Thursday 4 April 2013

Windows Server 2003 Networking - 9 (Configuring the File Server Role)



Configuring the File Server Role
Windows Server 2003 includes a handy wizard that automatically configures the computer as a file server. The following procedure shows you how to use this wizard.
1. Log on as an administrator.
You need administrator rights in order to make the changes called for by this wizard.
2. Choose Start → Administrative Tools → Manage Your Server.
The Manage Your Server screen appears, as shown in Figure 3-1. This screen shows the various roles that you’ve configured for the server. If the File Server role already appears, you can skip the rest of this procedure — you’ve already configured the computer to be a file server.
3. Choose Add Or Remove A Role.
A screen appears, suggesting that you take some preliminary steps, such as connecting network cables and installing modems. Read this list just to make sure that you’ve done it all already.
4. Click Next until you get to the Server Role page.


The Server Role page, shown in Figure 3-2, lists the various roles that can be configured for the server.






Figure 3-2: The Server Role page.
5. Select File Server and then click Next.

The File Server Disk Quotas page appears, as shown in Figure 3-3. This page lets you set up disk quotas to track and limit the amount of disk space used by each user. The default setting is to limit each user to a paltry 5MB of disk space. Microsoft recommends that you set this limit low and then change it for users who need more space.
This page also lets you specify the consequences that will occur if a user exceeds the quota. By default, no consequences are specified, so the quota is just a tracking device. If you want, you can tell Windows to refuse to let the user have more space than the quota specifies, or you can specify that an event should be logged to let you know that a user has exceeded the quota.
6. Specify the disk quota settings that you want to use and then click Next.
The Indexing Service page appears. This page lets you indicate whether you want to activate the Windows Indexing Service for the file server. In most cases, activating this service is a bad idea because it can dramatically slow down the performance of the server. Few users take advantage of the Indexing Service, but if you need it, it’s available here.
7. Check Yes if you want to use the Indexing Service or leave No checked to disable Indexing and then click Next.

Figure 3-3: The File Server Disk Quotas page.

A summary page appears, listing the options that you’ve selected.
8. Click Next.
The computer grinds and whirs for a moment as it configures the file server. In a moment, the Share A Folder Wizard appears. This wizard allows you to set up the initial file shares for the server.
9. Use the Share A Folder Wizard to share one or more folders.
For the complete procedure for using this wizard, see the section “Sharing a folder from the File Server Manager,” later in this chapter.

After you’re finished with the Share A Folder Wizard, the screen shown in Figure 3-4 is displayed.

10. Click Finish.
You’re returned to the Manage Your Server page, which now lists the File Server role as active. That’s it. You have now configured the computer to be a file server.
Managing Your File Server
Windows Server 2003 also includes a handy File Server Manager console, as shown in Figure 3-5. From this console, you can easily create new shares, set up the permissions for a share, delete a share, and so on. To summon the File Server Manager, choose Start → Administrative Tools → Manage Your Server and then choose Manage File Server.


Figure 3-4: Congratulations! You have successfully created a file server.

The following sections describe some of the more common procedures that you’ll use when managing your file server.
Sharing a folder from the File Server Manager
To be useful, a file server should offer one or more shares — folders that have been designated as publicly accessible via the network. You can see a list of the current shares available from a file server by firing up the File Server Manager and clicking Shares in the console tree. The File Server Manager displays the share name, description, and network path for each share that you’ve already created. To create additional shares, use the Share A Folder Wizard, as described in the following procedure.
1. Select Shares from the console tree and then choose Action → New Share.



The Share A Folder Wizard comes to life, as shown in Figure 3-6.

Figure 3-5: The File Server Manager console.
2. Click Next.

The wizard asks you what folder you want to share, as shown in Figure 3-7.
3. Type the path of the folder that you want to share over the network and then click Next.
If you aren’t sure of the path, you can click Browse. This action calls up a dialog box that lets you search the server’s hard drive for a folder to share. You can also create a new folder from this dialog box if the folder that you want to share doesn’t yet exist. After you’ve selected or created the folder to share, click OK to return to the wizard.
Next, the dialog box shown in Figure 3-8 appears.



Figure 3-7: Specifying the folder to share.

4. Type the name that you want to use for the share in the Share Name box and a description of the share in the Description box.
The default name is the name of the folder being shared. If the folder name is long, you can use a more succinct name here. The description is strictly optional but can sometimes help users to determine the intended contents of the folder.
5. Click Next.


The dialog box shown in Figure 3-9 appears.


Figure 3-9: The share was completed successfully.


6. If you want to create another share, check the Run The Wizard Again checkbox, click Finish, and return to Step 3; otherwise, click Finish to dismiss the wizard.
If you click Finish, you’re returned to the File Server Management console. The share or shares that you created will now appear in the list.
Sharing a folder without the wizard
If you think wizards should be confined to Harry Potter movies, you can set up a share without bothering the wizard. Just follow these steps:
1. Open the My Computer window and navigate to the folder that you want to share.
2. Right-click the folder and choose Sharing And Security.
This action brings up the Properties dialog box for the folder, with the Sharing tab already selected, as shown in Figure 3-10.
3. Select the Share This Folder option to designate the folder as shared.
The rest of the controls on this dialog box will be unavailable until you check this box.
4. Type the name that you want to use for the share in the Share Name box and a description of the share in the Description box.
The default name is the name of the folder being shared. If the folder name is long, you can use a more succinct name here. The description is strictly optional but can sometimes help users to determine the intended contents of the folder.
5. Change the user limit if you want.
In most cases, it’s best to leave this set at Maximum Allowed.
6. If you want to specify permissions now, click Permissions.
This brings up a dialog box that lets you create permissions for the share.
7. Click OK.
The folder is now shared.
Granting permissions
When you first create a file share, all users are granted read-only access to the share. If you want to allow users to modify files in the share or allow them to create new files, you need to add additional permissions. Here’s how to do this via the File Server Manager:
1. Click Shares in the console tree.
A list of all the server’s shares appears.
2. Right-click the share you want to set permissions for, choose Properties, and then click the Share Permissions tab.
The dialog box shown in Figure 3-11 appears. This dialog box lists all the users and groups to whom you’ve granted permission for the folder. When you select a user or group from the list, the check boxes at the bottom of the list change to indicate which specific permissions you’ve assigned to each user or group.
3. Click Add.
The dialog box shown in Figure 3-12 appears.
4. Type the name of the user or group to whom you want to grant permission and then click OK.
You’re returned to the Share Permissions tab, with the new user or group added. If you’re not sure of the name, click Advanced. This action brings up the dialog box shown in Figure 3-13. Here, you can click the Find Now button to display a list of all users and groups in the domain. Alternatively, you can enter the first part of the name that you’re looking for before you click Find Now to search more specifically. When you find the user or group that you’re looking for, click OK.
5. Check the appropriate Allow or Deny check boxes to specify which permissions to allow for the user or group.
6. Repeat Steps 3 through 5 for any other permissions that you want to add.
7. When you’re done, click OK.







Figure 3-12: The Select Users, Computers, or Groups dialog box.
Here are a few other thoughts to ponder concerning adding permissions:
If you want to just grant full access to everyone for this folder, don’t bother adding another permission. Instead, click the Everyone group to select it and then check the Allow box for each permission type.
You can remove a permission by selecting the permission and then clicking Remove.
If you’d rather not fuss with the File Server Manager, you can set the permissions from My Computer. Right-click the shared folder and choose Sharing And Security and then click Permissions. You can then follow the preceding procedure, picking up at Step 3.
The permissions assigned in this procedure apply only to the share itself. The underlying folder can also have permissions assigned to it. If that’s the case, the more restrictive of the two always applies. For example, if the Share Permissions grant a user Full Control permission, but the folder permission grants the user only Read permission, the user will be given Read permission for the folder.
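The rule in the last point above, worked through as an added example that is not part of the original text: a simplified Python model in which each permission level is a set of operations, allows accumulate across a user's groups, a matching Deny removes its operations, and the result is whatever both the share and the folder permit. The user and group names are constructed, and every entry is assumed to be set directly on the share or folder (no inheritance).

```python
# Added example (not from the original text): a simplified model of how
# share permissions and folder (NTFS) permissions combine for one user.

# Each permission level is modelled as a set of abstract operations,
# standing in for the real access-mask bits.
SHARE_LEVELS = {
    "Read": {"read"},
    "Change": {"read", "write", "delete"},
    "Full Control": {"read", "write", "delete", "change_permissions"},
}
FOLDER_LEVELS = {
    "Read": {"read"},
    "Modify": {"read", "write", "delete"},
    "Full Control": {"read", "write", "delete", "change_permissions"},
}


def granted(entries, levels, principals):
    """Operations one permission list gives to a user.

    entries:    (principal, "Allow" or "Deny", level) tuples
    principals: the user's name plus every group the user belongs to
    """
    allowed, denied = set(), set()
    for principal, kind, level in entries:
        if principal not in principals:
            continue  # entry is for somebody else
        if kind == "Allow":
            allowed |= levels[level]
        elif kind == "Deny":
            denied |= levels[level]
        else:
            raise ValueError(f"unknown entry type: {kind!r}")
    # Allows accumulate across groups; a Deny always wins.
    return allowed - denied


def effective_access(share_entries, folder_entries, principals):
    """Operations permitted over the network: both lists must allow them."""
    share_ops = granted(share_entries, SHARE_LEVELS, principals)
    folder_ops = granted(folder_entries, FOLDER_LEVELS, principals)
    return share_ops & folder_ops


if __name__ == "__main__":
    # Constructed user: jsmith is a member of Everyone and Accounting.
    jsmith = {"jsmith", "Everyone", "Accounting"}

    # The case from the text: Full Control on the share, Read on the folder.
    share = [("Everyone", "Allow", "Full Control")]
    folder = [("Accounting", "Allow", "Read")]
    print(sorted(effective_access(share, folder, jsmith)))

    # The reverse: default read-only share over a Full Control folder.
    share = [("Everyone", "Allow", "Read")]
    folder = [("Accounting", "Allow", "Full Control")]
    print(sorted(effective_access(share, folder, jsmith)))

    # A Deny for one of the user's groups overrides an Allow for another.
    temp = {"temp01", "Everyone", "Temps"}
    share = [("Everyone", "Allow", "Change"), ("Temps", "Deny", "Change")]
    folder = [("Everyone", "Allow", "Modify")]
    print(sorted(effective_access(share, folder, temp)))
```

Share permissions are evaluated only for access over the network; a user logged on at the server itself is subject to the folder permissions alone.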



Figure 3-13: Looking up users and groups.
Advanced Features for Managing File Servers
After you’ve configured the server’s File Server role, created shares, and granted permissions, you can usually let a file server run along pretty much unattended except for the occasional need to check the amount of free disk space remaining on the server, and regularly backing up the server. However, you may need to use a few other options and features in some circumstances.
Configuring offline settings
The offline files feature allows a user to maintain a copy of shared files on his or her computer so that the user can access the files when not connected to the network. This feature is most useful for notebook computer users who want to take their computers home with them or to travel with them. Windows saves a local copy of the user’s network files on the client computer and automatically synchronizes the copies. To control the offline settings for a share, right-click the share and choose Properties. Then, click the Offline Settings button. This brings up the dialog box shown in Figure 3-14. Here, you can choose one of three options for saving local copies of files in the share:
Only the files and programs that users specify will be available offline: This option puts the responsibility for specifying which files should be saved for offline use on the user. This is the option to use if only a portion of the files in the shared folder need to be available for offline use.
All files and programs that users open from the share will be automatically saved offline: This option automates offline storage by automatically saving a local copy of any file that the user retrieves from the share. You should use this option only for folders whose entire contents should be available to offline users.
Files or programs from the share will not be available offline: Use this option to disable offline storage for the shared folder.

Figure 3-14: Configuring offline settings.
Setting up shadow copies
Shadow copies is a new feature for Windows Server 2003 that makes backups of a shared resource easy to get to on a scheduled basis. The user can access the shadow copies to retrieve files that were accidentally deleted or modified. When you enable shadow copies, you can set up a schedule to dictate how often the shadow copy should be made and the amount of storage to allocate to shadow copies. To enable shadow copies, select the share and choose Configure Shadow Copies. The dialog box shown in Figure 3-15 appears. Click Enable to activate shadowing using the default schedule, which creates two shadow copies every day: one at 7 a.m. and the other at noon. To change this schedule, click Settings and set up the schedule however you want. The following paragraphs describe some additional things that you need to know about using shadow copies:
Shadow copies can retain up to 64 versions of the shadowed data. When this limit is reached, the oldest copy is deleted.
The shadow copy feature doesn’t copy all the files in the shared folder — only those that have changed since the last shadow copy was created.

Figure 3-15: Enabling shadow copies.
To access shadow copies, each user must install special client software on his or her computer. This software is automatically installed in the %systemroot%\System32\clients\twclient folder on the server. You should copy the contents of this folder to a shared folder. Then, you can install the software on client computers by opening the shared folder and running twclient.msi.
Shadow copies are not a substitute for regular backups!
Dealing with users
In the File Server Manager, you can click the Sessions folder in the console tree to display a list of all the users who are currently accessing the file server, as shown in Figure 3-16. This information may be useful if you’re considering shutting down the server, or if you’re just nosey and want to know who’s using the server.
The following are some of the more interesting things you can do to your file server’s users:
You can force a user off your file server by right-clicking the user and choosing Disconnect.
You can blow everyone off the server by clicking the Disconnect All Sessions link. This action is something you should do only in drastic circumstances.


Figure 3-16: Finding out who’s on first.
You can send a message to a user by clicking the Send Console Message link.
If you’re really nosy, you can click the Open Files folder in the console tree to find out what files each user has open. If you want to gain an appreciation for how hard your file server works, do this sometime on a busy day.

Windows Server 2003 Networking - 8



Creating a New User

To create a new domain user account in Windows Server 2003, follow these steps:
1. Choose Start → Administrative Tools → Active Directory Users And Computers.

This fires up the Active Directory Users And Computers management console, as shown in Figure 2-1.





2. Right-click the domain that you want to add the user to and then choose New → User.

This summons the New User Wizard, as shown in Figure 2-2.


3. Type the user’s first name, middle initial, and last name.
As you type the name, the New User Wizard automatically fills in the Full Name field.

4. Change the Full Name field if you want it to appear differently than proposed.
For example, you may want to reverse the first and last names so the last name appears first.

5. Type the user logon name.
This name must be unique within the domain. Pick a naming scheme to follow when creating user logon names. For example, use the first letter of the first name followed by the complete last name, the complete first name followed by the first letter of the last name, or any other scheme that suits your fancy.

6. Click Next.
The second page of the New User Wizard appears, as shown in Figure 2-3.



Figure 2-3: Setting the user’s password.

7. Type the password twice.
You’re asked to type the password twice, so type it correctly. If you don’t type it identically in both boxes, you’re asked to correct your mistake.

8. Specify the password options that you want to apply.
The following password options are available:
User must change password at next logon.
User cannot change password.
Password never expires.
Account is disabled.

9. Click Next.


You’re taken to the final page of the New User Wizard, as shown in Figure 2-4.

10. Verify that the information is correct and then click Finish to create the account.
If the account information is not correct, click the Back button and correct the error. You’re done! Now you can customize the user’s account settings. At a minimum, you’ll probably want to add the user to one or more groups. You may also want to add contact information for the user or set up other account options.



Setting User Properties

After you’ve created a user account, you can set additional properties for the user by right-clicking the new user and choosing Properties. This brings up the User Properties dialog box, which has about a million tabs that you can use to set various properties for the user. Figure 2-5 shows the General tab, which lists basic information about the user, such as the user’s name, office location, phone number, and so on. The following sections describe some of the administrative tasks that you can perform via the various tabs of the User Properties dialog box.



Changing the user’s contact information

Several tabs of the User Properties dialog box contain contact information for the user. In particular:
Address: Lets you change the user’s street address, post-office box, city, state, ZIP code, and so on.
Telephones: Lets you specify the user’s phone numbers.
Organization: Lets you record the user’s job title and the name of his or her boss.



Figure 2-5: The General tab.


Setting account options

The Account tab of the User Properties dialog box, as shown in Figure 2-6, features a variety of interesting options that you can set for the user. From this dialog box, you can change the user’s logon name. In addition, you can change the password options that you set when you created the account and set an expiration date for the account.
The following account options are available in the Account Options listbox:
User must change password at next logon: This option, which is selected by default, allows you to create a one-time-only password that can get the user started with the network. The first time the user logs on to the network, he or she is asked to change the password.
User cannot change password: Use this option if you don’t want to allow users to change their passwords. (Obviously, you can’t use this option and the previous one at the same time.)
Password never expires: Use this option if you want to bypass the password expiration policy for this user so that the user will never have to change his or her password.
Store password using reversible encryption: This option stores passwords using an encryption scheme that hackers can easily break, so you should avoid it like the plague.





Figure 2-6: The Account tab.

Account is disabled: This option allows you to create an account that you don’t yet need. As long as the account remains disabled, the user won’t be able to log on. See the section “Disabling and Enabling User Accounts,” later in this chapter, to find out how to enable a disabled account.
Smart card is required for interactive logon: If the user’s computer has a smart card reader to automatically read security cards, check this option to require the user to use it.
Account is trusted for delegation: This option indicates that the account is trustworthy and can set up delegations. This is an advanced feature that’s usually reserved for Administrator accounts.
Account is sensitive and cannot be delegated: Prevents other users from impersonating this account.
Use DES encryption types for this account: Beefs up the encryption for applications that require extra security.
Do not require Kerberos preauthentication: Select this option if you use a different implementation of the Kerberos protocol.
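Most of the check boxes in the Account Options list are stored as bits of the account's userAccountControl attribute in Active Directory. The following added example, which is not from the original text, decodes that attribute from a CSV export and lists the accounts whose options deserve a second look during an account review; the account names, values and CSV layout are constructed for illustration.

```python
# Added example (not from the original text): decode userAccountControl
# values back into the Account Options check boxes and flag some for review.
import csv
import io

# Bits of userAccountControl that correspond to check boxes in the list.
# "User must change password at next logon" is stored as pwdLastSet = 0, and
# "User cannot change password" is enforced through permissions on the
# account object, so neither has a bit here.
OPTIONS = {
    0x000002: "Account is disabled",
    0x000080: "Store password using reversible encryption",
    0x010000: "Password never expires",
    0x040000: "Smart card is required for interactive logon",
    0x080000: "Account is trusted for delegation",
    0x100000: "Account is sensitive and cannot be delegated",
    0x200000: "Use DES encryption types for this account",
    0x400000: "Do not require Kerberos preauthentication",
}

# Options that change a default and should have a documented reason.
REVIEW = {
    0x000080: "password stored with reversible encryption",
    0x010000: "exempt from the password expiration policy",
    0x080000: "trusted for delegation; confirm the account needs it",
    0x200000: "non-default Kerberos encryption setting; confirm an application needs it",
    0x400000: "Kerberos preauthentication not required; confirm a client needs it",
}


def decode(uac):
    """Return the Account Options set in a userAccountControl value."""
    return [name for bit, name in sorted(OPTIONS.items()) if uac & bit]


def account_options(uac, pwd_last_set):
    """Like decode(), plus the option that lives in pwdLastSet."""
    names = decode(uac)
    if pwd_last_set == 0:
        names.append("User must change password at next logon")
    return names


def audit(export_text):
    """Map each account in the export to the review reasons that apply."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text.strip())):
        uac = int(row["userAccountControl"], 0)  # decimal or 0x-prefixed hex
        reasons = [why for bit, why in sorted(REVIEW.items()) if uac & bit]
        if reasons:
            findings[row["sAMAccountName"]] = reasons
    return findings


# Constructed sample export: 512 (0x200) marks an ordinary user account.
SAMPLE = """
sAMAccountName,userAccountControl,pwdLastSet
jsmith,512,130095936000000000
svc_backup,66048,129000000000000000
legacyapp,4194944,129500000000000000
temp01,514,0
"""

if __name__ == "__main__":
    for account, reasons in audit(SAMPLE).items():
        print(account, "->", "; ".join(reasons))
    print(account_options(514, 0))
```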

Specifying logon hours

You can restrict the hours during which the user is allowed to log on to the system by clicking the Logon Hours button from the Account tab of the User Properties dialog box.


This brings up the dialog box shown in Figure 2-7. Initially, the Logon Hours dialog box is set to allow the user to log on at any time of day or night. To change the hours that you want the user to have access, click a day and time or a range of days and times and choose either Logon Permitted or Logon Denied.

Restricting access to certain computers

Normally, a user can use his or her user account to log on to any computer that’s a part of the user’s domain. However, you can restrict a user to certain computers by clicking the Logon To button in the Account tab of the User Properties dialog box.



This brings up the Logon Workstations dialog box, as shown in Figure 2-8.
To restrict the user to certain computers, select the radio button labeled “The following computers.” Then, for each computer you want to allow the user to log on from, type the computer’s name in the text box and click Add. If you make a mistake, you can select the incorrect computer name and click Edit to change the name or click Remove to delete the name.


Setting the user’s profile information

The Profile tab, shown in Figure 2-9, lets you configure the user’s profile information. This dialog box lets you configure three bits of information related to the user’s profile:
Profile path: This field specifies the location of the user’s roaming profile.
Logon script: The name of the user’s logon script. Logon scripts are a carryover from the early versions of Windows NT server, which relied on logon scripts to configure the user’s computer when the user logged on. You can still use logon scripts, but profiles are the preferred way to specify the user’s logon configuration.
Home folder: This is where you specify the default storage location for the user.

The Profile tab lets you specify the location of an existing profile for the user, but it doesn’t actually let you set up the profile.


Figure 2-9


Resetting User Passwords

By some estimates, the single most time-consuming task of most network administrators is resetting user passwords. It’s easy to just think users are forgetful idiots, but put yourself in their shoes. We insist that they set their password to something incomprehensible, such as 94kD82leL384K, that they change it a week later to something more unmemorable, such as dJUQ63DWd8331, and that they don’t write it down. Then we get mad when they forget their passwords.
So when a user calls and says he or she forgot his or her password, the least we can do is be cheerful when we reset it for them. After all, they’ve probably already spent 15 minutes trying to remember it before they finally gave up and admitted failure.
Here’s the procedure to reset the password for a domain user account:
1. Log on as an administrator.
You have to have administrator privileges in order to perform this procedure.
2. Choose Start → Administrative Tools → Active Directory Users And Computers.
The Active Directory Users And Computers management console appears.
3. Click Users in the console tree.
4. In the Details pane, right-click the user who forgot his or her password and choose Reset Password.
5. Type the new password in both password boxes.
You have to type the password twice to ensure that you type it correctly.
6. If desired, check the User Must Change Password At Next Logon option.
If you check this option, the password that you assign will work for only one logon. As soon as the user logs on, he or she will be required to change the password.
7. Click OK.
That’s all there is to it! The user’s password is now reset.

Disabling and Enabling User Accounts

If you want to temporarily prevent a user from accessing the network, you can disable his or her account. Then, you can enable the account later, when you’re ready to restore the user to full access.
Here’s the procedure:
1. Log on as an administrator.
You have to have administrator privileges to perform this procedure.
2. Choose Start → Administrative Tools → Active Directory Users And Computers.
The Active Directory Users And Computers management console appears.
3. Click Users in the console tree.
4. In the Details pane, right-click the user that you want to enable or disable. Then, choose either Enable Account or Disable Account to enable or disable the user.

Deleting a User

Deleting a user account is surprisingly easy. Just follow these steps:
1. Log on as an administrator.
You have to have administrator privileges in order to perform this procedure.
2. Choose Start → Administrative Tools → Active Directory Users And Computers.
The Active Directory Users And Computers management console appears.
3. Click Users in the console tree.
4. In the details pane, right-click the user that you want to delete and choose Delete.
Windows will ask whether you really want to delete the user, just in case you’re kidding.
5. Click Yes.
Poof! The user is history.