Windows Server Configuration

Lesson 1: Installing Servers

70-410 Exam Objective

Objective 1.1 – Install servers. This objective may include but is not limited to: Plan for a server installation; plan for server roles; plan for a server upgrade; install Server Core; optimize resource utilization by using Features on Demand; migrate roles from previous versions of Windows Server.

Lesson Heading – Exam Objective

Selecting a Windows Server 2012 Edition – Plan for a server installation
    Supporting Server Roles – Plan for server roles
    Supporting Server Virtualization
    Server Licensing
Installing Windows Server 2012
    System Requirements
    Performing a Clean Installation
    Installing Third-Party Drivers
    Working with Installation Partitions
Choosing Installation Options
    Using Server Core – Install Server Core
    Using the Minimal Server Interface
    Using Features on Demand – Optimize resource utilization by using Features on Demand
Upgrading Servers – Plan for a server upgrade
    Upgrade Paths
    Preparing to Upgrade
    Performing an Upgrade Installation
Migrating Roles – Migrate roles from previous versions of Windows Server
    Installing Windows Server Migration Tools
    Using Migration Guides

Key Terms: cmdlets; physical operating system environment (POSE); Server Core; virtual operating system environment (VOSE); Windows PowerShell; WinSxS

Selecting a Windows Server 2012 Edition

The Bottom Line: Microsoft releases all its operating systems in multiple editions, which provides consumers with various price points and feature sets.

Certification Ready: Plan for a server installation. Objective 1.1

When planning a server deployment, you should choose the operating system edition based on multiple factors, including the following:

- The roles you intend the servers to perform
- The virtualization strategy you intend to implement
- The licensing strategy you plan to use

Compared with Windows Server 2008, Microsoft has simplified the process of selecting a Windows Server 2012 edition by reducing the available products. As with Windows Server 2008 R2, Windows Server 2012 requires a 64-bit processor architecture. All 32-bit versions have been eliminated, and for the first time since the Windows NT Server 4.0 release, no build will be released supporting Itanium processors.

This leaves Windows Server 2012 with the following core editions:

Windows Server 2012 Datacenter: This edition is designed for large and powerful servers with up to 64 processors and fault-tolerance features such as hot add processor support. As a result, this edition is available only through the Microsoft volume-licensing program and from original equipment manufacturers (OEMs), bundled with a server.

Windows Server 2012 Standard: This edition includes the full set of Windows Server 2012 features, varying from the Datacenter edition only by the number of virtual machine instances permitted by the license.

Windows Server 2012 Essentials: This edition includes nearly all the features in the Standard and Datacenter editions, except for Server Core, Hyper-V, and Active Directory Federation Services. This edition is limited to one physical or virtual server instance and a maximum of 25 users.

Windows Server 2012 Foundation: This reduced version of the operating system is designed for small businesses that require only basic server features such as file and print services and application support. This edition includes no virtualization rights and is limited to 15 users.

These various editions are priced commensurate with their capabilities. Obviously, your goal is to purchase the least expensive edition that provides everything you need. The following sections examine the primary differences between the Windows Server 2012 editions.

Supporting Server Roles

The Bottom Line: Windows Server 2012 includes predefined combinations of services called roles that implement common server functions.

Certification Ready: Plan for server roles. Objective 1.1

Computers running the Windows Server 2012 operating system can perform a wide variety of tasks, using both the software included with the product and third-party applications. The activities Windows Server 2012 performs for network clients are known as roles. After you install the Windows Server 2012 operating system, you can use Server Manager or Windows PowerShell to assign one or more roles to that computer.

The roles included with Windows Server 2012 fall into three basic categories:

- Directory services store, organize, and supply information about a network and its resources.
- Infrastructure services provide support services for network clients.
- Application services provide communications services, operating environments, or programming interfaces for specific applications.

Table 1-1 lists the roles that Microsoft supplies with Windows Server 2012.

Table 1-1 Windows Server 2012 Server Roles

Directory Services:

- Active Directory Certificate Services implements certification authorities (CAs) and other services that facilitate the creation and management of the public key certificates used by the identity and access control elements of the Windows Server 2012 security infrastructure.
- Active Directory Domain Services (AD DS) configure the server to function as an Active Directory domain controller, which stores and manages a distributed database of network resources and application-specific information.
- Active Directory Federation Services create a single sign-on environment by implementing trust relationships that enable users on one network to access applications on other networks without providing a secondary set of logon credentials.
- Active Directory Lightweight Directory Services (AD LDS) implement a Lightweight Directory Access Protocol (LDAP) directory service that provides support for directory-enabled applications without incurring the extensive overhead of AD DS.
- Active Directory Rights Management Services (AD RMS) make up a client/server system that uses certificates and licensing to implement persistent usage policies, which can control access to information, no matter where a user moves it.

Infrastructure Services:

- DHCP (Dynamic Host Configuration Protocol) Server provides network clients with dynamically assigned IP addresses and other TCP/IP configuration settings, such as subnet masks, default gateway addresses, and Domain Name System (DNS) server addresses.
- DNS Server provides name-to-address and address-to-name resolution services for AD DS and Internet clients. The Windows Server 2012 DNS server implementation also supports dynamic DNS and DHCP integration.
- Hyper-V provides a hypervisor-based environment in which administrators can create virtual machines, each of which provides an isolated instance of the operating system environment.
- Network Policy and Access Services (NPAS) implement services such as Network Policy Server (NPS), Health Registration Authority (HRA), and Host Credential Authorization Protocol (HCAP), which enforce security policies for network users.
- Remote Access provides remote users with access to network resources by using DirectAccess and VPNs, as well as LAN and NAT routing services.
- Volume Activation Services automate the management of Microsoft host keys and Key Management System (KMS) hosts.
- Windows Deployment Services (WDS) enable you to install Windows operating systems remotely on computers throughout the enterprise.
- Windows Server Update Services (WSUS) automate the process of disseminating operating-system updates to Windows computers throughout the enterprise.

Application Services:

- Application Server provides an integrated environment for deploying and running server-based business applications designed within (or expressly for) the organization, such as those requiring the services provided by Internet Information Services (IIS), Microsoft .NET Framework 2.0 and 3.0, COM+, ASP.NET, Message Queuing, or Windows Communication Foundation (WCF).
- Fax Server enables you to manage fax devices and clients to send and receive faxes over the network.
- File and Storage Services install tools and services that enhance Windows Server 2012’s basic ability to provide network clients with access to files stored on server drives, including Distributed File System (DFS), DFS Replication, Storage Manager for Storage Area Networks (SANs), fast file searching, and file services for UNIX clients.
- Print and Document Services provides clients with access to printers attached to the server or to the network, as well as centralized network printer and print server management, and printer deployment using Group Policy. Document services enable you to route images from network-attached scanners to users.
- Remote Desktop Services enable clients on the network or on the Internet to access server-based applications remotely or the entire Windows desktop by using server resources.
- Web Server (IIS) installs Internet Information Services (IIS) 7.5, which enables the organization to publish websites and web-based applications for use by intranet, extranet, and/or Internet clients.

Some Windows Server 2012 editions include all these roles, whereas others include only some of them. Selecting the appropriate edition of Windows Server has always been a matter of anticipating the roles that the computer must perform. At one time, this was a relatively simple process. You planned your server deployments by deciding which ones would be domain controllers, which ones would be web servers, and so forth. After you made these decisions, you were done, because server roles were largely static. With the increased focus on virtualization in Windows Server 2012, however, more administrators must consider not only what roles servers must perform at the time of the deployment, but also what roles they will perform in the future.

By using virtualized servers, you can modify your network’s server strategy at will to accommodate changing workloads and business requirements, or to adapt to unforeseen circumstances. Therefore, the process of anticipating the roles servers will perform must account for the potential expansion of your business, as well as possible emergency needs. Table 1-2 lists the roles included with the various Windows Server 2012 editions.

Table 1-2 Roles Included in Windows Server 2012 Editions

Role | Datacenter | Standard | Foundation | Essentials
Active Directory Certificate Services | Yes | Yes | Limited to CA creation | Limited to CA creation
Active Directory Domain Services | Yes | Yes | Forest and domain root only | No
Active Directory Federation Services | Yes | Yes | No | No
Active Directory Lightweight Directory Services | Yes | Yes | Yes | No
Active Directory Rights Management Services | Yes | Yes | Yes | No
Application Server | Yes | Yes | Yes | Yes
DHCP Server | Yes | Yes | Yes | Yes
DNS Server | Yes | Yes | Yes | Yes
Fax Server | Yes | Yes | Yes | Yes
File and Storage Services | Yes | Yes | Yes (DFS limited) | Yes (DFS limited)
Hyper-V | Yes | Yes | No | No
Network Policy and Access Services | Yes | Yes | Yes (Limited connections) |
Print and Document Services | Yes | Yes | Yes | Yes
Remote Access | Yes | Yes | Yes | No
Remote Desktop Services | Yes | Yes | Yes (Limited connections) | Yes (Limited connections)
Volume Activation Services | Yes | Yes | Yes | No
Web Server (IIS) | Yes | Yes | Yes | Yes
Windows Deployment Services | Yes | Yes | Yes | Yes
Windows Server Update Services | Yes | Yes | Yes | Yes

Supporting Server Virtualization

The Bottom Line: The Windows Server 2012 Datacenter and Standard editions both include support for Hyper-V, but they vary in the number of virtual machines permitted by their licenses.

Each running instance of the Windows Server 2012 operating system is classified as being in a physical operating system environment (POSE) or a virtual operating system environment (VOSE). A POSE is a physical computer with its own hardware, and a VOSE is a virtual machine running on a Hyper-V server with virtualized hardware. When you purchase a Windows Server 2012 license, you can perform a POSE installation of the operating system, as always. After installing the Hyper-V role, you can then create virtual machines (VMs) and perform VOSE installations on them. The number of VOSE installations permitted by your license depends on the edition you purchased, as shown in Table 1-3.

Table 1-3 Physical and Virtual Instances Supported by Windows Server 2012 Editions

Edition | POSE Instances | VOSE Instances
Datacenter | 1 | Unlimited
Standard | 1 | 2
Foundation | 1 | 0
Essentials | 1 (POSE or VOSE) | 1 (POSE or VOSE)

Take Note: The limitations specified in Table 1-3 are those of the license, not the software. For example, you can create more than four VMs on a copy of Windows Server 2012 Enterprise, but you must purchase additional licenses to do so.

Server Licensing

The Bottom Line: Licensing Windows Server 2012 includes purchasing licenses for both servers and clients, and each one has many options.

Microsoft provides several different sales channels for Windows Server 2012 licenses, and not all editions are available through all the channels. If you are already involved in a licensing agreement with Microsoft, you should be aware of the server editions available to you through that agreement. If you are not, you should investigate the licensing options available to you before you select a server edition.

Table 1-4 lists the sales channels through which you can purchase each Windows Server 2012 edition.

Table 1-4 Windows Server Sales Channel Availability, by Edition

Edition | Retail | Volume Licensing | Original Equipment Manufacturer
Datacenter | No | Yes | Yes
Standard | Yes | Yes | Yes
Foundation | No | No | Yes
Essentials | Yes | Yes | Yes

The licensing structure for Windows Server 2012 is considerably simpler than it has been in previous versions of the operating system. The licenses you need to purchase for a given server installation are affected by the following criteria:

Processors—Both the Datacenter and the Standard edition come with a license that supports up to two physical processors. To run either one on a computer with more than two processors, you must purchase additional licenses.

Virtual instances—The Standard edition license supports one physical instance and as many as two virtual operating system instances on a Hyper-V installation. If you want to create more than two virtual machines running Windows Server 2012 Standard, you must purchase additional licenses at the rate of two virtual instances per license. The Datacenter edition supports an unlimited number of virtual instances. The Essentials license enables you to install the operating system on one physical computer or one virtual machine, but not both. The Foundation license includes no virtual instances.

Clients—The Foundation license supports up to 15 users and the Essentials edition up to 25 users. For the Standard and Datacenter editions, you must purchase client access licenses (CALs).

Installing Windows Server 2012

The Bottom Line: A clean installation is the simplest way to deploy Windows Server 2012 on a bare metal computer—that is, a computer with no operating system installed—or a computer with a partition that you are willing to reformat (losing all the data on the partition in the process).

If a computer is brand new and has no operating system installed on it, it cannot start until you supply a boot disk, such as a Windows Server 2012 installation disk. During installation, you select the disk partition on which you want to install the operating system, and the Setup program copies the operating system files there.

System Requirements

The Bottom Line: Choosing the correct hardware for a server requires an understanding of the tasks it will perform.

As of this writing, the minimum system requirements for all editions of Windows Server 2012 are as follows:

- 1.4 GHz 64-bit processor
- 512 MB RAM
- 32 GB disk space
- DVD or USB flash drive
- Super VGA (800x600) or higher resolution monitor

Having 32 GB of available disk space should be considered an absolute minimum. The system partition needs extra space if you install the system over a network or your computer has more than 16 GB of RAM installed. The additional disk space is required for paging, hibernation, and dump files. In practice, you are unlikely to come across a computer with 32 GB RAM and only 32 GB disk space. If you do, free more disk space or invest in additional storage hardware.

Not until you have decided how you will deploy your applications and what roles an application server will perform should you begin selecting the hardware that goes into the computer. Suppose that your organization decides to deploy an application suite such as Microsoft Office on all company workstations. If you decide to install the applications on each individual workstation, each computer must have sufficient memory and processor speed to run them efficiently. The application servers on the network then have to perform only relatively simple roles, such as file and print services, which do not require enormous amounts of server resources.

By contrast, if you decide to deploy the applications using Remote Desktop Services, you can use workstations with a minimal hardware configuration, because the servers take most of the burden. In this case, you need a more powerful application server in terms of processor and memory, or perhaps even several servers sharing the client load. Server roles can also dictate requirements for specific subsystems within the server computers, as in the following examples:

- Servers hosting complex applications might require more memory and faster processors.
- File servers can benefit from disk arrays and hard drives with higher speeds and larger caches, or even a high performance drive interface, such as SCSI (Small Computer System Interface, pronounced “scuzzy”).
- Web servers receiving large amounts of traffic might need higher-end network adapters or multiple adapters to connect to different subnets.
- Streaming media servers require sufficient hardware in all subsystems, because any performance bottleneck in the server can interrupt the client’s media experience.

Enterprises with extensive server requirements might want to consider specialized server hardware, such as a storage area network, network attached storage, or a server cluster.

As part of Microsoft’s increased emphasis on virtualization and cloud computing in its server products, the company has increased the maximum hardware configurations significantly for Windows Server 2012. Table 1-5 lists these maximums.

Table 1-5 Maximum Hardware Configurations in Windows Server Versions

Resource | Windows Server 2012 | Windows Server 2008 R2
Logical Processors | 640 | 256
RAM | 4 terabytes | 2 terabytes
Failover cluster nodes | 63 | 16

Performing a Clean Installation

The Bottom Line: A clean installation can be the basis for a new server, or the initial phase of a server migration.

To perform a clean installation of Windows Server 2012, use the following procedure.

Take Note: The Traditional Chinese version of Windows Server 2012 (ZH-TN) does not install correctly on a computer with only 512 MB of RAM—either a physical computer or a virtual machine. In practice, the next readily available physical RAM size is 1 GB.

Perform a Clean Installation

GET READY. Prepare the computer for the Windows Server 2012 installation by making sure that all its external peripheral devices are connected and powered on.

1. Turn on the computer and insert the Windows Server 2012 installation disk into the DVD drive.

2. Press any key to boot from the DVD (if necessary). A progress indicator screen appears as Windows is loading files. The computer loads the Windows graphical interface and the Windows Setup page appears, as shown in Figure 1-1.

[Figure 1-1: The Windows Setup page]

More Information: The device that a PC uses to boot is specified in its system (or BIOS) settings. In some cases, you might have to modify these settings to enable the computer to boot from the Windows Server 2012 DVD. If you are not familiar with the operation of a particular computer, watch the screen carefully as the system starts and look for an instruction specifying what key to press to access the system settings.

3. By using the drop-down lists provided, select the appropriate language to install, time and currency format, and keyboard or input method, and then click Next. The Windows Setup page appears, as shown in Figure 1-2.

[Figure 1-2: The Windows Setup page]

4. Click Install Now. The Windows Setup Wizard appears, displaying the Select the operating system you want to install page, as shown in Figure 1-3.

[Figure 1-3: The Select the operating system you want to install page]

5. Select the operating system edition and installation option you want to install and click Next. The License Terms page appears.

6. Select the I accept the license terms check box and click Next. The Which type of installation do you want? page appears, as shown in Figure 1-4.

[Figure 1-4: The Which type of installation do you want? page]

7. Because you are performing a clean installation and not an upgrade, click the Custom: Install Windows Only (advanced) option. The Where do you want to install Windows? page appears, as shown in Figure 1-5.

[Figure 1-5: The Where do you want to install Windows? page]

8. From the list provided, select the partition on which you want to install Windows Server 2012, or select an area of unallocated disk space where the Setup program can create a new partition. Then click Next. The Installing Windows page appears.

9. After several minutes, during which the Setup program installs Windows Server 2012, the computer restarts and the Settings page appears, as shown in Figure 1-6.

[Figure 1-6: The Settings page]

10. In the Password and Reenter Password text boxes, type the password to be associated with the Administrator account and press Enter. The system finalizes the installation and the Windows sign-on screen appears, as shown in Figure 1-7.

[Figure 1-7: The Windows sign-on screen]

Installing Third-Party Drivers

The Bottom Line: In some cases, it might be necessary to install a driver supplied by a hardware manufacturer before the disks in the computer appear in the setup program.

During the Windows Server 2012 installation procedure, the Setup program enables you to select the partition or area of unallocated disk space where you want to install the operating system. The Where do you want to install Windows? page lists the partitions on all the computer’s disk drives that the Setup program can detect with its default drivers. In most cases, all the computer’s drives should appear in the list; if they do not, it is probably because Windows does not include a driver for the computer’s drive controller.

If the computer’s hard drives are connected to a third-party controller, rather than the one integrated into most motherboards, the list of partitions might appear empty, and you have to supply a driver for the Setup program to see the drives. Check the controller manufacturer’s website for a driver supporting Windows Server 2012, or another recent version of Windows Server. To install the driver, use the following procedure.

Install a Third-Party Disk Driver

GET READY. If during a Windows Server 2012 installation no disk partitions or unallocated space appear on the Where do you want to install Windows? page, you must install the appropriate driver for your disk controller using the following procedure before the installation can continue.

1. On the Where do you want to install Windows? page, click the Load Driver button. A Load Driver message box appears, as shown in Figure 1-8.

[Figure 1-8: The Load Driver message box]

2. Insert the storage medium containing the driver into the computer. You can supply drivers on a CD, DVD, floppy disk, or USB flash drive.

3. Click OK if the driver is in the root directory of the storage medium, or Browse if you need to locate the driver in the directory structure of the disk. A list of the drivers found on the disk appears on the Select the driver to install page.

4. Select one of the drivers in the list and click Next.

5. When the driver loads, the partitions and unallocated space on the associated disks appear in the list on the Where do you want to install Windows? page.

6. Select the partition or area of unallocated space where you want to install Windows Server 2012 and then continue with the rest of the installation procedure, as covered earlier in this lesson.

Working with Installation Partitions

The Bottom Line: In addition to installing disk drivers, the Where do you want to install Windows? page enables you to create, manage, and delete the partitions on your disks.

Clicking the Drive options (advanced) button on the page causes four additional buttons to appear, as shown in Figure 1-9. These buttons have the following functions:

Delete removes an existing partition from a disk, permanently erasing all its data. You might want to delete partitions to consolidate unallocated disk space, enabling you to create a new, larger partition.

Extend enables you to make an existing partition larger, as long as unallocated space is available immediately following the selected partition on the disk.

Format enables you to format an existing partition on a disk, thereby erasing all its data. You do not need to format any new partitions you create for the install, but you might want to format an existing partition to eliminate unwanted files before installing Windows Server 2012 on it.

New creates a new partition of a user-specified size in the selected area of unallocated space.

[Figure 1-9: Additional buttons on the Where do you want to install Windows? page]

Choosing Installation Options

The Bottom Line: Many enterprise networks today use servers dedicated to a particular role. When a server is performing a single role, does it really make sense to have so many other processes running on the server that contribute little to that role?

Many IT administrators today are so accustomed to graphical user interfaces (GUIs) that they are unaware that there was ever any other way to operate a computer. When the first version of Windows NT Server appeared in 1993, many complained about wasting server resources on graphical displays and other elements that they deemed unnecessary. Up until that time, server displays were usually minimal, character-based, monochrome affairs. In fact, many servers had no display hardware at all, relying instead on text-based remote administration tools, such as Telnet.

Using Server Core

The Bottom Line: Windows Server 2012 includes an installation option that addresses those old complaints about wasting server resources on graphical displays.

Certification Ready: Install Server Core. Objective 1.1

Take Note: Server Core is not a separate product or edition. It is an installation option included with the Windows Server 2012 Standard, Enterprise, and Datacenter editions.

When you select the Windows Server Core installation option, you get a stripped-down version of the operating system. There is no Start menu, no desktop Explorer shell, no Microsoft Management Console, and virtually no graphical applications. All you see when you start the computer is a single window with a command prompt, as shown in Figure 1-10.

[Figure 1-10: The default Server Core interface]

The advantages of running servers using Server Core are several:

Hardware resource conservation: Server Core eliminates some of the most memory- and processor-intensive elements of the Windows Server 2012 operating system, thus devoting more of the system hardware to running essential services.

Reduced disk space: Server Core requires less disk space for the installed operating system elements, as well as less swap space, which maximizes the utilization of the server’s storage resources.

Reduced patch frequency: Windows Server 2012’s graphical elements are among the most frequently patched features, so running Server Core reduces the number of patches that you must apply. Fewer patches also mean fewer server restarts and less downtime.

Reduced attack surface: The less software there is running on the computer, the fewer entrances are available for attackers to exploit. Server Core reduces the potential openings presented by the operating system, increasing its overall security.

When Microsoft first introduced the Server Core installation option in Windows Server 2008, the idea was intriguing, but few administrators took advantage of it. The main reason for this was that most server administrators were not sufficiently conversant with the command-line interface to manage a Windows server without a GUI.

In Windows Server 2008 and Windows Server 2008 R2, the decision to install the operating system via the Server Core option was irrevocable. After you installed the operating system using Server Core, there was no way to get the GUI back except to perform a complete reinstallation. That has all changed in Windows Server 2012. You can now switch a server from the Server Core option to the Server with a GUI option, and back again, at will, using Windows PowerShell commands. This ability means that you can install Windows Server 2012 using the Server with a GUI option, if you want to, configure the server using the familiar graphical tools, and then switch the server to Server Core, to take advantage of the benefits listed earlier.

More Information: For more information on converting from Server Core to Server with a GUI and back again, refer to Lesson 2, “Configuring Servers.”

Server Core Defaults

In Windows Server 2012, Microsoft is attempting to fundamentally modify the way administrators work with their servers. Server Core is now the default installation option because in the new way of managing servers, you should rarely, if ever, have to work at the server console, either physically or remotely.

Windows Server has long been capable of remote administration, but this capability has been a piecemeal affair. Some Microsoft Management Console (MMC) snap-ins enabled administrators to connect to remote servers, and Windows PowerShell 2.0 provided some remote capabilities from the command line, but Windows Server 2012, for the first time, includes comprehensive remote administration tools that virtually eliminate the need to work at the server console. The new Server Manager application in Windows Server 2012 enables you to add servers from all over the enterprise and create server groups to facilitate the configuration of multiple systems simultaneously. The new Windows PowerShell 3.0 environment increases the number of available commands—known as cmdlets—from 230 to more than 2,430.

With tools like these, it is possible for you to install your servers using the Server Core option, execute a few commands to join each server to an AD DS domain, and then never touch the server console again. You can perform all subsequent administration tasks, including deployment of roles and features, by using Server Manager and Windows PowerShell from a remote workstation.

Server Core Capabilities

In addition to omitting most of the graphical interface, a Server Core installation omits some of the server roles found in a Server with a GUI installation. However, the Server Core option in Windows Server 2012 includes 13 of the 19 roles, plus support for SQL Server 2012, as opposed to only 10 roles in Windows Server 2008 R2 and 9 in Windows Server 2008.

Table 1-6 lists the roles and features that are available and not available in a Windows Server 2012 Server Core installation.

Table 1-6 Windows Server 2012 Server Core Roles

Roles available in a Server Core installation:

- Active Directory Certificate Services
- Active Directory Domain Services
- Active Directory Lightweight Directory Services
- Active Directory Rights Management Services
- DHCP Server
- DNS Server
- File and Storage Services
- Hyper-V
- Print and Document Services
- Remote Desktop Services: Remote Desktop Connection Broker, Remote Desktop Licensing, Remote Desktop Virtualization Host
- Remote Access
- Web Server (IIS)
- Windows Server Update Services

Roles not available in a Server Core installation:

- Active Directory Federation Services
- Application Server
- Fax Server
- Network Policy and Access Services
- Remote Desktop Services: Remote Desktop Gateway, Remote Desktop Session Host, Remote Desktop Web Access
- Volume Activation Services
- Windows Deployment Services

Using the Minimal Server Interface

The Bottom Line: If the advantages of Server Core sound tempting but you do not want to give up certain traditional server administration tools, Windows Server 2012 provides a compromise called the Minimal Server Interface.

The Minimal Server Interface setting removes some of the most hardware-intensive elements from the graphical interface. These elements include Internet Explorer and the components that make up the Windows shell, including the desktop, Windows Explorer, and the Modern application interface. Also omitted are the Control Panel applets implemented as shell extensions, including the following:

- Programs and Features
- Network and Sharing Center
- Devices and Printers Center
- Display
- Firewall
- Windows Update
- Fonts
- Storage Spaces

Left in the Minimal Server Interface are the Server Manager and MMC applications, as well as Device Manager and the entire Windows PowerShell interface. This provides you with most of the tools you need to manage local and remote servers.

Take Note: The omission of Internet Explorer in the Minimal Server Interface affects the performance of some MMC snap-ins. For example, the Group Policy Management snap-in relies on Hypertext Markup Language (HTML) for some of its displays, and those displays do not function in the Minimal Server Interface.

To configure a Windows Server 2012 Server with a GUI installation to use the Minimal Server Interface, complete the following procedure.

CONFIGURE THE MINIMAL SERVER INTERFACE

GET READY. Log on to the server running Windows Server 2012 using an account with administrative privileges. The Server Manager window appears.

1. Click Manage > Remove Roles and Features. The Remove Roles and Features Wizard appears, showing the Before You Begin page.

2. Click Next. The Server Selection page appears.

3. In the Server Pool list, select the server you want to modify and click Next. The Remove Server Roles page appears.

4. Click Next. The Remove Features page appears.

5. Scroll down the Features list and expand the User Interfaces and Infrastructure feature, as shown in Figure 1-11.

Figure 1-11 The User Interfaces and Infrastructure feature in the Remove Roles and Features Wizard

6. Clear the Server Graphical Shell check box and click Next. The Confirm Removal Selections page appears.

7. Click Remove. The Removal Progress page appears.

8. When the removal is complete, click Close.

9. Restart the server.

TAKE NOTE * Removing the Graphical Management Tools and Infrastructure package as well as the Server Graphical Shell converts the computer to the Server Core installation option.

Using Features on Demand

During a Windows Server 2012 installation, the Setup program copies the files for all operating system components from the installation medium to a directory called WinSxS, the side-by-side component store. This enables you to activate any features included with Windows Server 2012 without having to supply an installation medium.

The drawback of this arrangement is that the WinSxS directory occupies a significant amount of disk space, much of which is, in many cases, devoted to data that will never be used. With the increasing use of virtual machines to distribute server roles, enterprise networks often have more copies of the server operating system than ever before, and therefore more wasted disk space. Also, the advanced storage technologies often used by today's server infrastructures, such as storage area networks (SANs) and solid state drives (SSDs), are making that disk space more expensive.

Features on Demand, new to Windows Server 2012, is a third state for operating system features that enables administrators to conserve disk space by removing specific features not only from operation, but also from the WinSxS directory. This state is intended for features that you do not intend to install on a particular server. If, for example, you want to disable the Server Graphical Shell feature in Windows Server 2012 to prevent Internet Explorer, Windows Explorer, and the desktop shell from running, and you want to remove the files that provide those features from the disk completely, you can do so with Features on Demand. By removing all the disk files for all your unused features on all your virtual machines, the accumulated savings in disk space can be substantial.

Features on Demand provide a third installation state for each feature in Windows Server 2012. In previous versions of the operating system, you could enable or disable features.

Windows Server 2012 provides the following three states:
Enabled
Disabled
Disabled with payload removed

To implement this third state, you must use the Windows PowerShell Uninstall-WindowsFeature cmdlet, which now supports a new -Remove flag. Thus, the Windows PowerShell command to disable the Server Graphical Shell and remove its source files from the WinSxS directory would be as follows:

Uninstall-WindowsFeature Server-Gui-Shell -Remove

Deleting the source files for a feature from the WinSxS folder does not make them irretrievably gone. If you try to enable that feature again, the system downloads it from Windows Update or, alternatively, retrieves it from an image file you specify using the -Source flag with the Install-WindowsFeature cmdlet. This enables you to retrieve the required files from a removable disk or from an image file on the local network. You can also use Group Policy to specify a list of installation sources.

CERTIFICATION READY Optimize resource utilization by using Features on Demand. Objective 1.1
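The Minimal Server Interface procedure and the Features on Demand command above both come down to adding or removing the two user-interface features with the Server Manager cmdlets. The following script is an added example, not code from the textbook or from Microsoft: it reports each feature's installation state and switches the server between the three installation options, optionally purging the payload from WinSxS. It assumes an elevated Windows PowerShell 3.0 session on Windows Server 2012; the install.wim path in the usage lines is an assumed value.

```powershell
# Added example (not from the textbook). Assumes an elevated Windows PowerShell 3.0
# session on Windows Server 2012 with the ServerManager module; the install.wim
# path used as -Source below is an assumed value.
Import-Module ServerManager

# Show every feature under the three states the lesson describes: Installed,
# Available (disabled, payload still in WinSxS) and Removed (payload gone).
function Get-FeatureStateSummary {
    Get-WindowsFeature | Group-Object -Property InstallState | ForEach-Object {
        New-Object PSObject -Property @{
            State    = $_.Name
            Count    = $_.Count
            Features = ($_.Group | ForEach-Object { $_.Name } | Sort-Object) -join ', '
        }
    }
}

# Move between the installation options by adding or removing the two user-interface
# features: Server-Gui-Mgmt-Infra (Graphical Management Tools and Infrastructure) and
# Server-Gui-Shell (Server Graphical Shell). -RemovePayload turns an uninstall into the
# Features on Demand "disabled with payload removed" state.
function Set-ServerInterface {
    param(
        [Parameter(Mandatory=$true)]
        [ValidateSet('ServerCore', 'MinimalServerInterface', 'ServerWithGui')]
        [string]$Option,
        [switch]$RemovePayload,
        # Where Install-WindowsFeature finds the files when the payload has been removed
        # and Windows Update is not reachable, e.g. 'wim:D:\sources\install.wim:2'.
        [string]$Source
    )
    $install = @{}
    if ($Source) { $install.Source = $Source }

    switch ($Option) {
        'ServerCore' {
            Uninstall-WindowsFeature -Name Server-Gui-Mgmt-Infra, Server-Gui-Shell -Remove:$RemovePayload
        }
        'MinimalServerInterface' {
            # Keep Server Manager, MMC, Device Manager and PowerShell; drop IE and the shell.
            Install-WindowsFeature -Name Server-Gui-Mgmt-Infra @install
            Uninstall-WindowsFeature -Name Server-Gui-Shell -Remove:$RemovePayload
        }
        'ServerWithGui' {
            Install-WindowsFeature -Name Server-Gui-Mgmt-Infra, Server-Gui-Shell @install
        }
    }
    Write-Warning "Restart the server to complete the switch to $Option."
}

# Usage:
# Get-FeatureStateSummary | Format-Table State, Count, Features -AutoSize
# Set-ServerInterface -Option MinimalServerInterface -RemovePayload
# Set-ServerInterface -Option ServerWithGui -Source 'wim:D:\sources\install.wim:2'
```

Run Get-FeatureStateSummary before and after a change to confirm that a feature removed with -RemovePayload shows as Removed rather than Available; that is the difference between a disabled feature and one whose files no longer occupy WinSxS.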

TAKE NOTE * This ability to retrieve source files for a feature from another location is the actual functionality to which the name Features on Demand is referring. Microsoft often uses this capability to reduce the size of updates downloaded from the Internet. After the user installs the update, the program downloads the additional files required and completes the installation.

■ Upgrading Servers

THE BOTTOM LINE An in-place upgrade is the most complicated form of Windows Server 2012 installation. It is also the lengthiest and the most likely to cause problems during its execution. Whenever possible, Microsoft recommends that administrators perform a clean installation, or migrate required applications and settings instead.

CERTIFICATION READY Plan for a server upgrade. Objective 1.1

During an in-place upgrade, the Setup program creates a new Windows folder and installs the Windows Server 2012 operating system files into it. This is only half of the process, however. The program must then migrate the applications, files, and settings from the old OS. This calls for a variety of procedures, such as importing the user profiles, copying all pertinent settings from the old registry to the new one, locating applications and data files, and updating device drivers with new versions.

While in-place upgrades often proceed smoothly, the complexity of the upgrade process and the large number of variables involved means that many things can potentially go wrong. To minimize the risks involved, you must take the upgrade process seriously, prepare the system beforehand, and have the ability to troubleshoot any problems that might arise. The following sections discuss these subjects in detail.

Upgrade Paths

Upgrade paths for Windows Server 2012 are quite limited. In fact, they are easier to specify when you can perform an upgrade than when you cannot.

If you have a 64-bit computer running Windows Server 2008 or Windows Server 2008 R2, you can upgrade it to Windows Server 2012 as long as you use the same (or a lower) operating system edition. Windows Server 2012 does not support the following:
Upgrades from Windows Server versions prior to Windows Server 2008
Upgrades from Windows workstation operating systems
Cross-edition upgrades, such as Windows Server 2008 Standard Edition to Windows Server 2012 Datacenter Edition
Cross-platform upgrades, such as 32-bit Windows Server 2008 to 64-bit Windows Server 2012
Upgrades from any Itanium edition
Cross-language upgrades, such as from Windows Server 2008, U.S. English, to Windows Server 2012, French

In any of these cases, the Windows Setup program does not permit the upgrade to proceed.

Preparing to Upgrade

Before you begin an in-place upgrade to Windows Server 2012, you should perform a number of preliminary procedures to ensure that the process goes smoothly and that server data is protected.

Consider the following before you perform any upgrade to Windows Server 2012:

Check hardware compatibility. Make sure that the server meets the minimum hardware requirements for Windows Server 2012.

Check disk space. Make sure that sufficient free disk space is on the partition where the old operating system is installed. During the upgrade procedure, sufficient disk space is needed to hold both operating systems simultaneously. After the upgrade is complete, you can remove the old files, freeing up some additional space.

Confirm that software is signed. All kernel-mode software on the server, including device drivers, must be digitally signed, or the upgrade will not proceed. If you cannot locate a software update for any signed application or driver, you must uninstall the application or driver before you proceed with the installation.

Check application compatibility. The Setup program displays a Compatibility Report page that can point out possible application compatibility problems. You can sometimes solve these problems by updating or upgrading the applications. Create an inventory of the software products installed on the server and check the manufacturers' websites for updates, availability of upgrades, and announcements regarding support for Windows Server 2012. In an enterprise environment, you should test all applications for Windows Server 2012 compatibility, no matter what the manufacturer says, before you perform any operating system upgrades.

Ensure computer functionality. Make sure that Windows Server 2008 or Windows Server 2008 R2 is running properly on the computer before you begin the upgrade process. Check the Event Viewer console for warnings and errors. You must start an in-place upgrade from within the existing operating system, so you cannot count on Windows Server 2012 to correct any problems that prevent the computer from starting or running the Setup program.

Perform a full backup. Before you perform any upgrade procedure, you should back up the entire system, or at the very least the essential data files. Removable hard drives make this a simple process, even if the computer does not have a suitable backup device.

Purchase Windows Server 2012. Be sure to purchase the appropriate Windows Server 2012 edition for the upgrade, and have the installation disk and product key handy.
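Most of the checks in the list above (upgrade path, disk space, signed drivers, recent errors, software inventory) can be gathered in one pass before you touch Setup. The script below is an added example, not from the textbook or from Microsoft: a read-only readiness report written for Windows PowerShell 2.0 so that it runs on the Windows Server 2008 or 2008 R2 computer you intend to upgrade. The free-space threshold and the event look-back window are assumed planning values, and the edition check (same or lower edition) is left to the administrator because Setup, not the script, enforces it.

```powershell
# Added example (not from the textbook). Read-only pre-upgrade report for the
# Windows Server 2008 / 2008 R2 system to be upgraded. Windows PowerShell 2.0 syntax.
# $MinFreeGB and $EventLookbackDays are assumed planning values, not Microsoft figures.
function Test-UpgradeReadiness {
    param(
        [int]$MinFreeGB = 32,
        [int]$EventLookbackDays = 7
    )
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $findings = @()

    # Upgrade path: only 64-bit Windows Server 2008 (6.0) or 2008 R2 (6.1) can be upgraded.
    if ($os.OSArchitecture -ne '64-bit') {
        $findings += 'Cross-platform upgrade (32-bit to 64-bit) is not supported.'
    }
    if ($os.Version -notmatch '^6\.[01]\.') {
        $findings += "In-place upgrade from '$($os.Caption)' $($os.Version) is not supported."
    }

    # Disk space: both operating systems must fit on the system partition during the upgrade.
    $disk = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$($os.SystemDrive)'"
    $freeGB = [math]::Round($disk.FreeSpace / 1GB, 1)
    if ($freeGB -lt $MinFreeGB) {
        $findings += "Only $freeGB GB free on $($os.SystemDrive); planning minimum is $MinFreeGB GB."
    }

    # Signed kernel-mode software: Setup refuses to continue with unsigned drivers present.
    $unsigned = Get-WmiObject -Class Win32_PnPSignedDriver |
        Where-Object { $_.DriverVersion -and $_.IsSigned -eq $false } |
        Select-Object DeviceName, DriverVersion, Manufacturer
    if ($unsigned) {
        $names = ($unsigned | ForEach-Object { $_.DeviceName }) -join '; '
        $findings += "Unsigned drivers present: $names"
    }

    # Computer health: recent System log errors should be resolved before the upgrade.
    $since = (Get-Date).AddDays(-$EventLookbackDays)
    $errors = Get-EventLog -LogName System -EntryType Error -After $since -ErrorAction SilentlyContinue
    if ($errors) {
        $findings += "$(@($errors).Count) System log errors since $($since.ToShortDateString()); review them in Event Viewer."
    }

    # Software inventory for the vendor compatibility check (both registry views).
    $apps = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                                   'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher | Sort-Object DisplayName

    New-Object PSObject -Property @{
        OperatingSystem   = "$($os.Caption) $($os.Version) ($($os.OSArchitecture))"
        FreeSpaceGB       = $freeGB
        UnsignedDrivers   = $unsigned
        InstalledSoftware = $apps
        Blockers          = $findings
        ReadyToUpgrade    = ($findings.Count -eq 0)
    }
}

# Usage: keep the inventory with the full backup taken before you run Setup.
# $report = Test-UpgradeReadiness
# $report.Blockers
# $report.InstalledSoftware | Export-Csv -Path C:\PreUpgrade\software-inventory.csv -NoTypeInformation
```

A non-empty Blockers list means Setup will stop or the upgrade is unsupported; an empty list is not a guarantee, because hardware minimums, the edition rule, and application compatibility still have to be verified by hand.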

Performing an Upgrade Installation Windows Server 2012 permits you to perform an upgrade installation only after you have met the prerequisites described in the previous section.

To perform a Windows Server 2012 upgrade installation from Windows Server 2008 or Windows Server 2008 R2, use the following procedure.

PERFORM AN UPGRADE INSTALLATION

GET READY. Start the server and log on using an account with administrative privileges.

1. Insert the Windows Server 2012 installation disk into the DVD drive and start the Setup program. The Windows Setup window appears.

2. Click Install Now. The Windows Setup Wizard appears, displaying the Select the operating system you want to install page.

3. Select the operating system edition and installation option you want to install and click Next. The License Terms page appears.

4. Select the I accept the license terms check box and click Next. The Which type of installation do you want? page appears.

5. Click the Upgrade: Install Windows and keep files, settings, and applications option. The Compatibility report (saved to your desktop) page appears, as shown in Figure 1-12.

Figure 1-12 The Compatibility Report page

TAKE NOTE * In some cases, you might have to close the Setup program to update, upgrade, or uninstall an incompatible application.

6. Note the compatibility information provided by the Setup program and click Next. The Upgrading Windows page appears, as shown in Figure 1-13.

Figure 1-13 The Upgrading Windows page

After several minutes, during which the Setup program upgrades Windows Server 2008 or Windows Server 2008 R2 to Windows Server 2012 and restarts the computer several times, the system finalizes the installation and the Windows sign-on screen appears.

During the upgrade process, when the system restarts, the boot menu provides an option to roll back to the previous operating system version. However, after the upgrade is complete, this option is no longer available; uninstalling Windows Server 2012 and reverting to the old operating system version is not possible.

■ Migrating Roles

THE BOTTOM LINE Migration is the preferred method of replacing an existing server with one running Windows Server 2012. Unlike an in-place upgrade, a migration copies vital information from an existing server to a clean Windows Server 2012 installation.

CERTIFICATION READY Migrate roles from previous versions of Windows Server. Objective 1.1

During a migration, virtually all the restrictions listed earlier concerning upgrades do not apply. By using the Windows Server Migration Tools and migration guides supplied with Windows Server 2012, you can migrate data between servers under any of the following conditions:

Between versions: You can migrate data from any Windows Server version since Windows Server 2003 SP2 to Windows Server 2012. This includes migrations from one server running Windows Server 2012 to another.

Between platforms: You can migrate data from an x86- or x64-based server to an x64-based server running Windows Server 2012.

Between editions: You can migrate data between servers running different Windows Server editions.

Between physical and virtual instances: You can migrate data from a physical server to a virtual one, or the reverse.

Between installation options: You can migrate data from a server running Windows Server 2008 R2 to one running Windows Server 2012, even when one server is using the Server Core installation option and the other uses the Server with a GUI option.

TAKE NOTE * Windows Server 2012 does not support migrations between different language versions of the operating system. You also cannot migrate data from Server Core installations of Windows Server 2008, because Server Core in that version does not include support for Microsoft .NET Framework.

Migration at the server level is different from any migrations you might have performed on workstation operating systems. Rather than perform a single migration procedure that copies all user data from the source to the destination computer at once, in a server migration you migrate roles or role services individually.

Windows Server 2012 includes a collection of migration guides that provide individualized instructions for each role supported by Windows Server 2012. Some roles require the use of the Windows Server Migration Tools; others do not.

Installing Windows Server Migration Tools Windows Server Migration Tools is a Windows Server 2012 feature that consists of Windows PowerShell cmdlets and help files that enable administrators to migrate certain roles between servers.

Before you can use the migration tools, however, you must install the Windows Server Migration Tools feature on the destination server running Windows Server 2012, and then copy the appropriate version of the tools to the source server.

Windows Server Migration Tools is a standard feature that you install on Windows Server 2012 using the Add Roles and Features Wizard in Server Manager, as shown in Figure 1-14, or the Install-WindowsFeature Windows PowerShell cmdlet.

After you install the Windows Server Migration Tools feature on the destination server, you must create a distribution folder containing the tools for the source server. This distribution folder must contain the appropriate files for the platform and the operating system version of the source server.

To create the distribution folder on a server running Windows Server 2012 with the Windows Server Migration Tools feature already installed, use the following procedure.

CREATE A WINDOWS SERVER MIGRATION TOOLS DISTRIBUTION FOLDER

GET READY. Start the destination server running Windows Server 2012 and log on using an account with administrative privileges.

1. Open a Command Prompt window.

2. Switch to the directory containing the Windows Server Migration Tools files by typing the following command and pressing Enter:

cd\windows\system32\ServerMigrationTools

3. Run the SmigDeploy.exe program with the appropriate command line switches for the platform and operating system version of the source server, using the following syntax:

SmigDeploy.exe /package /architecture [x86|amd64] /os [WS08|WS08R2|WS03] /path deployment_folder_path

Figure 1-14 The Select Features page of the Add Roles and Features Wizard

USING WINDOWS POWERSHELL To install the Windows Server Migration Tools feature using Windows PowerShell, use the following syntax:

Install-WindowsFeature Migration [-ComputerName ]

The SmigDeploy.exe program creates a new folder in the directory you specify for the deployment_folder_path variable, assigning it a name and location based on the command-line switches you specify. For example, if you enter the following command and press Enter, the program creates a folder called C:\SMT_ws08R2_amd64 containing the Server Migration Tools.

SmigDeploy.exe /package /architecture amd64 /os WS08R2 /path C:\

After you create the distribution folder, you must copy it to the source server by any standard means, and then register the Windows Server Migration Tools on the source server using the following procedure.

CREATE A WINDOWS SERVER MIGRATION TOOLS DISTRIBUTION FOLDER

GET READY. Start the source server and log on using an account with administrative privileges.

1. Open a Command Prompt window.

2. Switch to the folder containing the Windows Server Migration Tools that you previously copied to the server.

3. Run the SmigDeploy.exe program with no parameters on the command line, as follows:

SmigDeploy.exe

When you execute SmigDeploy.exe, the program registers the Windows Server Migration Tools on the source server and opens a Windows PowerShell window in which you can use those tools, as shown in Figure 1-15.

Figure 1-15 Registering Windows Server Migration Tools

To use the migration tools in a new Windows PowerShell session, you must open a Windows PowerShell window with elevated user rights and then add the appropriate snap-in, using the following syntax:

Add-PSSnapin Microsoft.Windows.ServerManager.Migration

By using the migration tools, you can migrate certain roles, features, shares, operating system settings, and other data from the source server to the destination server running Windows Server 2012. Some roles require the use of the migration tools while others do not, having their own internal communication capabilities. For example, the Print and Document Services role includes a Printer Migration Wizard (and a command-line tool called Printbrm.exe) that enables you to export printers on a source server to a file and import the file on the destination server. Roles that do not have capabilities like this rely on the Windows Server Migration Tools.
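The two procedures above leave the choice of /architecture and /os switches to the administrator, and a mismatch means the package will not register on the source server. The following script is an added example, not the textbook's or Microsoft's code: run on the Windows Server 2012 destination server, it installs the Migration feature if it is missing, reads the source server's version and platform over WMI, runs SmigDeploy.exe with the matching switches, and returns the folder to copy. It assumes the source server accepts WMI queries from the account in use; the server names and the C:\SMT output path are assumed values.

```powershell
# Added example (not from the textbook). Run on the Windows Server 2012 destination
# server in an elevated Windows PowerShell session. Assumes the source server answers
# WMI queries from this account; the default output path C:\SMT is an assumed value.
Import-Module ServerManager

# Map the source server's operating system and platform to the /os and /architecture
# switches that SmigDeploy.exe accepts (WS03, WS08, WS08R2; x86, amd64).
function Get-SmigDeployArguments {
    param([Parameter(Mandatory=$true)][string]$SourceComputer)
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $SourceComputer
    $osSwitch = switch -Regex ($os.Version) {
        '^5\.2\.' { 'WS03' }    # Windows Server 2003 SP2 / 2003 R2
        '^6\.0\.' { 'WS08' }    # Windows Server 2008
        '^6\.1\.' { 'WS08R2' }  # Windows Server 2008 R2
        default   { throw "No SmigDeploy package exists for '$($os.Caption)' ($($os.Version)); a Windows Server 2012 source installs the Migration feature directly." }
    }
    $arch = if ($os.OSArchitecture -eq '64-bit') { 'amd64' } else { 'x86' }
    New-Object PSObject -Property @{
        Computer = $SourceComputer; Caption = $os.Caption; Os = $osSwitch; Architecture = $arch
    }
}

# Install the Migration feature if needed, run SmigDeploy.exe with the detected
# switches, and return the path of the folder it created.
function New-SmigDistributionFolder {
    param(
        [Parameter(Mandatory=$true)][string]$SourceComputer,
        [string]$Path = 'C:\SMT'
    )
    if ((Get-WindowsFeature -Name Migration).InstallState -ne 'Installed') {
        Install-WindowsFeature -Name Migration | Out-Null
    }
    $switches = Get-SmigDeployArguments -SourceComputer $SourceComputer
    if (-not (Test-Path -Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }

    $smigDeploy = Join-Path $env:SystemRoot 'System32\ServerMigrationTools\SmigDeploy.exe'
    & $smigDeploy /package /architecture $switches.Architecture /os $switches.Os /path $Path
    if ($LASTEXITCODE -ne 0) { throw "SmigDeploy.exe returned exit code $LASTEXITCODE" }

    # Folder name follows the SMT_<os>_<architecture> pattern shown in the text (SMT_ws08R2_amd64).
    Join-Path $Path ('SMT_' + ($switches.Os -replace '^WS', 'ws') + '_' + $switches.Architecture)
}

# Usage (assumed server names):
# $folder = New-SmigDistributionFolder -SourceComputer 'SERVERA'
# Copy-Item -Path $folder -Destination '\\SERVERA\C$\' -Recurse
# Then, on SERVERA, open an elevated command prompt in the copied folder and run SmigDeploy.exe.
```

Because the distribution folder carries executable tooling that will run with administrative rights on the source server, copy it over an authenticated path such as the administrative share above rather than removable media of unknown provenance, and keep the folder's ACL restricted to administrators.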

Migrating all the Windows Server roles does not involve any one procedure, whether the roles have their own migration tools or not. Instead, Microsoft provides detailed migration guides for individual roles, and sometimes for individual role services within a role.

Using Migration Guides

After you install the Windows Server Migration Tools on both the source and the destination servers, you can proceed to migrate data between the two.

MORE INFORMATION Up-to-date migration guides are available at the Windows Server Migration Portal in the Windows Server 2012 TechCenter, from Microsoft's TechNet website.

A typical migration guide contains elements such as the following:

Compatibility notes: Lists or tables containing specific circumstances in which the guide procedures apply, and circumstances in which they do not apply. These include notes regarding migrations between different operating systems, platforms, and installation options.

Guide contents: A list of the sections appearing in the migration guide.

Migration overview: A high-level list of the procedures required to complete the migration, linked to the instructions for the procedures themselves.

Migration requirements: A list of the software, permissions, and other elements needed to complete the migration, as well as the estimated amount of time required.

Pre-migration tasks: Detailed instructions for procedures you must complete before beginning the actual migration, including installation of required software and backup of existing data.

Migration procedures: Detailed instructions for the individual procedures you must perform to complete the migration.

Post-migration procedures: Instructions for removing or disabling a role from the source server or restoring the systems to their previous states.

SKILL SUMMARY

IN THIS LESSON, YOU LEARNED:

Microsoft releases all its operating systems in multiple editions, which provides consumers with various price points and feature sets.

Windows Server 2012 includes predefined combinations of services called roles that implement common server functions.

A clean installation is the simplest way to deploy Windows Server 2012 on a bare metal computer or a computer with a partition that you are willing to reformat (losing all the data on the partition in the process).

Many enterprise networks today use servers dedicated to a particular role. When a server is performing a single role, does it really make sense to have so many other processes running on the server that contribute little to that role?

When you select the Windows Server Core installation option, you get a stripped-down version of the operating system.

If the advantages of Server Core sound tempting but you do not want to give up certain traditional server administration tools, Windows Server 2012 provides a compromise called the Minimal Server Interface.

The Minimal Server Interface is a setting that removes some of the most hardware-intensive elements from the graphical interface.

An in-place upgrade is the most complicated form of Windows Server 2012 installation. It is also the lengthiest and the most likely to cause problems during its execution.

Whenever possible, Microsoft recommends that administrators perform a clean installation, or migrate required applications and settings instead.

Migration is the preferred method of replacing an existing server with one running Windows Server 2012. Unlike an in-place upgrade, a migration copies vital information from an existing server to a clean Windows Server 2012 installation.

Windows Server Migration Tools is a Windows Server 2012 feature that consists of Windows PowerShell cmdlets and help files that enable administrators to migrate certain roles between servers.

■ Knowledge Assessment

Multiple Choice

Select one or more correct answers for each of the following questions.

1. Which of the following roles implement what can be classified as infrastructure services? (Choose all that apply)
a. DNS
b. Web Server (IIS)
c. DHCP
d. Remote Desktop Services

2. Which of the following is a valid upgrade path to Windows Server 2012?
a. Windows Server 2003 Standard to Windows Server 2012 Standard
b. Windows Server 2008 Standard to Windows Server 2012 Standard
c. Windows Server 2008 R2 32-bit to Windows Server 2012 64-bit
d. Windows 7 Ultimate to Windows Server 2012 Essentials

3. Which feature must you add to a Windows Server 2012 Server Core installation to convert it to the Minimal Server Interface?

a. Graphical Management Tools and Infrastructure
b. Server Graphical Shell
c. Windows PowerShell
d. Microsoft Management Console

4. What is the name of the directory where Windows stores all of the operating system modules it might need to install at a later time?

a. Windows
b. System32
c. Bin
d. WinSxS

5. Which of the following are valid reasons why administrators might want to install their Windows Server 2012 servers using the Server Core option? (Choose all that apply)
a. A Server Core installation can be converted to the full GUI without reinstalling the operating system.

b. The PowerShell 3.0 interface in Windows Server 2012 includes more than 10 times as many cmdlets as PowerShell 2.0.

c. The new Server Manager in Windows Server 2012 makes it far easier to administer servers remotely.

d. A Windows Server 2012 Server Core license costs significantly less than a full GUI license.

6. Windows Server 2012 requires what processor architecture?

a. 64-bit processor only
b. 32-bit processor and 64-bit processor
c. Any processor provided it is physical, not virtual
d. Minimum dual-core processor

7. What are the minimum system memory requirements to run all editions of Windows Server 2012?

a. 256 MB RAM
b. 512 MB RAM
c. 2 GB RAM
d. 4 GB RAM

8. What is the default installation option when installing Windows Server 2012?

a. Server Core
b. Startup GUI
c. PowerShell
d. There is no default.

9. What Windows Server 2012 role would you install to provide network resources to remote users?
a. Network Policy and Access Services
b. Remote Access
c. Windows Deployment Services
d. Web Server (IIS)

10. What Windows Server 2012 role enforces security policies for network users?

a. Network Policy and Access Services
b. Remote Access
c. Active Directory Rights Management Services
d. Remote Desktop Services

Best Answer

Choose the letter that corresponds to the best answer. More than one answer choice may achieve the goal. Select the BEST answer.

1. You are deciding which Windows Server 2012 edition is right for your needs: a Remote Access server. You are eager to create a virtual machine (VM) on which you can install a virtual operating system environment (VOSE). You foresee needing only one VOSE. What Windows Server 2012 edition is best?

a. Windows Server 2012 Datacenter edition
b. Windows Server 2012 Standard edition
c. Windows Server 2012 Foundation edition
d. Windows Server 2012 Essentials edition

2. Your company wants to upgrade to Windows Server 2012. Considering the present environment of mostly Windows Server 2008 R2 servers, what is the best path to upgrade to Windows Server 2012?

a. Perform an in-place upgrade of a Windows Server 2008 R2 machine
b. Create a virtual instance of Windows Server 2012
c. Perform a clean installation of Windows Server 2012
d. Perform an in-place upgrade of the current lowest Windows Server edition

3. You are tempted by the advantages of Server Core, but you do not want to give up certain traditional server administration tools. What is the best option made available by Windows Server 2012 as a compromise?

a. Use the Minimal Server Interface
b. Use PowerShell
c. Use cmdlets
d. Use the full graphical user interface (GUI)

4. What is the purpose of Microsoft releasing multiple editions of Windows Server 2012?

a. To better secure a server by eliminating unnecessary features
b. To accommodate needs of different companies
c. To offer various feature sets and at different price points
d. To complement available 32-bit server editions

5. Active Directory Rights Management Services (AD RMS) are available on which Windows Server 2012 edition?

a. Windows Server 2012 Datacenter edition
b. Windows Server 2012 Datacenter and Standard editions
c. Windows Server 2012 Datacenter, Standard, and Foundation editions
d. All Windows Server 2012 editions

Build a List

1. Order the steps to install Windows Server 2012.

a. Select the appropriate language, time and currency format, and so on
b. After accepting the license terms, select the type of installation
c. Boot up the computer with the Windows Server 2012 DVD
d. Select whether a clean installation or an upgrade
e. Enter the password associated with the new Administrator account
f. Select a partition on which to install or create a new partition

2. Order the steps to create and register a Windows Server Migration Tools Distribution Folder, ending with the use of the migration tools in a new PowerShell session.

a. Start the destination server and log on with administrative privileges
b. Copy the distribution folder to the source server
c. Run the SmigDeploy.exe program with the appropriate command-line switches for the platform and operating system version of the source server, using the following syntax:
SmigDeploy.exe /package /architecture [x86|amd64] /os [WS08|WS08R2|WS03] /path
d. Type: Add-PSSnapin Microsoft.Windows.ServerManager.Migration
e. At a command prompt on the destination server's folder, type: SmigDeploy.exe

3. Order the steps to upgrade to Windows Server 2012.

a. Migrate services and applications
b. Perform an in-place upgrade on Windows Server 2003 servers
c. Install a clean instance of Windows Server 2012
d. Check hardware and application compatibility and disk space
e. Perform a full backup

■ Business Case Scenarios

Scenario 1-1: Preparing for an Upgrade to Windows Server 2012

Walk through the steps an administrator needs to do to prepare for an upgrade to Windows Server 2012.

Scenario 1-2: Switching to GUI Installation

A server is running the Server Core installation of Windows Server 2012. What would you do if you desired the GUI installation?

LESSON 2 Configuring Servers

70-410 EXAM OBJECTIVE

Objective 1.2 – Configure servers. This objective may include but is not limited to: Configure Server Core; delegate administration; add and remove features in offline images; deploy roles on remote servers; convert Server Core to/from full GUI; configure services; configure NIC teaming.

LESSON HEADING / EXAM OBJECTIVE
Completing Post-Installation Tasks
  Using GUI Tools
  Using Command-Line Tools / Configure Server Core
  Converting Between GUI and Server Core / Convert Server Core to/from full GUI
  Configuring NIC Teaming / Configure NIC teaming
Using Roles, Features, and Services
  Using Server Manager
  Adding Roles and Features / Deploy roles on remote servers
  Deploying Roles to VHDs / Add and remove features in offline images
  Configuring Services / Configure services
Delegating Server Administration / Delegate administration

KEY TERMS
NIC teaming
role group

■ Completing Post-Installation Tasks

THE BOTTOM LINE As part of the new emphasis on cloud-based services in Windows networking, Windows Server 2012 contains various tools that have been overhauled to facilitate remote server management capabilities.

With the new Server Manager, for example, you can fully manage Windows servers without ever having to interact directly with the server console, either physically or remotely. However, immediately after the operating system installation, you might have to perform some tasks that require direct access to the server console. These tasks might include the following:
Configuring the network connection
Setting the time zone
Renaming the computer
Joining a domain
Enabling Remote Desktop
Configuring Windows Update settings

Using GUI Tools

In Windows Server 2012, the Properties tile in Server Manager provides the same functionality as the Initial Configuration Tasks window in previous versions.

To complete any or all post-installation con guration tasks on a GUI Windows Server 2012 installation, use the following procedure.

CONFIGURE A GUI INSTALLATION

GET READY. Log on to the server running Windows Server 2012 using an account with administrative privileges. The Server Manager window appears.

1. In the left pane, click the Local Server icon. The Properties tile for the server appears, as shown in Figure 2-1.

Figure 2-1 The Properties tile of the local server in Server Manager

2. In the Properties tile, the Ethernet entry specifies the status of the computer's network interface. If the network has an active Dynamic Host Configuration Protocol (DHCPv4) server, the server has already retrieved an IPv4 address and other settings and configured the interface. If the network has no DHCP server, or if you must configure the computer with a static IPv4 address, click the Ethernet hyperlink. The Network Connections window appears, as shown in Figure 2-2.

Figure 2-2 The Network Connections window

3. Right-click the Ethernet connection and, from the context menu, select Properties. The Ethernet Properties sheet appears.

4. Select the Internet Protocol Version 4 (TCP/IPv4) component and click Properties. The Internet Protocol Version 4 (TCP/IPv4) Properties sheet appears, as shown in Figure 2-3.

Figure 2-3 The Internet Protocol Version 4 (TCP/IPv4) Properties sheet

5. Select the Use The Following IP Address radio button and configure the following parameters with appropriate values:
• IP Address
• Subnet Mask
• Default Gateway
• Preferred DNS Server

6. Click OK twice to close the Internet Protocol Version 4 (TCP/IPv4) and Ethernet Properties sheets.

TAKE NOTE: At this time, you might also want to configure NIC teaming. For more information, see "Configuring NIC Teaming," later in this lesson.

7. Accurate computer clock time is essential for Active Directory Domain Services (AD DS) communication, because Kerberos rejects tickets when the clock skew between computers exceeds five minutes (the default tolerance). Domain members synchronize their clocks with the domain once joined, but the time zone must be set correctly for the local time to be right. If the server is located in a time zone other than the default Pacific zone, click the Time Zone hyperlink to display the Date and Time dialog box.

8. Click Change Time Zone. The Time Zone Settings dialog box appears, as shown in Figure 2-4.

9. Select the appropriate Time Zone setting for the server's permanent location and click OK twice to close the dialog boxes.

10. By default, Windows Server 2012 does not allow Remote Desktop connections. To enable them, click the Remote Desktop hyperlink to open the Remote tab of the System Properties sheet, as shown in Figure 2-5.

11. Select the Allow remote connections to this computer radio button. Leave the Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended) check box selected, so that a client must authenticate before the server creates a session for it. A Remote Desktop Connection message box appears.

12. Click OK to enable the required firewall exception.

13. Click Select Users to grant users Remote Desktop permissions, if desired, and click OK. Members of the local Administrators group can connect without being listed here.

14. Click OK to close the System Properties sheet.

Figure 2-4 The Time Zone Settings dialog box

Figure 2-5 The Remote tab of the System Properties sheet

15. In a manual operating system installation, the Windows Setup program assigns a unique name beginning with WIN- to the computer. To change the name of the computer and join it to a domain, click the Computer Name hyperlink to display the System Properties sheet.

16. Click Change. The Computer Name/Domain Changes dialog box appears, as shown in Figure 2-6.

Figure 2-6 The Computer Name/Domain Changes dialog box

17. In the Computer Name field, type the new name for the computer.

18. Click the Domain radio button and type the name of the domain to which you want to join the computer.

19. Click OK. A Windows Security dialog box appears, as shown in Figure 2-7.

Figure 2-7 The Windows Security dialog box

20. In the User Name and Password fields, type the credentials for a domain account with the privileges needed to add a computer to the specified domain and click OK. By default, any authenticated domain user can join up to ten computers to the domain (the ms-DS-MachineAccountQuota attribute); beyond that, the account needs the Create Computer Objects permission on the container in which the computer object is created. A Welcome to the Domain message box appears, followed by a message box informing you that you must restart the computer.

21. Click OK twice to close the message boxes.

22. Close the System Properties sheet and restart the computer when you are prompted to do so.

If necessary, because of limited physical access to the server, you can confine this procedure to configuring the network connection and enabling Remote Desktop. Then, you can use Remote Desktop to connect to the server and configure everything else.

Using Command-Line Tools

If you selected the Server Core option when installing Windows Server 2012, you can perform the same post-installation tasks from the command line.

At the very minimum, you need to rename the computer and join it to a domain. To perform these tasks, use the Netdom.exe command. To rename a computer, run Netdom.exe with the following syntax, as shown in Figure 2-8:

netdom renamecomputer %ComputerName% /NewName:<NewComputerName>

Figure 2-8 Renaming a computer from the command line

To restart the computer as directed, use the following command:

shutdown /r

Then, to join the computer to a domain, use the following syntax:

netdom join %ComputerName% /domain:<DomainName> /userd:<UserName> /passwordd:*

In this command, the asterisk (*) in the /passwordd parameter causes the program to prompt you for the password to the user account you specified. Always use the asterisk rather than typing the password on the command line, where it would remain in the console history and be visible to anyone who lists the process's command line.

These commands assume that a DHCP server has already configured the computer's TCP/IP client. If this is not the case, you must configure it manually before you can join a domain. To assign a static IP address to a computer using Server Core, use the Netsh.exe program, the NetTCPIP cmdlets that Windows Server 2012 adds to Windows PowerShell (New-NetIPAddress and Set-DnsClientServerAddress), or the Windows Management Instrumentation (WMI) access provided by Windows PowerShell.

Converting Between GUI and Server Core

In Windows Server 2012, you can convert a computer installed with the full GUI option to Server Core and add the full GUI to a Server Core computer.

This is a major improvement in the usefulness of Server Core over the version in Windows Server 2008 R2, in which you can change the interface only by reinstalling the entire operating system. With this capability, you can install servers with the full GUI, use the graphical tools to perform the initial setup, and then convert them to Server Core to conserve system resources and reduce the attack surface (fewer binaries and services on the server means fewer components to patch). If it later becomes necessary, it is possible to reinstall the GUI components.

To convert a full GUI installation of Windows Server 2012 to Server Core using Server Manager, use the following procedure.

CONVERT A GUI SERVER TO SERVER CORE

GET READY. Log on to the server running Windows Server 2012 by using an account with administrative privileges. The Server Manager window appears.

1. From the Manage menu, select Remove Roles and Features. The Remove Roles and Features Wizard appears, displaying the Before you begin page.

2. Click Next. The Select destination server page appears.

3. Select the server you want to convert to Server Core and click Next. The Remove Server Roles page appears.

4. Click Next. The Remove features page appears.

5. Scroll down in the list and expand the User Interfaces and Infrastructure feature, as shown in Figure 2-9.

Figure 2-9 The Remove features page in Server Manager

6. Clear the check boxes for the following components:
• Graphical Management Tools and Infrastructure
• Server Graphical Shell

7. The Remove features that require Graphical Management Tools and Infrastructure dialog box appears, as shown in Figure 2-10, with a list of dependent features that must be uninstalled. Click Remove Features.

Figure 2-10 The Remove features that require Graphical Management Tools and Infrastructure dialog box

8. Click Next. The Confirm removal selections page appears.

9. Select the Restart the destination server automatically if required check box and click Remove. The Removal progress page appears as the wizard uninstalls the feature.

10. Click Close. When the removal is completed, the computer restarts.

To add the full GUI to a Server Core computer, you must use Windows PowerShell to install the same features you removed in the previous procedure.

USING WINDOWS POWERSHELL

To convert a Windows Server 2012 Server Core installation to the full GUI option, use the following Windows PowerShell command:

Install-WindowsFeature Server-Gui-Mgmt-Infra, Server-Gui-Shell -Restart

To convert a full GUI server installation to Server Core, use the following command:

Uninstall-WindowsFeature Server-Gui-Mgmt-Infra, Server-Gui-Shell -Restart

On a computer that was installed as Server Core from the start, or from which the GUI binaries were removed with the -Remove parameter of Uninstall-WindowsFeature, the GUI files are not present in the side-by-side store (WinSxS). In that case Install-WindowsFeature also needs a -Source parameter pointing to the sources\sxs folder of the installation media, or to a mounted install.wim image, or the installation fails for lack of payload.

Configuring NIC Teaming

A new feature in Windows Server 2012, NIC teaming enables administrators to combine the bandwidth of multiple network interface adapters, providing increased performance and fault tolerance.

Virtualization enables you to separate vital network functions on different systems without having to purchase a separate physical computer for each one. However, one drawback of this practice is that a single server hosting multiple virtual machines is still a single point of failure for all of them. A single malfunctioning network adapter, a faulty switch, or even an unplugged cable can bring down a host server and all its VMs with it. NIC teaming, also called bonding, balancing, and aggregation, is a technology that has been available for some time, but was always tied to specific hardware implementations. The NIC teaming capability in Windows Server 2012 is hardware independent and enables you to combine multiple physical network adapters into a single interface. The results can include increased performance through the combined throughput of the adapters and protection from adapter failures by dynamically moving all traffic to the functioning NICs.

Figure 2-11 The NIC Teaming window in Server Manager

NIC teaming in Windows Server 2012 supports two modes:

Switch Independent Mode: The adapters can be connected to different switches, providing alternative routes through the network. The switches are not aware of the team, so no switch configuration is required.

Switch Dependent Mode: All network adapters are connected to the same switch (or to switches that present themselves as one), and the switch is configured to treat them as a single link with the adapters' combined bandwidth.

In Switch Independent Mode, you can choose between two configurations. The active/active configuration leaves all network adapters functional, providing increased throughput. If one adapter fails, all traffic shunts to the remaining adapters. In the active/standby configuration, one adapter is left offline, to function as a failover in the event the active adapter fails. In active/active mode, an adapter failure causes a performance reduction; in active/standby mode, the performance remains the same before and after an adapter failure.

In Switch Dependent Mode, you can choose static teaming, a generic mode that balances traffic between the adapters in the team and requires the switch ports to be configured to match, or you can opt to use the Link Aggregation Control Protocol (LACP), originally defined in IEEE 802.3ad and now maintained as IEEE 802.1AX, assuming that your equipment supports it.

NIC teaming has one significant limitation. A single TCP connection is always carried by one adapter, because spreading its segments across adapters would produce lost and out-of-order TCP segments. If your traffic consists of a few large TCP flows, such as a Hyper-V live migration or a large file copy, each flow cannot exceed the bandwidth of one adapter, so you do not realize any performance increase for it; the team still provides failover.

You can create and manage NIC teams using Server Manager or Windows PowerShell. To create a NIC team using Server Manager, use the following procedure.

CREATE A NIC TEAM

GET READY. Log on to the server running Windows Server 2012 using an account with administrative privileges. The Server Manager window appears.

1. In the navigation pane, click the Local Server icon. The Local Server homepage appears.

2. In the Properties tile, click the NIC Teaming hyperlink. The NIC Teaming window appears, as shown in Figure 2-11.

3. In the Teams tile, click the Tasks menu and select New Team. The New team page appears.

4. Click the Additional properties down arrow to expand the window, as shown in Figure 2-12.

Figure 2-12 The New team page in Server Manager

5. In the Team Name text box, type the name you want to assign to the team.

6. In the Member adapters box, select the network adapters you want to add to the team.

7. In the Teaming Mode drop-down list, select one of the following options:
• Static Teaming
• Switch Independent
• LACP

8. In the Load balancing mode drop-down list, select one of the following options:
• Address Hash
• Hyper-V Port

9. If you selected Switch Independent for the Teaming mode value, from the Standby adapter drop-down list, select one of the adapters you added to the team to function as the offline standby.

10. Click OK. The new team appears in the Teams tile, as shown in Figure 2-13.

Figure 2-13 A new NIC team in the NIC Teaming window in Server Manager

After you create a NIC team, you can use the NIC Teaming window to monitor the status of the team and the team interface you created. The team itself and the individual adapters all have status indicators that inform you if an adapter goes offline. If this does occur, the indicator for the faulty adapter immediately switches to disconnected, as shown in Figure 2-14, and depending on which teaming mode you chose, the status of the other adapter might change as well.

Figure 2-14 A NIC team with a failed adapter

USING WINDOWS POWERSHELL

To manage NIC teaming with Windows PowerShell, you use the cmdlets in the NetLbfo module (Get-, New-, Set-, and Remove-NetLbfoTeam, along with the NetLbfoTeamMember and NetLbfoTeamNic cmdlets). To create a new NIC team, you use the New-NetLbfoTeam cmdlet with the following basic syntax:

New-NetLbfoTeam -Name <TeamName> -TeamMembers <AdapterName>[,<AdapterName>...] [-TeamingMode LACP|Static|SwitchIndependent] [-LoadBalancingAlgorithm TransportPorts|IPAddresses|MACAddresses|HyperVPort]

A role, as noted in Lesson 1, "Installing Servers," is a combination of components that implements a common server infrastructure, application, or directory service function. Roles can consist of applications, management tools, utilities, and other components, all devoted to a particular end. Roles define the primary functions of a server. A server with the Web Server (IIS) role installed is referred to as a web server, no matter what other functions it might perform. A feature is a smaller module, typically with a single purpose, such as a management tool, an extension to a service, or an optional infrastructure component. The object of packaging software components as features is to avoid consuming system resources for tools that not every system administrator will use or need.
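The Server Core post-installation tasks from "Using Command-Line Tools" and the team creation from "Configuring NIC Teaming," combined into one Windows PowerShell script. This is an added example, not code from the book: the adapter names, addresses, computer name, domain, and time zone in the $cfg block are assumptions to be replaced with your own values, and it assumes Windows Server 2012 (PowerShell 3.0) with the NetLbfo and NetTCPIP modules that ship with it.

```powershell
# Added example, not from the book: post-installation tasks for a Server Core
# installation of Windows Server 2012, run from an elevated PowerShell session
# on the new server. Every value in $cfg is an assumption for this example.

$cfg = @{
    TeamName     = 'Team1'
    TeamMembers  = @('Ethernet', 'Ethernet 2')   # names as listed by Get-NetAdapter
    StandbyNic   = 'Ethernet 2'                  # active/standby; use $null for active/active
    IPAddress    = '10.0.0.10'
    PrefixLength = 24
    Gateway      = '10.0.0.1'
    DnsServers   = @('10.0.0.5', '10.0.0.6')
    TimeZone     = 'Eastern Standard Time'       # an ID from: tzutil /l
    NewName      = 'SRV-CORE01'
    Domain       = 'corp.example.com'
}

# 1. Create the team before assigning addresses. Physical adapters lose their own
#    IP configuration when they become team members, so the static address must
#    go on the team interface (which takes the team's name).
$teamParams = @{
    Name                   = $cfg.TeamName
    TeamMembers            = $cfg.TeamMembers
    TeamingMode            = 'SwitchIndependent'   # no switch configuration needed
    LoadBalancingAlgorithm = 'TransportPorts'      # Address Hash in the GUI
    Confirm                = $false
}
New-NetLbfoTeam @teamParams | Out-Null
if ($cfg.StandbyNic) {
    # Standby member: failover without a throughput change when an adapter fails.
    Set-NetLbfoTeamMember -Name $cfg.StandbyNic -AdministrativeMode Standby
}
$tries = 0
while ((Get-NetLbfoTeam -Name $cfg.TeamName).Status -ne 'Up' -and $tries -lt 30) {
    Start-Sleep -Seconds 2
    $tries++
}
if ((Get-NetLbfoTeam -Name $cfg.TeamName).Status -ne 'Up') {
    throw "Team $($cfg.TeamName) did not come up; check Get-NetLbfoTeamMember"
}

# 2. Static IPv4 configuration on the team interface (the netsh step in the text).
Set-NetIPInterface -InterfaceAlias $cfg.TeamName -AddressFamily IPv4 -Dhcp Disabled
$ipParams = @{
    InterfaceAlias = $cfg.TeamName
    AddressFamily  = 'IPv4'
    IPAddress      = $cfg.IPAddress
    PrefixLength   = $cfg.PrefixLength
    DefaultGateway = $cfg.Gateway
}
New-NetIPAddress @ipParams | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $cfg.TeamName -ServerAddresses $cfg.DnsServers

# 3. Time zone. Set-TimeZone does not exist on Windows Server 2012, so use tzutil.
tzutil /s $cfg.TimeZone

# 4. Remote Desktop: allow connections, require Network Level Authentication
#    (UserAuthentication=1 is the NLA check box on the Remote tab), and enable the
#    firewall rule group that the GUI's Remote Desktop Connection prompt enables.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0
Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 5. Rename and join in one step with a single restart. Get-Credential prompts
#    for the password, the same idea as netdom's /passwordd:*, so the password
#    never appears on the command line or in the console history.
$cred = Get-Credential -Message "Account permitted to join $($cfg.Domain)"
Add-Computer -DomainName $cfg.Domain -NewName $cfg.NewName -Credential $cred -Restart
```

Because the script waits for the team to report Up before assigning the address, a cabling or driver problem surfaces as a thrown error rather than as a server that is unreachable after the restart. The netdom sequence in the text needs two restarts (one for the rename, one for the join); Add-Computer with -NewName does both in one.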

■ Using Roles, Features, and Services

THE BOTTOM LINE
Configuring servers running Windows Server 2012 is initially a matter of deploying roles, features, and services.

X REF: For a list of the roles included with Windows Server 2012, refer to Table 1-1 in Lesson 1.

Table 2-1 lists the features supplied with Windows Server 2012.

Table 2-1 Windows Server 2012 Features

Feature: Description

.NET Framework 3.5 Features: A software package containing code that provides solutions to a large number of common programming requirements, including user interface, database access, cryptographic security, and network communications routines. Software developers can use these routines, with their own code, to build Windows applications more easily.

.NET Framework 4.5 Features: A software package that provides programming tools for building and running applications for PCs, smart phones, and cloud systems.

Background Intelligent Transfer Service (BITS): A service that enables client computers to transmit and receive files without using resources needed by other processes.

BitLocker Drive Encryption: A data-protection feature that encrypts entire hard disk volumes. When a TPM is present, the volume key is released only after the integrity of the computer's boot components has been validated, so the drive cannot be read if it is moved to another computer or booted from other media.

BitLocker Network Unlock: A feature that implements a network-based key protector service, so that domain computers can unlock their BitLocker-protected operating system volumes automatically when they start on the trusted corporate network.

BranchCache: A technology that enables the computer to function as either a BranchCache content server or a hosted cache server at a branch office location.

Client for NFS: A client that enables the computer to access NFS shares on UNIX/Linux servers.

Data Center Bridging: A feature that provides hardware-based quality of service and reliability on networks using iSCSI and Fibre Channel over Ethernet.

Enhanced Storage: A technology that enables the operating system to access additional functions on Enhanced Storage hardware devices.

Failover Clustering: A technology that enables multiple servers to work together at performing the same tasks, to provide high availability for applications and services.

Group Policy Management: A tool that installs the Group Policy Management Console, a Microsoft Management Console snap-in that simplifies the process of deploying, managing, and troubleshooting Group Policy Objects (GPOs).

Ink and Handwriting Services: A feature that implements APIs that support the use of pen flicks and handwriting recognition in applications.

Internet Printing Client: A client technology that enables users to send print jobs to remote web server-based printers, using an Internet connection.

IP Address Management (IPAM) Server: A feature that provides a unified framework for IP address allocation and for infrastructure servers such as DHCP and DNS.

Internet Storage Name Service (iSNS): A technology that provides discovery services for clients accessing storage area networks running the Internet Small Computer System Interface (iSCSI), including registration, deregistration, and queries.

LPR (Line Printer Remote) Port Monitor: A feature that enables the computer to send print jobs to a UNIX computer with a compatible line printer daemon (LPD) implementation running on it.

Management OData IIS Extension: An infrastructure that provides a web-based service that exposes Windows PowerShell cmdlets.

Media Foundation: A platform that provides the infrastructure required for server applications to work with media files.

Message Queuing: A technology that provides a variety of messaging services enabling applications to communicate, even when they run on different operating systems, use different types of networks, run at different times, or are temporarily offline.

Multipath I/O (MPIO): A technology that provides multiple data paths to a single server storage device.

Network Load Balancing (NLB): A feature that distributes incoming client traffic evenly among servers running the same application, enabling you to scale the application up or down by adding or removing servers as needed.

Peer Name Resolution Protocol (PNRP): A name-resolution service that enables computers to register their peer names and associate them with their IPv6 addresses. Other computers on the network can then use the service to resolve a name into an address, enabling them to establish a connection to the named computer.

Quality Windows Audio Video Experience (qWave): A feature that provides flow control and traffic prioritization services for applications that stream audio and video content over a network.

RAS Connection Manager Administration Kit (CMAK): A tool kit that enables you to create customized service profiles for the Connection Manager client dialer application.

Remote Assistance: A feature that enables one user to provide technical support or training to another user at a remote computer by observing the remote user's desktop or by taking control of it.

Remote Differential Compression (RDC): A synchronization algorithm that enables applications to conserve network bandwidth by determining what parts of a file have changed and transmitting only the modifications over the network.

Remote Server Administration Tools: A tool kit that enables administrators to access management tools for remote computers running Windows Server 2012 or earlier versions of Windows Server.

RPC Over HTTP Proxy: A component that relays Remote Procedure Call (RPC) traffic inside Hypertext Transfer Protocol (HTTP) connections, so that RPC clients can reach services on the network through firewalls that permit only HTTP, without a VPN.

Simple TCP/IP Services: A service that implements the Character Generator, Daytime, Discard, Echo, and Quote of the Day services, as defined in the TCP/IP standards. These legacy diagnostic services answer any unauthenticated request and have no purpose on a production server; leave them uninstalled.

SMTP (Simple Mail Transfer Protocol) Server: A server that provides communication between e-mail servers, and between e-mail clients and servers.

SNMP Service: A service that installs support for the Simple Network Management Protocol (SNMP), which enables network management applications to communicate with the agents for managed devices on the network. The Windows SNMP Service implements SNMP versions 1 and 2c, which authenticate requests only with clear-text community strings, so restrict it to the addresses of known management stations.

Subsystem for UNIX-based Applications (Deprecated): A technology that enables the server to compile and run UNIX-based applications.

Telnet Client: A client that enables the computer to connect to a Telnet server and access a command-line administration interface.

Telnet Server: A server that enables remote users running Telnet clients to connect to the computer and access a command-line administration interface. Telnet transmits credentials and the entire session in clear text; Remote Desktop or Windows PowerShell remoting provide the same access with authentication and encryption.

TFTP (Trivial File Transfer Protocol) Client: A client that enables the computer to send files to and receive them from a TFTP server on the network, without needing authentication.

User Interfaces and Infrastructure: An infrastructure that provides the graphical interface that distinguishes a full GUI installation from Server Core.

Windows Biometric Framework: A framework that provides the software required to use fingerprint scanners for user authentication.

Windows Feedback Forwarder: A feature that enables the server to forward statistical information to Microsoft for development purposes.

Windows Identity Foundation 3.5: A set of .NET Framework classes for building claims-aware applications, superseded by the equivalent classes built into .NET Framework 4.5.

Windows Internal Database: A database that implements a relational data store that other server roles and features can use.

Windows PowerShell: A command-line shell and scripting language that provides improved administration and automation capabilities.

Windows Process Activation Service (WAS): An environment that generalizes the IIS process model by removing the dependency on HTTP, thus enabling WCF applications to use non-HTTP protocols. This feature is required to run the Web Server (IIS) role.

Windows Search Service: A service that enables client systems to perform fast file searches on servers.

Windows Server Backup: A feature that enables administrators to perform full or partial server backups at scheduled intervals.

Windows Server Migration Tools: A tool kit that provides role-specific tools for migrating data from earlier versions of Windows Server.

Windows Standards-based Storage Management: A feature that provides the server with access to storage devices conforming to the SMI-S standard.

Windows System Resource Manager (WSRM) (Deprecated): A feature that enables administrators to allocate specific amounts of CPU and memory resources to specific applications, services, or processes.

Windows TIFF Filter: A filter that enables the server to perform optical character recognition (OCR) scans of TIFF graphic files.

WinRM IIS Extension: A technology that enables the server to receive management requests from clients using web services.

WINS Server: A server that provides NetBIOS name registration and resolution services for down-level Windows clients.

Wireless LAN Service: A service that implements the Wireless LAN (WLAN) AutoConfig service, which detects and configures wireless network adapters, and manages wireless networking profiles and connections.

WoW64 Support: A feature that enables the server to run 32-bit applications on Server Core installations.

XPS Viewer: A viewer that enables users to read and digitally sign XPS documents.

To install roles and features in Windows Server 2012, you can use the Add Roles and Features Wizard in Server Manager, the ServerManagerCmd.exe tool at the command line (deprecated in favor of the PowerShell cmdlets), or the Install-WindowsFeature cmdlet in Windows PowerShell (Add-WindowsFeature, the name used in Windows Server 2008 R2, remains as an alias).

Some members of the Windows Server development team have stated that their ultimate goal is to create a server operating system with a default configuration that consists of nothing more than the tools needed to add roles and features. Windows Server 2012 is a major step toward this goal, in that you can remove a great deal of the infrastructure you do not need from the server's memory and hard disks.

TAKE NOTE: A service is a program that runs continuously in the background, typically providing server functions by listening for incoming requests from clients. Roles typically include a number of services, as do some features. After you install the roles or features that implement services, you can manage them as needed through Server Manager and command-line tools.

■ Using Server Manager

THE BOTTOM LINE
The Server Manager tool in Windows Server 2012 is a completely new application that is the first and most obvious evidence of a major paradigm shift in Windows Server administration.

In previous versions of Windows Server, an administrator wanting to install a role using graphical controls had to work at the server console by either physically sitting at the keyboard or connecting to it using Remote Desktop Services (formerly Terminal Services). By contrast, the Windows Server 2012 Server Manager can install roles and features to any server on the network that you have added to its server pool, and, through Windows PowerShell, even to multiple servers or groups of servers at once.

After you add multiple servers to the Server Manager interface, they are integrated into the Add Roles and Features Wizard, so you can deploy roles and features to any of your servers. This remote deployment runs over Windows Remote Management (WinRM), so the account you are using in Server Manager must be an administrator on each target server.

Adding Roles and Features

The Server Manager program in Windows Server 2012 combines what used to be separate wizards for adding roles and features into one, the Add Roles and Features Wizard.

To install roles and features using Server Manager, use the following procedure.

INSTALL ROLES AND FEATURES USING SERVER MANAGER

GET READY. Log on to the server running Windows Server 2012 using an account with administrative privileges. The Server Manager window appears.

1. From the Manage menu, select Add Roles and Features. The Add Roles and Features Wizard appears, displaying the Before you begin page.

2. Click Next. The Select Installation Type page appears, as shown in Figure 2-15.

Figure 2-15 The Select Installation Type page in the Add Roles and Features Wizard

MORE INFORMATION: The Remote Desktop Services installation radio button provides a separate procedure that enables you to perform a distributed installation of the various RDS role services to different servers on the network.

3. Leave the Role-based or feature-based installation radio button selected and click Next. The Select destination server page appears, as shown in Figure 2-16.

Figure 2-16 The Select destination server page in the Add Roles and Features Wizard

4. Select the server on which you want to install the roles and/or features. If the server pool contains a large number of servers, you can use the filter text box to display a subset of the pool based on a text string. After you select the server, click Next. The Select Server Roles page appears, as shown in Figure 2-17.

Figure 2-17 The Select Server Roles page in the Add Roles and Features Wizard

TAKE NOTE: Although you can use the Add Roles and Features Wizard to install components to any server you have added to Server Manager, you cannot use it to install components to multiple servers at once. You can, however, do this using Windows PowerShell.

5. Select the role or roles you want to install on the selected server. If the roles you select have other roles or features as dependencies, an Add features that are required dialog box appears, as shown in Figure 2-18.

Figure 2-18 The Add features that are required dialog box in the Add Roles and Features Wizard

TAKE NOTE: Unlike previous versions of Server Manager, the Windows Server 2012 version enables you to select all the roles and features for a particular server configuration at once, rather than make you run the wizard multiple times.

6. Click Add Features to accept the dependencies, and then click Next. The Select features page appears, as shown in Figure 2-19.

Figure 2-19 The Select features page in the Add Roles and Features Wizard

7. Select any features you want to install on the selected server and click Next. Dependencies also might appear for your feature selections.

8. The wizard displays pages specific to the roles and/or features you have chosen. Most roles have a Select role services page, as shown in Figure 2-20, on which you can select which elements of the role you want to install. Complete each of the role- or feature-specific pages and click Next. A Confirm installation selections page appears, as shown in Figure 2-21.

Figure 2-20 The Select role services page in the Add Roles and Features Wizard

Figure 2-21 The Confirm installation selections page in the Add Roles and Features Wizard

9. Select from the following optional functions, if desired:
• Restart the destination server automatically if required causes the server to restart automatically when the installation completes, if the selected roles and features require it.
• Export configuration settings creates an XML file documenting the selections made in the wizard, which you can use to install the same configuration on another server using Windows PowerShell.
• Specify an alternate source path specifies the location of an image file containing the software needed to install the selected roles and features. This is required when the feature's files have been removed from the server with Features on Demand.

USING WINDOWS POWERSHELL

To use an exported configuration file to install roles and features on another computer running Windows Server 2012, use the following command in a Windows PowerShell session with elevated privileges:

Install-WindowsFeature -ConfigurationFilePath <Path>

10. Click Install. The Installation progress page appears, as shown in Figure 2-22. Depending on the roles and features installed, the wizard might display hyperlinks to the tools needed to perform required post-installation tasks. When the installation is completed, click Close to terminate the wizard.

Figure 2-22 The Installation progress page in the Add Roles and Features Wizard

After you install roles on your servers, the roles appear as icons in the navigation pane. These icons actually represent role groups. Each role group contains all instances of that role found on any of your added servers. You can therefore administer the role across all servers on which you have installed it.

Deploying Roles to VHDs

In addition to installing roles and features to servers on the network, Server Manager also enables administrators to install them to virtual machines currently in an offline state.

In an enterprise virtualization strategy, administrators frequently maintain virtual machines (VMs) in an offline state. For example, you might have an offline web server VM stored on a backup host server, in case the computer hosting your main web server VMs should fail. Server Manager enables you to select a virtual hard disk (VHD) file and install or remove roles and features without having to start the VM.

To install roles and/or features to an of ine VHD le, use the following procedure.

I N S TAL L R OL ES AN D F EAT U R ES TO AN OF F L I N E VH D F I LE GET READ Y. Log on to the server running Windows Server 2012 using an account with administrativ e privileges. The Server Manager window appears.

1. From the Manage menu, select Add Roles and Features . The Add Roles and Features Wizard appears, displaying the Before you begin page.

2. Click Next . The Select Installation Type page appears.

3. Leave the Role-based or feature-based installation radio button selected and click Next . The Select Destination Server page appears.

4. Select the Select a virtual hard disk radio button.

5. A Virtual Hard Disk text box appears at the bottom of the page. In this text box, type in or browse to the location of the VHD le you want to modify.

6. In the Server Pool box, select the server that the wizard should use to mount the VHD file, as shown in Figure 2-23, and click Next. The Select Server Roles page appears.

Figure 2-23 The Select Destination Server page in the Add Roles and Features Wizard

TAKE NOTE* The wizard must mount the VHD file on the server you select, and look inside to determine which roles and features are already installed and which are available for installation. Mounting a VHD file makes it available only through the computer's file system; it is not the same as starting the virtual machine using the VHD.

CERTIFICATION READY Add and remove features in offline images. Objective 1.2

7. Select the role or roles you want to install on the selected server, adding the required dependencies, if necessary, and click Next. The Select features page appears.

8. Select any features you want to install in the selected server and click Next.

Dependencies also might appear for your feature sel ections.

9. The wizard then displays pages specific to the roles and/or features you have chosen, enabling you to select role services and configure other settings.

Complete each of the role- or feature-specific pages and click Next. A Confirmation page appears.

10. Click Install . The Installation progress page appears.

11. When the installation is completed, click Close to dismount the VHD and terminate the wizard.
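The same offline servicing can be done from Windows PowerShell. This is an added example, not part of the lesson's procedure; the VHD path, the mounting server and the role names are constructed values, and it assumes the ServerManager module's Get-WindowsFeature and Install-WindowsFeature cmdlets with their -Vhd parameter.

```powershell
# Added example (not from the lesson): install roles into an offline VHD from PowerShell,
# the same operation the Add Roles and Features Wizard performs in steps 4 to 11 above.
# Constructed values: the VHD path, the server that mounts it, and the roles to add.
$VhdPath   = '\\FILESERVER01\VMs\WebServer02.vhdx'   # share reachable from the mounting server
$MountHost = 'HYPERV01'                               # equivalent of the Server Pool choice in step 6
$Roles     = 'Web-Server', 'Web-Ftp-Server'           # names as listed by Get-WindowsFeature

# Step 6 equivalent: the cmdlet mounts the VHD on $MountHost and reads its component store,
# so you can see what is already present before changing the image.
$installed = Get-WindowsFeature -Vhd $VhdPath -ComputerName $MountHost |
             Where-Object { $_.Installed } |
             Select-Object -ExpandProperty Name
Write-Host "Already installed in $VhdPath :`n  $($installed -join "`n  ")"

# Only add what is missing; required dependencies are pulled in automatically,
# just as the wizard adds them in step 7.
$toAdd = $Roles | Where-Object { $_ -notin $installed }
if (-not $toAdd) {
    Write-Host 'Nothing to do: all requested roles are already in the image.'
    return
}

$result = Install-WindowsFeature -Name $toAdd -Vhd $VhdPath -ComputerName $MountHost

# The cmdlet dismounts the VHD when it finishes (the equivalent of step 11). Check the
# result object rather than assuming success; a failed offline install leaves the image as it was.
if (-not $result.Success) {
    throw "Offline install failed (exit code $($result.ExitCode))."
}
$result.FeatureResult | Format-Table DisplayName, Success, RestartNeeded -AutoSize
```

Because the VHD is never booted, a role that needs post-install configuration (such as a web site binding) still has to be completed the first time the VM starts.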

Configuring Services

Most Windows Server roles and many features include services, programs that run continuously in the background, typically waiting for a client process to send a request to them. Server Manager provides access to services running on servers all over the network.

When you first look at the Local Server homepage in Server Manager, one tile that you find there is the Services tile, as shown in Figure 2-24. This tile lists all the services installed on the server and specifies the operational status and their Start Types. When you right-click a service, the context menu provides controls that enable you to start, stop, restart, pause, and resume the service.

Figure 2-24 The Services tile in Server Manager

The Services tile in Server Manager is not unlike the traditional Services MMC snap-in found in previous versions of Windows Server. However, although you can start and stop a service in Server Manager, you cannot modify its Start Type, which specifies whether the service should start automatically with the operating system. For that, you must use the Services MMC snap-in.

Another difference of the Services tile in Windows Server 2012 Server Manager is that it appears in many locations throughout Server Manager, displaying a list of services for a different context in each location. This is a good example of the organizational principle of the new Server Manager. The same tools, repeated in many places, provide a consistent management interface to different sets of components.

CERTIFICATION READY Configure services. Objective 1.2

For example, when you select the All Servers icon in the navigational pane, you see first the Servers tile, as usual, containing all the servers you have added to the Server Manager console. When you select some or all servers and scroll down to the Services tile, you see the same display as before, except that it now contains all services for all the computers you selected.

This enables you to monitor the services on all servers at once. In the same way, when you select one of the role group icons, you can select from the servers running that role and the Services tile will contain only the services associated with that role for the servers you selected.
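The cross-server view just described can be scripted as well, and extended to the one change the tile cannot make, a service's Start Type. The following is an added example, not code from the lesson; the server names and the service baseline are constructed, and it assumes Windows PowerShell remoting (WinRM) is enabled on the target servers and that you are an administrator on each of them.

```powershell
# Added example (not from the lesson): check a service baseline on several servers at once
# and correct drift. Unlike the Services tile, this can also change a service's Start Type.
# Constructed values: the server names and the baseline. Assumes WinRM is enabled on the
# targets (the Windows Server 2012 default) and the caller is an administrator on each.
$Servers  = 'SERVER01', 'SERVER02'
$Baseline = @{
    'W32Time' = 'Automatic'   # time synchronization must run for Kerberos to work
    'Spooler' = 'Disabled'    # no print role on these servers, so keep the spooler off
}

$report = Invoke-Command -ComputerName $Servers -ArgumentList $Baseline -ScriptBlock {
    param([hashtable]$Baseline)

    # Windows Server 2012 ships PowerShell 3.0, whose Get-Service objects carry no StartType
    # property, so the configured start mode is read from WMI (Win32_Service.StartMode).
    $wmiMode = @{ 'Automatic' = 'Auto'; 'Manual' = 'Manual'; 'Disabled' = 'Disabled' }

    foreach ($name in $Baseline.Keys) {
        $want    = $Baseline[$name]
        $actions = @()
        $svc     = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"

        if (-not $svc) {
            $actions += 'service not installed'
        } else {
            if ($svc.StartMode -ne $wmiMode[$want]) {
                # Set-Service is the PowerShell equivalent of the Startup type setting
                # in the Services MMC snap-in.
                Set-Service -Name $name -StartupType $want
                $actions += "start type $($svc.StartMode) changed to $want"
            }
            if ($want -eq 'Disabled' -and $svc.State -eq 'Running') {
                Stop-Service -Name $name -Force
                $actions += 'stopped'
            } elseif ($want -eq 'Automatic' -and $svc.State -ne 'Running') {
                Start-Service -Name $name
                $actions += 'started'
            }
            if (-not $actions) { $actions += 'compliant' }
        }

        # One record per server and service; Invoke-Command adds PSComputerName itself.
        [pscustomobject]@{ Service = $name; Action = ($actions -join '; ') }
    }
}

$report | Sort-Object PSComputerName, Service |
    Format-Table PSComputerName, Service, Action -AutoSize
```

Run it first with the Set-, Stop- and Start-Service lines commented out to get a read-only drift report before enforcing anything.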

To manipulate other server configuration settings, you must use the Services MMC snap-in as mentioned earlier. However, you can launch that, and many other snap-ins, by using Server Manager.

After selecting a server from the Servers pane in any group homepage, click the Tools menu to display a list of the server-specific utilities and MMC snap-ins, including the Services snap-in, directed at the selected server.

USING WINDOWS POWERSHELL

You can manage services using Windows PowerShell by using the following cmdlets:

Get-Service lists the services installed on the system. Use this cmdlet to discover the names you should use to reference services in Windows PowerShell commands.

Start-Service starts a stopped service.

Stop-Service stops a running service.

Restart-Service stops and starts a running service.

Set-Service modifies a service's properties.

■ Delegating Server Administration

THE BOTTOM LINE As networks grow in size, so does the number of administrative tasks to perform regularly and the size of the IT staffs needed to perform them. Delegating administrative tasks to specific individuals is a natural part of enterprise server management, as is assigning those individuals the permissions they need—and only the permissions they need—to perform those tasks.

On smaller networks, with small IT staffs, it is common for task delegation to be informal, and for everyone in the IT department to have full access to the entire network. However, on larger networks, with larger IT staffs, this becomes increasingly impractical. For example, you might want the newly hired junior IT staffers to be able to create new user accounts, but you do not want them to be able to redesign your Active Directory tree or change the CEO's password.

Delegation, therefore, is the practice by which administrators grant other users a subset of the privileges that they themselves possess. As such, delegation is as much a matter of restricting permissions as it is of granting them. You want to provide individuals with the privileges they need, while protecting sensitive information and delicate infrastructure.

CERTIFICATION READY Delegate administration. Objective 1.2

X REF For information on delegating printer privileges, see "Configuring Printer Security" in Lesson 5, "Configuring Print and Document Services."

X REF For information on delegating administrative control via Active Directory, see "Using OUs to Delegate Active Directory Management Tasks" in Lesson 15, "Creating and Managing Active Directory Groups and Organizational Units."

SKILL SUMMARY

IN THIS LESSON, YOU LEARNED:

With the new Server Manager, you can fully manage Windows servers without ever having to interact directly with the server console, either physically or remotely.

Immediately after the operating system installation, you might have to perform some tasks that require direct access to the server console.

If you selected the Server Core option when installing Windows Server 2012, you can perform post-installation tasks from the command line.

In Windows Server 2012, the Properties tile in Server Manager provides the same functionality as the Initial Configuration Tasks window in previous versions.

In Windows Server 2012, you can convert a computer installed with the full GUI option to Server Core, and add the full GUI to a Server Core computer.

A new feature in Windows Server 2012, NIC teaming enables administrators to combine the bandwidth of multiple network interface adapters, providing increased performance and fault tolerance.

In addition to installing roles and features to servers on the network, Server Manager also enables administrators to install them to virtual machines currently in an offline state.

■ Knowledge Assessment

Multiple Choice

Select one or more correct answers for each of the following questions.

1. Which features must you remove from a full GUI installation of Windows Server 2012 to convert it to a Server Core installation? (Choose all that apply)

a. Windows Management Instrumentation

b. Graphical Management Tools and Infrastructure

c. Desktop Experience

d. Server Graphical Shell

2. Which of the following NIC teaming modes provides fault tolerance and bandwidth aggregation?

a. Hyper-V live migration

b. Switch Independent Mode

c. Switch Dependent Mode

d. Link Aggregation Control Protocol

3. Which of the following command-line tools do you use to join a computer to a domain?

a. Net.exe

b. Netsh.exe

c. Netdom.exe

d. Ipconfig.exe

4. Which of the following statements about Server Manager is not true?

a. Server Manager can deploy roles to multiple servers at the same time.

b. Server Manager can deploy roles to VHDs while they are offline.

c. Server Manager can install roles and features at the same time.

d. Server Manager can install roles and features to any Windows Server 2012 server on the network.

5. Which of the following operations can you not perform on a service using Server Manager? (Choose all that apply)

a. Stop a running service

b. Start a stopped service

c. Disable a service

d. Configure a service to start when the computer starts

6. Name the two methods to assign a static IP address to a computer using Server Core.

a. Server Manager and the netdom.exe command

b. The netdom.exe command and the IPv4 Properties sheet

c. The IPv4 Properties sheet and the netsh.exe command

d. The netsh.exe command and Windows Management Instrumentation (WMI) access provided by Windows PowerShell

7. Before you can deploy roles to multiple remote servers, what must be done?

a. Perform an in-place upgrade to Windows Server 2012.

b. Ensure the remote servers are patched sufficiently.

c. Add the remote servers to the Server Manager interface.

d. Perform a full backup

8. What utility allows you to install components to multiple servers at once?

a. The Add Roles and Features Wizard only

b. Both Add Roles and Features Wizard and Windows PowerShell

c. Windows PowerShell only

d. The Minimal Server Interface

9. What method is available to install roles and features on another Windows Server 2012 computer using Windows PowerShell?

a. Use the Install-WindowsFeature command and an exported configuration file

b. Use the Install-WindowsRole command and an exported configuration file

c. Use Server Manager and the proper tile

d. It is not possible using Windows PowerShell

10. What is the key principle to delegating server administrative tasks?

a. Granting individuals the tasks they feel most comfortable doing

b. Granting individuals only the permissions needed to do the delegated job

c. Assign the delegated tasks to the person most likely to benefit

d. Assigning enough permissions to do the delegated tasks as well as anticipated tasks

Best Answer

Choose the letter that corresponds to the best answer. More than one answer choice may achieve the goal. Select the BEST answer.

1. On a Windows Server 2012 server, you decide to change the interface. Select the best answer to convert a GUI server to Server Core.

a. Reinstall the operating system and select Server Core upon installation

b. Use Server Manager to start the Remove Roles and Features Wizard

c. Use Server Manager to deselect the Server Graphical Shell option

d. There is no option to downgrade from GUI to Server Core

2. Windows Server 2012 provides hardware-independent NIC teaming or bonding to enable better network performance and adapter fault-tolerance. However, in what scenario is the NIC teaming limited?

a. During a Hyper-V live migration

b. When network adapters connect to different switches

c. When network traffic consists of large TCP sequences

d. For multiple network adapters to function as one interface

3. As an administrator of a Windows Server 2012 network, you want to add a role to a few servers on the network. What is your best available option?

a. Install a role at the target server's console

b. Use Server Manager on the nearest Windows Server 2012

c. Connect to the target server using Remote Desktop Services

d. Using PowerShell, install the desired role to all target servers at once

4. What is the advantage of deploying roles to a virtual hard disk (VHD) file?

a. Administrators can use Server Manager to modify VHD files

b. An administrator can modify server roles to offline virtual machines (VMs) without starting the VM

c. An administrator can modify server roles to offline VMs without connecting the VM to the network

d. VHD files require fewer resources (for example, hard drive space)

5. What is the key benefit behind delegating server administration?

a. In larger networks, delegation uses permissions to restrict access

b. In smaller networks, delegation provides formalized synergy

c. In larger networks, delegation improves prioritization of tasks

d. In smaller networks, delegation creates employment opportunities

Build a List

1. You have finished a new installation. Order the steps to rename the computer and join it to a domain using the command prompt.

a. Type netdom join %ComputerName% /domain: /userd: /passwordd:*

b. Restart the computer by typing shutdown /r

c. Ensure DHCP has already configured the computer's TCP/IP client

d. Type netdom renamecomputer %ComputerName% /NewName:

2. Order the steps to install a role or feature using Server Manager.

a. Select the destination server

b. Choose the Select Installation Type (Role-based or Feature-based installation selected)

c. Add required features or services the needed service depends upon

d. Log on with administrative privileges and start Server Manager

e. Select the server role

f. From the Manage menu, select Add Roles and Features

3. Order the steps to install a role or feature to an offline VHD file.

a. From the Manage menu, select Add Roles and Features

b. Choose the Select Installation Type (Role-based or Feature-based installation selected)

c. Log on with administrative privileges and start Server Manager

d. For Destination server, select Virtual Hard Disk

e. Close the wizard to dismount the VHD

f. Type in or browse to the location of the VHD file you want to modify

g. Select the role and required features

■ Business Case Scenarios

Scenario 2-1: Installing Roles with a Batch File

Mark Lee is an IT technician whose supervisor has assigned the task of configuring 20 new servers, which Mark is to ship to the company's branch offices around the country. He must configure each server to function as a file server with support for DFS and UNIX clients, a print server with support for Internet and UNIX printing, a fax server, and a secured, intranet Web/FTP server for domain users. Write a Windows PowerShell script that Mark can use to install all of the required software elements on a server.

Scenario 2-2: Deploying Roles to VHDs

You maintain several virtual machines (VMs) in an offline state. How do you proceed to add a particular role to one of those VMs?

LESSON 3 Configuring Local Storage

70-410 EXAM OBJECTIVE

Objective 1.3 – Configure local storage. This objective may include but is not limited to: Design storage spaces; configure basic and dynamic disks; configure MBR and GPT disks; manage volumes; create and mount virtual hard disks (VHDs); configure storage pools and disk pools.

LESSON HEADING (EXAM OBJECTIVE)
Planning Server Storage
Determining the Number of Servers Needed
Estimating Storage Requirements
Selecting a Storage Technology
Planning for Storage Fault Tolerance
Using Storage Spaces (Design storage spaces)
Understanding Windows Disk Settings
Selecting a Partition Style (Configure MBR and GPT disks)
Understanding Disk Types (Configure basic and dynamic disks)
Understanding Volume Types
Choosing a Volume Size
Understanding File Systems
Working with Disks
Adding a New Physical Disk
Creating and Mounting VHDs (Create and mount virtual hard disks (VHDs))
Creating a Storage Pool (Configure storage pools and disk pools)
Creating Virtual Disks
Creating a Simple Volume
Creating a Striped, Spanned, Mirrored, or RAID-5 Volume
Extending and Shrinking Volumes and Disks (Manage volumes)

60 | Lesson 3

KEY TERMS
basic disk, direct-attached storage, disk duplexing, disk mirroring, DiskPart.exe, dynamic disk, external drive array, GUID Partition Table (GPT), Just a Bunch of Disks (JBOD), Master Boot Record (MBR), Network attached storage (NAS), parity, partition style, Redundant Array of Independent Disks (RAID), ReFS, storage area network (SAN), storage pool, Storage Spaces, virtual disks, Virtual Hard Disk (VHD)

■ Planning Server Storage

THE BOTTOM LINE A Windows server can conceivably perform its tasks using the same type of storage as a workstation—that is, one or more standard hard disks connected to a standard drive interface such as Serial ATA (SATA). However, a server's I/O burdens vary quite differently from those of a workstation, and file requests from dozens or hundreds of users can easily overwhelm a standard storage subsystem. Also, standard hard disks offer no fault tolerance and their scalability is limited.

A variety of storage technologies are better suited for server use. The process of designing a storage solution for a server depends on several factors, including the following:

The amount of storage the server needs

The number of users that will be accessing the server at the same time

The sensitivity of the data to be stored on the server

The importance of the data to the organization

The following sections examine these factors and the technologies you can choose when creating a plan for your network storage solutions.

Determining the Number of Servers Needed

When is one big file server preferable to several smaller ones?

One of the most frequently asked questions when planning a server deployment is whether using one big server or several smaller ones is better. In the past, you might have considered the advantages and disadvantages of using one server to perform several roles versus distributing the roles among several smaller servers. Today, however, the emphasis is on virtualization, which means that although you might have many virtual machines running different roles, they could all be running on a single large physical server.

If you are considering large physical servers or your organization's storage requirements are extremely large, you must also consider the inherent storage limitations of Windows Server 2012, as listed in Table 3-1.

The number of sites your enterprise network encompasses and the technologies you use to provide network communication between those sites can also affect your plans. If, for example, your organization has branch offices scattered around the world and uses relatively expensive wide area networking (WAN) links to connect them, installing a server at each location would probably be more economical than having all your users access a single server via WAN links.

Within each site, the number of servers you need can depend on how often your users work with the same resources and how much fault tolerance and high availability you want to build into the system. For example, if each department in your organization typically works with its own applications and documents and rarely needs access to those of other departments, deploying individual servers to each department might be preferable. If everyone in your organization works with the same set of resources, centralized servers might be a better choice.

Table 3-1 Windows Server 2012 Storage Limitations

Attribute: Limit based on the on-disk format

Maximum size of a single file: 2^64 - 1 bytes

Maximum size of a single volume: Format supports 2^78 bytes with 16 KB cluster size. Windows stack addressing allows 2^64 bytes

Maximum number of files in a directory: 2^64

Maximum number of directories in a volume: 2^64

Maximum filename length: 32K Unicode characters

Maximum path length: 32K

Maximum size of any storage pool: 4 petabytes

Maximum number of storage pools in a system: No limit

Maximum number of spaces in a storage pool: No limit

Estimating Storage Requirements

The amount of storage space you need in a server depends on various factors, not just the initial requirements of your applications and users.

For an application server, start by allocating the amount of space needed for the application files themselves, plus any other space the application needs, as recommended by the developer.

If users will store documents on the server, allocate a specific amount of space for each user the server will support. Then, factor in the potential growth of your organization and your network, both in terms of additional users and additional space required by each user, and of the application itself, in terms of data files and updates.

In addition to the space allocated to applications and individual users, you must also consider the storage requirements for the following server elements:

Operating system: The size of the operating system installation depends on the roles and features you choose to install. A typical Windows Server 2012 installation with the File Services role needs just over 10 GB, but the system requirements recommend 40 GB.

Paging file: The traditional formula for the size of the paging file—pagefile.sys—on a computer running Windows is 1½ times the amount of memory installed on the computer. However, this formula has now come into question, due to the large amounts of memory in some servers and the increasing use of Hyper-V. Virtual machines require physical, not virtual, memory, so you do not need to count the memory allotted to your VMs when calculating your paging file size.

Memory dump: When Windows Server 2012 experiences a serious malfunction, it offers to dump the contents of the system memory to a file, which technicians can use for diagnostic purposes. The maximum size for a memory dump file is the amount of memory installed in the computer plus 1 MB. However, blue screens are relatively rare on Windows servers these days, and unless you are troubleshooting a chronic problem with the aid of a technician who can make use of a memory dump, you probably do not need to reserve space for this purpose.

Log files: Be sure to consider any applications that maintain their own logs, in addition to the operating system logs. You can configure the maximum log size for Windows event logs and for most application logs, and add those values to calculate the total log space required.

Shadow copies: The Windows Server 2012 shadow copies feature automatically retains copies of files on a server volume in multiple versions from specific points in time. Shadow copies can use up to 10% of a volume, by default. However, Microsoft recommends enlarging this value for volumes containing frequently modified files.

Fault tolerance: Fault-tolerance technologies, such as disk mirroring and disk parity, can profoundly affect disk consumption. Mirroring disks cuts the effective storage size in half, and parity can reduce it by as much as one third.

Selecting a Storage Technology

Planning for server storage encompasses both hardware and software elements. You must decide how much storage space you need, as well as how much and what type of fault tolerance, and then select appropriate hardware to implement your decisions.

The following sections examine some of the storage technologies you can choose from when designing a server storage subsystem.

SELECTING A PHYSICAL DISK TECHNOLOGY

Most computers, including servers, use direct-attached storage—that is, the hard drives are located inside the computer case. For servers that require more storage space than a standard computer case can hold, or that have special availability requirements, a variety of external storage hardware options are available.

Of the many specifications that hard disk manufacturers provide for their products, the best gauge of the drive's performance is the rotational speed of the spindle that holds the platters.

Typical desktop workstation hard drives have rotational speeds of 7,200 revolutions per minute (rpm). For a server, consider 10,000 as the minimum acceptable speed; many higher- end server drives run at 15,000 rpm, which is preferable but costly.

Just as important as the speed and capacity of the hard disks you select is the interface the disks use to connect to the computer. A server on an enterprise network often has to handle large numbers of disk I/O requests simultaneously, far more than a workstation drive with a single user ever would. For that reason, an interface that might be more than sufficient for a workstation, such as the ATA (Advanced Technology Attachment) interface that most workstation drives use, would perform poorly under a file server load.

ATA devices are limited to a maximum transmission speed of 133 MB/sec, which is relatively slow by server standards. The other big problem with ATA devices is that the cable can handle only a single command at any one time. If you have two drives connected to an ATA cable, a command sent to the first drive has to complete before the system can send a command to the second drive. For a server that must handle requests from many simultaneous users, this arrangement is inherently inefficient.

TAKE NOTE* Hard drives using the ATA interface are commonly referred to as Integrated Drive Electronics (IDE) or Enhanced IDE (EIDE) drives.

The newer Serial ATA (SATA) standards increase the maximum transmission speed to 600 MB/sec and address the ATA unitasking problem with a technology called Native Command Queuing (NCQ). NCQ enables a drive to optimize the order in which it processes commands, to minimize drive seek times. However, SATA supports only a single drive per channel and uses NCQ only when the computer has a motherboard and chipset that supports the Advanced Host Controller Interface (AHCI) standard. Computers that do not comply with this standard run the drives in "IDE emulation" mode, which disables their NCQ and hot-plugging capabilities. While SATA drives are more efficient than ATA and can be a viable solution for relatively low-volume servers, they are not suitable for large enterprise servers.

Small Computer System Interface (SCSI) is the traditional storage interface for enterprise servers. SCSI offers transmission rates up to 640 MB/sec, support for up to 16 devices on a single bus, and the capability to queue commands on each device. This enables multiple drives connected to one SCSI host adapter to process commands simultaneously and independently, which is an ideal environment for a high-volume server.

Many different SCSI standards exist, with different bus types, transmission speeds, and cable configurations. Most implementations available today use serial attached SCSI (SAS), which, like SATA, is a version of the original parallel standard adapted to use serial communications.

SAS and SCSI hard drives are usually quite a bit more expensive than those using any of the other disk interfaces, even though the disk assemblies are virtually identical; only the electronics providing the interface are different. However, for most administrators of large enterprise networks, the enhanced performance of SAS and SCSI drives in a high-traffic environment is worth the added expense.

USING EXTERNAL DRIVE ARRAYS

High-capacity servers often store hard drives in a separate housing, called an external drive array, which typically incorporates a disk controller, power supply, cooling fans, and cache memory into an independent unit. Drive arrays can connect to a computer via a disk interface, such as SCSI (Small Computer System Interface), IEEE 1394 (FireWire), external SATA (eSATA), or Universal Serial Bus (USB); or via a network interface, such as iSCSI or Fibre Channel.

Drive arrays enable a server to host more physical hard drives than a normal computer case can hold, and often include additional fault-tolerance features, such as hot-swappable drives, redundant power supplies, and hardware-based RAID. Obviously, the more features the array has, and the more drives it can hold, the higher the cost. Large arrays intended for enterprise networks can easily cost tens of thousands of dollars.

TAKE NOTE* With the introduction of the Serial ATA interface, the original ATA interface has been retroactively named Parallel ATA (PATA), in reference to the way in which these devices transmit data over 16 connections simultaneously.

Drive arrays typically operate in one of the following configurations:

Storage area network (SAN): This is a separate network dedicated solely to storage devices, such as drive arrays, magnetic tape autochangers, and optical jukeboxes (see Figure 3-1). SANs use a high-speed networking technology, such as iSCSI or Fibre Channel, to enable them to transmit large amounts of data very quickly. Therefore, a server connected to a SAN will have two separate network interfaces: one to the SAN and one to the standard local area network (LAN). A SAN provides block-based storage services to the computers connected to it, just as though the storage devices were installed inside the computer. The storage hardware on a SAN might provide additional capabilities, such as RAID, but the computer implements the file system used to store and protect data on the SAN devices.

Network attached storage (NAS): A NAS drive array varies from a SAN array primarily in its software. NAS devices are essentially dedicated file servers that provide file-based storage services directly to clients on the network. A NAS array connects to a standard LAN, using traditional Ethernet hardware (see Figure 3-2), and does not require a separate computer to implement the file system or function as a file server. In addition to the storage subsystem, the NAS device has its own processor and memory hardware, and runs its own operating system with a web interface for administrative access. The operating system is typically a stripped-down version of UNIX or Linux designed to provide only data storage, data access, and management functions. Most NAS devices support both the Server Message Block (SMB) protocol used by Windows clients and the Network File System (NFS) protocol used by most UNIX and Linux distributions.

Figure 3-1 A SAN is a separate network dedicated to file servers and external storage devices

Figure 3-2 A NAS device connects directly to the LAN and functions as a self-contained file server

Just a Bunch of Disks (JBOD): SAN and NAS arrays typically can concatenate multiple disks into a single addressable resource. No matter how many physical drives are mounted in the array, the array appears to operating systems and applications as though it is one large disk. By contrast, a JBOD array is just a housing for the drives. Each disk appears to the operating system as a separate resource, as though it was physically installed in the computer.

SANs and NAS devices are both technologies designed to provide scalability and fault tolerance to network data storage systems. A SAN is more complicated and more expensive to implement, but it can provide excellent performance due to its use of a separate network medium and virtually unlimited storage capacity.

MORE INFORMATION Windows Server 2012 includes several SAN management features and tools, which are covered in Exam 70-412, "Configuring Advanced Windows Server 2012 Services."

Adding a NAS device to your network is a simple way to provide your users with additional storage and reduce the processing burden on your servers. Despite its almost plug-and-play convenience, however, NAS does have some significant drawbacks. Because the NAS array is a self-contained device with its own processing hardware and operating system, it has inherent limitations. NAS devices typically do not have upgradeable processors, memory, or network interfaces. If too many users or I/O requests overburden a NAS device, it can reach its performance limit, and you can do nothing except purchase another NAS device. By contrast, direct-attached storage and SANs both use standard computers to serve files, which you can upgrade in all the usual ways: by adding or replacing hardware, moving the drives to a more powerful computer, or adding another server to a cluster.

JBOD arrays are the simplest and therefore the least expensive of the three types. They are designed simply to provide a server with access to more hard disk drives than can fit in the computer case or be supported by the computer's power supply.

Planning for Storage Fault Tolerance

How valuable is your data, and how much are you willing to spend to protect it from disaster?

Depending on the nature of your organization, fault tolerance for your servers might be a convenience or an absolute requirement. For some businesses, a server hard drive failure might mean a few hours of lost productivity. For an order-entry department, it could mean lost income. For a hospital records department, it could mean lost lives. Depending on where in this range your organization falls, you might consider using a fault-tolerance mechanism to make sure that your users always have access to their applications and data.

The essence of fault tolerance is immediate redundancy. If one copy of a file becomes unavailable due to a disk error or failure, another copy online can take its place almost immediately. Various fault-tolerance mechanisms provide this redundancy in different ways. Some create redundant blocks, redundant files, redundant volumes, redundant drives, and even redundant servers.

As with many computer technologies, fault tolerance is a tradeoff between performance and expense. The mechanisms that provide the most fault tolerance are usually the most expensive.

And it is up to you and your organization to decide the value of continuous access to your data.

The following sections discuss some of the most common fault-tolerance mechanisms used by and for servers. You can implement all these technologies in several ways, through Windows Server 2012 or by third-party products.

USING DISK MIRRORING

Disk mirroring, in which the computer writes the same data to identical volumes on two different disks, is one of the simplest forms of fault tolerance to implement and manage, but it is also one of the more expensive solutions. By mirroring volumes, you are essentially paying twice as much for your storage space. Little or no performance penalty is associated with mirroring volumes, as long as you use a hardware configuration that enables the two drives to write their data simultaneously. As discussed earlier in this lesson, SCSI, SAS, and SATA drives are suitable for disk mirroring, but parallel ATA drives are not, because two ATA drives on the same interface have to write their data sequentially, not simultaneously, thus slowing down the volume’s performance substantially.

A variation on disk mirroring, called disk duplexing, uses duplicate host adapters as well as duplicate hard drives. Installing the drives on separate host adapters adds an extra measure of fault tolerance, enabling users to continue working if either a drive or a host adapter fails. Duplexing also enables the computer to mirror ATA drives effectively, because each disk is connected to a separate host adapter.

USING RAID

Redundant Array of Independent Disks (RAID) is a group of technologies that uses multiple disk drives in various configurations to store data, providing increased performance or fault tolerance, or both. Table 3-2 lists the standard RAID configurations.

Table 3-2 RAID Levels

RAID 0: Stripe set without parity. Minimum number of disks required: 2. Implemented in Windows Server 2012 as a striped volume, RAID 0 provides no fault tolerance, but it does enhance performance, due to the parallel read/write operations that occur on all drives simultaneously. RAID 0 has no error-detection mechanism, so the failure of one disk causes the loss of all data on the volume.

RAID 1: Mirror set without parity. Minimum number of disks required: 2. Implemented in Windows Server 2012 as a mirrored volume, a RAID 1 array provides increased read performance, as well as fault tolerance. The array can continue to serve files as long as one disk remains operational.

RAID 3: Byte-level stripe set with dedicated parity. Minimum number of disks required: 3. Not implemented in Windows Server 2012, a RAID 3 array stripes data at the byte level across the disks, reserving one disk for parity information. A RAID 3 array can survive the loss of any one disk, but because every write to one of the data disks requires a write to the parity disk, the parity disk becomes a performance bottleneck.

RAID 4: Block-level stripe set with dedicated parity. Minimum number of disks required: 3. Not implemented in Windows Server 2012, RAID 4 is identical in structure to RAID 3, except that a RAID 4 array uses larger, block-level stripes, which improves performance on the data disks. The parity disk can still be a performance bottleneck, however.

RAID 5: Stripe set with distributed parity. Minimum number of disks required: 3. Implemented in Windows Server 2012, a RAID 5 volume stripes data and parity blocks across all disks, making sure that a block and its parity information are never stored on the same disk. Distributing the parity eliminates the performance bottleneck of the dedicated parity drive in RAID 3 and RAID 4, but the need to calculate the parity information still adds overhead to the system. A RAID 5 array can tolerate the loss of any one of its drives and rebuild the missing data when the drive is repaired or replaced.

RAID 6: Stripe set with dual distributed parity. Minimum number of disks required: 4. Not implemented in Windows Server 2012, RAID 6 uses the same structure as RAID 5, except that it stripes two copies of the parity information with the data. This enables the array to survive the failure of two drives. When a RAID 5 array suffers a drive failure, the array is vulnerable to data loss until the failed drive is replaced and the missing data rebuilt, which in the case of a large volume can take a long time. On the other hand, a RAID 6 array remains protected against data loss, even while one failed drive is rebuilding.

RAID arrays that use parity provide the same fault tolerance as mirrored disks in that the array can survive the failure of any one drive, but they leave more storage space for data. While mirrored disks provide only half of their total storage capacity for data, the data storage capacity of a RAID array that uses single parity is the size of the disks multiplied by the number of disks in the array, minus one. For example, a RAID 5 array that uses five 200 GB disks has a data storage capacity of 800 GB.

One drawback of the parity system, however, is that the process of recalculating lost bits can degrade the array’s performance temporarily. The process of reconstructing an entire drive also can be lengthy.

In addition to the RAID levels listed in Table 3-2 are hybrid RAID solutions, such as RAID 0+1, which is an array of striped drives mirrored on a duplicate array. Windows Server 2012 provides support for only RAID levels 0, 1, and 5 (although the operating system does not refer to RAID 0 and RAID 1 as such, calling them striping and mirroring, respectively). To implement these hybrid RAID solutions, or any standard RAID level other than 0, 1, or 5, you must install a third-party product.

Third-party products can implement RAID functions in software (as Windows Server 2012 does) or in hardware. Most third-party RAID implementations are hardware-based and can range from a host adapter card that you connect to your own drives to a complete array containing drives and a host adapter. Generally, hardware RAID implementations are more expensive than software implementations but provide better performance because a hardware RAID solution offloads the parity calculations and disk manipulation functions from the system processor to the RAID controller itself.

MORE INFORMATION: Understanding Parity

Parity is a mathematical algorithm that some disk storage technologies use to provide data redundancy in their disk write operations. To calculate the parity information for a drive array, the system takes the values for the same data bit at a specific location on each drive in the array and adds them together to determine whether the total is odd or even. The system then uses the resulting total to calculate a value for a parity bit corresponding to those data bits. The system then repeats the process for every bit location on the drives. If one drive is lost due to a hardware failure, the system can restore each lost data bit by calculating its value using the remaining data bits and the parity bit.
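The parity rule in this box, as an added PowerShell example that is not part of the book: it follows the book's convention (parity bit 0 records an odd total of the data bits, 1 an even total), reproduces the five-disk case the text walks through next, and generalizes it to whole stripes of bits. The disk contents are constructed sample data.

```powershell
# Added example, not from the book: single-parity calculation and rebuild for a
# disk array, using the book's convention that a parity bit of 0 records an odd
# total of the data bits at that position and 1 records an even total. Each disk
# is modelled as an array of bits (constructed data); bit $i on every disk is one stripe.

function Get-ParityDisk {
    param([Parameter(Mandatory = $true)][object[]]$DataDisks)
    $width  = $DataDisks[0].Count
    $parity = New-Object int[] $width
    for ($i = 0; $i -lt $width; $i++) {
        $total = 0
        foreach ($disk in $DataDisks) { $total += [int]$disk[$i] }
        $parity[$i] = if ($total % 2 -eq 1) { 0 } else { 1 }
    }
    return ,$parity
}

function Restore-DataDisk {
    # Rebuild one failed data disk from the surviving data disks plus the parity disk.
    param(
        [Parameter(Mandatory = $true)][object[]]$SurvivingDataDisks,
        [Parameter(Mandatory = $true)][int[]]$ParityDisk
    )
    $width    = $ParityDisk.Count
    $restored = New-Object int[] $width
    for ($i = 0; $i -lt $width; $i++) {
        $total = 0
        foreach ($disk in $SurvivingDataDisks) { $total += [int]$disk[$i] }
        # Parity 0 means the complete set of data bits was odd: if the survivors are
        # already odd the lost bit was 0, otherwise it was 1. Parity 1 (even) reverses that.
        $completeSetWasOdd = ($ParityDisk[$i] -eq 0)
        $survivorsAreOdd   = ($total % 2 -eq 1)
        $restored[$i] = if ($completeSetWasOdd -eq $survivorsAreOdd) { 0 } else { 1 }
    }
    return ,$restored
}

# Four constructed 8-bit data disks. Their first bits are 1, 1, 0, 1, the case the
# book walks through, so the parity disk's first bit comes out as 0.
$disks = @(
    [int[]](1, 0, 1, 1, 0, 0, 1, 0),
    [int[]](1, 1, 0, 0, 1, 0, 1, 1),
    [int[]](0, 1, 1, 0, 1, 1, 0, 0),
    [int[]](1, 0, 0, 1, 0, 1, 1, 0)
)
$parity = Get-ParityDisk -DataDisks $disks
"Parity disk : $($parity -join '')"

# Lose data disk 2 (index 1) and rebuild it from the other three plus parity.
# Losing the parity disk instead costs no data; it is simply recomputed with Get-ParityDisk.
$survivors = @($disks[0], $disks[2], $disks[3])
$rebuilt   = Restore-DataDisk -SurvivingDataDisks $survivors -ParityDisk $parity
"Original    : $($disks[1] -join '')"
"Rebuilt     : $($rebuilt -join '')"
"Match       : $(($rebuilt -join '') -eq ($disks[1] -join ''))"
```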

For example, in an array with five disks, suppose the first four disks have the values 1, 1, 0, and 1 for their first bit. The total of the four bits is 3, an odd number, so the system sets the first bit of the fifth disk, the parity disk, to 0, indicating an odd result for the total of the bits on the other four disks. Suppose then that one disk fails. If the parity disk fails, no actual data is lost, so data I/O can proceed normally. If one of the four data disks is lost, the total of the first bits in the remaining three disks will be either odd or even. If the total is even, because we know the parity bit is odd, the bit in the missing disk must have been a 1. If the total is odd, the bit in the missing disk must have been a 0. After the failed disk hardware is replaced, the disk controller can reconstruct the lost data.

Using Storage Spaces

Windows Server 2012 includes a new disk virtualization technology called Storage Spaces, which enables a server to concatenate storage space from individual physical disks and allocate that space to create virtual disks of any size supported by the hardware.

This type of virtualization is a feature often found in SAN and NAS technologies, which require a substantial investment in specialized hardware and administrative skill. Storage Spaces provides similar capabilities, using standard direct-attached disk drives or simple external JBOD arrays.

Storage Spaces uses unallocated disk space on server drives to create storage pools. A storage pool can span multiple drives invisibly, providing an accumulated storage resource that you can expand or reduce as needed by adding disks to or removing them from the pool. By using the space in the pool, you can create virtual disks of any size.

Once created, a virtual disk behaves much like a physical disk, except that the actual bits might be stored on any number of physical drives in the system. Virtual disks can also provide fault tolerance by using the physical disks in the storage pool to hold mirrored or parity data. Virtual disks can also be thinly provisioned, meaning that while you specify a maximum size for the disk, it starts out small and grows as you add data to it. You can therefore create a virtual disk with a maximum size that is larger than that of your storage space. For example, if you plan to allocate a maximum of 10 TB for your database files, you can create a thin 10 TB virtual disk, even if you only have a 2 TB storage pool. The application using the disk will function normally, gradually adding data until the storage pool is nearly consumed, at which point the system notifies you to add more space to the pool. You can then install more physical storage and add it to the pool, gradually expanding it until it can support the entire 10 TB required by the disk.

After creating a virtual disk, you can create volumes on it, just as you would on a physical disk. Server Manager provides the tools needed to create and manage storage pools and virtual disks, as well as the capability to create volumes and file system shares, with some limitations.

CERTIFICATION READY: Design storage spaces. Objective 1.3

■ Understanding Windows Disk Settings

THE BOTTOM LINE: When preparing a disk for use, Windows Server 2012 servers often require different settings than workstations.

When you install Windows Server 2012 on a computer, the setup program automatically performs all preparation tasks for the primary hard disk in the system. However, when you install additional hard disk drives on a server, or when you want to use different settings from the system defaults, you must perform the following tasks manually:

Select a partitioning style: Windows Server 2012 supports two hard disk partition styles: the master boot record (MBR) partition style and the GUID (globally unique identifier) partition table (GPT) partition style. You must choose one of these partition styles for a drive; you cannot use both.

Select a disk type: Windows Server 2012 supports two disk types: basic and dynamic. You cannot use both types on the same disk drive, but you can mix disk types in the same computer.

Divide the disk into partitions or volumes: Although many professionals use the terms partition and volume interchangeably, it is correct to refer to partitions on basic disks, and volumes on dynamic disks.

Format the partitions or volumes with a file system: Windows Server 2012 supports the NTFS file system, the FAT file system (including the FAT16, FAT32, and exFAT variants), and the new ReFS file system.

The following sections examine the options for each of these tasks.

CERTIFICATION READY: Configure MBR and GPT disks. Objective 1.3

Selecting a Partition Style

The term partition style refers to the method Windows operating systems use to organize partitions on the disk.

Servers running Windows Server 2012 can use either of the following hard disk partition styles:

Master Boot Record (MBR): The MBR partition style has been around since before Windows and is still a common partition style for x86-based and x64-based computers.

GUID Partition Table (GPT): GPT has existed since the late 1990s, but no x86 versions of Windows prior to Windows Server 2008 and Windows Vista support it. Today, most operating systems support GPT, including Windows Server 2012.

MBR uses a partition table to point to the locations of the partitions on the disk. The MBR disk partitioning style supports volumes up to 2 TB in size, and up to either four primary partitions or three primary partitions and one extended partition on a single drive.

GPT varies from MBR in that partitions, rather than hidden sectors, store data critical to platform operation. GPT-partitioned disks also use redundant primary and backup partition tables for improved integrity. Although GPT specifications permit an unlimited number of partitions, the Windows implementation restricts partitions to 128 per disk. The GPT disk partitioning style supports volumes up to 18 exabytes (1 exabyte = 1 billion gigabytes, or 2^60 bytes).

Unless the computer’s architecture provides support for an Extensible Firmware Interface (EFI)–based boot partition, it is not possible to boot from a GPT disk. If this is the case, the system drive must be an MBR disk, and you can use GPT only on separate non-bootable disks used for data storage.

Before Windows Server 2008 and Windows Vista, all x86-based Windows computers used only the MBR partition style. Computers based on the x64 platform could use either the MBR or GPT partition style, as long as the GPT disk was not the boot disk.

Now that hard drives larger than 2 TB are readily available, the selection of a partition style is more critical than ever. When you initialize a physical disk using the traditional Disk Management snap-in, MBR is the default partition style, as it always has been. You can also use the snap-in to convert a disk between MBR and GPT partition styles, although you can do so only on disks that do not have partitions or volumes created on them. When you use Server Manager to initialize a disk in Windows Server 2012, it uses the GPT partition style, whether the disk is physical or virtual. Server Manager has no controls supporting MBR, although it does display the partition style in the Disks tile.

Table 3-3 compares some of the characteristics of the MBR and GPT partition styles.

Table 3-3 MBR and GPT Partition Style Comparison

Master Boot Record (MBR): Supports up to four primary partitions or three primary partitions and one extended partition, with unlimited logical drives on the extended partition.
GUID Partition Table (GPT): Supports up to 128 primary partitions.

Master Boot Record (MBR): Supports volumes up to 2 terabytes.
GUID Partition Table (GPT): Supports volumes up to 18 exabytes.

Master Boot Record (MBR): Hidden (unpartitioned) sectors store data critical to platform operation.
GUID Partition Table (GPT): Partitions store data critical to platform operation.

Master Boot Record (MBR): Replication and cyclical redundancy checks (CRCs) are not features of MBR's partition table.
GUID Partition Table (GPT): Replication and CRC protection of the partition table provide increased reliability.

Understanding Disk Types

Most personal computers use basic disks because they are easiest to manage. Advanced volume types require the use of dynamic disks.

A basic disk using the MBR partition style uses primary partitions, extended partitions, and logical drives to organize data. A primary partition appears to the operating system as though it is a physically separate disk and can host an operating system, in which case it is known as the active partition.

During the operating system installation, the setup program creates a system partition and a boot partition. The system partition contains hardware-related files that the computer uses to start. The boot partition contains the operating system files, which are stored in the Windows file folder. In most cases, these two partitions are one and the same, the active primary partition that Windows uses when starting. The active partition tells the computer which system partition and operating system to use to start Windows.

When you work with basic MBR disks in Windows Server 2012, you can create three volumes that take the form of primary partitions. When you create the fourth volume, the system creates an extended partition, with a logical drive on it, of the size you specified. If the disk still has free space left, the system allocates it to the extended partition (see Figure 3-3), which you can use to create additional logical drives.

CERTIFICATION READY: Configure basic and dynamic disks. Objective 1.3

Figure 3-3 Primary and extended partitions on a basic disk using MBR

Table 3-4 compares some of the characteristics of primary and extended partitions.

Table 3-4 Primary and Extended Partition Comparison

Primary partitions: A primary partition functions as though it is a physically separate disk and can host an operating system.
Extended partitions: Extended partitions cannot host an operating system.

Primary partitions: You can mark a primary partition as an active partition but can have only one active partition per hard disk. The system BIOS looks to the active partition for the boot files it uses to start the operating system.
Extended partitions: You cannot mark an extended partition as an active partition.

Primary partitions: On a basic disk using MBR, you can create up to four primary partitions, or three primary partitions and one extended partition.
Extended partitions: A basic disk using MBR can contain only one extended partition, but unlimited logical drives.

Primary partitions: You format each primary partition and assign a unique drive letter.
Extended partitions: You do not format the extended partition itself, but the logical drives it contains. You assign a unique drive letter to each of the logical drives.

When you select the GPT partition style, the disk still appears as a basic disk, but you can create up to 128 volumes, each of which appears as a primary partition, as shown in Figure 3-4. GPT disks have no extended partitions or logical drives.

Figure 3-4 Primary partitions on a basic disk using GPT

The alternative to using a basic disk is to convert it to a dynamic disk. Converting a basic disk to a dynamic disk creates a single partition that occupies the entire disk. You can then create an unlimited number of volumes out of the space in that partition. Dynamic disks support several different types of volumes, as described in the next section.

Understanding Volume Types

A dynamic disk can contain an unlimited number of volumes that function much like primary partitions on a basic disk, but you cannot mark an existing dynamic disk as active.

When you create a volume on a dynamic disk using the Disk Management snap-in in Windows Server 2012, you choose from the following five volume types:

Simple volume: Consists of space from a single disk. After you create a simple volume, you can extend it to multiple disks to create a spanned or striped volume, as long as it is not a system volume or boot volume. You can also extend a simple volume into any adjacent unallocated space on the same disk or, with some limitations, shrink the volume by de-allocating any unused space in the volume.

Spanned volume: Consists of space from 2 to 32 physical disks, all of which must be dynamic disks. A spanned volume is essentially a method for combining the space from multiple dynamic disks into a single large volume. Windows Server 2012 writes to the spanned volume by filling all the space on the first disk and then fills each additional disk in turn. You can extend a spanned volume at any time by adding disk space.

Creating a spanned volume does not increase the disk’s read/write performance, nor does it provide fault tolerance. In fact, if a single physical disk in the spanned volume fails, all data in the entire volume is lost.

Striped volume: Consists of space from 2 to 32 physical disks, all of which must be dynamic disks. The difference between a striped volume and a spanned volume is that in a striped volume, the system writes data one stripe at a time to each successive disk in the volume. Striping provides improved performance because each disk drive in the array has time to seek the location of its next stripe while the other drives are writing. Striped volumes do not provide fault tolerance, however, and you cannot extend them after creation. If a single physical disk in the striped volume fails, all data in the entire volume is lost.

Mirrored volume: Consists of an identical amount of space on two physical disks, both of which must be dynamic disks. The system performs all read/write operations on both disks simultaneously, so they contain duplicate copies of all data stored on the volume.

If one of the disks fails, the other continues to provide access to the volume until the failed disk is repaired or replaced.

RAID-5 volume: Consists of space on three or more physical disks, all of which must be dynamic. The system stripes data and parity information across all disks so that if one physical disk fails, the missing data can be re-created using the parity information on the other disks. RAID-5 volumes provide improved read performance, because of the disk striping, but write performance suffers due to the need for parity calculations.

Choosing a Volume Size

Although Windows Server 2012 can support volumes larger than 1 exabyte in size (and 1 exabyte equals 1 million TB), this does not mean that you should create volumes that big, even if you have a server with that much storage. To facilitate the maintenance and administration processes, splitting your server’s storage into volumes of manageable size is usually preferable over creating a single, gigantic volume.

One common practice is to choose a volume size based on the capacity of your network backup solution. For example, if you perform network backups using tape drives with an 80 GB capacity, creating volumes that can fit onto a single tape can facilitate the backup process.

Creating smaller volumes also speeds up the restore process if you have to recover a volume from a tape or other backup medium.

Another factor is the amount of downtime your business can tolerate. If one of your volumes suffers a file system error, and you do not have a fault-tolerance mechanism in place to keep the system running, you might have to bring it down so that you can run a disk repair utility.

The larger the volume, the longer the repair process will take, and the longer your users will be without their files. For extremely large volumes, the repair process can take hours or even days.

Of course, erring in the other extreme is also possible. Splitting a 1 TB drive into 100 volumes of 10 GB, for example, would also be an administrative nightmare, in many different ways.

Understanding File Systems

To organize and store data or programs on a hard drive, you must install a file system, the underlying disk drive structure that enables you to store information on your computer. You install file systems by formatting a partition or volume on the hard disk.

In Windows Server 2012, five file system options are available: NTFS, FAT32, exFAT, FAT (also known as FAT16), and ReFS. NTFS and ReFS are the preferred file systems for a server; the main benefits are improved support for larger hard drives than FAT and better security in the form of encryption and permissions that restrict access by unauthorized users.

Because the FAT (File Allocation Table) file systems lack the security that NTFS provides, any user who gains access to your computer can read any file without restriction. FAT file systems also have disk size limitations: FAT32 cannot handle a partition greater than 32 GB, or a file greater than 4 GB. FAT cannot handle a hard disk greater than 4 GB, or a file greater than 2 GB. Because of these limitations, the only viable reason for using FAT16 or FAT32 is the need to dual boot the computer with a non-Windows operating system or a previous version of Windows that does not support NTFS, which is not a likely configuration for a server.

ReFS (Resilient File System) is a new file system debuting in Windows Server 2012 that offers practically unlimited file and directory sizes and increased resiliency that eliminates the need for error-checking tools, such as Chkdsk.exe. However, ReFS does not include support for NTFS features such as file compression, Encrypted File System (EFS), and disk quotas. ReFS disks also cannot be read by any operating systems older than Windows Server 2012 and Windows 8.

■ Working with Disks

THE BOTTOM LINE: Windows Server 2012 includes tools that enable you to manage disks graphically or from the command prompt.

All Windows Server 2012 installations include the File and Storage Services role, which causes Server Manager to display a submenu when you click the icon in the navigational pane (see Figure 3-5). This submenu provides access to homepages that enable you to manage volumes, disks, storage pools, shares, and iSCSI devices.

Figure 3-5 The File and Storage Services submenu in Server Manager

Server Manager is the only graphical tool that can manage storage pools and create virtual disks. It can also perform some—but not all—of the standard disk and volume management operations on physical disks. As with the other Server Manager homepages, the File and Storage Services pages also enable you to perform tasks on any servers you have added to the interface.

Disk Management is a Microsoft Management Console (MMC) snap-in that is the traditional tool for performing disk-related tasks, such as the following:

Initializing disks

Selecting a partition style

Converting basic disks to dynamic disks

Creating partitions and volumes

Extending, shrinking, and deleting volumes

Formatting partitions and volumes

Assigning and changing drive letters and paths

Examining and managing physical disk properties, such as disk quotas, folder sharing, and error checking

To access the Disk Management snap-in, you can open the Computer Management console in any of the following ways:

In Server Manager, in the Servers tile, right-click the server you want to manage and, from the context menu, select Computer Management.

From the Administrative Tools program group, select Computer Management.

Open the Run dialog box and execute the compmgmt.msc file.

You can also open the Disk Management snap-in directly by running Diskmgmt.exe and manage disks and volumes from the command line by using the DiskPart.exe utility.

Adding a New Physical Disk

When you add a new hard disk to a Windows Server 2012 computer, you must initialize the disk before you can access its storage.

To add a new secondary disk, shut down the computer and install or attach the new physical disk according to the manufacturer’s instructions. Server Manager displays a newly added physical disk in the Disks tile, as shown in Figure 3-6, with a status of Offline and an unknown partition style.

Figure 3-6 A new physical disk in Server Manager

To make the disk accessible, you must first bring it online by right-clicking it in the Disks tile and, from the context menu, selecting Bring Online. After you confirm your action and the disk status changes to Online, right-click it and select Initialize.

Unlike the Disk Management snap-in, Server Manager gives you no choice of the partition style for the disk. A Task progress window appears, as shown in Figure 3-7; when the process completes, you click Close, and the disk appears in the list with a partition style of GPT.

Figure 3-7 A Task progress window in Server Manager

To initialize a new physical disk and choose a partition style using the Disk Management snap-in, use the following procedure.

ADD A NEW PHYSICAL DISK

GET READY. Log on to Windows Server 2012, using an account with Administrator privileges. The Server Manager window appears.

1. Click Tools > Computer Management to display the Computer Management console.

2. Click Disk Management. The Disk Management snap-in appears, as shown in Figure 3-8.

Figure 3-8 The Disk Management snap-in

3. Right-click the disk box and, from the context menu, select Online. The disk status switches to Not Initialized.

4. Right-click the disk box and, from the context menu, select Initialize Disk. The Initialize Disk dialog box appears, as shown in Figure 3-9.

Figure 3-9 The Initialize Disk dialog box

5. In the Select disks box, verify that the check box for the new disk is selected.

6. For the Use the following partition style for the selected disks option, select either MBR (Master Boot Record) or GPT (GUID Partition Table) and click OK. The snap-in initializes the disk, causing its status to appear as Online, as shown in Figure 3-10.

Figure 3-10 The Disk Management snap-in, with a newly initialized disk

CLOSE the console containing the Disk Management snap-in.
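The partition-style choice from the Selecting a Partition Style section and the bring-online/initialize procedure above, as an added PowerShell example that is not part of the book, using the Storage module cmdlets that ship with Windows Server 2012. The firmware-type environment variable, the refusal to convert a disk that still has partitions, and the disk number in the usage comments are this example's assumptions.

```powershell
# Added example, not from the book: choosing a partition style from the limits the
# text gives (MBR tops out at 2 TB volumes; booting from GPT needs EFI firmware) and
# then initializing or converting a disk with the Windows Server 2012 Storage cmdlets.
# Assumes the $env:firmware_type variable ('UEFI' or 'Legacy') that Server 2012 sets.

function Select-PartitionStyle {
    param(
        [Parameter(Mandatory = $true)][uint64]$SizeBytes,
        [bool]$WillBootFromDisk = $false,
        [string]$FirmwareType = $env:firmware_type
    )
    if ($WillBootFromDisk -and $FirmwareType -ne 'UEFI') {
        # Legacy BIOS can only boot from an MBR disk, and MBR cannot address past 2 TB.
        if ($SizeBytes -gt 2TB) {
            throw "A boot disk of $([math]::Round($SizeBytes / 1TB, 2)) TB needs GPT, which this firmware cannot boot."
        }
        return 'MBR'
    }
    # Data disks and EFI boot disks get GPT, the style Server Manager always chooses.
    return 'GPT'
}

function Initialize-NewDataDisk {
    # Same sequence as Bring Online / Initialize in Server Manager, but with a chosen style.
    param(
        [Parameter(Mandatory = $true)][int]$DiskNumber,
        [ValidateSet('MBR', 'GPT')][string]$PartitionStyle = 'GPT'
    )
    $disk = Get-Disk -Number $DiskNumber
    if ($disk.PartitionStyle -ne 'RAW') {
        throw "Disk $DiskNumber is already initialized as $($disk.PartitionStyle); refusing to touch it."
    }
    if ($disk.IsOffline)  { Set-Disk -Number $DiskNumber -IsOffline $false }
    if ($disk.IsReadOnly) { Set-Disk -Number $DiskNumber -IsReadOnly $false }
    Initialize-Disk -Number $DiskNumber -PartitionStyle $PartitionStyle -PassThru
}

function Convert-DiskPartitionStyle {
    # Conversion is destructive and only works on a disk with no partitions or
    # volumes, so refuse unless the disk is empty (back up, then delete them first).
    param(
        [Parameter(Mandatory = $true)][int]$DiskNumber,
        [Parameter(Mandatory = $true)][ValidateSet('MBR', 'GPT')][string]$To
    )
    $partitions = @(Get-Partition -DiskNumber $DiskNumber -ErrorAction SilentlyContinue)
    if ($partitions.Count -gt 0) {
        throw "Disk $DiskNumber still holds $($partitions.Count) partition(s); conversion would destroy them."
    }
    Set-Disk -Number $DiskNumber -PartitionStyle $To
}

# The decision function on constructed sizes (safe to run anywhere):
Select-PartitionStyle -SizeBytes 3TB
Select-PartitionStyle -SizeBytes 500GB -WillBootFromDisk $true -FirmwareType 'Legacy'
Select-PartitionStyle -SizeBytes 3TB   -WillBootFromDisk $true -FirmwareType 'UEFI'

# On a real server (disk number 1 is a placeholder), let the disk's size drive the style:
# $size = (Get-Disk -Number 1).Size
# Initialize-NewDataDisk -DiskNumber 1 -PartitionStyle (Select-PartitionStyle -SizeBytes $size)
# Get-Disk | Format-Table Number, FriendlyName, PartitionStyle, IsBoot, @{n='SizeTB'; e={[math]::Round($_.Size / 1TB, 2)}}
```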

You can convert a disk from one partition style to another at any time by right-clicking the disk you need to convert and then, from the context menu, selecting Convert to GPT Disk or Convert to MBR Disk. However, be aware that converting the disk partition style is a destructive process. You can perform the conversion only on an unallocated disk, so if the disk you want to convert contains data, you must back it up and then delete all existing partitions or volumes before you begin the conversion.

Creating and Mounting VHDs

Hyper-V relies on the Virtual Hard Disk (VHD) format to store virtual disk data in files that can easily be transferred from one computer to another.

The Disk Management snap-in in Windows Server 2012 enables you to create VHD files and mount them on the computer. As soon as the VHDs are mounted, you can treat them just like physical disks and use them to store data. Dismounting a VHD packages the stored data in the file, so you can copy or move it as needed.

To create a VHD in Disk Management, use the following procedure.

CREATE A VHD

GET READY. Log on to Windows Server 2012, using an account with Administrator privileges. The Server Manager window appears.

1. Click Tools > Computer Management.

2. In the Computer Management console, click Disk Management. The Disk Management snap-in appears.

3. From the Action menu, select Create VHD. The Create and Attach Virtual Hard Disk dialog box appears, as shown in Figure 3-11.

CERTIFICATION READY: Create and mount virtual hard disks (VHDs). Objective 1.3

Figure 3-11 The Create and Attach Virtual Hard Disk dialog box

4. In the Location text box, specify the path and name for the file you want to create.

5. In the Virtual hard disk size text box, specify the maximum size of the disk you want to create.

6. Select one of the following virtual hard disk format options:

VHD: The original and more compatible format, which supports files up to 2,040 GB.

VHDX: A new version of the format that supports files up to 64 TB, but can be read only by computers running Windows Server 2012 and Windows 8.

7. Select one of the following virtual hard disk type options:

Fixed size allocates all disk space for the VHD file at once.

Dynamically expanding allocates disk space to the VHD file as you add data to the virtual hard disk.

8. Click OK. The system creates the VHD file and attaches it, so that it appears as a disk in the snap-in, as shown in Figure 3-12.

After you create and attach the VHD, it appears as an uninitialized disk in the Disk Management snap-in and in Server Manager. By using either tool, you can initialize the disk and create volumes on it, just as you would a physical disk. After storing data on the volumes, you can detach the VHD and move it to another location or mount it on a Hyper-V virtual machine.

Creating a Storage Pool

After you install your physical disks, you can concatenate their space into a storage pool, from which you can create virtual disks of any size.

To create a storage pool via Server Manager, use the following procedure.

CREATE A STORAGE POOL

GET READY. Log on to Windows Server 2012, using an account with Administrator privileges.

1. In the Server Manager window, click the File and Storage Services icon and, in the submenu that appears, click Storage Pools. The Storage Pools homepage appears, as shown in Figure 3-13.

CERTIFICATION READY: Configure storage pools and disk pools. Objective 1.3

Figure 3-12 A newly created and attached VHD

Figure 3-13 The Storage Pools homepage

2. In the Storage Pools tile, select the primordial space on the server where you want to create the pool and then, from the Tasks menu, select New Storage Pool. The New Storage Pool Wizard appears, displaying the Before you begin page.
3. Click Next. The Specify a storage pool name and subsystem page appears, as shown in Figure 3-14.

Figure 3-14 The Specify a storage pool name and subsystem page

4. In the Name text box, type the name you want to assign to the storage pool. Then, select the server on which you want to create the pool and click Next. The Select physical disks for the storage pool page appears, as shown in Figure 3-15.

Figure 3-15 The Select physical disks for the storage pool page

5. Select the check boxes for the disks you want to add to the pool and click Next. The Confirm selections page appears.

TAKE NOTE: The wizard displays only the disks eligible for addition to the pool. Disks that already have partitions or volumes on them do not appear.

6. Click Create. The wizard creates the new storage pool and the View results page appears, as shown in Figure 3-16.

Figure 3-16 The View results page

7. Click Close. The wizard closes, and the Storage Pools homepage lists the new pool, as shown in Figure 3-17.

CLOSE the Server Manager window.

After you create a storage pool, you can modify its capacity by adding or removing physical disks. The Tasks menu in the Physical Disks tile on the Storage Pools homepage contains the following options:

Add Physical Disk enables you to add a physical disk to the pool, as long as it is initialized and does not contain any volumes.

Evict Disk prepares a physical disk for removal from the storage pool by moving all data it contains to the other physical disks in the pool. This can cause the status of virtual disks using mirror or parity fault tolerance to revert to Warning, if the eviction causes the number of physical disks in the pool to fall below the minimum required.

Remove Disk removes the space provided by a physical disk from the storage pool. This option appears only if all data already has been evicted from the disk.

Figure 3-17 A new pool on the Storage Pools homepage

USING WINDOWS POWERSHELL

To create a new storage pool using Windows PowerShell, you use the New-StoragePool cmdlet with the following basic syntax:

New-StoragePool -FriendlyName <pool name> -StorageSubSystemFriendlyName <subsystem name> -PhysicalDisks <physical disks>

To obtain the correct designations for the storage subsystem and the physical disks, use the Get-StorageSubSystem and Get-PhysicalDisk cmdlets.

For example, the following command generates a list of all the physical disks in the system available for pooling and assigns it to the variable $disks:

$disks = (Get-PhysicalDisk -CanPool $true)

The next command then creates a new storage pool, passing the $disks variable to the -PhysicalDisks parameter. The results are shown in Figure 3-18.

New-StoragePool -FriendlyName Pool1 -StorageSubSystemFriendlyName "Storage Spaces on ServerC" -PhysicalDisks $disks

Figure 3-18 A new pool created using Windows PowerShell

Creating Virtual Disks

After you create a storage pool, you can use the space to create as many virtual disks as you need.
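The same workflow end to end in Windows PowerShell, as an added example that is not part of the textbook: it combines the New-StoragePool syntax above with the New-VirtualDisk cmdlet that the Windows PowerShell note later in this section describes, and then initializes and formats the resulting disk. The pool name, virtual disk name, size and volume label are hypothetical; the storage subsystem is looked up by the "Storage Spaces on ..." naming pattern used in the command above rather than typed in.

```powershell
# Added example (not from the textbook): build a Storage Spaces pool, create a
# virtual disk on it, and bring that disk online as an NTFS volume, with the
# eligibility checks the Server Manager wizards perform for you.
$poolName = 'Pool1'   # hypothetical
$vdName   = 'Data1'   # hypothetical

# 1. Eligible disks: the same filter the wizard applies. Only disks that carry
#    no partitions or volumes report CanPool = True.
$disks = Get-PhysicalDisk -CanPool $true
if (-not $disks) { throw 'No physical disks are eligible for pooling.' }
$count = @($disks).Count

# 2. Look the subsystem up instead of hard-coding "Storage Spaces on <server>",
#    so the script is not tied to one server name.
$subsystem = Get-StorageSubSystem |
    Where-Object { $_.FriendlyName -like 'Storage Spaces*' } |
    Select-Object -First 1

# 3. Create the pool from every eligible disk.
New-StoragePool -FriendlyName $poolName `
    -StorageSubSystemFriendlyName $subsystem.FriendlyName `
    -PhysicalDisks $disks | Out-Null

# 4. Choose the strongest resiliency the disk count allows: Parity needs three
#    physical disks, Mirror two, Simple one (and gives no fault tolerance).
#    Fault tolerance belongs at this layer, not in Disk Management volumes
#    built on top of the virtual disks.
$resiliency = if ($count -ge 3) { 'Parity' } elseif ($count -ge 2) { 'Mirror' } else { 'Simple' }

# Thin provisioning allocates pool space as data is written; the requested
# size may exceed what the pool can hold today.
$vd = New-VirtualDisk -FriendlyName $vdName -StoragePoolFriendlyName $poolName `
    -Size 50GB -ResiliencySettingName $resiliency -ProvisioningType Thin

# 5. The new virtual disk is nothing but unallocated space, like a new
#    physical disk: initialize it, create one partition, format it.
$volume = $vd | Get-Disk |
    Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -UseMaximumSize -AssignDriveLetter |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel $vdName -Confirm:$false

# 6. Verify the layout that was actually applied and the disk's health.
Get-VirtualDisk -FriendlyName $vdName |
    Select-Object FriendlyName, ResiliencySettingName, ProvisioningType, Size, HealthStatus
'Virtual disk {0} ({1}) mounted as {2}:' -f $vdName, $resiliency, $volume.DriveLetter
```

The resiliency choice is derived from the number of pooled disks so that the script never requests a Mirror or Parity layout the pool cannot satisfy; the final Get-VirtualDisk call is the check that the layout and HealthStatus are what was intended before any data is placed on the volume.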

To create a virtual disk using Server Manager, use the following procedure.

CREATE A VIRTUAL DISK

GET READY. Log on to Windows Server 2012, using an account with Administrator privileges.

1. In the Server Manager window, click the File and Storage Services icon and, in the submenu, click Storage Pools. The Storage Pools homepage appears.
2. Scroll down (if necessary) to expose the Virtual Disks tile and, from the Tasks menu, select New Virtual Disk. The New Virtual Disk Wizard appears, displaying the Before you begin page.
3. Click Next. The Select the server and storage pool page appears, as shown in Figure 3-19.

Figure 3-19 The Select the server and storage pool page

4. Select the pool in which you want to create a virtual disk and click Next. The Specify the virtual disk name page appears, as shown in Figure 3-20.

Figure 3-20 The Specify the virtual disk name page

5. In the Name text box, type a name for the virtual disk and click Next. The Select the storage layout page appears, as shown in Figure 3-21.

Figure 3-21 The Select the storage layout page

6. Select one of the following layout options and click Next:

Simple requires the pool to contain at least one physical disk and provides no fault tolerance. When more than one physical disk is available, the system stripes data across the disks.

Mirror requires the pool to contain at least two physical disks and provides fault tolerance by storing identical copies of every file. Two physical disks provide protection against a single disk failure; five physical disks provide protection against two disk failures.

Parity requires the pool to contain at least three physical disks and provides fault tolerance by striping parity information along with data.

TAKE NOTE: The fault tolerance built into Storage Spaces is provided at the disk level, not at the volume level, as in the Disk Management snap-in. Theoretically, you can use Disk Management to create mirrored or RAID-5 volumes out of virtual disks, but this would defeat the purpose of creating them because the virtual disks might very well be located on the same physical disk.

The Specify the provisioning type page appears, as shown in Figure 3-22.

Figure 3-22 The Specify the provisioning type page

7. Select one of the following provisioning options and click Next:

Thin: The system allocates space from the storage pool to the disk as needed, up to the maximum specified size.

Fixed: The system allocates the maximum specified amount of space to the disk immediately on creating it.

The Specify the size of the virtual disk page appears, as shown in Figure 3-23.

Figure 3-23 The Specify the size of the virtual disk page

8. In the Virtual disk size text box, specify the size of the disk you want to create and click Next. The Confirm Selections page appears.
9. Click Create. The View results page appears as the wizard creates the disk.
10. Click Close. The wizard closes and the Virtual Disks tile lists the new disk, as shown in Figure 3-24.

Figure 3-24 A new disk in the Virtual Disks tile in Server Manager

CLOSE the Server Manager window.

By default, the New Volume Wizard launches when you create a new virtual disk. At this point, the disk is a virtual equivalent to a newly installed physical disk. It contains nothing but unallocated space, and you must create at least one volume before you can store data on it.

USING WINDOWS POWERSHELL

To create a new virtual disk from the space on your storage pool using Windows PowerShell, you use the New-VirtualDisk cmdlet with the following basic syntax:

New-VirtualDisk -FriendlyName <name> -StoragePoolFriendlyName <pool name> -Size <size> [-ResiliencySettingName Simple|Mirror|Parity] [-ProvisioningType Thin|Fixed]

For example, to create a simple, thinly provisioned 50 GB virtual disk called Data1 from the previously created storage pool, use the following command:

New-VirtualDisk -FriendlyName Data1 -StoragePoolFriendlyName Pool1 -Size 50GB -ResiliencySettingName Simple -ProvisioningType Thin

To obtain the correct designations for the storage subsystem and the physical disks, use the Get-StorageSubSystem and Get-PhysicalDisk cmdlets.

Creating a Simple Volume

Technically speaking, you create partitions on basic disks and volumes on dynamic disks. This is not just an arbitrary change in nomenclature. Converting a basic disk to a dynamic disk actually creates one big partition, occupying all space on the disk. The volumes you create on the dynamic disk are logical divisions within that single partition.

Windows versions prior to 2008 use the correct terminology in the Disk Management snap-in. The menus enable you to create partitions on basic disks and volumes on dynamic disks.

Windows Server 2012 uses the term volume for both disk types, and enables you to create any of the available volume types, whether the disk is basic or dynamic. If the volume type you select is not supported on a basic disk, the wizard converts it to a dynamic disk as part of the volume creation process.

Despite the menus that refer to basic partitions as volumes, the traditional rules for basic disks remain in effect. The New Simple Volume menu option on a basic disk creates up to three primary partitions. When you create a fourth volume, the wizard actually creates an extended partition and a logical drive of the size you specify. If any space remains on the disk, you can create additional logical drives in the extended partition.

WARNING: When you use DiskPart.exe, a command-line utility included with Windows Server 2012, to manage basic disks, you can create four primary partitions, or three primary partitions and one extended partition. The DiskPart.exe utility contains a superset of the commands supported by the Disk Management snap-in. In other words, DiskPart can do everything Disk Management can do, and more. However, while the Disk Management snap-in prevents you from unintentionally performing actions that might result in data loss, DiskPart has no safeties, and thus does not prohibit you from performing such actions. For this reason, Microsoft recommends that only advanced users use DiskPart and that they use it with due caution.

To create a new simple volume on a basic or dynamic disk using the Disk Management snap-in, use the following procedure.

CREATE A NEW SIMPLE VOLUME

GET READY. Log on to Windows Server 2012, using an account with Administrator privileges.

1. In the Server Manager window, click Tools > Computer Management.
2. In the Computer Management console, click Disk Management.
3. In the Graphical View of the Disk Management snap-in, right-click an unallocated disk area on which you want to create a volume. From the context menu, select New Simple Volume. The New Simple Volume Wizard appears.
4. Click Next to dismiss the Welcome page. The Specify Volume Size page appears, as shown in Figure 3-25.

Figure 3-25 The Specify Volume Size page

5. Select the size for the new partition or volume, within the maximum and minimum limits stated on the page, using the Simple volume size in MB spin box, and then click Next. The Assign Drive Letter or Path page appears, as shown in Figure 3-26.

Figure 3-26 The Assign Drive Letter or Path page

6. Configure one of the following options:

Assign the following drive letter: If you select this option, click the associated drop-down list for a list of available drive letters and select the letter you want to assign to the drive.

Mount in the following empty NTFS folder: If you select this option, either key the path to an existing NTFS folder or click Browse to search for or create a new folder. The folder you specify will list the entire contents of the new drive.

Do not assign a drive letter or drive path: Select this option if you want to create the partition but are not yet ready to use it. When you do not assign a volume a drive letter or path, the drive is left unmounted and inaccessible. When you want to mount the drive for use, assign a drive letter or path to it.

MORE INFORMATION: Mounting drives to NTFS folders is a convenient way to add space to an existing drive or overcome the built-in system limitation of 26 drive letters. When you mount a volume to a folder, it becomes a logical part of the volume containing that folder. To users, the volume is just another folder in the directory tree. They are unaware that the files in that folder (and its subfolders) are actually stored on another volume.

7. Click Next. The Format Partition page appears, as shown in Figure 3-27.
8. Specify whether the wizard should format the volume and, if so, how. If you do not want to format the volume at this time, select the Do not format this volume option.

If you do want to format the volume, select the Format this volume with the following settings option, and then configure the following associated options:

File system: Select the desired file system. The options available depend on the size of the volume, and can include ReFS, NTFS, exFAT, FAT32, or FAT.

Allocation unit size: Specify the file system’s cluster size. The cluster size signifies the basic unit of bytes in which the system allocates disk space. The system calculates the default allocation unit size based on the size of the volume. You can override this value by clicking the associated drop-down list and then selecting one of the values. For example, if your client uses consistently small files, you may want to set the allocation unit size to a smaller cluster size.

Volume label: Specify a name for the partition or volume. The default name is New Volume, but you can change the name to anything you want.

Perform a quick format: When you select this option, Windows formats the disk without checking for errors. This is a faster method with which to format the drive, but Microsoft does not recommend it. When you check for errors, the system looks for and marks bad sectors on the disk so that your clients will not use those areas.

Enable file and folder compression: Selecting this option turns on folder compression for the disk. This option is available only for volumes being formatted with the NTFS file system.

9. Click Next. The Completing the New Simple Volume Wizard page appears.
10. Review the settings to confirm your options, and then click Finish. The wizard creates the volume according to your specifications.

CLOSE the console containing the Disk Management snap-in.
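The same simple volume created from Windows PowerShell, using the Mount in the following empty NTFS folder option and a full (non-quick) format, as an added example that is not from the textbook. The disk number, size, label and mount folder are hypothetical.

```powershell
# Added example (not from the textbook): create a simple volume on a disk and
# mount it in an empty NTFS folder instead of assigning a drive letter.
$diskNumber = 2                    # hypothetical: the disk with unallocated space
$mountPath  = 'D:\Mount\Projects'  # hypothetical: must be on an NTFS volume

# Initialize only if the disk is still RAW; a disk that already holds
# partitions is left exactly as it is.
$disk = Get-Disk -Number $diskNumber
if ($disk.PartitionStyle -eq 'RAW') {
    Initialize-Disk -Number $diskNumber -PartitionStyle GPT
}

# No -AssignDriveLetter: this is the "Do not assign a drive letter or drive
# path" state, unmounted and inaccessible until an access path is added.
$partition = New-Partition -DiskNumber $diskNumber -Size 20GB

# -Full is the opposite of "Perform a quick format": the volume is scanned
# for bad sectors, which are marked so they are never allocated to files.
$partition | Format-Volume -FileSystem NTFS -NewFileSystemLabel 'Projects' -Full -Confirm:$false | Out-Null

# The mount folder must exist and be empty, as the wizard requires.
if (-not (Test-Path -Path $mountPath)) {
    New-Item -ItemType Directory -Path $mountPath | Out-Null
} elseif (Get-ChildItem -Path $mountPath -Force | Select-Object -First 1) {
    throw "$mountPath is not empty; a volume can be mounted only in an empty NTFS folder."
}
Add-PartitionAccessPath -DiskNumber $diskNumber -PartitionNumber $partition.PartitionNumber -AccessPath $mountPath

# Verify: the folder now appears among the partition's access paths, and to
# users it is just another folder in the D: directory tree.
Get-Partition -DiskNumber $diskNumber -PartitionNumber $partition.PartitionNumber |
    Select-Object -ExpandProperty AccessPaths
```

Because the mount point is added after the format, a failure in the empty-folder check leaves a formatted but unmounted volume, which can be given a drive letter or path later with the same Add-PartitionAccessPath cmdlet.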

After you create a simple volume, you can use the Disk Management snap-in to modify its properties by extending or shrinking it, as described later in this lesson.

This procedure can create volumes on physical or virtual disks. You can also create simple volumes by using a similar wizard in Server Manager.

Figure 3-27 The Format Partition page

When you launch the New Volume Wizard in Server Manager, which you can do from the Volumes or Disks homepage, the options the wizard presents are virtually identical to those in the New Simple Volume Wizard in Disk Management.

The primary difference is that, like all Server Manager wizards, the New Volume Wizard includes a page that enables you to select the server and the disk on which you want to create the volume, as shown in Figure 3-28. You can therefore use this wizard to create volumes on any disk, on any of your servers.

Figure 3-28 The Select the server and disk page in the New Volume Wizard in Server Manager

Creating a Striped, Spanned, Mirrored, or RAID-5 Volume

The procedure for creating a striped, spanned, mirrored, or RAID-5 volume is almost the same as that for creating a simple volume, except that the Specify Volume Size page is replaced by the Select Disks page.

To create a striped, spanned, mirrored, or RAID-5 volume, use the following procedure.

CREATE A STRIPED, SPANNED, MIRRORED, OR RAID-5 VOLUME

GET READY. Log on to Windows Server 2012, using an account with Administrator privileges.

1. In the Server Manager window, click Tools > Computer Management.
2. In the Computer Management console, click Disk Management.
3. In the Disk Management snap-in, right-click an unallocated area on a disk and, from the context menu, select the command for the type of volume you want to create. A New Volume Wizard appears, named for your selected volume type.
4. Click Next to dismiss the Welcome page. The Select Disks page appears, as shown in Figure 3-29.
5. On the Select Disks page, select the disks you want to use for the new volume from the Available list box, and then click Add. The disks you chose are moved to the Selected list box, joining the original disk you selected when launching the wizard. For a striped, spanned, or mirrored volume, you must have at least two disks in the Selected list; for a RAID-5 volume, you must have at least three.
6. Specify the amount of space you want to use on each disk, using the Select the amount of space in MB spin box. Then click Next. The Assign Drive Letter or Path page appears.

If you are creating a spanned volume, you must click each disk in the Selected list and specify the amount of space to use on that disk. The default value for each disk is the size of the unallocated space on that disk.

If you are creating a striped, mirrored, or RAID-5 volume, you specify only one value, because such volumes require the same amount of space on each disk. The default value is the size of the unallocated space on the disk with the least amount of space free.

7. Specify whether you want to assign a drive letter or path, and then click Next. The Format Partition page appears.
8. Specify if or how you want to format the volume, and then click Next. The Completing the New Simple Volume Wizard page appears.
9. Review the settings to confirm your options, and then click Finish. If any of the disks you selected to create the volume are basic disks, a Disk Management message box appears, warning that the volume creation process will convert the basic disks to dynamic disks.
10. Click Yes. The wizard creates the volume according to your specifications.

CLOSE the Disk Management snap-in.

The commands that appear in a disk’s context menu depend on the number of disks installed in the computer and the presence of unallocated space on them. For example, at least two disks with unallocated space must be available to create a striped, spanned, or mirrored volume, and at least three disks must be available to create a RAID-5 volume.

Figure 3-29 The Select Disks page

X REF: See the “Create a New Simple Volume” procedure, in the preceding section, for more information about the options on the Assign Drive Letter or Path and Format Partition pages.

Extending and Shrinking Volumes and Disks

To extend or shrink a volume in the Disk Management snap-in, you simply right-click a volume and select Extend Volume or Shrink Volume from the context menu or from the Action menu.

The Disk Management snap-in extends existing volumes by expanding them into adjacent unallocated space on the same disk. When you extend a simple volume across multiple disks, the simple volume becomes a spanned volume. You cannot extend striped volumes.

In Server Manager, you can extend a simple volume using unallocated space on the same disk, but you cannot extend it to other disks to create a spanned volume.

To extend a volume on a basic disk, the system must meet the following requirements:

A volume of a basic disk must be either unformatted or formatted with the NTFS file system.

If you extend a volume that is actually a logical drive, the console first consumes the contiguous free space remaining in the extended partition. If you attempt to extend the logical drive beyond the confines of its extended partition, the extended partition expands to any unallocated space left on the disk.

You can extend logical drives, boot volumes, or system volumes only into contiguous space, and only if the hard disk can be upgraded to a dynamic disk. The operating system enables you to extend other types of basic volumes into noncontiguous space but prompts you to convert the basic disk to a dynamic disk.

To extend a volume on a dynamic disk, the system must meet these requirements:

When extending a simple volume, you can use only the available space on the same disk, if the volume is to remain simple.

You can extend a simple volume across additional disks if it is not a system volume or a boot volume. However, after you expand a simple volume to another disk, it is no longer a simple volume; it becomes a spanned volume.

You can extend a simple or spanned volume if it does not have a file system (a raw volume) or if you formatted it using the NTFS file system. (You cannot extend volumes using the FAT or FAT32 file systems.)

You cannot extend mirrored or RAID-5 volumes, although you can add a mirror to an existing simple volume.

When shrinking volumes, the Disk Management snap-in frees up space at the end of the volume, relocating the existing volume’s files, if necessary. The snap-in then converts that free space to new unallocated space on the disk. Server Manager cannot shrink volumes.

To shrink basic disk volumes and simple or spanned dynamic disk volumes, the system must meet the following requirements:

The existing volume must not be full and must contain the specified amount of available free space for shrinking.

The volume must not be a raw partition (one without a file system). Shrinking a raw partition that contains data might destroy the data.

You can shrink a volume only if you formatted it using the NTFS file system. (You cannot shrink volumes using the FAT or FAT32 file systems.)

You cannot shrink striped, mirrored, or RAID-5 volumes.

You should always defragment a volume before you attempt to shrink it.

TAKE NOTE: You must be a member of the Backup Operators or Administrators group to extend or shrink any volume.

CERTIFICATION READY: Manage volumes. Objective 1.3

Physical disks, obviously, cannot be extended, but virtual disks can. In Server Manager, you can right-click a virtual disk and select Extend Virtual Disk from the context menu to display the Extend Virtual Disk dialog box, as shown in Figure 3-30.

Figure 3-30 The Extend Virtual Disk dialog box

If you elected to use thin provisioning when you created the virtual disk, you can even extend its size beyond the storage pool’s current capacity. To actually store that much data on the disk, however, you must first expand the pool to provide enough space.
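The extend and shrink rules above, enforced in a Windows PowerShell function, as an added example that is not part of the textbook; it ends by extending a thinly provisioned virtual disk, as the Extend Virtual Disk dialog box does, and reporting the pool capacity next to the new size. The drive letter, virtual disk name, pool name and sizes are hypothetical.

```powershell
# Added example (not from the textbook): resize an NTFS volume within the
# limits the Disk Management snap-in enforces, then extend a Storage Spaces
# virtual disk.
function Resize-NtfsVolume {
    param(
        [Parameter(Mandatory = $true)][char]$DriveLetter,
        [Parameter(Mandatory = $true)][uint64]$NewSize
    )
    $volume    = Get-Volume    -DriveLetter $DriveLetter
    $partition = Get-Partition -DriveLetter $DriveLetter

    # Only NTFS (or raw) volumes can be extended or shrunk; FAT/FAT32 cannot.
    if ($volume.FileSystem -ne 'NTFS') {
        throw "Volume $DriveLetter is $($volume.FileSystem); only NTFS volumes can be resized."
    }

    # SizeMin is the smallest size the file layout allows (the shrink limit);
    # SizeMax is the current size plus adjacent unallocated space (the extend
    # limit). These are the bounds the snap-in shows in its dialog boxes.
    $limits = Get-PartitionSupportedSize -DriveLetter $DriveLetter
    if ($NewSize -lt $limits.SizeMin -or $NewSize -gt $limits.SizeMax) {
        throw ('Requested {0:N0} bytes is outside the supported range {1:N0} to {2:N0}.' -f
            $NewSize, $limits.SizeMin, $limits.SizeMax)
    }

    if ($NewSize -lt $partition.Size) {
        # Shrinking: defragment first, as the text recommends, so movable
        # files sit at the front and less has to be relocated.
        Optimize-Volume -DriveLetter $DriveLetter -Defrag
    }
    Resize-Partition -DriveLetter $DriveLetter -Size $NewSize
    Get-Partition -DriveLetter $DriveLetter | Select-Object DriveLetter, Size
}

# Grow E: by 10 GB; this throws rather than silently failing if no adjacent
# unallocated space exists. Pass a smaller size to shrink instead.
$current = (Get-Partition -DriveLetter 'E').Size   # hypothetical drive letter
Resize-NtfsVolume -DriveLetter 'E' -NewSize ($current + 10GB)

# A thinly provisioned virtual disk may be extended past the pool's present
# capacity, but data beyond that capacity cannot be written until the pool
# is expanded, so the two figures are shown side by side.
Resize-VirtualDisk -FriendlyName 'Data1' -Size 100GB   # hypothetical names
$pool = Get-StoragePool -FriendlyName 'Pool1'
'Pool capacity {0:N0} bytes; virtual disk Data1 is now {1:N0} bytes' -f `
    $pool.Size, (Get-VirtualDisk -FriendlyName 'Data1').Size
```

After Resize-VirtualDisk, the partition on the virtual disk is still its old size; the same Resize-NtfsVolume function, pointed at that volume's drive letter, extends it into the space the virtual disk gained.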

SKILL SUMMARY

IN THIS LESSON, YOU LEARNED:

Windows Server 2012 supports two hard disk partition types: MBR and GPT; two disk types: basic and dynamic; five volume types: simple, striped, spanned, mirrored, and RAID-5; and three file systems: ReFS, NTFS, and FAT.

The Disk Management snap-in can initialize, partition, and format disks on the local machine. Server Manager can perform many of the same tasks for servers all over the network.

A Windows server can conceivably perform its tasks using the same type of storage as a workstation. However, a server’s I/O burdens are quite different from those of a workstation, and file requests from dozens or hundreds of users can easily overwhelm a standard storage subsystem. Standard hard disks also offer no fault tolerance and are limited in their scalability.

Windows Server 2012 includes a new disk virtualization technology called Storage Spaces, which enables a server to concatenate storage space from individual physical disks and allocate it to create virtual disks of any size supported by the hardware.

All Windows Server 2012 installations include the File and Storage Services role, which causes Server Manager to display a submenu when you click the icon in the navigational pane. This submenu provides access to homepages that enable you to manage volumes, disks, storage pools, shares, and iSCSI devices.

The Disk Management snap-in in Windows Server 2012 enables you to create VHD files and mount them on the computer.

After you install your physical disks, you can concatenate their space into a storage pool, from which you can create virtual disks of any size. After you create a storage pool, you can use the space to create as many virtual disks as you need.

Knowledge Assessment

Multiple Choice

Select one or more correct answers for each of the following questions.

1. Which of the following statements are true of striped volumes?

a. Striped volumes provide enhanced performance over simple volumes.

b. Striped volumes provide greater fault tolerance than simple volumes.

c. You can extend striped volumes after creation.

d. If a single physical disk in the striped volume fails, all of the data in the entire volume is lost.

2. Which of the following are requirements for extending a volume on a dynamic disk?

a. If you want to extend a simple volume, you can use only the available space on the same disk, if the volume is to remain simple.

b. The volume must have a file system before you can extend a simple or spanned volume.

c. You can extend a simple or spanned volume if you formatted it using the FAT or FAT32 file systems.

d. You can extend a simple volume across additional disks if it is not a system volume or a boot volume.

3. Which of the following are not true in reference to converting a basic disk to a dynamic disk?

a. You cannot convert a basic disk to a dynamic disk if you need to dual boot the computer.

b. You cannot convert drives with volumes that use an allocation unit size greater than 512 bytes.

c. A boot partition or system partition on a basic disk cannot be extended into a striped or spanned volume, even if you convert the disk to a dynamic disk.

d. The conversion will fail if the hard drive does not have at least 1 MB of free space at the end of the disk.

4. Which of the following Windows Server 2012 features enables users to access files that they have accidentally overwritten?

a. Offline Files

b. parity-based RAID

c. Windows Installer 4.0

d. Volume Shadow Copies

5. Which of the following RAID levels yields the largest percentage of usable disk space?

a. RAID 0

b. RAID 1

c. RAID 5

d. RAID 6

6. To use Shadow Copies, you must enable the feature at which of the following levels?

a. the file level

b. the folder level

c. the volume level

7. Which of the following are not true about differences between network attached storage (NAS) devices and storage area network (SAN) devices?

a. NAS devices provide a file system implementation; SAN devices do not.

b. NAS devices must have their own processor and memory hardware; SAN devices do not require these components.

c. NAS devices require a specialized protocol, such as Fibre Channel or iSCSI; SAN devices use standard networking protocols.

d. NAS devices must run their own operating system and typically provide a web interface for administrative access; SAN devices do not have to have either one.

8. Which of the following volume types supported by Windows Server 2012 do not provide fault tolerance? (Choose all that apply)

a. Striped

b. Spanned

c. Mirrored

d. RAID-5

9. A JBOD drive array is an alternative to which of the following?

a. SAN

b. SCSI

c. RAID

d. iSCSI

Best Answer

Choose the letter that corresponds to the best answer. More than one answer choice may achieve the goal. Select the BEST answer.

1. In what scenario would an organization prefer centralized servers and storage to having individual servers and storage per department?

a. Each department typically works with its own applications and documents, rarely needing access to other departments.

b. Each department typically works with its own applications and documents, occasionally needing access to other departments.

c. Everyone in the organization works with his or her own individual resources.

d. Everyone in the organization works with the same set of resources.

2. Concerning storage solutions, select the disk configuration that offers the least expensive disk consumption.

a. Just a Bunch of Disks (JBOD)

b. Disk mirroring

c. RAID 5

d. RAID 3

3. Concerning storage solutions, select the disk configuration that offers the most protection in case of drive failure.

a. RAID 0

b. RAID 1

c. RAID 5

d. Large volume on a single drive

4. What is the next step after creating a virtual hard disk (VHD)?

a. Mounting it either through Server Manager or the Disk Management snap-in

b. Initializing the disk and creating volumes on it, just as you would a physical disk

c. Using the VHD (creation of the VHD file readies the disk for storage)

d. Mounting the VHD file to a Hyper-V virtual machine

5. What is a key advantage of Server Manager over the Disk Management snap-in?

a. The Server Manager now offers disk-related functions from the navigational pane.

b. Server Manager is more user-friendly.

c. The Disk Management snap-in enables you to create VHD files and mount them on the computer.

d. Server Manager can perform many of the same functions for servers all over the network.

Build a List

1. Order the steps to create and mount a VHD.

a. Select the virtual hard disk format option (VHD or VHDX).

b. Select one of the following VHD types (Fixed size or Dynamically expanding).

c. Click OK for the system to create and attach the VHD file. The VHD appears as a disk in the Disk Management snap-in.

d. Log on with administrative privileges and open Server Manager.

e. Click Tools > Computer Management.

f. Specify the Location path and name for the new VHD file, and then specify the maximum size of the disk.

g. Click Disk Management, and then click Create VHD from the Action menu.

2. Order the steps to create a virtual disk.

a. Log on with administrative privileges and open Server Manager.

b. In the Virtual Disks tile, select New Virtual Disk from the Tasks menu.

c. From their respective pages, select the pool in which you want to create a virtual disk and type a name for the virtual disk.

d. Click Files and Storage Services > Storage Pools.

e. From the Select the Storage Layout page, choose among Simple, Mirror, and Parity options.

f. From the Specify the Provisioning Type, choose among Thin and Fixed options.

g. Specify the virtual disk size, and then click Create to confirm.

3. Order the steps to create a storage pool. Not all steps will be used.

a. Confirm selection and close the wizard.

b. In the Storage Pools tile, select the primordial space on the server where you want to create the pool. From the Tasks menu, select New Storage Pool.

c. Log on with administrative privileges and open Server Manager.

d. In the New Storage Pool Wizard, specify a storage pool name and subsystem.

e. Click Files and Storage Services > Storage Pools.

f. Specify a name, server, and physical disks for the pool.

Business Case Scenario

Scenario 3-1: Planning Storage

On a new server running Windows Server 2012, Morris created a storage pool that consists of two physical drives holding 1 TB each. Then he created three simple virtual disks out of the space in the storage pool. Using the Disk Management snap-in, Morris then created a RAID-5 volume out of the three virtual disks.

With this in mind, answer the following questions:

1. In what way is Morris’s storage plan ineffectual at providing fault tolerance?

2. Why will adding a third disk to the storage pool fail to improve the fault tolerance of the storage plan?

3. How can Morris modify the storage plan to make it fault tolerant?

LESSON 4: Configuring File and Share Access

70-410 EXAM OBJECTIVE

Objective 2.1 – Configure file and share access. This objective may include but is not limited to: Create and configure shares; configure share permissions; configure offline files; configure NTFS permissions; configure access-based enumeration (ABE); configure Volume Shadow Copy Service (VSS); configure NTFS quotas.

LESSON HEADING / EXAM OBJECTIVE

Designing a File-Sharing Strategy
  Arranging Shares
  Controlling Access
  Mapping Drives
Creating Folder Shares – Create and configure shares; Configure access-based enumeration (ABE); Configure offline files
Assigning Permissions
  Understanding the Windows Permission Architecture
  Understanding Basic and Advanced Permissions
  Allowing and Denying Permissions
  Inheriting Permissions
  Understanding Effective Access
  Setting Share Permissions – Configure share permissions
  Understanding NTFS Authorization
  Assigning Basic NTFS Permissions – Configure NTFS permissions
  Assigning Advanced NTFS Permissions
  Understanding Resource Ownership
  Combining Share and NTFS Permissions
Configuring Volume Shadow Copies – Configure Volume Shadow Copy Service (VSS)
Configuring NTFS Quotas – Configure NTFS quotas

KEY TERMS

access control entries (ACEs), access control list (ACL), access-based enumeration (ABE), advanced permissions, authorization, basic permissions, effective access, NTFS quotas, Offline Files, security identifiers (SIDs), security principal

Why should the administrators of an enterprise network want users to store their files on shared server drives, rather than their local workstation drives? The answers to this question typically include the following:

• To enable users to collaborate on projects by sharing files
• To back up document files more easily
• To protect company information by controlling access to documents
• To reduce the number of shares needed on the network
• To prevent the need to share access to workstations
• To monitor users’ storage habits and regulate their disk-space consumption
• To insulate users from the sharing and permission assignment processes

Without these problems, file sharing would simply be a matter of creating a share on each user’s workstation and granting everyone full access to it. Because of these problems, however, this practice would lead to chaos in the form of lost files, corrupted workstations, and endless help calls from confused users.

Server-based file shares should provide users with a simplified data storage solution that they can use to store their files, share files with other users, and easily locate the files shared by their colleagues. Behind the scenes, and unbeknown to users, you can use server-based storage tools to protect everyone’s files, regulate access to sensitive data, and prevent users from abusing their storage privileges.

■ Designing a File-Sharing Strategy

THE BOTTOM LINE: Decide where users should store their files and who should be permitted to access them.

Arranging Shares

The first step in designing a file-sharing strategy is to decide how many shares to create and where to create them.

Simply installing a big hard drive in a server and giving everyone access to it would be as chaotic as sharing everyone’s workstation drives. Depending on your organization’s size, you might have one single file server or many servers scattered around the network. For many large organizations, departmental or workgroup file servers are viable solutions. Each user has his or her “local” server, the directory layout of which becomes familiar. If you have separate file servers for the various departments or workgroups in your organization, developing a consistent directory structure and duplicating it on all the servers is a good idea so that if users have to access a server in another department, they can find their way around.

A well-designed sharing strategy provides each user with three resources:

• A private storage space, such as a home folder, to which the user has exclusive access
• A public storage space, where users can store files that they want colleagues to be able to access
• Access to a shared workspace for communal and collaborative documents

One way to implement this strategy would be to create one share called Home, with a private folder for each user on it, and a second share called Public, again with a folder for each user. Depending on your network’s hardware configuration, you could create both shares on a separate server for each department or workgroup, split the shares and folders among multiple servers in each department, or even create one big file server containing all the shares for the entire company.

MORE INFORMATION: Even if you split the Home and Public shares among multiple servers, you can still make them appear as a single unified directory tree by using the Windows Server 2012 Distributed File System (DFS). See Objective 2.1, “Configure Distributed File System (DFS),” in Exam 70-411, “Administering Windows Server 2012.”

Controlling Access

On most enterprise networks, the principle of “least privileges” should apply. This principle states that users should have only the privileges they need to perform their required tasks, and no more.

A user’s private storage space should be exactly that: private and inaccessible, if not invisible, to other users. This is where each user can store his or her private files without exposing them to other users. Therefore, each user should have full privileges to his or her private storage, with the ability to create, delete, read, write, and modify files. Other users should have no privileges to that space at all.

TAKE NOTE: The easiest way to create private folders with the appropriate permissions for each user is to create a home folder through each Active Directory user object.

Each user should also have full privileges to his or her public folder. This is where users can share files informally. For example, when Ralph asks Alice for a copy of her budget spreadsheet, Alice can simply copy the file from her private folder to her public folder. Then, Ralph can copy the file from Alice’s public folder to his own private folder, and access it from there. Thus, public and private folders differ in that other users should be able to list the contents of all public folders and read the files stored there, but not be able to modify or delete files in any folder but their own. Users should also be able to navigate throughout the Public folder tree, so that they can read any user’s files and copy them to their own folders.

TAKE NOTE: Although users should have full privileges to their personal folders, you should not leave their storage practices unmonitored or unregulated. Later in this lesson, you learn how to set NTFS quotas limiting users’ storage space.

In the shared workspace for collaborative documents, users should have privileges based on their individual needs. Some users need read access only to certain files, whereas others might have to modify those files as well. You should limit the ability to create and delete files to managers or supervisors.

Administrators, of course, must have the privileges required to exercise full control over all users’ private and public storage spaces, as well as the ability to modify permissions as needed.

Administrators typically use NTFS permissions to assign these privileges on a Windows Server 2012 file server. You have no compelling reason to use the FAT (File Allocation Table) file system in Windows Server 2012. NTFS provides not only the most granular user access control, but also other advanced storage features, including file encryption and compression.

The new ReFS file system introduced in Windows Server 2012 lacks features such as encryption and compression, but it still supports the NTFS permission system.

To simplify the administration process, you should always assign permissions to security groups rather than to individuals. Assigning permissions to groups enables you to add new users or move them to other job assignments without modifying the permissions themselves.

On a large Active Directory Domain Services (AD DS) network, you might also consider the standard practice of assigning the NTFS permissions to a domain local group, placing the user objects to receive the permissions in a global (or universal) group, and making the global group a member of a domain local group.

Except in special cases, explicitly denying NTFS permissions to users or groups usually is not necessary. Some administrators prefer to use this capability, however. When various administrators use different permission assignment techniques on the same network, it can become extremely difficult to track down the sources of certain effective permissions. Another way to simplify the administration process on an enterprise network is to establish specific permission assignment policies, so that everyone performs tasks the same way.

X REF: For more information on NTFS permission assignments, see “Assigning Permissions,” later in this lesson.

Mapping Drives

After you create the folders for each user and assign permissions to the folders, you need to make sure that users can access their folders.

One way of doing this is to use the Folder Redirection settings in Group Policy to map each user’s Documents folder to his or her home folder on the network share. This process is invisible to users, enabling them to work with their files without even knowing they are stored on a network drive.

Another way to provide users with easy and consistent access to their files is to map drive letters to each user’s directories with logon scripts, so they can always find their files in the same place, using Windows Explorer. For example, you might consider mapping drive F: to a user’s private home folder and drive G: to the user’s Public folder. A third drive letter might point to the root of the Public share, so that the user can access other people’s public folders.

Many users do not understand the fundamental concepts of network drive sharing and file management. Often, they just know that they store their files on the F: drive and are unaware that another user’s F: drive might point to a different folder. However, consistent drive letter assignments on every workstation can simplify support for users experiencing problems storing or retrieving their files.
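The drive-letter scheme just described can be delivered by a logon script. The following is an added example of such a script, not code from the lesson. It assumes a file server named FS01 with shares named Home and Public, each holding one folder per user named after the user’s account; the server name and share names are placeholders.

```powershell
# Added example (not from the lesson): per-user drive mappings for a logon script.
# Assumptions: the file server is FS01 and the shares are named Home and Public,
# each holding one folder per user named after the account. All are placeholders.
$Server = 'FS01'

# The same letters on every workstation, as the text recommends for easier support.
$Mappings = [ordered]@{
    'F' = "\\$Server\Home\$env:USERNAME"     # the user's private home folder
    'G' = "\\$Server\Public\$env:USERNAME"   # the user's own Public folder
    'H' = "\\$Server\Public"                 # root of Public, to reach colleagues' folders
}

foreach ($letter in $Mappings.Keys) {
    $target = $Mappings[$letter]

    # Drop a stale mapping first so the letter always points at the intended folder.
    if (Get-PSDrive -Name $letter -ErrorAction SilentlyContinue) {
        Remove-PSDrive -Name $letter -Force
    }

    # -Persist makes this a real mapped network drive visible in Windows Explorer;
    # -Scope Global keeps it from being removed when the script's scope ends.
    New-PSDrive -Name $letter -PSProvider FileSystem -Root $target -Persist -Scope Global |
        Out-Null
}
```

Because the user’s own folders are reached through $env:USERNAME, the same script serves every user while F: and G: still resolve to different folders on each workstation, which is exactly the situation the paragraph above describes.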

■ Creating Folder Shares

THE BOTTOM LINE: Sharing folders makes them accessible to network users.

After you configure the disks on a file server, you must create shares for network users to be able to access those disks. As noted in the planning discussions earlier in this lesson, you should have a sharing strategy in place by the time you are ready to actually create your shares. This strategy should consist of the following information:

• What folders you will share
• What names you will assign to the shares
• What permissions you will grant users to the shares
• What Offline Files settings you will use for the shares

If you are the Creator Owner of a folder, you can share it on a Windows Server 2012 computer by right-clicking the folder in any Windows Explorer window, selecting Share with > Specific People from the context menu, and following the instructions in the File Sharing dialog box, as shown in Figure 4-1.

CERTIFICATION READY: Create and configure shares. Objective 2.1

Figure 4-1 The File Sharing dialog box

This method of creating shares provides a simplified interface that contains only limited control over elements such as share permissions. You can specify only that the share users receive Read or Read/Write permissions to the share. If you are not the Creator Owner of the folder, you can access the Sharing tab of the folder’s Properties sheet instead. Clicking the Share button launches the same dialog box, and clicking the Advanced Sharing button displays the dialog box shown in Figure 4-2. Clicking the Permissions button in the Advanced Sharing dialog box provides greater control over share permissions through the standard interface shown in “Setting Share Permissions,” later in this lesson.

Figure 4-2 The Advanced Sharing dialog box

However, to take control of the shares on all your disks on all your servers and exercise granular control over their properties, use the File and Storage Services homepage in Server Manager.

Windows Server 2012 supports two types of folder shares:

• Server Message Blocks (SMB) is the standard file-sharing protocol used by all versions of Windows.

• Network File System (NFS) is the standard file-sharing protocol used by most UNIX and Linux distributions.

When you install Windows Server 2012, the setup program installs the Storage Services role service in the File and Storage Services role by default. However, before you can create and manage SMB shares using Server Manager, you must install the File Server role service; to create NFS shares, you must install the Server for NFS role service, as shown in Figure 4-3.

TAKE NOTE: For network users to be able to see the shares you create on the file server, you must make sure that the Network Discovery and File Sharing settings are turned on in the Network and Sharing Center control panel.

Figure 4-3 Installing File and Storage Services role services

To create a folder share using Server Manager, use the following procedure.

CREATE A FOLDER SHARE

GET READY. Log on to Windows Server 2012, using an account with Administrator privileges. The Server Manager window appears.

1. Click the File and Storage Services icon and, in the submenu that appears, click Shares. The Shares homepage appears, as shown in Figure 4-4.

2. From the Tasks menu, select New Share. The New Share Wizard appears, displaying the Select the profile for this share page, as shown in Figure 4-5.

3. From the File share profile list, select one of the following options:

SMB Share–Quick provides basic SMB sharing with full share and NTFS permissions.

SMB Share–Advanced provides SMB sharing with full share and NTFS permissions and access to services provided by File Server Resource Manager.

SMB Share–Applications provides SMB sharing with settings suitable for Hyper-V and other applications.

NFS Share–Quick provides basic NFS sharing with authentication and permissions.

NFS Share–Advanced provides NFS sharing with authentication and permissions, plus access to services provided by File Server Resource Manager.

Figure 4-4 The Shares homepage

Figure 4-5 The Select the profile for this share page in the New Share Wizard

4. Click Next. The Select the server and path for this share page appears, as shown in Figure 4-6.

Figure 4-6 The Select the server and path for this share page of the New Share Wizard

5. Select the server on which you want to create the share, and then either select a volume on the server or specify a path to the folder you want to share. Then click Next. The Specify share name page appears, as shown in Figure 4-7.

Figure 4-7 The Specify share name page of the New Share Wizard

6. In the Share name text box, specify the name you want to assign to the share and click Next. The Configure share settings page appears, as shown in Figure 4-8.

MORE INFORMATION: Selecting one of the NFS share profiles adds two pages to the wizard: Specify authentication methods and Specify the share permissions. Both of these pages provide access to functions implemented by the Server for NFS role service, as covered in Objective 2.1, “Configure Advanced File Services,” in Exam 70-412, “Configuring Advanced Windows Server 2012 Services.”

Figure 4-8 The Configure share settings page of the New Share Wizard

7. Select any or all of the following options:

Enable access-based enumeration prevents users from seeing files and folders they do not have permission to access.

Allow caching of share enables offline users to access the contents of the share.

Enable BranchCache on the file share enables BranchCache servers to cache files accessed from this share.

Encrypt data access causes the server to encrypt remote file access to this share.

CERTIFICATION READY: Configure access-based enumeration (ABE). Objective 2.1

CERTIFICATION READY: Configure offline files. Objective 2.1

TAKE NOTE: Access-based enumeration (ABE), a feature first introduced in Windows Server 2003 R2, applies filters to shared folders based on individual users’ permissions to the files and subfolders in the share. Simply put, users who cannot access a particular shared resource cannot see that resource on the network. This feature prevents users from searching through files and folders they cannot access. You can enable or disable ABE for shares at any time by opening the share’s Properties sheet in the Sharing and Storage Management console and clicking Advanced, to display the same Advanced dialog box displayed by the Provision a Shared Folder Wizard.

8. Click Next. The Specify permissions to control access page appears, as shown in Figure 4-9.

TAKE NOTE: Offline Files, also known as client-side caching, is a Windows feature that enables client systems to maintain local copies of files they access from server shares. When a client selects the Always available offline option for a server-based file, folder, or share, the client system copies the selected data to the local drive and updates it regularly, so that the client user can always access it, even if the server is offline. To enable clients to use the Offline Files feature, the share must have the Allow caching of share check box selected. Windows Server 2012 and Windows 8 also have a new Always Offline mode for the Offline Files feature that causes clients to always use the cached copy of server files, providing better performance. To implement this mode, you must set the Configure slow-link mode Group Policy setting on the client to a value of 1 millisecond.

Figure 4-9 The Specify permissions to control access page of the New Share Wizard

MORE INFORMATION: For more information on permissions, see “Assigning Permissions,” later in this lesson. To set NTFS permissions, see “Assigning Basic NTFS permissions” and “Assigning Advanced NTFS permissions.”

9. Modify the default share and NTFS permissions as needed and click Next. The Confirm selections page appears, as shown in Figure 4-10.

MORE INFORMATION: Selecting one of the Advanced share profiles adds two pages to the wizard: Specify folder management properties and Apply a quota to a folder or volume. Both these pages provide access to functions of the File Server Resource Manager application, as covered in Objective 2.2, “Configure File Server Resource Manager (FSRM),” in Exam 70-411, “Administering Windows Server 2012.”

10. Click Create. The View results page appears as the wizard creates the share.

CLOSE the New Share Wizard.

After you create a share with the wizard, the new share appears in the Shares tile of the Shares homepage in Server Manager, as shown in Figure 4-11. You can now use the tile to manage a share by right-clicking it and opening its Properties sheet, or by clicking Stop Sharing. The Properties sheet for a share in Server Manager (see Figure 4-12) provides access to the exact same controls found on the Specify permissions to control access and Configure share settings pages in the New Share Wizard.

Figure 4-10 The Confirm selections page of the New Share Wizard

Figure 4-11 A new share on the Shares homepage in Server Manager

Figure 4-12 A share’s Properties sheet in Server Manager

USING WINDOWS POWERSHELL

Windows Server 2012 includes a new Windows PowerShell module called SmbShare, which you can use to create and manage folder shares. To create a new share, you use the New-SmbShare cmdlet with the following basic syntax:

New-SmbShare -Name <share name> -Path <path name> [-FullAccess <group>] [-ReadAccess <group>] [-NoAccess <group>]

For example, to create a new share called Data from the C:\Docs folder with the Allow Full Control permission granted to the Everyone special identity, use the following command:

New-SmbShare -Name Data -Path C:\Docs -FullAccess Everyone
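The options from the wizard’s Configure share settings page and the share permissions from step 9 are also available as New-SmbShare parameters. The following added example (not code from the lesson) creates the Data share on C:\Docs from the text with access-based enumeration, caching, and encryption turned on, grants share permissions to groups rather than to Everyone, and then lists every share’s settings so loosely configured shares stand out; the group names CORP\Data-Editors and CORP\Data-Readers are placeholders.

```powershell
# Added example (not from the lesson): the Data share on C:\Docs from the text, created
# with the same settings the New Share Wizard offers on its Configure share settings page.
# 'CORP\Data-Editors' and 'CORP\Data-Readers' are placeholder group names.
$Path = 'C:\Docs'
if (-not (Test-Path -Path $Path)) {
    New-Item -Path $Path -ItemType Directory | Out-Null
}

$shareParams = @{
    Name                  = 'Data'
    Path                  = $Path
    FullAccess            = 'BUILTIN\Administrators'
    ChangeAccess          = 'CORP\Data-Editors'    # placeholder; groups, not individuals
    ReadAccess            = 'CORP\Data-Readers'    # placeholder
    FolderEnumerationMode = 'AccessBased'          # Enable access-based enumeration
    CachingMode           = 'Documents'            # Allow caching of share (Offline Files)
    EncryptData           = $true                  # Encrypt data access
}
New-SmbShare @shareParams | Out-Null

# Summarize every non-administrative share: ABE, caching and encryption settings plus
# any share-level ACE granted to Everyone, which is the entry most worth reviewing.
function Get-ShareReview {
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $share    = $_
        $everyone = Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccountName -eq 'Everyone' } |
            ForEach-Object { "$($_.AccessControlType) $($_.AccessRight)" }
        [pscustomobject]@{
            Name      = $share.Name
            Path      = $share.Path
            ABE       = $share.FolderEnumerationMode
            Caching   = $share.CachingMode
            Encrypted = $share.EncryptData
            Everyone  = ($everyone -join ', ')
        }
    }
}

Get-ShareReview | Format-Table -AutoSize
```

A share created with the text’s one-line command grants Everyone Full Control at the share level and so relies entirely on NTFS permissions for protection; Revoke-SmbShareAccess -Name Data -AccountName Everyone removes that entry, and Set-SmbShare accepts the same FolderEnumerationMode, CachingMode and EncryptData parameters to change an existing share.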

■ Assigning Permissions

THE BOTTOM LINE: Protect your data by controlling who can access it.

Earlier in this lesson, you learned about controlling access to a file server to provide network users with the access they need, while protecting other files against possible intrusion and damage, whether deliberate or not. To implement this access control, Windows Server 2012 uses permissions.

Permissions are privileges granted to specific system entities, such as users, groups, or computers, enabling them to perform a task or access a resource. For example, you can grant a specific user permission to read a file while denying that same user the permissions needed to modify or delete the file.

Windows Server 2012 has several sets of permissions that operate independently of each other. As a server administrator, you should be familiar with the operation of the following four permission systems:

Share permissions control access to folders over a network. To access a file over a network, a user must have appropriate share permissions (and appropriate NTFS permissions, if the shared folder is on an NTFS volume).

NTFS permissions control access to the files and folders stored on disk volumes formatted with the NTFS file system. To access a file, whether on the local system or over a network, a user must have the appropriate NTFS permissions.

Registry permissions control access to specific parts of the Windows registry. An application that modifies registry settings or a user attempting to manually modify the registry must have the appropriate registry permissions.

Active Directory permissions control access to specific parts of an AD DS hierarchy. Although file servers typically do not function as AD DS domain controllers, server administrators might use these permissions when servicing computers that are members of a domain.

All these permission systems operate independently of each other and sometimes combine to provide increased protection to a specific resource. For example, you might grant Ralph the NTFS permissions needed to access a spreadsheet stored on a file server volume. If Ralph sits down at the file server console and logs on as himself, he can access that spreadsheet. However, if Ralph is working at his own computer, he cannot access the spreadsheet until you create a share containing the file and grant Ralph the proper share permissions.

TAKE NOTE: While all these permission systems are operating all the time, server administrators do not necessarily have to work with all of them regularly. In fact, many administrators never have to manually alter a Registry or Active Directory permission. However, many do work with NTFS and share permissions daily.

For network users to be able to access a shared folder on an NTFS drive, you must grant them both share permissions and NTFS permissions. As you saw earlier, you can grant these permissions as part of the share creation process, but you can also modify the permissions at any time afterward.

Understanding the Windows Permission Architecture

Permissions protect all files, folders, shares, registry keys, and AD DS objects.

To store the permissions, each element has an access control list (ACL). An ACL is a collection of individual permissions, in the form of access control entries (ACEs). Each ACE consists of a security principal (the name of the user, group, or computer granted the permissions) and the specific permissions assigned to that security principal. When you manage permissions in any of the Windows Server 2012 permission systems, you are actually creating and modifying the ACEs in an ACL.

It is important to understand that, in all Windows operating systems, permissions are stored as part of the protected element, not the security principal granted access. For example, when you grant a user the NTFS permissions needed to access a file, the ACE you create is stored in the file’s ACL; it is not part of the user account. You can move the file to a different location, and its permissions go with it.

To manage permissions in Windows Server 2012, you use a tab in the protected element’s Properties sheet, like the one shown in Figure 4-13, with the security principals listed at the top and the permissions associated with them at the bottom. Share permissions are typically found on a Share Permissions tab, and NTFS permissions are located on a Security tab. All Windows permission systems use the same basic interface, although the permissions themselves vary. Server Manager also provides access to NTFS and share permissions, using a slightly different interface.

Figure 4-13 The Security tab of a Properties sheet

Understanding Basic and Advanced Permissions

The permissions protecting a particular system element are not like the keys to a lock, which provide either full access or no access at all. Permissions are designed to be granular, enabling you to grant specific degrees of access to security principals.

For example, you can use NTFS permissions to control not only who has access to a spreadsheet, but also the degree of access. You might grant Ralph permission to read and modify the spreadsheet, but Alice can only read it, and Ed cannot see it at all.

To provide this granularity, each Windows permission system has an assortment of permissions that you can assign to a security principal in any combination. Depending on the permission system you are working with, you might have dozens of different permissions available for a single system element.

If this is all starting to sound extremely complex, don’t worry. Windows provides preconfigured permission combinations suitable for most common access control chores.

When you open the Properties sheet for a system element and look at its Security tab, the NTFS permissions you see are called basic permissions. Basic permissions are actually combinations of advanced permissions, which provide the most granular control over the element.

CERTIFICATION READY: Prior to Windows Server 2012, basic permissions were known as standard permissions and advanced permissions were known as special permissions. Candidates for certification exams should be aware of these alternative terms.

For example, the NTFS permission system has 14 advanced permissions that you can assign to a folder or file. However, it also has 6 basic permissions that are various combinations of the 14 advanced permissions. In most cases, you work only with basic permissions. Many administrators rarely, if ever, work directly with advanced permissions.

If you do find it necessary to work with advanced permissions directly, Windows makes it possible. After you click the Advanced button on the Security tab of any Properties sheet, you access the ACEs for the selected system element directly through an Advanced Security Settings dialog box (see Figure 4-14). Server Manager provides access to the same dialog box through a share’s Properties sheet.

Figure 4-14 The Advanced Security Settings dialog box

Allowing and Denying Permissions

When you assign permissions to a system element, you are, in effect, creating a new ACE in the element’s ACL.

ACEs come in two basic types: Allow and Deny. This makes approaching permission management tasks possible from two directions:

Additive: Start with no permissions and then grant Allow permissions to individual security principals to provide them with the access they need.

Subtractive: Start by granting all possible Allow permissions to individual security principals, providing them with full control over the system element, and then grant them Deny permissions for the access you do not want them to have.

Most administrators prefer the additive approach, because Windows, by default, attempts to limit access to important system elements. In a properly designed permission hierarchy, the use of Deny permissions is often not needed at all. Many administrators frown on their use, because combining Allow and Deny permissions in the same hierarchy can often make determining the effective permissions difficult for a specific system element.

Inheriting Permissions

The most important principle in permission management is that permissions tend to run downward through a hierarchy. This is called permission inheritance.

Permission inheritance means that parent elements pass their permissions down to their subordinate elements. For example, when you grant Alice Allow permissions to access the root of the D: drive, all the folders and subfolders on the D: drive inherit those permissions, and Alice can access them. The principle of inheritance simplifies the permission assignment process enormously. Without it, you would have to grant security principals individual Allow permissions for every file, folder, share, object, and key they need to access. With inheritance, you can grant access to an entire file system by creating one set of Allow permissions. In most cases, whether consciously or not, system administrators take inheritance into account when they design their file systems and AD DS trees. The location of a system element in a hierarchy is often based on how the administrators plan to assign permissions.

For example, the section of a directory tree shown in Figure 4-15 is intended to be where network users can temporarily store files that they want other users to access, as discussed earlier in this lesson.

Figure 4-15 A sample xfer directory structure

Because the administrator has assigned all users the Allow Read and Allow List Folder Contents standard permissions to the xfer folder, as shown in Figure 4-16, everyone can read the files in the xfer directory. Because the assigned permissions run downward, all subfolders beneath xfer inherit those permissions, and all users can read the files in all the subfolders.

The next step is to assign each user the Allow Full Control permission to his or her own subfolder, as shown in Figure 4-17. This enables each user to create, modify, and delete files in his or her own folder, without compromising the security of other users’ folders. Because the user folders are at the bottom of the hierarchy, no subfolders inherit the Full Control permissions.

Figure 4-16 Granting Allow permissions to the xfer folder

Figure 4-17 Granting Full Control to individual user folders

In some situations, you might want to prevent subordinate elements from inheriting permissions from their parents. You can do this in two ways:

• Turn off inheritance: When you assign advanced permissions, you can configure an ACE not to pass its permissions down to its subordinate elements. While not recommended by Microsoft’s best practices, this effectively blocks the inheritance process.

• Deny permissions: Assigning a Deny permission to a system element overrides any Allow permissions that the element might have inherited from its parent objects.

Understanding Effective Access

A security principal can receive permissions in many ways, and it is important for you to understand how these permissions interact.

The combination of Allow permissions and Deny permissions that a security principal receives for a given system element, whether explicitly assigned, inherited, or received through a group membership, is called the effective access for that element. Because a security principal can receive permissions from so many sources, conflicts among those permissions are common, so rules define how the permissions combine to form the effective access. These rules are as follows:

Allow permissions are cumulative: When a security principal receives Allow permissions from more than one source, the permissions are combined to form the effective access permissions. For example, if Alice receives the Allow Read and Allow List Folder Contents permissions for a particular folder by inheriting them from its parent folder, and receives the Allow Write and Allow Modify permissions to the same folder from a group membership, Alice’s effective access for the folder is the combination of all four permissions. If you then explicitly grant Alice’s user account the Allow Full Control permission, this fifth permission is combined with the other four.

Deny permissions override Allow permissions: When a security principal receives Allow permissions, whether explicitly, by inheritance, or from a group, you can override those permissions by granting the principal Deny permissions of the same type. For example, if Alice receives the Allow Read and Allow List Folder Contents permissions for a particular folder by inheritance, and receives the Allow Write and Allow Modify permissions to the same folder from a group membership, explicitly granting the Deny permissions to that folder prevents her from accessing it in any way.

Explicit permissions take precedence over inherited permissions: When a security principal receives permissions by inheriting them from a parent or from group memberships, you can override them by explicitly assigning contradicting permissions to the security principal itself. For example, if Alice inherits the Deny Full Access permission for a folder, explicitly assigning her user account the Allow Full Access permission to that folder overrides the denial.

Of course, rather than examine and evaluate all possible permission sources, you can just open the Advanced Security Settings dialog box and click the Effective Access tab, as shown in Figure 4-18. On this tab, you can select a user, group, or device and view its effective access, with or without the influence provided by specific groups.

Figure 4-18 The Effective Access tab of the Advanced Security Settings dialog box

Setting Share Permissions

On Windows Server 2012, shared folders have their own permission system, which is completely independent from the other Windows permission systems.

For network users to access shares on a file server, you must grant them the appropriate share permissions. By default, the Everyone special identity receives the Allow Full Control share permission to any new shares you create on a domain member server. On a standalone server, the Everyone special identity receives only the Allow Read share permission for new shares.

To modify the share permissions for an existing share via Windows Explorer, you open the Properties sheet for the shared folder, select the Sharing tab, and then click Advanced Sharing and Permissions to open the Share Permissions tab, as shown in Figure 4-19.

CERTIFICATION READY Configure share permissions. Objective 2.1

Figure 4-19 The Share Permissions tab for a shared folder

By using this interface, you can add security principals and allow or deny them the three share permissions listed in Table 4-1.

Table 4-1 Share Permissions and their functions

Share Permission: Allows or denies security principals the ability to:

Full Control: Change file permissions; take ownership of files; perform all tasks allowed by the Change permission.

Change: Create folders; add files to folders; change data in files; change file attributes; delete folders and files; perform all actions permitted by the Read permission.

Read: Display folder names, filenames, file data and attributes; execute program files; access other folders within the shared folder.

To set share permissions via Server Manager while creating a share or modifying an existing one, use the following procedure.

SET SHARE PERMISSIONS

GET READY. Log on to Windows Server 2012, using an account with domain administrative privileges.

1. In the Server Manager window, click the File and Storage Services icon. In the submenu, click Shares. The Shares homepage appears.

2. In the Shares tile, right-click a share and, from the context menu, select Properties. The Properties sheet for the share appears.

3. Click Permissions. The Permissions page appears, as shown in Figure 4-20.

TAKE NOTE * The share permission system is relatively simple and has only three permissions. There is no distinction between basic and advanced permissions in this system.

TAKE NOTE * The New Share Wizard displays this same permissions interface on its Specify permissions to control access page. The rest of this procedure applies equally well to that page and its subsequent dialog boxes.

4. Click Customize Permissions. The Advanced Security Settings dialog box for the share appears.

5. Click the Share tab to display the interface shown in Figure 4-21.

Figure 4-20 The Permissions page of a share’s Properties sheet in Server Manager

Figure 4-21 The Share tab of the Advanced Security Settings dialog box for a share in Server Manager

6. Click Add. A Permission Entry dialog box for the share appears, as shown in Figure 4-22.

7. Click the Select a principal link to display the Select User, Computer, Service Account, or Group dialog box, as shown in Figure 4-23.

Figure 4-22 A Permission Entry dialog box for a share in Server Manager

Figure 4-23 The Select User, Computer, Service Account, or Group dialog box

8. Type the name of or search for the security principal to which you want to assign share permissions and click OK. The Permission Entry dialog box displays the security principal you specified.

TAKE NOTE * This procedure, like all procedures in this book, assumes that the Windows Server 2012 computer is a member of an AD DS domain. On a computer that is not a domain member, some of the dialog boxes vary slightly in appearance.

9. Select the type of permissions you want to assign (Allow or Deny).

10. Select the check boxes for the permissions you want to assign and click OK. The Advanced Security Settings dialog box displays the new access control entry you just created, as shown in Figure 4-24.

11. Click OK to close the Advanced Security Settings dialog box.

12. Click OK to close the share’s Properties sheet.

CLOSE the Server Manager window.

Figure 4-24 A new share permission entry in a share’s access control list

When assigning share permissions, you must be aware that they do not combine like NTFS permissions. If you grant Alice the Allow Read and Allow Change permissions to the shared C:\Documents\Alice folder and later deny her all three permissions to the shared C:\Documents folder, the Deny permissions prevent her from accessing any files through the C:\Documents share, including those in the C:\Documents\Alice folder. However, she can still access her files through the C:\Documents\Alice share because of the Allow permissions. In other words, the C:\Documents\Alice share does not inherit the Deny permissions from the C:\Documents share.

TAKE NOTE * As discussed later in this lesson, many file server administrators simply leave the Allow Full Control share permission to the Everyone special identity in place, essentially bypassing the share permission system, and rely solely on NTFS permissions for granular file system protection.

Understanding NTFS Authorization

Most Windows installations today use the NTFS and ReFS file systems, as opposed to FAT32. One main advantage of NTFS and ReFS is that they support permissions, which FAT32 does not. As described earlier in this lesson, every file and folder on an NTFS or ReFS drive has an ACL that consists of ACEs, each of which contains a security principal and the permissions assigned to that principal.

Assigning Basic NTFS Permissions

Most file server administrators work with basic NTFS permissions almost exclusively because they do not need to work directly with advanced permissions for most common access-control tasks.

Table 4-2 lists the basic permissions that you can assign to NTFS files or folders, and the capabilities that they grant to their possessors.

Table 4-2 NTFS Basic Permissions

Full Control
When applied to a folder: Modify the folder permissions; take ownership of the folder; delete subfolders and files contained in the folder; perform all actions associated with all the other NTFS file permissions.
When applied to a file: Modify the file permissions; take ownership of the file; perform all actions associated with all the other NTFS folder permissions.

Modify
When applied to a folder: Delete the folder; perform all actions associated with the Write and the Read & Execute permissions.
When applied to a file: Modify the file; delete the file; perform all actions associated with the Write and the Read & Execute permissions.

Read and Execute
When applied to a folder: Navigate through restricted folders to reach other files and folders; perform all actions associated with the Read and List Folder Contents permissions.
When applied to a file: Perform all actions associated with the Read permission; run applications.

List Folder Contents
When applied to a folder: View the names of the files and subfolders contained in the folder.
When applied to a file: Not applicable.

Read
When applied to a folder: See the files and subfolders contained in the folder; view the folder’s ownership, permissions, and attributes.
When applied to a file: Read the file contents; view the file’s ownership, permissions, and attributes.

Write
When applied to a folder: Create new files and subfolders inside the folder; modify the folder attributes; view the folder’s ownership and permissions.
When applied to a file: Overwrite the file; modify the file attributes; view the file’s ownership and permissions.

In the NTFS permission system, which ReFS also supports, the security principals involved are users and groups, which Windows refers to using security identifiers (SIDs). When a user attempts to access an NTFS file or folder, the system reads the user’s security access token, which contains the SIDs for the user’s account and all groups to which the user belongs. The system then compares these SIDs to those stored in the file or folder’s ACEs, to determine what access the user should have. This process is called authorization.

TAKE NOTE * While the security principals to which you can assign NTFS permissions can be users or groups, Microsoft recommends as a best practice that you not assign permissions to individual users, but to groups instead. This enables you to maintain your permission strategy by simply adding users to and removing them from groups.

To assign basic NTFS permissions to a shared folder, the options are essentially the same as with share permissions. You can open the folder’s Properties sheet in Windows Explorer and select the Security tab, or you can open a share’s Properties sheet in Server Manager, as in the following procedure.

ASSIGN BASIC NTFS PERMISSIONS

GET READY. Log on to Windows Server 2012, using an account with domain administrative privileges. The Server Manager window appears.

CERTIFICATION READY Configure NTFS permissions. Objective 2.1

1. Click the File and Storage Services icon and, in the submenu that appears, click Shares. The Shares homepage appears.

2. In the Shares tile, right-click a share and, from the context menu, select Properties. The Properties sheet for the share appears.

3. Click Permissions. The Permissions page appears.

TAKE NOTE * NTFS permissions are not limited to shared folders. Every file and folder on an NTFS volume has permissions. Whereas this procedure describes the process of assigning permissions to a shared folder, you can open the Properties sheet for any folder in a Windows Explorer window, click the Security tab, and work with its NTFS permissions in the same way.

4. Click Customize Permissions. The Advanced Security Settings dialog box for the share appears, displaying the Permissions tab, as shown in Figure 4-25. This dialog box is as close as the Windows graphical interface can come to displaying the contents of an ACL. Each line in the Permission Entries list is essentially an ACE and includes the following information:

Type specifies whether the entry allows or denies the permission.

Principal specifies the name of the user, group, or device principal receiving the permission.

Access specifies the name of the permission assigned to the security principal. If the entry is used to assign multiple advanced permissions, the word Special appears in this field.

Inherited From specifies whether the permission is inherited and, if so, from where it is inherited.

Applies To specifies whether the permission is to be inherited by subordinate objects and, if so, by which ones.

TAKE NOTE * The New Share Wizard displays this same permissions interface on its Specify permissions to control access page. The rest of this procedure applies equally well to that page and its subsequent dialog boxes.

Figure 4-25 The Advanced Security Settings dialog box for a share in Server Manager

5. Click Add. A Permission Entry dialog box for the share appears, as shown in Figure 4-26.

Figure 4-26 A Permission Entry dialog box for a share in Server Manager

6. Click the Select a principal link to display the Select User, Computer, Service Account, or Group dialog box.

7. Type the name of or search for the security principal to which you want to assign share permissions and click OK. The Permission Entry dialog box displays the security principal you specified.

8. From the Type drop-down list, select the type of permissions you want to assign (Allow or Deny).

9. From the Applies to drop-down list, specify which subfolders and files should inherit the permissions you are assigning.

10. Select the check boxes for the basic permissions you want to assign and click OK. The Advanced Security Settings dialog box displays the new access control entry you just created.

TAKE NOTE * Assigning permissions to a single folder takes only a moment, but for a folder with a large number of files and subfolders subordinate to it, the process can take a long time, because the system must modify the ACL of each folder and file.

11. Click OK to close the Advanced Security Settings dialog box.

12. Click OK to close the Properties sheet.

CLOSE the Server Manager window.

MORE INFORMATION If you are using the File Classification Infrastructure capabilities in Windows Server 2012, you can use the Add a condition to limit access drop-down lists to assign permissions based on your classifications. For more information on FCI, see Objective 2.1, “Configure Advanced File Services,” in Exam 70-412, “Configuring Advanced Windows Server 2012 Services.”

Assigning Advanced NTFS Permissions

In Windows Server 2012, the capability to manage advanced permissions is integrated into the same interface you use to manage basic permissions.

In the Permission Entry dialog box, clicking the Show advanced permissions link changes the list of basic permissions to a list of advanced permissions (see Figure 4-27). You can then assign advanced permissions in any combination, just as you would basic permissions.

Figure 4-27 A Permission Entry dialog box displaying advanced permissions

Table 4-3 lists the NTFS advanced permissions that you can assign to files and folders, and the capabilities they grant to their possessors.

Table 4-3 NTFS Advanced Permissions

Traverse Folder/Execute File: The Traverse Folder permission allows or denies security principals the ability to move through folders that they do not have permission to access, so they can reach files or folders that they do have permission to access. This permission applies only to folders. The Execute File permission allows or denies security principals the ability to run program files. This permission applies only to files.

List Folder/Read Data: The List Folder permission allows or denies security principals the ability to view the file and subfolder names within a folder. This permission applies only to folders. The Read Data permission allows or denies security principals the ability to view the contents of a file. This permission applies only to files.

Read Attributes: Allows or denies security principals the ability to view the NTFS attributes of a file or folder.

Read Extended Attributes: Allows or denies security principals the ability to view the extended attributes of a file or folder.

Create Files/Write Data: The Create Files permission allows or denies security principals the ability to create files within the folder. This permission applies only to folders. The Write Data permission allows or denies security principals the ability to modify the file and overwrite existing content. This permission applies only to files.

Create Folders/Append Data: The Create Folders permission allows or denies security principals the ability to create subfolders within a folder. This permission applies only to folders. The Append Data permission allows or denies security principals the ability to add data to the end of the file but not to modify, delete, or overwrite existing data in the file. This permission applies only to files.

Write Attributes: Allows or denies security principals the ability to modify the NTFS attributes of a file or folder.

Write Extended Attributes: Allows or denies security principals the ability to modify the extended attributes of a file or folder.

Delete Subfolders and Files: Allows or denies security principals the ability to delete subfolders and files, even if the Delete permission has not been granted on the subfolder or file.

Delete: Allows or denies security principals the ability to delete the file or folder.

Read Permissions: Allows or denies security principals the ability to read the permissions for the file or folder.

Change Permissions: Allows or denies security principals the ability to modify the permissions for the file or folder.

Take Ownership: Allows or denies security principals the ability to take ownership of the file or folder.

Synchronize: Allows or denies different threads of multithreaded, multiprocessor programs to wait on the handle for the file or folder and synchronize with another thread that might signal it.

As mentioned earlier in this lesson, basic permissions are combinations of advanced permissions designed to provide frequently needed access controls. Table 4-4 lists all the basic permissions and the advanced permissions that compose them.

Table 4-4 NTFS Basic Permissions and their Advanced Permission equivalents

Read: List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions, Synchronize

Read and Execute: List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions, Synchronize, Traverse Folder/Execute File

Modify: Create Files/Write Data, Create Folders/Append Data, Delete, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions, Synchronize, Write Attributes, Write Extended Attributes

Write: Create Files/Write Data, Create Folders/Append Data, Read Permissions, Synchronize, Write Attributes, Write Extended Attributes

List Folder Contents: List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions, Synchronize, Traverse Folder/Execute File

Full Control: Change Permissions, Create Files/Write Data, Create Folders/Append Data, Delete, Delete Subfolders and Files, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions, Synchronize, Take Ownership, Write Attributes, Write Extended Attributes

Understanding Resource Ownership

As you study the NTFS permission system, you might realize that it seems possible to lock out a file or folder—that is, assign a combination of permissions that permits access to no one at all, leaving the file or folder inaccessible. In fact, this is true.

A user with administrative privileges can revoke his or her own permissions, as well as everyone else’s, preventing them from accessing a resource. However, the NTFS permissions system includes a “back door” that prevents these orphaned files and folders from remaining permanently inaccessible. Every file and folder on an NTFS drive has an owner, and the owner always has the ability to modify the permissions for the file or folder, even if the owner has no permissions him- or herself. By default, the owner of a file or folder is the user account that created it. However, any account possessing the Take Ownership special permission (or the Full Control standard permission) can take ownership of the file or folder.

The Administrator user can take ownership of any file or folder, even those from which the previous owner has revoked all Administrator permissions. After the Administrator user takes ownership of a file or folder, he or she cannot assign ownership back to the previous owner. This prevents the Administrator account from accessing other users’ files undetected.

The other purpose for file and folder ownership is to calculate disk quotas. When you set quotas specifying the maximum amount of disk space particular users can consume, Windows calculates a user’s current disk consumption by adding the sizes of all the files and folders that the user owns.

To change the ownership of a file or folder, you must open the Effective Access tab of the Advanced Security Settings dialog box and select the Change link by the Owner setting.

Combining Share and NTFS Permissions

You must understand that the NTFS and share permission systems are completely separate from each other, and that for network users to access files on a shared NTFS drive, they must have both the correct NTFS and the correct share permissions.

The share and NTFS permissions assigned to a file or folder can conflict. For example, if a user has the NTFS Write and Modify permissions for a folder and lacks the share Change permission, that user cannot modify a file in that folder.
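The following Python model is added here as an illustration and is not Microsoft code or a Windows API: it applies the three effective-access rules stated earlier in this lesson, expands basic permissions into advanced rights as Table 4-2 describes them (so Modify carries everything in Read & Execute, unlike the row in Table 4-4), and then intersects the NTFS result with the share permissions as this section requires. The Ace layout, the helper names, the share-level mapping drawn from Table 4-1, and the Alice sample ACL are constructed for the example; Windows itself evaluates the ACE list in canonical order, which this simplified model does not reproduce.

```python
"""Added model of the lesson's permission rules (not Microsoft code).
Rule 1: Allow permissions are cumulative.  Rule 2: Deny overrides Allow.
Rule 3: explicit entries take precedence over inherited ones.  Network
access then needs both NTFS and share permissions.  Basic-to-advanced
expansion follows Table 4-2; Ace layout and helper names are assumptions."""
from dataclasses import dataclass

_READ = {"List Folder/Read Data", "Read Attributes", "Read Extended Attributes",
         "Read Permissions", "Synchronize"}
_READ_EXEC = _READ | {"Traverse Folder/Execute File"}
_WRITE = {"Create Files/Write Data", "Create Folders/Append Data",
          "Write Attributes", "Write Extended Attributes",
          "Read Permissions", "Synchronize"}
_MODIFY = _READ_EXEC | _WRITE | {"Delete"}
BASIC_TO_ADVANCED = {
    "Read": _READ,
    "Read & Execute": _READ_EXEC,
    "List Folder Contents": _READ_EXEC,   # folders only
    "Write": _WRITE,
    "Modify": _MODIFY,
    "Full Control": _MODIFY | {"Change Permissions",
                               "Delete Subfolders and Files", "Take Ownership"},
}
# What each share permission level lets a principal do, per Table 4-1.
SHARE_LEVELS = {
    "Read": _READ_EXEC,
    "Change": _READ_EXEC | _WRITE | {"Delete", "Delete Subfolders and Files"},
    "Full Control": BASIC_TO_ADVANCED["Full Control"],
}

def expand(perms, table=BASIC_TO_ADVANCED):
    """Turn basic and/or advanced permission names into a set of advanced rights."""
    rights = set()
    for p in perms:
        rights |= table.get(p, {p})
    return rights

def basic_name(rights):
    """Name of the basic permission a right set equals, else 'Special' (the
    word the Access column shows for an entry of mixed advanced rights)."""
    for name in ("Full Control", "Modify", "Read & Execute", "Write", "Read"):
        if set(rights) == BASIC_TO_ADVANCED[name]:
            return name
    return "Special"

@dataclass(frozen=True)
class Ace:
    principal: str           # user or group the entry applies to
    allow: bool              # True = Allow entry, False = Deny entry
    perms: frozenset         # permission names granted or denied
    inherited: bool = False  # True when inherited from a parent folder

def effective_ntfs(token, acl):
    """token: names (standing in for SIDs) of the user and all of its groups.
    Returns the advanced rights the user effectively holds on the object."""
    decided = {}
    # Rule 3: explicit entries are settled first; inherited ones cannot overturn them.
    for inherited in (False, True):
        tier = [a for a in acl if a.principal in token and a.inherited == inherited]
        # Rule 2: within a tier, a Deny wins over any Allow for the same right.
        for ace in (a for a in tier if not a.allow):
            for right in expand(ace.perms):
                decided.setdefault(right, False)
        # Rule 1: Allow entries accumulate across users, groups and parents.
        for ace in (a for a in tier if a.allow):
            for right in expand(ace.perms):
                decided.setdefault(right, True)
    return frozenset(r for r, ok in decided.items() if ok)

def effective_over_share(token, ntfs_acl, share_acl):
    """Access through a share: NTFS effective rights intersected with what the
    share permissions allow.  Share entries use the three share levels, Deny
    overrides Allow, and nothing is inherited (shares have no hierarchy)."""
    allowed, denied = set(), set()
    for ace in (a for a in share_acl if a.principal in token):
        (allowed if ace.allow else denied).update(expand(ace.perms, SHARE_LEVELS))
    return effective_ntfs(token, ntfs_acl) & (allowed - denied)

# Constructed sample: the lesson's Alice example.  Alice inherits Allow Read
# and List Folder Contents and gets Allow Write and Modify via the Sales group.
TOKEN = frozenset({"Alice", "Sales", "Everyone"})
FOLDER_ACL = [
    Ace("Alice", True, frozenset({"Read", "List Folder Contents"}), inherited=True),
    Ace("Sales", True, frozenset({"Write", "Modify"})),
]
```

Adding an explicit Deny Full Control entry for Alice to FOLDER_ACL removes every right, while an explicit Allow Full Control beats an inherited Deny, matching the second and third rules in the text.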

The simplest of the Windows permission systems is the share permission system, which provides only basic protection for shared network resources. Share permissions provide only three levels of access, compared to the far more complex system of NTFS permissions. Network administrators generally prefer to use either NTFS or share permissions, but not both.

TAKE NOTE * The Effective Access displayed in the Advanced Security Settings dialog box shows only the effective NTFS permissions, not the share permissions that might also constrain user access.

Share permissions provide limited protection, but this might be sufficient on some small networks. Share permissions might also be the only alternative on a computer with FAT32 drives, because the FAT file system does not have its own permission system.

On networks already possessing a well-planned system of NTFS permissions, share permissions are not really necessary. In this case, you can safely leave the Full Control share permission to Everyone, overriding the default Read permission, and allow the NTFS permissions to provide security. Adding share permissions to the mix would only complicate the administration process, without providing any additional security.