Module 7: Providing

Network Access to File

Resources
Contents

Overview 1
Introduction to Shared Folders 2
Creating Shared Folders 3
Combining NTFS and Shared Folder
Permissions 13
Using Administrative Shared Folders 14
Publishing a Shared Folder in Active
Directory 16
Lab A: Sharing and Securing Network
Resources 17
Configuring Shared Folders by Using Dfs 25
Lab B: Configuring Domain-based Dfs 34
Review 40
Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.

 2000 Microsoft Corporation. All rights reserved.

Microsoft, Active Desktop, Active Directory, ActiveX, BackOffice, DirectX, FrontPage, JScript,
MS-DOS, NetMeeting, PowerPoint, Visual Basic, Visual Studio, Windows, Windows Media, and
Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the
U.S.A. and/or other countries.

Other product and company names mentioned herein may be the trademarks of their respective
owners.

Project Lead: Rick Selby

Instructional Designers: Kelly Bowen, Victoria Fodale (ComputerPREP),
H. James Toland III (ComputerPREP), Kathryn Yusi (Independent Contractor),
Barbara Pelletier (S&T Onsite)
Lead Program Manager: Andy Ruth (Infotec Commercial Systems)
Program Manager: Chris Gehrig (Infotec Commercial Systems),
Joern Wettern (Wettern Network Solutions)
Graphic Artist: Kimberly Jackson (Independent Contractor)
Editing Manager: Lynette Skinner
Editor: Kelly Baker (The Write Stuff)
Copy Editor: Kathy Toney (S&T Consulting)
Online Program Manager: Debbi Conger
Online Publications Manager: Arlo Emerson (Aditi)
Online Support: David Myka (S&T Consulting)
Multimedia Development: Kelly Renner (Entex)
Courseware Test Engineers: Jeff Clark, H. James Toland III (ComputerPREP)
Testing Developer: Greg Stemp (S&T OnSite)
Compact Disc Testing: Data Dimensions, Inc.
Courseware Testing: Data Dimensions, Inc.
Production Support: Carolyn Emory (S&T Consulting)
Manufacturing Manager: Rick Terek (S&T OnSite)
Manufacturing Support: Laura King (S&T OnSite)
Lead Product Manager, Development Services: Bo Galford
Lead Product Manager: Gerry Lang
Group Product Manager: Robert Stewart
Simulation and interactive exercises were built with Macromedia Authorware.
 Module 7: Providing Network Access to File Resources iii

Instructor Notes
Presentation: This module provides students with the knowledge and skill to set up shared
75 Minutes folders and to control access to the folders through permissions. This includes
combining shared folder permissions with NTFS file system permissions.
Labs:
60 Minutes At the end of this module, students will be able to:
! Explain the purpose and use of shared folders.
! Create shared folders.
! Combine NTFS permissions and shared folder permissions.
! Use Administrative shared folders.
! Publish a folder in the Active Directory™ directory service.
! Configure shared folders by using Distributed file system (Dfs).

Materials and Preparation

This section provides you with the required materials and preparation tasks that
are needed to teach this module.

Required Materials
To teach this module, you need the following:
• Microsoft® PowerPoint® file 2152B_07.ppt.

Preparation Tasks
To prepare for this module, you should:
! Read all of the materials for this module.
! Complete the labs.
! Study the review questions and prepare alternative answers to discuss.
! Anticipate questions that students may ask. Write out the questions and
provide the answers.
iv Module 7: Providing Network Access to File Resources

Module Strategy
Use the following strategy to present this module:
! Introduction to Shared Folders
Present an overview of shared folders, including their purpose and benefits.
! Creating Shared Folders
First, present the requirements for sharing a folder. Then, demonstrate
sharing a folder while explaining the options. Next, present shared folder
permissions. Emphasize that if there are conflicting permissions, being
denied a permission takes precedence over being granted the same
permission. Then, demonstrate how to grant shared folder permissions and
how to modify shared folder settings. Finally, demonstrate how to connect
to a shared folder using My Network Places, Map Network Drive, or the
Run command.
! Combining NTFS and Shared Folder Permissions
Present the information on combining NTFS and shared folder permissions.
Emphasize that the resulting permissions is the most restrictive of either the
combined NTFS permissions or the combined shared folder permissions.
! Using Administrative Shared Folders
Present the information about administrative shared folders. Emphasize that
these folders are automatically created by Microsoft Windows® 2000,
hidden from users who browse, and only accessible to users with
administrative privileges. In addition, mention that the Admin$ shared
folder is where Windows 2000 is installed.
! Publishing a Shared Folder in Active Directory
Present information on the benefits of publishing shared folders in Active
Directory. Emphasize that users can find a published shared folder even if
its physical location changes.
! Configuring Shared Folders by Using Dfs
First, provide an overview of Dfs, including its benefits. Emphasize that Dfs
provides a logical tree structures for folders and files that are physically
located anywhere on the network. Then, present the different types of Dfs
roots. Mention that a domain-based Dfs root provides fault tolerance. Next,
provide information on how a user gains access to files and folders in a Dfs
hierarchy. Emphasize that Dfs does not use separate NTFS permissions or
shared folder permissions for Dfs links.
Then, present information on creating a Dfs root. Demonstrate the process.
Follow this with information on adding Dfs links. Demonstrate the process.
Next, present information on configuring replicas. Mention the role of the
File Replication service (FRS) in keeping replicas automatically
synchronized.
 Module 7: Providing Network Access to File Resources v

Customization Information
This section identifies the lab setup requirements for a module and the
configuration changes that occur on student computers during the labs. This
information is provided to assist you in replicating or customizing Microsoft
Official Curriculum (MOC) courseware.

Important The lab in this module is also dependent on the classroom

configuration that is specified in the Customization Information section at the
end of the Classroom Setup Guide for course 2152B, Implementing Microsoft
Windows 2000 Professional and Server.

Lab Setup
To prepare student computers for the labs in this module, complete module 1,
“Installing or Upgrading to Windows 2000,” in course 2152B, Implementing
Microsoft Windows 2000 Professional and Server.

Lab Results
There are no configuration changes on student computers that affect replication
or customization.
• Performing the labs in this module introduces no configuration changes.
 Module 7: Providing Network Access to File Resources 1

Overview
Slide Objective
To provide an overview of
the module topics and
objectives. ! Introduction to Shared Folders
Lead-in ! Creating Shared Folders
In this module, you will learn
about providing network ! Combining NTFS and Shared Folder Permissions
access to files and network
resources in Windows 2000. ! Using Administrative Shared Folders
! Publishing a Shared Folder in Active Directory
! Configuring Shared Folders by Using Dfs

Defer any student questions As an administrator you must ensure that users can gain access to folders on the
about Dfs until the Dfs network that contain the files that they need to do their work. You can do this
section of this module. by sharing these folders. To enhance security, you can control who can gain
access to these shared folders. If the files and folders users need are stored
throughout the network, you can use Distributed file system (Dfs) to make it
easier for users to gain access to these files and folders.
At the end of this module, you will be able to:
! Explain the purpose and use of shared folders.
! Create shared folders.
! Combine NTFS file system permissions and shared folder permissions.
! Use Administrative shared folders.
! Publish a folder in the Active Directory™ directory service.
! Configure shared folders by using Dfs.
2 Module 7: Providing Network Access to File Resources

Introduction to Shared Folders

Slide Objective
To illustrate the use of
Apps
Apps Data
Data
shared folders.
Lead-in
You can use shared folders Sales
to provide network users
with access to files and
network resources. User

Server Hosting
Shared Folder
Shared Folders:
! Can Contain Applications, Data, or Users’ Personal Data
! Enable Centralized Administration

Use shared folders to provide users with access to files and folders across a
network. Users can connect to the shared folder over the network to access the
folders and files they contain. Shared folders can contain applications, data, or a
user’s personal data. Using shared application folders centralizes administration
by allowing you to install and maintain applications on a server instead of on
client computers. Using shared data folders provides a central location for users
to gain access to common files and makes it easier for you to back up data
contained in those files.
 Module 7: Providing Network Access to File Resources 3

# Creating Shared Folders

Slide Objective
To identify the topics related
to creating shared folders.
Lead-in ! Requirements for Sharing Folders
To share a folder, you must ! Sharing a Folder
have rights on the computer
where the folder resides. ! Shared Folder Permissions
! Granting Permissions and Modifying Shared Folder
Settings
! Connecting to Shared Folders

To share a folder, you must be a member of one of the groups that have the
rights to share folders on the type of computer where the folder resides.
When you share a folder, you can control access to the folder and its
contents by granting permissions to selected users and groups. You can also
control access to the folder by limiting the number of users who can
concurrently connect to the shared folder. After you create a shared folder,
you may want to modify the folder properties to stop sharing the folder,
change the shared folder name, or change user and group permissions to the
shared folder. Microsoft® Windows® 2000 also shares some folders
automatically for administrative purposes.
4 Module 7: Providing Network Access to File Resources

Requirements for Sharing Folders

Slide Objective Requirements Are Determined by:
To identify the requirements
for sharing folders. ! Whether the Shared Folders Are on a Domain or a Workgroup
Computer
Lead-in
To share a folder, you must ! The Type of Operating System Running on the Computer on
Which the Shared Folder Resides
be a member of the
Administrators, Server You
To Youmust
mustbe
beaa
Operators, or Power Users ToShare
ShareFolders
Folders member of
groups. member of
Administrators
Administratorsor
or
In
In aa Windows
Windows 2000
2000 Domain
Domain Server
ServerOperators
Operators

Administrators
Administratorsor
or
In
In aa Windows
Windows 2000
2000 Workgroup
Workgroup Power
PowerUsers
Users

On
On aa Client
Client Computer
Computer Running
Running Windows
Windows Administrators
Administratorsor
or
2000 Professional
2000 Professional Power
PowerUsers
Users

In Windows 2000, the only groups that can share folders are the Administrators,
Key Point Server Operators, and Power Users groups. These groups are default accounts
Groups with the ability to
share folders include the
that are installed in the User folder in Computer Management, or in the Builtin
Administrators, Server folder in Active Directory Users and Groups. The requirements for sharing
Operators, and Power Users folders are determined by the following:
groups.
! Whether the shared folder resides on a computer that is in a domain or in a
workgroup.
! The type of operating system running on the computer on which the shared
folder resides.

The following table describes who can share folders.

To share folders You must be a member of

In a Windows 2000 domain The Administrators or Server Operators group.

Note that the Power Users group can share folders
residing on a stand-alone server in a
Windows 2000 domain.
In a Windows 2000 workgroup The Administrators or Power Users group.

On client computer running The Administrators or Power Users group.

Windows 2000 Professional
 Module 7: Providing Network Access to File Resources 5

Sharing a Folder
Slide Objective Applications Properties

To illustrate the options for General Web Sharing Sharing Security

sharing folders. You can share this folder among other users on your
network. To enable sharing for this folder, click
Lead-in Share this folder.
The first step for sharing a Do not share this folder
folder is to assign it a Share this folder
shared folder name. Required
Required Share name: Applications

Comment: Application files

User Limit: Maximum allowed Optional

Allow Users

To set permissions for how users access

this folder over the network, click Permissions. Permissions

To configure settings for offline access to

Caching
this shared folder, click Caching.

OK Cancel Apply

When you share a folder, you give it a shared folder name, provide a comment
Delivery Tip
to describe the folder and its contents, limit the number of users who have
Demonstrate the steps to access to the folder, and grant permissions. You also have the option to share
share a folder. the same folder multiple times. This enables you to consolidate multiple shared
folders into one folder, while allowing users to use the same shared folder name
Mention to students that that was used before the folders were consolidated.
because some client
computers only see a limited To create a shared folder, right-click the folder in Windows Explorer, and then
number of characters in a click Sharing. On the Sharing tab, configure the options described in the
shared folder name when following table.
they connect, they should
be sure that all of the client Option Description
computers on their network
Share this folder Click to share the folder.
can see the shared folder
names they set up. Share name Enter the name that users from remote locations use to make a
connection to the shared folder. The default shared folder name is
the folder name. This option is required.
Note: Some client computers that connect to a share point only
see a limited number of characters.
Comment Enter an optional description for the shared folder name. The
comment appears in addition to the shared folder name when users
at client computers browse the server for shared folders. You can
use this comment to identify the contents of the shared folder.
6 Module 7: Providing Network Access to File Resources

(continued)

Option Description

User Limit Enter the number of users who can concurrently connect to the
shared folder. This option is not required. If you click Maximum
Allowed, Windows 2000 Professional supports up to 10
connections. Windows 2000 Server can support as many
connections as the number of licenses purchased.
Permissions Click to set the shared folder permissions that apply only when the
folder is accessed over the network. This option is not required.
By default, the Everyone group is granted the Full Control
permission for all new shared folders.
 Module 7: Providing Network Access to File Resources 7

Shared Folder Permissions

Slide Objective
To identify shared folder Shared
Shared Folder
Folder
permissions. Permissions
Permissions Data
Data
Lead-in Read
You can use shared folders Read
to provide network users Change
Change
with access to files and Full
FullControl
Control
network resources. User
! Shared Folder Permissions Are Cumulative
! Deny:
! Overrides all other permissions
! Is granted only if necessary

Users can be granted or denied permission to shared folders. Folder permissions

Key Points only apply to users who connect to the folder over the network; they do not
Using shared folders
centralizes administration
restrict access to users who gain access to the folder at the computer where the
and provides a central folder is stored. You can grant shared folder permissions to user accounts,
location for users to gain groups, and computer accounts.
access to common
resources. The Permissions
Shared folder permissions To control how users gain access to a shared folder, you use shared folder
apply to folders and not to permissions. Shared folder permissions apply to folders that are shared, not to
individual files. individual files. The following table describes what each of these permissions
allows a user to do.
If students want an example
of when they would grant Permission Allows the user to
permissions to a computer
Read Display folder names, file names, file data, and attributes; run
account, mention a specific
computer on which any user application files; and change folders within the shared folder.
that logs on to the computer Change Create folders; add files to folders; change data in files; append data to
should be able to access a files; change file attributes; delete folders and files; and perform
shared folder. actions permitted by the Read permission.
Explain that the Full Control Full Control Change file permissions; take ownership of files; and perform all tasks
permission is granted to the permitted by the Change and Read permission. By default, the
Everyone group by default Everyone group has this permission.
when you share a folder.
8 Module 7: Providing Network Access to File Resources

Key Points Important If you want to give only some users permission to a shared folder,
If an administrator only remove the Everyone group, otherwise all users have the Full Control
wants certain users to gain permission to the folder. If you change the permission for the Everyone group
access to a shared folder, to Deny, then all users are denied access to the shared folder including the users
the administrator must you want to have access to the file.
remove the default
Everyone group.

Make sure the students Permissions Are Cumulative

understand what the A user’s effective permissions for a resource are the combination of the shared
Everyone group is. folder permissions that you grant to the individual user account and the shared
folder permissions that you grant to the groups to which the user belongs. For
example, if a user has the Read permission for a folder and is a member of a
group with the Write permission for the same folder, then the user has both the
Read and Write permissions for that folder.

Denying Overrides Other Permissions

You can also deny shared folder permissions. Denied permissions override any
Key Point allowed permission set for user accounts and groups. It is recommended you
Denied permissions take
precedence over any
only deny shared folder permissions when you want to ensure specific users do
permission you otherwise not have access to a shared folder. If you deny shared folder permissions to a
grant for user accounts and user, the user will not have that permission, even if you allow that permission
groups. for a group of which the user is a member. If you simply do not grant a shared
folder permission to a user, that user could become a member of a group that
has the shared folder permission and would then have the permission.

Tip Use the Authenticated Users group instead of the Everyone group to assign
most rights and permissions. Doing so minimizes the risk of unauthorized
access because Windows 2000 makes only valid user accounts on the computer,
or in Active Directory, members of the Authenticated Users system group.
 Module 7: Providing Network Access to File Resources 9

Granting Permissions andg Modifying Shared Folder Settings

Slide Objective
To illustrate the dialog ! When You Grant Shared Folder Permissions:
boxes for granting
permissions and modifying $ A shared folder can reside on an hard disk formatted to
shared folders. NTFS, FAT, or FAT32 file system
Lead-in $ Users also need the appropriate NTFS permission on an
After you share a folder, you
NTFS volume
can specify which users ! You Can Modify Shared Folder Settings to:
have access to it by granting
shared folder permissions to $ Stop sharing a folder
selected user accounts and $ Modify the share name
groups. In addition, you can
always modify shared folder $ Modify permissions
settings.
$ Create multiple shares for a shared folder
$ Remove a share

After you share a folder, you can control which user accounts, groups, and
computers have access to it by using shared folder permissions. You can also
modify the existing shared folder settings.

Delivery Tip Granting Shared Folder Permissions

Demonstrate the steps to
You can grant shared folder permissions when the folder is on a drive formatted
grant shared folder
permissions.
to use the NTFS, FAT (file allocation table), or FAT32 file system.

Important For users to gain access to a shared folder on a NTFS volume, they
need the appropriate NTFS permissions for each file and folder in addition to
the shared folder permissions. You set NTFS permissions for files and folders
that reside on a NTFS volume on the Security tab in the Properties dialog box.

To grant shared folder permissions to user accounts, groups, and computer

accounts, perform the following steps:
1. Open the Properties dialog box for the shared folder. On the Sharing tab,
click Permission to open the Permissions dialog box.
2. Click Add. In the Select User, Groups, or Computers dialog box, click
Look in to see a list of domains (including the local computer) from which
you can select user account and group names.
3. Select the user account or group for which you want to grant permissions.
4. Select the Allow check box of the appropriate permissions for the user
account, group, or computer.
10 Module 7: Providing Network Access to File Resources

Modifying Shared Folder Settings

You can modify shared folders on the Sharing tab in the Properties dialog box
Delivery Tip for the folder.
Demonstrate the steps to
modify a shared folder The following table provides the different modifications you can make to
setting. shared folders and describes how to make them.
To Do this
Key Point
If an administrator modifies Stop sharing a folder Click Do not share this folder.
a shared folder name by
stop sharing and then re- Modify the share name Click Do not share this folder to stop sharing the folder, and
sharing a folder, the original then click Apply to apply the change. Click Share this
shared folder permissions folder, and then type the new shared folder name in the
are lost and have to be Share name box.
redone. Important: This removes all existing shared folder
permissions, which need to be recreated.
Modify shared folder Click Permissions. In the Permissions dialog box, add or
permissions remove users or modify permissions by selecting the user.
Then, select the individual permissions to allow or deny.
Share a folder multiple Click New Share to share a folder with an additional shared
times folder name. Use additional shared folder names to
consolidate multiple shared folders into one folder. This
allows users to continue to use the original shared folder
name. This option only appears when the folder is already
shared.
Remove a shared Click Remove Share. This option only appears after the
folder name folder has been shared more than once.

Key Points Important If you stop sharing a folder while a user has a file open, the user
If an administrator stops may lose data. If you click Do not share this folder, and a user has a
sharing a folder while a user connection to the shared folder, Windows 2000 displays a dialog box notifying
has a file open, the user you that a user has a connection to the shared folder.
may lose data. In addition, if
a user is connected to the
shared folder when an
administrator stops sharing
it, Windows 2000 displays a
dialog box notifying the
administrator of this
situation.
 Module 7: Providing Network Access to File Resources 11

Connecting to Shared Folders

Slide Objective 22 Open
11 Explore
To illustrate the options for Search for Computers…
connecting to a shared
folder. Map Network Drive…
My
My Network
Network Disconnect Network Drive…
Lead-in Places
Places
There are three ways to Map Network Drive
Create Shortcut
Windows can help you connect to a shared network
gain access to a shared folder and Rename
assign a drive letter to the connection so
folder on another computer. that you can access the folder using My Computer.
Specify theProperties
drive letter for the connection and the
folder that you want to connect to:
Run 33
Drive: E:
Type the name of a program, folder document, or Path: \\sales\public Browse...
Internet resource, and Windows will open it for you. Example: \\server\share
Open: \\sales\public Reconnect at logon
Connect using a different user name.
Connect to a Web folder or FTP site.
OK Cancel Browse...

<Back Finish Cancel

After you share a folder, users can gain access to the folder across the network.
Delivery Tip Users can gain access to a shared folder on another computer by using My
Demonstrate connecting to
a shared folder by using the
Network Places, Map Network Drive, or the Run command.
three different methods. If
you are short of time, show Using My Network Places
only one of the methods.
In many instances, the easiest way to gain access to a shared folder is to use My
Network Places.
To connect to a shared folder by using My Network Places, perform the
following steps:
1. Double-click My Network Places.
2. Enter the network path of the shared folder you want to connect to or click
Browse to find the computer on which the shared folder is located.
3. Double-click the shared folder to open it.

Note When you open a shared folder over the network, Windows 2000
automatically adds it to My Network Places.

Using Map Network Drive

Map a network drive if you want a drive letter and icon associated with a
specific shared folder. This makes it easier to reference the location of a file in a
shared folder. For example, instead of pointing to
\\Server\Shared_Folder_Name\File, you would point to Drive:\File. You use
drive letters to gain access to shared folders for which you cannot use a
universal naming convention (UNC) path, such as a folder for an older
application.
12 Module 7: Providing Network Access to File Resources

To map to a network drive, perform the following steps:

1. Right-click My Network Places, and then click Map Network Drive.
2. In the Map Network Drive wizard, select the drive letter that you want to
use.
3. Enter the name of the shared folder you want to connect to or click Browse
to find the shared folder.
To gain access to a shared folder that you will use on a recurring basis,
select Reconnect at logon to connect automatically each time you log on.

Using the Run Command

When you use the Run command to connect to a network resource, a drive
letter is not required, which allows for an unlimited number of connections that
are independent of available drive letters.
To connect a shared folder to a network drive, perform the following steps:
1. Click Start, and then click Run.
2. In the Run dialog box, enter a UNC path in the Open box, and then click
OK.
When you enter the server name in the Open box, a list of available shared
folder names appears. Windows 2000 gives you the option to choose one of
the entries based on the shared folders that are available to you.
 Module 7: Providing Network Access to File Resources 13

Combining NTFS and Shared Folder Permissions

Slide Objective
To illustrate the combination
of shared folder permissions Public
Public
and NTFS permissions. FC
Users
Users
Lead-in
One strategy for controlling Rules That Apply:
access to an NTFS volume Read
Read File1
! NTFS Permissions Are Required File1
is to share folders with the on NTFS volumes
default permissions and
then control access to these ! Users Must Have the Appropriate
folders by granting NTFS NTFS and Shared Folder Full
Full Control
Control File2
File2
permissions. Permissions
! The Most Restrictive of the
Combined Shared Permissions NTFS Volume
or the Combined NTFS
Permissions Applies

One strategy for controlling access to network resources on an NTFS partition

Delivery Tip is to share folders with the default shared folder permissions, and then to
Identify the group’s effective control access to these folders by granting NTFS permissions.
permissions for File1 and
File2 in the slide. When you share a folder on a partition formatted with NTFS, both the shared
folder permissions and the NTFS permissions combine to secure file resources.
NTFS permissions apply whether the resource is accessed locally or over a
network.
When you grant shared folder permissions on an NTFS volume, the following
Key Point rules apply:
When an administrator
combines NTFS and shared ! NTFS permissions are required on NTFS volumes. By default, the Everyone
folder permissions, the most groups has the Full Control permission.
restrictive of the combined
NTFS permissions or the ! Users must have the appropriate NTFS permissions for each file and
combined shared folder subfolder in a shared folder, in addition to shared folder permissions, in
permissions applies. order to gain access to those resources.
! When you combine NTFS permissions and shared folder permissions, the
resulting permission is the most restrictive permission of the combined
shared folder permissions or the combined NTFS permissions.
14 Module 7: Providing Network Access to File Resources

Using Administrative Shared Folders

Slide Objective ! Administrators Use Administrative Shared Folders to
To identify hidden
administrative shared
Perform Administrative Tasks
folders. ! Administrative Shared Folders Are Hidden From Normal
Lead-in Users
Windows 2000 provides
hidden shared folders for ! Administrators Have the Full Control Permission
administrative purposes.
Share
Share Purpose
Purpose
C$,
C$,D$,
D$,E$
E$ The
The root
root of
of each
each partition
partition isis automatically
automatically shared
shared

Admin$
Admin$ The
The C:\Winnt
C:\Winnt folder
folder isis shared
shared as
as Admin$
Admin$
The
The folder
folder containing
containing the
the printer
printer driver
driver files
files isis shared
shared
Print$
Print$ as
as Print$
Print$ (created
(created when
when the
the first
first printer
printer isis created)
created)

Windows 2000 automatically shares folders that enable you to perform

Key Points administrative tasks. These shared folders are appended with a dollar sign ($).
Administrative shared
The dollar sign hides the shared folder from users who browse the computer in
folders are hidden from
users that browse their
My Network Places. The root of each drive including hard drives and
computers. CD-ROMs, the systemroot folder, and the location of the printer drivers are all
hidden shared folders that Windows 2000 creates automatically.
The Admin$ is the
systemroot folder.
Administrators can use a
shared folder name to gain
access to Windows 2000
without knowing the name of
the folder it is installed in.
Delivery Tip
Demonstrate creating a
hidden shared folder by
appending a dollar sign to
the shared folder name.
 Module 7: Providing Network Access to File Resources 15

By default, members of the Administrators group have the Full Control

permission for administrative shared folders. You cannot modify the
permissions on administrative shared folders. The following table describes the
purpose of the administrative shared folders that Windows 2000 automatically
provides.
Shared
Folder Purpose

C$, D$, These shared folders are used to remotely connect to a computer and
E$, and so perform administrative tasks. The root of each partition on a hard disk is
on automatically shared. When you connect to this folder, you have access to
the entire partition.
Admin$ The systemroot folder, which is C:\Winnt by default. Administrators can
gain access to this shared folder to administer Windows 2000 without
knowing the folder in which it is installed.
Print$ This folder provides access to printer driver files for client computers.
When you install the first shared printer, the
Systemroot\System32\Spool\Drivers folder is shared as Print$. Only
members of the Administrators, Server Operators, and Print Operators
groups have Full Control permission. The Everyone group has Read
permission.

Hidden shared folders are not limited to those that Windows 2000 automatically
creates. You can share additional folders and append a dollar sign ($) to the
end of the shared folder name. Then, only users who know the folder name can
gain access to it. These hidden folders are not considered administrative shared
folders.
16 Module 7: Providing Network Access to File Resources

Publishing a Shared Folder in Active Directory

Slide Objective Server1
To illustrate the process of Active Directory
publishing folders in Active Publish
Publish to
to Active
Active
Folder1
Folder1 Directory ed
Directory. Directory lis h
Pub
Lead-in er 1
Fold er2
In Windows 2000, you can Server2 Fold
publish shared folders in
Active Directory. This
Folder2 Publish
Publish to
to Active
Active
method of sharing makes it Folder2
Directory
Directory
very convenient to locate a
shared folder.
! Users Can Easily Find Shared Folders Even if the
Physical Location of the Folders Changes
! You Can Publish Any Shared Folders That Are
Accessible by a UNC Name

Publishing resources, including shared folders, in Active Directory enables

Key Points users to search Active Directory and find resources on the network even if the
Publishing a shared folder in
Active Directory, enables
physical location of the resources changes. For example, if you move a shared
users to find the folder even folder to another computer, all shortcuts pointing to the Active Directory object
if its physical location that represents the published shared folder will continue to work, as long as you
changes. update the reference to the physical location. Users do not have to update their
connections.
To be published, a shared
folder must be accessible by You can publish any shared folder in Active Directory that can be accessed by
a UNC name. using a UNC name. After a shared folder is published, a user at a computer
running Windows 2000 can use Active Directory to locate the object
representing the shared folder and then connect to the shared folder.
To publish a shared folder in Active Directory, perform the following steps:
Delivery Tip
Demonstrate the steps for 1. Open Active Directory Users and Computers from the Administrative
publishing a shared folder in Tools menu.
Active Directory.
2. In the console tree of Active Directory Users and Computers, right-click the
domain in which you want to publish the shared folder, point to New, and
then click Shared Folder.
3. In the Shared Folder Name box, type the folder name as you want it to
appear in Active Directory.
4. In the Network Path box, type the path to the shared folder (UNC name),
and then click OK.
Administrators and users can find information in Active Directory by using
the Search command on the Start menu, My Network Places on the
desktop, or Active Directory Users and Computers.
 Module 7: Providing Network Access to File Resources 17

Lab A: Sharing and Securing Network Resources

Slide Objective
To introduce the lab.
Lead-in
In this lab, you will share a
folder and assign
permissions. Then, you will
configure shared folder
settings.

Explain the lab objectives.

Objectives
After completing this lab, you will be able to:
! Share a folder.
! Assign shared folder permissions to user accounts and groups.
! Connect to a shared folder.
! Stop sharing a folder.
! Determine the effects of combining shared folder and NTFS file system
permissions.

Prerequisites
Before working on this lab, you must have knowledge of how Windows 2000
uses shared folder and NTFS permissions to secure access to networks.

Lab Setup
To complete this lab, you need a computer running Windows 2000 Advanced
Server configured as a member server of the nwtraders.msft domain.

Estimated time to complete this lab: 30 minutes

18 Module 7: Providing Network Access to File Resources

Exercise 1
Sharing Folders

Scenario
Users on your network need to gain access to a number of applications on a server that you
administer. You have already installed the applications in a folder, named Apps, and have assigned
NTFS permissions on all of the application folders within. You now need to share the Apps folder
and configure the permissions for it so that the users can access the folder from the network.

Goal
In this exercise, you will create share points on your member server to provide access to the Apps
folder from the network.

Tasks Detailed Steps

1. Log on to nwtraders as a. Log on using the following information:

Adminx (where x is your User name: Adminx (where x is your assigned student number)
student number) with the Password: domain
password of domain and Log on to: nwtraders
share the b. In Windows Explorer, navigate to the
C:\MOC\Win2152b\Labfiles C:\MOC\Win2152b\Labfiles\Lab07\Apps folder.
\Lab7\Apps folder as Apps.
c. Open the Properties dialog box for the Apps folder, and then click the
Sharing tab.

Note: Notice that the Apps folder currently is not shared.

1. (continued) d. Click Share this folder.

The share name defaults to the name of the folder. If you
wanted the share name to be different from the name of the
folder, you would change it here.
e. In the Comment box, type Shared Applications and then click OK.

How does Windows Explorer change the appearance of the Apps folder to indicate that it is a shared folder?
(You may have to refresh your screen by pressing F5.)
Windows Explorer shows an icon of a hand holding the Apps folder. The icon indicates that the
folder is shared.
 Module 7: Providing Network Access to File Resources 19

Exercise 2
Assigning Shared Folder Permissions

Scenario
You have shared the folder that contains the applications used by all the employees of your
company, giving users the ability to connect to it over the network. Even though you have
configured NTFS permissions to provide user rights, company policy dictates that the default
permissions for the folder be removed and replaced with the permissions listed in the company
policy.
To configure share permissions, you must determine what the current permissions are for the shared
applications folder, and then assign shared folder permissions to groups in your domain in
accordance with company policy.

Goal
In this exercise, you will modify the default share permissions on the Apps folder to limit access
rights to a specific group of users.

Tasks Detailed Steps

1. Determine the current a. Open the Properties dialog box for Apps.
permissions for the Apps b. On the Sharing tab, click Permissions.
shared folder.

What are the default permissions for the Apps shared folder?
Everyone has Full Control.

2. Remove the default a. In the Permissions for Apps dialog box, verify that Everyone is
permissions and assign the selected, and then click Remove.
Full Control permission to b. Click Add.
the local Administrators
group. c. In the Look in box, click Server (where Server is your assigned
computer name).
d. Under Name, click Administrators, click Add, and then click OK.
20 Module 7: Providing Network Access to File Resources

Tasks Detailed Steps

What type of access does the Administrators group have?

Read permission.

2. (continued) e. Under Permissions, allow the Administrators group the Full Control
permission, and then click OK.
f. Click OK to close the Apps Properties dialog box, and then close
Windows Explorer.
 Module 7: Providing Network Access to File Resources 21

Exercise 3
Connecting to a Shared Folder

Scenario
You have installed a number of applications, configured NTFS permissions to limit access to the
different applications, and configured a share to provide your network users with access to those
applications across the network. You now need to verify that users can connect to the applications
folder from other computers on the network by using various methods to connect to the shared
applications folder.

Goal
In this exercise, you will log on as a user that should have limited access rights to the shares created
in earlier exercises in order to verify that access is limited as expected.

Tasks Detailed Steps

1. Connect to the shared Apps a. Click Start, and then click Run.
folder on your computer by b. In the Open box, type \\Server (where Server is your assigned
using the Run command. computer name), and then click OK.

Which shared folders are currently available?

In addition to the share you just created, the Printers, Colorpri, Reports, and Scheduled Tasks
folders are available. Any shared printers also appear. On a domain controller, the Netlogon and
Sysvol folders are also shared.

Note: Normally you would connect to another computer to verify the functionality of a shared folder. For the
purpose of this lab, you will connect to your computer.

1. (continued) c. Double-click Apps to confirm that you can gain access to the folder.
d. Close the Apps on Server (where Server is your computer name)
window.

2. Map a network drive to the a. Right-click My Network Places, and then click Map Network Drive.
shared folder on the b. In the Drive box, click P.
instructor computer
\\London\Corpdata by using c. In the Folder box, type \\london\corpdata
Map Network Drive. d. Clear the Reconnect at logon check box.
Note: You will gain access to this shared folder in this exercise only. Disabling the option to reconnect will
ensure that Windows 2000 does not automatically attempt to reconnect to this shared folder later.
22 Module 7: Providing Network Access to File Resources

Tasks Detailed Steps

2. (continued) e. To complete the connection, click Finish.

Windows Explorer opens, showing the contents of the new
shared folder. Notice that the title bar displays Corpdata on
London.
f. Close the Corpdata on London window.
g. Open My Computer, and then locate Corpdata on London (P:).

How does My Computer indicate that this drive points to a remote shared folder?
My Computer uses an icon that shows a network cable attached to the drive. The icon indicates a
mapped network drive.

3. Disconnect the mapped a. In My Computer, right-click CorpData on London (P:), and then
network drive from the click Disconnect.
shared CorpData folder on b. Close My Computer, and then log off.
the instructor computer
using My Computer.
4. Log on to nwtraders as a. Log on using the following information:
Studentx (where x is your User name: Studentx (where x is your assigned student number)
assigned student number) Password: domain
with the password of Log on to: nwtraders
domain and attempt to b. Right-click My Network Places, and then click Map Network Drive.
connect to the shared
CorpData folder on the c. In the Drive box, click P.
instructor computer. d. In the Folder box, type \\london\corpdata
e. Clear the Reconnect at logon check box if necessary, and then click
Finish.

Windows 2000 displays a message indicating that access is

denied.

Why were you denied access to the CorpData shared folder?

Because the user account that you used to log on does not have the required permissions to gain
access to the shared folder. Only the Administrators group can gain access to the CorpData shared
folder.

4. (continued) f. Click OK to close the message.

 Module 7: Providing Network Access to File Resources 23

(continued)

Tasks Detailed Steps

5. Connect to the shared a. Right-click My Network Places, and then click Map Network Drive.
CorpData folder as Adminx b. In the Drive box, click P:\London\Corpdata.
(where x is your assigned
student number) with the c. In the Folder box, type \\London \Corpdata
password of domain. d. Click Connect using a different user name.
e. In the Connect As dialog box, in the User name box, type Adminx
(where x is your assigned student number).
f. In the Password box, type domain and then click OK.
g. Clear the Reconnect at logon check box if necessary, and then click
Finish.
A message appears, indicating that drive P is already
connected. This is because there is an IPC connection from
the previous attempt.
h. Click Yes to replace the current connection.

In Windows Explorer, can you gain access to drive P? Why or why not?
Yes. The Adminx account has the appropriate permissions to gain access to the shared folder.

5. (continued) i. Close all windows, and log off.

24 Module 7: Providing Network Access to File Resources

Exercise 4
Removing a Folder Share

Scenario
You need to perform extensive changes to the applications folder and need to prevent users
from accessing the files while you are making changes. You will stop sharing the folder in
order to prevent users from connecting.

Goal
In this exercise, you will stop sharing the Apps folder on your member server.

Tasks Detailed Steps

1. Log on to nwtraders as a. Log on using the following information:

Adminx (where x is your User name: Adminx (where x is your assigned student number)
student number) with the Password: domain
password of domain and Log on to: nwtraders
stop sharing the Apps folder. b. In Windows Explorer, navigate to the
C:\MOC\Win2152b\Labfiles\Lab07 folder.
c. Open the Properties dialog box for the Apps folder.
d. On the Sharing tab, click Do not share this folder, and then click OK.
Windows 2000 no longer displays the icon that identifies Apps
as a shared folder.
e. Close Windows Explorer.
f. Click Start, and then click Run.
g. In the Open dialog box, type \\Server\Apps (where Server is your
computer name), and then click OK.

Were you able to make a connection to \\Server\Apps?

No. The folder is no longer shared.

1. (continued) h. Click OK to close the message, click Cancel to close the Run dialog
box, and then log off.
 Module 7: Providing Network Access to File Resources 25

# Configuring Shared Folders by Using Dfs

Slide Objective
To introduce the topics for
configuring shared folders
by using Dfs. ! Introduction to Dfs
Lead-in ! Types of Dfs Roots
Dfs provides a mechanism
for administrators to create ! Accessing Files Resources Through Dfs
logical views of folders and
files, regardless of where ! Creating a Dfs Root
those files are physically
located on the network. ! Adding Dfs Links
! Adding Replicas for Fault Tolerance
! Configuring Replication

With more and more files being distributed across local area networks (LANs),
administrators face growing problems as they try to provide users with the
access that they need. Dfs provides a mechanism for administrators to create
logical views of folders and files, regardless of where those files are physically
located on the network. Dfs also allows administrators to distribute shared
folders and workloads across several servers for more efficient network and
server resource use. Fault-tolerant network storage resources are also available
by using Dfs. Domain-based Dfs features ensure that users can continue to gain
access to shared folders even if a server becomes unavailable.
26 Module 7: Providing Network Access to File Resources

Introduction to Dfs
Slide Objective Dfs
Dfs Tree
Tree Structure
Structure Server1
To illustrate the structure of
Dfs. Sales Data
Sales Data
Lead-in North
Dfs
Dfs Root
Root
Dfs organizes shared North
folders and simplifies East
navigation to the shared Dfs
Dfs Links
Links
South East
folders.
West Server2

With
WithDfs
Dfsyou
youcan:
can: Sales Data

!! Organize
Organizeresource
resource South
!! Facilitate
Facilitatenavigation
navigation
West
!! Facilitate
Facilitateadministration
administration
!! Preserve
Preservepermissions
permissions

Explain to students that Dfs Dfs is a service that provides a single point of reference and a logical tree
provides a single network structure for file system resources that may be physically located anywhere on
access point that Dfs clients the network. Using Dfs to share network resources across the network, provides
can use for accessing the following benefits:
resources located on
several servers. ! Organizes resources. Dfs uses a tree structure that contains a root and Dfs
links. A Dfs link is a portion of the Dfs hierarchy. Each Dfs root can have
multiple links beneath it, each of which points to a shared folder.
! Facilitates navigation. A user who navigates through a Dfs tree does not
Key Point need to know the name of the server that physically stores the resource to
Users can easily navigate
through a Dfs tree without
locate a specific resource on the network. After connecting to a Dfs root,
knowing the physical users can browse and gain access to all resources below the root, regardless
location of the folder or file of the physical location of the server on which the resource is located.
they are seeking. ! Facilitates administration. Dfs simplifies the administration of multiple
shared folders. If a server fails, you can move the location of the shared
folder from one server to another without users being aware of the change.
Users continue to use the same path for the link.
! Preserves permissions. A user can gain access to a shared folder through
Dfs as long as the user has the required permission to gain access to the
shared folder.

Note Only client computers with Dfs client software can gain access to Dfs
resources. Computers running Windows 2000, Microsoft Windows NT®
version 4.0, and Microsoft Windows 98 include Dfs client software. You must
download and install a Dfs client on computers running Microsoft Windows 95.
 Module 7: Providing Network Access to File Resources 27

Types of Dfs Roots

Slide Objective
To identify the two types of ! A Dfs Root Represents the Highest Level of the Dfs
Dfs roots. Topology
Lead-in
You have the option of
! The Types of Dfs Roots Are:
establishing either a stand-
alone Dfs root or a domain- Stand-
Stand-Alone Dfs
Stand-Alone DfsRoot
Root Domain-
Domain-Based Dfs
Domain-Based DfsRoot
Root
based Dfs root.
!! Is
Is stored
storedon
onaasingle
singlecomputer
computer !! Hosted
Hosted on
on aadomain
domaincontrollers
controllers or
or
!! Does member
memberserver
server
Does not
notuse
useActive
ActiveDirectory
Directory
!! Cannot !! Has
Has its
its Dfs
Dfs topology
topology automatically
automatically stored
stored
Cannothave
haveroot-level
root-levelDfs
Dfs shared
shared
folders ininActive
ActiveDirectory
Directory
folders
!! Can !! Can
Canhave
haveroot-level
root-level Dfs
Dfs shared
sharedfolders
folders
Canhave
have only
only aasingle
singlelevel
level ofof Dfs
Dfs
links
links !! Can
Canhave
have multiple
multiplelevels
levels ofof Dfs
Dfs links
links

A Dfs root is the highest level of the Dfs topology and is the starting point for
Key Points the hierarchy of shared folders. A Dfs root can be defined at the domain level or
A stand-alone Dfs root
provides no fault tolerance
at the server level. A domain may have any number of Dfs roots, but each
because the Dfs topology is server running Windows 2000 can host only one Dfs root. You can configure
stored on a single computer. the following types of Dfs roots:

A domain-based Dfs root

! Stand-alone Dfs roots. This Dfs root is hosted on a single computer and the
provides fault tolerance Dfs topology is stored on that computer. A stand-alone Dfs root provides no
because the Dfs topology is fault tolerance if the computer that stores the shared folders or Dfs topology
stored in Active Directory. fails. Fault tolerance ensures data integrity when a hardware failure occurs.
In addition, a stand-alone Dfs cannot have root-level Dfs shared folders and
supports only a single level of Dfs links.
! Domain-based Dfs roots. This Dfs root is hosted on several domain
controllers or member servers and the Dfs topology is stored in Active
Directory. Because changes to a Dfs tree are automatically synchronized
with Active Directory, you can restore a Dfs tree topology if the server
hosting a Dfs root should fail. In addition, a domain-based Dfs root can have
root-level Dfs shared folders and can support multiple levels of Dfs links.

Note You can only use domain-based Dfs roots on computers that are
members of a domain.
28 Module 7: Providing Network Access to File Resources

Accessing File Resources Through Dfs

Slide Objective Server Hosting
To describe how to gain Dfs Root
access to file resources
through Dfs.
Sales
Sales Data
Data
Lead-in
You gain access to file 11
resources through Dfs in the North
22
same way that you gain
access to other shared
East
folders. The process of
Sales
Sales Data
Data
gaining access is
3
transparent to users.
Client
Clientconnects
connectsto
toaaDfs
Dfsserver
server
South
Client
Clientreceives
receivesaareferral
referralto
tothe
theDfs
Dfslink
link Server1

Dfs
Dfsclient
clientconnects
connectsto
tothe
theDfs
Dfslink
link

Explain the three steps on Because a Dfs hierarchy appears just as a regular folder hierarchy, users can
the slide. gain access to file resources through Dfs in the same way that they gain access
Key Points to regular shared folders. The difference is that Dfs provides users with a single
When a Dfs client connects access point for resources that can be located in several physical locations.
to a Dfs root, the Dfs client Users can navigate through Dfs by using Windows Explorer.
sees all first-level Dfs links.
When a user connects to a Dfs root, the user sees all first level Dfs links as
When a Dfs client connects folders in the Dfs root. The user can then connect to one of the Dfs links by
to a Dfs link, it requests the opening the folder that the link represents. The user can also directly connect to
location of the shared folder a Dfs link. Whenever a user accesses a Dfs link, the following happens:
representing the Dfs link.
1. The Dfs client establishes a connection to the server that hosts Dfs.
2. The server that hosts Dfs returns the physical location of the shared folder
that the Dfs link represents.
3. The Dfs client establishes a connection with the server that contains the
shared folder. The Dfs client then caches this referral so that it can continue
to connect to the shared folder represented by the Dfs link without
contacting the server hosting the Dfs root again. Periodically the Dfs client
contacts the server hosting the Dfs root to update the referral.

Important Dfs does not use separate NTFS permissions or shared folder
permissions for Dfs links. Windows 2000 applies all permissions that you
assign to the shared folder to which the Dfs link points.
 Module 7: Providing Network Access to File Resources 29

Creating a Dfs Root

Slide Objective
To identify the options for To
To Create
Create aa Dfs
Dfs Root
Root
creating a Dfs root.
Lead-in Open
OpenDistributed
DistributedFile
FileSystem
System
When you create a Dfs root,
you select the type of Dfs
root, specify a host domain Select
Selectthe
the New
New Dfs
Dfs Root
Root Option
Option
or host server, assign a
shared folder to host the Dfs Configure
Configurethe
theCreate
CreateNew
NewDfs
DfsRoot
Root Wizard
Wizard
root, and then name the Dfs Options:
Options:
root. Select
Select Dfs
DfsRoot
RootType
Type
Specify
SpecifyDomain
Domainto to Host
Host Dfs
Dfs
Specify
SpecifyServer
Server to
to Host
Host Dfs
Dfs
Specify
SpecifyShare
Sharefor
for Dfs
DfsRoot
Root
Provide
ProvideName
Namefor
for Dfs
Dfs Root
Root

When you create a Dfs root, you select the type of Dfs root, specify a host
domain or host server, assign a shared folder to host the Dfs root, and then
name the Dfs root. For a standalone Dfs root, client computers connect to a
server and shared folder. For a domain-based Dfs root, client computers connect
to a domain and a shared folder. To create a domain-based or stand-alone Dfs
root, perform the following steps:
1. On the Administrative Tools menu, click Distributed File System.
Delivery Tip
Demonstrate the steps for 2. On the Action menu, click New Dfs Root.
creating a Dfs root.
3. In the Create New Dfs wizard, configure the options that are described in
Explain that the steps for
the following table.
creating a domain-based Option Description
and stand-alone Dfs root are
similar. Select the Dfs root type Selects the type of Dfs root that you want to create.
Click Create a domain Dfs root or Create a
standalone Dfs root.
Specify the host domain for Specifies the domain that stores the Dfs topology.
the Dfs root A domain can host multiple Dfs roots.
-or-
Specify the host server for Specifies the first host server, which is the initial
the Dfs root connection point for all resources in the Dfs tree.
You can create a Dfs root on any server running
Windows 2000.
Specify the Dfs root share Specifies the shared folder to host the Dfs root.
You can choose an existing shared folder or create
a new shared folder.
Name the Dfs root Provides the descriptive name for the Dfs root that
Windows Explorer displays.
30 Module 7: Providing Network Access to File Resources

Adding Dfs Links

Slide Objective
To identify the options for To
To Add
Add aa Dfs
Dfs Link
Link
adding Dfs links.
Lead-in Select
Select the
the Dfs
DfsRoot
Root
A Dfs link exists below the
Dfs root and can refer to a
shared folder with or without Select
Select the
the New
New Dfs
DfsLink
LinkOption
Option
subfolders.
Configure
Configurethe
theAdd
AddtotoDfs
DfsDialog
Dialog Box
Box
Options
Optionsby
bySelecting:
Selecting:
Link
Linkname
name
Send
Sendthe
theuser
user to
tothis
this shared
sharedfolder
folder
Comment
Comment
Clients
Clientscache
cachethis
thisreferral
referralfor
for
xxseconds
seconds

A link is mapped to a standard shared folder on the network. A new Dfs link
can refer to a shared folder with or without subfolders. A Dfs link can also point
to another Dfs root. This configuration allows you to create a large Dfs tree that
combines other Dfs trees.
To add a Dfs link, perform the following steps:
Delivery Tip
Demonstrate the steps for 1. In Distributed File System, click the Dfs root to which you will add a Dfs
adding a Dfs link. link.
2. On the Action menu, click New Dfs Link.
3. In the Add to Dfs dialog box, configure the options described in the
following table.
Option Description

Link name Specifies the logical name for a subfolder of a Dfs root.
The link name appears as a folder in the Dfs logical
hierarchy and is the name users will see when they
connect to Dfs.
Send the user to this Specifies the physical location of the shared folder to
shared folder which the link refers.
Comment Additional information (optional) to help keep track of
the shared folder.
Clients cache this Length of time for which client computers cache a
referral for x seconds referral to a Dfs link. After the referral time expires, a
client computer queries the Dfs server about the
location of the link, even if the client computer has
previously established a connection with the link.
 Module 7: Providing Network Access to File Resources 31

Adding Replicas for Fault Tolerance

Slide Objective
To illustrate the use of Sales
Sales
replicas for fault tolerance. Dfs
Data
Data
Sales
Sales Data
Data Dfs Share
Share
Lead-in North Sales
Sales
Configuring multiple replicas Data
Data
of a Dfs link creates fault North Server1
tolerance. East North

East Server2
East

Replicas Provide: Sales

Sales
Data
Data
! Fault Tolerance
North
! Load Balancing
Server3
East

A replica is another instance of a Dfs link. Copies of a Dfs link reside on at

Key Point least one other server. These replicas provide fault tolerance. When one replica
Replicas provide fault
tolerance and load
of a Dfs link becomes unavailable (for example, because the computer hosting
balancing. the replica is unavailable), Dfs clients automatically connect to the other
replica. This ensures uninterrupted access to shared folders. In addition, when
multiple client computers connect to a Dfs link that has multiple replicas, these
client computer requests are distributed across all of the servers hosting the
replicas. This load balancing ensures that users experience faster response times
because multiple servers are simultaneously responding to client computer
requests.
To add a replica, perform the following steps:
1. In Distributed File System, right-click the Dfs link for which you want to
create a new replica, and then click New Replica.
2. In the Add a New Replica dialog box, click Browse to select the shared
folder for the new replica.

Note Each Dfs link can have up to 32 replicas.

3. Select Automatic Replication if you want the File Replication service

(FRS) to automatically replicate any changes that occur in any replica of the
Dfs link to all other replicas. Select Manual Replication if you want no
replication. Click OK.
32 Module 7: Providing Network Access to File Resources

Configuring Replication
Slide Objective
Server1 Hosting
To illustrate the replication Sales
Sales Data
Data
Dfs Root
process. (Initial Master)
Lead-in North
You configure replication Active Directory
among multiple replicas of a
Dfs link to ensure that each East
replica contains the same
data.

Sales
Sales Data
Data

North

Server2 Hosting
Dfs Root East

When you configure multiple replicas of the same Dfs link, you need to ensure
Mention the role that FRS
that each replica always contains the same data. To automatically keep the
plays in automatic
replication.
contents of the replicas synchronized as changes to one or more of the replicas
occur, Windows 2000 provides the File Replication service. If you do not use
Key Points FRS, you must manually copy files that change to all replicas of a Dfs link.
You configure replication
among multiple replicas of a
Dfs link after creating the Setting Up Automatic Replication
replicas to keep the Enable automatic replication by using the Replication Policy window of the
contents of the replicas Distributed File System console. To set replication policy, select one of your
synchronized. Dfs shared folders as the initial master (master copy), which then replicates its
contents to the other Dfs shared folders in the set of Dfs shared folders.
Replication occurs as part of Active Directory replication.
To set replication policy, perform the following steps:
1. Open Distributed File System.
2. Right-click a Dfs root or Dfs link, and then click Replication Policy.
3. In the list of shared folders, click a Dfs shared folder that you want to use as
the master folder for replication.
By default, the first Dfs folder that you create becomes the master folder for
replication. If you want to change this default, click Initial Master.
After you have set a master for replication, the Initial Master button no
longer appears when you subsequently display this window. This is because
you only set a master once to initiate replication; from then on, the Dfs
shared folders replicate to one another whenever data in one of the Dfs
shared folders changes.
 Module 7: Providing Network Access to File Resources 33

4. Click all of the replicas that will participate in replication, and then click
Enable.
5. To prevent a replica from participating in replication—for example when
you do not want Dfs replication to create network traffic—select the replica,
and then click Disable.

Checking the Status of a Dfs Replicas

Delivery Tip You can perform periodic status checks of Dfs replicas to ensure that replica
Demonstrate how to check sets are still valid for Dfs shared folders and that the replicas that you assigned
the status of replicas. are being referenced properly by Dfs. When you perform these status checks on
replica sets, the results indicate one of the following conditions:
Point out the green check
marks and cross marks that ! The replica was found and is accessible. This indicates that everything is
appear after status check. functioning correctly.
Tell students what these
marks mean. ! The replica was found but is not accessible. This means that NTFS
permissions or shared folder permissions may be not be configured
properly.
! The replica was not found. This means that the shared folder is not
available, for example, because the computer hosting it is not running.

To check status of a Dfs shared folder, perform the following steps:

1. Open Distributed File System.
2. In Distributed File System, right-click the Dfs root or Dfs link whose
replication status you want to check, and then click Check Status.
34 Module 7: Providing Network Access to File Resources

Lab B: Configuring Domain-based Dfs

Slide Objective
To introduce the lab.
Lead-in
In this lab, you will create
replicas, add Dfs links, and
remove replicas and Dfs
links.

Explain the lab objectives.

Objectives
After completing this lab, you will be able to:
! Create a Dfs root replica.
! Create a Dfs link.

Prerequisites
Before working on this lab, you must have:
! Knowledge about how Microsoft Windows 2000 uses shared folder and
NTFS file system permissions to secure access to network resources.
! The knowledge and skills to share folders.
! Knowledge about the purpose of Dfs, including how Dfs provides fault
tolerance.

Lab Setup
To complete this lab, you need:
! A computer running Windows 2000 Advanced Server that is configured as a
member server of the nwtraders.msft domain.
! A folder, C:\Moc\Win2152b\Labfiles\Lab07\Site Reports, shared as
Reports.

Estimated time to complete this lab: 30 minutes

 Module 7: Providing Network Access to File Resources 35

Exercise 1
Create a New Root Replica

Scenario
Your corporation wants to distribute reports to each office in the corporation using Dfs. The
Corporate office has created a Dfs root called Corporate Reports. You must create a Dfs root replica
on your server to provide fault tolerance.

Goal
In this exercise, you will create a Domain-based Dfs root replica.

Tasks Detailed Steps

1. Log on to nwtraders as a. Log on using the following information:

Adminx (where x is your User name: Adminx (where x is your assigned student number)
assigned student number) Password: domain
with password of domain Log on to: nwtraders
and attempt to create a new b. Open Distributed File System from the Administrative Tools menu.
root replica of
\\nwtraders.msft\corporate c. In Distributed File System, in the console tree, right-click Distributed
data. As part of the Dfs File System, and then click Display an Existing Dfs Root.
wizard, create a new shared d. On the Display an Existing Dfs Root page, expand nwtraders.msft,
folder on your server, named expand Domain Dfs roots, click Corporate Data, and then click OK.
Corpdata, for the share point e. In Distributed File System, in the console tree, right-click
on your server to host the \\nwtraders.msft\Corporate Data, and then click New Root Replica.
Dfs root.
f. On the Specify the Host Server for the Dfs Root page, verify that
your server’s FQDN is listed, and then click Next.
g. On the Specify the Dfs Root Share page, click Create a new share.
h. In the Path to share box, type
c:\moc\Win2152b\Labfiles\lab07\corpdata
i. In the Share name box, type Server Dfs Replica (where Server is your
assigned computer name), and then click Finish.

A message appears indicating that the share does not exist.

j. Click Yes to create the folder.

A message appears indicating there is a network error.

k. Click OK to close the error message, click Cancel to close the New
Dfs Root wizard, and then close Distributed File System.
36 Module 7: Providing Network Access to File Resources

(continued)

Tasks Detailed Steps

What permissions does a user account need in order to create a domain-based Dfs?
The user account must have domain-wide administrative rights. To gain these rights, a user account
must be a member of an administrative group such as the Domain Admins group.

2. Logged on as Adminx, use a. Click Start, point to Programs, point to Administrative Tools, hold
the secondary logon, the SHIFT key and right-click Distributed File System, and then click
[email protected] Run as.
with a password of domain, b. In the Run as Other User box, verify that Run the program as the
to create a new root following user is selected.
replica of
\\nwtraders.msft\corporate c. In the User name box, type DAdmin
data. Create a new shared d. In the Password box, type domain
folder on your server named e. In the Domain box, type nwtraders.msft and then click OK.
Corpdata for the share point
on your server to host the f. In Distributed File System, in the console tree, right-click Distributed
Dfs root. Configure your File System, and then click Display an Existing Dfs Root.
root replica to participate in g. In the Display an Existing Dfs Root dialog box, expand
automatic replication. nwtraders.msft, expand Domain Dfs roots, click Corporate Data,
and then click OK.
h. In Distributed File System, in the console tree, right-click
\\nwtraders.msft\Corporate Data, and then click New Root Replica.
i. On the Specify the Host Server for the Dfs Root page, verify that
your server’s FQDN is listed, and then click Next.
j. On the Specify the Dfs Root Share page, verify that Use an existing
share is selected, click Server Dfs Replica (where Server is your
assigned computer name) if necessary, and then click Finish.

In the details pane of Distributed File System, your server is

listed as a root replica.

Wait for the instructor before proceeding. The instructor must configure the initial replication settings before
you continue on with this exercise.

2. (continued) k. In Distributed File System, in the console tree, right-click

\\nwtraders.msft\Corporate Data, and then click Replication Policy.
l. On the Replication Policy page, click your server’s shared folder
entry, click Enable, and then click OK.

Note: In task 1, you created the shared folder on your server using the administrative rights associated with
the Adminx user account, but you could not create the Dfs root replica using that account. In task 2, you did
not have to create the share point on your server because you created the shared folder in task 1.

2. (continued) m. Minimize Distributed File System.

 Module 7: Providing Network Access to File Resources 37

(continued)

Tasks Detailed Steps

3. View the data in the a. Click Start, and then click Run.
\\nwtraders.msft\corporate b. In the Open box, type \\nwtraders.msft\corporate data and then
data folder, and then verify click OK.
that the shared folder you
created on your server has A number of folders are listed in the Dfs shared folder.
the same data.
c. Click Start, and then click Run.
d. In the Open box, type \\Server\Server Dfs Replica (where Server is
your assigned computer name), and then click OK.

Is the content of the \\nwtraders.msft\corporate data share the same as the content of the \\server\server Dfs
Replica share? Why?
Yes. Replication of the domain-based Dfs has occurred.

3. (continued) e. Close the two shared folder windows.

38 Module 7: Providing Network Access to File Resources

Exercise 2
Adding a Dfs Link to an Existing Dfs Root

Scenario
To provide the entire corporation with a single share point for viewing corporate reports and remote
office reports, you must create a Dfs link for your site under the corporate Dfs root.

Goal
In this exercise, you will create a Dfs Link under the \\nwtraders.msft\Corporate Data Dfs root.

Tasks Detailed Steps

1. Create a Dfs link under a. Restore Distributed File System.

\\nwtraders.msft\Corporate b. In the console tree, right-click \\nwtraders.msft\Corporate Data, and
Data named Server Reports then click New Dfs Link.
(where Server is your
assigned computer name). c. In the Create a New Dfs Link dialog box, under Link name, type
Server Reports (where Server is your assigned computer name), and
then click Browse.
d. In the Browse for Folder dialog box, expand Entire Network,
expand Microsoft Windows Network, expand nwtraders, expand
Server (where Server is your assigned computer name), click Reports,
and then click OK.
e. In the Create a New Dfs Link dialog box, click OK.

The link appears under Corporate Data in the console tree.

f. Minimize Distributed File System.

2. View the data in the a. Click Start, and then click Run.
\\nwtraders.msft\Corporate b. In the Open box, type \\nwtraders.msft\corporate data and then
Data Dfs share. click OK.

Why does your Dfs link show up as a folder when you open \\nwtraders.msft\Corporate Data? Is the Dfs link
fault-tolerant?
Your Dfs link shows up as a folder under the root so that the client who connects to the Dfs shared
folder sees one connection point with a number of subfolders. The Dfs link is not fault-tolerant, but a
link replica could be created on a different server to provide fault tolerance for the Dfs link.

2. (continued) c. Close the Corporate Data window.

 Module 7: Providing Network Access to File Resources 39

Exercise 3
Removing a Dfs Link and Dfs Root Replica

Scenario
Your corporation has decided to use an Exchange mail server distribution list to provide access to
corporate reports. You must remove the Dfs link, and then remove the Dfs root replica.

Goal
In this exercise, you will remove the Dfs link that you created, and then remove the Dfs root replica
that you created.

Tasks Detailed Steps

1. Remove the Dfs link for a. Restore Distributed File System.

your server. b. In Distributed File System, in the console tree, expand
\\nwtraders.msft\Corporate Data if necessary, right-click Server
Reports (where Server is your assigned computer name), and then
click Remove Dfs Link.
c. In the Distributed file system message, click Yes to proceed.

The Dfs link for your server is removed from the console
tree.

2. Remove the Dfs root replica a. In Distributed File System, in the details pane, right-click
for your server. \\Server\Server Dfs Replica, and then click Remove Replica.
b. In the Distributed file system message, click Yes to proceed.

Your server is removed from the details pane.

c. Close any open windows, and then log off.
40 Module 7: Providing Network Access to File Resources

Review
Slide Objective
To reinforce module
objectives by reviewing key
points. ! Introduction to Shared Folders
Lead-in ! Creating Shared Folders
The review questions cover
some of the key concepts ! Combining NTFS and Shared Folder Permissions
taught in the module.
! Using Administrative Shared Folders
! Publishing a Shared Folder in Active Directory
! Configuring Shared Folders by Using Dfs

1. When a folder is shared, which folders and files within that folder does a
user with the Read permission have access to by default?
A user with the Read permission has access to all folders and files in the
shared folder. However, the user cannot change any files or folders.

2. What is the best way to secure files and folders that you share on NTFS
partitions?
Put the files that you want to share in a shared folder and retain the
default shared folder permission (the Everyone group with the Full
Control permission). Then grant the appropriate NTFS permissions to
users and groups for the files and folders within the shared folder.

3. The information that users in your corporation need is distributed

throughout the network on various servers. This forces users to remember
the names of all of the servers and shared folders on the entire network.
What could you do to solve this problem?
Install Dfs on one computer and create links that point to all of the
shared folders.
 Module 7: Providing Network Access to File Resources 41

4. A user attempts to connect to another computer by using the UNC name

\\server\c$ to gain access to all of the files and folders on the C: partition,
but is denied access. The user knows that the C$ shared folder is
automatically created by default. How could you explain the user’s inability
to gain access to that shared folder?
The user does not have administrative privileges on the computer that
they are trying to access. A hidden shared folder is created at the root
of each defined partition, but is only accessible by users with
administrative privileges.

5. You have shared and can access several folders on the server you
administer, but when you attempt to locate them by searching Active
Directory Users and Computers, they are not found. What could the problem
be? How could you resolve it?
You have not published the files in Active Directory. To do this, you
must open Active Directory Users and Computers, right-click the
domain in which you want to publish the shared folder, point to New,
and then click Shared Folder. You must then provide a shared folder
name and the path (UNC name) to publish a shared folder.

6. When users gain access to a Dfs link, how will they know that Dfs redirects
their requests to a different physical folder?
Users do not notice that the request is redirected. Dfs is completely
transparent to users.
THIS PAGE INTENTIONALLY LEFT BLANK