Installing and Configuring Distributed File System (DFS)

Subjects covered in this summary note:

  • Installing and Configuring Distributed File System (DFS)
  • Managing Files
  • Managing File Security:
  • NTFS File Permissions:
  • Encrypting File System:
  • Sharing Files Protected with EFS:
  • Configuring EFS by Using Group Policy Settings:
  • BitLocker:
  • Sharing Folders:
  • Quotas:
  • Configuring Disk Quotas by Using the Quota Management Console:
  • Configuring Disk Quotas by Using Group Policy:
  • Folder Sharing:
  • Sharing Folders from Windows Explorer:
  • Distributed File System:
  • Installing DFS:
  • Configuring DFS:
  • Create DFS folders:

Managing Files

When you share some documents on your network, they must remain protected from unauthorized access. To control access, use NTFS file permissions and Encrypting File System (EFS). To provide redundancy, create a Distributed File System (DFS) namespace and use replication to copy files between multiple servers. You can use quotas to ensure that no single user consumes more than his or her share of disk space (which might prevent other users from saving files). To accomplish these, you need to learn the following skills:

  • Managing File Security
  • Sharing Folders
  • Backing Up and Restoring Files

Managing File Security:

Windows Server provides three technologies for controlling access to files, folders, and volumes: NTFS file permissions, EFS, and BitLocker.

NTFS File Permissions:

NTFS file permissions determine which users can view or update files. The default permissions for different file types are:

  • User files: Users have full control permissions over their own files. Administrators also have full control. Other users who are not administrators cannot read or write to a user’s files.
  • System files: Users can read, but not write to, the %SystemRoot% folder and subfolders. Administrators can add and update files. This allows administrators, but not users, to install updates and applications.
  • Program files: Similar to the system files permissions, the %ProgramFiles% folder permissions are designed to allow users to run applications and allow only administrators to install applications. Users have read access, and administrators have full control.

The default file and folder permissions work well for desktop environments. File servers, however, often require you to grant permissions to groups of users to allow collaboration. Administrators can assign users or groups any of the following permissions to a file or folder:

  • List Folder Contents
  • Read
  • Read & Execute
  • Write
  • Modify
  • Full control

To protect a file or folder with NTFS, follow these steps:

  1. Open Windows Explorer (for example, by clicking Start and then choosing Computer).
  2. Right-click the file or folder, and then choose Properties. The Properties dialog box for the file or folder appears.
  3. Click the Security tab.
  4. Click the Edit button. The Permissions dialog box appears.
  5. If the user you want to configure access for does not appear in the Group Or User Names list, click Add. Type the user name, and then click OK.
  6. Select the user you want to configure access for. Then, select the check boxes for the desired permissions in the Permissions For Users list. Denying access always overrides allowed access.
  7. Repeat steps 5 and 6 to configure access for additional users.
  8. Click OK twice.
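
The same permission change can be scripted and then reviewed from PowerShell. This is an added example, not part of the original note; the folder path and group name are placeholders. It grants a group Modify on a folder and then lists every entry on the ACL, marking Deny entries (which override any Allow) and broad built-in groups that can write.

```powershell
# Added example. $Path and $Group are placeholders (assumptions), not values from the note.
$Path  = 'D:\Shares\Marketing'
$Group = 'EXAMPLE\Marketing-Editors'

# Equivalent of steps 5 and 6: add the group and select "Modify".
# 'ContainerInherit,ObjectInherit' applies the entry to subfolders and files as well.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')

$acl = Get-Acl -Path $Path
$acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Review the resulting ACL. Two things are worth a second look on a file server:
#   - explicit Deny entries, because Deny always overrides Allow
#   - broad built-in groups that hold any write right
$broad    = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'
$writeBit = [System.Security.AccessControl.FileSystemRights]::Write

(Get-Acl -Path $Path).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited,
        @{ Name = 'Review'; Expression = {
            if ($_.AccessControlType -eq 'Deny') {
                'Deny entry: overrides any Allow for this principal'
            }
            elseif (($broad -contains $_.IdentityReference.Value) -and
                    ($_.FileSystemRights -band $writeBit)) {
                'Broad group holds write rights'
            }
            else { '' }
        } } |
    Format-Table -AutoSize
```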

Additionally, there are more than a dozen special permissions that you can assign to a user or group. To assign special permissions, click the Advanced button on the Security tab of the file or folder Properties dialog box.

A user who does not have NTFS permissions to read a folder or file will not see it listed in the directory contents. This feature, known as Access-based Enumeration (ABE), was introduced with Windows Server 2003 Service Pack 1.

Encrypting File System:

NTFS provides excellent protection for files and folders as long as Windows is running. However, an attacker who has physical access to a computer can start the computer from a different operating system (or simply reinstall Windows) or remove the hard disk and connect it to a different computer. Any of these very simple techniques would completely bypass NTFS security, granting the attacker full access to files and folders.

EFS protects files and folders by encrypting them on the disk. If an attacker bypasses the operating system to open a file, the file appears to be random, meaningless bytes. Windows controls access to the decryption key and provides it only to authorized users.

To protect a file or folder with EFS, follow these steps:

  1. Open Windows Explorer (for example, by clicking Start and then choosing Computer).
  2. Right-click the file or folder, and then click Properties. The Properties dialog box appears.
  3. On the General tab, click Advanced. The Advanced Attributes dialog box appears.
  4. Select the Encrypt Contents To Secure Data check box.
  5. Click OK twice.

If you encrypt a folder, Windows automatically encrypts all new files in the folder. Windows Explorer shows encrypted files in green.

The first time you encrypt a file or folder, Windows might prompt you to back up your file encryption key. Choosing to back up the key launches the Certificate Export Wizard, which prompts you to password-protect the exported key and save it to a file. Backing up the key is very important for stand-alone computers, because if the key is lost, the files are inaccessible. In Active Directory environments, you should use a data recovery agent (DRA).

Sharing Files Protected with EFS:

If you need to share EFS-protected files with other users on your local computer or across the network, you need to add their encryption certificates to the file.

To share an EFS-protected file, follow these steps:

  1. Open the Properties dialog box for an encrypted file.
  2. On the General tab, click Advanced. The Advanced Attributes dialog box appears.
  3. Click the Details button. The User Access dialog box appears.
  4. Click the Add button. The Encrypting File System dialog box appears.
  5. Select the user you want to grant access to, and then click OK.
  6. Click OK three more times to close all open dialog boxes.

The user you selected will now be able to open the file when logged on locally.

Configuring EFS by Using Group Policy Settings:

Users can selectively enable EFS on their own files and folders. However, most users are not aware of the need for encryption and will never enable EFS on their own. Rather than relying on users to configure their own data security, you should use Group Policy settings to ensure that domain member computers are configured to meet your organization’s security needs.

Within the Group Policy Management Editor, you can configure EFS settings by right-clicking the Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Encrypting File System node and then choosing Properties to open the Encrypting File System Properties dialog box.


BitLocker:

BitLocker encrypts entire volumes and helps prevent operating system files from being maliciously modified.

EFS encrypts folders and files for individual users. You cannot use EFS to encrypt system files. To encrypt entire volumes and protect system files, use BitLocker Drive Encryption.

When you enable BitLocker protection for a volume, BitLocker encrypts every byte on the volume, including system files and the paging file. When you start the computer, BitLocker loads before Windows, acquires a decryption key, verifies the integrity of the system, and then transparently decrypts files on the volume until Windows shuts down. In this way, BitLocker provides protection that can be completely transparent to end users.

In addition to helping protect data, BitLocker also helps reduce the risk of an attacker altering system files. If BitLocker detects that a system file has unexpectedly changed or that the hard disk has been moved to a different computer, BitLocker prevents Windows from starting. This can help protect users from rootkits, which are a type of malware that runs beneath the operating system and are very difficult to detect or remove.

Individual users can enable BitLocker from Control Panel, but most enterprises should use Active Directory Domain Services (AD DS) to manage keys.

To enable BitLocker from Control Panel, perform these steps:

  1. Add the BitLocker feature. In Server Manager, right-click Features, and then click Add Features. The Add Features Wizard appears.
  2. On the Select Features page, select BitLocker Drive Encryption. Click Next.
  3. On the Confirm Installation Selections page, click Install.
  4. On the Installation Results page, click Close. Click Yes to restart the computer.
  5. After the computer restarts, the Resume Configuration Wizard appears. Click Close.
  6. Perform a full backup of the computer. Even though BitLocker is very stable and corruption is unlikely, there is a possibility that you will be unable to access the protected volume once BitLocker is enabled.
  7. Run a check of the integrity of the BitLocker volume. To check the integrity of a volume, right-click it in Explorer, and then click Properties. On the Tools tab, click Check Now. Select both check boxes, and then click Start.
  8. Open Control Panel, and then click the System And Security link. Under BitLocker Drive Encryption, click the Protect Your Computer By Encrypting Data On Your Disk link.
  9. On the BitLocker Drive Encryption page, click Turn On BitLocker.
  10. When prompted, click Yes to start BitLocker setup.
  11. If the Turn On The TPM Security Hardware page appears, click Next, and then click Restart.
  12. On the Set BitLocker Startup Preferences page, select your authentication method. The choices available to you vary depending on whether the computer has TPM hardware. Additionally, the available choices can be controlled by the Group Policy settings contained within Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption.
  13. If you chose to require a startup key, the Save Your Startup Key page appears. Connect a USB flash drive, select it, and then click Save.
  14. On the Save The Recovery Password page, choose the destination (a USB drive, a local or remote folder, or a printer) to save your recovery password. The recovery password is a small text file containing brief instructions, a drive label and password ID, and the 48-digit recovery password. Save the password and the recovery key on separate devices and store them in different locations. Click Next.
  15. On the Encrypt The Volume page, select the Run BitLocker System Check box, and click Continue. Then, click Restart Now. After Windows restarts, BitLocker verifies that the volume is ready to be encrypted.
  16. BitLocker displays a special screen confirming that the key material was loaded. Now that this has been confirmed, BitLocker begins encrypting the C drive after Windows starts, and BitLocker is enabled.

BitLocker encrypts the drive in the background so that you can continue using the computer. After enabling BitLocker, you can choose to turn off BitLocker from the Control Panel tool.

You have two options:

  • Disable BitLocker Drive Encryption
  • Decrypt The Volume
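
For servers managed at scale, the Control Panel procedure above can be scripted with the BitLocker PowerShell module. This is an added example, not part of the original note; it assumes C: is the operating system volume, the BitLocker feature is already installed, a TPM is ready, and Group Policy allows recovery information to be stored in AD DS.

```powershell
# Added example. Run elevated. 'C:' as the OS volume is an assumption.
$mount = 'C:'

# Steps 1-5 of the procedure: the BitLocker feature must be installed (and the server restarted).
if (-not (Get-WindowsFeature -Name BitLocker).Installed) {
    throw 'Install the BitLocker feature and restart before running this script.'
}

# Step 11: the TPM must be present and ready for a TPM-only startup.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM is not present or not ready; choose a different startup method.'
}

# Step 14: create the 48-digit recovery password before encryption starts,
# so the volume is never protected without a recovery path.
Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null

# Steps 12 and 15: enable BitLocker with the TPM as the startup protector.
# The hardware check runs on the next restart, then encryption begins in the background.
Enable-BitLocker -MountPoint $mount -TpmProtector

# Escrow the recovery password in AD DS instead of relying on a file or printout.
$recovery = (Get-BitLockerVolume -MountPoint $mount).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    Select-Object -First 1
Backup-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $recovery.KeyProtectorId

# Verify: status, progress, and which protectors exist on the volume.
Get-BitLockerVolume -MountPoint $mount |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
        @{ Name = 'Protectors'; Expression = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```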

Sharing Folders:

One of the most common ways for users to collaborate is by storing documents in shared folders. Shared folders allow any user with access to your network and appropriate permissions to access files. Shared folders also allow documents to be centralized, where they are more easily managed than they would be if they were distributed to thousands of client computers.

To share and manage folders, Windows Server provides the File Services server role, so install it first. From Server Manager, add this role. On the Select Role Services page, select from the following role services:

  • File Server
  • Distributed File System
  • File Server Resource Manager
  • BranchCache for network files


Quotas:

When multiple users share a disk, whether locally or across the network, the disk will quickly become filled, usually because one or two users consume far more disk space than the rest of the users. Disk quotas make it easy to monitor users who consume more than a specified amount of disk space. Additionally, you can enforce quotas to prevent users from consuming more disk space (although this can cause applications to fail and is not typically recommended).

Configuring Disk Quotas by Using the Quota Management Console:

After installing the File Server Resource Manager role service, you can manage disk quotas by using the Quota Management console. In Server Manager, you can access File Server Resource Manager. The Quota Management console provides more flexible control over quotas and makes it easier to notify users or administrators that a user has exceeded a quota threshold, or to run an executable file that automatically clears up disk space.

Configuring Disk Quotas by Using Group Policy:

You can also configure simple disk quotas by using Group Policy settings. In the Group Policy Management Editor, select the Computer Configuration\Policies\Administrative Templates\System\Disk Quotas node.

Folder Sharing:

You can share folders across the network to allow other computers to access them, as if the computers were connected to a local disk.

Sharing Folders from Windows Explorer:

The simplest way to share a folder is to right-click the folder in Windows Explorer, choose Share With, and then choose Specific People. The File Sharing dialog box appears and allows you to select the users who will have access to the folder. Click Share to create the shared folder, and then click Done.

In the dialog box that appears, you can select either Read or Read/Write permissions.

Distributed File System:

Large organizations often have dozens, or even hundreds, of file servers. This can make it very difficult for users to remember which file server specific files are stored on.

DFS provides a single namespace that allows users to connect to any shared folder in your organization. With DFS, all shared folders can be accessible using a single network drive letter in Windows Explorer. For example, if your Active Directory domain is, you could create the DFS namespace \\\dfs. Then, you could create the folder \\\dfs\marketing and map it to shared folders (known as targets) at both \\server1\marketing and \\server2\marketing.

Besides providing a single namespace to make it easier for users to find files, DFS can provide redundancy for shared files by using replication. Replication also allows you to host a shared folder on multiple servers and have client computers automatically connect to the closest available server.

Installing DFS:

  • First, log in to your Windows Server 2016 DC machine and open Server Manager.
  • Open the Add Roles and Features Wizard and move on to Server Roles.
  • Expand File and Storage Services.
  • Under File and Storage Services, expand File and iSCSI Services and select File Server, DFS Namespaces, DFS Replication, and File Server Resource Manager.

Configuring DFS:

After the DFS role has been installed, open the DFS Management console, right-click Namespaces, and choose New Namespace.

  • Type the name of the server that will host the namespace.
  • Click on Next. Choose a name for your namespace in the following screen. This will be the name of your domain sharing path. For example\files.
  • Click on Edit Settings to edit permissions on the share. By default everyone only has “read” permissions. Click on Next on the following screen. Choose the Namespace Type.
  • Choose the Domain-based namespace and click on Next. Review the settings and then click on Create.
  • Test that your DFS namespace is working by typing the network path in Explorer (e.g.\files).

It works, but there is nothing in it yet.

Create DFS folders:

We will add folders to the DFS namespace now. From your DFS Management console, right-click the namespace we just created, and choose New Folder.

  • Type the name of the folder, then click on Add.
  • Type the path of the Shared folder you want to add to the Namespace.
  • Click on OK.

Let’s go to the network path again (e.g.\files) and you should see the folder we just added.
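
The Installing DFS, Configuring DFS and Create DFS folders steps above can also be performed from PowerShell on the namespace server. This is an added example, not part of the original note; the domain name, server name and local root path are placeholders, and the two folder targets reuse the \\server1\marketing and \\server2\marketing shares from the earlier example.

```powershell
# Added example. Run elevated on the server that will host the namespace.
# $Domain, $Server and $RootDir are placeholders (assumptions), not values from the note.
$Domain  = 'example.test'
$Server  = 'FS01'
$RootDir = 'C:\DFSRoots\files'
$Root    = "\\$Domain\files"

# Installing DFS: the same role services selected in the Add Roles and Features Wizard.
Install-WindowsFeature -IncludeManagementTools -Name `
    FS-FileServer, FS-DFS-Namespace, FS-DFS-Replication, FS-Resource-Manager

# The namespace root is backed by an SMB share on the namespace server.
# Read-only access for Everyone matches the wizard default described above;
# real access control is enforced on the target shares and their NTFS permissions.
New-Item -Path $RootDir -ItemType Directory -Force | Out-Null
New-SmbShare -Name 'files' -Path $RootDir -ReadAccess 'Everyone'

# Configuring DFS: create a domain-based namespace (DomainV2 = Windows Server 2008 mode).
New-DfsnRoot -Path $Root -TargetPath "\\$Server\files" -Type DomainV2

# Hide namespace folders from users who have no permission to read them
# (Access-based Enumeration, mentioned in the NTFS section).
Set-DfsnRoot -Path $Root -EnableAccessBasedEnumeration $true

# Create DFS folders: one folder, two targets for redundancy.
New-DfsnFolder       -Path "$Root\marketing" -TargetPath '\\server1\marketing'
New-DfsnFolderTarget -Path "$Root\marketing" -TargetPath '\\server2\marketing'

# Verify: both targets should be listed as Online, and the path should resolve.
Get-DfsnFolderTarget -Path "$Root\marketing" |
    Select-Object Path, TargetPath, State
Test-Path -Path "$Root\marketing"
```

Adding a second folder target only publishes both shares under one path; keeping their contents in sync requires a DFS Replication group between the two servers.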



DFS Namespaces is a great feature in Windows Server for organizing your network shares. When you use DFS namespaces, it does not matter where the shared folders are located; they are all accessible from a single path. It also makes it easier to move file servers around without breaking the access paths.

Note: this text is a summary of DFS implementation on Windows Server 2016 from ‘Exam Ref 70-741 Networking with Windows Server 2016, MCTS Self-Paced Training KIT Exam 70-642, and’
