonafileorfolder,completethefollowingsteps:1.Right-clickthefileorfolderwhereyouwanttoblockinheritance,andthenclickProperties.
2.InthePropertiesdialogbox,clicktheSecuritytab,andthenclickAdvanced.
3.IntheAdvancedSecuritySettingsdialogbox,clickChangePermissions.
4.InthenextAdvancedSecuritySettingsdialogbox,clickDisableinheritance.
5.Atthispoint,youarepromptedtoeitherconverttheinheritedpermissionsintoexplicitpermissionsorremoveallinheritedpermissionsfromtheobjecttostartwithablankpermissionsslate.
ResettingDefaultInheritanceBehaviorAfteryoublockinheritance,changesmadetopermissionsontheparentfolderstructurenolongerhaveaneffectonthepermissionsforthechildobject (anditscontents)thathasblockedinheritance,unlessyouresetthatbehaviorfromoneoftheparentfoldersbyselectingtheReplaceAllChildObjectsWithInheritablePermissionsFromThisObjectoption.Whenyouselectthisoption,theexistingsetofpermissionsonthecurrentfolderarepropagateddowntoallchildobjectsinthetreestructure,andoverrideallexplicitlyassignedpermissionsforthosefilesandfolders.ThischeckboxislocateddirectlyundertheIncludeInheritablePermissionsFromThisObjectsParentcheckbox.EffectivePermissions
AccesstoafileorfolderinWindowsServer2012isgrantedbasedonacombinationofpermissions.Whenauserattemptstoaccessafileorfolder,thepermissionthatappliesisdependentonvariousfactors,including:Explicitlydefinedandinheritedpermissionsthatapplytotheuser
Explicitlydefinedandinheritedpermissionsthatapplytothegroupstowhichtheuserbelongs
Howtheuserisaccessingthefileorfolders:locally,oroverthenetwork
EffectiveNTFSpermissionsarethecumulativepermissionsthatareassignedtoauserforafileoffolderbasedonthefactorslistedabove.ThefollowingprinciplesdetermineeffectiveNTFSpermissions:CumulativepermissionsarethecombinationofthehighestNTFSpermissionsgrantedtotheuserandtoallthegroupsofwhichtheuserisamember.Forexample,ifauserisamemberofagroupthathasReadpermissionandisamemberofagroupthathasModifypermission,theuserisassignedcumulativeModifypermissions.
DenypermissionsoverrideequivalentAllowpermissions.However,anexplicitAllowpermissioncanoverrideaninheritedDenypermission.Forexample,ifauserisdeniedWriteaccesstoafolderviaaninheritedDenypermission,butisexplicitlygrantedWriteaccesstoasubfolderoraparticularfile,theexplicitAllowoverridestheinheritedDenyfortheparticularsubfolderorfile.
Youcanapplypermissionstoauserortoagroup.Assigningpermissionstogroupsispreferredbecausetheyaremoreefficientthanmanagingpermissionsthataresetformanyindividuals.
NTFSfilepermissionstakepriorityoverfolderpermissions.Forexample,ifauserhasReadpermissiontoafolder,buthasbeengrantedModifypermissiontocertainfilesinthatfolder,theeffectivepermissionforthosefileswillbesettoModify.
EveryobjectinanNTFSdriveorinActiveDirectoryDomainServices (ADDS)isowned.Theownercontrolshowpermissionsaresetontheobjectandtowhompermissionsaregranted.Forexample,auserwhocreatesafileinafolderwheretheyhaveModifypermissionscanchangethepermissionsonthefiletoFullControl.
EffectiveAccessToolWindowsServer2012providesanEffectiveAccesstoolthatshowstheeffectiveNTFSpermissionsonafileorfolderforauser,basedonpermissionsassignedtotheuseraccountandgroupstowhichtheuseraccountbelongs.YoucanaccessEffectiveAccesstoolbythefollowingsteps:1.Right-clickthefileorfolderforwhichyouwanttoanalyzepermissions,andthenclickProperties.
2.InthePropertiesdialogbox,clicktheAdvancedbutton.
3.IntheAdvancedSecuritySettingsdialogbox,clicktheEffectiveAccesstab.
4.ChooseauserorgrouptoevaluatebyusingSelectauser.
CombiningNTFSPermissionsandSharedFolderPermissionsNTFSpermissionsandsharedfolderpermissionsworktogethertocontrolaccesstofileandfolderresourcesthatareaccessedfromanetwork.WhenyouconfigureaccesstonetworkresourcesonanNTFSdrive,usethemostrestrictiveNTFSpermissionstocontrolaccesstofoldersandfiles,andcombinethemwiththemostrestrictivesharedfolderpermissionstocontrolaccesstothenetwork.HowCombiningNTFSandSharedFolderPermissionsWorksWhenyouapplybothNTFSandsharedfolderpermissions,rememberthatthemorerestrictiveofthetwopermissionsdictatestheaccessthatauserwillhavetoafileorfolder.Thefollowingtwoexamplesexplainthisfurther:IfyousettheNTFSpermissionsonafoldertoFullControl,butyousetthesharedfolderpermissionstoRead,thenthatuserhasonlyReadpermissionwhenaccessingthefolderoverthenetwork.Accessisrestrictedatthesharedfolderlevel,andanygreateraccessattheNTFSpermissionsleveldoesnotapply.
Likewise,ifyousetthesharedfolderpermissiontoFullControl,andyousettheNTFSpermissionstoWrite,thentheuserwillhavenorestrictionsatthesharedfolderlevel,buttheNTFSpermissionsonthefoldergrantsonlyWritepermissionstothatfolder.
TheusermusthaveappropriatepermissionsonboththeNTFSfileorfolderandthesharedfolder.Ifnopermissionsexistfortheuser (eitherasanindividualorasthememberofagroup)oneitherresource,accessisdenied.ConsiderationsforCombinedNTFSandSharedFolderPermissionsThefollowingareseveralconsiderationsthatmakeadministeringpermissionsmoremanageable:Grantpermissionstogroupsinsteadofusers.Groupscanalwayshaveindividualsaddedordeleted,whilepermissionsonacase-by-casebasisaredifficulttotrackandcumbersometomanage.
UseDenypermissionsonlywhennecessary.BecauseDenypermissionsareinherited,assigningdenypermissionstoafoldercanresultinusersnotbeingabletoaccessfilesfurtherdowninthefolderstructuretree.YoushouldassignDenypermissionsonlyinthefollowingsituations:oToexcludeasubsetofagroupthathasAllowpermissions
oToexcludeonespecificpermissionwhenyouhavegrantedFullControlpermissionstoauseroragroup
NeverdenytheEveryonegroupaccesstoanobject.IfyoudenytheEveryonegroupaccesstoanobject,youdenyAdministratorsaccessincludingyourself.Instead,removetheEveryonegroupfromthepermissionslist,aslongasyougrantpermissionsfortheobjecttootherusers,groups,orcomputers.
Grantpermissionstoanobjectthatisashighinthefolderstructureaspossible,sothatthesecuritysettingsarepropagatedthroughoutthetree.Forexample,insteadofbringinggroupsrepresentingalldepartmentsofthecompanytogetherintoaReadfolder,assignDomainUsers (whichisadefaultgroupforalluseraccountsonthedomain)totheshare.Inthismanner,youeliminatetheneedtoupdatedepartmentgroupsbeforenewusersreceivethesharedfolder.
UseNTFSpermissionsinsteadofsharedpermissionsforfine-grainedaccess.ConfiguringbothNTFSandsharedfolderpermissionscanbedifficult.Considerassigningthemostrestrictivepermissionsforagroupthatcontainsmanyusersatthesharedfolderlevel,andthenuseNTFSpermissionstoassignpermissionsthataremorespecific.
WhatIsAccess-BasedEnumeration?
Withaccess-basedenumeration,usersseeonlythefilesandfolderswhichtheyhavepermissiontoaccess.Access-basedenumerationprovidesabetteruserexperiencebecauseitdisplaysalesscomplexviewofthecontentsofasharedfolder,makingiteasierforuserstofindthefilesthattheyneed.WindowsServer2012allowsaccess-basedenumerationoffoldersthataserversharesoverthenetwork.EnablingAccess-BasedEnumerationToenableaccess-basedenumerationforasharedfolder:1.OpenServerManager.
2.Inthenavigationpane,clickFileandStorageServices.
3.Inthenavigationpane,clickShares.
4.IntheSharespane,right-clickthesharedfolderforwhichyouwanttoenableaccess-basedenumeration,andthenclickProperties.
5.InthePropertiesdialogbox,clickSettings,andthenselectEnableaccess-basedenumeration.
WhenEnableaccess-basedenumerationisselected,access-basedenumerationisenabledonthesharedfolder.Thissettingisuniquetoeachsharedfolderontheserver.Note:TheFileandStorageServicesconsoleistheonlyplaceintheWindowsServer2012interfacewhereyoucanconfigureaccess-basedenumerationforasharedfolder.Access-basedenumerationisnotavailableinanyofthepropertiesdialogboxesthatareaccessiblebyright-clickingthesharedfolderinFileExplorer.WhatAreOfflineFiles?
Anofflinefileisacopyofanetworkfilethatisstoredonaclientcomputer.Byusingofflinefiles,userscanaccessnetwork-basedfileswhentheirclientcomputerisdisconnectedfromthenetwork.Ifofflinefilesandfoldershavebeeneditedormodifiedbytheclient,thenthechangesaresynchronizedwiththenetworkcopyofthefilesthenexttimetheclientreconnectstothenetwork.ThesynchronizationscheduleandbehaviorofofflinefilesiscontrolledbytheWindowsclientoperatingsystem.Offlinefilesareavailablewiththefollowingoperatingsystems:Windows8.1
Windows8
WindowsServer2012R2
WindowsServer2012
Windows7
WindowsServer2008R2
WindowsServer2008
WindowsVista
WindowsServer2003Note:OfflinefilesisnotavailableinhomeversionsofWindowsoperatingsystems.
OfflineSettingsWithWindowsServer2012,youviewtheOfflineSettingsdialogboxforasharedfolderbyclickingtheCachingbuttonintheAdvancedSharingdialogbox.ThefollowingoptionsareavailablewithintheOfflineSettingsdialogbox:Onlythefilesandprogramsthatusersspecifyareavailableoffline.Thisisthedefaultoptionwhenyousetupasharedfolder.Whenyouusethisoption,nofilesorprogramsareavailableofflinebydefault,anduserscontrolwhichfilesandprogramstheywanttoaccesswhentheyarenotconnectedtothenetwork.Alternatively,youcanchoosetheEnableBranchCacheoption.ThisoptionenablescomputersthatareaccessingthefilestocachefilesdownloadedfromthefolderusingWindowsBranchCache.YoumustinstallandconfigureBranchCacheontheWindowsServer2012servertoselectthisoption.
Nofilesorprogramsfromthesharedfolderareavailableoffline.Thisoptionblocksclientcomputersfrommakingcopiesofthefilesandprogramsonthesharedfolder.
Allfilesandprogramsthatusersopenfromthesharedfolderareautomaticallyavailableoffline.Wheneverauseraccessesthesharedfolderordriveandopensafileorprograminit,thatfileorprogramismadeautomaticallyavailableofflinetothatuser.Filesandprogramsthataremadeautomaticallyavailableofflineremainintheofflinefilescacheandsynchronizewiththeversionontheserveruntilthecacheisfullortheuserdeletesthefiles.Filesandprogramsthatarenotopenedarenotavailableoffline.
Optimizedforperformance.Ifyouselectthisoption,executablefiles (.exe, .dll)thatarerunfromthesharedfolderbyaclientcomputerarecachedonthatclientcomputerautomatically.Thenexttimetheclientcomputerrunstheexecutablefiles,itwillaccessitslocalcacheinsteadofthesharedfolderontheserver.Note:TheOfflineFilesfeaturemustbeenabledontheclientcomputerforfilesandprogramstobecachedautomatically.Inaddition,theOptimizedForPerformanceoptiondoesnothaveanyeffectonclientcomputersthatuseWindowsVistaorolderWindowsoperatingsystems,becausetheseoperatingsystemsperformtheprogram-levelcachingautomatically,asspecifiedbythisoption.
TheAlwaysOfflineModeYoucanconfigureWindowsServer2012andWindows8computerstousetheAlwaysAvailableOfflineModewhenaccessingsharedfolders.Whenyouconfigurethisoption,clientcomputersalwaysusethelocallycachedversionofthefilesfromanetworkshare,eveniftheyareconnectedtothefileserverbyahigh-speednetworkconnection.Thisconfigurationtypicallyresultsinfasteraccesstofilesforclientcomputers,especiallywhenconnectivityorspeedofanetworkconnectionisintermittent.Synchronizationwiththefilesontheserveroccursaccordingtotheofflinefilesconfigurationoftheclientcomputer.HowtoEnabletheAlwaysOfflineModeToenableAlwaysOfflinemode,useGroupPolicytoenabletheConfigureslow-linkmodesetting,andsetthelatencyvalueto1.TheConfigureslow-linkmodesettingislocatedinGroupPolicyundertheComputerConfiguration\AdministrativePolicies\Network\OfflineFilesnode.Demonstration:CreatingandConfiguringaSharedFolderCreatingandconfiguringasharedfolderistypicallydonewithinFileExplorer,fromthefileorfoldersPropertiesdialogboxontheSharingtab.Whencreatingasharedfolder,alwaysensurethatyousetpermissionsthatareappropriateforallofthefilesandfolderswithinthesharedfolderlocation.Inthisdemonstration,youwillseehowto:Createasharedfolder.
Assignpermissionsforthesharedfolder.
Configureaccess-basedenumeration.
Configureofflinefiles.
DemonstrationStepsCreateasharedfolder1.SignintoLON-SVR1asAdatum\AdministratorwiththepasswordPa$$w0rd.
2.OndriveE,createafoldernamedData.
3.SharetheDatafolder.
AssignpermissionsforthesharedfolderGranttheAuthenticatedUsersChangepermissionsfortheDatafolder.
Configureaccess-basedenumeration1.OpenServerManager.
2.NavigatetotheSharepaneintheFileandStorageServicesmanagementconsole.
3.OpentheDataPropertiesdialogboxfor\\LON-SVR1\Data,andenableaccess-basedenumeration.
Configureofflinefiles1.OpentheDataPropertiesdialogboxforE:\Data.
2.NavigatetotheSharingtab,andopentheAdvancedSharingsettings.
3.OpentheCachingsettings,andthendisableofflinefiles.
Lesson2:ProtectingSharedFilesandFoldersbyUsingShadowCopiesYouuseshadowcopiestorestorepreviousversionsoffilesandfolders.Itismuchfastertorestoreapreviousversionofafilefromashadowcopythanfromatraditionalbackupcopy,whichmightbestoredoffsite.Filesandfolderscanberecoveredbyadministrators,ordirectlybyendusers.Thislessonintroducesyoutoshadowcopies,andshowsyouhowtoconfigureascheduleofshadowcopiesinWindowsServer2012.LessonObjectivesAftercompletingthislesson,youwillbeableto:Describeshadowcopies.
Describeconsiderationsforschedulingshadowcopies.
Identifymethodsforrestoringdatafromshadowcopies.
Restoredatafromashadowcopy.
WhatAreShadowCopies?
Ashadowcopyisastaticimage (orasnapshot)ofasetofdata,suchasafileorfolder.Shadowcopiesprovidethecapabilitytorecoverfilesandfoldersbasedonsnapshotsofstoragedrives.Afterasnapshotistaken,youcanviewandpotentiallyrestorepreviousversionsoffilesandfoldersfromthatsnapshot.Ashadowcopydoesnotmakeacompletecopyofallfilesforeachsnapshot.Instead,afterasnapshotistaken,WindowsServer2012trackschangestothedrive.Aspecificamountofdiskspaceisallocatedfortrackingthechangeddiskblocks.Whenyouaccessapreviousversionofafile,someofthecontentmightbeinthecurrentversionofthefile,andsomemightbeinthesnapshot.Bydefault,thechangeddiskblocksarestoredonthesamedriveastheoriginalfile,butyoucanmodifywheretheyarestored.Youcanalsodefinehowmuchdiskspaceisallocatedforshadowcopies.Multiplesnapshotsareretaineduntiltheallocateddiskspaceisfull,afterwhich,oldersnapshotsareremovedtomakeroomfornewsnapshots.Theamountofdiskspacethatisusedbyasnapshotisbasedonthesizeofdiskchangesbetweensnapshots.Becauseasnapshotisnotacompletecopyoffiles,youcannotuseshadowcopiesasareplacementfortraditionalbackups.Ifthediskcontainingadriveislostordamaged,thenthesnapshotsofthatdrivearealsolost.Shadowcopiesaresuitableforrecoveringdatafiles,butnotformorecomplexdata (suchasdatabases),thatneedtobelogicallyconsistentbeforeabackupisperformed.Adatabasethatisrestoredfrompreviousversionsislikelytobecorruptandrequiredatabaserepairs.ConsiderationsforSchedulingShadowCopies
ThedefaultscheduleforcreatingshadowcopiesisMondaythroughFridayat07:00A.M.,andagainatnoon.Youcanmodifythedefaultscheduleasdesiredforyourorganization.Whenschedulingshadowcopies:Considerthatincreasingthefrequencyofshadowcopiesincreasestheloadontheserver.Asabestpractice,youshouldnotscheduledriveshadowcopiesmorethanonceeachhour.
Increasethefrequencyofshadowcopiesforfrequentlychangingdata.Thisincreasesthelikelihoodthatrecentfilechangesarecaptured.
Increasethefrequencyofshadowcopiesforimportantdata.Thisincreasesthelikelihoodthatrecentfilechangesarecaptured.
RestoringDatafromaShadowCopy
Previousversionsoffilescanberestoredbyeitherusersoradministrators.Mostusersareunawarethattheycandothis,andtheywillneedinstructionsonhowtorestoreapreviousversionofafile.Administratorscanaccessandrestorepreviousversionsoffilesdirectlyontheserverthatstoresthefiles.Userscanaccessandrestorepreviousversionsoffilesoverthenetworkfromafileshare.Inbothcases,previousversionsareaccessedfromthePropertiesdialogboxofthefileorfolder.Whenviewingpreviousversionsofafolder,youcanbrowsetheavailablefilesandselectonlythefilethatyouneed.Ifmultipleversionsoffilesareavailable,youcanrevieweachversionbeforedecidingwhichonetorestore.Finally,youcancopyapreviousversionofafiletoanalternatelocationinsteadofrestoringittoitspreviouslocation.Thispreventsoverwritingthecurrentfileversion.WindowsVistaandWindows7operatingsystemclientscanaccesspreviousfileversionswithoutinstallinganyadditionalsoftware.TheabilitytoaccesspreviousfileversionsisnolongersupportedinWindowsoperatingsystemsbeforeWindowsVista.Demonstration:RestoringDatafromaShadowCopyYoucancreateshadowcopiesusingthedefaultschedule,oryoucanmodifythescheduletoprovidemorefrequentsnapshots.Ineithercase,youwillonlyseetheversionsofthefileasithaschanged.Takingashadowcopyofafilethathasnotchangedhasnoactualeffectontheshadowcopy.Noadditionalversionsareavailable,andnospaceisusedinthesnapshotforthatparticularfile.Inthisdemonstration,youwillseehowto:Configureshadowcopies.
Createanewfile.
Createashadowcopy.
Modifythefile.
Restorethepreviousversion.
DemonstrationStepsConfigureshadowcopies1.OnLON-SVR1,openFileExplorer.
2.EnableShadowCopiesforLocalDisk (C:).
Createanewfile1.OpenFileExplorer.
2.CreateafolderondriveCnamedData.
3.CreateatextfilenamedTestFile.txtintheDatafolder.
4.ChangethecontentsofTestFile.txtbyaddingandsavingthetextVersion1.
Createashadowcopy1.InFileExplorer,right-clickLocalDisk (C:),andthenclickConfigureShadowCopies.
2.IntheShadowCopiesdialogbox,clickCreateNow.
3.Whentheshadowcopyiscomplete,clickOK.
Modifythefile1.OpenTestFile.txtasaNotepaddocument.
2.InNotepad,typeVersion2.
3.Savethechanges.
Restorethepreviousversion1.InFileExplorer,right-clickTestFile.txt,andthenclickRestorepreviousversions.
2.Choosethemostrecentversion.
3.IntheAreyousureyouwanttorestoremessage,clickRestore.
4.OpenTestFile.txtandverifythatthepreviousversionisrestored.
Lesson3:ConfiguringWorkFoldersMoreandmore,informationworkerswanttheabilitytousetheirowndevicessuchassmartphonesandtabletstoaccesscorporatedatafileswhileoutoftheoffice.TheWorkFoldersroleserviceaddressthisbyallowinguserstostoreandaccessworkfilesfromanywherewhilecomplyingwithcorporatepolicies.Thisisaccomplishedbysynchronizingcorporatedatatouserdevicesfromacentralized,on-premiseserverusinganewsynchronizationprotocol.Thecorporateorganizationstillmaintainscontrolofthedatabyimplementingpoliciessuchasencryption.LessonObjectivesAftercompletingthelesson,youwillbeableto:DescribetheWorkFoldersroleservice.
DiscussthebenefitsandlimitationsofWorkFolders.
DescribeWorkFolderscomponents.
ConfigureWorkFolders.
WhatistheWorkFoldersRoleService?
WorkFoldersisanewroleserviceoftheFileandStorageServicesroleandisonlyavailableinWindowsServer2012R2.WorkFoldersallowsuserstosynchronizecorporatedatatoalloftheirdevices.WhenausercreatesormodifiesafileinaWorkFoldersfolderonanydeviceorPC,itisautomaticallyreplicated (usingSecureSocketsLayer (SSL)connectionsonport443)toafolderknownasthesyncshareonthecorporatefileserver.ThechangesinthesyncsharearethensecurelyreplicatedtothatusersotherdevicesifthosedevicesareconfiguredtouseWorkFolders.Asyncsharemapstoaphysicallocationonthefileserverwherefilesarestored.Newfoldersorexistingsharedfolderscanbemappedtosyncshares.Clientcomputerscanbeconfiguredtoconnecttothesyncshareeithermanuallyorautomatically.Onceconfiguredontheclientcomputer,theworkfolderappearstotheuserlikeanyotherfolderinFileExplorer.Userscancreatefilesandfoldersintheworkfolderjustastheydoinanyothernetworksharedfolder.ThesefilesandfolderswillbesynchronizedtoallotherdevicesconfiguredtouseWorkFolders.OtherfactorstokeepinmindwhenworkingwithWorkFoldersare:Corporatesecuritypolicescanbeappliedtothedatatoenforceencryption,lockdevices,andwipecorporatedataoffofdevices.
Filemanagementtechnologiessuchasquotas,filescreens,reporting,andclassificationcanbeappliedtofilesandfoldersheldinWorkFolders.
Clientdevicesarelimitedtoonesynchronizepartnershipperuserperdevice.
HowFilesStayInSynchronizationOncethesynchronizepartnershipisestablishedbetweentheclientandtheserver,adatadirectoryiscreatedontheNTFSvolumeontheclientdevice.Ahiddenversiondatabaseisalsocreatedandstoredintheuserprofilethisdatabasetracksthemetadataofthefilesandfoldersstoredintheworkfoldersanddetectswhenchangesoccur.AhiddendownloadstagingdirectoryisusedtoacceptupdatedfilesfromtheWorkFoldersserver.Thefirsttimeausersynchronizesadevice,adatadirectoryanduploadstagingdirectoryiscreatedontheserverforthatuser.Oneversion-databaseiscreatedonthesyncshareforeachuser.Synchronizationoccursthroughchangedetectionontheclientorbypolling.Pollingisdoneevery10minutesbydefault.Whenalocalchangeisdetectedonadevice,theclientconnectstotheserveranduploadsthechangetotheuploadstagingdirectory.Thenthechangeisappliedtotheusersdatadirectoryontheserver.Synchronizationisalwaysinitiatedbytheclientdevice.ConflictResolutionIfafileiseditedandsavedondifferentdevicesatthesametime,bothcopieswillbeuploadedtotheserver.Oneofthefilenameswillhavethenameofthedeviceitwassavedonappendedtoit.Forexample,auseropens,edits,andsavesafilenamedDoc1onhisofficePC;hetheneditstheofflineversiononhistablet.Whenthetabletversionsynchronizes,thefilewillbesavedasDoc1nameoftablet.Therewillnowbetwoversionsofthefileinthesyncshare.BackupandRecoveryFilescanbeselectivelyrestoredeitherontheserverortheclient.Therestoredfileisseenasjustanotherchangeandbecomestheauthoritativeversionthatwillbesynchronizedtotheotherdevices.Whenyouarebackingupclientsystems,donotbackuptheversiondatabase;itwillrebuilditselffromtheserver.Forserverdisasterscenarios,theVolumeShadowCopyService (VSS)writersupportsafullserverrestore.Becausesynchronizationsareinitiatedbytheclientthedatabasebecomescurrentautomaticallyafterreceivingupdatesfromclients.ComparingWorkFolderstoCloud-basedStorageFororganizationsthatwanttomaintaindatastorageon-premiseandalreadyhaveestablishedpracticesarounddatamanagementandstorage,WorkFoldersprovidesasolutionthatuserswillfindfamiliar.Cloud-basedtechnologiessuchasSkyDriveProaregoodsolutionsfororganizationsthatuseSharePointandneedthecollaborationfeaturesofOffice365.BenefitsandLimitationsofWorkFolders
WorkFoldersprovidesanumberofbenefitsthatcannotbeachievedusingexistingtechnologies,buttherearelimitationstowhatWorkFolderscando.BenefitsWorkFoldersprovidesthefollowingbenefits:Itisavailablefordomainjoinedandnon-domainjoinedsystems.Usersneedtoprovidecredentialstoconnectfromnon-domainjoineddevices.
Itprovidesasinglepointofaccesstoworkfilesonausersworkandpersonalcomputersanddevices.
Itprovidesaccesstoworkfileswhileusersareoffline.
ItsynchronizesfilesfortheuserswhenthecomputerordevicenexthasInternetornetworkaccess.
ItcanbedeployedalongsideexistingtechnologiessuchasFolderRedirectionandOfflineFiles.
Datacanbeencryptedwhilein-transitaswellaswhenitissittingonthedeviceitself.
Administratorscanconfiguresecuritypolicies.Thesepoliciesmayincludetoinstructusercomputersanddevicestoencryptworkfoldersandtousealock-screenpassword.
Itcanuseexistingfileservermanagementtechnologiessuchasfileclassificationandfolderquotastomanageuserdata.
FailoverClusteringcanbeusedtoensurehigh-availability.
LimitationsWorkFoldershasthefollowinglimitations:WorkFoldersarecurrentlysupportedonWindowsServer2012R2andWindows8.1only.
Itdoesnotprovidecollaborationfunctionalitysuchassharingsynchronizedfilesorfolderswithotherusers.
Thereisnoabilitytoselectivelysynchronizefilesinworkfolders;allfilesaresynchronized.
Userssynchronizedtotheirownfolderonthefileserverthereisnosupportforsynchronizingtootherfileshares.
WorkFolderComponents
InordertoimplementWorkFolderstherearespecificsoftwarerequirementsandbothserverandclientsidecomponentsthatneedtobeconfigured.SoftwareRequirementsWorkFoldershasthefollowingsoftwarerequirementsforfileservers:AserverrunningWindowsServer2012R2forhostingsyncsharesanduserdata
AnNTFSformattedvolumetostoreuserfiles
Aservercertificatefromacertificationauthority(CA)thatistrustedbyyourusersapublicCAisbest
ToenableuserstosynchronizeacrosstheInternet,thereareadditionalrequirements:ThefileservermustbeaccessiblefromtheInternet
ApubliclyregistereddomainnameandassociatedDomainNameSystem (DNS)records
WorkFoldershasthefollowingsoftwarerequirementsforclientcomputers:Windows8.1
WindowsRT8.1
AnNTFSformattedvolumetostoreuserfilesNote:AWindowsServer2012R2cannotbeaclientofWorkFolders.
ServerComponentsWorkFoldersisaroleserviceoftheFileandStorageServicesrole.TheWorkFoldersroleservicecanbeinstalledonanyeditionofWindowsServer2012R2andcanbeinstalledalongsideanyotherrolesorprograms.Forexample,adomaincontrollerorExchangeservercanalsohostWorkFolders.InstallingtheWorkFoldersroleservicealsoinstallsthefollowingrolesandroleservices:FileServerroleservice
WebServerRole (InternetInformationServices (IIS))role
IISManagementConsoleroleservice
IISHostableWebCoreroleservice
Oncetheroleserviceisinstalled,thesyncsharemustbecreated.Youcancreatemultiplesyncsharesonafileserver.Eachonemapstodifferentfilesystemlocationswithdifferentusersandgroupshavingaccessanddifferentpoliciesdefinedpershare.ClientComponentsTheabilitytoconnecttoandmanageWorkFoldersfoldersandfilesisbuiltintoWindows8.1.Deploymentcanbemanualorautomatic.ManualDeploymentAbuilt-initeminControlPanelnamedWorkFoldersisusedtosupplytheuserscorporateemailaddress.ThisemailaddressisusedtoconstructtheURLfortheWorkFoldersserverandthatURLisusedtoconnecttotheWorkFoldersfolder.IfthereisnocorporateemailaddresstheURLcanbeenteredmanually.Opt-inDeploymentWorkFolderssettingscanbedeliveredviaGroupPolicy,MicrosoftSystemCenter2012ConfigurationManagerorbyWindowsIntune.Afterthesettingsaredelivered,theusercanthendecideiftheywanttouseWorkFoldersonthatdevice.MandatoryDeploymentSettingsaredeliveredviaGroupPolicy,SystemCenter2012ConfigurationManagerorbyWindowsIntune.Nouseractionisrequired.WorkFoldersisconfiguredonthedevice.ConfiguringWorkFolders
ThereareanumberofstepsonboththeserverandaclientthatmustbecompletedinordertosuccessfullyconfigureWorkFolders.ServerConfigurationServerconfigurationbeginswiththeadditionoftheWorkFoldersroleserviceandthentheconfigurationofthesyncshareasoutlinedinthefollowingsteps:1.UseServerManagerorWindowsPowerShelltoaddtheWorkFoldersroleserviceanddependentroleservices.ThefollowingWindowsPowerShellcommandaddstheWorkFoldersroleservice:Add-WindowsFeature FS-SyncShareService
2.UsetheNewSyncShareWizardorWindowsPowerShelltocreateasyncshare.Youmustprovidethefollowinginformation:oThenameoftheserverthatwillhostthesyncshare.
oThepathtothesyncshare.Thisisapathtoalocalfolderoranexistingsharedfolderonthelocalserver.IfyouareusinganexistingsharedfolderthentheworkfolderscanalsobeaccessedbytheUNCpath.
oThefoldernamingformat.Thisisintheformofanemailaddressorauseralias.Theuseraliasiscompatiblewithtechnologiessuchashomefolders.Youcanalsospecifythatonlyasubfolderofthesyncsharewillbesynchronized.
oThenameofthesyncshare.Thisisthefriendlynamethesyncshareisknownby.
oThenamesoftheusersorgroupsthatwillhaveaccesstothesyncshare.Bydefault,inheritedpermissionsontheuserfoldersisdisabledandtheuserisgrantedexclusiveaccesstothefolder,butyoucanchangethat.
oYoucanspecifywhethertoencrypttheworkfoldersandwhethertoautomaticallylockthescreenandrequireapassword.
WindowsPowerShellcmdletsNew-SyncShareandSet-SyncShareareusedtocreateandmodifythesyncshare.ThefollowingexamplecreatesasyncsharenamedSalesShareatthelocalpathofC:\SalesShare,grantsaccesstotheSalesgroup,andsetstheconflictresolutionmethodtokeepthelatestfilesaved.New-SyncShare SalesShare -path C:\SalesShare -User Contoso\Sales -ConflictResolution KeepLatest
TheservermusthaveanSSLcertificateinstalledinthecomputersTrustedRootCertificationAuthority.Thecommonname (CN)inthecertificatemustmatchthenameusedastheWorkFoldersURL.Forexample,iftheclientismakingarequesttohttps://syncsvr.contoso.com,thentheCNmustalsobehttps://syncsvr.contoso.com.Note:Asinglefileservercanhostmultiplesyncshares,whichwillrequireacertificatewithmultiplehostnames (aSubjectAlternativeName (SAN)certificatecanbeused).ClientConfigurationClientscanbeconfiguredeithermanuallyorautomatically.IneithercasetheWorkFoldersconnectionusesSSL,thereforeclientsmusttrusttheservercertificate.AlthoughitispossibletouseaninternalCA,thosecertificatesarenotnormallytrustedbynon-domainjoineddevices.Asabestpractice,purchasetheservercertificatefromapublicCA.ReferenceLinks:FormoreinformationaboutcertificatesforWorkFoldersseethearticle"WorkFoldersCertificateManagement"athttp://go.microsoft.com/fwlink/?LinkID=331094.ManualConfigurationThisrequirestheusertolaunchtheWorkFoldersiteminControlPanelandentertheircorporateemailaddress.ThisaddressisusedtobuildtheURL (bydefaultHTTPS://FQDN)ofthefileserver,whichwillconnecttheusertoWorkFolders.IftheURLcannotbediscoveredbyusingtheusersemailaddress,theURLcanbeinputmanually.AutomaticConfigurationusingGroupPolicyAutomaticconfigurationcanbeaccomplishedviaGroupPolicy.ThefollowingGroupPolicysettingsareusedforconfiguringclientcomputers:SettingDescription
ForceautomaticsetupforallusersThiscomputerconfigurationsettingspecifieswhetherWorkFolderswillbesetupautomaticallyforallusersonthiscomputer.Thispreventsusersfrommanuallyspecifyingthelocalfolderinwhichfilesarestored.WorkFoldersusesthesettingsspecifiedintheuserGroupPolicyconfigurationforWorkFolders.
SpecifyWorkFolderssettingsThisuserconfigurationsettingspecifiestheWorkFoldersserveraswellaswhetherornottheusersareallowedtochangesettingsondomain-joinedcomputers.Whenenabled,usersreceivesettingsfortheWorkFoldersURLandtheycanbepreventedfrommanuallyspecifyingthelocalfolderinwhichworkfoldersarestored.Thedefaultlocationis%userprofile%\WorkFolders.
Note:AutomaticconfigurationusingSystemCenter2012ConfigurationManagerorWindowsIntuneisbeyondthescopeofthiscourse.Demonstration:HowtoConfigureWorkFoldersInthisdemonstration,youwillseehowto:InstalltheWorkFoldersroleservice.
Createasyncshareforworkfoldersonafileserver.
ConfigureWorkFolderaccessonaWindows8.1client.
Createafileintheworkfolder.
ConfigureWorkFolderstosynchronizedataonasecondWindows8.1client.
DemonstrationStepsInstalltheWorkFoldersroleserviceOnLON-SVR1,installtheWorkFoldersroleservice.
CreateasyncshareonafileserverInServerManager,inFileandStorageServicesusetheNewSyncShareWizardtocreateanewsyncsharewiththefollowingparameters:oServerName:LON-SVR1
oSelectbyfileshare:Data
oStructureforuserfolders:Useralias
oSyncsharename:WorkFolders
oGrantsynchronizeaccesstogroups:DomainUsers
oDevicepolicies:Automaticallylockscreen,andrequireapassword
ConfigureWorkFolderaccessonaWindows8.1client1.SignintoLON-CL1asAdatum\AdministratorwiththepasswordPa$$w0rd.
2.NavigatetoC:\Labfiles\Mod10andruntheWorkFolders.bat.Thisbatchfileaddsaregistryentrythatallowsunsecuredconnectionstoworkfolders.
3.OpenControlPaneland,inSystemandSecurity,opentheWorkFoldersitem.
4.SetupWorkFoldersasfollows:ClickEnteraWorkFoldersURLinstead.oWorkFoldersURL:http://lon-svr1.adatum.comNormallythisrequiresasecureconnection
oWorkFolderslocation:Acceptdefault
oPolicies:Acceptthepolicies
5.SetuptheWorkFoldersfolder.
6.OpenFileExplorer.NoticethereisnowaWorkFoldersfolderundertheThisPCfolder.
CreateafileintheworkfolderOpentheWorkFoldersfolderandcreateanewtextdocument.
Synchronizedataonasecondclientcomputer1.SignintoLON-CL2asAdatum\AdministratorwiththepasswordPa$$w0rd.
2.NavigatetoC:\Labfiles\Mod10anddouble-clickSetIP.bat.ThisconfigurestheIPaddressoftheclienttobeonthecorrectsubnet.
3.Repeatsteps2through6fromtheConfigureWorkFolderaccessonaWindows8.1Clienttask.
4.OpentheWorkFoldersfolderandnoticethefileyoucreatedisavailablefromthiscomputer.
5.Closeallopenwindows.
6.UseHyper-VManageronthehostcomputertoRevert20410C-LON-CL2.
Lesson4:ConfiguringNetworkPrintingByusingthePrintandDocumentServicesroleinWindowsServer2012,youcanshareprintersonanetworkandcentralizeprintserverandnetworkprintermanagement.ByusingthePrintManagementconsole,youcanmonitorprintqueues,andreceiveimportantnotificationsregardingprintserveractivity.WindowsServer2012introducesnewfeaturesandimportantchangestothePrintandDocumentServicesrolethatyoucanusetomanageyournetworkprintingenvironmentbetter.Thislessonexplainstheimportantaspectsofnetworkprinting,andintroducesnewnetworkprintingfeaturesthatareavailableinWindowsServer2012.LessonObjectivesAftercompletingthelesson,youwillbeableto:Identifythebenefitsofnetworkprinting.
DescribeEnhancedPointandPrint.
Identifysecurityoptionsfornetworkprinting.
Createmultipleconfigurationsforaprintdevice.
Describeprinterpooling.
DescribeBranchOfficeDirectPrinting.
Identifymethodsfordeployingprinterstoclients.
BenefitsofNetworkPrinting
YoucanconfigurenetworkprintingbyusingWindowsServer2012asaprintserverforusers.Inthisconfiguration,clientcomputerssubmitprintjobstotheprintserverfordeliverytoaprinterthatisconnectedtothenetwork.BenefitsofNetworkPrintingCentralizedmanagement.ThebiggestbenefitofusingWindowsServer2012asaprintserveriscentralizedmanagementofprinting.Insteadofmanagingclientconnectionstomanyindividualdevices,youmanagetheirconnectiontotheserver.Youinstallprinterdriverscentrallyontheserver,andthendistributethemtoworkstations.
Simplifiedtroubleshooting.Byinstallingprinterdriverscentrallyonaserver,youalsosimplifytroubleshooting.Itisrelativelyeasytodeterminewhetherprintingproblemsarecausedbytheprinter,server,orclientcomputer.
Lowercosts.Anetworkprinterismoreexpensivethanthosetypicallyusedforlocalprinting,butitalsohassignificantlylowerconsumablescostsandbetterqualityprinting.Therefore,thecostofprintingisstillminimized,becausetheinitialcostoftheprinterisspreadoverallthecomputersthatconnecttothatprinter.Forexample,asinglenetworkprintercouldservice100usersormore.
Userscansearchforprinterseasily.YoucanalsopublishnetworkprintersinADDS,whichallowsuserstosearchforprintersintheirdomain.
EnterprisePrintManagementWindowsServer2012providesaPrintManagementconsolethatallowsadministratorstomanageprintingfortheentireenterprisefromasingleinterface.ThePrintManagementconsoleprovidesreal-timeinformationaboutthestatusofprintersandprintserversonthenetworkandcantakeactionssuchassendingnotificationsorrunningscriptswhenprintersneedattention.WiththisconsoleyoucanconnecttoandmanageprintersonprintserversrunningMicrosoftWindows2000andhigher.ThePrintServicesToolsarenotinstalledbydefault;youinstalltheroleusingServerManagerorWindowsPowerShell.Onceinstalled,PrintServicescandetectprintdevicesthatexistonthesamesubnetastheprintserver,installtheappropriateprinterdrivers,setupprintqueuesandsharetheprinters.PrinterscanthenbedeployedtousersorcomputersthrougheitherexistingornewgrouppoliciesdirectlyfromthePrintManagementconsole.ReferenceLinks:FormoreinformationseetheTechNetarticlePrintManagementStep-by-StepGuideathttp://go.microsoft.com/fwlink/?LinkID=331093.WhatIsEnhancedPointandPrint?
EnhancedPointandPrintisanewfeatureinWindowsServer2012thatmakesiteasiertoinstalldriversfornetworkprinters.EnhancedPointandPrintusesthenewversion4 (v4)drivertypethatisintroducedinWindowsServer2012andWindows8.UnderstandingV3DriversandV4DriversTheWindowsprinterdriverstandardthatisusedinpreviousversionsofWindowsServerhasexistedinrelativelythesameformsincetheintroductionofversion3 (v3)driversintheMicrosoftWindows2000operatingsystems.Withv3drivers,printermanufacturerscreatecustomizedprintdriversforeachspecificdevicethattheyproduce,toensurethatWindowsappscanusealloftheirprintersfeatures.Withthev3model,printerinfrastructuremanagementrequiresadministratorstomaintaindriversforeachprintdeviceintheenvironment,andseparate32-bitand64-bitdriversforasingleprintdevice,tosupportbothplatforms.IntroducingtheV4PrinterDriverWindowsServer2012andWindows8includesupportforv4printdrivers,whichenablesimprovedprintdevicedrivermanagementandinstallation.Underthev4model,printdevicemanufacturerscancreatePrintClassDriversthatsupportsimilarprintingfeaturesandprintinglanguagethatmaybecommontoalargesetofdevices.CommonprintinglanguagesmayincludePrinterControlLanguage (PCL), .ps,orXMLPaperSpecification (XPS).V4driversaretypicallydeliveredbyusingWindowsUpdateorWindowsSoftwareUpdateServices.Unlikev3drivers,v4driversarenotdeliveredfromaprinterstorethatishostedontheprintserver.Thev4drivermodelprovidesthefollowingbenefits:Sharingaprinterdoesnotrequireprovisioningdriversthatmatchtheclientarchitecture.
Driverfilesareisolatedonaper-driverbasis,preventingdriverfilenamingconflicts.
Asingledrivercansupportmultipledevices.
Driverpackagesaresmallerandmorestreamlinedthanv3drivers,resultinginfasterdriverinstallationtimes.
Theprinterdriverandtheprinteruserinterfacecanbedeployedindependently.
UsingEnhancedPointandPrintforDriverInstallationUnderthev4model,printersharinganddriverinstallationoperatesautomaticallyunderEnhancedPointandPrint.Whenanetworkprinterisinstalledonaclientcomputer,theserverandclientworktogethertoidentifytheprintdevice.Thedrivertheninstallsdirectlyfromthedriverstoreontheclientmachine,orfromWindowsUpdateorWindowsSoftwareUpdateServices.WithEnhancedPointandPrint,theprintdevicedriversnolongerneedtobemaintainedontheprintserver.Driverinstallationfornetworkprintdevicesbecomesfasterbecauseprinterdriversnolongerneedtobetransferredoverthenetworkfromservertoclient.Ifthedriverstoreontheclientmachinedoesnotcontainadriverforthenetworkprinterthatisbeinginstalled,andifanappropriatedrivercannotbeobtainedfromWindowsUpdateorWindowsServerUpdateServices,Windowsusesafallbackmechanismtoenablecross-platformprintingusingtheprintdriverfromtheprintserver.SecurityOptionsforNetworkPrinting
Whenaprinterissharedoveranetwork,inmanycasesnosecurityisrequired.Theprinterisconsideredopen-access,meaningeveryoneisallowedtoprintonit.ThisisthedefaultconfigurationforaprinterthatissharedonaWindowsserver.Thepermissionsthatareavailableforsharedprintinginclude:Print:Thispermissionallowsuserstoprintdocumentsontheprinter.Bydefault,theEveryonegroupisassignedthispermission.
Managethisprinter:Thispermissionallowsuserstomodifyprintersettings,includingupdatingdrivers.Bydefault,thispermissionisgiventoAdministrators,ServerOperators,andPrintOperators.
Managedocuments:Thispermissionallowsuserstomodifyanddeleteprintjobsinthequeue.ThispermissionisassignedtoCREATOROWNER,whichmeansthattheuserwhocreatesaprintjobmanagesthatjob.Administrators,ServerOperators,andPrintOperatorsalsohavethispermissionforallprintjobs.
Demonstration:CreatingMultipleConfigurationsforaPrintDeviceCreatingmultipleconfigurationsforaprintdeviceenablesyoutoassignprintqueuestospecificusersorgroupssothattheycanprinthighpriorityjobstoaprinterthatisbeingusedbyotherusers.Whenaprintjobissenttothehighpriorityprintqueue,theprintserverwillprocessthejobbeforeanyjobscomingfromthenormalpriorityqueue.Inthisdemonstration,youwillseehowto:Createasharedprinter.
Createasecondsharedprinterusingthesameport.
Increaseprintingpriorityforahighpriorityprintqueue.
DemonstrationStepsCreateasharedprinter1.OnLON-SVR1,opentheDevicesandPrinterswindow.
2.AddaprinterusingtheLPT1localport,andtheBrotherColorLegType1Classdriver.
3.NametheprinterAllUsers.
4.Sharetheprinterusingthedefaultsettings.
Createasecondsharedprinterusingthesameport1.OnLON-SVR1,pentheDevicesandPrinterswindow.
2.AddaprinterusingtheLPT1localport,andtheBrotherColorLegType1Classdriver.
3.NametheprinterExecutives.
4.Sharetheprinterusingthedefaultsettings.
Increaseprintingpriorityforahighpriorityprintqueue1.OpentheExecutivesPrinterpropertieswindow.
2.IncreasethePriorityto10.
WhatIsPrinterPooling?
Printerpoolingisawaytocombinemultiplephysicalprintersintoasinglelogicalunit.Toclientcomputers,theprinterpoolappearstobeasingleprinter.Whenjobsaresubmittedtotheprinterpool,anyavailableprinterintheprinterpoolcanprocessthem.Printerpoolingincreasesthescalabilityandavailabilityofnetworkprintingbyusingaprinterpool.Ifoneprinterinthepoolisunavailable (forexample,fromalargeprintjob,apaperjam,orbeingoffline),alljobsaredistributedtotheremainingprinters.Ifaprinterpooldoesnothavesufficientcapacity,youcanaddanotherprintertotheprinterpoolwithoutperforminganyclientconfiguration.Aprinterpoolisconfiguredonaserverbyspecifyingmultipleportsforaprinter.Eachportisthelocationofonephysicalprinter.Inmostcases,theportsareanIPaddressonthenetwork,insteadofalocalLPTorUSBconnection.Therequirementsforaprinterpoolareasfollows:Printersmustusethesamedriver:Clientsuseasingleprinterdriverforgeneratingprintjobs.Allprintersmustacceptprintjobsinthesameformat.Inmanycases,thismeansthatasingleprintermodelisused.
Printersshouldbeinthesamelocation:Theprintersinaprinterpoolshouldbelocatedphysicallyclosetogether.Whenusersretrievetheirprintjobs,theymustcheckallprintersintheprinterpooltofindtheirdocument.Thereisnowayforuserstoknowwhichprinterhasprintedtheirdocument.
WhatIsBranchOfficeDirectPrinting?
BranchOfficeDirectPrintingreducesnetworkcostsfororganizationsthathavecentralizedtheirWindowsServerroles.WhenBranchOfficeDirectPrintingisenabled,Windowsclientsobtainprinterinformationfromtheprintserver,butsendtheprintjobsdirectlytotheprinter.Theprintdatanolongertravelstothecentralserverandthenbacktothebranchofficeprinter.Thisconfigurationreducestrafficbetweentheclientcomputer,theprintserver,andthebranchofficeprinter,andresultsinincreasednetworkefficiency.BranchOfficeDirectPrintingistransparenttotheuser.Inaddition,theusercanprinteveniftheprintserverisunavailableforsomereason (forexampleifthewideareanetwork (WAN)linktothedatacenterisdown).Thisisbecausetheprinterinformationiscachedontheclientcomputerinthebranchoffice.ConfiguringBranchOfficeDirectPrintingBranchOfficeDirectPrintingisconfiguredbyanadministratorusingthePrintManagementconsoleoraWindowsPowerShellcommand-lineinterface.ToconfigureBranchOfficeDirectPrintingfromthePrintManagementconsole,usethefollowingsteps:1.InServerManager,openthePrintManagementconsole.
2.Inthenavigationpane,expandPrintServers,andthenexpandtheprintserverthatishostingthenetworkprinterforwhichBranchOfficeDirectPrintingwillbeenabled.
3.ClickthePrintersnode,right-clickthedesiredprinter,andthenclickEnableBranchOfficeDirectPrinting.
ToconfigureBranchOfficeDirectPrintingusingWindowsPowerShell,typethefollowingcmdletataWindowsPowerShellprompt:Set-Printer -name "" -ComputerName -RenderingMode BranchOffice DeployingPrinterstoClients
Deployingprinterstoclientsisacriticalpartofmanagingprintingservicesonthenetwork.Awell-designedsystemfordeployingprintersisscalableandcanbeusedtomanagehundredsorthousandsofcomputers.Theoptionsfordeployingprintersare:GroupPolicypreferences.YoucanuseGroupPolicypreferencestodeploysharedprinterstoWindowsXP,WindowsVista,Windows7,andWindows8clients.Theprintercanbeassociatedwitheithertheuseraccountorcomputeraccount,andcanbetargetedbygroup.ForWindowsXPcomputers,youmustinstalltheGroupPolicyPreferenceClientExtension.
GroupPolicyObject (GPO)createdbyPrintManagement.ThePrintManagementadministrativetoolcanaddprinterstoaGPOfordistributiontoclientcomputersbasedoneitherauseraccountoracomputeraccount.WindowsXPcomputersmustbeconfiguredtorunPushPrinterConnections.exe.
Manualinstallation.EachusercanaddprintersmanuallybyeitherbrowsingthenetworkorusingtheAddPrinterWizard.Itisimportanttonotethatnetworkprintersthatareinstalledmanuallyareavailableonlytotheuserthatinstalledthem.Ifmultipleusersshareacomputer,theymusteachinstalltheprintermanually.
Lab:ImplementingFileandPrintServicesScenarioYourmanagerhasrecentlyaskedyoutoconfigurefileandprintservicesforthebranchoffice.Thisrequiresyoutoconfigureanewsharedfolderthatwillbeusedbymultipledepartments,configureshadowcopiesonthefileservers,andconfigureaprinterpool.ManyotheruserswanttobeabletoworkontheirdatafileswhiletheyareconnectedacrosstheInternettootherdevices,forexample,WindowsRT-basedtablets.Youmustensurethattheseusersareabletoaccesstheirwork-relateddatafilesfromotherlocationswhenoffline.ObjectivesAfterperformingthislabyouwillbeableto:Createandconfigureafileshare.
Configureshadowcopies.
EnableandconfigureWorkFolders.
Createandconfigureaprinterpool.
LabSetupEstimatedtime:60minutes
Virtualmachines20410C-LON-CL120410C-LON-DC120410C-LON-SVR1
UsernameAdatum\Administrator
PasswordPa$$w0rd
Forthislab,youwillusetheavailablevirtualmachineenvironment.Beforebeginningthelab,youmustcompletethefollowingsteps:1.Onthehostcomputer,clickStart,pointtoAdministrativeTools,andthenclickHyper-VManager.
2.InHyper-VManager,click20410C-LON-DC1andintheActionspane,clickStart.
3.IntheActionspane,clickConnect.Waituntilthevirtualmachinestarts.
4.Signinusingthefollowingcredentials:oUsername:Administrator
oPassword:Pa$$w0rd
oDomain:Adatum
5.Repeatsteps2through4for20410C-LON-SVR1.
6.Repeatsteps2and3for20410C-LON-CL1.DonotsignintoLON-CL1untildirectedtodoso.
Exercise1:CreatingandConfiguringaFileShareScenarioYourmanagerhasaskedyoutocreateanewsharedfolderforusebyalldepartments.Therewillbeasinglefilesharewithseparatefoldersforeachdepartment.Toensurethatusersonlyseefilestowhichtheyhaveaccess,youneedtoenableaccess-basedenumerationontheshare.Therehavebeenproblemsinotherbranchofficeswithconflictswhenofflinefilesareusedforshareddatastructures.Toavoidconflicts,youneedtodisableOfflineFilesforthisshare.Themaintasksforthisexerciseareasfollows:1.Createthefolderstructureforthenewshare.
2.ConfigureNTFSpermissionsonthefolderstructure.
3.Createthesharedfolder.
4.Testaccesstothesharedfolder.
5.Enableaccess-basedenumeration.
6.Testaccesstotheshare.
7.DisableOfflineFilesfortheshare.
Task1:CreatethefolderstructureforthenewshareOnLON-SVR1,openFileExplorerandcreatethefollowingfolders:oE:\Data
oE:\Data\Development
oE:\Data\Marketing
oE:\Data\Research
oE:\Data\Sales
Task2:ConfigureNTFSpermissionsonthefolderstructure1.InFileExplorer,blocktheNTFSpermissionsinheritanceforE:\Data,andwhenprompted,convertinheritedpermissionsintoexplicitpermissions.
2.InFileExplorer,removepermissionsforLON-SVR1\UsersonsubdirectoriesinE:\Data.
3.InFileExplorer,addthefollowingNTFSpermissionsforthefolderstructure:FolderPermissions
E:\DataNochange
E:\Data\DevelopmentModify:Adatum\Development
E:\Data\MarketingModify:Adatum\Marketing
E:\Data\ResearchModify:Adatum\Research
E:\Data\SalesModify:Adatum\Sales
Task3:Createthesharedfolder1.InFileExplorer,sharetheE:\Datafolder.
2.Assignthefollowingpermissionstothesharedfolder:oChange:Adatum\AuthenticatedUsers
Task4:Testaccesstothesharedfolder1.SignintoLON-CL1asAdatum\BernardwiththepasswordPa$$w0rd.Note:BernardisamemberoftheDevelopmentgroup.
2.OpenFileExplorer.
3.Navigateto\\LON-SVR1\Data.
4.AttempttoopentheDevelopment,Marketing,Research,andSalesfolders.Note:BernardshouldhaveaccesstotheDevelopmentfolder.However,althoughBernardcanstillseetheotherfolders,hedoesnothaveaccesstotheircontents.
5.SignoutofLON-CL1.
Task5:Enableaccess-basedenumeration1.SwitchtoLON-SVR1.
2.OpenServerManager.
3.ClickFileandStorageManagement.
4.ClickShares.
5.OpenthePropertiesdialogboxfortheDatashare,andontheSettingspage,enableAccess-basedenumeration.
Task6:Testaccesstotheshare1.SignintoLON-CL1asAdatum\BernardwiththepasswordPa$$w0rd.
2.OpenFileExplorer,andnavigateto\\LON-SVR1\Data.Note:BernardcannowviewonlytheDevelopmentfolder,thefolderforwhichhehasbeenassignedpermissions.
3.OpentheDevelopmentfoldertoconfirmaccess.
4.SignoutofLON-CL1.
Task7:DisableOfflineFilesfortheshare1.SwitchtoLON-SVR1.
2.OpenFileExplorer.
3.NavigatetodriveE.
4.OpenthePropertiesdialogboxfortheDatafolder,anddisableOfflinefilecaching.
Results:Aftercompletingthisexercise,youwillhavecreatedanewsharedfolderforusebymultipledepartments.Exercise2:ConfiguringShadowCopiesScenarioA.DatumCorporationstoresdailybackupsoffsitefordisasterrecovery.Everymorningthebackupfromthepreviousnightistakenoffsite.Torecoverafilefrombackuprequiresthebackuptapestobeshippedbackonsite.Theoveralltimetorecoverafilefrombackupcanbeadayormore.Yourmanagerhasaskedyoutoensurethatshadowcopiesareenabledonthefileserversoyoucanrestorerecentlymodifiedordeletedfileswithoutusingabackuptape.Becausethedatainthisbranchofficechangesfrequently,youhavebeenaskedtoconfigureashadowcopytobecreatedonceperhour.Themaintasksforthisexerciseareasfollows:1.Configureshadowcopiesforthefileshare.
2.Createmultipleshadowcopiesofafile.
3.Recoveradeletedfilefromashadowcopy.
Task1:Configureshadowcopiesforthefileshare1.OnLON-SVR1.
2.OpenFileExplorer.
3.NavigatetodriveE,right-clickAllfiles (E:),andthenclickConfigureShadowCopies.
4.EnableShadowCopiesfordriveE.
5.ConfigurethesettingstoschedulehourlyshadowcopiesfordriveE.
Task2:Createmultipleshadowcopiesofafile1.OnLON-SVR1,switchtoFileExplorer,andnavigatetoE:\Data\Development.
2.CreateanewtextfilenamedReport.txt.
3.SwitchbacktotheAllfiles (E:)Propertiesdialogbox;itshouldstillbeopenedontheShadowCopiestab.ClickCreateNow.
Task3:Recoveradeletedfilefromashadowcopy1.OnLON-SVR1,switchbacktoFileExplorer.
2.DeletetheReport.txtfile.
3.OpenthePropertiesdialogboxforE:\Data\Development,andthenclickthePreviousVersionstab.
4.OpenthemostrecentversionoftheDevelopmentfolder,andthencopytheReport.txtfile.
5.PastethefilebackintotheDevelopmentfolder.
6.CloseFileExplorerandallopenwindows.
Results:Aftercompletingthisexercise,youwillhaveenabledshadowcopiesonthefileserver.Exercise3:EnablingandConfiguringWorkFoldersScenarioYoumustnowenableandconfigureWorkFolderstosupporttherequirementsofyourusers.DomainusershavetheirownWindows8.1andWindowsRT8.1tabletdevicesandwantaccesstotheirworkdatafromanywhere.Whentheyreturntowork,theywanttobeabletosynchronizethesedatafiles.YouwilluseGroupPolicytoforcetheWorkFolderssettingstousersandtestthesettings.Themaintasksforthisexerciseareasfollows:1.InstalltheWorkFoldersroleservice.
2.CreateaSyncShareontheFileServer.
3.AutomatesettingsforusersviaGroupPolicy.
4.Testsynchronization.
Task1:InstalltheWorkFoldersroleserviceOnLON-SVR1,useWindowsPowerShelltorunthefollowingcommandtoinstalltheWorkFoldersroleservice:Add-WindowsFeatureFS-SyncShareServiceNotethatthenameofthefeatureiscase-sensitive.
Task2:CreateaSyncShareontheFileServer1.OnLON-SVR1,useWindowsPowerShelltorunthefollowingcommandtocreatethesyncsharenamedCorp:New-SyncShareCorppathC:\CorpDataUserAdatum\DomainUsers
2.OpenServerManagerandviewtheWorkFolderstoensurethesyncsharewascreated.
Task3:AutomatesettingsforusersviaGroupPolicy1.OnLON-DC1,createaGPOnamedWorkFoldersandlinkittotheAdatum.comdomain.
2.EdittheWorkFoldersGPOasfollows:oNavigatetoUserConfiguration\Policies\AdministrativeTemplates\WindowsComponents\WorkFolders.
oEnabletheSpecifyWorkFolderssettingspolicyandspecifytheWorkFoldersURLashttp://lon-svr1.Adatum.com.
oSelectForceautomaticsetuptoforceautomaticsetup.
3.Closeallopenwindows.
Task4:Testsynchronization1.SignintoLON-CL1asAdatum\AdministratorwiththepasswordPa$$w0rd.
2.UseFileExplorertonavigatetoC:\Labfiles\Mod10anddouble-clickWorkFolders.batThisaddsaregistryentrytoallowunsecuredconnectionstotheworkfolders.
3.SignoutofLON-CL1.
4.SignintoLON-CL1asAdatum\Administrator.
5.InFileExplorer,openWorkFoldersandcreateanewtextdocumentnamedTestFile2.
6.SwitchtoLON-SVR1anduseFileExplorertoopenC:\CorpData\Administrator.Ensurethenewtextfileyoucreatedexists.
Results:Aftercompletingthisexercise,youwillhaveinstalledtheWorkFoldersroleservice,createdasyncshare,andcreatedaGroupPolicyObjecttodeliverthesettingstotheusersautomatically.Youwillhavealsotestedthesettings.Exercise4:CreatingandConfiguringaPrinterPoolScenarioYourmanagerhasaskedyoutocreateanewsharedprinterforyourbranchoffice.However,insteadofcreatingthesharedprinteronthelocalserverinthebranchoffice,hehasaskedyoutocreatethesharedprinterintheheadofficeanduseBranchOfficeDirectPrinting.Thisallowstheprintertobemanagedintheheadoffice,butpreventsprintjobsfromtraversingWANlinks.Toensurehighavailabilityofthisprinter,youneedtoformatitasapooledprinter.Twophysicalprintdevicesofthesamemodelhavebeeninstalledinthebranchofficeforthispurpose.Themaintasksforthisexerciseareasfollows:1.InstallthePrintandDocumentServicesserverrole.
2.Installaprinter.
3.Configureprinterpooling.
4.Installaprinteronaclientcomputer.
Task1:InstallthePrintandDocumentServicesserverrole1.OnLON-SVR1,openServerManager.
2.InstallthePrintandDocumentServicesrole,andacceptthedefaultsettings.
Task2:Installaprinter1.OnLON-SVR1,usethePrintManagementconsoletoinstallaprinterwithfollowingparameters:oIPAddress:172.16.0.200
oDriver:MicrosoftXPSClassDriver
oName:BranchOfficePrinter
2.Sharetheprinter.
3.ListtheprinterinADDS.
4.EnableBranchOfficeDirectPrinting.
Task3:Configureprinterpooling1.OnLON-SVR1,inthePrintManagementconsole,createanewportwiththefollowingconfiguration:oType:StandardTCP/IPport
oIPAddress:172.16.0.201
oConnection:GenericNetworkCard
2.OpentheBranchOfficePrinterPropertiesdialogbox,andonthePortstab,enableprinterpooling.
3.Selectport172.16.0.201asthesecondport.
Task4:InstallaprinteronaclientcomputerOnLON-CL1,addaprinter,selectingtheBranchOfficePrinteronLON-SVR1printer.
Results:Aftercompletingthisexercise,youwillhaveinstalledthePrintandDocumentServicesserverroleandinstalledaprinterwithprinterpooling.PrepareforthenextmoduleAfteryoufinishthelab,revertthevirtualmachinestotheirinitialstate.Todothis,completethefollowingsteps.1.Onthehostcomputer,startHyper-VManager.
2.IntheVirtualMachineslist,right-click20410C-LON-SVR1,andthenclickRevert.
3.IntheRevertVirtualMachinedialogbox,clickRevert.
4.Repeatsteps2and3for20410C-LON-CL1and20410C-LON-DC1.
LabReviewQuestionsQuestion:Howdoesimplementingaccess-basedenumerationbenefittheusersoftheDatasharedfolderinthislab?Question:Isthereanotherwayyoucouldrecoverthefileintheshadowcopyexercise?Whatbenefitdoshadowcopiesprovideincomparison?Question:InExercise3,howcouldyouconfigureBranchOfficeDirectPrintingifyouwereinaremotelocationanddidnothaveaccesstotheWindowsServer2012GUIfortheprintserver?ModuleReviewandTakeawaysReviewQuestionsQuestion:Howdoesinheritanceaffectexplicitlyassignedpermissionsonafile?Question:Whyshouldyounotuseshadowcopiesasameansfordatabackup?Question:InwhichscenarioscouldBranchOfficeDirectPrintingbebeneficial?ToolsToolUseWheretofindit
EffectiveAccessToolAssessingcombinedpermissionsforafile,folder,orsharedfolder.UnderAdvanced,ontheSecuritytabofthePropertiesdialogboxofafile,folderorsharedfolder.
Netsharecommand-linetoolConfiguringWindowsServer2012networkingcomponents.CommandPromptwindow.
PrintManagementconsoleManagingtheprintenvironmentinWindowsServer2012.TheToolsmenuinServerManager.
