Installing and Configuring Distributed File System (DFS)

Subjects covered in this summary note:

  • Installing and Configuring Distributed File System (DFS)
  • Managing Files
  • Managing File Security:
  • NTFS File Permissions:
  • Encrypting File System:
  • Sharing Files Protected with EFS:
  • Configuring EFS by Using Group Policy Settings:
  • BitLocker:
  • Sharing Folders:
  • Quotas:
  • Configuring Disk Quotas by Using the Quota Management Console:
  • Configuring Disk Quotas by Using Group Policy:
  • Folder Sharing:
  • Sharing Folders from Windows Explorer:
  • Distributed File System:
  • Installing DFS:
  • Configuring DFS:
  • Create DFS folders:

Managing Files

  • Managing File Security
  • Sharing Folders
  • Backing Up and Restoring Files

Managing File Security:

NTFS File Permissions:

  • User files: Users have full control permissions over their own files. Administrators also have full control. Other users who are not administrators cannot read or write to a user’s files.
  • System files: Users can read, but not write to, the %SystemRoot% folder and subfolders. Administrators can add and update files. This allows administrators, but not users, to install updates and applications.
  • Program files: Similar to the system files permissions, the %ProgramFiles% folder permissions are designed to allow users to run applications and allow only administrators to install applications. Users have read access, and administrators have full control.

The default file and folder permissions work well for desktop environments. File servers, however, often require you to grant permissions to groups of users to allow collaboration. Administrators can assign users or groups any of the following permissions to a file or folder:

  • List Folder Contents
  • Read
  • Read & Execute
  • Write
  • Modify
  • Full control

To protect a file or folder with NTFS, follow these steps:

  1. Open Windows Explorer (for example, by clicking Start and then choosing Computer).
  2. Right-click the file or folder, and then choose Properties. The Properties dialog box for the file or folder appears.
  3. Click the Security tab.
  4. Click the Edit button. The Permissions dialog box appears.
  5. If the user you want to configure access for does not appear in the Group Or User Names list, click Add. Type the user name, and then click OK.
  6. Select the user you want to configure access for. Then, select the check boxes for the desired permissions in the Permissions For Users list. Denying access always overrides allowed access.
  7. Repeat steps 5 and 6 to configure access for additional users.
  8. Click OK twice.
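
The same procedure can be scripted and then audited. The following is an added example, not part of the original note; the folder path, group and user names are constructed placeholders. It grants a group Modify on a shared folder, adds an explicit Deny for one user to show that Deny overrides Allow, and then lists every explicit Deny entry in the tree.

```powershell
# Added example: run in an elevated PowerShell session on the file server.
# All names below are constructed placeholders; the accounts must exist.
$path  = 'D:\Shares\Marketing'
$group = 'CONTOSO\Marketing-RW'
$user  = 'CONTOSO\jdoe'            # assumed to be a member of $group

New-Item -ItemType Directory -Path $path -Force | Out-Null
$acl = Get-Acl -Path $path

# Apply to this folder, its subfolders (ContainerInherit) and files (ObjectInherit).
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# Step 6 of the procedure: Allow Modify for the group.
$allow = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $group, 'Modify', $inherit, $propagate, 'Allow')
# An explicit Deny for one member; it wins over the group's Allow.
$deny = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $user, 'Write', $inherit, $propagate, 'Deny')

$acl.AddAccessRule($allow)
$acl.AddAccessRule($deny)
Set-Acl -Path $path -AclObject $acl

# Review the resulting ACL, Deny entries first.
(Get-Acl -Path $path).Access |
    Sort-Object AccessControlType -Descending |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize

# Audit: explicit (non-inherited) Deny entries anywhere below the folder.
# These are the entries most likely to cause unexpected access failures.
Get-ChildItem -Path $path -Recurse -Force | ForEach-Object {
    $item = $_
    (Get-Acl -LiteralPath $item.FullName).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited } |
        Select-Object @{ n = 'Path'; e = { $item.FullName } }, IdentityReference, FileSystemRights
}
```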

Additionally, there are more than a dozen special permissions that you can assign to a user or group. To assign special permissions, click the Advanced button on the Security tab of the file or Administrator Properties dialog box.

A user who does not have NTFS permissions to read a folder or file will not see it listed in the directory contents. This feature, known as Access-based Enumeration (ABE), was introduced with Windows Server 2003 Service Pack 1.

Encrypting File System:

EFS protects files and folders by encrypting them on the disk. If an attacker bypasses the operating system to open a file, the file appears to be random, meaningless bytes. Windows controls access to the decryption key and provides it only to authorized users.

To protect a file or folder with EFS, follow these steps:

  1. Open Windows Explorer (for example, by clicking Start and then choosing Computer).
  2. Right-click the file or folder, and then click Properties. The Properties dialog box appears.
  3. On the General tab, click Advanced. The Advanced Attributes dialog box appears.
  4. Select the Encrypt Contents To Secure Data check box.
  5. Click OK twice.

If you encrypt a folder, Windows automatically encrypts all new files in the folder. Windows Explorer shows encrypted files in green.

The first time you encrypt a file or folder, Windows might prompt you to back up your file encryption key. Choosing to back up the key launches the Certificate Export Wizard, which prompts you to password-protect the exported key and save it to a file. Backing up the key is very important for stand-alone computers, because if the key is lost, the files are inaccessible. In Active Directory environments, you should use a data recovery agent (DRA).

Sharing Files Protected with EFS:

To share an EFS-protected file, follow these steps:

  1. Open the Properties dialog box for an encrypted file.
  2. On the General tab, click Advanced. The Advanced Attributes dialog box appears.
  3. Click the Details button. The User Access dialog box appears.
  4. Click the Add button. The Encrypting File System dialog box appears.
  5. Select the user you want to grant access to, and then click OK.
  6. Click OK three more times to close all open dialog boxes.

The user you selected will now be able to open the file when logged on locally.
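
The EFS steps above (encrypting a folder, backing up the key, and checking who can open a file) can also be done from the command line with the built-in cipher.exe tool. This is an added example, not part of the original note; the folder, file and backup paths are constructed placeholders.

```powershell
# Added example: run as the user who owns the files (EFS keys are per user).
# Paths are constructed placeholders.
$folder = 'D:\Shares\Finance'
$file   = Join-Path $folder 'budget.xlsx'
$backup = 'E:\KeyBackup\efs-key'       # cipher writes a .PFX with this base name

# Encrypt the folder and everything below it; new files inherit the attribute.
cipher.exe /e "/s:$folder"

# Audit: files under the folder that are still NOT encrypted
# (for example, files that were open or locked while cipher ran).
Get-ChildItem -Path $folder -Recurse -File -Force |
    Where-Object { -not ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) } |
    Select-Object FullName, Attributes

# Show who can decrypt one file: lists the users added through the
# User Access dialog box and any data recovery agent (DRA) certificates.
cipher.exe /c $file

# Back up the current user's EFS certificate and private key.
# cipher prompts for a password to protect the exported file; store the
# file off the machine, since losing the key makes the files unreadable.
cipher.exe /x $backup
```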

Configuring EFS by Using Group Policy Settings:

Within the Group Policy Management Editor, you can configure EFS settings by right-clicking the Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Encrypting File System node and then choosing Properties to open the Encrypting File System Properties dialog box.

BitLocker:

EFS encrypts folders and files for individual users. You cannot use EFS to encrypt system files. To encrypt entire volumes and protect system files, use BitLocker Drive Encryption.

When you enable BitLocker protection for a volume, BitLocker encrypts every byte on the volume, including system files and the paging file. When you start the computer, BitLocker loads before Windows, acquires a decryption key, verifies the integrity of the system, and then transparently decrypts files on the volume until Windows shuts down. In this way, BitLocker provides protection that can be completely transparent to end users.

In addition to helping protect data, BitLocker also helps reduce the risk of an attacker altering system files. If BitLocker detects that a system file has unexpectedly changed or that the hard disk has been moved to a different computer, BitLocker prevents Windows from starting. This can help protect users from rootkits, a type of malware that runs beneath the operating system and is very difficult to detect or remove.

Individual users can enable BitLocker from Control Panel, but most enterprises should use Active Directory Domain Services (AD DS) to manage keys.

To enable BitLocker from Control Panel, perform these steps:

  1. Add the BitLocker feature. In Server Manager, right-click Features, and then click Add Features. The Add Features Wizard appears.
  2. On the Select Features page, select BitLocker Drive Encryption. Click Next.
  3. On the Confirm Installation Selections page, click Install.
  4. On the Installation Results page, click Close. Click Yes to restart the computer.
  5. After the computer restarts, the Resume Configuration Wizard appears. Click Close.
  6. Perform a full backup of the computer. Even though BitLocker is very stable and corruption is unlikely, there is a possibility that you will be unable to access the protected volume once BitLocker is enabled.
  7. Run a check of the integrity of the BitLocker volume. To check the integrity of a volume, right-click it in Explorer, and then click Properties. On the Tools tab, click Check Now. Select both check boxes, and then click Start.
  8. Open Control Panel, and then click the System And Security link. Under BitLocker Drive Encryption, click the Protect Your Computer By Encrypting Data On Your Disk link.
  9. On the BitLocker Drive Encryption page, click Turn On BitLocker.
  10. When prompted, click Yes to start BitLocker setup.
  11. If the Turn On The TPM Security Hardware page appears, click Next, and then click Restart.
  12. On the Set BitLocker Startup Preferences page, select your authentication method. The choices available to you vary depending on whether the computer has TPM hardware. Additionally, the available choices can be controlled by the Group Policy settings contained within Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption.
  13. If you chose to require a startup key, the Save Your Startup Key page appears. Connect a USB flash drive, select it, and then click Save.
  14. On the Save The Recovery Password page, choose the destination (a USB drive, a local or remote folder, or a printer) to save your recovery password. The recovery password is a small text file containing brief instructions, a drive label and password ID, and the 48-digit recovery password. Save the password and the recovery key on separate devices and store them in different locations. Click Next.
  15. On the Encrypt The Volume page, select the Run BitLocker System Check box, and click Continue. Then, click Restart Now. After Windows restarts, BitLocker verifies that the volume is ready to be encrypted.
  16. BitLocker displays a special screen confirming that the key material was loaded. Now that this has been confirmed, BitLocker begins encrypting the C drive after Windows starts, and BitLocker is enabled.
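
The Control Panel procedure has a PowerShell equivalent that also covers the AD DS key backup recommended above. This is an added example, not part of the original note; it assumes a TPM-equipped, domain-joined server and a Group Policy that permits storing recovery information in AD DS.

```powershell
# Added example: run in an elevated PowerShell session.
# Assumptions: TPM present, computer is domain-joined, system volume is C:.

# Steps 1-5: add the BitLocker feature, then restart if the result asks for it.
$result = Install-WindowsFeature -Name BitLocker -IncludeAllSubFeature -IncludeManagementTools
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'Restart the server, then run the rest of this script.'
    return
}

$mountPoint = 'C:'

# Steps 9-15: turn on BitLocker with the TPM as the startup protector.
# Without -SkipHardwareTest, BitLocker runs its system check and starts
# encrypting only after the next restart (the check in step 15).
Enable-BitLocker -MountPoint $mountPoint -TpmProtector

# Step 14: add the 48-digit recovery password as a second protector.
Add-BitLockerKeyProtector -MountPoint $mountPoint -RecoveryPasswordProtector

# Enterprise key management: store the recovery password in AD DS
# instead of relying on a printed or USB copy.
$recovery = (Get-BitLockerVolume -MountPoint $mountPoint).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
Backup-BitLockerKeyProtector -MountPoint $mountPoint -KeyProtectorId $recovery.KeyProtectorId

# Verify: encryption progress, protection state and the protectors in place.
Get-BitLockerVolume -MountPoint $mountPoint |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
        @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```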

BitLocker encrypts the drive in the background so that you can continue using the computer. After enabling BitLocker, you can choose to turn off BitLocker from the Control Panel tool.

You have two options:

  • Disable BitLocker Drive Encryption
  • Decrypt The Volume

Sharing Folders:

To share and manage folders, Windows Server provides the File Services server role. Install it first by adding the role from Server Manager. On the Select Role Services page, select from the following role services:

  • File Server
  • Distributed File System
  • File Server Resource Manager
  • BranchCache for network files

Quotas:

Configuring Disk Quotas by Using the Quota Management Console:

Configuring Disk Quotas by Using Group Policy:

Folder Sharing:

Sharing Folders from Windows Explorer:

In the dialog box that appears, you can select either Read or Read/Write permissions.

Distributed File System:

DFS provides a single namespace that allows users to connect to any shared folder in your organization. With DFS, all shared folders can be accessible using a single network drive letter in Windows Explorer. For example, if your Active Directory domain is contoso.com, you could create the DFS namespace \\contoso.com\dfs. Then, you could create the folder \\contoso.com\dfs\marketing and map it to shared folders (known as targets) at both \\server1\marketing and \\server2\marketing.

Besides providing a single namespace to make it easier for users to find files, DFS can provide redundancy for shared files by using replication. Replication also allows you to host a shared folder on multiple servers and have client computers automatically connect to the closest available server.

Installing DFS:

  • Open Add Roles and Features Wizard and move on to Server roles.
  • Expand File and Storage Services.
  • Under File and Storage Services, expand File and iSCSI Services and select File Server, DFS Namespaces, DFS Replication, and File Server Resource Manager.

Configuring DFS:

  • Type the name of the server that will host the namespace.
  • Click on Next. Choose a name for your namespace in the following screen. This will be the name of your domain sharing path. For example, forevergeeks.com\files.
  • Click on Edit Settings to edit permissions on the share. By default everyone only has “read” permissions. Click on Next on the following screen. Choose the Namespace Type.
  • Choose the Domain-based namespace and click on Next. Review the settings and then click on Create.
  • Test that your DFS namespace is working by typing the network path in Explorer (e.g. forevergeeks.com\files).

It works, but there is nothing there yet.

Create DFS folders:

  • Type the name of the folder, then click on Add.
  • Type the path of the Shared folder you want to add to the Namespace.
  • Click on OK.

Let’s go to the network path again (e.g. forevergeeks.com\files) and you should see the folder we just added.

Yeah!
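
The three procedures above (installing DFS, creating a domain-based namespace, and adding folders) can be scripted with the DFSN cmdlets. This is an added example, not part of the original note; it reuses the contoso.com namespace and the server1/server2 marketing shares from the earlier description, and assumes server1 hosts the namespace root and that the target shares already exist.

```powershell
# Added example: run in an elevated PowerShell session on the namespace server.
# Assumptions: domain contoso.com, namespace server "server1", and existing
# shares \\server1\marketing and \\server2\marketing.

# Installing DFS: the same role services selected in the wizard.
Install-WindowsFeature -Name FS-FileServer, FS-DFS-Namespace, FS-DFS-Replication,
    FS-Resource-Manager -IncludeManagementTools

# Configuring DFS: the namespace root needs a backing share on the host.
# Everyone gets Read on the share, matching the wizard default; real access
# control is enforced by NTFS permissions on the target folders.
$rootFolder = 'C:\DFSRoots\dfs'
New-Item -ItemType Directory -Path $rootFolder -Force | Out-Null
New-SmbShare -Name 'dfs' -Path $rootFolder -ReadAccess 'Everyone'

# Domain-based namespace with access-based enumeration, so users only see
# the folders they have permission to read.
New-DfsnRoot -Path '\\contoso.com\dfs' -TargetPath '\\server1\dfs' `
    -Type DomainV2 -EnableAccessBasedEnumeration $true

# Create DFS folders: one namespace folder with two targets for redundancy.
New-DfsnFolder       -Path '\\contoso.com\dfs\marketing' -TargetPath '\\server1\marketing'
New-DfsnFolderTarget -Path '\\contoso.com\dfs\marketing' -TargetPath '\\server2\marketing'

# Verify: both targets should be listed and Online, and the path should resolve.
Get-DfsnFolderTarget -Path '\\contoso.com\dfs\marketing' |
    Select-Object Path, TargetPath, State
Test-Path '\\contoso.com\dfs\marketing'

# Review who can reach the namespace root share.
Get-SmbShareAccess -Name 'dfs'
```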

Conclusion

DFS Namespaces is a great feature in Windows Server for organizing your network shares. When using DFS namespaces, it does not matter where the shared folders are located; they are all accessible from a single path. It also makes it easier to move file servers around without breaking the access paths.

Note: this text is a summary of DFS implementation on Windows Server 2016 from "Exam Ref 70-741 Networking with Windows Server 2016", "MCTS Self-Paced Training Kit Exam 70-642", and ittutorials.net.
