70-412: Configuring Advanced Windows Server 2012 services

70-412: Configuring Advanced Windows Server 2012 Services
Chapter 2: Configure File and Storage Solutions

Objective 2.1: Configuring Advanced File Services

Network File System (NFS)
Network File System (NFS) is a distributed file system protocol used to access files over a network, similar to accessing a file through a shared folder in Windows, which uses Server Message Block (SMB). It is used with UNIX and Linux file server clients and VMware. Therefore, to support these clients, Windows Server 2012 supports NFS.
© 2013 John Wiley & Sons, Inc.

Network File System (NFS)
For the Windows Server 2012 NFS server to grant the UNIX user access to the requested file, it must associate the UID and GID with a Windows or Active Directory account and use that account to authenticate the client. NFS uses Active Directory lookup and User Name Mappings to obtain user and group information when accessing NFS shared files.

Identity Management for UNIX
Identity Management for UNIX enables you to:
- Integrate Windows users into an existing UNIX or Linux environment.
- Manage user accounts and passwords on Windows and UNIX systems using Network Information Service (NIS).
- Automatically synchronize passwords between Windows and UNIX operating systems.
Install Identity Management for UNIX using the Deployment Image Servicing and Management command-line tool, Dism.exe.

BranchCache
Branch offices typically have slow connectivity to the central office and limited infrastructure for security servers. When users access files over the slower WAN links, there might be a delay when opening files and when opening large files or many files at the same time, which can cause other programs to be slow or delayed. When using BranchCache, you are essentially creating a WAN accelerator where information is cached on branch computers or local servers. If the document is cached, it is accessed from the local branch office rather than going across a slower WAN link.

BranchCache Modes
BranchCache can operate in one of two modes:
- Hosted cache mode
- Distributed cache mode
Starting with Windows 8 and Windows Server 2012, Windows 8 clients can be configured through Group Policy as distributed cache mode clients by default. The clients search for a hosted cache server and, if one is found, automatically configure themselves as hosted cache mode clients so that they can use the local server.

File Server Resource Manager (FSRM)
File Server Resource Manager (FSRM) is a suite of tools that enables you to control and manage the quantity and type of data stored on a file server. You can:
- Define how much data a person can store.
- Define what type of files a user can store on a file server.
- Generate reports about the file server being used.
You can classify files based on defined properties and apply policies based on the classification. You can restrict access to files, encrypt files, and have files expire.

File Classification
File classification allows you to configure automatic procedures for defining a desired property on a file, based on the conditions specified in classification rules. For example, if the content contains “sales figure,” you can automatically set the Confidentiality property to High. By using file classification, you can automate file and folder maintenance tasks, such as deleting old data or protecting sensitive information.

Authentication, Authorization, and Auditing
Security can be divided into three areas:
- Authentication: Used to prove the identity of a user.
- Authorization: Gives access to the user who was authenticated.
- Auditing: Gives you a record of the users who have logged in, what those users accessed or tried to access, and what action those users performed (e.g., rebooting, shutting down a computer, or accessing a file).
When you want to audit files, you must first enable object access auditing. Then you must specify what files you want to audit.

Global Object Access Auditing
Starting with Windows 7 and Windows Server 2008 R2, you can enable Global Object Access Auditing so that you can:
- Configure object access auditing for every file and folder in a computer’s file system.
- Centrally manage and configure Windows to monitor files without going to each computer to configure the auditing of each computer or folder.

Global Object Access Auditing
To use global object access to audit files, you must enable two settings:
- Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy\Audit Policies\Object Access\Audit File System
- Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy\Audit Policies\Global Object Access Auditing\File System (see Figure 5-15).
Additionally, you must configure the System Access Control List (SACL), where you define the principal that you want to monitor, the type of event (success, failure, or all), the permission that you want to monitor, and a condition.
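The two settings and the SACL entry described above can also be applied and checked on a single machine with auditpol.exe. This is an added example, not part of the original slides; the principal (Everyone) and access flag (FW, file generic write) are assumptions, and it expects an elevated prompt on an English-language system. Domain Group Policy overrides these local values.

```powershell
# Added example (not from the slides). Local equivalent of the two Group Policy
# settings, followed by a check that the first one actually took effect.
$Principal = 'Everyone'   # assumed principal to monitor
$Access    = 'FW'         # assumed permission: auditpol flag for file generic write

# Setting 1 - Object Access\Audit File System: enable the subcategory.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable

# Setting 2 - Global Object Access Auditing\File System: one computer-wide
# SACL entry made of principal, event type (success/failure) and permission.
# A condition can be supplied with /condition:<expression>; none is used here.
auditpol.exe /resourceSACL /set /type:File /user:$Principal /success /failure /access:$Access

function Get-AuditInclusion {
    # Parses the CSV report produced by "auditpol /get ... /r" and returns the
    # effective setting ("Success and Failure", "Success", "Failure" or
    # "No Auditing") for one subcategory. Names are locale dependent.
    param(
        [string[]]$CsvLines,
        [string]$Subcategory
    )
    $rows = $CsvLines | Where-Object { $_.Trim() } | ConvertFrom-Csv
    ($rows | Where-Object { $_.Subcategory -eq $Subcategory }).'Inclusion Setting'
}

$report  = auditpol.exe /get /subcategory:"File System" /r
$setting = Get-AuditInclusion -CsvLines $report -Subcategory 'File System'

if ($setting -notmatch 'Success' -or $setting -notmatch 'Failure') {
    # Without the subcategory, the global SACL alone produces no events.
    Write-Warning "File System auditing is '$setting'; the global SACL will not log every access."
} else {
    "File System auditing: $setting"
}

# List the global SACL entries now in force for files.
auditpol.exe /resourceSACL /type:File /view
```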

Objective 2.2: Implementing Dynamic Access Control

Dynamic Access Control (DAC)
Dynamic Access Control (DAC), originally called claims-based access control, was introduced with Windows Server 2012 and is used for access management. It provides an automatic mechanism to secure and control access to resources.

Claims-Based Access Control
Claims-based access control uses a trusted identity provider to provide authentication. The trusted identity provider issues a token to the user, which the user then presents to the application or service as proof of identity. Identity is based on a set of information. Each piece of information is referred to as a claim (e.g., who the user or computer claims to be) and is stored as a token, which is a digital key. The token is digital identification for the user or computer that is accessing a network resource. As users or computers need access to a resource, the user or computer presents the token to get access to the resource.

Security Token Service (STS)
In Windows Server 2012, the identity provider is the Security Token Service (STS) and the claims are the Active Directory attributes assigned to a user or device (e.g., a computer). The claims, the user’s security identifier (SID), and group membership are stored inside the Kerberos ticket. The ticket is then used to access protected resources. Claims authorization relies on the Kerberos Key Distribution Center (KDC).

Attribute-Based Claims
Attribute-based claims are:
- The most common types of claims.
- Usually configured with Active Directory Administrative Center, specifically using the Dynamic Access Control node.
All claims are stored in the configuration partition in AD DS, which is a forest-wide partition. As a result, all domains in the forest share the claim dictionary.

Configuring File Classification
Classification management and file management tasks enable administrators to manage groups of files based on various file and folder attributes. After folders and files are classified, you can automate file and folder maintenance tasks (e.g., cleaning up stale data or protecting sensitive information). Although classification management can be done manually, you can automate this process with the File Server Resource Manager console.

Central Access Policy
A Central Access Policy contains Central Access Rules that grant permissions to objects for a defined group of resources. By default the rules apply to all resources, but you can limit the resources to which the rule will apply. Once the rule is defined, you can choose to apply it live or you can choose to use a “staging” mode.

Expression-Based Audit Policies
Windows Server 2012 has new advanced audit policies that implement more detailed and precise auditing on the file system, including the configuration of global-based audit policies and expression-based auditing. Expression-based audit policies let you specify what to audit based on defined properties or document attributes (e.g., a department or country). With Global Object Access Auditing you define computer-wide System Access Control Lists (SACLs) for either the file system or registry instead of manually altering and maintaining SACLs on large sets of shared files or registry entries. In addition, the auditing is specified implicitly, so the files themselves are not modified.

Access-Denied Remediation
When users are denied access to a shared folder or file, Windows Server 2012 provides Access-Denied Assistance, which helps users determine why they cannot access the folder or file and directs users to resolve the issue without calling the help desk. At this time, Access-Denied Remediation works only with Windows 8 and Windows Server 2012.

Objective 2.3: Configuring and Optimizing Storage

Understanding Shared Storage
To provide services and resources, many of the servers used in an organization require large amounts of disk space. Shared storage devices have many hard drives to provide huge amounts of disk space. There are two network storage solutions used in networking:
- Network attached storage (NAS): A NAS is a file-level data storage device that is connected to the server over a computer network to provide shared drives or folders, usually using Server Message Block (SMB) or Network File System (NFS).
- Storage area networks (SANs): A SAN is a type of storage architecture that allows systems to attach to the storage in the SAN and that presents the drives to the server just as if attached locally.

Understanding Shared Storage
Most SANs use the SCSI protocol for communication between servers and disk drive devices. By using SCSI protocol, you can attach disks to a server using copper Ethernet cables or fiber optic cables. The two standards used in SANs include:
- Fibre Channel
- iSCSI

Logical Unit Number (LUN)
A Logical Unit Number (LUN) is a logical reference to a portion of a storage subsystem. The LUN can be a disk, part of a disk, an entire disk array, or part of the disk array. When configuring servers to attach to a SAN, you usually configure the SAN to assign a LUN to a specific server. The LUN allows the administrator to break the SAN storage into manageable pieces. If the LUN is not mapped to a specific server, the server cannot see or access the LUN.

iSCSI
iSCSI is an Internet Protocol-based storage network standard that allows servers and other devices to connect to a data storage device or devices. As the name indicates, it carries SCSI commands over IP networks. Unlike standard local SCSI drives, iSCSI allows data transfers over intranets and can be used over long distances. iSCSI allows clients, called iSCSI initiators, to send SCSI commands to iSCSI storage devices, which are known as iSCSI targets.

iSCSI Qualified Name (IQN)
iSCSI Qualified Name (IQN) is a unique identifier used to address initiators and targets on an iSCSI network. The IQN uses the following format:
- Literal iqn
- Date (yyyy-mm) that the naming authority took ownership of the domain
- Reversed domain name of the authority
- Optional ":" prefixing a storage target name specified by the naming authority
An example of an IQN is: iqn.1991-05.com.contoso:storage01-target1-target
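Because initiators and targets are addressed by IQN, it is worth validating an IQN against the four-part format above before it is entered into a target's list of permitted initiators. The parser below is an added example, not part of the original slides; the function name ConvertFrom-Iqn, the lowercase-only rule and the requirement of at least two domain labels are assumptions of this sketch, and all sample inputs other than the slide's own IQN are constructed.

```powershell
# Added example (not from the slides): parse and validate an IQN.
function ConvertFrom-Iqn {
    param([Parameter(Mandatory = $true)][string]$Iqn)

    # iSCSI names may not exceed 223 bytes (RFC 3720).
    if ([Text.Encoding]::UTF8.GetByteCount($Iqn) -gt 223) { return $null }

    # One DNS label: letters, digits, inner hyphens (lowercase: assumption).
    $label   = '[a-z0-9](?:[a-z0-9-]*[a-z0-9])?'
    $pattern = '^iqn\.(?<year>[0-9]{4})-(?<month>0[1-9]|1[0-2])' +   # literal + yyyy-mm
               "\.(?<authority>${label}(?:\.${label})+)" +           # reversed domain
               '(?::(?<target>\S+))?$'                               # optional :name

    # -cmatch is case-sensitive, so "IQN." or upper-case domains are rejected.
    if (-not ($Iqn -cmatch $pattern)) { return $null }

    # Turn the reversed domain (com.contoso) back into contoso.com.
    $labels = $Matches['authority'].Split('.')
    [array]::Reverse($labels)

    [pscustomobject]@{
        Registered = '{0}-{1}' -f $Matches['year'], $Matches['month']
        Authority  = $labels -join '.'
        Target     = $Matches['target']   # $null when the ":" part is absent
    }
}

# The slide's example followed by constructed variants.
$samples = @(
    'iqn.1991-05.com.contoso:storage01-target1-target',  # from the slide
    'iqn.1991-05.com.contoso',                           # no target name
    'iqn.1991-13.com.contoso:bad-month',                 # month out of range
    'iqn.1991-05.contoso:one-label',                     # not a reversed domain
    'IQN.1991-05.com.contoso:upper-case',                # wrong case
    'iqn.1991-05.com.contoso:'                           # ":" with empty name
)

foreach ($s in $samples) {
    $parsed = ConvertFrom-Iqn -Iqn $s
    if ($parsed) {
        '{0} -> authority={1} registered={2} target={3}' -f `
            $s, $parsed.Authority, $parsed.Registered, $parsed.Target
    } else {
        "$s -> rejected"
    }
}
```

Only the first two samples parse; the remaining four are rejected.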

iSCSI Target
In April 2011, the iSCSI target was available to Windows Server 2008 R2 as a free download. Starting with Windows Server 2012, you can install the iSCSI Target Server role, so that other Windows servers can provide iSCSI storage to other clients (including other Windows servers). After installing the iSCSI Target Server role, you use Server Manager to create the volumes that will be presented to clients and specify which servers can access the iSCSI LUNs.

Internet Storage Name Service (iSNS)
The Internet Storage Name Service (iSNS) protocol is used to automatically discover, manage, and configure iSCSI devices on a TCP/IP network. iSNS is used to emulate Fibre Channel fabric services to provide a consolidated configuration point for an entire storage network. The iSNS provides a registration function to allow entities in a storage network to register a query in the iSNS database. Both targets and initiators can register in the iSNS database.

Discovery Domain (DD)
The discovery domain (DD) service allows the partitioning of storage nodes into management groupings (called discovery domains) for administrative and logon control purposes. You can create a new discovery domain by using the Create button and typing the name of the discovery domain.

Features on Demand
Starting with Windows Server 2012, you can use Features on Demand, which allows administrators to:
- Completely remove the installation binaries for roles and features that are not needed for the server.
- Save disk space and enhance security by removing binaries for features that will not be needed.