
Module 11

Optimizing file services


Module Overview

• File Server Resource Manager
• Implementing classification and file management tasks
• Dynamic Access Control
Lesson 1: File Server Resource Manager

What is FSRM?
How to install and configure FSRM
Demonstration: Installing and configuring FSRM
What is quota management?
What are quota templates?
Demonstration: Monitoring quota usage
What is file screening management?
What are file groups?
What are file screen templates and file screen exceptions?
Demonstration: Implementing a file screen
What are storage reports?
What is FSRM?

FSRM enables the following functionality:


• Storage quota management
• File screening management
• Storage reports management
• Classification management
• File management tasks
How to install and configure FSRM

• Install FSRM by using:
• Server Manager
• Windows PowerShell:
Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools
• Configure FSRM by using:
• File Server Resource Manager console
• Windows PowerShell:
Set-FsrmSetting -SmtpServer "SMTPserver" -AdminEmailAddress "fileadmin@adatum.com" -FromEmailAddress "Lon-SVR1@adatum.com"
Demonstration: Installing and configuring FSRM

In this demonstration, you will learn how to:


• Install FSRM
• Configure FSRM
What is quota management?

• Use quota management to limit disk space usage and provide notifications when thresholds are reached
• Quota notifications can do any of the following:
• Send email notifications
• Log an event in Event Viewer
• Run a command or script
• Generate storage reports
What are quota templates?

• A quota template defines:


• A space limit
• The type of quota (hard or soft)
• A set of notifications to be generated when the quota
limit is approached
• FSRM provides a set of default quota templates in
the Quota Templates node
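The two slides above describe quota templates and the notification actions a threshold can trigger. The following PowerShell is an added example written for this page, not code from the course deck: it builds a hard quota template with two thresholds, applies it as an auto quota to every home folder, and reads back usage. It assumes the FSRM cmdlets are installed on the file server, that E:\Users is the home-folder root (a hypothetical path), and that Set-FsrmSetting has already been pointed at a working SMTP server as shown earlier in this lesson.

```powershell
# Added example (not from the course deck). Assumptions: E:\Users is the
# home-folder root; SMTP was configured with Set-FsrmSetting beforehand.
Import-Module FileServerResourceManager

$homeRoot = 'E:\Users'   # assumed home-folder root

# Notification actions. Bracketed names are FSRM notification variables that
# FSRM expands when the notification fires.
$warnMail = New-FsrmAction -Type Email `
    -MailTo '[Source Io Owner Email]' `
    -Subject '[Quota Threshold]% of your home folder quota is used' `
    -Body 'Your home folder [Quota Path] has used [Quota Used] of [Quota Limit]. Please remove files you no longer need.'

$warnEvent = New-FsrmAction -Type Event -EventType Warning `
    -Body 'User [Source Io Owner] reached [Quota Threshold]% of the quota on [Quota Path].'

# At the hard limit, also queue storage reports so an admin can see what filled it.
$limitReport = New-FsrmAction -Type Report -ReportTypes @('LargeFiles', 'LeastRecentlyAccessed')

$thresholds = @(
    (New-FsrmQuotaThreshold -Percentage 85  -Action @($warnMail)),
    (New-FsrmQuotaThreshold -Percentage 100 -Action @($warnMail, $warnEvent, $limitReport))
)

# Hard quota (no -SoftLimit): writes beyond 500 MB are refused, not just logged.
$template = New-FsrmQuotaTemplate -Name '500 MB Home Folder Limit' `
    -Description 'Hard limit for user home folders' `
    -Size 500MB -Threshold $thresholds

# Auto quota: every existing and future subfolder of $homeRoot gets its own
# quota derived from the template, so new users are covered automatically.
New-FsrmAutoQuota -Path $homeRoot -Template $template.Name

# Verify: per-user usage, highest first.
Get-FsrmQuota |
    Where-Object Path -like "$homeRoot\*" |
    Select-Object Path,
        @{ n = 'UsedMB';      e = { [math]::Round($_.Usage / 1MB, 1) } },
        @{ n = 'LimitMB';     e = { [math]::Round($_.Size / 1MB, 1) } },
        @{ n = 'PercentUsed'; e = { [math]::Round(100 * $_.Usage / $_.Size, 1) } } |
    Sort-Object PercentUsed -Descending
```

A soft quota (add -SoftLimit to New-FsrmQuotaTemplate) only notifies; use it during rollout to find users who would be blocked before switching the template to a hard limit. Because quotas created from a template stay linked to it, editing the template later lets you push the change to all derived quotas at once.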
Demonstration: Monitoring quota usage

In this demonstration, you will learn how to:


• Create a quota
• Test a quota
What is file screening management?

• File screen management provides a method for controlling the types of files that can be saved on file servers
• File screen management consists of:
• Creating file screens
• Defining file screen templates
• Creating file screen exceptions
• Creating file groups
What are file groups?

• File groups are used to define a namespace for a file screen, file screen exception, or storage report
• A file group consists of a set of file name patterns that are grouped into:
• Files to include
• Files to exclude
What are file screen templates and file screen exceptions?

• File screen templates:
• Provide a definition for newly created file screens
• Enable control over file screens created from templates
• File screen exceptions enable you to override file screens for a specific location or file group
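The slides on file groups, templates and exceptions above form one procedure. The following PowerShell is an added example written for this page, not code from the course deck: it blocks audio and video files under the home-folder root, carves out one subfolder as an exception, and then tests the screen with a write. It assumes E:\Users is the home-folder root and E:\Users\Training is the exception folder (both hypothetical), and that SMTP is configured in FSRM for the e-mail action.

```powershell
# Added example (not from the course deck). Assumptions: E:\Users is the
# home-folder root; E:\Users\Training may legitimately hold media files.
Import-Module FileServerResourceManager

$homeRoot = 'E:\Users'

# File group: the namespace of patterns the screen matches. Exclude patterns
# take precedence over include patterns (here: one approved clip name).
$group = New-FsrmFileGroup -Name 'Audio and Video Files (policy)' `
    -IncludePattern @('*.mp3', '*.mp4', '*.wav', '*.wma', '*.avi', '*.mkv') `
    -ExcludePattern @('corporate-intro.mp4')

# Notifications when a write is blocked: e-mail the user, log an event for SOC.
$mail  = New-FsrmAction -Type Email -MailTo '[Source Io Owner Email]' `
    -Subject 'File type blocked by policy' `
    -Body 'Saving [Source File Path] under [File Screen Path] is not allowed: [Violated File Group] files are not approved in home folders.'
$event = New-FsrmAction -Type Event -EventType Warning `
    -Body '[Source Io Owner] attempted to save [Source File Path] ([Violated File Group]).'

# Template. -Active makes this a hard (active) screen: the write is refused.
# Omit -Active for a passive screen that only notifies during rollout.
$template = New-FsrmFileScreenTemplate -Name 'Block Audio and Video (home folders)' `
    -IncludeGroup @($group.Name) -Active -Notification @($mail, $event)

# Screen on the home-folder root; it applies to all subfolders.
New-FsrmFileScreen -Path $homeRoot -Template $template.Name

# Exception: a subfolder where the group is allowed despite the parent screen.
New-FsrmFileScreenException -Path "$homeRoot\Training" -IncludeGroup @($group.Name)

# Test. The FSRM filter driver enforces screens on local and SMB writes alike,
# regardless of NTFS permissions, so even an administrator gets access denied.
New-Item -ItemType Directory -Path "$homeRoot\Connie" -Force | Out-Null
try {
    Set-Content -Path "$homeRoot\Connie\song.mp3" -Value 'test' -ErrorAction Stop
    Write-Warning 'Write succeeded: the screen is not active on this path'
} catch {
    Write-Host "Blocked as expected: $($_.Exception.Message)"
}
```

A file screen matches on the file name only, so renaming song.mp3 to song.txt bypasses it; it is a policy-hygiene control, not a security boundary. Pair it with classification rules (Lesson 2) where content-based detection is needed.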
Demonstration: Implementing a file screen

In this demonstration, you will learn how to:


• Create a file screen
• Test a file screen
What are storage reports?

• Storage reports provide information about file usage on a file server
• Types of storage reports include:
• Duplicate Files
• File Screening Audit
• Files by File Group, Owner, or Property
• Folders by Property
• Large Files
• Least- and most-recently accessed files
• Quota Usage
What is a report task?

You can schedule reports by creating a Report Task, which specifies:
• The volumes and folders to report on
• Which reports to generate
• Which parameters to use
• How often to generate the reports
• Which file formats to save the reports in
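The report task described above, as an added PowerShell example written for this page (not code from the course deck). It creates a weekly task over the home-folder root with four report types, two output formats and an e-mail recipient, then runs it once on demand. The path, task name and addresses are hypothetical, and SMTP is assumed to be configured in FSRM.

```powershell
# Added example (not from the course deck). Assumptions: E:\Users is the
# home-folder root; fileadmin@adatum.com is the report recipient.
Import-Module FileServerResourceManager

$homeRoot = 'E:\Users'

# Sunday 23:00: report generation reads every file in the namespace, so keep
# it off business hours.
$schedule = New-FsrmScheduledTask -Time '23:00' -Weekly @('Sunday')

$task = New-FsrmStorageReport -Name 'Home folder weekly review' `
    -Namespace @($homeRoot) `
    -ReportType @('LargeFiles', 'LeastRecentlyAccessed', 'QuotaUsage', 'FileScreenAudit') `
    -LargeFileMinimum 100MB `          # "large" = 100 MB and up
    -LeastAccessedMinimum 180 `        # not opened in 180 days
    -FileScreenAuditDaysSince 7 `      # screening violations from the last week
    -ReportFormat @('DHtml', 'Csv') `  # DHTML for people, CSV for scripts/SIEM
    -Schedule $schedule `
    -MailTo 'fileadmin@adatum.com'

# Run the same task now instead of waiting for Sunday.
Start-FsrmStorageReport -Name $task.Name

# Check when it last ran and whether it failed.
Get-FsrmStorageReport -Name $task.Name | Format-List Name, Namespace, ReportType, LastRun, LastError
```

Scheduled output lands under the server's storage report location (by default C:\StorageReports\Scheduled); the CSV files are the ones worth forwarding to a log pipeline, since the File Screening Audit report is effectively a list of policy-violation attempts per user.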
Demonstration: Generating on-demand storage reports

In this demonstration, you will learn how to generate a storage report
Lesson 2: Implementing classification and file management tasks

What is file classification?
What are classification rules?
Demonstration: Configuring file classification
What are file management tasks?
Demonstration: Configuring file management tasks
What is file classification?

Classification management allows you to use an automated mechanism to create and assign classification properties to files

(Slide diagram, flattened by extraction: a classification rule examines the file Payroll.rpt and assigns it the classification property IsConfidential.)
What are classification rules?

• The file classification infrastructure scans files automatically, and then classifies them according to the contents of a file
• When planning for file classification implementation,
do the following:
• Identify classifications
• Determine classification method
• Determine schedule
• Perform review
Demonstration: Configuring file classification

In this demonstration you will learn how to:


• Create a classification property
• Create a classification rule
What are file management tasks?

• File Management Tasks enable administrators to perform operations on files based on assigned Classification Properties
• File Management Tasks can:
• Move files to other locations
• Archive expired files
• Delete unwanted files
• Rename files
• Apply AD RMS encryption
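The classification property, classification rule and file management task described across the slides of this lesson form one pipeline. The following PowerShell is an added example written for this page, not code from the course deck: it defines a Confidentiality property, a content-based rule that sets it when a file mentions payroll, and a file management task that expires High files that have not been modified for a year. The namespace E:\Finance, the expiration folder E:\Expired, the property, rule and task names and the regular expression are all hypothetical; the Content Classifier parameter string follows the form FSRM stores for regular-expression rules and should be checked with Get-FsrmClassificationRule after creation, and the date-offset condition syntax should be checked against Get-Help New-FsrmFmjCondition on the target server.

```powershell
# Added example (not from the course deck). Assumptions: E:\Finance is the
# namespace to classify; E:\Expired receives expired files; names are made up.
Import-Module FileServerResourceManager

$namespace = 'E:\Finance'

# 1. Classification property (single choice: High / Low).
$high = New-FsrmClassificationPropertyValue -Name 'High' -Description 'Payroll, PHI, contracts'
$low  = New-FsrmClassificationPropertyValue -Name 'Low'
New-FsrmClassificationPropertyDefinition -Name 'Confidentiality' -Type SingleChoice `
    -PossibleValue @($high, $low) -Description 'Set by classification rules'

# 2. Rule: Content Classifier with a regular expression over file contents.
#    ReevaluateProperty Overwrite lets a later scan lower the value if the text
#    is gone; Aggregate would only ever raise it. (Parameter string: assumption,
#    verify with Get-FsrmClassificationRule.)
New-FsrmClassificationRule -Name 'Payroll documents are High' `
    -Namespace @($namespace) `
    -Property 'Confidentiality' -PropertyValue 'High' `
    -ClassificationMechanism 'Content Classifier' `
    -Parameters @('RegularExpression=Min=1;Expr=(?i)\bpayroll\b') `
    -ReevaluateProperty Overwrite

# 3. Schedule: nightly full pass plus continuous classification of new files.
$nightly = New-FsrmScheduledTask -Time '02:00' `
    -Weekly @('Monday','Tuesday','Wednesday','Thursday','Friday','Saturday','Sunday')
Set-FsrmClassification -Schedule $nightly -Continuous

# Run a pass now so the file management task below has something to act on.
Start-FsrmClassification

# 4. File management task: expire (move) High files not modified for a year.
#    Both conditions must hold; the expiration folder keeps a copy for review
#    instead of deleting outright. (-DateOffset syntax: assumption, see lead-in.)
$expire = New-FsrmFmjAction -Type Expiration -ExpirationFolder 'E:\Expired'
$conds  = @(
    (New-FsrmFmjCondition -Property 'Confidentiality' -Condition Equal -Value 'High'),
    (New-FsrmFmjCondition -Property 'File.DateLastModified' -Condition LessThan -DateOffset -365)
)
New-FsrmFileManagementJob -Name 'Expire stale confidential files' `
    -Namespace @($namespace) -Action $expire -Condition $conds `
    -Schedule (New-FsrmScheduledTask -Time '03:00' -Weekly @('Sunday'))
```

Classification values are stored in an alternate data stream and in the FSRM database; the "Files by Property" storage report from Lesson 1 is the quickest way to review what a rule actually tagged before a task starts moving files.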
Demonstration: Configuring file management tasks

In this demonstration, you will learn how to:


• Create a file management task
• Configure a file management task to expire documents
Lab A: Quotas and file screening

• Exercise 1: Configuring File Server Resource Manager quotas
• Exercise 2: Configuring file screening and storage reports

Logon Information
Virtual machines: 20744A-LON-DC1
20744A-LON-SVR1
User name: Adatum\Administrator
Password: Pa55w.rd

Estimated Time: 30 minutes


Lab Scenario
A. Datum Corporation is a medical research company with
approximately 5,000 employees worldwide that has
specific needs for ensuring that medical data and records
remain private. The company has a headquarters location
and multiple worldwide sites. A. Datum has recently
deployed a Windows Server 2016 server and Windows 10
client infrastructure. 
Each network client within the Adatum domain is provided
with a server-based home folder that is used for storing
personal documents or files that are works-in-progress. It
has come to your attention that home folders are
becoming very large, and might contain file types such as
MP3 files that are not approved under corporate policy.
You decide to implement FSRM quotas and file screening
to help address this issue.
Lab Review

• What criteria do you need to meet to use FSRM for managing a server's file structure?
• In what ways can classification management and file-management tasks decrease administrative overhead when dealing with a complex file and folder structure?
Lesson 3: Dynamic Access Control
Overview of Dynamic Access Control
Foundation technologies for Dynamic Access Control
What is identity?
What are claims and claim types?
Central access policies
Prerequisites for implementing Dynamic Access Control
Enabling support for Dynamic Access Control and claims in
AD DS
Implementing and configuring central access policies
Implementing file-access auditing
Implementing file classification
Overview of Dynamic Access Control

• Dynamic Access Control:
• Is an access control mechanism for file system resources
• Uses claims in the authentication token, resource properties on the resource, and conditional expressions within permission and auditing entries
• Dynamic Access Control is designed for four scenarios:
• Central access policy for managing access to files
• Auditing for compliance and analysis
• Protecting sensitive information
• Access-denied remediation
• Dynamic Access Control can give access to information:
• Based on values of attributes in AD DS
• Only from authorized devices
Foundation technologies for Dynamic Access Control

• Network protocols, including TCP/IP, RPC, SMB, LDAP
• Name resolution; DNS
• AD DS and its dependent technologies
• The Microsoft Kerberos v5 implementation
including Kerberos armoring (FAST) and
Compound authentication
• Windows Security, including LSA, Netlogon
What is identity?

(Slide diagram, flattened by extraction; reconstructed as text.)
1. User Adatum\Connie attempts to sign in.
2. AD DS issues a Kerberos ticket whose token holds the user SID and the user's group SIDs (Group 1 SID, Group 2 SID, …).
3. Connie presents a session (service) ticket to the file server.
4. The file server compares the SIDs in the ticket with the ACL on C:\Research\ (Group 2 SID: Modify; Group 4 SID: Full control; Group 10 SID: Read; …). Group 2 SID matches, so access is granted (OK).

In this model, identity is the set of SIDs carried in the token; Dynamic Access Control adds claims to that token.
What are claims and claim types?

• A claim is a statement by AD DS about a specific object
• In a Dynamic Access Control infrastructure, claims are defined by specific user or device attributes
• The authorization mechanism extends to support conditional expressions that include claims
• You can:
• Create user claims
• Create device claims
• Deploy claims between trusted forests
Central access policies

• Help you adhere to compliance regulations
• Deploy to file servers by using Group Policy
• Comprise rules that:
• Target resources (selected by resource property conditions)
• Are expressions that include:
• User or computer claims
• Groups
• Resource properties
• Should contain exceptions if you need to react quickly to changes or emergencies
• Are applied to a folder
A central access policy

(Slide diagram, flattened by extraction; reconstructed as text.)
User claims: Department = Research; Title = Manager
Computer claims: Department = Research
Resource properties: Department = Research

Central access policy: for files that are classified as Research departmental files, allow Modify access only to users in the Research department and only from Research department computers
Prerequisites for implementing Dynamic Access Control

To implement Dynamic Access Control, you need to have:
• A file server that is running Windows Server 2012 or newer, with the FSRM role service installed
• An AD DS schema updated for Windows Server 2012 or newer, which requires at least one domain controller running Windows Server 2012 or newer (the KDC that issues claims)
• Windows 8 or newer operating system running on client computers that use device claims
Enabling support for Dynamic Access Control and claims in AD DS

Enable support for Dynamic Access Control in AD DS by:
• Using the Default Domain Controllers GPO or creating a new GPO that links to the Domain Controllers OU
• Opening the Group Policy Management Editor, and then expanding Computer Configuration, Policies, Administrative Templates, System, and then KDC
• Configuring the KDC support for claims, compound authentication and Kerberos armoring policy setting to one of the four listed options:
• Not supported
• Supported
• Always provide claims
• Fail unarmored authentication requests
Implementing and configuring central access policies

First, you configure a central access rule (slide screenshot: Configuring a central access policy)

Second, you configure a central access policy that contains the rule (slide screenshot: Configuring a GPO with a central access policy)

Third, you deploy the central access policy to file servers in a GPO:
• Open Computer Configuration, open Policies, open Windows Settings, open Security Settings, open File System, and then open Central Access Policy
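The KDC policy setting (previous slide), the claim types and resource properties, and the central access rule and policy above are the AD DS side of the procedure. The following PowerShell is an added example written for this page, not code from the course deck, and implements the "Research department" policy from the earlier diagram. It runs on a domain controller with the GroupPolicy and ActiveDirectory modules. The GPO name, the claim type ID, the resource property and rule names are hypothetical; the registry key and values used for the KDC policy are the ones the KDC administrative template writes and should be confirmed against Get-GPOReport before being relied on. Linking the finished policy to the file servers (Computer Configuration, Policies, Windows Settings, Security Settings, File System, Central Access Policy) is a GPMC step with no cmdlet and is not shown.

```powershell
# Added example (not from the course deck). Run on a DC as a domain admin.
# Assumptions: names/IDs below are made up; KDC registry values per the KDC
# administrative template (verify with Get-GPOReport).
Import-Module GroupPolicy, ActiveDirectory

$domain = Get-ADDomain

# 1. "KDC support for claims, compound authentication and Kerberos armoring".
#    CbacAndArmorLevel: 1 = Supported, 2 = Always provide claims,
#    3 = Fail unarmored authentication requests. Start with Supported.
$kdcKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters'
$gpo = New-GPO -Name 'DAC - KDC claims and armoring' -Domain $domain.DNSRoot
Set-GPRegistryValue -Name $gpo.DisplayName -Domain $domain.DNSRoot -Key $kdcKey `
    -ValueName 'EnableCbacAndArmor' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpo.DisplayName -Domain $domain.DNSRoot -Key $kdcKey `
    -ValueName 'CbacAndArmorLevel' -Type DWord -Value 1 | Out-Null
New-GPLink -Name $gpo.DisplayName -Target $domain.DomainControllersContainer -Domain $domain.DNSRoot | Out-Null

# 2. One claim type sourced from the "department" attribute, usable as both a
#    user claim and a device claim. A fixed -ID keeps the SDDL readable; without
#    it AD appends a random suffix (ad://ext/Department:<hex>).
New-ADClaimType -DisplayName 'Department' -SourceAttribute 'department' `
    -ID 'ad://ext/Department' -AppliesToClasses @('user', 'computer') -Enabled $true

# 3. Resource property "Department" (ID becomes Department_MS) with suggested
#    values, added to the Global Resource Property List so FSRM downloads it.
$vals = @('Research', 'Finance', 'Executive') |
    ForEach-Object { New-ADSuggestedValueEntry -Value $_ -DisplayName $_ }
New-ADResourceProperty -DisplayName 'Department' -IsSecured $true `
    -ResourcePropertyValueType 'MS-DS-SinglevaluedChoice' -SuggestedValues $vals -Enabled $true
Add-ADResourcePropertyListMember -Identity 'Global Resource Property List' -Members 'Department_MS'

# 4. Central access rule: files tagged Department=Research may be modified only
#    by users whose Department claim is Research AND only from computers whose
#    Department claim is Research. 0x1301bf = Modify; AU = Authenticated Users,
#    narrowed by the conditional (XA) ACE. Owner, Administrators and SYSTEM keep
#    full control so the folder stays manageable.
$ruleName = 'Research files - Research users on Research devices'
$sddl = 'O:SYG:SYD:AR(A;;FA;;;OW)(A;;FA;;;BA)(A;;FA;;;SY)' +
        '(XA;;0x1301bf;;;AU;((@USER.ad://ext/Department == "Research") && ' +
        '(@DEVICE.ad://ext/Department == "Research")))'
New-ADCentralAccessRule -Name $ruleName `
    -ResourceCondition '(@RESOURCE.Department_MS == "Research")' `
    -CurrentAcl $sddl

# 5. Policy containing the rule (one policy can hold several rules).
New-ADCentralAccessPolicy -Name 'Research Policy'
Add-ADCentralAccessPolicyMember -Identity 'Research Policy' -Members $ruleName

# 6. Confirm the rule stored as intended.
Get-ADCentralAccessRule -Identity $ruleName | Select-Object Name, ResourceCondition, CurrentAcl
```

Device claims only reach the file server when the client is Windows 8 or newer with "Kerberos client support for claims, compound authentication and Kerberos armoring" enabled and the file server has "Support compound authentication" enabled (both under Computer Configuration, Policies, Administrative Templates, System, Kerberos); without compound authentication the @DEVICE term is simply absent and the ACE never matches. After the objects exist, run Update-FsrmClassificationPropertyDefinition on the file server so FSRM picks up Department_MS, then assign the policy on the Research folder's Advanced Security Settings and stage it (event 4818, next slide) before enforcing it.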
Implementing file-access auditing

• Create an audit entry in the Global File SACL
• Sample audit event (4659): a handle to a file was requested with intent to delete
• Sample staging event (4818): the proposed central access policy does not grant the same access permissions as the current central access policy
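The slide above names the Global File SACL and two event IDs. The following PowerShell is an added example written for this page, not code from the course deck: it enables the audit subcategories that produce 4659/4663 and 4818 on the file server, sets a global file SACL with auditpol (the command-line equivalent of the Global Object Access Auditing GPO setting), and then reads the events back into objects a SOC can filter. It is meant to be run elevated on the file server; the group name and look-back window are hypothetical.

```powershell
# Added example (not from the course deck). Run elevated on the file server.
# Assumptions: Adatum\Domain Users is the audited principal; 24h/168h windows.

# 1. Subcategories: "File System" yields 4659/4663; "Central Policy Staging"
#    yields 4818 for a proposed (staged) central access policy.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Central Policy Staging" /success:enable /failure:enable

# 2. Global Object Access Auditing for files: audit write (FW) and delete (DE)
#    by domain users on every file, without touching per-folder SACLs.
auditpol /resourceSACL /set /type:File /user:"Adatum\Domain Users" /success /failure /access:FW,DE
auditpol /resourceSACL /view /type:File

# 3. Read the events back. Field names come from each event's EventData, so the
#    same code works for all three IDs even though their templates differ.
function Get-FileAuditEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4659, 4663, 4818; StartTime = $since } `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        $meaning = switch ($_.Id) {
            4659 { 'handle requested with intent to delete' }
            4663 { 'object accessed' }
            4818 { 'proposed CAP grants different access than current CAP' }
        }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Meaning = $meaning
            User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Object  = $data['ObjectName']
            Access  = $data['AccessList']
        }
    }
}

# Staging review: every 4818 is a user/file pair whose access would change if
# the proposed policy were enforced. Review these, then promote the policy.
Get-FileAuditEvents -Hours 168 | Where-Object Id -eq 4818 | Format-Table -AutoSize

# Delete attempts by anyone outside the owning team, last 24 hours.
Get-FileAuditEvents | Where-Object { $_.Id -eq 4659 -and $_.User -notlike 'ADATUM\research*' } | Format-Table -AutoSize
```

4663 is the noisy one (every audited access); keep it for forensics but build alerts on 4659 and on 4818, since a staged policy that would newly deny an executive manager is exactly the mistake staging exists to catch before enforcement.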
Implementing file classification

• You can define resource properties in AD DS or locally on a file server by using FSRM
• FSRM uses both resource property definitions and local classification properties during file classifications
• You can configure file classifications to run automatically or you can run them manually
• You can configure file
classifications to run
automatically or you can run
them manually
Demonstration: Configuring Dynamic Access Control

In this demonstration, you will learn how to:


• Prepare AD DS for Dynamic Access Control
• Configure claims, resource properties, and access rules
• Classify files by using a file-classification mechanism
• Create and deploy a central access policy
Implementing access-denied assistance

• When implementing access-denied assistance:
• Define messages that users will receive when they attempt to access resources
• Determine whether users should be able to send a request for access
• Determine recipients for the access-request email messages
• Consider target operating systems (Windows 8 and newer)
• Use Group Policy or FSRM to enable and configure access-denied assistance
• Choose the method for remediation
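The server-side configuration listed above, as an added PowerShell example written for this page (not code from the course deck). It enables access-denied assistance for the AccessDenied event through FSRM, lets users send requests, routes them to the folder owner with the administrator in copy, and sets a per-folder owner address. It assumes Set-FsrmSetting already points at a working SMTP server; the message text, folder and addresses are hypothetical. Boolean-style parameters are passed with the -Name:$true form so the call is valid whether the cmdlet on your build declares them as switches or as booleans.

```powershell
# Added example (not from the course deck). Assumptions: SMTP configured via
# Set-FsrmSetting; E:\Research and the addresses are made up.
Import-Module FileServerResourceManager

$message = @'
You do not have permission to open this item.
If you need access, click "Request assistance" below. Your request is sent
to the owner of this folder and to the file server administrator, together
with the user and device details needed to fix the permissions.
'@

Set-FsrmAdrSetting -Event AccessDenied -Enabled:$true `
    -DisplayMessage $message `
    -AllowRequests:$true `
    -MailToOwner:$true -MailCCAdmin:$true `
    -IncludeUserClaims:$true -IncludeDeviceClaims:$true

# Per-folder owner: the built-in "Folder Owner Email" management property
# routes requests for this tree to the owning team instead of the global admin.
Set-FsrmMgmtProperty -Namespace 'E:\Research' -Name 'FolderOwnerEmail_MS' -Value 'research-owners@adatum.com'

Get-FsrmAdrSetting -Event AccessDenied
```

Including user and device claims in the request e-mail is what makes remediation fast under Dynamic Access Control: the owner can see at once whether the user's Department claim or the device's claim is the missing piece. The client side needs the "Enable access-denied assistance on clients for all file types" setting (Computer Configuration, Policies, Administrative Templates, System, Access-Denied Assistance) and Windows 8 or newer; older clients still receive the plain access-denied error.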
Demonstration: Configuring access-denied assistance

In this demonstration, you will learn how to configure and implement access-denied assistance
Lab B: Implementing Dynamic Access Control

• Exercise 1: Preparing for implementing Dynamic Access Control
• Exercise 2: Implementing Dynamic Access Control
• Exercise 3: Validating and remediating Dynamic Access Control

Logon Information
Virtual machine: 20744A-LON-DC1
User name: Adatum\Administrator
Password: Pa55w.rd

Virtual machine: 20744A-LON-SVR1
User name: Adatum\Art
Password: Pa55w.rd

Virtual machine: 20744A-LON-CL1
User name: Adatum\Connie
Password: Pa55w.rd

Virtual machine: 20744A-LON-CL2
User name: Adatum\Beth
Password: Pa55w.rd

Estimated Time: 90 minutes
Lab Scenario

A. Datum Corporation is a medical research company with approximately 5,000 employees worldwide that has specific needs for ensuring that medical data and records remain private. The company has a headquarters location and multiple worldwide sites. A. Datum has recently deployed a Windows Server 2016 server and Windows 10 client infrastructure.
A. Datum has a large and complex file server infrastructure. The
company manages access control to folder shares by using NTFS
access control lists, but in some cases, that approach does not provide
the desired results.
Most of the files that the various departments use currently are stored
in shared folders dedicated to these departments, but confidential
documents sometimes appear in other shared folders. You have been
provided with the requirement that only members of the Research
team should be able to access the Research team folders, and only
Executive department managers should be able to access highly
confidential documents.
 
Lab Scenario (continued)

The security department is also concerned that managers are accessing files by using their home computers, which might not be highly secure. Therefore, you must create a plan for securing the documents regardless of where they are located, and ensure that the documents can only be accessed from authorized computers. Authorized computers for managers are members of the security group ManagersWks.

The support department reports that a high number of calls are
a feature that helps users understand error messages better, and that
will enable them to request access automatically.
Lab Review

• How do file classifications enhance Dynamic Access Control usage?
• Can you implement Dynamic Access Control without a central access policy?
Module Review and Takeaways

• Review Questions
• Tools
• Best Practices
• Common Issues and Troubleshooting Tips
