Microsoft Azure AZ-800 — Section 19: Configure Windows Server storage Part 5
151. Configure file systems
Let’s take a look now at configuring the different file systems we can set up here on Windows Server. So here we are in Hyper-V. I’m just going to add an additional virtual hard drive to my NYC-DC1. So I’m going to right-click, go to Settings, go right here to my SCSI controller, and I’ll add a hard drive. New, all right, dynamically expanding. And we’re just going to call this New Data Disk. Click Next.
OK, we could say 127, that’s fine. Next and Finish.
OK, so at that point, we’re just going to click OK. We can now jump into our NYC-DC1 and take a look.
OK, so here I am in NYC-DC1. I’m going to open up Server Manager and go to File and Storage Services. And from there, I can click on Disks and I can see my new disk. Now, if you don’t see your new disk, just click the refresh icon right here, and that should allow that disk to pop up after it’s done refreshing.
So there’s my new disk. You’ll see it says Unknown. By the way, if it doesn’t say that it’s online, you can right-click and say Bring Online. From there, I’m now ready to create volumes on it, so I can click to create and click Next on the steps. Do I want to go ahead and initialize it with GPT, GUID Partition Table? Yes, I do.
OK, as opposed to the old format, which was MBR, that limited you to only two terabytes on a volume. With GPT you don’t have that limitation. Let’s do 60 gigs and then we’ll click Next. We’ll set it to the E drive, Next, and we’ll start with an NTFS volume on our E drive. And I’m going to call it NTFS, just to make it very clear as far as a label.
So, I’m going to click Create. All right. And so shortly after, that should be good to go. It’s created, and now we’re going to create another volume.
OK, so we go back over here to Disks, we’re going to go to Tasks, New Volume. Next. Next. Actually, select the disk.
OK, we’ll just do the remaining sixty-seven gigs. So Next, F drive is fine, Next, and then we’re going to do ReFS for this.
OK.
So from there, we’re going to set this to ReFS.
OK. And we are now formatting it. By the way, you can do FAT as well, but you’d do that on removable media. You could add another disk, and if you go through Server Manager, they’re going to try to force you. But you can also do things through Disk Management, right-click, Disk Management, as well. And diskpart. So you can see through Disk Management that this is NTFS and ReFS.
OK.
So from there, if I open File Explorer, all right, I’ve got my two drives. There’s my NTFS drive, so I want to right-click that and go to Properties, and you’re going to notice that from there, I’ve got a Quota tab. I’ve got Security. I’ve got all this stuff, setting permissions and quotas, all that fun stuff. And if I actually go to my drive and let’s just create a folder, or actually just create a file, we can right-click that file, go to Properties, and we’ve got an Advanced button here where we can turn on compression and encryption.
Now, if we go over to our ReFS drive, right-click our ReFS drive. You’ll notice that we don’t have a Quota tab at all. It’s not showing up. I can right-click, I can say New, create a text file here, right-click that file, go to Properties, and there’s no Advanced button.
So right out of the gate here you can see that there are some, you know, limitations with all of this. But as far as being resilient, having good integrity, ReFS is going to be a winner. And really, you also want to consider using ReFS in, like, a storage area network. We’re not really learning about storage area networks in this course, but if you utilize a storage area network where you’ve got high amounts of redundancy, that’s really where ReFS is going to shine. That and, of course, if you want to use storage pools, which are not covered in this video, but, you know, Storage Spaces, a.k.a. storage pools, is where that’s going to really benefit you.
OK. Again, you can also, if I go, like, let’s go to Disk Management again. All right. And, you know, maybe I want to delete something or extend some of these. Let’s delete the ReFS one, just right-click, Delete. By the way, you can change the drive letter too if you want, but you can also extend the file system sizes, partition sizes, by right-clicking and saying Extend.
So, if I wanted to extend this out the maximum amount of space, I can. And there you go. I just extended the NTFS volume all the way out. If I want to shrink that, I can also shrink that as well.
OK, so go right here, Shrink, and you want to shrink it down. Let’s do that. And that’s now down to sixty-eight. All right.
So pretty easy, as you can see, to work with file systems. You can use Disk Management, you can use Server Manager to work with it. There’s also, of course, the diskpart command as well.
So, if you go into a command prompt, you can type diskpart, hit Enter, and do a question mark. You can see the different commands that are available, like extend and shrink. All right, of course, you can list out the drives. If I type list disk, I can see there are two disks. I can say select disk 1, which is the second disk, and then list partition. I can see the partition sizes there, and I can say list volume and I can see all that. But again, if I ever want to utilize this command, I can actually write scripts that use this command to automate things as well, which you can also do through PowerShell.
But really, the diskpart command has a lot of capabilities that, even with PowerShell, they haven’t really added. There’s a lot still with diskpart that you can do, that a lot of people out there recommend.
So anyway, those are the different ways we can work with file systems in our Windows Server.
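The same walkthrough scripted with the Storage module cmdlets, as an added example that is not part of the original lesson. It assumes the new data disk is the only uninitialized (RAW) disk on the server and that drive letters E and F are free.

```powershell
# Added example: find the new data disk. Assumption: it is the only RAW disk.
$disk = @(Get-Disk | Where-Object PartitionStyle -eq 'RAW')
if ($disk.Count -ne 1) { throw "Expected exactly one uninitialized disk, found $($disk.Count)." }
$number = $disk[0].Number

# Bring the disk online if needed, then initialize it as GPT rather than MBR.
if ($disk[0].IsOffline) { Set-Disk -Number $number -IsOffline $false }
Initialize-Disk -Number $number -PartitionStyle GPT

# 60 GB NTFS volume on E:, labeled NTFS.
New-Partition -DiskNumber $number -Size 60GB -DriveLetter E |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'NTFS' -Confirm:$false

# Remaining space as a ReFS volume on F:.
New-Partition -DiskNumber $number -UseMaximumSize -DriveLetter F |
    Format-Volume -FileSystem ReFS -NewFileSystemLabel 'ReFS' -Confirm:$false

# Same information as "list volume" in diskpart.
Get-Volume -DriveLetter E, F |
    Format-Table DriveLetter, FileSystemLabel, FileSystem, Size

# Before extending or shrinking, ask the partition which sizes it supports.
$range = Get-PartitionSupportedSize -DriveLetter E
'E: can be resized between {0:N1} GB and {1:N1} GB' -f ($range.SizeMin / 1GB), ($range.SizeMax / 1GB)

# Extend E: into adjacent free space (only useful after F: has been deleted):
# Resize-Partition -DriveLetter E -Size $range.SizeMax
```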
152. Visualizing Windows file permissions
Let’s get into the concept now of working with Windows permissions. Now, there’s a couple of angles you’ve got to think about when you think about working with Windows permissions, and that is the fact that there is what we call NTFS permissions, which affect rights either locally or remotely. It doesn’t matter if you’re sitting locally at the machine or you’re connecting remotely to the machine, NTFS permissions are going to affect you. And then there is the concept of share permissions, which is a type of permission that gets placed on a shared folder that gets made available across the network. And of course, that only affects people if they’re connecting in remotely through the share.
OK. Of course, what happens when you combine all that together, when you have NTFS permissions and you have share permissions? So that’s the kind of thing I want to look at with you right now, to help you understand that concept.
OK, so let’s get started.
So the first thing you want to do when you’re trying to figure out a scenario with permissions is draw a little table.
OK.
So you can draw out a really simple little table here that makes life a whole lot easier. All right. And we’ll start out with just focusing on different users and groups, and we’ll talk about NTFS permissions to begin with here.
OK.
So, I’m just going to label this column Objects, and I’m going to label this one NTFS Permissions, which, of course, you know, on a Windows machine you’ll see by going to the Security tab of a file or folder.
OK, we’ll talk about share permissions in a moment.
Now imagine we’ve got a folder that we’ll call Sales Data.
OK. All right. And we’ve got a user named John Smith and John Smith is actually a sales and marketing manager. All right.
So, let’s say that he’s part of the sales department and part of the marketing department, but he’s also a manager.
OK.
So what can be a little crazy is imagine if your company was set up with three different groups. You had a sales group and you had a marketing group and you had a managers group. And let’s say that John Smith is a member of all three.
OK.
So the way that permissions would work here is, let’s say that for the Sales group, in NTFS for this folder, maybe the salespeople have been given Modify.
OK, so that means they can read data, they can write to it, they can make changes. They can’t delete subfolders and files. They can’t take ownership or any of that. But they do have, you know, some permissions. And then let’s say marketing people had Read and Execute because, you know, they’re marketing people. They’re not actually full salespeople. Maybe you don’t want them changing your data, but they need to be able to see it. OK. And then you have the Managers group, who has been given Full Control.
OK, now full control is normally reserved for administrators, but in this case, we’ll say managers maybe need a little extra power over that folder and they’ve been given full control.
So the question that’s raised here is, what would happen if John Smith was to connect to that folder? OK, it doesn’t matter if he’s sitting locally or remotely. What are his permissions going to be? So the rule of thumb you want to remember here, when working with permissions, let’s say you’re just talking about NTFS permissions for a moment, is this: NTFS plus NTFS equals cumulative. All right.
So, it’s not most restrictive or least restrictive or any of that. It’s cumulative. All right.
So cumulative essentially means just add all the permissions up, and that’s your effective permissions.
OK.
So, if you think about it like this, you’ve got the Sales group, which has Modify.
OK, plus Read and Execute, plus Full Control, equals full. You get all of that. But technically you could just say Full Control, because Full Control has everything.
So John Smith’s effective permissions would be Full Control. All right. Think about it like this. Let’s just use kind of a dumb analogy.
So you’re talking about fruit? OK, let’s say that we say that the sales department can eat apples, and we say that the marketing department can eat oranges. And then we say that managers can eat pineapple.
OK, so apples, oranges and pineapple. And then basically, John Smith’s part of all of that. He’s part of sales, marketing and managers, so he can eat all the fruit.
OK. He can have apples, oranges and pineapple. Now, the one thing to also remember here is this is talking about allow permissions. What about deny permissions? So the rule of thumb with deny permissions is: deny always wins.
So, if you deny a group, they’re going to be denied. Let’s say I was to allow the salespeople the ability to eat apples and allow the marketing group the ability to eat oranges.
OK. And then allow the managers group the ability to eat pineapple, but they’re denied the ability to eat oranges. Well, then John Smith will be able to eat apple and pineapple. That’s it. He wouldn’t be able to eat oranges. Deny always wins if there is a conflict.
OK, so that’s the thing to remember. All right.
So the other thing to think about here is, what about share permissions? OK, so I’m going to move these permissions out of the way. Forget about NTFS permissions for a moment. Let’s just pretend that they don’t exist. Let’s talk about share permissions. All right.
So share permissions over here. The share permissions are located on the share tab of a folder.
OK, you have a share tab on a folder, and that’s where they’re going to be actually stored.
OK? So, share permissions. The names are a little different, but ultimately you end up with the same effect.
OK, so, let’s say that you give salespeople... Oh, and one other thing I do want to mention here is, by default, on a shared folder, you’ll have Everyone. Everyone has Deny. I’m sorry, Everyone has Read. And of course, by default, Everyone gets Read, but we’ll throw that into the mix here in just a moment.
OK, I want to mention that now, but I’ll explain it a little bit better in a moment.
So, let’s say the salespeople have been given Change permissions. Change is basically the equivalent of Modify in NTFS lingo. Marketing has been given Read, which is sort of the equivalent of Read and Execute on NTFS, and then managers has been given Full Control. All right.
So essentially, what you end up with is the same thing because guess what? Share plus share equals cumulative. A lot of people, when they explain this, they’ll say least restrictive. You can say the least restrictive as well in this case, because it’s not going to make any difference.
OK, but anyway, if you add all that together, change plus read plus full control, you’re going to get full control. All right.
Now here’s where things get crazy. Let’s just look at the defaults, OK? Let’s look at the defaults here. And what I mentioned just a moment ago is the defaults on shared folders. A lot of times it’s going to be there’s a group called Everyone and the everyone group gets read automatically. And so then let’s throw the NTFS permissions back into the mix. All right, so here’s the NTFS permissions.
So the problem you run into here is whenever you combine the permissions together. In other words, NTFS plus share.
OK, when they conflict, it’s the most restrictive that will apply. The most restrictive that will apply is what you want to consider there. All right.
So think about it. Let’s kind of work our way through here. If we do this, if we say, OK, well, let’s start with this. We’re going to work this rule out first.
So Modify plus Read and Execute plus Full Control, you’re going to get Full Control. And then, of course, Read. And now let’s add this up. Most restrictive: Full Control plus Read equals Read.
So basically, if John Smith connects across the network into the shared folder here, he’s going to get Read. But remember the other thing that I mentioned, and that is it only takes effect if he’s accessing across the network. See these rules right here. These two rules right here. They only take effect if accessed over the network. That’s something to remember.
So, if John Smith was actually sitting locally at the machine and accessing the data locally, then you’d only have to worry about NTFS permissions.
OK. All right.
Now, the last thing I want to get across to you here is, let’s get rid of the Everyone group and let’s do the following on the sales share, the Sales Data share. We’re going to give Change permissions to the Sales group, Marketing gets Read, and then Managers this time is going to get Change.
So looking at this, a lot of times people would say, Oh, well, I know what the answer is going to be. It’s the most restrictive, which is going to be read, but you would be wrong if you said that. Here’s what you got to do. Work your way down this little chart. Start with NTFS first and add those together.
So modify plus read and execute equals full control.
OK, that’s true. You add all that together. You get Full Control because, well, Full Control has everything. Then work out the second rule, share plus share: Change plus Read plus Change is Change. Aha.
Now do the last one, NTFS plus share. So Full Control plus Change equals Change. That’s the most restrictive one. And there is your answer.
So that would be the effective permissions for John Smith if he’s accessing it across the network. Now, if he was accessing it locally, and he wasn’t going through the share, he’d have Full Control.
OK, so hopefully now that gives you a good understanding of permissions. Always draw a little table out, label everything based on what you’re trying to do here, and this is going to really help you, I think, with understanding the way permissions work. I’ve taught this for well over 20 years, and I’ll tell you that there’s lots of people who think they understand how permissions work, and then they’re a little bit shocked. And if you don’t believe me that this is the way it works, try this out on your own so you can see it with your own eyes.
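The three rules from the table (NTFS plus NTFS is cumulative, share plus share is cumulative, NTFS plus share is most restrictive, and deny wins) worked through in PowerShell as an added example that is not part of the original lesson. The function names are hypothetical, and each permission level is reduced to a small set of rights (Read, Write, Admin), which is a simplification of the real Windows access mask.

```powershell
# Simplified rights per permission level (assumption of this example, not the real access mask).
$Levels = @{
    'Read'         = @('Read')
    'Modify'       = @('Read', 'Write')
    'Full control' = @('Read', 'Write', 'Admin')
}
# Equivalents named in the lesson: Change ~ Modify, Read and Execute ~ Read.
$Alias = @{ 'Read and Execute' = 'Read'; 'Change' = 'Modify' }

function Get-CumulativeRights {
    param([string[]]$MemberOf, [object[]]$Entries)
    $allow = @(); $deny = @()
    foreach ($e in $Entries) {
        if ($MemberOf -notcontains $e.Group) { continue }
        $name = if ($Alias.ContainsKey($e.Level)) { $Alias[$e.Level] } else { $e.Level }
        if ($e.Type -eq 'Deny') { $deny += $Levels[$name] } else { $allow += $Levels[$name] }
    }
    # Cumulative: union of every allow entry; deny always wins on conflict.
    @($allow | Select-Object -Unique | Where-Object { $deny -notcontains $_ })
}

function Get-EffectiveAccess {
    param([string[]]$MemberOf, [object[]]$Ntfs, [object[]]$Share, [switch]$OverNetwork)
    $ntfsRights = Get-CumulativeRights $MemberOf $Ntfs
    if (-not $OverNetwork) { return $ntfsRights }   # local access: share permissions do not apply
    $shareRights = Get-CumulativeRights $MemberOf $Share
    # NTFS plus share: most restrictive, so keep only rights granted on both sides.
    @($ntfsRights | Where-Object { $shareRights -contains $_ })
}

# Constructed data matching the lesson's tables for the Sales Data folder.
$john = 'Sales', 'Marketing', 'Managers', 'Everyone'
$ntfs = @(
    @{ Group = 'Sales';     Level = 'Modify';           Type = 'Allow' }
    @{ Group = 'Marketing'; Level = 'Read and Execute'; Type = 'Allow' }
    @{ Group = 'Managers';  Level = 'Full control';     Type = 'Allow' }
)
$shareDefault = @( @{ Group = 'Everyone'; Level = 'Read'; Type = 'Allow' } )
$shareCustom = @(
    @{ Group = 'Sales';     Level = 'Change'; Type = 'Allow' }
    @{ Group = 'Marketing'; Level = 'Read';   Type = 'Allow' }
    @{ Group = 'Managers';  Level = 'Change'; Type = 'Allow' }
)

'Network, default share: ' + ((Get-EffectiveAccess $john $ntfs $shareDefault -OverNetwork) -join ', ')
'Network, custom share:  ' + ((Get-EffectiveAccess $john $ntfs $shareCustom -OverNetwork) -join ', ')
'Local, no share:        ' + ((Get-EffectiveAccess $john $ntfs $shareCustom) -join ', ')
```

Adding an entry with Type set to 'Deny' to either list removes those rights from the result regardless of what the other groups allow.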