
Managing Files

File Security
Encrypting File System
NTFS provides excellent protection for files and folders as long as Windows is running.
However, an attacker who has physical access to a computer can start the computer from a
different operating system (or simply reinstall Windows) or remove the hard disk and connect
it to a different computer. Any of these very simple techniques would completely bypass
NTFS security, granting the attacker full access to files and folders.
EFS protects files and folders by encrypting them on the disk. If an attacker bypasses the
operating system to open a file, the file appears to be random, meaningless bytes.
Windows controls access to the decryption key and provides it only to authorized users.

Note: EFS uses a certificate to store your encryption details. It is important to back up
your certificate to an external drive in case your current PC crashes and you lose the
certificate. Once you lose the certificate, you won’t be able to open the encrypted files
anymore.

For the example, we are going to use a folder with the name “Important Files”. Right-click the
folder and select Properties.
Click Advanced.

Select Encrypt contents to secure data and click OK.


Note that a folder may be compressed or encrypted, but not both.
You can either just apply the attribute to a folder or apply it to all subfolders and files as well.

• Apply changes to this folder, subfolders and files - Choose this to encrypt the
folder so that everything inside this folder is encrypted, and this includes files and
folders that are later moved to or created inside this folder.
• Apply changes to this folder only - Choose this to encrypt only the folder so that all
files/folders subsequently moved or created in this folder will be encrypted. Existing
files and folders are not encrypted.

Choose one radio button and then click OK.

If you encrypt a folder, Windows automatically encrypts all new files in the folder. Windows
Explorer shows encrypted files in green.
Backing up your encryption certificate

Windows stores all the encryption details in a certificate. This certificate acts like a key to
your safe. If you lose your certificate (the key to the safe), you won’t be able to access your
files anymore. That’s why you need a backup file.

Go to the Start menu. Using the search function, type manage encryption. Select Manage
file encryption certificates.

A window appears. It shows information about what you can do with the utility. Press Next.
Select the certificate you want to back up. In this case, there is only one.

Select the location to back up your certificate and enter a password to protect the file. It is
very important that you copy this file to another device, and of course that you remember the
password.
Now, the program allows you to associate this certificate with previously encrypted files. In
this case, as we are creating a backup copy, just press Next.

The utility will show a message with information; just press Close. Done!
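The encryption and certificate-backup steps above can also be run and verified from PowerShell
with cipher.exe, the EFS command-line tool included with Windows. This is an added example, not
part of the original walkthrough; the backup path is a hypothetical placeholder, and cipher /x
prompts interactively for the password that protects the backup file.

```powershell
# Added example, not from the original walkthrough. Written for PowerShell 2.0 or later.
$Folder     = 'C:\Important Files'      # folder used in the walkthrough
$BackupBase = 'E:\KeyBackup\efs-cert'   # hypothetical path; cipher.exe appends .PFX

function Test-EfsAttribute {
    # True when the NTFS "Encrypted" attribute is set on a file or folder object.
    param([Parameter(Mandatory = $true)] $Item)
    ([int]($Item.Attributes -band [IO.FileAttributes]::Encrypted)) -ne 0
}

function Get-PlaintextFile {
    # Every file under $Path that is still stored unencrypted on disk.
    param([Parameter(Mandatory = $true)][string] $Path)
    Get-ChildItem -LiteralPath $Path -Recurse -Force |
        Where-Object { -not $_.PSIsContainer -and -not (Test-EfsAttribute $_) }
}

# 1. Same effect as "Apply changes to this folder, subfolders and files".
& cipher.exe /e "/s:$Folder"

# 2. Verify the result on disk instead of trusting the tool's output.
#    The folder itself must carry the attribute, otherwise files created
#    in it later are written in plaintext.
if (-not (Test-EfsAttribute (Get-Item -LiteralPath $Folder -Force))) {
    Write-Warning "Folder '$Folder' is not marked as encrypted."
}
$plain = @(Get-PlaintextFile -Path $Folder)
foreach ($file in $plain) {
    Write-Warning "Still unencrypted: $($file.FullName)"
}

# 3. Show which user certificates and recovery certificates can decrypt
#    one of the files (cipher /c prints the details for an encrypted file).
$sample = Get-ChildItem -LiteralPath $Folder -Recurse -Force |
    Where-Object { -not $_.PSIsContainer } |
    Select-Object -First 1
if ($sample) {
    & cipher.exe /c $sample.FullName
}

# 4. Back up the current user's EFS certificate and private key.
#    cipher asks for confirmation and for a password for the backup file.
& cipher.exe /x $BackupBase
if (-not (Test-Path -LiteralPath "$BackupBase.pfx")) {
    Write-Warning "No certificate backup was written to $BackupBase.pfx"
}
```

Copy the resulting .pfx file to another device and keep its password separately, as described above.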
Share Files Protected with EFS

To share an EFS-protected file

1. Open the Properties dialog box for an encrypted file.


2. In the General tab, click Advanced.
The Advanced Attributes dialog box appears.

You may share an encrypted file with additional users after you have encrypted the file. You
can only do this on a per-file basis. EFS file sharing gives other users you designate the
ability to decrypt and encrypt your original encrypted file. These users may also move,
copy, or delete the encrypted file if they have such file permissions.

A user may be added by selecting the new Details... button.

You will be presented with a window showing who has EFS access to this file.
Click the Add... button to add more users.

You may add other users (not groups) from the local machine or from Active Directory,
provided the user has a valid EFS certificate. Users without a valid EFS certificate will not be
shown. A valid EFS certificate is automatically created whenever a user encrypts a file, so
the user can simply encrypt a file to have one created. Select a user you want
to add. If the user is in Active Directory, you can find the user via the Find User... button.
Click OK to return and verify that the user has been added to the EFS file share list. Click OK
again (3 times) and you are done.

How to Configure EFS Using Group Policy Settings

Users can selectively enable EFS on their own files and folders. However, most users are
not aware of the need for encryption and will never enable EFS on their own. Rather than
relying on users to configure their own data security, you should use Group Policy settings to
ensure that domain member computers are configured to meet your organization’s security
needs.
Within the Group Policy Management Editor, you can configure EFS settings by right-clicking the
Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Encrypting File System
node and then choosing Properties to open the Encrypting File System Properties dialog box.
Data Recovery Agent
An encrypted file is inaccessible to anyone who lacks the decryption key, including system
administrators and, if they lose their original key, users who encrypted the files. To enable
recovery of encrypted files, EFS supports DRAs. DRAs can decrypt encrypted files. In
enterprise Active Directory environments, you can use Group Policy settings to configure
one or more user accounts as DRAs for your entire organization.

To configure an enterprise DRA

1. Configure an enterprise CA. For example, you can install the Windows Server 2008
Active Directory Certificate Services server role.
2. Create a dedicated user account to act as the DRA. Although you could use an existing
user account, the DRA has the ability to access any encrypted file—an almost unlimited
power that must be carefully controlled in most organizations. Log on using the DRA
account.

IMPORTANT Avoid giving one person too much power


For the DRA user account, or any highly privileged account, have two people type half the
account’s password. Then have each user write down half of the password and give the
password halves to different managers to protect. This requires at least two people to work
together to access the DRA account—a security concept called collusion. Collusion greatly
reduces the risk of malicious use by requiring attackers to trust each other and work
together.

3. Open the Group Policy Object in the Group Policy Management Editor.
4. Right-click Computer Configuration\Policies\Windows Settings\Security Settings\Public
Key Policies\Encrypting File System, and then choose Create Data Recovery Agent.
The Group Policy Management Editor creates a file recovery certificate for the DRA
account.

Installing the File Services Server Role


Windows Server 2008 can share folders without adding any server roles. However, adding
the File Services server role adds useful management tools along with the ability to
participate in DFS namespaces, configure quotas, generate storage reports, and other
capabilities.

To install the File Services server role

Choose Start > Administrative Tools > Server Manager


Choose Roles > Add Roles. This will start the Add Roles Wizard. Click Next.

On the Server Roles page, check File Services, then press Next.
On the Select Role Services page, select from the following role services:

File Server - Although not required to share files, adding this core role service allows you to
use the Share and Storage Management snap-in.

Distributed File System - Enables sharing files using the DFS namespace and replicating
files between DFS servers. If you select this role service, the wizard will prompt you to
configure a namespace.

File Server Resource Manager - Installs tools for generating storage reports, configuring
quotas, and defining file screening policies. If you select this role service, the wizard will
prompt you to enable storage monitoring on the local disks.

Services for Network File System - Provides connectivity for UNIX client computers that use
Network File System (NFS) for file sharing. Note that most modern UNIX operating systems
can connect to standard Windows file shares, so this service is typically not required.

Windows Search Service - Indexes files for faster searching when clients connect to shared
folders. This role service is not intended for enterprise use. If you select this role service, the
wizard will prompt you to enable indexing on the local disks.

Windows Server 2003 File Services - Provides services compatible with computers running
Windows Server 2003.
To manage quotas, check the File Server Resource Manager box and click Next. You will
then select the NTFS volumes you want to monitor.
Click on Options to see additional options for reports.

The screen above shows the standard configuration for a volume, along with the reports that
are generated when that threshold is reached.

Select the reports you want, click “OK” to close that window, then click “Next” to continue.
This last window before the confirmation lets you specify the folder where the reports are
saved and also the e-mail reporting details.
Click Next, review the confirmation and click Install to finish the wizard.
Keep in mind that you can decide not to add any volumes during this install phase and add
them later, after FSRM is already installed.

The new Quota Management tool in File Server Resource Manager (FSRM) allows
administrators to monitor and manage hard disk space per volume, folder, or share. By
using File Server Resource Manager, administrators can place quotas on folders and
volumes, actively screen files, and generate comprehensive storage reports.

Using Quotas
When multiple users share a disk, whether locally or across the network, the disk will quickly
become filled, usually because one or two users consume far more disk space than the rest.
Disk quotas make it easy to monitor users who consume more than a specified amount of
disk space. Additionally, you can enforce quotas to prevent users from consuming more disk
space (although this can cause applications to fail and is not typically recommended).
With Windows Server 2008 you should use the Quota Management console to configure
disk quotas. You can also configure quotas using the DirQuota command-line tool.
Additionally, you can configure disk quotas by using Group Policy settings or by using
Windows Explorer.

Disk quotas are a simple way to limit and control the amount of disk space your users
take up with their data. Quotas monitor and limit a user’s disk space on a per-partition
or per-volume basis; quotas do not stretch across multiple disks.

Disk quotas are per-volume. That is, you can enable quotas only at the volume level,
not the folder level.

Disk quotas are per-user. In other words, quotas are based on who owns files, not on
which folder they are stored in as long as the folders are on the same volume.
Configuring Disk Quotas Using the Quota Management Console
After installing the File Server Resource Manager role service, you can manage disk quotas
using the Quota Management console. In Server Manager, you can access the snap-in at
Roles\File Services\Share And Storage Management\File Server Resource Manager\Quota Management.
The Quota Management console provides more flexible control over quotas
and makes it easier to notify users or administrators that a user has exceeded a quota
threshold or to run an executable file that automatically clears up disk space.

On the File Server Resource Manager page, expand Quota Management > Quotas and click
Create Quota…

On the Create Quota page, click Browse. On the Browse for Folder page:

To create a quota on a public folder, expand to New > Public and click OK.
To create a quota for a private folder, browse to New > Private.
On the Create Quota page, under Derive properties from this quota template
(recommended), choose from the following standard templates:

100 MB Limit - Defines a hard quota (a quota that prevents the user from creating more files)
of 100 MB per user, with e-mail warnings sent to the user at 85 and 95 percent. At 100
percent of the quota, this template sends an e-mail to the user and to administrators.

200 MB Limit Reports To User - Defines a hard quota of 200 MB per user, with e-mail
warnings sent to the user at 85 and 95 percent. At 100 percent of the quota, this template
sends an e-mail to the user and to administrators and sends a report to the user.

200 MB Limit With 50 MB Extension - Defines a 200 MB quota. When the 200 MB quota is
reached, the computer sends an e-mail to the user and administrators and then applies the
250 MB Extended Limit quota to grant the user additional capacity.

250 MB Extended Limit - Primarily used with the previous quota template to provide the
user an additional 50 MB of capacity. This template prevents the user from exceeding
250 MB.

Monitor 200 GB Volume Usage - Provides e-mail notifications when utilization reaches 70,
80, 90 and 100 percent of the 200 GB soft quota.

Monitor 500 MB Share - Provides e-mail notifications when utilization reaches 80, 100 and
120 percent of the 500 MB soft quota.
Quotas are always placed on a folder. You have the choice of basing your Quota on a
template or defining a custom one.

The power of Quota Templates becomes much more obvious when you use the option to
Auto apply template while creating a Quota:

This option requires that you select a template (not a custom Quota). A Quota is created
based on that template for all folders under the specified path.

Every time you add another subfolder to that folder, the template is automatically used to
create another Quota for it. This allows you much simpler configuration for certain folder
structures like web sites, project folders, etc.
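The DirQuota command-line tool mentioned earlier can create the same quotas from a script,
including the Auto apply template option. This is an added example, not part of the original
text: the folder paths are hypothetical placeholders, the template names are the standard ones
listed above, and it assumes the File Server Resource Manager role service is installed.

```powershell
# Added example. Folder paths are hypothetical placeholders; adjust them.
$UsersRoot    = 'D:\Shares\Users'      # one subfolder per user
$PublicShare  = 'D:\Shares\Public'
$ProjectsRoot = 'D:\Shares\Projects'

function Invoke-DirQuota {
    # Run dirquota.exe with the given arguments and stop on a non-zero exit code.
    param([Parameter(Mandatory = $true)][string[]] $Arguments)
    & dirquota.exe $Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "dirquota $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Auto apply template: every existing and future subfolder of $UsersRoot
# gets its own hard quota derived from the template.
Invoke-DirQuota @('autoquota', 'add', "/path:$UsersRoot",
                  '/sourcetemplate:200 MB Limit Reports To User')

# Soft quota from a template: notifications only, nothing is blocked.
Invoke-DirQuota @('quota', 'add', "/path:$PublicShare",
                  '/sourcetemplate:Monitor 500 MB Share')

# Custom quota without a template: a 2 GB soft limit used for monitoring.
Invoke-DirQuota @('quota', 'add', "/path:$ProjectsRoot",
                  '/limit:2gb', '/type:soft')

# Review what is now in place.
Invoke-DirQuota @('autoquota', 'list')
Invoke-DirQuota @('quota', 'list')
```

Starting with soft quotas shows who would be affected before a hard limit begins to block writes.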
To create your own quota templates

1. Right-click Quota Templates in the Quota Management console, and then choose
Create Quota Template.
2. Click on the Create Quota… then click on Custom Properties
In addition to specifying the space limit (hard or soft), you can also create different
thresholds, with different actions. The sample above sends e-mail alerts at 85%/95%/100%
and logs events at 95%/100%. If you click on the “Add…” button, you can see the
configuration options for each threshold.

You can even choose to execute a command when a threshold is reached, which is shown
on the screen below. If you are skilled with scripting, you can use this ability to perform a
number of sophisticated tasks.

E-mail Message - Sends an e-mail notification to administrators or to the user. You can
define the [Admin Email] variable and other e-mail settings by right-clicking File Server
Resource Manager and then choosing Configure Options.
Event Log - Logs an event to the event log, which is useful if you have management tools
that process events.
Command - Runs a command or a script when a threshold is reached. You can use this to
run a script that automatically compresses files, removes temporary files, or allocates more
disk space for the user.
Report - Generates a report that you can e-mail to administrators or the user. You can
choose from a number of reports.
File system quotas, which were first introduced in Windows Server 2003 R2 and are a part
of the File Server role in Windows Server 2008 (and Windows Server 2008 R2), offer many
benefits over disk quotas. With file system quotas we can set quotas for specific folders on
the volume, we can use templates to ensure consistent application of quotas, and we can
set quotas which are automatically applied to all sub-folders of a folder.

Additionally, file system quotas are useful not just for limiting the amount of space users can
consume, but also for reporting on space used – quotas can be set with so-called “soft” limits
which are used for monitoring rather than enforcing limits.  This functionality can be
extremely useful for quickly determining which users or folders are consuming large amounts
of disk space on a file server.

Viewing Quotas

Administrators can view hard and soft quotas using FSRM, and viewing quotas this way can
be a quick method for finding large folders or large consumers of space.

File Screening Management

File Screening helps you restrict and/or monitor which file extensions can be used on your
file server. FSRM can provide either active screening (blocking files with certain extensions)
or passive screening (monitoring file extensions without blocking).

• Create, manage, and obtain information about file screens, which are used to block
selected file types from a volume or folder. When users attempt to save unauthorized
files, send an e-mail to the administrators or generate similar notifications.
• Create file screen exceptions to override certain file screening rules.
• Create and manage file screen templates to simplify file screening management.
• Create and manage file groups. When used with file screens and file screen
exceptions, file groups determine which files will be blocked and which will be allowed.

The basic idea behind file screens is that you can prevent certain types of files from being
stored in certain locations. For example, your server might run out of disk space unexpectedly
because one of the users uploaded their music collection to a network drive.

File screens can prevent this problem, because they can be used to ensure that users are
not allowed to store music files in the folder.

You can see the existing File Screens in the “File Screens” node under File Screening
Management. None are defined by default.

To add a File Screen, click Create File Screen… (on the Actions pane on the right).
As with Quotas, FSRM supplies some predefined File Screen Templates.
You can also opt to define your own File Screening properties by clicking Custom Properties.
The basic properties include the path to monitor, the type of monitoring (active or passive),
the file groups to block/monitor and the specific actions to take (e-mail, event log, command
or report).
You will probably want to use a template to define your File Screening. Below is the list of
pre-defined templates included with FSRM:

You can also create your own File Screening Templates, just like with Quota Templates.
FSRM includes a list of pre-defined File Groups, but also gives you the option of defining
your own file types.
Storage Reports Management

One important feature of FSRM is the ability to provide many reports associated with File
Server Management to make your life simpler when managing your file server. Those
reports include Files by Group, Files by Owner, Large Files, Most Recently Accessed Files
and Duplicate Files, just to mention a few (see screen below).

Reports can be generated manually, on a schedule, or triggered by a Quota or File Screen.


They can also be generated in different formats (see options on the screen below) and are
delivered to a folder defined when you installed the role service.

Below you see a number of those manually generated reports using the HTML format:
The Files by Owner report
Configuring Disk Quotas Using Windows Explorer

Although you should always use the Quota Management console to configure quotas in
Windows Server 2008, the operating system continues to support quota management using
Windows Explorer, using the same interface as earlier versions of Windows.

Open My Computer and right-click the disk for which you want to view the disk quota usage.
Choose Properties.

Select the Limit Disk Space To option. Specify the limit and warning levels. Windows does
not notify users if they exceed either threshold. In fact, if you choose not to enforce quota
limits, the only difference between the two thresholds is the event ID that is added to the
System event log.

To add an event for the warning or limit levels, select the Log Event When A User Exceeds
Their Quota Limit check box or the Log Event When A User Exceeds Their Warning Level
check box.
In the Quota tab of the Properties window, click Quota Entries… to view disk quota usage.
Right click the user and choose Properties to view the details of limit settings.

Then you can see the Quota settings for this user.

Configuring Disk Quotas Using Group Policy


You can also configure simple disk quotas using Group Policy settings. In the Group Policy
Management Editor, select the
Computer Configuration\Policies\Administrative Templates\System\Disk Quotas node.

Enable Disk Quotas - You must enable this policy to use disk quotas.

Enforce Disk Quota Limit - Equivalent to selecting the Deny Disk Space to Users Exceeding
Quota Limit check box when configuring local disk quotas.

Default Quota Limit and Warning Level - Defines the quota limit and warning levels, exactly
as you can when configuring disk quotas using Windows Explorer.

Log Event When Quota Limit Exceeded - Equivalent to selecting the Log Event When A
User Exceeds Their Quota Limit check box in Windows Explorer.

Log Event When Quota Warning Level Exceeded - Equivalent to selecting the Log Event
When A User Exceeds Their Warning Level check box in Windows Explorer.

Apply Policy to Removable Media - Defines whether quotas are applied to removable
media. Typically, this policy should be disabled.

DFS
Large organizations often have dozens, or even hundreds, of file servers. This can make it
very difficult for users to remember which file server specific files are stored on.
DFS provides a single namespace that allows users to connect to any shared folder in your
organization. With DFS, all shared folders can be accessible using a single network drive
letter in Windows Explorer. For example, if your Active Directory domain is contoso.com, you
could create the DFS namespace \\contoso.com\dfs. Then, you could create the folder
\\contoso.com\dfs\marketing and map it to shared folders (known as targets) at both
\\server1\marketing and \\server2\marketing.

Besides providing a single namespace to make it easier for users to find files, DFS can
provide redundancy for shared files using replication. Replication also allows you to host a
shared folder on multiple servers and have client computers automatically connect to the
closest available server.

Installing DFS

You can install DFS when adding the File Services server role using the Add Roles Wizard,
or you can add the role service later using Server Manager by right-clicking Roles\File
Services and then choosing Add Role Services.

In Select Service Roles you can click on Distributed File System and it should also place a
check next to DFS Namespaces & DFS Replication; after this click Next.

NOTE: At the bottom you will see Windows Server 2003 File Services and File Replication
Service. You would only choose this if you were going to be synchronizing the 2008 server
with old servers using the FRS service.
On the Create a DFS Namespace screen you can choose to create a namespace now or
later.

Choose Create a namespace later using the DFS Management snap-in in Server
Manager and then click Next.

The next screen allows you to confirm your installation selections, so review and then click
Install.
In Server Manager you should now see File Services and under the Role Services you will
see the installed components:

Distributed File System


DFS Namespaces
DFS Replication
The Namespace Name and Settings page is reached either from the DFS install or by selecting
New Namespace… from the DFS Management snap-in.

On the Namespace Server page, type the name of the server that will host the namespace.
You can add servers later to host the namespace for redundancy.

Enter the name of the namespace server and click Next


Enter the name of the namespace and click Next

Select the type of Namespace and click Next. Here it’s a domain-based namespace with
2008 mode enabled. Domain-based namespaces use the Active Directory domain
name as their root, and stand-alone namespaces use the server as their root.
This name acts as the share name when users access the DFS namespace—for
example, \\domain_name\namespace_name. Click the Edit Settings button to configure
the permissions for the namespace. Click Next.

Give Domain Admins or fileserveradmins Full Control on the share and give Domain Users
Change permissions. Click OK when done adding the needed groups.
On the review screen, click Create and then Close when it’s done. You will end up with a
brand new namespace with no folders:
Adding Folders to the DFS Namespace

After you create the namespace, you will add folders to it, specifying the associated folder
target. This means pointing to the actual file shares, making each one appear to users as a
folder under the namespace. Before you do that, you want to think long and hard about the
folder structure you’re creating. A basic goal of DFS is to create a stable infrastructure that
will not constantly change on your users.

To start, click on the “New Folder…” action on the panel on the right. In the example below, I
will enter the name of the folder, which is “Finance”. I will also enter one associated folder
target, which will be “\\JOSEBDA-N2\FinanceDocs” (this share was configured beforehand).
Here are the results right before I click “OK” to create the new folder:

Here’s the end result in the “DFS Management” window:


I could also have folders with no targets (just to create a hierarchy in the namespace) or
folders with multiple folder targets.

Multiple Targets

It’s useful to have multiple copies of the same data stored in different file servers. One
reason for that is fault-tolerance (if one server is unavailable, you can still access the other
one). The other reason is to choose the copy of the data that is closer to you. If you’re in a
branch office and you want to access a very large file, you would rather get a copy from a
server in that branch.

It’s actually quite simple to add more folder targets to an existing folder or create the folder
with multiple targets initially. All you have to do is make sure that you provide the multiple
targets for the same folder in that namespace when you configure it.

If you’re using domain-based DFS, the clients will be directed to the target that is closest to
them. If there is no target nearby, the clients will be pointed to a remote one. This is similar
to what happens when clients are looking for a domain controller. DFS uses the site
information in Active Directory to determine which server works best.

A Dfs topology consists of a Dfs root, one or more Dfs links, and one or more Dfs shared
folders (also known as replicas), to which each Dfs link points.
In our example the referral status for both link targets is Enabled. This means DFS can refer
resource requests to either target. Therefore, if one of the file servers had to be taken offline
for maintenance, referrals for that server could be disabled and DFS would stop sending
requests to the server until referrals were re-enabled.

After creating a namespace, you can adjust settings by right-clicking it and then choosing
Properties.

The Properties dialog box for the namespace has three tabs:

General - Allows you to type a description for the namespace.

Referrals - When a client accesses the root of a namespace or a folder with targets, the client
receives a referral from the domain controller. Clients always attempt to access the first
target computer in the referral list and, if the first target computer does not respond, access
computers farther down the list. This tab gives you control over how multiple targets in a
referral list are ordered.

Select Random Order from the Ordering Method dropdown list to distribute referrals evenly
among all targets (with targets in the same site listed first).

Select Lowest Cost to direct clients to the closest target computer first using site link costs
(which you can define using the Active Directory Sites And Services console).

Select Exclude Targets Outside Of The Client’s Site if you would rather have clients fail
instead of accessing a target in a different Active Directory site.

Advanced - Choose from two polling configurations: Optimize for Consistency or Optimize
for Scalability.

Optimize for Consistency configures namespace servers to query the primary domain
controller (PDC) each time the namespace changes, which reduces the time it takes for
changes to the namespace to be visible to users. Optimize for Scalability reduces the
number of queries (thus improving performance and reducing utilization of your PDC).
Offline Files

Mobile users might need access to shared folders even when they’re disconnected from
your internal network. Offline Files makes this possible by allowing client computers to
automatically cache a copy of files on shared folders and by providing transparent access to
the files when the user is disconnected from the network. The next time the user connects to
the network, Offline Files synchronizes any updates and prompts the user to manually
resolve any conflicts.
To configure Offline Files caching for a shared folder

1. In Server Manager, select Roles\File Services\Share And Storage Management.


2. In the details pane, right-click the share you want to configure, and then choose
Properties.
3. In the Sharing tab, click Advanced.

In the Advanced dialog box, click the Caching tab, select one of the three options, and click
OK twice.
Only the files and programs that users specify are available offline - Users must
manually select the files they want to access while offline. This option works well when users
understand how to use Offline Files.

BranchCache improves the branch office experience by caching commonly used files
locally, either on a Windows Server 2008 R2 server or user workstations, rather than forcing
users to access files via centrally located network shares.
It acts like a proxy in that it works only when requested by a client user. The typical user
scenario where BranchCache will be useful is where a branch office has a slow link back to
the central office.

No files or programs from the share are available offline - Prevents users from
accessing Offline Files. This option is the best choice for confidential documents that should
not be stored on mobile computers.

All files and programs that users open from the share are automatically available
offline - Files that users access while connected to the network are automatically cached for
a limited amount of time. This option works well when users do not understand how to use
Offline Files.

Backing Up and Restoring Files


With previous versions of Windows, administrators needed to rely on non-Microsoft software
to back up servers. With Windows Server 2008, the operating system has useful backup
capabilities built in.

Shadow Copies
Shadow copies allow backup software to access files that are in use. If backup software
(including Windows Server Backup and non-Microsoft applications) needs to access a file
that’s in use by a different application, Volume Shadow Copy creates a shadow copy of the
file in its current state and then gives the backup process access to the shadow copy.
This allows the application that’s using the file to make updates without affecting the backup.

If an application updates a file after a shadow copy is made, Windows must store both the
original and changed portion of the file. Because shadow copies store only changes to files,
the storage requirements are significantly less than the full size of files being accessed.

Managing Shadow Copies from Windows Explorer

1. Run Computer Management from Administrative Tools > Computer Management


In Windows Explorer, right-click a volume, and then choose Configure Shadow Copies.
The Shadow Copies dialog box appears.

Select the volume for which shadow copies of shared folders are to be enabled. Click the
Enable button.
A shadow copy will be created immediately by default and it will be displayed in the Shadow
copies of selected volume section. You can disable the feature by clicking the Disable
button.

Click the Settings button. This will open the Settings dialog box.
In the Settings dialog box, provide the size limit for the shadow copies. Click the Schedule
button. This will open a window with the Schedule tab.

In the tab, users can create a new schedule or delete an existing schedule.
Click the OK button.
Windows Server Backup

Windows Server Backup copies an entire disk volume (for example, the volume Windows is
installed on) to a .vhd file on a second local disk. After performing a backup, you can restore
individual files or an entire volume. If Windows cannot start (for example, if the system
volume has failed), you can start the computer from the Windows installation media, restore
the system volume from the backup, and have the OS up and running in less than an hour.

To install the Windows Server Backup Features

Click on Start and then click on Server Manager

Right click the Features Node and then choose Add Feature
Scroll down on the features list and click to add Windows Backup Features.
Select either the Windows Server Backup check box (for graphical tools) or the Command-
Line Tools check box (to script backups), or both check boxes.

Install and Close Additional Features Wizard and Server Manager


To open the Backup utility, click Start, type Backup in the search box, and click the
Windows Backup result.

Click Actions and then Backup Once.


If you are creating the first backup of the domain controller, click Next to select Different
options.
Choose Custom and Click Next

Choose the C: drive and also Enable System Recovery


Choose Local Drives for Destination type. You could also back up your files to a network
drive location.

Choose Physical Drive E: as the destination for the backup in our example, then click Next.
If you are backing up to a remote shared folder, on the Specify remote folder page, type the
path to the shared folder, select Do not inherit under the Access Control section, and click Next.

Choose the default when specifying the advanced option; this lets you choose VSS copy
backup. If you have other backup products installed on your computer, it will not interfere
with them.
Click Backup on the Confirmation prompt.

The backup will now proceed. It will take some time, depending on how many applications,
roles, features and data you have on your server to be backed up.
Click Close on the Backup Completed screen.
Your backed-up files are present at the destination location, along with the Backup
Catalogue and Media ID information.

Windows creates a WindowsImageBackup folder in the root of the backup media.


Inside that folder, it creates a folder with the current computer’s name. It then creates a
Catalog folder containing the GlobalCatalog and BackupGlobalCatalog files and a “Backup
<year>-<month>-<date> <time>” folder containing the .vhd disk image file.
MORE INFO Installing VHDMount
Microsoft Virtual Server 2005 R2 SP1 includes VHDMount, a command-line tool for
mounting .vhd files so that you can browse their contents. This is an excellent way to extract
files from a Windows Server backup.
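
The Backup Once walkthrough above and the WindowsImageBackup folder layout it produces, scripted as an added example that is not part of the original document. It assumes the Command-Line Tools feature and Windows PowerShell are installed, an elevated prompt, and the walkthrough's C: source and E: destination; the function names are hypothetical.

```powershell
# Added example, not from the original document. Function names are hypothetical.
# Assumes: elevated prompt, Windows Server Backup Command-Line Tools installed,
# C: as the source volume and E: as the destination, as in the walkthrough.

function Start-OneTimeBackup {
    param(
        [string]$Target  = 'E:',   # backup destination (local volume)
        [string]$Include = 'C:'    # volume to back up
    )
    # -allCritical adds every volume needed for system recovery,
    # -quiet suppresses the confirmation prompt so the call can run unattended.
    & wbadmin.exe start backup "-backupTarget:$Target" "-include:$Include" -allCritical -quiet
    if ($LASTEXITCODE -ne 0) {
        throw "wbadmin start backup failed with exit code $LASTEXITCODE"
    }
}

function Test-BackupLayout {
    # Checks the folder structure described above:
    #   <target>\WindowsImageBackup\<computer name>\Catalog\{GlobalCatalog,BackupGlobalCatalog}
    #   <target>\WindowsImageBackup\<computer name>\Backup <date> <time>\*.vhd
    param([string]$Target = 'E:')
    $machineDir = Join-Path (Join-Path "$Target\" 'WindowsImageBackup') $env:COMPUTERNAME
    $problems = @()
    foreach ($name in 'GlobalCatalog', 'BackupGlobalCatalog') {
        if (-not (Test-Path (Join-Path $machineDir "Catalog\$name"))) {
            $problems += "missing Catalog\$name"
        }
    }
    $sets = @(Get-ChildItem $machineDir -ErrorAction SilentlyContinue |
              Where-Object { $_.PSIsContainer -and $_.Name -like 'Backup *' })
    if ($sets.Count -eq 0) {
        $problems += 'no "Backup <date> <time>" folder found'
    }
    foreach ($set in $sets) {
        $vhd = @(Get-ChildItem $set.FullName -Filter *.vhd -ErrorAction SilentlyContinue)
        if ($vhd.Count -eq 0) { $problems += "no .vhd image in '$($set.Name)'" }
    }
    return ,$problems   # the comma keeps an empty array from collapsing to $null
}

Start-OneTimeBackup -Target 'E:' -Include 'C:'
& wbadmin.exe get versions "-backupTarget:E:"   # list the backups wbadmin can see on E:

$issues = Test-BackupLayout -Target 'E:'
if ($issues.Count -gt 0) {
    $issues | ForEach-Object { Write-Warning $_ }
} else {
    'Backup layout on E: is complete.'
}
```

A backup job that reports success but leaves no catalog or no .vhd cannot be restored, so the layout check is worth running after every job.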

Scheduling Backups

Scheduling backups requires a dedicated local disk. You cannot use the Backup Schedule
Wizard to back up to a disk that will be used by other applications, and you cannot back up
to a shared folder on the network. After running the Backup Schedule Wizard, the backup
target disk will not be visible in Windows Explorer.

Open the Windows Server Backup console from the Administrative Tools and select Backup
Schedule from Action Panel.

On the Getting Started page of the Backup Schedule Wizard, click Next.
Select Custom on Backup Configuration Page and Press Next
Select C: (default) and D: on Backup Items.
Specify the time at which you want to run the backups.

Select Backup Destination and press Next. It will show a warning; press Yes to continue.
Press Next on Label Destination Disk.

On the Confirmation page, review your selections, and click Finish


Recovering Individual Files

You can restore individual files from a backup or a recent shadow copy

In Windows Explorer, right-click a file to restore, then choose Restore Previous Versions.
The properties dialog box appears with the Previous Versions tab selected.

Select the version you want to restore, and then click Restore.

Recovering Files or Volumes

To recover a server from a backup

Click Start, choose Administrative Tools, and then choose Windows Server Backup.
The Windows Server Backup console appears. In the Actions pane, click Recover.
The Recovery Wizard is launched. On the Getting started page you are asked to decide
where the backup files are located. Make a selection, then click Next.

On the Select Backup Date page, choose the backup date from which to recover. Click Next.
On the Select Recovery Type page, choose one of the following three options, and then
click Next.

Files and folders - Browse files that have been backed up and select specific files, folders, or
both to be recovered.
Applications - This option allows you to selectively restore application data.
Volumes - Allows you to restore an entire volume. However, you cannot use this to restore
the operating system volume.

If Files and folders was selected

If Applications was selected

Choose the application. You can confirm the details by clicking on View Details. This will
show you the files that will be restored.

Choose the option to Recover to original location and click Next


If Volumes was selected

On the Confirmation page, click Recover.


On the Recovery Progress page, click Close.

Recovering from a Backup When Windows Will Not Start

If Windows cannot start or if you need to recover the entire system volume from a backup,
you can start the computer from the Windows Server 2008 DVD and use the Windows
Complete PC Restore Wizard to recover the operating system.

1. Start the computer by using the Windows Server 2008 DVD


2. On the first screen Click Next.

Select the Repair your computer option in the lower-left corner of screen.

It will show you any currently installed operating systems. Click Next.
If this screen is blank you may have to load a third-party driver for your mass storage device.
You can click Load Drivers to load the mass storage driver from your USB flash drive.

Click Windows Complete PC Restore.

It will report “A valid backup location could not be found”. Click Cancel.
Select Restore a different backup, then Next.

Click Advanced.
If the network adapter driver is included with Windows Server 2008 you can click “Search for
a backup on the network”. If the network adapter driver is not included you have to click
“install a driver” and browse to your driver to load it.

Click Yes to the “Are you sure you want to connect to the network” prompt and then specify the path
of your backup. You can use an IP address instead to avoid any NetBIOS/DNS issues.

Select the location of the backup and then click Next.


Select the backup then Next.

You are presented with the restore options.


The exclude disks option enables you to exclude disks from the restore process.
The advanced button has the following options.

Click Finish to confirm the settings.



The computer will restart automatically or you can delay it

Exam Questions

You are an enterprise administrator for Certkiller. The corporate network of Certkiller
consists of a single Active Directory domain called Certkiller.com. The domain consists of a
file server that runs Windows Server 2008.
A network user of the company started restoring a critical large file by using the Previous
Versions tab. The user wanted to view the progress of the file restoration. Which of the
following options would you choose to view the progress of the file restoration?

A. Click on Sessions under the Shared Folders node in the Computer Management.
B. Click on Open Files under the Shared Folders node in the Computer Management
C. Run vssadmin.exe query reverts on the command prompt.
D. Run shadow.exe /v on the command prompt.
E. None of the above

Answer C
To view the progress of the file restoration, you need to run vssadmin.exe query reverts from
the command prompt.
The Windows Server 2003 Volume Shadow Copy Service can also be administered from the
command line by using the VSSAdmin tool that is included with Windows Server
2003. This tool replicates the features of the Shadow Copies tab of the volume Properties
screen and can be called from batch files and scripts. VSSAdmin does not follow the typical
"Command /switch" form, but instead uses a list of fixed commands to guide its function.
Query Reverts queries the status of in-progress revert operations.

Question
You are an enterprise administrator for Certkiller. The corporate network of the company
consists of a single Active Directory domain. All the servers in the domain run Windows
Server 2008. A member server called Certkiller Server1 has a SaleRecords folder created
on it on the D: drive.
The D:\SaleRecords folder is corrupted. The most recent backup version is
01/28/2008-09:00. Which of the following options would you choose to restore all the files in
the D:\SaleRecords folder back to the most recent backup version, without affecting other
folders on the server?

A. Run the Wbadmin start recovery -version:01/28/2008-09:00 -itemType:File
-items:d:\SaleRecords -overwrite -recursive -quiet command.
B. Run the Wbadmin start recovery -backuptarget:D: -version:01/28/2008-09:00
-overwrite -quiet command.
C. Run the Recover d:\SaleRecords command.
D. Run the Wbadmin restore catalog -backuptarget:D: -version:01/28/2008-09:00 -quiet
command.

Answer A

Explanation:
To restore all the files in the D:\SaleRecords folder back to the most recent backup
version without affecting other folders on the server, you need to run the Wbadmin start
recovery -version:10/29/2007-09:00 -itemType:File -items:d:\SaleRecords -overwrite
-recursive -quiet command.
Wbadmin start recovery runs a recovery based on the parameters that are specified. In the
above query, the -version 10/29/2007-09:00 specifies the version identifier of the backup to
recover, -itemtype:File specifies type of items to recover. In this case it is the file that needs
to be recovered. The -items:d:\SaleRecords specifies that d:\SaleRecords folder needs to be
recovered. -Overwrite causes Windows Server Backup to overwrite the existing file with the
file from the backup. -recursive will only recover files which reside directly under the
specified folder. And -quiet runs the subcommand with no prompts to the user.

Question
As an administrator at Certkiller.com, you install a member server named ebms1 that has
Windows Server 2008 as its primary operating system. The Terminal Services role is
installed on ebms1.
The Terminal Server user profiles are in a folder named UPT on a server called CKTS.
On CKTS3, a home folder is placed for each user. As you monitor CKTS, you find out that
there is only 5% of hard disk space remaining because the users are saving their files in
their profiles on CKTS instead of using their home folders. You have to limit the amount of
disk space allocated to each user to 200 MB. What should you do to achieve that?

A. On ebms1, configure a group policy object. Configure a default quota limit of 200
MB and set a warning level policy.
B. Create a new group policy object and link it to the CKTS. Configure the UPT folder to limit
the disk space quota to allocate 200 MB to all users.
C. Configure the disk quotas for the volume that hosts UPT folder. Limit the users to use
only 200 MB of space.
D. Configure each profile by activating disk quota on each profile. Apply folder redirection
settings to redirect the users to save their files on CKTS3
E. None of the above

Answer C

Explanation:
To limit the amount of disk space allocated to each user to 200 MB, you need to
configure the disk quotas for the volume that hosts UPT folder and then limit the users to use
only 200 MB of space.
Configuring a quota limit through group policy will not help in a Terminal Services scenario.
Also, disk quotas cannot be configured for each user profile; rather, they are configured on a
volume or a folder.

Question
Certkiller Server1 was accessed by many network users, who worked on the server and used
it to store data. To manage the server space, you configured quotas on the server. Which
of the following options would you choose to view each user's quota usage on a per folder
basis?

A. Run dirquota.exe quota list on the command prompt.
B. Create a File Screen using File Server Resource Manager.
C. Review the Quota Entries list from the properties of each volume.
D. Create a Storage Management report from File Server Resource Manager.
E. None of the above

Answer D

Explanation
To view each user's quota usage on a per folder basis, you need to create a Storage
Management report from File Server Resource Manager. File Server Resource Manager
allows you to create quotas to limit the space allowed for a volume or folder and generate
notifications when the quota limits are approached or exceeded. It also allows you to
generate storage reports instantly, on demand.
To manage storage resources on a remote computer, you can connect to the computer from
File Server Resource Manager. While you are connected, File Server Resource Manager will
display the objects created on the remote computer.

Question
You are an enterprise administrator for Certkiller. The corporate network of the company
runs Windows Server 2008 servers. One of the servers called Certkiller Server1 has file
server role installed on it.
Certkiller Server1 is accessed by 100 network users, who work on the server and use it to
store data. To manage the server space, you decided to configure quotas on the server.
Because too many quotas need to be configured, you decided to use a new quota template
to apply quotas to 100 folders. Which of the following options would you choose to modify
the quota settings for all 100 folders by using the minimum amount of administrative effort?

A. Modify the quota template.
B. Create a file screen template and apply it to the root of the volume that contains the
folders.
C. Delete and create the quota template again.
D. Create a new quota template, apply it to all the folders, and then modify the quota for
each folder.
E. None of the above

Answer A

Explanation:
To modify the quota settings for all 100 folders by using the minimum amount of
administrative effort, you can simply modify the quota template with the new settings that
you want for all the 100 folders.
If you base your quotas on a template, you can automatically update all quotas that are
based on a specific template by editing that template. This feature simplifies the process of
updating the properties of quotas by providing one central point where all changes can be
made.

Question
You are an enterprise administrator for Certkiller. The corporate network of Certkiller
consists of a file server that runs Windows Server 2008. All the network users store data on
the file server on a shared folder. Because the data stored by the network users is critical for
the company, you don't want to prevent users from storing data on the shared folder when they
exceed their 500 MB limit of data storage.
However, you want to receive a notification when a user stores more than 500 MB of data in
the shared folder. Which of the following elements would you create to accomplish this task?

A. A Passive Screening File Screen.
B. An Active Screening File Screen.
C. A soft quota.
D. A hard quota.
E. An indirect quota

Answer C

Explanation:
To allow users to store more than 500 MB of data in the shared folder and to receive a
notification when a user stores more than 500 MB of data in the shared folder, you need to
create a soft quota. A soft quota does not enforce the quota limit but generates all
configured notifications.
A hard quota cannot be used because it prevents users from saving files after the space limit
is reached and generates notifications when the volume of data reaches each configured
threshold.
