Microsoft 70-412: Objective 2.1 – Configure Advanced File Services

Hey everyone! I’m just getting over a few days of being pretty sick, so I apologize for the delay in getting the next post of the series out to you. The content in this post was pretty deep, so it was a good post to get back in the swing of things!

Table Of Contents

1) Configure Network File System (NFS) data store
2) Configure BranchCache
3) Configure File Classification Infrastructure (FCI) using File Server Resource Manager (FSRM)
4) Configure file access auditing

1) Configure Network File System (NFS) data store

Windows networks natively use the Server Message Block (SMB) protocol to support file and folder sharing, but UNIX and Linux use another protocol called Network File System (NFS) for the same purpose. To support UNIX and Linux clients on file shares, you can install the Server for NFS component (role service) of the File And iSCSI Services role.

The following improvements are available for NFS in Windows Server 2012:

  • Support for NFS version 4.1. This protocol version includes the following enhancements.
    Navigating firewalls is easier which improves accessibility.
    Supports the RPCSEC_GSS protocol which provides stronger security, and the ability for clients and servers to negotiate security.
    Supports UNIX and Windows file semantics.
    Takes advantage of clustered file server deployments.
    Supports WAN friendly compound procedures.
  • NFS module for Windows PowerShell. The availability of built-in NFS cmdlets makes it easier to automate various operations. The cmdlet names are consistent with other Windows PowerShell cmdlets (using verbs such as ‘Get’ and ‘Set’) which makes it easier for users familiar with Windows PowerShell to learn to use new cmdlets.
  • NFS management improvements. A new centralized UI-based management console simplifies configuration and management of SMB and NFS shares, quotas, file screens and classification, in addition to managing clustered file servers.
  • Identity Mapping improvements. New UI support and task-based Windows PowerShell cmdlets for configuring identity mapping, which allows administrators to quickly configure an identity mapping source, and then create individual mapped identities for users. Improvements make it easy for administrators to set up a share for multi-protocol access over both NFS and SMB.
  • Cluster resource model restructure. This improvement brings consistency between the cluster resource model for the Windows NFS and SMB protocol servers and simplifies administration. For NFS servers that have many shares, the resource network and the number of WMI calls required to fail over a volume containing a large number of NFS shares are reduced.
  • Integration with Resume Key Manager. The Resume Key Manager is a component that tracks file server and file system state and enables the Windows SMB and NFS protocol servers to fail over without disrupting clients or server applications that store their data on the file server. This improvement is a key component of the continuous availability capability of the file server running Windows Server 2012.

Installing NFS with Powershell:
Install-WindowsFeature FS-NFS-Services -IncludeManagementTools

Installing NFS from Server Manager:

  1. Select the checkbox for “File and Storage Services” if it isn’t already enabled. Expand “File and iSCSI Services” and check the box next to Server for NFS:
    [Screenshot: Microsoft 70-412 Certification Exam Blueprint Walkthrough - NFS]
  2. Click Next, and Next again on the Features screen. Confirm on this screen:
    [Screenshot: Microsoft 70-412 Certification Exam Blueprint Walkthrough - NFS]
  3. Wait for it to complete the installation:
    [Screenshot: Microsoft 70-412 Certification Exam Blueprint Walkthrough - NFS]
  4. In practice tests NFS isn’t covered very heavily, so I’m of the opinion that you’ll do fine if you know what NFS is, when it would be used, and the PowerShell installation string. You can create an NFS file share by right-clicking the folder you’d like to share and clicking the ‘NFS Sharing’ tab at the top:
    [Screenshot: Microsoft 70-412 Certification Exam Blueprint Walkthrough - NFS]

  5. On the NFS Advanced Sharing dialog, check the box to “Share this folder”.
    [Screenshot: Microsoft 70-412 Certification Exam Blueprint Walkthrough - NFS]

    Share Name: Defaults to the folder name; clients mount it as server:/sharename.
    Network Name: The name of the server (for a clustered file server, the cluster network name the clients should use).
    Encoding: Select the type of encoding to be used for file and directory names in the shared directory. In addition to the default American National Standards Institute (ANSI) encoding, the following encodings are available:
    BIG5 (Chinese)
    EUC-JP (Japanese)
    EUC-KR (Korean)
    EUC-TW (Chinese)
    GB2312-80 (Simplified Chinese)
    KSC5601 (Korean)
    SHIFT-JIS (Japanese)
    The remaining checkboxes choose which authentication the server accepts: Kerberos v5 authentication (Krb5), Kerberos v5 integrity (Krb5i), Kerberos v5 privacy (Krb5p), and No server authentication (AUTH_SYS), which has the sub-options “Enable unmapped user access” and “Allow anonymous access”. AUTH_SYS trusts whatever UID and GID the client asserts, so anyone who is root on a client can claim any identity; enable it only for hosts you control and prefer Krb5p, which also encrypts the NFS traffic. Unmapped user access lets a UID that has no corresponding Windows account in, so leave it off unless identity mapping is deliberately not in use.

  6. The Permissions button at the bottom sets up access per client host or client group: No access, Read-only or Read-write, plus whether root on that client keeps root access. Root access is off by default (root squashing), so root on the client is mapped to an anonymous user.
    [Screenshot: Microsoft 70-412 Certification Exam Blueprint Walkthrough - NFS]
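The same share built from PowerShell, as an added example that is not part of the original post. It assumes the folder D:\Exports\unixhome already exists, the server is joined to a domain called corp.example whose user objects carry uidNumber/gidNumber, and a client host named lnx01.corp.example resolves; all three names are placeholders. It deliberately refuses AUTH_SYS and grants access to one host only, leaving “All Machines” with no access.

```powershell
# Added example, not code from the original post. Requires the NFS cmdlets that
# Install-WindowsFeature FS-NFS-Service -IncludeManagementTools provides.
# Placeholder names: D:\Exports\unixhome, corp.example, lnx01.corp.example.

$share = 'unixhome'
$path  = 'D:\Exports\unixhome'

# Map incoming UIDs/GIDs to AD accounts via the uidNumber/gidNumber
# attributes rather than a passwd/group file copied from a UNIX box.
Set-NfsMappingStore -EnableADLookup $true -ADDomainName 'corp.example'

# Create the export. 'sys' (AUTH_SYS) is left out of -Authentication on
# purpose: it trusts the UID/GID the client sends, so root on any client could
# read any user's files. krb5p authenticates, integrity-protects and encrypts.
# -Permission sets the default for the built-in "All Machines" entry.
New-NfsShare -Name $share -Path $path `
    -Authentication krb5p `
    -EnableAnonymousAccess $false `
    -EnableUnmappedAccess $false `
    -Permission no-access

# One host gets read/write; root squashing stays on (AllowRootAccess $false),
# so root on lnx01 is mapped to the anonymous identity, not to Administrator.
Grant-NfsSharePermission -Name $share `
    -ClientName 'lnx01.corp.example' -ClientType host `
    -Permission readwrite -AllowRootAccess $false

# Verify: "All Machines" should read no-access, lnx01 readwrite, and the
# share's Authentication list should contain krb5p only.
Get-NfsSharePermission -Name $share |
    Format-Table ClientName, ClientType, Permission, AllowRootAccess -AutoSize
Get-NfsShare -Name $share | Format-List
```

A client that mounts with sec=sys after this will be refused rather than silently admitted, which is the behaviour you want when the share holds home directories.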

 

Back to Table of Contents

2) Configure BranchCache

BranchCache is a feature, first shipped with Windows Server 2008 R2 and Windows 7 and carried forward into Windows Server 2012 and Windows Server 2012 R2, that caches content at branch offices to reduce traffic across WAN links. It can cache data served over HTTP (web servers), SMB (file servers) and BITS (applications such as WSUS or SCCM). Every deployment needs a BranchCache-enabled content server at the main office; hosted cache mode additionally needs one or more hosted cache servers at each branch, while distributed cache mode uses the branch clients themselves as the cache.

To optimize WAN bandwidth when users access content on remote servers, BranchCache copies content from your main office or hosted cloud content servers and caches the content at branch office locations, allowing client computers at branch offices to access the content locally rather than over the WAN. In practice, when a branch client requests a file from a main-office file server, the content server first applies its normal share and NTFS permissions and then returns only content information (a list of block hashes). The client asks the branch cache for blocks with those hashes; on a miss it fetches the data over the WAN and adds it to the cache, so the next client that asks for the same file is served locally as long as the file hasn’t been modified (a modified file produces different hashes, so stale blocks are never returned). Cached blocks are encrypted with keys derived from the content information, so a client that was not authorized by the content server to obtain that information cannot read them out of the branch cache; the cache does not become a way around the server’s permissions.

BranchCache Modes
There are two modes for BranchCache:

  • Hosted Cache Mode: A dedicated server (Windows Server 2008 R2 or later) in the branch office holds the cache; clients locate it through Group Policy or an Active Directory service connection point.
  • Distributed Cache Mode: No dedicated server. Instead, BranchCache clients (Windows 7 Enterprise or Ultimate, Windows 8 Enterprise, Windows 8.1 Enterprise) keep the cache themselves and serve it to peers on the same subnet, which they find by multicast (WS-Discovery).

In practice, I’ve never seen a Distributed Cache architecture deployed in large enterprises due to concern about broadcast and other traffic for a large number of network nodes.

Deploying BranchCache in Hosted Cache Mode: 

Content Server(s). First things first- you need at least one content server in the primary location. Interestingly, you need to install one component for Web or BITS content and a separate one for File Services.

Web/BITS:

  • Installing BranchCache with PowerShell:
    Install-WindowsFeature BranchCache -IncludeManagementTools
  • Installing BranchCache with Server Manager:
    Open Server Manager, start the Add Roles and Features wizard, and on the Features page select BranchCache.
    [Screenshot: Microsoft 70-412 Certification Exam Blueprint Walkthrough - BranchCache]

File Services:

  • Installing BranchCache for File Services with PowerShell:
    Install-WindowsFeature FS-BranchCache -IncludeManagementTools
  • Installing BranchCache for File Services with Server Manager:
    Open Server Manager, start the Add Roles and Features wizard, and under File and Storage Services -> File and iSCSI Services select the BranchCache for Network Files role service.
    [Screenshot: Microsoft 70-412 Certification Exam Blueprint Walkthrough - BranchCache]

Additional step: if you are caching files, you must also enable hash publication on the file server, in either Local Security Policy or Group Policy (Computer Configuration -> Policies -> Administrative Templates -> Network -> Lanman Server -> Hash Publication for BranchCache). The setting can publish hashes for all shares or only for shares tagged with BranchCache support; in the latter case also enable BranchCache in each share’s Offline Settings (or run Set-SmbShare -Name <share> -CachingMode BranchCache). Without hash publication the server still serves files normally, but clients never receive content information and nothing is cached.
[Screenshot: Microsoft 70-412 Certification Exam Blueprint Walkthrough - BranchCache]
Hosted Cache Server:
Install the BranchCache feature on a domain-joined server in the branch office (Install-WindowsFeature BranchCache -IncludeManagementTools). Once installed, enable hosted cache mode by running the command below. The -RegisterSCP switch publishes a service connection point in Active Directory so that clients with automatic discovery enabled find the server without a hard-coded name:
Enable-BCHostedServer -RegisterSCP

Preload content on the hosted cache server if desired. On the content server, run the following PowerShell cmdlets for each item you would like to preload:

  1. Publish-BCFileContent (for file content) or Publish-BCWebContent (for web content), with -StageData so the data is staged for export. This generates the hashes and stages the data.
  2. Export-BCCachePackage -Destination <folder>. This produces a package of the staged data that can be imported by hosted cache servers.
  3. Transfer the package to the remote site, then import it on the hosted cache server by running Import-BCCachePackage -Path <package file>.

Point branch clients at the hosted cache server (Group Policy):
Under Computer Configuration -> Policies -> Administrative Templates -> Network -> BranchCache, either enable “Enable Automatic Hosted Cache Discovery by Service Connection Point” or list the servers explicitly in the “Configure Hosted Cache Servers” setting (the PowerShell equivalent on a client is Enable-BCHostedClient):
[Screenshot: Microsoft 70-412 Certification Exam Blueprint Walkthrough - BranchCache]

Distributed Cache Mode:
You can configure the clients used for Distributed Cache mode using either Group Policy or Powershell.

Group Policy:

Open Group Policy Management Editor and create a new policy linked to the OU that holds the branch computers.
Setting location: Computer Configuration -> Policies -> Administrative Templates -> Network -> BranchCache
[Screenshot: Microsoft 70-412 Certification Exam Blueprint Walkthrough - BranchCache]

Enable BranchCache with the “Turn on BranchCache” setting:
[Screenshot: Microsoft 70-412 Certification Exam Blueprint Walkthrough - BranchCache]
And enable distributed cache mode with the “Set BranchCache Distributed Cache mode” setting:

[Screenshot: Microsoft 70-412 Certification Exam Blueprint Walkthrough - BranchCache]

To do this in PowerShell, run the Enable-BCDistributed cmdlet on each client capable of BranchCache distributed mode; Get-BCStatus then shows the configured mode and whether the service is running. Keep in mind that distributed mode only shares a cache between clients on the same subnet, and that a peer can only decrypt blocks for which it has itself obtained the content information from the content server, so peers cannot use each other’s cache to bypass the server’s permissions.
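The hosted cache deployment above and the distributed-mode alternative, as one added end-to-end script that is not part of the original post. Each section is meant to be run on the host named in its comment. The host names fs01 (content server at the main office), bc01.branch.corp.example (hosted cache server), the share name Projects at D:\Shares\Projects and the staging folder D:\Staging are all assumptions; the package file name is whatever Export-BCCachePackage writes, so adjust it.

```powershell
# Added example, not code from the original post. Placeholder names: fs01,
# bc01.branch.corp.example, share 'Projects' at D:\Shares\Projects, D:\Staging.

### --- fs01: file (content) server, main office ---
Install-WindowsFeature FS-BranchCache -IncludeManagementTools
# Hash publication itself is a Group Policy setting (Network > Lanman Server >
# "Hash Publication for BranchCache"). With it set to "shares tagged with
# BranchCache support", tag the share so hashes are published for it:
Set-SmbShare -Name 'Projects' -CachingMode BranchCache -Force

# Pre-compute hashes and stage the data so the branch can be seeded instead of
# pulling every file over the WAN on first access.
Publish-BCFileContent -Path 'D:\Shares\Projects' -Recurse -StageData
Export-BCCachePackage -Destination 'D:\Staging'   # writes the package into D:\Staging

### --- bc01: hosted cache server, branch office (must be domain-joined) ---
Install-WindowsFeature BranchCache -IncludeManagementTools
Enable-BCHostedServer -RegisterSCP       # publish the SCP so clients auto-discover it
Set-BCCache -Percentage 20               # let the cache use up to 20% of the volume
# Copy the package from fs01 first; the file name is the one Export-BCCachePackage
# produced (assumed here to be PeerDistPackage.zip, adjust if it differs).
Import-BCCachePackage -Path 'D:\Staging\PeerDistPackage.zip'
Get-BCDataCache | Format-List            # current cache size shows the preload landed
Get-BCHostedCacheServerConfiguration     # confirms hosted server mode is on

### --- branch client, hosted cache mode ---
Enable-BCHostedClient -UseServiceConnectionPoint   # or -ServerNames 'bc01.branch.corp.example'
# Lab only: BranchCache ignores servers closer than 80 ms round trip by default,
# so on a flat test network nothing would ever be cached without this.
Set-BCMinSMBLatency -LatencyMilliseconds 0

### --- branch client, distributed cache mode (no bc01 at the branch) ---
Enable-BCDistributed

### --- any of the above: verify ---
Get-BCStatus | Format-List               # service state, mode, cache sizes
Get-BCClientConfiguration               # which mode the client is in
```

Run a file copy from \\fs01\Projects on one branch client, then check Get-BCDataCache on bc01 (hosted) or on a second client (distributed): the cache size should grow, and the second client’s copy of the same file should complete with little or no WAN traffic.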

References:
http://technet.microsoft.com/en-us/network/dd425028.aspx “BranchCache”  

 

 
Back to Table of Contents

3) Configure File Classification Infrastructure (FCI) using File Server Resource Manager (FSRM)

Previous Microsoft exams have probed the File Screens, Auditing and Quota capabilities of FSRM. If you’ve gotten to the 70-412, you probably have a decent handle on these topics.

The blueprint specifically calls out configurations to the File Classification Infrastructure as appearing on the test, so that’s what we’ll dive into!

FCI allows organizations to automatically assign properties to files and then perform actions based on those properties. A compliance-related example: you could set a classification rule that looks for strings of digits in the form of a Social Security or credit card number and, if a file contains a match, assigns a PII (Personally Identifiable Information) or CC (Credit Card) classification.
Once that property is set, a later file management task can search for all files classified PII or CC and apply an AD RMS policy that restricts printing, copying or access to those files.

Pretty powerful stuff if configured properly. The basic flow is:

  1. Identify a kind of data that should be classified (for example, files containing Social Security numbers)
  2. Classify that data using an automated rule
  3. Perform an action based on the classification

Installing File Classification Infrastructure:

  1. Installing FCI with Server Manager:
    FCI is part of the File Server Resource Manager role service, under File and Storage Services -> File and iSCSI Services:
    [Screenshot: Microsoft 70-412 Certification Exam Blueprint Walkthrough - FCI]
  2. Installing FCI with PowerShell:
    Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools

Using File Classification Infrastructure:

Classification properties can either be managed per server, or managed centrally in Active Directory (as resource properties) using the Active Directory Administrative Center under Dynamic Access Control, itself a new feature in Server 2012. Centrally defined properties are downloaded by the file servers and show up in FSRM as global properties alongside the local ones.
Per Server:

  1. Open the File Server Resource Manager tool (in Administrative Tools).
  2. Expand Classification Management and click Classification Properties:
    [Screenshot: Microsoft 70-412 Certification Exam Blueprint Walkthrough - FCI]
  3. Right-click in the center pane and select “Create Local Classification Property”:
    [Screenshot: Microsoft 70-412 Certification Exam Blueprint Walkthrough - FCI]
  4. In this window, name the property and provide a brief description. Let’s use Social Security number as our example (mostly because it’s an easily recognized pattern of NNN-NN-NNNN). Select the Yes/No property type. Your window should now look somewhat similar to this:
    [Screenshot: Microsoft 70-412 Certification Exam Blueprint Walkthrough - FCI]
  5. Click OK to save the property.
  6. Create a classification rule that assigns the property whenever a matching file is found: click Classification Rules, then “Create Classification Rule” in the Actions pane:
    [Screenshot: Microsoft 70-412 Certification Exam Blueprint Walkthrough - FCI]
  7. Give the rule a name and a description. Note the Enabled checkbox, which is checked by default.
    [Screenshot: Microsoft 70-412 Certification Exam Blueprint Walkthrough - FCI]
  8. Click the “Scope” tab. For this example, select Backup and Archive Files, Group Files and User Files, as I wouldn’t expect Application Files to contain social security numbers. You can select that one too to be safe, but this rule is already fairly intensive. Also select the directories/volumes to be scanned. The folder usage types only match folders that have been tagged with that usage (Set Folder Management Properties in the FSRM Actions pane), so an explicit path is the safer choice if you are not sure your folders are tagged.
    [Screenshot: Microsoft 70-412 Certification Exam Blueprint Walkthrough - FCI]
  9. Click the “Classification” tab next. Set the ‘Classification method’ drop-down to ‘Content Classifier’ (this is the default) and assign our “Contains a Social Security number” property with a value of Yes:
    [Screenshot: Microsoft 70-412 Certification Exam Blueprint Walkthrough - FCI]
  10. Click the “Configure” button to set a classification parameter. According to TechNet, the regular expression for a Social Security number is: ^(?!000)([0-7]\d{2}|7([0-7]\d|7[012]))([ -]?)(?!00)\d\d\3(?!0000)\d{4}$
    Two things to check before relying on it. The ^ and $ anchors match only when the entire text of the file is a single SSN; to find SSNs embedded in documents, replace them with \b word boundaries. And the content classifier only sees text it can extract (plain text natively, Office and other formats through their IFilters), so files in formats with no filter are never flagged, which is a silent false negative rather than a safe default.
    [Screenshot: Microsoft 70-412 Certification Exam Blueprint Walkthrough - FCI]
  11. On the Evaluation Type tab, check ‘Re-evaluate existing property values’, choose ‘Overwrite the existing value’ and check ‘Clear automatically classified property’:
    [Screenshot: Microsoft 70-412 Certification Exam Blueprint Walkthrough - FCI]
  12. From here you can either run the rule once or create a schedule; both options are available under the ‘Actions’ menu (Run Classification With All Rules Now, and Configure Classification Schedule):
    [Screenshot: Microsoft 70-412 Certification Exam Blueprint Walkthrough - FCI]
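The per-server steps above, and the follow-on file management task described at the start of this section, done with the FSRM cmdlets. This is an added example and not code from the original post. It assumes FS-Resource-Manager is installed, that the folder to scan is D:\Shares\Users, and that an AD RMS rights policy template named “Confidential - PII” already exists; the folder, the template name and the rule names are placeholders. The regular expression is the TechNet one from step 10 with the ^ and $ anchors swapped for \b so that an SSN inside a larger document is matched.

```powershell
# Added example, not code from the original post. Placeholders: D:\Shares\Users,
# RMS template 'Confidential - PII', rule/job names.

$prop  = 'Contains a Social Security number'
$scope = @('D:\Shares\Users')

# Steps 3-5: a local Yes/No classification property.
New-FsrmClassificationPropertyDefinition -Name $prop -Type YesNo `
    -Description 'Yes when the file content matches the SSN pattern'

# Steps 6-11: a content-classifier rule that sets it. The lookaheads reject the
# invalid all-zero groups, \3 requires the same separator in both positions
# (123-45-6789 matches, 123-45 6789 does not), and \b lets the pattern match
# inside a document rather than only a file that consists of one SSN.
$ssnRegex = '\b(?!000)([0-7]\d{2}|7([0-7]\d|7[012]))([ -]?)(?!00)\d\d\3(?!0000)\d{4}\b'
New-FsrmClassificationRule -Name 'Tag files containing SSNs' `
    -Description 'Content classifier, SSN pattern' `
    -Property $prop -PropertyValue 'Yes' `
    -Namespace $scope `
    -ClassificationMechanism 'Content Classifier' `
    -ContentRegularExpression @($ssnRegex) `
    -ReevaluateProperty Overwrite    # same as "Overwrite the existing value"

# Step 12: a weekly schedule for the classification engine, plus one run now.
$weekly = New-FsrmScheduledTask -Time (Get-Date '02:00') -Weekly @('Sunday')
Set-FsrmClassification -Schedule $weekly
Start-FsrmClassification
Get-FsrmClassification | Format-List     # Status / LastError of the run

# Follow-on action from the section intro: a file management job that applies
# an RMS template to every file classified Yes, so it cannot be printed, copied
# or opened by users the template does not grant. RMS protection only applies
# to file types AD RMS can protect natively; others are left untouched.
$isPii = New-FsrmFmjCondition -Property $prop -Condition Equal -Value 'Yes'
$rms   = New-FsrmFmjAction -Type Rms -RmsTemplate 'Confidential - PII'
New-FsrmFileManagementJob -Name 'Protect SSN files with RMS' `
    -Namespace $scope -Condition @($isPii) -Action $rms -Schedule $weekly
```

Test it with a throwaway text file containing 123-45-6789 under D:\Shares\Users: after Start-FsrmClassification the file’s Classification tab in its Properties dialog should show the property set to Yes, and a file containing 000-12-3456 should stay unclassified.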

In Active Directory:
Unfortunately my Lab environment is running a 2008R2 Forest Functional Level, so I won’t be able to fully illustrate Active Directory centralized file access policies.

To enable Dynamic Access Control in AD, edit the Default Domain Controllers policy. Navigate to Computer Configuration -> Policies -> Administrative Templates -> System -> KDC and enable “KDC support for claims, compound authentication and Kerberos armoring” (the matching client-side setting, “Kerberos client support for claims, compound authentication and Kerberos armoring”, lives under System -> Kerberos and is applied to the file servers and clients):
[Screenshot: Microsoft 70-412 Certification Exam Blueprint Walkthrough - FCI]

Then follow the walkthrough I just found on the WindowsITPro site:
http://windowsitpro.com/windows-server-2012/windows-server-2012-fci

 

Back to Table of Contents

4) Configure File Access Auditing

Security auditing is one of the most powerful tools for maintaining the security of an enterprise. One of the key goals of security audits is regulatory compliance. Regulations and industry standards such as Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS) require enterprises to follow a strict set of rules related to data security and privacy. Security audits help establish the presence of such policies and prove compliance with these standards. Additionally, security audits help detect anomalous behavior, identify and mitigate gaps in security policies, and deter irresponsible behavior by creating a trail of user activity that can be used for forensic analysis.

File access auditing on Windows needs two things, and forgetting either produces no events at all: an audit policy that turns on the Object Access -> File System subcategory (or the newer Global Object Access Auditing, which applies one SACL to every file on the server without touching individual folders), and a system access control list (SACL) on the folders you want watched. Matching accesses are written to the Security log as event 4663 (an attempt was made to access an object), with 4656 recording handle requests including failures and 4660 recording deletes. Windows Server 2012 adds expression-based audit policies and includes user and device claims in the events, which is what ties auditing to Dynamic Access Control.

Follow this Microsoft TechNet scenario document to implement file access auditing:
http://technet.microsoft.com/en-us/library/hh831476.aspx
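Both halves of that setup, followed by a query that turns the resulting events into something readable, as an added example that is not part of the TechNet scenario or the original post. It assumes it is run elevated on the file server (Get-Acl -Audit and Set-Acl on a SACL need SeSecurityPrivilege) and that the folder D:\Shares\Finance exists; the folder name is a placeholder.

```powershell
# Added example, not code from the original post. Placeholder: D:\Shares\Finance.
# Run elevated on the file server.

$folder = 'D:\Shares\Finance'

# 1. Audit policy. Without the File System subcategory no 4663 is ever written,
#    whatever the SACLs say.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. SACL on the folder (inherited by everything below it). Successful and
#    failed writes, deletes and permission changes by anyone, plus failed reads
#    on their own, since failed reads are what share probing looks like.
$acl     = Get-Acl -Path $folder -Audit
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$change  = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$acl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $change, $inherit, $prop,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')))
$acl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', [System.Security.AccessControl.FileSystemRights]::ReadData, $inherit, $prop,
    [System.Security.AccessControl.AuditFlags]::Failure)))
Set-Acl -Path $folder -AclObject $acl

# 3. Read the events back. 4663 = object accessed, 4656 = handle requested
#    (this is where access-denied shows up), 4660 = object deleted. 4660 carries
#    only a HandleId, so it is correlated to the 4656/4663 with the same handle.
function Get-FileAccessEvents {
    param([string]$PathPrefix, [int]$Max = 200)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4656, 4660 } -MaxEvents $Max |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Outcome = if ($_.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }
                User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Object  = $d.ObjectName
                Access  = $d.AccessMask     # hex mask; 0x2 write, 0x10000 delete, 0x40000 write DAC
                Handle  = $d.HandleId
                Process = $d.ProcessName
            }
        } |
        Where-Object { -not $PathPrefix -or $_.Id -eq 4660 -or $_.Object -like "$PathPrefix*" }
}

Get-FileAccessEvents -PathPrefix $folder | Format-Table -AutoSize
```

Audit volume on a busy share is the usual problem, so scope the SACL rights to what you will actually act on (delete and permission changes rather than every read) and forward the Security log to a collector before anyone can clear it locally.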

 
