While you’d think Microsoft is luring organizations into using their cloud services as the main method for sharing files, most organizations have no need to share files beyond their organization’s borders or to access files in a web browser; as such, most organizations rely on file servers to share files among their employees. Today, I’ll show you how to transform a Server Core installation into a Dynamic Access Control-aware file server.

Both file sharing and the File Server role have been an integral part of Server Core installations since their inception.

In fact, Server Core installations have always been, by default, able to act as file servers after you configure the built-in firewall to allow SMB traffic. This way, you will end up with a functioning file server; however, I would only recommend doing so to transfer files, programs, and utilities to your Server Core installation. If you truly want to benefit from a Server Core installation, install some File Server Role Services on it.

Overview of File Services in Server Core

Just like the Certificate Services Server Role in the previous article, the File Server Server Role offers a couple of Server Role Services in two distinct categories:

  • File and iSCSI services
    • File Server
      The File Server Role Service allows you to manage file shares and enables users to access files on Server Core installations, from the network, using the Server Message Block (SMB) protocol.
    • BranchCache for Network Files
      BranchCache is a technology that allows computers in branch offices to cache commonly downloaded files from file and web shares on which BranchCache is enabled, and then provide those files to other computers in the branch office. The BranchCache for Network Files Role Service offers the caching functionality for file shares.
    • Data Deduplication
      Installing and configuring the Data Deduplication Role Service helps save disk space by storing a single copy of identical data on an NTFS-formatted volume.
    • DFS Namespaces
      DFS Namespaces enable you to group file shares that are located on different servers into one or more logically structured namespaces based on DNS names.
    • DFS Replication
      DFS Replication is used to replicate data between multiple servers over limited-bandwidth network connections and local area network connections.
    • File Server Resource Manager (FSRM)
      This Role Service enables scheduled storage reports, file classification, file quotas, and screening policies. It is a prerequisite for Dynamic Access Control (DAC).
    • File Server VSS Agent Service
      If you’re looking to perform volume shadow copies of applications that store data files on your file server, you’ll need this Role Service.
    • iSCSI Target Server and iSCSI Target Storage Provider (VDS and VSS)
      The iSCSI Target Server Role Service enables your Server Core installation to serve data on the iSCSI protocol. The iSCSI Target Storage Provider (VDS and VSS) Role Service allows for remote management through standard programs and for performing volume shadow copies.
    • Server for NFS
      If you’d like to share files with UNIX-based computers and other computers that use the network file system (NFS) protocol, this Role Service is for you.
  • Storage Services
    This Role Service enables basic file sharing and remote and local storage management functionality. In addition, it allows for creating storage pools and storage spaces.

By default, the Storage Services Role Service is the only File Server Role Service installed. This explains the ability to access the hidden and administrative shares (for example, C$) on your Server Core installation.

How to install File Services in Server Core

Before you can install any of the File Server Role Services, you’ll need to install the File and iSCSI Services Role Service. This can easily be done by running the following PowerShell one-liner (start off by typing PowerShell first, to get the PowerShell prompt):

Install-WindowsFeature File-Services

This way, the File Server Services Role (FS-Fileserver) will automatically be installed and the Windows Firewall will be configured to allow SMB traffic. Optionally, you can install one of the other Server Role Services. The table below shows the Role Service names you can use in combination with the Install-WindowsFeature PowerShell cmdlet:

File and iSCSI Services Role Description       File and iSCSI Services Role Feature Name
BranchCache for Network Files                  FS-BranchCache
Data Deduplication                             FS-Data-Deduplication
DFS Namespaces                                 FS-DFS-Namespace
DFS Replication                                FS-DFS-Replication
File Server Resource Manager                   FS-Resource-Manager
File Server VSS Agent Service                  FS-VSS-Agent
iSCSI Target Server                            FS-iSCSITarget-Server
iSCSI Target Storage Provider (VDS and VSS)    iSCSITarget-VSS-VDS
Server for NFS                                 FS-NFS-Service

Configuring File Services on Server Core

The following three scenarios show you the possibilities of the File Server Role on Server Core installations of Windows Server 2012:

Creating a basic file server

One of the easiest things to do is create a basic file server. In fact, you have already done that by installing the File and iSCSI Services Role Service above.

Now, to create some file shares for users, you could fire up Computer Management (compmgmt.msc) or the Shared Folders MMC snap-in (fsmgmt.msc) from a Windows 8 computer or a Server with a GUI installation of Windows Server 2012. Alternatively, you can create folders and shares from the command line.

For instance, to create a folder on the E:\ NTFS-formatted volume, give the built-in group Authenticated Users NTFS Modify rights, and share it as Groupdata with modify (Change) permissions on the share, use the following commands:

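rem Create the folder and grant Modify, inherited by files (OI) and subfolders (CI)
md E:\Groupdata
icacls E:\Groupdata /grant "Authenticated Users":(OI)(CI)(M)

PowerShell

# Share the folder with ABE, offline caching of documents, and required SMB encryption
New-SmbShare -Name Groupdata -Path E:\Groupdata -FolderEnumerationMode AccessBased -CachingMode Documents -EncryptData $True -ChangeAccess "Authenticated Users"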

How to create a file share

Oops. By using the New-SMBShare cmdlet, I already created a share with a couple of advanced features like Access-Based Enumeration (ABE), the caching mode, and encryption requirements for the SMB traffic. See how easy that is! 🙂
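To confirm that a share really ended up with the settings described above, the following added example (not part of the original article) audits one share for required SMB encryption, Access-Based Enumeration, and overly broad Full control grants at both the share and NTFS level. The function name Test-ShareHardening and the list of "broad" principals are assumptions made for this illustration.

```powershell
# Added example: audit one SMB share. Run in PowerShell on the file server.
function Test-ShareHardening {
    param(
        [Parameter(Mandatory)][string]$Name   # share name, for example Groupdata
    )

    $share    = Get-SmbShare -Name $Name -ErrorAction Stop
    $findings = @()

    # Transport and enumeration settings set by New-SmbShare in the article
    if (-not $share.EncryptData) {
        $findings += 'SMB encryption is not required (EncryptData is False)'
    }
    if ($share.FolderEnumerationMode -ne 'AccessBased') {
        $findings += 'Access-Based Enumeration is not enabled'
    }

    # Principals considered too broad for Full control (assumption for this example)
    $broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'

    # Share-level permissions
    foreach ($ace in Get-SmbShareAccess -Name $Name) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.AccessRight -eq 'Full' -and
            $broad -contains $ace.AccountName) {
            $findings += "Share ACL grants Full to $($ace.AccountName)"
        }
    }

    # NTFS permissions on the shared folder
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($rule in (Get-Acl -Path $share.Path).Access) {
        if ($rule.AccessControlType -eq 'Allow' -and
            $broad -contains $rule.IdentityReference.Value -and
            ($rule.FileSystemRights -band $full) -eq $full) {
            $findings += "NTFS ACL grants FullControl to $($rule.IdentityReference.Value)"
        }
    }

    [pscustomobject]@{
        Share     = $share.Name
        Path      = $share.Path
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-ShareHardening -Name Groupdata
```

An empty Findings list means the share matches the configuration this section describes; effective access is still the intersection of the share and NTFS permissions.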

Creating a DAC-aware file server

One of the neat new features of Windows Server 2012 is Dynamic Access Control. DAC allows you to grant access to files and folders, based on attributes of a user’s account in Active Directory or the account of the computer that user is working on.

First, if you haven’t already done so, you will need to make your file server a member of the Active Directory domain. Then, you will need to install the File Server Resource Manager File Server Role Service. The following PowerShell command is particularly useful (and short) to use for this purpose:

Install-WindowsFeature FS-Resource-Manager

Now, you can plan and create your Central Access Policies and automatic file classification, and roll out all this new stuff to your Server Core-based File Server through Group Policies. More information can be found here.
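Before rolling out Central Access Policies, it helps to verify the two prerequisites named above and to pull the resource property definitions from Active Directory into FSRM. The following is an added example, not part of the original article; the function name Test-DacReadiness is an assumption made for this illustration.

```powershell
# Added example: check DAC prerequisites on the file server and sync
# classification properties from Active Directory.
function Test-DacReadiness {
    $computer = Get-CimInstance -ClassName Win32_ComputerSystem
    $fsrm     = Get-WindowsFeature -Name FS-Resource-Manager

    $result = [pscustomobject]@{
        ComputerName       = $computer.Name
        Domain             = $computer.Domain
        DomainJoined       = [bool]$computer.PartOfDomain
        FsrmInstalled      = [bool]$fsrm.Installed
        ResourceProperties = @()
    }

    if ($result.DomainJoined -and $result.FsrmInstalled) {
        # Synchronize FSRM's property definitions with the resource
        # properties published in AD DS
        Update-FsrmClassificationPropertyDefinition

        # List what the server now knows about; properties that came
        # from AD carry the Global flag
        $result.ResourceProperties = @(
            Get-FsrmClassificationPropertyDefinition |
                Select-Object -Property Name, DisplayName, Flags
        )
    }

    $result
}

Test-DacReadiness | Format-List
```

If ResourceProperties stays empty on a domain-joined server with FSRM installed, no resource properties have been enabled and published in Active Directory yet.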

Enabling data deduplication on a file server

Another cool feature that’s new in Windows Server 2012 File Services is data deduplication. This feature allows you to cut up files into storage chunks, store identical chunks of data in the Storage Information folder of an NTFS-formatted volume, and then link to these identical chunks from multiple files, which drastically reduces the storage used over time.

To use this feature, first we’ll need to install the role service. The following PowerShell command will do exactly that:

Install-WindowsFeature FS-Data-Deduplication

Now, we only have to configure the data deduplication policy for the volume. In the example below, we’ll enable data deduplication on E:\ using PowerShell with default settings (you can change these with Set-DedupVolume afterwards):

Enable-DedupVolume E:

To get things rolling, we’ll run the following PowerShell command to start deduplication:

Start-DedupJob -Volume E: -Type Optimization

Enable data deduplication

Concluding

The File Server Role in Server Core installations of Windows Server 2012 is a very modular Server Role, allowing you to create highly available, highly performing File Servers, iSCSI target servers, and NFS servers.

1 Comment
  1. Martin 5 years ago

    When I try to connect from another computer through MMC, I get a message that RPC server is unavailable, probably because the connection is being blocked by firewall.

© 4sysops 2006 - 2023