Managing Disk Storage

There are some significant differences between Windows NT 4 and Windows 2000 involving file management and disk storage. Many of the basic disk management topics, such as FAT versus NTFS, RAID levels, and basic file permissions, are covered in Part I.

Windows 2000 supports both basic disks and dynamic disks. Basic disks can contain primary and extended partitions, and logical drives can be added within the extended partition. This is the familiar setup in DOS- and Windows-based computers. Dynamic disks are an optional new feature included with Windows 2000, but you may not want to upgrade your basic disks to dynamic disks.

  • Dynamic disk advantages

    • Can resize a dynamic disk without rebooting.

    • A single dynamic disk can span multiple physical disks and can support RAID 0, 1, and 5.

  • Dynamic disk disadvantages

    • Can only be accessed by Windows 2000 computers.

    • Less fault tolerant than basic disks.

Changes to NTFS in Windows 2000

Windows 2000 comes standard with a new version of its secure filesystem, NTFS5. Version 5 of NTFS has a few new features, such as reparse points and Native Structured Storage, both of which are covered later in this section.

Windows 2000 domain controllers must use NTFS. Microsoft recommends that all Windows 2000 clients also use NTFS, unless they are used as multi-boot machines. The reason for this exception is that most operating systems cannot read an NTFS volume.

Disk quotas

Windows 2000 allows an administrator to limit and monitor the amount of disk storage used by every user on an NTFS volume. Disk quotas do not apply to non-NTFS volumes. The quota data is calculated by determining ownership of files and folders. If a user owns a file, that file will be charged against their quota. Compressed files are charged against the quota at their uncompressed file size.
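As an added illustration (not code from the original text), the following Python model applies the two charging rules just described: a file is charged to the account that owns it, wherever it sits in the folder tree, and a compressed file is charged at its uncompressed size, not the space it actually occupies. The file records, owners, limits, and the 80 percent warning threshold are constructed sample values.

```python
# Added example: a model of how NTFS disk quotas charge usage.
# Rule 1: charge the file's owner, regardless of which folder holds it.
# Rule 2: charge compressed files at their uncompressed (logical) size.
# All records and limits below are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRecord:
    path: str
    owner: str
    logical_size: int          # uncompressed size in bytes (what the quota charges)
    size_on_disk: int          # bytes actually occupied after NTFS compression
    compressed: bool = False


def usage_by_owner(files):
    """Total quota charge per owner, using logical (uncompressed) sizes."""
    totals = {}
    for f in files:
        totals[f.owner] = totals.get(f.owner, 0) + f.logical_size
    return totals


def quota_status(files, limits, warn_fraction=0.8):
    """Classify each quota holder as 'ok', 'warning', or 'over' its byte limit.
    warn_fraction is an assumed warning level, not a Windows 2000 default."""
    usage = usage_by_owner(files)
    status = {}
    for owner, limit in limits.items():
        used = usage.get(owner, 0)
        if used > limit:
            status[owner] = "over"
        elif used >= warn_fraction * limit:
            status[owner] = "warning"
        else:
            status[owner] = "ok"
    return status


def write_allowed(files, limits, owner, new_bytes):
    """Would writing new_bytes (uncompressed) keep owner within the hard limit?"""
    if owner not in limits:
        return True                # no quota entry for this account: unlimited
    return usage_by_owner(files).get(owner, 0) + new_bytes <= limits[owner]


# Constructed sample volume: note the compressed log file (8 MB logical, 1 MB on
# disk) and the file under alice's folder that is owned by bob.
SAMPLE_FILES = [
    FileRecord(r"D:\Users\alice\report.doc", "alice", 3_000_000, 3_000_000),
    FileRecord(r"D:\Users\alice\logs.txt", "alice", 8_000_000, 1_000_000, compressed=True),
    FileRecord(r"D:\Users\bob\photo.bmp", "bob", 4_000_000, 4_000_000),
    FileRecord(r"D:\Users\alice\shared\bob-owned.xls", "bob", 1_500_000, 1_500_000),
]
SAMPLE_LIMITS = {"alice": 10_000_000, "bob": 10_000_000}

if __name__ == "__main__":
    print(usage_by_owner(SAMPLE_FILES))
    print(quota_status(SAMPLE_FILES, SAMPLE_LIMITS))
```

Running it shows alice over quota at 11 MB charged even though only 4 MB of her data is on disk, while the spreadsheet stored under her folder counts against bob.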

Reparse points

Reparse points allow additional functionality to be layered on top of the normal NTFS functionality. User-defined functions can be executed when a file or folder that contains a reparse attribute is opened. You may be familiar with a different definition of parsing from the programming world. In this case, parsing refers to the actual way the identifying name of a file or folder is used by the operating system to determine what to do next.

In standard NTFS, if a file is double-clicked and the user has permission to open it, the operating system simply opens the file. If that file has a reparse attribute, then when the operating system attempts to parse the file name, control is turned over to a user-defined process, and instead of directly opening the file, it might perform some other task first. A good example of this is described below.

Native Structured Storage

One new feature that takes advantage of reparse points is Native Structured Storage (NSS). This allows files that contain embedded ActiveX components to be stored separately from the ActiveX component itself. When the file is opened, a reparse point is read in the filename, which causes both the ActiveX component and the document to be opened and the application to behave as if the two files were stored together in the same file. This procedure provides a more efficient way to store ActiveX embedded files on Windows 2000 NTFS volumes.

Link tracking

Windows 2000 has a domain-wide shortcut tracking system that will make sure that all of your shortcuts continue to point to the correct targets even if changes have been made to the path that the shortcut refers to. If the client computer is subscribed to the link tracking service, all shortcuts will be automatically updated even if the file location, volume location, computer name, or share name that the targeted resource resides on changes. This feature is only available through NTFS and only within the Windows 2000 domain that the client resides in.

Sparse files

In some specialized applications, such as a large database, certain areas of the data file may contain large areas of filler data (all binary zeros). Instead of storing each individual zero bit, the location of a range of zero bits can be stored and the disk space that would have been used by the complete file can be reassigned as free space. When the file is opened, the actual data is read normally and the range of zeros is dynamically restored. This feature is only available with Windows 2000 and NTFS.
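As an added illustration (not code from the original text), here is a simplified Python model of sparse storage: only the ranges that hold data are kept, a run of zeros long enough to be worth deallocating is implied by the gap between extents, and reads restore the zeros on the fly. The 4096-byte deallocation threshold and the sample file contents are assumptions made for the model, not NTFS's real allocation granularity or on-disk layout.

```python
# Added example: a model of sparse-file storage. Data extents are kept as
# (offset, bytes); zero runs of at least min_run bytes are not stored at all.
# min_run and SAMPLE are constructed for illustration.

def to_sparse(data: bytes, min_run: int = 4096):
    """Return ([(offset, bytes), ...], file_length).
    Zero runs shorter than min_run stay inside a data extent (too small to be
    worth freeing); longer runs are dropped and implied by the gaps."""
    extents = []
    i, n = 0, len(data)
    start = None                         # start of the extent being built
    while i < n:
        if data[i] == 0:
            j = i
            while j < n and data[j] == 0:
                j += 1                   # measure the zero run i..j
            if j - i >= min_run:
                if start is not None:    # close the extent before the hole
                    extents.append((start, data[start:i]))
                    start = None
            elif start is None:
                start = i                # short run: keep it allocated
            i = j
        else:
            if start is None:
                start = i
            i += 1
    if start is not None:
        extents.append((start, data[start:n]))
    return extents, n


def read_range(extents, length, offset, count):
    """Read count bytes at offset; unallocated gaps read back as zeros."""
    end = min(offset + count, length)
    out = bytearray(max(end - offset, 0))
    for ext_off, chunk in extents:
        lo = max(offset, ext_off)
        hi = min(end, ext_off + len(chunk))
        if lo < hi:                      # overlap between request and extent
            out[lo - offset:hi - offset] = chunk[lo - ext_off:hi - ext_off]
    return bytes(out)


def allocated_bytes(extents):
    """Space the sparse representation actually occupies."""
    return sum(len(chunk) for _, chunk in extents)


# Constructed 30,129-byte "database file": two large zero-filled regions and
# one 100-byte zero run that is too short to deallocate.
SAMPLE = (b"HEADER" + bytes(10_000) + b"RECORD-A" + bytes(100)
          + b"RECORD-B" + bytes(20_000) + b"TRAILER")

if __name__ == "__main__":
    ext, n = to_sparse(SAMPLE)
    print(f"logical size {n}, allocated {allocated_bytes(ext)} in {len(ext)} extents")
    print(read_range(ext, n, 10_000, 20))
```

With the sample input the 30 KB file needs only 129 allocated bytes in three extents, and a read that straddles a hole and a data extent returns zeros for the hole and the stored bytes for the extent.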

The Change Journal

The Change Journal is used to keep track of changes that occur on an NTFS volume. This data is stored as a stream with a time limit, so that the log file automatically deletes older data while making room for more current data.

A unique sequence number is assigned to all changes on a volume. This information is useful for many tasks, including incremental backups and directory replication.

The Unique Sequence Number Journal

To keep track of individual changes to a volume, every change is assigned a unique sequence number, and that number and the type of change made are stored in the Unique Sequence Number Journal. This data is especially useful for backing up data and for directory replication.
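As an added illustration of the Change Journal and the sequence-number journal described in the two preceding sections (not code from the original text), the Python model below assigns every change a monotonically increasing sequence number, discards the oldest records once the journal is full, and shows how a consumer such as an incremental backup or a replication partner resumes from the last number it processed. The record layout, the size-based retention rule standing in for the journal's time limit, and the sample changes are constructed for the model; they are not NTFS's real journal format.

```python
# Added example: a change journal with unique sequence numbers (USNs) and a
# consumer that resumes from its last USN. Record format, retention rule and
# the scenario are constructed; they do not reproduce the real NTFS journal.
from collections import deque


class ChangeJournal:
    """Append-only log of volume changes. When it exceeds its size it drops
    its oldest records, which frees space but also means a consumer that
    waited too long may find its bookmark is no longer covered."""

    def __init__(self, max_records):
        self.max_records = max_records   # stands in for the journal's size/time limit
        self.records = deque()           # entries are (usn, path, reason)
        self.next_usn = 1
        self.lowest_usn = 1              # oldest USN still present in the journal

    def log(self, path, reason):
        usn = self.next_usn
        self.next_usn += 1
        self.records.append((usn, path, reason))
        while len(self.records) > self.max_records:
            self.records.popleft()       # make room by dropping the oldest change
            self.lowest_usn = self.records[0][0]
        return usn

    def changes_since(self, last_usn):
        """Records newer than last_usn, or None when the journal has already
        discarded records after that point (the consumer must then rescan)."""
        if last_usn + 1 < self.lowest_usn:
            return None
        return [r for r in self.records if r[0] > last_usn]


class IncrementalConsumer:
    """An incremental backup or replication partner that remembers the last
    USN it processed and asks the journal only for what came after it."""

    def __init__(self):
        self.last_usn = 0
        self.full_scans = 0

    def sync(self, journal, all_paths):
        changes = journal.changes_since(self.last_usn)
        if changes is None:
            self.full_scans += 1
            todo = set(all_paths)        # journal gap: fall back to a full scan
        else:
            todo = set()
            for _, path, reason in changes:   # replay in USN order
                if reason == "delete":
                    todo.discard(path)
                else:
                    todo.add(path)
        self.last_usn = journal.next_usn - 1
        return sorted(todo)


def run_scenario():
    """Constructed sequence: two normal incremental passes, then enough changes
    that the consumer's bookmark falls off the end of the journal."""
    journal = ChangeJournal(max_records=4)
    consumer = IncrementalConsumer()
    journal.log("a.txt", "create")
    journal.log("b.txt", "create")
    first = consumer.sync(journal, ["a.txt", "b.txt"])
    journal.log("a.txt", "modify")
    journal.log("c.txt", "create")
    journal.log("b.txt", "delete")
    second = consumer.sync(journal, ["a.txt", "c.txt"])
    for path, reason in [("d.txt", "create"), ("d.txt", "modify"),
                         ("e.txt", "create"), ("a.txt", "modify"),
                         ("f.txt", "create")]:
        journal.log(path, reason)
    third = consumer.sync(journal, ["a.txt", "c.txt", "d.txt", "e.txt", "f.txt"])
    return first, second, third, consumer.full_scans


if __name__ == "__main__":
    print(run_scenario())
```

The third pass is the case worth noticing: the consumer's bookmark (USN 5) is older than the oldest record the journal still holds, so it cannot trust the journal and must copy everything. Any backup or replication design built on sequence numbers needs that fallback.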

The Distributed Filesystem

Windows 2000 allows users to view files and folders that are physically distributed on multiple computers throughout the domain inside a single folder. A Distributed Filesystem (Dfs) folder on the server will automatically link the user to the correct location of the resource. A Dfs root is the main folder that contains the Dfs links, which are subfolders that are mapped to resources throughout the Windows 2000 domain. Dfs is covered in detail in both Part III and Part IV.

If a file server crashes, a system administrator can point the Dfs link to an alternate location, and users will automatically connect to the new location without noticing a change. Dfs does not affect the permissions of the resources it links to. A user must have permissions for the remote resource to gain access to it through the Dfs link.

Standalone Dfs roots versus domain Dfs roots

A standalone Dfs root is a folder that is physically located on only one server. If you are using Active Directory, you can create a domain Dfs root instead, which will be replicated across multiple servers, providing greater fault tolerance. You can create both standalone and domain Dfs roots using the Dfs snap-in.

Dfs links

After you’ve created the Dfs root folder, you can create Dfs links by choosing Action → New Dfs Link from the Dfs snap-in. With a domain Dfs root, each Dfs link can point to multiple identical shared resources, and the server will automatically distribute traffic between the copies of the shared resource.

In addition to the fault tolerance provided by using a domain Dfs, you can configure the server to automatically replicate the Dfs data. Dfs replication is disabled by default, but you can enable it by changing the replication policy in the Dfs snap-in. A quick way to do this is by right-clicking on the Dfs folder and choosing Replication Policy. You’ll see a list of servers; choose the ones you want to participate and then press the Enable button.

File Replication Service (FRS)

The File Replication Service automatically copies and synchronizes files throughout the domain. It uses unique sequence numbers, covered earlier in this chapter, to make sure the most recent changes are applied. FRS is included as a standard feature of Windows 2000 Server and runs automatically on all domain controllers.

One of FRS’s main responsibilities is automatically replicating the Windows 2000 system volume among all the domain controllers. Because there is no PDC, all domain controllers have equal status in the network.

FRS uses a reversible virtual ring topology among the FRS-enabled servers to define the order of replication among the participants. During replication, if the next DC in line is unavailable, another DC is automatically contacted to continue the replication process seamlessly.

For replication purposes, the domain model is temporarily superseded by a logical structure called a site. The main requirement for a site is that subnets within a site are connected by at least a 512 Kbps connection. Other than that one stipulation, a site may contain multiple domains, or a single domain can contain multiple sites. Data can be replicated within a site or between sites. There are two main types of replication: intrasite and intersite.

Intrasite replication

Intrasite replication passes data between domain controllers within the same site. It is configured automatically and runs every five minutes by default; however, replication is trigger-based, meaning if a replicating server has any changes, it will notify its replication partner. The data that passes between the replicating partners is not compressed.

Intersite replication

Intersite replication passes data between domain controllers in separate sites. The default synchronization interval is three hours, but you can configure it manually. The data passed between domain controllers on different sites is compressed up to 90 percent.

Knowledge Consistency Checker (KCC)

For domain controllers that are both in the same domain and the same site, the Knowledge Consistency Checker monitors and optimizes the virtual ring topology used to determine the order of replication. This is especially important if a DC is added to or removed from the site.

The Encrypted Filesystem (EFS)

The Encrypted Filesystem is part of the new NTFS included with Windows 2000 Server. The Encrypted Filesystem uses a set of four keys: a public key, a private key, a random file encryption key (FEK), and a recovery key. The Windows 2000 EFS uses the Data Encryption Standard X (DESX). Encryption and keys are covered in greater detail in the security chapter.

A public key is used to encrypt files that can later be decrypted by applying either the matching private key or the recovery key, which was automatically generated at the time of encryption. In North America a 128-bit FEK is used. Otherwise, a 40-bit FEK is used.

The more bits in the encryption key, the stronger the encryption. However, using the Windows 2000 EFS doesn’t necessarily mean your data is completely private. A system administrator with the appropriate permissions can use a special recovery key to decrypt data without the use of the user’s private key.

A system administrator can create a domain-wide policy to determine which accounts will have permission to decrypt files using recovery keys. This policy will apply to all computers that are members of the domain. If you are using a standalone machine that is not a member of a Windows 2000 domain, the local administrator account will have permission to use recovery keys. This policy is called the Encrypted Data Recovery Policy (EDRP).

Encryption can be used on individual files or entire folders. After a file is encrypted, the subsequent decryption and re-encryption are done automatically as the file is opened, modified, and saved. If a failure occurs during the encryption process, the entire file remains unencrypted. It is not possible for a file to become partially encrypted. You may have to reboot the system to have the file restored to a usable state if a serious error occurs during the encryption process.

To encrypt all the data in a folder, right-click on the folder and choose Advanced from the Properties menu. Choose Encrypt Contents to Secure Data and click OK. The Confirm Attribute Changes dialog box will appear. Choose Apply Changes To This Folder, Subfolders, and Files to automatically encrypt the existing contents of the folder. From then on, the process of encrypting and decrypting files in that folder or any of its subfolders will be automatic.

You can also encrypt files or folders from the command line using the cipher command. The cipher command has many parameters that perform specific operations. Parameters are separated from the cipher command and each other by a single space. Some parameters can be used in combination with others. They are listed in Table 8-4.

Table 8-4. The cipher Command

Parameter      Function
-------------  ----------------------------------------------------------------------------------
/a filenames   When used with /e or /d, the /e or /d will apply to all filenames that match those specified.
/d             Decrypt.
/e             Encrypt.
/f             When used with /e or /d, it forces encryption or decryption on all specified files and folders, even if they are already in the specified encryption state.
/h             Displays hidden files, including system files.
/I             Ignores errors.
/k             Creates a new file encryption certificate.
/q             Limits the message output to only the essential data needed to run cipher.
/s:dir         Specifies the folder (automatically including all subfolders) that the cipher command will apply to.
pathname       Allows you to specify multiple filenames or folders and allows the use of wildcards.

Data Compression

Windows 2000 NTFS includes a built-in data compression feature. This allows files and folders to occupy less space. If a file is compressed, NTFS will automatically uncompress it when it is opened and re-compress it when it is closed or saved. You can view or change compression settings for a file from the Advanced Attributes dialog, as shown in Figure 8-2. You can also set compressed files and folders to have a different color by selecting Tools → Folder Options → View, then selecting Display Compressed Files and Folders with Alternate Color.

Figure 8-2. The Advanced Attributes dialog

When you copy or move compressed files (as shown in Table 8-5), you may notice that the performance is slower than with uncompressed files. If a user requests that EFS compress a previously compressed file (such as a WinZip archive) and the file cannot be made any smaller, the archive bit is changed to indicate it’s compressed and the file is otherwise left as is.

Table 8-5. Moving Compressed Data

Situation                                 Result
----------------------------------------  --------------------------------------------------------
Copying a file within an NTFS volume      The file inherits the state of the destination folder.
Moving a file within an NTFS volume       The compression state remains unchanged.
Copying a folder within an NTFS volume    The folder inherits the state of the destination folder.
Moving a folder within an NTFS volume     The compression state remains unchanged.
Copying a file between NTFS volumes       The file inherits the state of the destination folder.
Moving a file between NTFS volumes        The file inherits the state of the destination folder.
Copying a folder between NTFS volumes     The folder inherits the state of the destination directory.
Moving a folder between NTFS volumes      The folder inherits the state of the destination directory.
Copying a file from NTFS to FAT           Everything is uncompressed.
Moving a file from NTFS to FAT            Everything is uncompressed.
Copying a folder from NTFS to FAT         Everything is uncompressed.
Moving a folder from NTFS to FAT          Everything is uncompressed.
Copying or moving to a floppy disk        Everything is uncompressed.

Backup and Restore

Windows 2000 Server comes with a built-in backup program called Windows Backup. You can use this utility to back up files manually or to schedule automatic backups. Windows Backup is permission based, and only those users with the proper file access permissions can back up or restore files. You can back up a single file, the whole network, or anything in between (see Table 8-6).

All files can be backed up by anyone in the Administrators, Backup Operators, or System Operators group. Otherwise, the user will need to have at least Read permission to perform a backup and Write permission to perform a restore. Windows Backup can be run from a command line by executing ntbackup.exe.

Table 8-6. Windows Backup Types

Type          Description                                                          Archive Bit
------------  -------------------------------------------------------------------  -----------
Full          Backs up all the selected files and folders                          Cleared
Copy          Backs up all the selected files and folders                          Unchanged
Incremental   Backs up only selected files and folders with an archive bit         Cleared
Differential  Backs up only selected files and folders with an archive bit         Unchanged
Daily         Backs up all the files and folders that have been modified that day  Unchanged

With the number of choices available for backup, you should be able to find a backup strategy to fit your needs. Following is a list of the available built-in backup types and when they might be most useful:

Full

This is the simplest type of backup. All you have to do is choose the files and folders you want to back up, and they’ll be copied. To let the other backup methods know a file has been backed up already, the archive bit is cleared when a file is copied by this method.

Copy

This method is especially useful to make an extra copy of a file without changing the file’s archive bit attribute. Because other methods, like incremental and differential, look for a file’s archive bit, a copy backup won’t interfere with these types because it leaves the archive bit unchanged.

Incremental

An incremental strategy is a good choice to save disk space while retaining automation. It will only back up the selected files that have the archive bit set and, because it clears the archive bits for files it has backed up, it won’t back up the same file needlessly.

Differential

This method will also save disk space compared to a full backup, but it leaves the archive bit unchanged and can potentially back up an unchanged file multiple times. Although it backs up only files with archive bits set, it doesn’t clear the archive bits on files it has backed up.

Daily

This method is most useful for the traditional automated late-night backup. Instead of the archive bit, it uses the last-modified timestamp of a file to decide whether or not to back it up. Daily backup doesn’t modify the archive bits of files it backs up.
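As an added illustration of the five backup types (not code from the original text), the Python model below runs a constructed working week: a full backup on Monday followed by one backup type on each remaining day, with a fixed pattern of edits in between. It applies the archive-bit rules of Table 8-6 literally, models the daily type as selecting files whose last-modified date is the backup date, and reports which backup sets would have to be restored to recover Friday's state. The file names, dates, and edit pattern are sample data chosen for the model.

```python
# Added example: a model of Windows Backup types and their archive-bit
# behaviour, run over a constructed week of edits. Files, dates and the edit
# pattern are sample data; nothing here calls the real ntbackup program.
from dataclasses import dataclass
from datetime import date


@dataclass
class File:
    name: str
    archive: bool = True             # set whenever the file is created or modified
    modified: date = date(2000, 1, 3)


def modify(files, name, on):
    """Simulate a user editing a file on the given day."""
    f = next(f for f in files if f.name == name)
    f.archive = True
    f.modified = on


def backup(files, kind, on):
    """Return the names backed up and change archive bits as Table 8-6 states."""
    if kind in ("full", "copy"):
        selected = list(files)
    elif kind in ("incremental", "differential"):
        selected = [f for f in files if f.archive]
    elif kind == "daily":
        selected = [f for f in files if f.modified == on]
    else:
        raise ValueError(f"unknown backup type: {kind}")
    if kind in ("full", "incremental"):
        for f in selected:
            f.archive = False        # only these two types clear the bit
    return [f.name for f in selected]


LABELS = ["Mon", "Tue", "Wed", "Thu", "Fri"]


def run_week(strategy):
    """Full backup on Monday, then `strategy` on each remaining weekday.
    Returns {day: [names backed up]} for the constructed edit pattern."""
    files = [File("a.doc"), File("b.xls"), File("c.txt")]
    days = [date(2000, 1, d) for d in range(3, 8)]   # Mon 3 Jan .. Fri 7 Jan 2000
    edits = {"Tue": ["a.doc"], "Wed": ["b.xls"], "Thu": [], "Fri": ["a.doc"]}
    log = {}
    for label, day in zip(LABELS, days):
        for name in edits.get(label, []):
            modify(files, name, day)
        log[label] = backup(files, "full" if label == "Mon" else strategy, day)
    return log


def restore_sets_needed(strategy, log):
    """Backup sets that must be restored, in order, to recover Friday's state."""
    days = list(log)
    if strategy == "differential":
        return [days[0], days[-1]]   # the full plus only the latest differential
    if strategy == "copy":
        return [days[-1]]            # every copy backup is a complete set
    return days                      # incremental and daily: the full plus every set since


if __name__ == "__main__":
    for strategy in ("incremental", "differential", "daily", "copy"):
        log = run_week(strategy)
        print(strategy, log, "restore:", restore_sets_needed(strategy, log))
```

The output makes the trade-off in the list above concrete: the incremental week copies a.doc, then b.xls, then nothing on Thursday, but a restore needs every set in sequence; the differential week copies a.doc and b.xls again on Thursday even though nothing changed, but a restore needs only Monday's full and Friday's differential.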
