File Sharing using Samba
Using Windows Server 2008? No problem!
- File server, the most basic of these functions, is responsible for sharing and managing data services.
- Distributed File System (DFS) is a framework for creating a centralized point of entry for accessing data over the network. It uses a common namespace as the entry point. Windows Server 2008 has improved on this feature.
- File Server Resource Manager (FSRM) provides a number of tools for managing and reporting on file server resources, including folders and files. This allows users to access information about the quantity and type of data stored on your servers, as well as control and manage these resources. Administrators can use the FSRM to place quotas on folders and volumes, actively screen files, and generate comprehensive storage reports.
- Services for Network File System provides a file-sharing system for networks that use both Windows and UNIX/Linux as operating systems. This service allows users to transfer files between computers using Windows Server 2008 and UNIX.
- Windows Server 2003 File Services provides backwards compatibility for computers running Windows Server 2003 by providing access to the File Replication Service and the Indexing Service.
File and Folder Sharing
File and folder sharing is a basic way of making resources available on a network. This creates a network access point for clients to access files and folders. Clients access the shared resources by using the Server Message Block (SMB) protocol, which is used over private networks and the Internet by using TCP/IP.
Windows Server 2008 supports public folder sharing and standard file sharing. If public folder sharing is enabled on your network, it allows users to share files with all users logged on locally or over the network. In Windows Server 2008, public folders are located in the %systemdrive%\Users\Public directory or c:\Users\Public by default. In a workgroup environment, password protection is used to control access to public folders. Network access can be restricted to either read and execute permissions or read, write, create, and delete permissions. Public folder sharing is managed in the Network and Sharing Center.
Standard file sharing makes files and folders accessible from a network location. In WIndows Server 2008, the New Technology File System, or NTFS, is the preferred format for file systems because of its more robust features and file-level security. Windows Server 2008 also supports File Allocation Table 32 (FAT32) volumes. On NTFS systems, access to shared resources is determined by combining NTFS user-level file and folder permissions and share-level permissions. FAT32 systems only support share permissions.
Windows Server 2008 splits access control permissions into two categories: share-level permissions and user-level permissions. These permissions allow authorized clients to access resources on the server.
Share-level permissions, or share permissions, are defined at the shared resource level and only apply when files and folders are accessed over a network, as opposed to a user who is accessing resources on the computer he is logged into (the “local machine”). NTFS permissions are retained when files and folders are backed up, while shared permissions are not. The permissions you can set at the share level include:
- Read: Allows you to view and execute applications, files, and subdirectories but not make changes to them.
- Change: Includes read permissions and the ability to add, delete and change files or subdirectories.
- Full Control: Clients with this permission can perform all available functions on all files and folders within the share.
- Deny: Denies access to files and folders within the share. Generally only used when you need to break inherited attributes on a certain file or folder or make absolutely certain that some group can’t get at a resource.
Default and Administrative Shares are mostly created when Windows Server 2008 is installed. Administrative shares are typically hidden from regular users and always end with a dollar sign ($). Because of this, most administrative shares can be identified by name. These shares give access to specific resources, perform different functions and include the following information:
Drive letter shares, also called administative shares, provide users with quick over-the-network access to drives on a remote system. By default, all hard disk drives are assigned an administrative share when Windows Server 2008 is installed.
- Admin$ is a share that provides clients with access to Windows Server 2008 system files on a remote computer. These system files are located in the c:\Windows directory and are known by the environmental variable of %systemroot%.
- Windows Server 2008 uses the IPC$ share to share resources (not files and folders) and facilitate communications between processes and computers. IPC$ is also used for any remote management function not related to the sharing of files, such as the authentication process between two computers wanting to communicate.
- NETLOGON appears on all domain controllers (DCs) in an Active Directory Domain Services (AD DS) environment. This share stores information users read and access as part of the network logon and logoff process. This includes logon scripts, installation programs, and profile information. By default, it is located in the %systemroot%\sysvol\%domainname%\SCRIPTS directory on every DC.
- PRINT$ is fairly self-explanatory, in that it stores print drivers that are provided to clients when they install a network printer from the server. It is stored in the %systemroot%\Windows32\spool\drivers directory.
- SYSVOL is used by DCs for internal operations and is located in the %systemroot%\SYSVOL\sysvol directory.
NETLOGON and SYSVOL are also used to test AD DS replication. One way to test if your Domain Controllers are replicating correctly is to place a test file in the NETLOGON or SYSVOL folder and wait for it to propagate to other DCs.
One way to create shares that are hidden from ordinary users is to append a dollar sign ($) to the end of the name of the share you want to hide.
User-Level Permissions are created at the file or folder level. On Windows Server 2008, these permissions are based on the NTFS file system. NTFS offers improved security and more detailed configuration settings than FAT32 and permissions set using this file system apply anytime that a file or folder is accessed.
You set file and folder permissions by placing users in a group and then assigning permission to the groups. Each user will then inherit permissions from the groups they are a member of. Files will inherit permissions from the folder they are in, unless you go in and set permissions individually. When two competing permission levels are set, the more restrictive one will prevail. This can be confusing to network administrators and frustrating for ordinary users, as improper permissions can result in unwanted users gaining access to a resource or incorrect restrictions on user access.
What Do Filesystems Have To Do With Anything?
Access Control Lists and Authentication
NTFS uses access control lists (ACLs) to define permissions to resources. An ACL is assigned to each file and folder objust on a Windows Server 2008 computer. Each ACL contains access control entries (ACEs), which are the individual permissions assigned to a specific user or group on an object.
Network access to resources are managed through user permissions and rights. In Windows Server 2008, tokens are objects associated with each user’s account, as well as computers and groups, that validates the user’s identity and privileges. Windows includes security identifiers (SIDs) as part of the tokens to ensure that every user, computer, and resource on a network is unique. User SIDs are matched against each resource’s SID to determine what privileges that specific user has.
On Windows Server 2008, you can deploy shares in your choice of four ways: through the Shared Folders console, through Windows Explorer, in Command Prompt with the Net share command, or with the Share and Storage Management console.
You can access the Shared Folders console in Computer Management or as a stand-alone MMC snap-in. It is a GUI-based tool for managing shares and the connections to them and viewing files being accessed within the shares. This is useful when maintaining or troubleshooting servers because you can alert users accessing the files or folders on the server if your system requires a reboot or maintenance that will affect their ability to access the resources.
Most people who use computers on a daily basis are familiar with Windows Explorer. This tool allows you to create or find folders and files and modify their properties to allow sharing. A new tool in Windows Server 2008 is File Sharing Wizard, which helps simplify sharing by combining shared and NTFS permissions. Windows Explorer also allows for advanced sharing in the Sharing tab of a folder’s Properties dialogue box.
Net Share is used through the command line (more often called the “command prompt”) that allows you to type in commands to create, manage, or view shares. See the full-sized video below for a demo on how Net Share works.
The Share and Storage Management Console is meant to centralize both sharing tasks and administration for disk volumes and disk storage systems. This console includes the Provision a Shared Folder Wizard, which helps you select the folder or volume you want to share, set the protocol to share it with, set the NTFS permissions on the resource, configure the share permissions, publish it to DFS, set NFS permissions (if applicable), and apply storage quotas (if file server resource manager is installed).
Offline files, also called caching, provide a way for clients to access shared file resources when they’re not connected to the network. It does this by caching copies of network files on local systems for use when they are offline. This feature is defined by administrators at the shared resource level. This feature is most useful for clients who have laptop computers and want to take their work with them. They can modify the cached document as modify and the document will be synchronized with the original shared resources when they reconnect to the network. As a security consideration, you should only allow caching for documents that will not compromise sensitive company data or confidential information.
Distributed File System
Distributed File System (DFS) is a set of client and server services that allows companies to deploy their shared file resources, known as targets, as a single file structure while distributing the resources across multiple servers and network locations. This allows servers to share the work load, creates redundancy and fault tolerance, and improves availability. In Windows Server 2008, DFS is divided into two categories: DFS namespace and DFS replication.
DFS Namespace permits network administrators to create an entry point for shared file resources using a naming convention they create. This namespace makes the files distributed through DFS transparent to users. They only see a single shared folder that may contain subfolders and files.
DFS namespaces may be implemented as a domain-based namespace or a standalone namespace. A domain-based namespace is stored on one or more servers as part of Active Directory Domain Services. This offers increased scalability and availability because it can be spread across more than one server. A stand-alone namespace is stored on a single server. This may limit availability; however, servers can increase availability if they are hosted on a failover cluster.
Domain-based namespaces can be implemented in either of these two modes, depending on the resources used:
- Windows Server 2008 Mode requires a domain to be running in Windows Server 2008 Active Directory Domain Services (AD DS) functional mode. All namespace servers must run Windows Server 2008. This allows for access-based enumeration (ABE) of your DFS root and for multiple servers to host the namespace. With ABE enabled, users cannot access or view files or folders if they do not have the appropriate permissions. Without ABE, users may be able to see a file or folder but cannot access it.
- In Windows Server 2000 Mode, a domain must run Windows 2000 mixed AD DS functional mode or higher, and all namespace servers must run at least Windows Server 2000. This mode allows the use of multiple namespace servers and supports the use of DFS replication to target folders.
The type of namespace deployed depend on factors within your network. For example:
- Are you running an AD DS domain?
- Do you need support for DFS servers not running Windows Server 2008?
- Do you need multiple DFS servers or just one?
- Will your environment support moving to Windows Server 2008 functional mode on all your DCs?
- Does your solution require scalability?
- Do you need to replicate across LAN or WAN connections?
DFS replication synchronizes all data within a DFS structure. DFS replication allows servers to stay current if they are connected across a WAN or limited bandwidth network by using a multimaster replication engine such as Active Directory Domain Services. This replaces the File Replication Service (FRS) which was used by previous versions of Windows Server. If the servers are located in different AD DS sites, clients using DFS will be referred to shared folders located within the same AD DS site when available. This helps reduce routing file resource requests across WAN links.
DFS replication can be used on its own or combined with DFS namespace. Combining the two gives advantages such as:
- Data collection. This allows you to take data from multiple servers and collect it in a central location on one server. This is helpful if you need to perform local server backups from a single server.
- Data distribution. DFS allows you to distribute data across multiple locations so that users can use a copy of a resource located in their geographic location. AD DS sites are used to determine which DFS resources are local to the user.
- Load balancing. This allows you to deploy multiple servers that hold copies of your data. When users attempt to access a document stored in DFS, the will be directed to a DFS server in their AD DS site or the closest AD DS site.
DFS replication also allows you to centralize your backups. Because the same data is stored on all the servers, you can perform backups on a single server that captures all the necessary files. Once deployed, DFS has a hierarchical namespace structure that allows users to locate information using a UFC path location.
To deploy DFS on your network, some configuration tasks will need to be completed in addition to installing the necessary roles. These include installing the File Services role and the Distributed File System role services, creating a namespace, adding folders to the namespace, configuring the DFS referral order, and creating a DFS replication group. By default, DFS is not an installed role on Windows Server 2008. You will need to install both DFS and File Services, which can be done through Server Manager.
You can also create a centralized namespace for resources spread across more than one server by also selecting the DFS Namespace service. If you are using a stand-alone DFS root, the Namespace is \\\ where is the name of the server and is the name of you namespace. For domain-based implementation, the namespace is \\\.
DFS namespaces use a referral order to determine the DFS server that will provide shared resources to client requests. By default, the referral order uses AD DS sites to determine which DFS server is closest to a client. In AD DS, sites are groups of computers separated by a low-bandwidth connection, such as two branch offices connected to a central office across WAN links. During the connection process, DFS does not directly connect clients to a target server. Instead, the DFS infrastructure provides a client with a referral that contains the name of the server for the client to use while connecting to resources.
Clients receive referrals in the following order:
- DFS targets in the same site as the client. This order is randomized by DFS.
- DFS targets from external sites. This order is determined by the AD DS site costs. The higher the cost of connecting to a target server, the lower it appears on the referral list.
Clients cache the referrals for a default of 300 seconds. This can be configured at the namespace level by adjusting the settings for individual folders. You can do this in the folders’ properties in the Referrals tab. You can also use the Properties dialog box to exclude clients outside of client’s site, which blocks clients from looking outside their current site for DFS targets, and Clients fail back to preferred targets, which causes users to fail back to a preferred or lower cost target when a target server is unavailable.
File Server Resource Manager
The File Server Resource Manager (FSRM) console allows users to manage files and disk quotas, screen files using built-in and custom templates, and create reports on storage resources. As with previous versions of Windows Server, Windows Server 2008 uses NTFS-formatted drives to offer disk quotas based on user usage per volume. With FSRM, system administrators can now work with quotos at the file level. Quotas allow system administrators to both monitor space usage and enforce space usage limits. FSRM quotas use actual file size instead of logical file size. This means that a 10-MB file compressed to 1 MB will appear as 1 MB with FSRM quotas. Quotas are divided into two types: hard and soft. Hard quotas do not allow users to exceed the set limit and is used to enforce storage limits. Soft quotas allow users to exceed the set limit and should only be used for monitoring purposes.
Filter screening is another new feature of FSRM that allows administrators to block specific types of files from being stored in Windows Server 2008 file directories. Filters can be defined using built-in templates, custom-created templates, or specific file types.
FSRM also helps you to create reports on storage resources. This helps you make predictions about future storage needs and identify the types of data being stored by users. FSRM is very useful for tracking patterns that might indicate suspicious activity by a user or justifying the addition of adding more storage in the future.
Managing & Troubleshooting File and Folder Sharing