
    Configuring File Sharing

    A share point represents a network path to a local file system. Windows never provides default share points that ordinary users can access. You must create shares at a server before users can map to the server.

    There are several ways to create a share. You can use the Explorer shell, the Computer Management console, the command line via the NET command, or Resource Kit tools. This section covers all these methods:

    File Sharing and XP

    The primary focus of this book is on Windows Server 2003 products, but you should be aware that file sharing on standalone XP Professional desktops (not domain members) and XP Home Edition desktops works significantly differently from file sharing in Windows Server 2003 or previous versions of Windows 2000 or NT.

    First off, standalone XP desktops do not have network sharing enabled by default and NTFS permissions are not exposed to the Explorer shell. A feature called simple file sharing controls access to folders. This feature is enabled by default on all standalone XP Professional machines and is the only available option on XP Home machines.

    You can view the settings for simple file sharing by opening any folder and then selecting TOOLS | FOLDER OPTIONS from the folder menu. Select the View tab and scroll to the end of the list to see the Use Simple File Sharing checkbox. Figure 16.3 shows an example.

    Figure 16.3. Folder Options window showing Use Simple File Sharing selection.


    Registry Tip: Shared Folders in the Registry

    Shares are stored in the Registry under the following key: HKLM | System | CurrentControlSet | Services | LanManServer | Shares. Each share is represented by a Reg_Multi_SZ value whose strings carry the following properties:

    • CSCFlags. Client-side caching flags: 0 by default for manual caching, 16 for automatic document caching, 32 for automatic program caching, 48 for caching disabled.

    • Max Uses. 4294967295 by default (0xFFFFFFFF, all Fs for a 32-bit unsigned integer), meaning no user limit.

    • Path. Local path to share point. If you change the path so that it does not match this Registry entry, the share no longer functions.

    • Permissions. This entry supports downlevel clients that expect to see share-level security flags in the SMB representing a share point.

    • Remark. Contains the comments for the share.

    • Type. Always set to 0 in Windows Server 2003, XP, and 2000.
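    As an added example (not code from the book), the following Python parses share entries in the Key=Value layout of this Reg_Multi_SZ value and flags settings an administrator would want to review: a Path that no longer exists, automatic client-side caching, and a user limit. The share entries are constructed for illustration; on a live server the existing-path check would be os.path.isdir.

```python
"""Parse the per-share REG_MULTI_SZ values kept under
HKLM\\System\\CurrentControlSet\\Services\\LanManServer\\Shares and report
settings worth reviewing.  The sample entries below are constructed for
illustration, not exported from a real server."""

# CSCFlags data values and their meanings, as documented for the Shares key.
CSC_NAMES = {0: "manual caching", 16: "automatic document caching",
             32: "automatic program caching", 48: "caching disabled"}
MAX_USES_UNLIMITED = 4294967295  # 0xFFFFFFFF, the default "Maximum Allowed"


def parse_share_entry(name, multi_sz):
    """Turn one REG_MULTI_SZ value (a list of 'Key=Value' strings) into a dict.

    Strings without '=' are ignored; missing numeric keys fall back to the
    documented defaults so partially written entries still parse."""
    fields = {}
    for line in multi_sz:
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value
    return {
        "name": name,
        "csc_flags": int(fields.get("CSCFlags", "0")),
        "max_uses": int(fields.get("MaxUses", str(MAX_USES_UNLIMITED))),
        "path": fields.get("Path", ""),
        "remark": fields.get("Remark", ""),
        "type": int(fields.get("Type", "0")),
    }


def audit_share(entry, path_exists):
    """Return a list of findings for one parsed share.

    path_exists(path) -> bool is injected so the audit can run against
    constructed data; on a live server pass os.path.isdir."""
    findings = []
    if not path_exists(entry["path"]):
        # The name is still published, but the share no longer functions
        # once the directory behind it is gone or renamed.
        findings.append(f"path {entry['path']} no longer exists; share is dead")
    flags = entry["csc_flags"]
    if flags not in CSC_NAMES:
        findings.append(f"unrecognised CSCFlags value {flags}")
    elif flags in (16, 32):
        # Automatic caching leaves copies of opened files on client disks.
        findings.append(f"{CSC_NAMES[flags]} enabled; copies persist on clients")
    if entry["max_uses"] != MAX_USES_UNLIMITED:
        findings.append(f"user limit set to {entry['max_uses']}")
    return findings


def audit_all(shares, existing_paths):
    """Audit every share, treating only the paths in existing_paths as present."""
    return {name: audit_share(parse_share_entry(name, raw), lambda p: p in existing_paths)
            for name, raw in shares.items()}


# Constructed sample values: two shares as they would appear under the key.
SAMPLE_SHARES = {
    "Sales": ["CSCFlags=16", "MaxUses=4294967295", "Path=D:\\Sales",
              "Permissions=0", "Remark=Sales department", "Type=0"],
    "Payroll$": ["CSCFlags=48", "MaxUses=10", "Path=D:\\Payroll",
                 "Permissions=0", "Remark=", "Type=0"],
}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_SHARES, {"D:\\Sales"}).items():
        print(name, findings or ["no findings"])
```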

    The Use Simple File Sharing option controls the following Registry entry:

    Key:    HKLM | System | CurrentControlSet | Control | LSA
    Value:  ForceGuest
    Data:   1 (blocks access), 0 (permits access)
    

    If ForceGuest is enabled (set to 1), the following simple file sharing restrictions apply:

    • Files in the user's My Documents folder can be configured to be completely private (NTFS permissions set to <User>:Full and System:Full) or private with access by the local Administrators group (NTFS permissions also include Administrators:Full).

    • The All Users\Documents folder is exposed to the shell as a Shared Documents folder. Users who want other users to see their documents can drag them to the Shared Documents folder. The NTFS permissions on this folder are set for Users:Read,Write,Append, CreatorOwner:Full, Administrators:Full, System:Full, and Power Users:Change.

    • Folders can be shared on the network using the Sharing tab in the folder properties in Explorer. If the Share This Folder On The Network option is checked and the Allow Network Users To Change My Files option is cleared, an SMB share is created for the folder and the NTFS permissions are set to add Everyone:Read to the access list.

      If the Allow Network Users To Change My Files option is checked, NTFS permissions are set to add Everyone:Change to the access list.

    These restrictions only apply to SMB connections. A standalone XP Professional desktop running IIS can respond to HTTP and FTP connection requests even if simple file sharing is enabled but nothing is shared. The desktop can also respond to WebDAV connection requests. FTP and WebDAV requests may fail, however, if appropriate NTFS permissions are not set.

    Simple file sharing is turned off when an XP Professional desktop joins a domain. (XP Home cannot join a domain.)

    Share Permissions

    In all previous versions of Windows, when a new share point was created, the Everyone group was placed on the permissions list for the share and granted Full Control access. Controlling access to the files and folders behind the share was given over to NTFS permissions.

    In the new spirit of security that imbues Windows Server 2003, Microsoft changed the default permissions for a share point. The Everyone group is still the only entry on the access control list, but the default permission is now Read rather than Full Control. Because FAT and FAT32 volumes have no file-level permissions, the share permission is the only access control on them; the Read default ensures that shares created on such volumes do not expose the file system to modification by any network user.

    You should always build servers with NTFS volumes so you can change the default share permissions back to Everyone: Full Control. This can be done from the Explorer interface or from the command line using new switches on the NET SHARE command as follows:

    Net share <share_name>=<folder_path> /grant:everyone,full
    

    By putting Everyone:Full on share permissions, you don't need to worry about someone in the future trying to resolve an access problem and forgetting about the share permissions.

    If you do assign share permissions, keep in mind that they act as a filter that sits in front of the folder in the file system. If a user has Full Control access permissions in NTFS but Read permission at the share, the user can only read the files. By the same token, if a user has Read access permission in NTFS and Full Control in the share, the user can still only read the files. The effective access is always the more restrictive of the two.

    Deciding Which Directories to Share

    Share points multiply like bad rock bands if you aren't careful. When a server sends its resource list to a client, it includes the name of every share, even the hidden shares. If you create thousands of shares, you'll slow performance at the client.

    Windows Server 2003 and Windows 2000 permit mapping a network drive to a folder underneath a share point. Use this feature to avoid excessive shares.

    Also, avoid overlapping shares. This confuses users and can cause tragic Help Desk calls like this: "I deleted some extra files from my K drive but they also disappeared from my L drive. What happened?"

    Creating a Share Using Explorer

    The simplest way to share a folder is to use Explorer. The steps in Procedure 16.3 create a new folder and share it.

    Procedure 16.3 Creating and Sharing a Folder

    1. Log on at the console using an account with administrative privileges.

    2. Open Explorer or My Computer.

    3. Create a folder or select an existing folder. The example in Figure 16.4 shows a folder called Sales.

      Figure 16.4. Properties window for Sales folder with Sharing tab selected.


    4. Right-click the folder icon and select SHARING AND SECURITY from the flyout menu. The Properties window for the folder opens with the Sharing tab selected.

    5. Select the Share This Folder radio button. The system automatically inserts the folder name as the share name. If you already have a share by this name on the computer, the share name will be blank. You can select a different name.

    6. Ordinarily you would leave the Maximum Allowed radio button selected. Set a value under User Limit only if you want to limit the maximum number of users who can access the share point. You can use this feature to meet licensing restrictions for executables inside the share.

      Share Name Lengths

      Select a share name that meets the allowable name length for the Windows clients in your network:

      • Windows NT4 and later: 255 characters

      • NT 3.51: 15 characters

      • Windows 95: 12 characters

      • Windows 3.x and DOS: 8 characters

      If the share name exceeds the limit, the affected clients cannot see the share in a browse list or map a drive to it.

    7. Click Permissions and set Everyone to Full Control, then click OK.

    8. Click OK to create the share and close the Properties window. The Caching option is covered in Chapter 19, "Managing the User Operating Environment."

    Note that the folder now has a little hand under it indicating that it is shared. If you issue the NET SHARE command from the command line, you see this folder listed as a share point.

    Creating Shares on Remote Computers

    The Explorer interface has no mechanism for creating shares on remote servers. You can create a share point on a remote computer using the Computer Management console as in Procedure 16.4.

    Procedure 16.4 Creating Remote Shares Using the Computer Management Console

    1. Open the Computer Management console using START | PROGRAMS | ADMINISTRATIVE TOOLS | COMPUTER MANAGEMENT.

    2. Right-click the Computer Management (local) icon and select CONNECT TO ANOTHER COMPUTER from the flyout menu. The Select Computer window opens.

    3. Click Browse. The standard object search window opens. Enter the first few letters of the server you're searching for, then click Check Names. The search starts with an LDAP search of Active Directory and then expands to search the browse list.

    4. If more than one computer starts with the letters you entered, a Multiple Names Found window opens with a pick list. Double-click the name you want, then click OK, and OK again, to select that machine.

    5. Expand the tree under SYSTEM TOOLS | SHARED FOLDERS | SHARES. Figure 16.5 shows an example.

      Figure 16.5. Computer Management console showing list of shares on a remote computer.


    6. Right-click the Shares icon and select NEW FILE SHARE from the flyout menu. The Create Shared Folder window opens.

    7. Click Browse to locate the folder you want to share. The Browse for Folder window appears (see Figure 16.6). The browse feature requires that you have functioning administrative shares (dollar sign shares) at the root of each volume on the remote computer. If you have deleted the administrative shares, you must enter the local path to the folder manually.

      Figure 16.6. Browse For Folder window showing top-level folders represented by administrative shares at remote computer.


    8. Select the folder you want to share or create a new folder.

    9. Click OK to save the selection and return to the Create Shared Folder window.

    10. Enter a Share Name and Share Description.

    11. Click Next. Select a permissions option. The Custom button opens the Customize Permission window that contains a browse list to select users or groups to add to the list of authorized share users.

    12. Click Finish to apply the changes and close the window.

    The system responds with a notification that the share was successfully created. If it encounters a problem, you get an error message. The most common problem associated with creating remote shares is not having sufficient rights. The owner may have set restrictive NTFS permissions on the folder you're trying to share.

    Creating Shares Using the Command Line

    You can create a share from the command line using the NET SHARE command with the following syntax:

    net share share_name=drive:\directory /grant:Everyone,Full
    

    If you want to stop sharing a directory, use the /delete switch as follows:

    net share share_name /delete
    

    The NET SHARE command only works at the console of the server containing the directory you want to share. If you want to create a share on a remote directory from the command line, use a Resource Kit utility called RMTSHARE. The syntax for this command is as follows:

    rmtshare  \\server_name\share_name=drive:path [/users:number | /unlimited]
                                   [/remark:"text"]
                                   [/grant user:perm]
                                   [/remove user]
    

    If you want to stop sharing a directory on a remote computer, use the /delete switch as follows:

    rmtshare \\server_name\share_name /delete
    

    Recreating Admin Shares

    Access to the C$ and ADMIN$ shares (and other shares representing volumes on a server) is restricted to members of the Administrators group. If the shares are accidentally deleted, you can create a new share called C$, but it will not have the same permissions. You can replace deleted admin shares with their special permissions using the Policy Editor (Poledit). Follow Procedure 16.5.

    Procedure 16.5 Restoring Deleted Administrative Shares with Poledit

    1. Launch Poledit from the Run window.

    2. From the menu, select FILE | OPEN REGISTRY.

    3. Double-click the Local Computer icon. This opens the Local Computer Properties window.

    4. Expand the tree under Windows NT Network | Sharing.

    5. Select Create Hidden Drive Shares (Server).

    6. Click OK to save the change and return to the main Policy Editor window.

    7. From the menu, select FILE | SAVE. This applies the change to the Registry.

    This action places a value called AutoShareServer in the Registry key HKLM | System | CurrentControlSet | Services | LanManServer | Parameters.

    Volume Shadow Copy

    You've probably gotten this phone call: It starts off, "I was making changes to a macro in the spreadsheet that I use to calculate payroll and now my spreadsheet doesn't work. Can you restore it for me from last night's backup?" For some reason, the answer "I sure can and you'll have it next Wednesday" never seems to satisfy the user.

    Tape backups are vitally important, but doing individual file restores imposes a significant burden on IT staff and resources. Windows Server 2003 has a new feature, the Volume Shadow Copy service, that puts the user in charge of obtaining historical copies of data files. Volume Shadow Copy creates a database that holds changes to data files identified during periodic snapshots.

    The operation of the Volume Shadow Copy database is controlled at the Properties window of a volume via the Shadow Copies tab. Figure 16.7 shows an example.

    Figure 16.7. Properties window for an NTFS volume showing the Shadow Copies tab.


    Using the Settings button, you can define the size of the database and the schedule for taking snapshots of the volume. The default schedule is two snapshots per day at 7:00 AM and 12:00 PM, Monday through Friday. The number of historical copies is controlled by the size of the database. The default database size is 10 percent of the volume size with a minimum of 100MB.

    The Volume Shadow Copy database is stored in a hidden folder called System Volume Information, which is stored at the root of the volume. The database is encrypted to protect the file contents. The database cannot be defragged and there is no support for Volume Shadow Copy on the quorum drive of a cluster.

    Volume Shadowing is enabled on a per-volume basis. It cannot be controlled by individual shares. For best results, Microsoft recommends putting the cache on a separate spindle or RAID array. You can choose whether or not to back up the historical files. The backup application must conform to the Windows Server 2003 backup API to avoid corrupting the database.

    At clients, access to the Volume Shadow Copy database relies on an extension to the Explorer shell that must be installed separately. The client installation package is Twclient.msi and is stored in \Windows\System32\Clients\Twclient. You can deploy the package via group policies.

    The Twclient extension only runs on Windows XP and Windows Server 2003. The extension exposes the content of the Volume Shadow Copy database via a Previous Versions tab to the Properties page for a file. Figure 16.8 shows an example.

    Figure 16.8. Properties page for a network file showing the Previous Versions tab.


    The user can elect to view the previous versions and then either copy them to a new location or restore a copy if the original were accidentally deleted. There is a variety of safeguards to prevent users from accidentally overwriting their files.

    If you use a SAN or NAS, the Volume Shadow Copy feature also supports taking snapshots of dynamic files such as databases so that they can be safely transferred to another location. Windows Server 2003 includes a new service called the Virtual Disk Service, or VDS, that exposes an API for accessing RAID and SAN/NAS configurations from the operating system. This permits changing hardware storage parameters from the console.
