Disk Volumes for Virtual Service Offerings
You should also create a standard disk structure for each server in the VSO. It is similar to the one created for resource pools, but includes some minor differences. This structure should include the following:
- C: Drive: This is the system disk.
- D: Drive: The data storage disk.
- E: Drive: An optional disk for servers hosting database applications as well as for file servers. In the Microsoft world, this includes servers hosting very large Active Directory Domain Services databases (domain controllers), SQL Server, and Exchange. For servers running database applications, this disk is used to store transaction journals. For file servers, this drive is used to support near-term backups.
- Y: Drive: The DVD/CDRW server drive.
No matter how your server is constructed, it should use this structure for its logical appearance. Since all hard disk drives can be extended, even virtual hard drives, no other drive letters should be required.
On a file server, the disk that requires the most structure is the D: drive, since it is the disk that will store user and group shared data and documents. This disk should include a master folder for each of the different data types identified previously. In addition, it is a good idea to structure the disk folders according to content.
Rely on the following principles when creating the folders in the D: drive:
- First, group information according to content. This means that three top-level folders are required: Data, Applications, and Administration. Each will be used to regroup subfolders that will store similar content.
- Second, use representative folder names. If a folder will be used to store user data, call it UserData.
- Third, use combined words. That is, do not include spaces or special characters between words. If your folder name is User Data, type it as UserData. Unfortunately, there are still some vestiges of NetBIOS in WS08. NetBIOS prefers word strings that do not use spaces or other special characters. Even Web-based technologies prefer folder names that do not include spaces. Spaces also complicate any file paths you may need to reference in scripts or command-line tools by requiring quote marks at the beginning and the end.
- Fourth, name your folders the way you will want to have your shares appear. A good example here is the use of the dollar sign ($) at the end of a folder name. Remember that when you share a folder with the dollar sign at the end, it becomes a "hidden" share; i.e., it cannot be seen through network browsing mechanisms.
- Fifth, create the same folder structure on all servers that have a file and print vocation, even though you will not share each of the folders on each server. This strategy allows you to quickly activate a folder share when a file server is down. Since each server has the same folder structure, activating a shared folder in an emergency is quick and easy.
Using these guidelines, folders should be created according to the details outlined in Table 1.
NTFS Permissions
Windows Server 2008 is similar to previous versions of Windows in that access to shared folders is governed by a combination of NTFS permissions and shared folder permissions, so the same rules apply. Because managing both sets of permissions is complex, it is much easier to focus on NTFS permissions, since these are the last permissions applied when users access files through network shares.
Combining shared folder permissions with NTFS permissions can become confusing and difficult to troubleshoot if you mix and match them. In order to simplify the process, you should use only NTFS permissions in most cases, because the most restrictive permissions are always applied.
Table 1: Folder structure, NTFS permissions and share settings for the D: drive

Folder Name | Share Name | Offline Settings | NTFS Permissions | Share Permissions | Comment |
---|---|---|---|---|---|
Applications | Applications | Automatically Available and Optimized For Performance | Users: Read plus Read and Execute; Administrators: Full Control | Everyone: Reader | This folder shares centrally located applications. |
Department n | Department n | User-selected | Department: Read; User Representative: Modify; Administrators: Full Control | Everyone: Contributor | Data can be encrypted, but should not be compressed. This folder is the main folder for the department; only user representatives can write to this folder and create subfolders. |
Project n | Project n | User-selected | Project members: Modify; Administrators: Full Control | Everyone: Contributor | Data can be encrypted, but should not be compressed. |
Public | Public | No Caching | Everyone: Modify; Administrators: Full Control | Everyone: Contributor | Data should be neither encrypted nor compressed. Specific documents or subfolders can be set to read-only for most users. |
UserData$ | UserData$ | Automatically Available and Optimized For Performance | Everyone: Modify; Administrators: Full Control | Everyone: Contributor | Data can be encrypted, but should not be compressed. This folder will be used to support folder redirection for all users. |
HotFixes$ | HotFixes$ | No Caching | Everyone: Read plus Read and Execute; Administrators: Full Control | Everyone: Read | Data should not be encrypted or compressed. |
ServicePacks$ | ServicePacks$ | No Caching | Everyone: Read plus Read and Execute; Administrators: Full Control | Everyone: Read | Data should not be encrypted or compressed. |
Sources$ | Sources$ | No Caching | Everyone: Read plus Read and Execute; Administrators: Full Control | Everyone: Read | Data should not be encrypted or compressed. |
Tools$ | Tools$ | No Caching | Everyone: Read plus Read and Execute; Administrators: Full Control | Everyone: Read; Administrators team: Contributor | Data should not be encrypted or compressed. |
In Windows Server 2008, there are two primary ways to share a folder. The first is to right-click the folder and select Share. This command opens a File Sharing dialog box, which lists the creator of the folder as its owner. The drop-down list includes two items: Everyone and Find. In most cases, you can assign share rights to the Everyone group, since you will spend more time controlling access through the security or NTFS permissions of the folder. If you need to locate another group, select Find and type the name of the group to locate it in Active Directory Domain Services (ADDS). Once you've selected the right group, click the Add button. Windows Server 2008 automatically assigns the Reader role to the group you added. To change the role, click the drop-down menu to select another one. You can assign the Contributor role, since you control permissions more tightly within the Security tab of the folder's properties. To complete the sharing process, click the Share button. A User Account Control (UAC) prompt will be displayed. Approve the change and click Done when you have completed the operation.
The second way to share a folder is to do it through the folder's Property dialog box. Right-click the folder and select Properties. Click the Sharing tab and then click Advanced Sharing. Approve the UAC prompt. This displays a new dialog box, which lets you control each of the features of the shared folder in one single location. Select the Share This Folder check box. Now you can change the name of the share, control permissions, and control caching settings. Note that when you share folders in this manner, Windows Server 2008 automatically assigns the same basic permissions to every new shared folder: Everyone Read. This is different from all previous versions of Windows! If users need to write to a shared folder, these permissions must be modified to Everyone Change. If not, the most restrictive permissions apply and no one is allowed to write to a shared folder.
CAUTION: Take the time to verify shared folder permissions before finalizing the share. Otherwise, you will receive support calls about non-functioning shares.
It is quite all right to set share permissions on just about anything to Everyone Change (or Contributor) because NTFS permissions will apply, even though your share permissions are not restrictive. Microsoft set the default behavior of the shared folder process to read-only in order to provide better security for enterprises that did not prepare their NTFS settings beforehand. To be safe from prying users when you share your folders, you should always apply NTFS permissions before a share is enabled.
The best practice in terms of shared folder permissions is to set permissions according to the following:
- Set Everyone Read (or Reader) for all shared application folders, installation folders, support tool folders, and so on.
- Set Everyone Change (or Contributor) for all shared data folders, and set appropriate NTFS permissions on a per-folder basis.
There is rarely any need for the Everyone Full Control (or Co-Owner) shared folder permission setting.
CAUTION: It is important to set Everyone Change as the shared folder permissions for the shared folder hosting the redirection of user data. Otherwise, the automatic folder creation process that is enabled whenever the policy applies to a new user will be unable to automatically create the user's data folders.
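The following PowerShell script is an added example (not code from the tutorial) that applies the practice described above for a subset of the Table 1 folders: create the folder on D:, set NTFS permissions first with icacls.exe, and only then share it with net.exe using the broad Everyone Read or Change share permission. Both tools ship with Windows Server 2008; the group names and the D: root are assumptions, and the Department and Project folders are omitted because their groups are site-specific.

```powershell
# Added example: build part of the Table 1 structure, NTFS before share.
# Run in an elevated PowerShell session on the file server.
$Root = 'D:'

# icacls rights: RX = Read plus Read and Execute, M = Modify, F = Full Control.
# (OI)(CI) make the entry inherit to files and subfolders.
# Share values are the net share /GRANT keywords (READ or CHANGE).
$Folders = @(
    @{ Name = 'Applications'; Ntfs = @('Users:(OI)(CI)RX');    Share = 'READ'   }
    @{ Name = 'Public';       Ntfs = @('Everyone:(OI)(CI)M');  Share = 'CHANGE' }
    @{ Name = 'UserData$';    Ntfs = @('Everyone:(OI)(CI)M');  Share = 'CHANGE' }
    @{ Name = 'HotFixes$';    Ntfs = @('Everyone:(OI)(CI)RX'); Share = 'READ'   }
    @{ Name = 'Tools$';       Ntfs = @('Everyone:(OI)(CI)RX', 'Administrators:(OI)(CI)M'); Share = 'READ' }
)

foreach ($f in $Folders) {
    $path = Join-Path $Root $f.Name
    if (-not (Test-Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }

    # 1. NTFS first: remove inherited ACEs so the drive-root defaults do not
    #    leak in, grant Administrators Full Control, then the folder's own ACEs.
    & icacls.exe $path /inheritance:r /grant 'Administrators:(OI)(CI)F' | Out-Null
    foreach ($ace in $f.Ntfs) { & icacls.exe $path /grant $ace | Out-Null }

    # 2. Share second. Share name equals folder name, so a trailing $ yields a
    #    hidden share. NTFS remains the effective control; the share ACE is broad.
    & net.exe share "$($f.Name)=$path" "/GRANT:Everyone,$($f.Share)" | Out-Null
}

# Verify before finalizing (the CAUTION above): print share and NTFS ACLs.
foreach ($f in $Folders) {
    & net.exe share $f.Name
    & icacls.exe (Join-Path $Root $f.Name)
}
```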
Disk Quotas
Another important factor in file sharing is disk quotas. Windows Server 2008 offers a true disk quota management process through the File Server Resource Manager (FSRM). WS08 quota usage is identified by file ownership. This means that you can track a user's total quota usage on a folder-by-folder basis. Quotas can be assigned on specific folders. They can either be definitive or relative. Definitive quotas, sometimes called hard quotas, automatically stop users from storing additional data once the limit has been reached. With a relative or soft quota, you as the administrator will receive a warning when the limit has been reached by the user, but the user will still have the ability to store data on the server.
You'll use the mode that best meets your needs, but since disk space is cheap and it is easy to expand virtual disks, you could aim for the relative quota approach, setting limits and then determining if you will increase this limit for users when warnings arrive.
You can also set automatic quotas, relying on a template to set a quota on a folder. When you do this, the quota template will automatically be applied to every subfolder you create. For example, automatic quotas are ideal for the UserData$ share since they are automatically applied whenever a subfolder for folder redirection is created for a user.
Quotas are values you need to monitor on an ongoing basis, so it is nice to know that WS08 will provide extensive reports on the file resources of your file servers. Not only will it monitor the shared folder usage, but it will also report on usage by user, as well as total available disk space, giving you lots of warning if or when you need to expand the disk used to store shared folder data. Several predefined reports are available: largest files, most used files, recently used files, files by owner, files by group, and much more. Reports can be run interactively or on a scheduled basis.
Quotas will also allow you to perform some form of file screening, making sure users store only acceptable file formats on your servers. For example, you probably prefer that your users not store executable files in their data folders. This can be done through file screening. Once again, this feature relies on templates that are assigned to the file server. As with quotas, you can use a hard or soft policy for file screening, either completely blocking users from saving files to a share or simply receiving a warning that an unauthorized file type was stored on your server. File screening is not a be-all and end-all system, since it relies only on the file extension to work. Sophisticated users can easily rename the extensions of the files they want to store to circumvent the policy. You might consider the performance impact of having your file servers screen each and every file that is stored on them and opt for a written policy instead: a policy that you distribute to end users and that you support with FSRM's powerful reporting capabilities.
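As an added example (not from the tutorial), the script below applies a soft auto-quota and a passive file screen to the UserData$ share with the FSRM command-line tools dirquota.exe and filescrn.exe, then addresses the extension-only weakness described above with a defender's check that inspects file headers rather than names. The share path, the quota template name and the "Executable Files" file group are assumptions based on the FSRM defaults; confirm them with the tools' /? output on your server, and note the header check needs PowerShell 2.0 or later for try/finally.

```powershell
# Added example: FSRM soft quota + passive screen, plus a header-based check.
$Share = 'D:\UserData$'

# Soft (relative) auto-quota: each new folder-redirection subfolder inherits
# it, and the administrator is warned rather than the user being blocked.
& dirquota.exe autoquota add "/Path:$Share" "/SourceTemplate:200 MB Limit Reports to User"

# Passive (soft) screen on the default Executable Files group: warns, no block.
& filescrn.exe screen add "/Path:$Share" /Type:Passive "/Add-Filegroup:Executable Files"

# Show what is now in effect on the share.
& dirquota.exe quota list "/Path:$Share"
& filescrn.exe screen list "/Path:$Share"

# File screening only looks at the extension. A renamed executable still
# begins with the 'MZ' DOS header, so read the first two bytes of each file.
function Find-RenamedExecutables {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -Force |
        Where-Object { -not $_.PSIsContainer -and
                       $_.Extension -notmatch '^\.(exe|dll|sys|scr|com)$' } |
        ForEach-Object {
            $fs = $null
            try {
                $fs  = [System.IO.File]::OpenRead($_.FullName)
                $buf = New-Object byte[] 2
                $n   = $fs.Read($buf, 0, 2)
                # 0x4D 0x5A = "MZ": PE/DOS executable header
                if ($n -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A) { $_.FullName }
            } catch { }
            finally { if ($fs) { $fs.Close() } }
        }
}

# Candidates for follow-up under the written policy, alongside FSRM reports.
Find-RenamedExecutables -Path $Share
```

The scan is meant for a scheduled or ad hoc review of a share, not a per-write hook, so it avoids the per-file screening cost the text warns about while still finding what an extension rule misses.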