What’s New in Windows Server 2016 Federation Services?

The corporate environment requires many collaboration application services to promote a seamless workflow environment. Windows Server 2016 represents major steps towards an environment that supports cloud features and an improved level of security and innovations. Some of the improvements found in Windows Server 2016 include:

  • Active Directory Federation Services (ADFS)
  • Microsoft IP Address Management (IPAM)
  • Conditional Access
  • Temporary group membership

Our focus here is on what Active Directory Federation Services (AD FS) brings to a Windows Server 2016 network environment.

Active Directory Federation Services provides single sign-on across the entire network to applications such as Office 365, SaaS applications, and other cloud-based applications.

In general, the IT department can enforce sign-on and access controls for both modern and legacy software. Users benefit from a seamless login with the same account credentials, and developers have an easier time managing their applications because the authentication process is handled by the federation service.

Here are some of the new features that came with Windows Server 2016 Federation Service:

Eliminate the Use of Passwords on a Private Network

Active Directory Federation Services 2016 offers three ways to sign in without a password, which removes the risk of the network being compromised by leaked or stolen passwords.

Using Azure Authentication Features

AD FS 2016 integrates with Azure Multi-Factor Authentication (MFA) so that users can sign in with an Azure MFA code instead of keying in a password: the user is prompted for a username and a one-time password (OTP) code for authentication.

When the MFA code is used as an additional authentication method instead, the user first provides the usual credentials and is then prompted for a text message, OTP, or voice verification before logging in.

Setting up a federation service to work with Azure MFA is now simple, because organizations can use Azure MFA without deploying a physical MFA server on premises. Azure MFA can be configured as the authentication method for local and private networks, or incorporated into an access control policy of the organization.

Allowing Password-less Access

Active Directory Federation Services 2016 uses device registration to allow access from devices that are known to the network. Users log in from a registered device, and the device's validity is checked for attribute changes to maintain device integrity and network security. Relying on approved devices ensures that access is granted only to specific devices, that private-network access is accepted only from managed devices, and that additional authentication steps are required for any non-compliant computer or device.

Using Windows Hello for Business Credentials

Workstations running Windows 10 have Windows Hello and Windows Hello for Business built in. The credentials are protected by gestures such as a fingerprint, facial recognition, or voice recognition. Using these Windows 10 capabilities, users can sign in to an AD FS 2016 server without a password.

Secure Access to Applications

Windows Server 2016 Federation Services works with the latest modern protocols to offer a better experience to Windows 10, Android, and iOS users.

In previous versions, access control policies could only be changed by someone who knew the claim rules language, which made policies hard to configure and maintain. In AD FS 2016, built-in templates can be applied for common policies such as:

  • Limit access to Local Area Network only
  • Allow everyone to access the server and ask for an MFA from private networks
  • Allow everyone to access the server and ask for an MFA from a specific group

Templates are recommended because they are easy to customize with exceptions or additional rules, and a policy can be applied to one or many applications.
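As an added example (not code from the article), the PowerShell below applies one of these built-in templates to a relying party trust and verifies the result. The relying party name is hypothetical, and the template names should be confirmed against what Get-AdfsAccessControlPolicy returns on your own AD FS 2016 server.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# session on an AD FS 2016 server. "Contoso Intranet App" is a hypothetical
# relying party trust display name.
Import-Module ADFS

# 1. List the built-in access control policy templates shipped with AD FS 2016,
#    so you can pick one instead of writing claim rules by hand.
Get-AdfsAccessControlPolicy | Select-Object Name, Identifier

# 2. Apply "permit everyone, but require MFA for extranet access" to the app.
#    The template name is assumed to match the built-in one on your farm.
Set-AdfsRelyingPartyTrust -TargetName "Contoso Intranet App" `
    -AccessControlPolicyName "Permit everyone and require MFA from extranet access"

# 3. Verify that the relying party now uses the policy rather than custom
#    issuance authorization rules.
Get-AdfsRelyingPartyTrust -Name "Contoso Intranet App" |
    Select-Object Name, AccessControlPolicyName, IssuanceAuthorizationRules
```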

Allow Sign-in Using Non-Active Directory LDAP Directories

Most firms use Active Directory alongside third-party directories for sign-in. AD FS 2016 can authenticate users whose credentials are stored in LDAP. This covers third-party users whose data are stored in LDAP v3-compliant directories, users in an Active Directory forest that has no two-way trust configured, and users in Active Directory Lightweight Directory Services.

Flawless Sign-in Experience

All applications using Active Directory Federation Services can give users a customized login experience. This suits organizations that operate several companies and brands. In previous editions there was one common sign-on experience, with customization available only for a single application. Windows Server 2016 lets you customize messages, images, web themes, and logos, and additional customized web pages can be created for every business platform.

Improved Management and System Operations

Streamlined Auditing

Auditing is streamlined in Active Directory Federation Services 2016; previous versions generated a separate event log entry for every single event.

Improved Interoperability with Security Assertion Markup Language (SAML 2.0)

Active Directory Federation Services 2016 adds SAML protocol support for importing trusts with multiple entries. This allows AD FS to take part in confederations and implementations that conform to the eGov 2.0 standard.

Simple Password Management for Office 365 Users

Active Directory Federation Services 2016 can be configured to send password-expiry claims to protected applications. For instance, Office 365 users receive notifications about the expiry status of their passwords through Exchange and Outlook.

Migration from AD FS Windows Server 2012 to AD FS Windows Server 2016 Made Easier

Previous editions required exporting the configuration from the old farm and importing it into a new farm. When moving from Windows Server 2012 to Windows Server 2016, you instead add a Windows Server 2016 server to the existing Windows Server 2012 farm, verify that everything works, and then remove the old server from the load balancer. The new features become available once the farm is running only on Windows Server 2016 and has been raised to farm behavior level 2016.

Conclusion

Federation services help manage identities across different networks and as such form the foundation of cybersecurity in the cloud world. With this information, it is time to optimize your Active Directory environment by redesigning and restructuring it before migrating to Windows Server 2016 Federation Services.


How to Migrate Filesystems Data to Windows Server 2016

One of the most difficult and time-consuming tasks for IT Administrators is migrating file shares and their permissions. Before embarking on the migration, some procedures need to be followed to avoid mishaps like broken file systems or lost files.

The most common form of data migration carries over all files together with their permissions. Microsoft provides a built-in tool and PowerShell cmdlets for this. The migration utility eases the process by moving roles, features, and even operating system settings to a new server.

Depending on the prevailing circumstances prompting the migration we need to answer questions like:

1. Are we preserving the existing domain?
2. What are the settings of the old server?
3. Was the server running on a virtual machine?
4. Was the virtual machine on a different platform from the one we are moving files into?

Regardless of the reason behind the migration, different methods can be used to initiate the migration. If the existing server system has some pending issues, you are advised to sort them out before starting the migration process.

Using the Windows Server Migration Tool

We need to install the migration tool to ease the migration process. The Windows Server Migration Tools transfer server roles, features, and some operating system settings to the destination server.

1. To get started, install the Migration feature on the destination server from the PowerShell console (the original text omitted the feature name; Migration is the feature that provides the tools):
Install-WindowsFeature Migration -ComputerName <DestinationServer>

2. Create a deployment folder on the destination server using the SmigDeploy.exe utility (installed by the command above). Specify the operating system and architecture of the old (source) server; the example below is for a 64-bit Windows Server 2008 R2 source:
C:\Windows\System32\ServerMigrationTools\SmigDeploy.exe /package /architecture amd64 /os WS08R2 /path <deployment folder path>

3. Copy the contents of the deployment folder created on the destination server to the old (source) server.

4. Use the Remote Desktop Protocol (RDP) to connect to the old server and run SmigDeploy.exe, which is found in the copied folder at a path of the form:
C:\<DeploymentFolder>\SMT_<OS>_<Architecture>

5. After the installation, enable the destination server to accept deployment data by loading the migration snap-in in the PowerShell console:
Add-PSSnapin Microsoft.Windows.ServerManager.Migration

The snap-in makes all of the migration cmdlets available in the session.

6. Run Receive-SmigServerData on the destination server to open a connection and wait for the source. The connection typically opens in under five minutes.

Sending Data to the Destination Server

1. On the source server, use Send-SmigServerData in the PowerShell console. The following command defines the source path (remember the deployment folder that was copied from the destination server):
Send-SmigServerData -ComputerName <DestinationServer> -SourcePath <SourceDeploymentFolder> -DestinationPath <DestinationDeploymentFolder> -Include All -Recurse

2. When prompted for the password, use the password that was issued when running the Receive-SmigServerData on the destination server.

3. When the command completes, all file properties should be transferred to the destination server.

TIP: Confirm that all shares were transferred successfully by running Get-SmbShare in PowerShell on the destination server.

Alternatives to Windows Server Migration Tools

The simplest alternative is backup and restore: take the most recent backups and restore them on the new server. This restores the data rather than the file system itself, and all file permissions on the new server will be the same as they were on the old server. It is generally a fast approach, although the speed depends on the amount of data.

1. Using the Free Disk2VHD Tool
If the current server is not virtualized, Microsoft's Disk2VHD utility is a reliable and fast option, because it captures the volume as a whole regardless of the sizes of the files on it.

All NTFS permissions are retained and transferred to the new drive. The advantage of using this tool is the automatic creation of a fully compatible Hyper-V virtual drive.

2. Copy Utilities
Microsoft ships built-in copy utilities that transfer files together with all of their permissions. The most common ones for server migration are XCOPY and ROBOCOPY.

Using XCOPY
The typical command looks like this:
XCOPY "\\sourceServer\ShareName\*.*" "\\destServer\ShareName\" /E /C /H /X /K /I /V /Y >Copy.log 2>CopyErr.log

The parameters taken by the command are:

/E – Copies directories and subdirectories, including empty ones.
/C – Continues copying even if errors occur.
/H – Copies hidden and system files as well.
/X – Copies file audit settings (implies /O, which copies ownership and ACL information).
/K – Copies attributes; without it, read-only attributes are reset.
/I – Assumes the destination is a directory and creates it if it does not exist.
/V – Verifies the size of each new file.
/Y – Suppresses the prompt asking whether to overwrite an existing destination file.

The command writes its normal output to a log file and its errors to a separate error log file.

Using ROBOCOPY
The Robocopy command looks similar to this:
ROBOCOPY "\\sourceserver\ShareName" "\\destServer\ShareName" /E /COPYALL /R:0 /LOG:Copy.log /V /NP

The parameters taken by the command are:

/E – Copies all directories and subdirectories, including empty ones.
/COPYALL – Copies all file information (data, attributes, timestamps, security, owner, and auditing).
/R:0 – Number of retries on failed copies; the default is one million. Setting it to 0 disables retries so that the copy continues uninterrupted.
/LOG – Writes the status output to the given log file.
/V – Produces verbose output, including skipped files.
/NP – No progress: copies without displaying the percentage of each file copied.
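As an added example (not from the article), this PowerShell script wraps the ROBOCOPY command above for several shares, interprets ROBOCOPY's exit-code bitmask, and then spot-checks that NTFS permissions and audit settings survived by comparing security descriptors on both sides. Server and share names are hypothetical.

```powershell
# Added example, not from the original article. OLDSERVER/NEWSERVER and the
# share names are hypothetical; run as an account with admin rights on both.
$pairs = @(
    @{ Source = "\\OLDSERVER\Finance"; Dest = "\\NEWSERVER\Finance" },
    @{ Source = "\\OLDSERVER\HR";      Dest = "\\NEWSERVER\HR" }
)
New-Item -ItemType Directory -Force -Path "C:\MigrationLogs" | Out-Null

function Invoke-ShareCopy {
    param([string]$Source, [string]$Destination, [string]$LogPath)
    # Same switches as the article's command; /R:0 keeps a locked file from
    # stalling the whole run (it is reported in the log instead).
    & robocopy $Source $Destination /E /COPYALL /R:0 /V /NP /LOG:$LogPath | Out-Null
    $code = $LASTEXITCODE
    # ROBOCOPY exit codes are a bitmask: 1 = files copied, 2 = extra files on
    # destination, 4 = mismatches, 8 = some copies failed, 16 = fatal error.
    [pscustomobject]@{
        Source   = $Source
        ExitCode = $code
        Failed   = (($code -band 8) -ne 0) -or (($code -band 16) -ne 0)
    }
}

function Compare-AclSample {
    param([string]$Source, [string]$Destination, [int]$SampleSize = 25)
    # Take a sample of source files and compare the full security descriptor
    # (owner, DACL and SACL) in SDDL form with the same relative path on the
    # destination. -Audit needs SeSecurityPrivilege, which admins have.
    $files = Get-ChildItem -Path $Source -Recurse -File -ErrorAction SilentlyContinue |
             Select-Object -First $SampleSize
    foreach ($f in $files) {
        $rel = $f.FullName.Substring($Source.TrimEnd('\').Length).TrimStart('\')
        $dst = Join-Path $Destination $rel
        if (-not (Test-Path -LiteralPath $dst)) {
            [pscustomobject]@{ Path = $rel; Result = "MISSING" }
            continue
        }
        $srcSddl = (Get-Acl -LiteralPath $f.FullName -Audit).Sddl
        $dstSddl = (Get-Acl -LiteralPath $dst -Audit).Sddl
        [pscustomobject]@{
            Path   = $rel
            Result = $(if ($srcSddl -eq $dstSddl) { "OK" } else { "ACL DIFFERS" })
        }
    }
}

foreach ($p in $pairs) {
    $log = "C:\MigrationLogs\{0}.log" -f $p.Source.Split('\')[-1]
    $r = Invoke-ShareCopy -Source $p.Source -Destination $p.Dest -LogPath $log
    $r | Format-Table -AutoSize
    if ($r.Failed) {
        Write-Warning "Copy of $($p.Source) reported failures; see $log"
        continue
    }
    # Only report files whose permissions or audit settings differ.
    Compare-AclSample -Source $p.Source -Destination $p.Dest |
        Where-Object Result -ne "OK" | Format-Table -AutoSize
}
```

Any "ACL DIFFERS" or "MISSING" line is a file to investigate before the old server is decommissioned; a clean run prints nothing after the exit-code table.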

3. File Synchronization or Replication
Microsoft includes several tools that help system administrators replicate data between two servers. This is a disaster-preparedness measure that keeps data available at all times.

Distributed File System Replication (DFSR) is one way of synchronizing the contents of two shares. It can be combined with DFS Namespaces, so that users reach shares via a path of the form \\Domain\share rather than \\server\share.

Together, DFSR and DFS Namespaces can bring more than two servers behind one share that points to multiple servers. DFSR also makes it easy to add another server to an existing replication configuration.

Shares and Permissions

Since Windows 2000, file share definitions have been stored in the registry at:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares

Instead of recreating the shares by hand, you can export this key to obtain the paths and permissions of all defined shares. Importing shares through the registry means that every drive letter on the new server must match the paths used on the old server; to avoid confusion, assign the same drive letters on both servers.
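As an added example (not from the article), this PowerShell reads the share definitions from that registry key on the old server, checks that each share's drive letter and path exist on the new server before anything is imported, and recreates the disk shares that resolve. It assumes the Remote Registry service is reachable on the old server; OLDSERVER is a hypothetical name.

```powershell
# Added example, not from the original article. OLDSERVER is hypothetical.
# Run on the NEW server as an administrator after the data has been copied.
$OldServer = "OLDSERVER"
$base   = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $OldServer)
$shares = $base.OpenSubKey('SYSTEM\CurrentControlSet\Services\LanmanServer\Shares')

function ConvertFrom-ShareValue {
    param([string[]]$Lines)
    # Each share is a REG_MULTI_SZ whose entries look like "Path=D:\Data",
    # "ShareName=Data", "Type=0", "Remark=", "CSCFlags=0", "MaxUses=...".
    $h = @{}
    foreach ($line in $Lines) {
        $name, $value = $line -split '=', 2
        $h[$name] = $value
    }
    [pscustomobject]$h
}

$defs = foreach ($valueName in $shares.GetValueNames()) {
    ConvertFrom-ShareValue -Lines $shares.GetValue($valueName)
}

foreach ($d in $defs) {
    if ($d.Type -ne '0') { continue }            # Type 0 = disk share; skip others
    $drive = Split-Path -Path $d.Path -Qualifier  # e.g. "D:"
    if (-not (Test-Path -LiteralPath "$drive\")) {
        Write-Warning "$($d.ShareName): drive $drive from the old server does not exist here; assign matching drive letters before importing."
        continue
    }
    if (-not (Test-Path -LiteralPath $d.Path)) {
        Write-Warning "$($d.ShareName): path $($d.Path) not found; copy the data first."
        continue
    }
    if (Get-SmbShare -Name $d.ShareName -ErrorAction SilentlyContinue) {
        Write-Host "$($d.ShareName) already exists, skipping"
        continue
    }
    # The share-level security descriptors live in the Security subkey next
    # to Shares and are carried by a registry export/import. When recreating
    # with New-SmbShare instead, start from an admin-only share permission
    # and let the NTFS ACLs copied with ROBOCOPY /COPYALL govern access.
    $params = @{ Name = $d.ShareName; Path = $d.Path; FullAccess = 'BUILTIN\Administrators' }
    if ($d.Remark) { $params.Description = $d.Remark }
    New-SmbShare @params | Out-Null
    Write-Host "Created share $($d.ShareName) -> $($d.Path)"
}

# Final check, as the article's TIP suggests.
Get-SmbShare | Where-Object { -not $_.Special } | Format-Table Name, Path, Description -AutoSize
```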

Conclusion

Whichever method you choose to migrate file systems should be the most convenient and comfortable one for you. The choice depends on your level of skill and on how much downtime the server can tolerate.

Storage Replication in Windows Server 2016

Storage Replica is a new feature introduced in Windows Server 2016. It replicates volumes between servers or clusters for disaster recovery, and it lets you build stretch failover clusters that span two or more sites with all nodes kept in sync.

Note: This feature is only available in the Datacenter edition of Windows Server 2016.

Storage Replica supports both asynchronous and synchronous replication.

  • Asynchronous replication mirrors data across sites beyond metropolitan ranges, over network links with higher latency, without guaranteeing that both sites hold identical copies of the data at the moment of a failure.
  • Synchronous replication mirrors data within a low-latency network, keeping crash-consistent volumes on both sides so that there is zero data loss at the file-system level during a failure.

Why You Need Storage Replication

Storage Replica is the ideal tool for modern disaster recovery and preparedness requirements, and it is part of the Windows Server 2016 Datacenter edition. For the first time, Windows Server offers users the peace of mind of zero data loss, with the ability to synchronously protect data across floors, racks, buildings, campuses, cities, and counties.

After a disaster strikes, the data is accessible elsewhere without any loss. The same principle applies before the disaster strikes: Storage Replica lets users switch workloads to safer locations when a catastrophe comes with only a few moments' warning (again, without any data loss).

Storage Replica is also reliable over extended ranges and higher-latency networks thanks to asynchronous replication. Because it is not checkpoint-based, the delta of changes is much smaller than with snapshot-based products. Storage Replica operates at the partition layer, so it replicates all VSS snapshots created by Windows Server and by backup software, which allows unstructured user data to be replicated synchronously.

Storage Replica also lets users decommission existing file replication systems such as DFS Replication that were pressed into service as a low-end disaster recovery remedy. DFS Replication works well over very low-bandwidth networks, but its latency is usually high, mainly because it needs files to be closed and because of the artificial throttling it applies to avoid network congestion.

Supported Configurations

Stretch Cluster lets users configure computers and storage in a single cluster, where some nodes share one set of asymmetric storage and other nodes share another set, and then replicate synchronously or asynchronously with site awareness. This scenario can use Storage Spaces with shared SAS storage, SAN and iSCSI-attached LUNs. It is managed with PowerShell and the Failover Cluster Manager graphical tool, and it allows automated failover.

Cluster to Cluster allows replication between two separate clusters, where one cluster synchronously or asynchronously replicates with the other. This scenario can use Storage Spaces Direct, Storage Spaces with shared SAS storage, SAN and iSCSI-attached LUNs. It is managed with PowerShell and requires manual intervention for failover. Azure Site Recovery support is included for this scenario.

Server to Server allows synchronous and asynchronous replication between two standalone servers using Storage Spaces with shared SAS storage, SAN and iSCSI-attached LUNs. It is managed with PowerShell and Server Manager, and requires manual intervention for failover.

The Key Features of Storage Replication

Simple Management and Deployment
Storage Replica was designed for ease of use. Creating a replication partnership between two servers requires only one PowerShell command. Deploying stretch clusters uses the intuitive wizard in the Failover Cluster Manager tool.

Host and Guest
All Storage Replica capabilities are available in both virtualized guest and host-based deployments. This means that guests can replicate their data volumes even when running on non-Windows virtualization platforms or in public clouds, as long as the guest runs Windows Server 2016 Datacenter Edition.

Block-Level Replication, Zero Data Loss
With synchronous replication there is no possibility of data loss. With block-level replication there is no possibility of files being locked.

User Delegation
Users can be delegated permission to manage replication without being members of the built-in Administrators group on the replicated nodes, which limits their access to unrelated areas.

Network Constraint
Storage Replica can be constrained to individual networks per server and per replicated volume, in order to leave bandwidth for backup, application, and management software.

High Performance Initial Sync
Storage Replica supports seeded initial sync, where a subset of the data already exists on the target from older copies, backups, or shipped drives. The initial replication then copies only the differing blocks, which can shorten the initial sync time and prevents the data copy from consuming the limited bandwidth.

SMB 3 Transport
Storage Replica uses SMB 3 as its transport protocol, which runs over TCP/IP.

Prerequisites

  1. Two servers, each with two volumes: one for storing data and one for storing logs.
  2. Data volumes must be the same size on the main server and the remote server.
  3. Log volumes must also be the same size on both servers.
  4. Data volumes should not exceed 10TB and must be formatted with NTFS.
  5. Both servers must be running Windows Server 2016.
  6. Each server needs at least 2GB of RAM and two cores.
  7. Each server needs at least one TCP/Ethernet connection for synchronous replication, preferably RDMA.
  8. The network between the servers must have enough bandwidth to accommodate the user's I/O write workload and an average round-trip latency of 5ms or less for effective synchronous replication.

How it Works

[Diagram: Storage Replica in a synchronous configuration] The diagram above depicts how storage replication works in a synchronous configuration.

The application writes data to the file system volume labelled Data. The write is intercepted by the I/O (input/output) filter and written to the Log volume on the same server. The log data is then replicated across to the remote server's Log volume. Once it has been written to the remote log volume, an acknowledgement is sent back to the primary server and on to the application. On the remote server, the data is then flushed from the Log volume to the Data volume.

Note: The purpose of the Log volume is to record and verify all block changes on both sides. In the synchronous configuration the primary server must wait for the acknowledgement from the remote server, so if network latency is high, writes slow down and the replication process is degraded. Consider using RDMA, which has low network latency.

In the asynchronous model, data is written to the Log volume on the main server and an acknowledgement is sent to the application immediately. The data is then replicated from the Log volume on the primary server to the Log volume on the remote server. Should the link between the two servers deteriorate, the primary server blocks further changes until the link is restored, whereupon replication of the changes continues.

Setting Up Storage Replication

  1. Launch Windows PowerShell and verify that the Storage Replica module is present:
     Import-Module StorageReplica
  2. Test the proposed topology by running the command below. It measures the chosen data and log volumes for the given duration (volume E holds the data and volume F the logs on both servers):
     Test-SRTopology -SourceComputerName CHA-SERVER1 -SourceVolumeName e: -SourceLogVolumeName f: -DestinationComputerName CHA-SERVER2 -DestinationVolumeName e: -DestinationLogVolumeName f: -DurationInMinutes 30 -ResultPath c:\temp
  3. PowerShell then generates an HTML report in the result path that gives an overview of which requirements are met.
  4. Begin setting up the replication configuration using the command below:
     New-SRPartnership -SourceComputerName CHA-SERVER1 -SourceRGName SERVER1 -SourceVolumeName e: -SourceLogVolumeName f: -DestinationComputerName CHA-SERVER2 -DestinationRGName SERVER2 -DestinationVolumeName e: -DestinationLogVolumeName f:
  5. Run Get-SRGroup to list the configuration properties. Replication is synchronous by default and the log size is 8GB. Switch to asynchronous replication with:
     Set-SRPartnership -SourceComputerName CHA-SERVER1 -SourceRGName SERVER1 -DestinationComputerName CHA-SERVER2 -DestinationRGName SERVER2 -ReplicationMode Asynchronous

When we open File Explorer on the remote server, Local Disk E (the replicated data volume) is inaccessible, while the logs are stored on volume F.

When data is written on the source server, it will be replicated block by block to the destination or remote server.


Performance Tuning for Windows Server Active Directory 2016

The Active Directory is a standardized and central database for Windows Server systems that houses user accounts used for authentication, file shares, printers, computers, and other settings such as security groups. The main purpose of Active Directory is to allow only authorized users to logon to the network and act as a central management for network resources.

Once you have set up a Windows Server in your environment, you might have business requirements that are not supported by your server’s default settings. For instance, you may desire to scale down on your power/energy consumption, maximize your server’s output and have the lowest server latency. It’s for this reason that we must always ensure that our AD is running optimally. And one way to ensure that is by performance tuning.

We are going to give you a few tips on how you can tweak your server settings and scale up your AD's performance and energy efficiency, especially when you have varied workloads.

For performance tuning to have maximum impact, it should be centered around the server hardware, the workload, the energy budget, and the performance objectives of the server. We are going to describe the crucial tuning considerations that can yield improved system performance coupled with optimal energy consumption.

We’ll break down each setting and outline its benefits to help you make an informed decision and achieve your goals as far as workload, system’s performance, and energy utilization is concerned.

Hardware Considerations

This encompasses the RAM, Processor, storage, and Network Card.

RAM

To allow the server to scale, the minimum amount of required RAM is calculated as follows:

Current size of database + Total size of SYSVOL + Recommended RAM by OS + Vendor Recommendations

Any additional RAM can be added in anticipation of the database’s growth and workload in the server’s lifetime. For remote sites with few users, these requirements can be relaxed as they will not require much RAM to cache much information to service requests.

In virtualization scenarios, avoid overcommitting memory on the host. Memory overcommit occurs when more memory is allocated to the guest machines than the underlying host actually has. This is tolerable as long as the guests do not all use their allocation at once, but it becomes a serious problem when the memory the guests actually use exceeds that of the host and the host begins paging. Remember, the objective of RAM optimization is to minimize the time spent going back to the disk.

16GB RAM is a reasonable amount of memory for a physical server. For virtual machines, though, an estimated size of 12GB would be considered decent enough with anticipation of future upgrade and growth of the database and resources.

Cache Memory

Cache memory is RAM that the processor can reach more quickly than ordinary memory access paths. The cache performance of Active Directory depends on the memory space allocated for caching: data access at the memory level is far faster than reading from physical volumes.

To make this processing highly efficient, add enough memory to minimize disk input/output requests. The viable option is to have enough RAM installed to handle all operations of the operating system and the installed applications. System logs and databases should also be placed on separate volumes to offer more flexibility in the storage layout.

To improve the I/O request on a hard disk, the Active Directory should implement the following hardware configurations:

  1. Use RAID controllers
  2. Increase the number of disks handling log files
  3. Enable write caching on the disk controllers

The subsystem performance of each volume should be reviewed; the idea is to have enough room for sudden changes in load to avoid client request non-responsiveness. Data consistency will only be guaranteed when all changes are written to logs.

Non-critical tasks such as system scans and backups should be scheduled for times when the system is not overloaded. Backup and scanning programs with low I/O demands are preferred because they compete less with critical Active Directory services.

Network

To work out how much traffic must be supported, it helps to distinguish two broad categories of network capacity planning for Active Directory Domain Services.

First, there is replication traffic, which passes back and forth between domain controllers. Second, there is client-to-server traffic, also known as intra-site traffic. Client-server traffic is simpler to plan for, since client requests to Active Directory are small in contrast to the large volumes of data sent back by Active Directory Domain Services.

A bandwidth of 100Mbps is adequate in environments with up to about 5,000 users per server. A 1Gbps (gigabit) network card is recommended where there are more than 5,000 users per server.

In virtualized environments, the network adapter should be in a position to support the Domain Controller load and the rest of the guests or virtual machines which are sharing the virtual switch which is attached to the physical network card.

Storage

Planning storage on the server entails two things: storage size and performance.

For Active Directory, sizing is only a consideration in large environments, because even on a 180GB hard drive, SYSVOL and NTDS.DIT fit quite easily. It is therefore not prudent to allocate excessive disk space here.

However, you should ensure that free space equal to 110% of the NTDS.DIT size is available for defragmentation. Beyond that, plan for growth over the 3-to-5-year lifespan of the hardware. An estimate of about 300% of the NTDS.DIT database file size will accommodate growth over time and allow for offline defragmentation.
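As an added example (not from the article), the function below measures NTDS.DIT and SYSVOL on a domain controller and applies both the RAM formula from the RAM section and the 110% / 300% disk rules above, so the two sizing checks can be run together. The OS and vendor RAM figures are inputs you must supply; the 2GB default is an assumed placeholder, not a Microsoft recommendation.

```powershell
# Added example, not from the original article. Run on a domain controller
# as an administrator. Default paths are the standard NTDS and SYSVOL locations.
function Get-AdSizingEstimate {
    param(
        [string]$NtdsPath   = "$env:SystemRoot\NTDS\ntds.dit",
        [string]$SysvolPath = "$env:SystemRoot\SYSVOL",
        [double]$OsRecommendedGB     = 2,   # assumed placeholder, supply your OS figure
        [double]$VendorRecommendedGB = 0    # supply the hardware/application vendor figure
    )
    # Get-Item reads file metadata, so it works while the database is open.
    $ditBytes = (Get-Item -LiteralPath $NtdsPath).Length
    $sysvolBytes = (Get-ChildItem -LiteralPath $SysvolPath -Recurse -File -ErrorAction SilentlyContinue |
                    Measure-Object -Property Length -Sum).Sum
    if (-not $sysvolBytes) { $sysvolBytes = 0 }

    # Article's RAM rule: database + SYSVOL + OS recommendation + vendor recommendation.
    $minRamGB = [math]::Ceiling(($ditBytes + $sysvolBytes) / 1GB + $OsRecommendedGB + $VendorRecommendedGB)

    # Free space on the volume that holds NTDS.DIT, for the 110% / 300% rules.
    $driveName = (Get-Item -LiteralPath $NtdsPath).PSDrive.Name
    $freeBytes = (Get-PSDrive -Name $driveName).Free

    [pscustomobject]@{
        NtdsDitGB          = [math]::Round($ditBytes / 1GB, 2)
        SysvolGB           = [math]::Round($sysvolBytes / 1GB, 2)
        MinimumRamGB       = $minRamGB
        DefragNeededGB     = [math]::Round(1.10 * $ditBytes / 1GB, 2)   # 110% rule
        GrowthPlanGB       = [math]::Round(3.00 * $ditBytes / 1GB, 2)   # 300% rule
        FreeOnNtdsVolumeGB = [math]::Round($freeBytes / 1GB, 2)
        DefragHeadroomOK   = $freeBytes -ge (1.10 * $ditBytes)
        GrowthHeadroomOK   = $freeBytes -ge (3.00 * $ditBytes)
    }
}

Get-AdSizingEstimate | Format-List
```

Compare MinimumRamGB against the installed memory and check that both headroom flags are True before signing off on the hardware.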

Processors

Processors with few free cycles increase the time requests wait before they execute. Server optimization should leave enough headroom to handle workload surges and, in the long run, minimize response time to client requests. Reducing the load on the processors involves selecting suitable processors, directing client requests to available processors, and using processor metrics to gauge system performance.

Performance Tuning

Performance tuning on the Active Directory has two objectives:

  • The optimal configuration and performance of Active Directory, so that the load is balanced efficiently
  • All work sent to Active Directory has to be efficient

For the objectives above to be met, three areas need to be looked at:

Capacity Planning

This means having enough domain controllers to provide redundancy and answer client requests quickly. All the server hardware must be able to handle the existing load. Capacity planning involves scaling operations across multiple servers, and adding resources such as RAM to a server is essential to prevent failures by ensuring that every aspect of the server works as intended.

A typical capacity planning takes place in three stages:

  1. Evaluating the existing environment by determining the current challenges.
  2. Determining the hardware needed according to the findings in the step above.
  3. Validating the deployed system to ensure that it works within the defined specifications.

Server-side Tuning

The domain controllers in the Active Directory are configured to handle loads efficiently. The System Administrator is supposed to balance the demands of individual users against available resources. Add-on products that manage bandwidth and port usage may be implemented to restrict network resource uses.

Active Directory Client/Application Tuning

The Active Directory has to be set up so that the client and application requests use the Active Directory to achieve maximum efficiency.

Domain Controllers and Site Considerations

Domain controller placement and site design revolve around optimization for referrals and optimization with trusts in mind.

A well-defined site definition is central to server performance. Clients that do not get the requested service may report poor performance when querying the Active Directory. Since client requests can come over IPv4 or IPv6, the Active Directory should be configured to serve requests from IPv6 addresses as well. By default, the operating system picks IPv6 over IPv4 if both are configured to send and receive data.

Most domain controllers use name resolution for reverse lookup when determining the client’s site. When this happens, delays in the thread pool are inevitable leading to unresponsiveness from the domain controller. By optimizing the name resolution framework, quick response is assured from the domain controllers.

An alternative is to locate read/write domain controllers where read-only domain controllers are used. Optimizing this scenario means:

  • Changing application code that contacts writable domain controllers when a read-only domain controller would be sufficient.
  • Placing the read/write domain controller at the center of operations to reduce latency.

Optimization for Referrals

Referrals define how Lightweight Directory Access Protocol (LDAP) requests are processed when a domain controller does not hold a copy of the requested partition. The response to a referral request contains the name of the partition, the port number, and the DNS name.

This information is used by the client to send requests to the server hosting the partition. The recommendation is to make sure that the Active Directory site definitions and domain controllers are in place to reflect the clients’ needs. Deploying domain controllers from multiple domains in a single site and relocating the applications may also help fine-tune the domain controllers.

Optimization with Trusts in Mind

In a domain with multiple forests, trusts have to be defined according to the domain hierarchy. The secure channels at the root of the forest may become overloaded as authentication requests between the domain controllers increase. This causes delays in far-flung Active Directories, and the overload shows up in inter-forest and lower-level trust scenarios. Some recommendations to help reduce forest trust overload:

  • Use MaxConcurrentAPI to help distribute load across a secure channel.
  • Create shortcut trusts as needed, depending on the available load.
  • All domain controllers within a domain should be able to handle name resolution and communicate with trusted domain controllers.
  • All trusts should be based on locality considerations.
  • Reduce the chances of running into MaxConcurrentAPI problems by enabling Kerberos where possible and reducing the use of secure channels.

Name resolution taking place across firewalls takes a toll on the system and will, in turn, affect the clients negatively. To overcome this, access to trusted domains needs to be optimized through the following steps:

  1. WINS and DNS should resolve names within the trusting domain controllers by listing the domains. This counters the problem of static records, which tend to cause connectivity problems over time. All forwarders and secondary copies of the resource environment needed by the clients have to be maintained manually.
  2. Converge all site names shared between trusted domains so that they reflect domain controllers that are in the same location, by ensuring IP and subnet addresses are linked to sites within the forest.
  3. Ensure all ports are open and firewalls are configured to accommodate all trusts. Closed or restricted ports will lead to several failed communication attempts, forcing the client to experience timeouts and hung threads or applications.
  4. Domain controllers forming a trusting domain should be installed in the same physical location.
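
Steps 1 to 3 above, carried out with PowerShell on a Windows Server 2016 domain controller, as an added example that is not part of the original article. It uses the DnsServer, ActiveDirectory and NetTCPIP modules; the partner domain, its DNS servers, the site name, the subnets and the partner domain controller host name are constructed placeholders.

```powershell
# Added example (not the article's own code): conditional forwarder instead of
# static records (step 1), subnet-to-site mapping (step 2), and a port check
# for the trust path (step 3), then a trust listing/verification.
Import-Module DnsServer, ActiveDirectory, NetTCPIP

$partnerZone = 'partner.example'              # assumed trusted domain
$partnerDns  = @('10.2.0.10', '10.2.0.11')    # assumed partner DNS servers
$partnerDc   = 'dc1.partner.example'          # assumed partner domain controller
$site        = 'Branch-Site'                  # assumed site for the partner subnets
$subnets     = @('10.2.0.0/24', '10.2.1.0/24')

# Step 1: an AD-integrated conditional forwarder replicated forest-wide means every
# DC in the forest resolves the trusted domain the same way, with no static records.
if (-not (Get-DnsServerZone -Name $partnerZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $partnerZone `
        -MasterServers $partnerDns -ReplicationScope 'Forest'
}

# Step 2: link the subnets the partner DCs live in to a site, so the DC locator
# treats them as "same location" and clients are not sent across the WAN.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
    New-ADReplicationSite -Name $site
}
foreach ($subnet in $subnets) {
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$subnet'")) {
        New-ADReplicationSubnet -Name $subnet -Site $site
    }
}

# Step 3: test the trust-related TCP ports up front instead of waiting for clients
# to report hung threads; a filtered port shows up as Reachable = False.
$trustPorts = [ordered]@{ 'RPC endpoint mapper' = 135; 'Kerberos' = 88; 'LDAP' = 389; 'SMB' = 445 }
function Test-TrustPorts {
    param([string]$Server, [System.Collections.IDictionary]$Ports)
    foreach ($entry in $Ports.GetEnumerator()) {
        $result = Test-NetConnection -ComputerName $Server -Port $entry.Value -WarningAction SilentlyContinue
        [pscustomobject]@{
            Server    = $Server
            Service   = $entry.Key
            Port      = $entry.Value
            Reachable = $result.TcpTestSucceeded
        }
    }
}
Test-TrustPorts -Server $partnerDc -Ports $trustPorts | Format-Table -AutoSize

# Verify: list every trust this domain holds, then validate the one to the partner.
Get-ADTrust -Filter * | Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication
netdom trust (Get-ADDomain).DNSRoot /d:$partnerZone /verify
```

Run it once per trusting domain; the port test is the quickest way to tell a firewall problem (step 3) apart from a name resolution problem (step 1), because a forwarder that works but ports that are filtered produce the timeouts the list describes.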

When no domain is specified disabling trust checks on the availability domain, trust checks are recommended.

File Server Resource Manager (FSRM) Overview

File Server Resource Manager (FSRM) is a Microsoft Windows Server role created for managing and classifying data stored on file servers. It includes some interesting features which can be configured by using the File Server Resource Manager snap-in or by using Windows PowerShell.

Here’s an overview of the features included in the FSRM.

File Classification Infrastructure

This offers an automatic classification process based on custom properties, with the purpose of making file management easier and more effective.

It classifies files and applies policies based on that classification. Take public and private file classification as an example: once files have been assigned a class, a management task can be created to perform an action on them (RMS encryption, for example).

The task can be instructed to encrypt files classified as private while excluding files classified as public.

File Management Task

Enables applying a conditional policy or action to files based on their classification. Policy conditions can include file location, classification properties, file creation date, file modification date, or the date the file was last accessed.

The available task types are expiring files, encrypting files, or running a custom command.

Quota Management

This allows a limitation of allowed space for a volume or folder. Quotas are automatically applied to new folders that are created on a volume. It is possible to define quota templates which can be applied to new volumes or folders.

File Screening Management

This provides control over the type of files that can be stored on a server. For example, the user can create file screen which does not allow storing JPEG files in the personal shared folder on a file server.

Storage Reports

Storage reports help identify trends in disk usage and in the classification of user data. They can monitor selected groups of users and restrict attempts to save unauthorized files.

An important thing to note is that File Server Resource Manager supports only the NTFS file system and does not support the Resilient File System (ReFS).

Practical Applications

Some practical applications for File Server Resource Manager include:

  • If File Classification Infrastructure is used with Dynamic Access Control, a policy can be created that grants access to files and folders based on the way files are classified on the file server.
  • The user can create a File Classification rule which tags any file that contains at least 10 Social Security numbers as a file containing personally identifiable information.
  • Any file that has not been modified in the last 10 years can be set as expired.
  • Quotas (e.g. 200 MB) can be created per user. A notification to the admin user can also be set for when the quota reaches 80% (i.e. 180 MB of 200).
  • It is possible to schedule a report which runs weekly at a specific time with the purpose of generating a list of the most recently accessed files from a previously selected period. This can help the admin user determine weekend storage activity and plan server downtime accordingly.
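
Two of the practical applications above (the file screen from the File Screening Management section and the weekly most-recently-accessed report), done with the FileServerResourceManager PowerShell module that ships with the FSRM role, as an added example that is not the article's own code. The share path, mail relay and mailbox addresses are constructed placeholders.

```powershell
# Added example (not from the original article): block JPEG files in a personal
# share with an e-mail notification, and schedule a weekly "most recently
# accessed" storage report. All names below are assumed placeholders.
Import-Module FileServerResourceManager

$share     = 'D:\Shares\Personal'        # assumed personal shared folder
$adminMail = 'fsadmin@corp.example'      # assumed administrator mailbox

# FSRM sends nothing until a relay and addresses are configured (assumed values).
Set-FsrmSetting -SmtpServer 'smtp.corp.example' `
    -AdminEmailAddress $adminMail -FromEmailAddress 'fsrm@corp.example'

# File group describing what counts as a JPEG. Screens match file names, not
# content, so a renamed .jpg passes: this is a storage policy control, not a
# security boundary.
if (-not (Get-FsrmFileGroup -Name 'JPEG Images' -ErrorAction SilentlyContinue)) {
    New-FsrmFileGroup -Name 'JPEG Images' -IncludePattern @('*.jpg', '*.jpeg') | Out-Null
}

# Notify the admin when a save is blocked. The bracketed tokens are FSRM
# variables expanded into the message at notification time.
$notify = New-FsrmAction -Type Email -MailTo '[Admin Email]' `
    -Subject 'Blocked file save on [Server]' `
    -Body 'User [Source Io Owner] tried to save [Source File Path] under [File Screen Path].'

# -Active enforces the screen (omit it for passive monitoring that only logs).
# Recreate the screen so the script is safe to re-run.
if (Get-FsrmFileScreen -Path $share -ErrorAction SilentlyContinue) {
    Remove-FsrmFileScreen -Path $share -Confirm:$false
}
New-FsrmFileScreen -Path $share -IncludeGroup 'JPEG Images' -Active -Notification $notify | Out-Null

# Weekly report of the most recently accessed files, run Saturday 22:00 so the
# admin can see weekend activity when planning a maintenance window.
$schedule = New-FsrmScheduledTask -Time (Get-Date '22:00') -Weekly @('Saturday')
if (-not (Get-FsrmStorageReport -Name 'Weekly recent access' -ErrorAction SilentlyContinue)) {
    New-FsrmStorageReport -Name 'Weekly recent access' -Namespace @($share) `
        -ReportType @('MostRecentlyAccessed') -Schedule $schedule -MailTo $adminMail | Out-Null
}

# Verification: show what was configured.
Get-FsrmFileScreen -Path $share | Select-Object Path, Active, IncludeGroup
Get-FsrmStorageReport -Name 'Weekly recent access' | Select-Object Name, ReportType, Namespace
```

Start-FsrmStorageReport -Name 'Weekly recent access' runs the report immediately if you want to check the output before the first scheduled run.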

Storage on Windows Server 2016: An Overview

Windows Server 2016 Data Center brought interesting new and improved features in the field of virtual workload data centers (SDDC). 

SDDC stands for Software-Defined Data Center, which is defined as data centers with a virtualized infrastructure delivered as a service. Microsoft finds SDDC as a more flexible, cost-effective data center platform based on Hyper-V. It offers the possibility of moving entire operation models away from a physical data center. 

Software-Defined Storage

Storage technology for virtualized workloads in Windows Server 2016 consists of four new and improved features:

  • Storage Spaces Direct – New in Windows Server 2016, this extends the existing Windows Server SDS (Software-Defined Storage) stack. It enables building highly available (HA) storage systems with local storage. Such HA storage systems are highly scalable and much cheaper than traditional SAN or NAS arrays. It simplifies procurement and deployment and offers higher efficiency and performance.
  • Storage Replica – Provides block-level replication between servers or clusters and is intended primarily for disaster prevention, such as the ability to restore service at an alternate data center with minimal downtime or data loss, or even to shift services to an alternate site. It supports two types of replication: synchronous (primarily used for high-end transactional applications that need instant failover if the primary node fails) and asynchronous (commits the data to be replicated to memory or a disk-based journal, which then copies the data in real time or at scheduled intervals to the replication targets).
  • Storage Quality of Service (QoS) – A feature that provides central monitoring and management of storage performance for virtual machines using Hyper-V and the Scale-Out File Server roles. In Windows Server 2016, QoS can be used to prevent a single VM from consuming all storage resources. It also monitors the performance details of all running virtual machines and the configuration of the Scale-Out File Server cluster from one place, and it defines performance minimums and maximums for virtual machines and ensures that they are met.
  • Data Deduplication – A feature that helps reduce the impact of redundant data on storage costs. Data Deduplication optimizes free space on a volume by examining the data on the volume for duplication. Once identified, duplicated portions of the volume’s dataset are stored once and are (optionally) compressed for additional savings.

General Purpose File Servers

  • Work Folders, first introduced in Windows Server 2012 R2, allows users to synchronize folders across multiple devices. It can be compared to existing solutions such as Dropbox, with the difference that your own file server is the repository and it does not rely on a service provider. This kind of synchronization is convenient for companies, because their own infrastructure serves as the server, and for users, who can work on files without being limited to a corporate PC or to being online.
  • Offline Files and Folder Redirection are features that, when used together, redirect the path of local folders (such as the Documents folder) to a network location while caching the contents locally for increased speed and availability.
  • Taken separately, Folder Redirection enables users and admins to redirect a local folder to another (network) location, which makes files available from any computer on the network. Offline Files keeps files accessible even when the network is unavailable or slow; when working offline, files are retrieved from the Offline Files folder at local access speeds.
  • Roaming User Profiles redirects user profiles to a file share so that users receive the same operating system and application settings on multiple computers.
  • DFS Namespaces enables users to access shared folders grouped from different servers in one logically structured namespace. It makes handling shared folders in multiple locations easier, from one place.
  • File Server Resource Manager (FSRM) is a feature set in the File and Storage Services server role which helps classify and manage stored data on file servers. Its features provide insight into your data by automating classification processes, apply a conditional policy or action to files based on their classification, limit the space that is allowed for a volume or folder, control the types of files that users can store on a file server, and provide reports on disk usage.
  • iSCSI Target Server is a role service that automates management tasks. It is useful for network or diskless boots, as it provides block storage to heterogeneous clients, and for testing applications before deployment in a storage area network.

File Systems and Protocols

  • NTFS and ReFS – ReFS is a newer and more resilient file system, which maximizes data availability, scaling, and the integrity of large data sets across different workloads.
  • SMB (Server Message Block) – Provides access to files or other resources on a remote server. This allows applications to read, create, and update files on the remote server. It can also communicate with any server program that is set up to receive an SMB client request.
  • Storage Class Memory – Provides performance similar to computer memory, but with the data persistence of normal storage drives.
  • BitLocker – Protects data and the system against offline attacks by storing data on volumes in encrypted form. It still provides protection even if the computer is tampered with or when the operating system is not running.
  • NFS (Network File System) – Provides a file sharing solution for enterprises that have heterogeneous environments consisting of both Windows and non-Windows computers.

SDDC represents a departure from traditional data centers, where infrastructure is defined by hardware and devices. Its components are based on network, storage, and server virtualization.

Active Directory Federation Services in Windows Server 2016 

When we look at IT businesses today, the most commonly spoken word is the “cloud”. Cloud computing has made a huge impact on the way businesses function and are organized.

But with more possibilities, we usually get more problems. One of the biggest challenges of doing business in the cloud is security and access control, especially in organizations that need extranet access.

With that in mind, Microsoft has introduced an improvement to the Microsoft Windows Server 2016 system. 

Active Directory Federation Services (ADFS)

Active Directory Federation Services (ADFS) provides access control and single sign-in across a wide variety of applications like Office 365, cloud-based SaaS applications, and other applications on the corporate network. 

It enables organizations to provide a sign-in and access control to both modern and legacy applications — on-premises and in the cloud — with the unified set of credentials and policies. 

ADFS was first presented as an additional download in Windows Server 2003 R2 edition. But in the Windows Server 2016 edition, it became one of the most significant components of the system. 

ADFS 2016 has numerous improvements to offer. But the two most important ones are the three new options for signing in without using passwords and support for any LDAPv3 directory. 

Azure Multi-Factor Authentication  

The first option is the use of the Azure Multi-Factor Authentication (MFA) adapter for ADFS. Azure MFA can be configured for intranet or extranet, or as part of any access control policy. 

In the past, the Azure MFA server on premise was the only way of eliminating passwords as authentication methods. Now, with a configuration on the MFA adapter, the primary authentication method is the username and the OTP (One Time Password) code from the Azure Authenticator app. 

With MFA as the additional authentication method, the user provides primary authentication credentials (using Windows Integrated Authentication — username and password, smart card, or user/device certificate), then comes a prompt for text, voice, or OTP based Azure MFA login. 

Access from Compliant Devices

ADFS 2016 upgraded device registration capabilities and enabled sign-on and access control based on the device compliance status. Sign-in is now possible with device credentials. And if/when device attributes change, compliance is re-evaluated, which brings certainty in enforcing policies. 

This is enabled through the following policies:

  • Enable Access only from devices that are managed and/or compliant. 
  • Enable Extranet Access only from devices that are managed and/or compliant.  
  • Multi-factor authentication for computers that are neither managed nor compliant.

Windows Hello for Business  

The Windows Hello for Business (formerly known as Microsoft Passport for Work) feature can replace passwords with strong two-factor authentication that combines an enrolled device with a PIN or biometric (fingerprint or facial recognition) user input to sign in. ADFS 2016 supports this way of authentication and enables user sign-in on all ADFS applications without the need for a password. 

LDAPv3 Support  

Another improvement in ADFS 2016 is support for a combination of Active Directory and third-party directories. With the addition of ADFS support for authenticating users stored in LDAP v3-compliant directories, ADFS can now be used for:  

  • Third party, LDAP v3-compliant directories.
  • Active Directory forests where an Active Directory two-way trust is not configured. 
  • Active Directory Lightweight Directory Services (AD LDS).
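
The three capabilities described above (the Azure MFA adapter, access control based on device compliance, and an LDAPv3 directory as an additional identity source) configured with the ADFS PowerShell module on a Windows Server 2016 farm, as an added example that is not the article's or Microsoft's own code. The tenant id, the Azure MFA client app id, the relying party name 'Claims Portal', the vendor directory host, container and account suffix are constructed placeholders; the policy name is one of the access control policies built into ADFS 2016, and registering the generated certificate on the tenant's Azure MFA service principal (done with the Azure AD PowerShell module) is not shown.

```powershell
# Added example (not from the original article). Run on the primary ADFS server.
Import-Module ADFS

# --- Azure MFA adapter -------------------------------------------------------
$tenantId    = '00000000-0000-0000-0000-000000000000'   # placeholder tenant id
$mfaClientId = '<Azure Multi-Factor Auth Client app id>'  # placeholder, see Microsoft docs
# The farm gets its own certificate for talking to Azure MFA; the base64 string
# returned here must be registered on the tenant's service principal first.
$certBase64 = New-AdfsAzureMfaTenantCertificate -TenantId $tenantId
$certBase64
Set-AdfsAzureMfaTenant -TenantId $tenantId -ClientId $mfaClientId

# Azure MFA as the *additional* method: username/password (or certificate) first,
# then the text, voice or OTP prompt from the Authenticator app.
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider 'AzureMfaAuthentication'
# Azure MFA as the *primary* method for extranet users (username + OTP, no
# password) is the passwordless option; enable it with the line below instead.
# Set-AdfsGlobalAuthenticationPolicy -PrimaryExtranetAuthenticationProvider 'AzureMfaAuthentication'

# --- Access from compliant devices -------------------------------------------
# Device authentication must be on before device claims can be evaluated.
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true
# List the built-in policies (the three bullets above each map to one of them).
Get-AdfsAccessControlPolicy | Select-Object Name
# Require MFA from devices that are neither managed nor compliant, for one app.
Set-AdfsRelyingPartyTrust -TargetName 'Claims Portal' `
    -AccessControlPolicyName 'Permit everyone and require MFA from unauthenticated devices'

# --- LDAPv3 directory as a local claims provider trust -----------------------
# Bind account for the third-party directory; users sign in as user@vendors.corp.example.
$ldapCred  = Get-Credential -Message 'Bind account for the vendor directory'
$vendorDir = New-AdfsLdapServerConnection -HostName 'ldap.vendors.example' -Port 636 `
    -SslMode Ssl -AuthenticationMethod Basic -Credential $ldapCred
$mappings = @(
    New-AdfsLdapAttributeToClaimMapping -LdapAttribute 'givenName' `
        -ClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'
    New-AdfsLdapAttributeToClaimMapping -LdapAttribute 'sn' `
        -ClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'
)
Add-AdfsLocalClaimsProviderTrust -Name 'Vendors' -Identifier 'urn:vendors' -Type Ldap `
    -LdapServerConnection $vendorDir -UserObjectClass 'inetOrgPerson' `
    -UserContainer 'OU=People,DC=vendors,DC=example' -LdapAuthenticationMethod Basic `
    -AnchorClaimLdapAttribute 'mail' `
    -AnchorClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' `
    -LdapAttributeToClaimMapping $mappings -OrganizationalAccountSuffix 'vendors.corp.example' `
    -AcceptanceTransformRules 'c:[] => issue(claim = c);' -Enabled $true
```

Port 636 with SslMode Ssl keeps the bind credentials and user passwords off the wire between the ADFS servers and the LDAP directory; the anchor claim (mail here) is what ADFS uses to identify the user consistently across sign-ins, so pick an attribute that is unique and not reassigned.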

New and Improved Migration Procedure 

Earlier, this operation was pretty painful for administrators. It required building a completely new parallel server farm and exporting the configuration from the old one, which was then imported into the new one.

In ADFS 2016, Microsoft took a different approach and simplified the process by a lot.

Now, moving from ADFS (on Windows Server 2012 R2) to ADFS 2016 requires adding a new Windows Server 2016 server to an existing Windows Server 2012 R2 farm. The farm keeps running entirely as a 2012 R2 farm, but after adding more 2016 servers to the farm and removing the old ones from the load balancer, the system can be upgraded and the new features used.

More Features

Other than these, some more important new options and interesting features of ADFS 2016 are:

  • Supports the latest modern protocols which will provide a better user experience on the most relevant platforms (Windows, iOS, Android).
  • Ability to add industry standard OpenID Connect and OAuth 2.0-based authentication and authorization to applications in development.
  • A way to customize messages, images, logos, and web themes per application.
  • Streamlined auditing for easier administrative management and configuration to participate in confederations such as InCommon Federation and other implementations conforming to the eGov 2.0 standard. 

ADFS 2016 provided the best improvements in the development of the Windows Server systems, especially in the extranet access situation. Most experts agree that listening to user feedback made a significant impact.

New Active Directory Features in Windows Server 2016

Active Directory is an extensively-used service on many enterprise networks. Besides offering authentication and authorisation services in Windows domain-type networks, Active Directory supports several other capabilities, which makes it popular.

Windows Server 2016 Active Directory Improved Features

In Windows Server 2016, the Active Directory Domain Services (AD DS) received some enhancements intended to assist organisations realise optimised performance for their network resources.

In this article, we are going to talk about four significant features improved in AD DS.

Privileged Access Management (PAM)

Microsoft has introduced the privileged access management (PAM) feature to help safeguard AD DS from credential theft attacks. Examples of such attacks include spear phishing and pass-the-hash.

At its core, PAM depends on Microsoft Identity Manager (MIM) as well as a domain functional level of at least Windows Server 2012 R2.

MIM is responsible for provisioning what is called the bastion Active Directory forest. When PAM is configured, MIM generates a new Active Directory forest which is isolated and reserved for privileged accounts. This newly created Active Directory environment starts out free of any illicit activity.

With this trusted Active Directory environment in place, MIM can now control how permissions are assigned to users.

MIM offers workflows for granting administrative privileges, which is based on the type of requests approved. If users are given extra administrative privileges, they are also given memberships in the shadow security groups found in the created secure forest.

What’s more, membership to the groups is time-bound. MIM has an expiring links feature which allows memberships to be revoked after the allocated time period elapses. Users are given just enough time to complete the allocated administrative duties. This time-controlled membership is defined as a time-to-live variable.

If a user enjoys time-controlled membership in several security groups, Microsoft has included improvements in Kerberos Key Distribution Center (KDC) to take care of such a situation by restricting his or her Kerberos ticket lifetime to the lowest attainable time-to-live value.

Furthermore, PAM also provides improved monitoring tools. As such, it makes it easy to quickly establish the users who requested access permissions, the level of access that was given, and the type of tasks that were completed.
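
The time-bound membership the section describes rests on the expiring-links capability of AD DS in Windows Server 2016 (the "Privileged Access Management Feature"); the following added example, which is not the article's own code, exercises that mechanism directly with the ActiveDirectory module in a single forest so the TTL behaviour can be seen. MIM and the bastion forest are not shown; the group and user names are constructed placeholders, and enabling the feature assumes a forest functional level of Windows Server 2016.

```powershell
# Added example (not from the original article): grant a group membership that
# expires on its own and read back the remaining time-to-live per member.
Import-Module ActiveDirectory

$forest = (Get-ADForest).RootDomain          # root domain of the forest this runs in
$group  = 'Tier0-Backup-Operators'           # assumed privileged group
$user   = 'jdoe'                             # assumed requesting user

# Enabling expiring links is a one-time, irreversible, forest-wide operation.
$feature = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target $forest
}

# Membership with a TTL: nobody has to remember to revoke it later.
Add-ADGroupMember -Identity $group -Members $user -MemberTimeToLive (New-TimeSpan -Hours 4)

# Audit view: each member with its remaining TTL in seconds ($null = permanent).
# -ShowMemberTimeToLive returns timed links as "<TTL=seconds>,<member DN>".
function Get-TimedMembers {
    param([string]$GroupName)
    $members = (Get-ADGroup -Identity $GroupName -Properties member -ShowMemberTimeToLive).member
    foreach ($m in $members) {
        if ($m -match '^<TTL=(\d+)>,(.+)$') {
            [pscustomobject]@{ Member = $matches[2]; TtlSeconds = [int]$matches[1] }
        } else {
            [pscustomobject]@{ Member = $m; TtlSeconds = $null }
        }
    }
}
Get-TimedMembers -GroupName $group | Format-Table -AutoSize
```

Because the KDC caps the Kerberos ticket lifetime at the lowest remaining TTL across a user's timed memberships, the access granted here really does stop when the link expires, rather than lingering in a ticket issued earlier.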

Azure Active Directory Join

With the Azure Active Directory Join feature, you can deploy your identity management tasks to the cloud and benefit from centralised management for your corporate and personal devices.

The main objective of the Azure Active Directory Join is to offer the advantages of an on-premise Active Directory environment without much hassles to the users.

This new feature enables users to access Oxygen Services without the need for a Microsoft account. Oxygen Services, with its various features and settings, will be available on devices connected to an on-premise Windows domain as well as on devices connected to the Azure Active Directory account.

Azure Active Directory Join also allows devices, whether corporate-owned or BYOD, to benefit from single sign-on to web applications. It also allows those devices to be managed using the Mobile Device Management (MDM) integration, even if they are not enrolled in Windows Intune.

It is also possible to use the feature to configure “Kiosk” mode for shared corporate and personal devices. There are also some developer improvements that enhance the process of creating applications for both enterprise and personal uses.

Microsoft Passport

The use of weak credentials is one of the major security issues facing the IT industry today. Most users do not care about their password security and engage in insecure habits like using the same password in numerous places, using poorly crafted passwords, and using simple passwords that are easy to guess.

Fortunately, Microsoft Passport intends to provide a solution to this issue. It incorporates two-factor authentication techniques that enhance the security of users’ passwords without needing the traditional, complex methods like physical smart cards.

Microsoft Passport is created to work together with Windows Hello (the in-built biometric sign-in for the Windows operating system).

Its two-factor authentication technique combines the credentials available to the user with the specific credentials of the device the user is accessing. Every user accessing a device is given a specific authenticator (referred to as a hello) or a PIN, which verifies the identity of the user before access is allowed.

Microsoft is calling this new Passport feature “password-less authentication”, which can be deployed to safeguard traditional on-premise Active Directory environments and Azure Active Directory environments.

Additionally, the Passport feature can also be used in FIDO (Fast Identity Online) accounts. With the FIDO capabilities, Passport can be used in extensive array of platforms and devices, eliminating the need to remember multiple passwords.

Deprecated features

There are a few features that are no longer supported in Windows Server 2016. For example, the old File Replication Service (FRS), which was used to replicate folder data between servers, has now been fully replaced by Distributed File System (DFS) Replication. DFS Replication is used to replicate SYSVOL.

Furthermore, the Windows Server 2003 functional levels are not recognised in Windows Server 2016. Consequently, to achieve increased reliability and performance, all domain controllers still depending on Windows Server 2003 are required to be taken out from the domain.

Therefore, it is recommended for companies to increase their functional level to Windows Server 2008 (or even to a higher level). Shifting to the higher functional levels guarantees optimal SYSVOL replication compatibility as well as faster support for enhanced performance.
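
A readiness check for the two deprecation points above, as an added example that is not the article's own code: it finds any remaining Windows Server 2003 domain controllers, reports the current functional levels, and reads the SYSVOL migration state from the dfsrmig tool, returning an object rather than only printing so it can feed a larger upgrade script. It runs on a domain controller with the ActiveDirectory module; the domain and forest come from the controller it runs on.

```powershell
# Added example (not from the original article): check what blocks raising the
# functional level and whether SYSVOL still depends on FRS.
Import-Module ActiveDirectory

function Test-FunctionalLevelReadiness {
    $domain = Get-ADDomain
    $forest = Get-ADForest

    # 1. 2016 DCs do not recognise the Windows Server 2003 level; any 2003 DC
    #    still in the domain has to be demoted before the level can be raised.
    $legacyDcs = @(Get-ADDomainController -Filter * |
        Where-Object { $_.OperatingSystem -like '*2003*' } |
        Select-Object -ExpandProperty HostName)

    # 2. SYSVOL replication engine. dfsrmig /getglobalstate reports "Eliminated"
    #    once FRS has been retired; anything else means the migration is unfinished.
    $migState   = (dfsrmig /getglobalstate 2>&1) -join ' '
    $frsRetired = $migState -match 'Eliminated'

    [pscustomobject]@{
        DomainMode              = $domain.DomainMode     # e.g. Windows2003Domain
        ForestMode              = $forest.ForestMode
        LegacyDomainControllers = $legacyDcs
        ReadyToRaiseTo2008      = ($legacyDcs.Count -eq 0)
        SysvolMigrationPending  = -not $frsRetired
        DfsrMigrationOutput     = $migState
    }
}

$status = Test-FunctionalLevelReadiness
$status | Format-List

# Raising a level is one-way. Raise first (it needs no 2003 DCs), then finish the
# FRS-to-DFSR migration with dfsrmig, which itself requires the 2008 level.
if ($status.ReadyToRaiseTo2008 -and $status.DomainMode -eq 'Windows2003Domain') {
    Set-ADDomainMode -Identity (Get-ADDomain).DNSRoot -DomainMode Windows2008Domain -Confirm:$false
}
if ($status.ReadyToRaiseTo2008 -and $status.ForestMode -eq 'Windows2003Forest') {
    Set-ADForestMode -Identity (Get-ADForest).Name -ForestMode Windows2008Forest -Confirm:$false
}
```

The order matters: DFS Replication of SYSVOL is only available from the Windows Server 2008 domain functional level, so the level is raised before dfsrmig is driven through its Prepared, Redirected and Eliminated states.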

Conclusion

Each of the above Active Directory features is intended to enhance the experience of the large community of Windows Server 2016 users.

PAM offers a technique for preventing credential theft when data is being exchanged in very sensitive environments.

Azure Active Directory Join functionalities allow users to benefit from the advantages of on-premise Active Directory without much hassles. Microsoft Passport aims to revolutionise the way authentication takes place.

Finally, the deprecated features point to Microsoft’s commitment to eliminating flaws and inconsistencies in Windows Server 2016.

Useful Resources

Here is a guide how to set up Active Directory in Windows Server 2016: https://blogs.technet.microsoft.com/canitpro/2017/02/22/step-by-step-setting-up-active-directory-in-windows-server-2016/

Quota Management in Windows Server 2016

Quota management is a valuable feature that enables you to restrict the storage capacity of shared resources in Windows Server 2016. If you create quotas, you will limit the space allocated for a volume or a folder—allowing you to practice capacity management conveniently.

Quota Management in Windows Server 2016

To set quotas in the Windows Server, you’ll need to use a tool called File Server Resource Manager (FSRM). This tool assists in managing and organising data kept on file servers.

The File Server Resource Manager tool consists of the following five features.

  • File classification infrastructure—this feature allows you to organise files and implement policies.
  • File management tasks—it enables you to implement conditional policies or tasks.
  • Quota management—it assists you to restrict the space available on shared folders.
  • File screening management—it allows you to limit the types of files that users can keep. For example, you can set a file screen to prevent users from creating MP3 files on the file server.
  • Storage reports—with this feature, you can generate reports to understand trends in disk utilisation and how data is organised, which enables you to spot unauthorised activities.

In this article, we are going to talk about the quota management feature in FSRM.

Setting up File Server Resource Manager

We need to install the File Server Resource Manager tool before using it for quota management.

A quick way to complete its setup is through the GUI server manager. Here are the steps for installing the tool.

1. Start by logging into the Windows Server 2016. Then, on the Server Manager’s dashboard, click on “Manage” and select “Add Roles and Features”.

2. On the “Before you begin” screen click “Next”.

3. Select “Role-based or feature-based installation” and click “Next”.

4. Select your destination server and click “Next”.

5. On the “Select Server roles” dashboard, expand “File and Storage Services” and “File and iSCSI Services”. Then, select “File Server Resource Manager”.

6. On the window that pops up, click the “Add Features” button to incorporate the required features. Click “Next”.

7. If you do not need to add any extra features, just leave the default settings and click “Next”.

8. Confirm the installation selections and click “Install” to start the process.

9. After the installation process is complete, click the “Close” button.

10. You can now access the File Server Resource Manager from the administrative interface and use it to create quotas.

Creating Quotas Using FSRM

As earlier mentioned, quota management enables you to set restrictions and define the extent of space available for users in the server. For example, you can limit all users to a maximum of 5GB on a shared folder. As such, the users cannot add data to the folder that exceeds 5GB.

You can also configure the File Server Resource Manager tool to send notifications whenever a specified usage limit is reached. For example, you can specify that an email is to be sent once 85% of the space has been consumed.

Creating quotas using the FSRM tool is a two-step process:

  • Create a template
  • Create a quota

a) Create a template

Before setting quotas, you need to either create a quota template or choose a default template already available on the File Server Resource Manager tool.

It is recommended that you create quotas solely from templates. This way, you can easily manage your quotas by making changes to the templates rather than the individual quotas. The one central location for managing quotas eases the enactment of storage policy rules.

Here are the steps for creating a quota template.

1. Under the “Quota Management” Section, right-click the “Quota Templates” button and go for “Create Quota Template”.

2. On the window that pops up, enter the Template name and the space limit. If you choose the “Hard quota” option, users will be unable to surpass the specified limit. A hard quota is good for controlling the amount of data allowed on a folder or a disk.

On the other hand, if you select the “Soft quota” option, users will be able to exceed the allocated limit. A soft quota is mostly used for monitoring space usage and producing notifications.

3. Lastly, to set notification thresholds, press the “Add” button. On the window that pops up, input your notification specifications.

You can specify that an email is to be sent, an entry is to be made in the event log, a command is to be run, or a report is to be generated. For example, you can specify that whenever usage reaches 85%, an email message is sent to the administrator.

Thereafter, click “OK” to complete creating the quota template.

b) Create a quota

After setting up the quota template or using a default quota template, you need to create the quota.

Here are the steps for creating a quota.

1. On the File Server Resource Manager’s dashboard, right-click on “Quotas” and go for “Create Quota”.

2. On the “Create Quota” window, in the “Quota path” section, browse to the volume or folder to which the storage capacity restriction will be applied.

Then, choose either the “Create quota on path” or the “Auto apply template and create quota…” option.

If you select the first option, the quota will only be applied to the primary folder. For example, if you limit the parent folder to 5GB, then its subfolders will share the space specified for the main folder.

On the other hand, if you choose the second option, then the quota will also be applied to the subfolders. For example, if you restrict the main folder to 5GB, then the subfolders will also have individual quotas of 5GB each.

Subsequently, on the “Derive properties from this quota template” option, choose the template you created previously.

If satisfied with the quota properties, click “Create”.

After you’ve created the quota, you can see it on the File Server Resource Manager’s dashboard. Thereafter, you’ll be able to limit the amount of space allowed on your shared resources.
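
The whole procedure above (installing FSRM, creating a template with a 5GB hard limit and an 85% email notification, then creating the quota either on the path or auto-applied to subfolders), done with PowerShell instead of the GUI, as an added example that is not the article's own code. The share path, mail relay and mailbox addresses are constructed placeholders.

```powershell
# Added example (not from the original article): install FSRM, build the quota
# template, create the quota, then read usage back. Placeholders throughout.

# Setup (steps 1-9 of the installation walk-through).
Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools
Import-Module FileServerResourceManager
Set-FsrmSetting -SmtpServer 'smtp.corp.example' `            # assumed relay
    -AdminEmailAddress 'fsadmin@corp.example' -FromEmailAddress 'fsrm@corp.example'

# a) Template: 5 GB hard limit, e-mail to the admin at 85%, event-log entry at 100%.
#    The bracketed tokens are FSRM variables expanded when the action fires.
$mail85 = New-FsrmAction -Type Email -MailTo '[Admin Email]' `
    -Subject 'Quota at 85% on [Server]' `
    -Body '[Quota Path] is at [Quota Used Percent]% of its [Quota Limit MB] MB limit.'
$event100 = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Quota limit reached on [Quota Path] ([Quota Used MB] MB used).'
$templateName = '5GB User Share'
if (-not (Get-FsrmQuotaTemplate -Name $templateName -ErrorAction SilentlyContinue)) {
    New-FsrmQuotaTemplate -Name $templateName -Size 5GB -Threshold @(
        (New-FsrmQuotaThreshold -Percentage 85  -Action $mail85),
        (New-FsrmQuotaThreshold -Percentage 100 -Action $event100)
    ) | Out-Null
    # Add -SoftLimit to New-FsrmQuotaTemplate for a monitoring-only (soft) quota.
}

# b) Quota. "Auto apply template and create quotas": every existing and future
#    subfolder of the path gets its own 5 GB quota derived from the template.
$usersRoot = 'D:\Shares\Users'   # assumed shared folder root
New-FsrmAutoQuota -Path $usersRoot -Template $templateName | Out-Null
# "Create quota on path" instead (one 5 GB limit shared by all subfolders):
# New-FsrmQuota -Path $usersRoot -Template $templateName

# Check: per-folder limit and usage (FSRM reports Size and Usage in bytes).
function Get-QuotaUsage {
    param([string]$Root)
    Get-FsrmQuota -Path (Join-Path $Root '*') | ForEach-Object {
        [pscustomobject]@{
            Path        = $_.Path
            LimitGB     = [math]::Round($_.Size / 1GB, 2)
            UsedGB      = [math]::Round($_.Usage / 1GB, 2)
            UsedPercent = if ($_.Size) { [math]::Round(100 * $_.Usage / $_.Size, 1) } else { 0 }
            SoftLimit   = $_.SoftLimit
        }
    }
}
Get-QuotaUsage -Root $usersRoot | Sort-Object UsedPercent -Descending | Format-Table -AutoSize
```

Keeping the limits and thresholds in the template rather than on each quota is what makes the later change cheap: editing the template with Set-FsrmQuotaTemplate and choosing to update derived quotas pushes the new values to every folder at once.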

 

I hope these clear things up.

Want to learn about NTFS Permissions, Share Permissions, and how to use them, get your free course HERE!

 

 

Prevent Unauthorized Access to Sensitive Windows Folders!

Get your free edition of the easiest and fastest NTFS Permission Reporter now!

 

Optimizing File Server Performance in Windows Server 2016

If you have a file server system in your company, you may want to tune some parameters and settings to enhance its performance. For example, you may want the highest possible throughput on your server to meet the growing workload needs.

This article gives a set of guidelines that you can implement to optimize the file server settings in Windows Server 2016 and benefit from optimized performance.

How to Optimize File Server Performance?

1. Choose Proper Hardware

First, make sure the hardware can carry the expected file server load. If it cannot, no amount of software tuning will make up the difference.

Size the server against these factors:

  • Response times users expect
  • Growth expectations
  • Load factors, both average load and peak load
  • Capacity (storage, memory and network)

2. Optimise SMB Parameters

The Server Message Block (SMB) protocol is what Windows file servers use to share files, printers and other resources across the network. Windows Server 2016 speaks SMB 3.1.1, which adds pre-authentication integrity and AES-128-GCM encryption on top of SMB 3.0, and it comes with several features you can tune to get the most out of it.

Here are some tips on how to optimise the various SMB parameters.

a) Disable features the server does not need

Microsoft frames this as the principle of least privilege: anything a file server or a file client does not need should be disabled, because every enabled feature costs CPU, memory or I/O on each request. Features that can be turned off when they are not required include:

  • SMB signing
  • SMB encryption
  • NTFS encryption (EFS)
  • File system filters (for example third-party antivirus or backup filter drivers)
  • Client-side caching (Offline Files)
  • Scheduled tasks
  • IPsec

Treat SMB signing and SMB encryption differently from the rest of this list: they are integrity and confidentiality controls, not convenience features. Without signing, SMB traffic can be relayed or tampered with on the wire; without encryption, file contents cross the network in the clear. Keep signing required wherever the data or the identities matter (domain controllers require it by default), and if server-wide encryption is too expensive, scope it to the shares that hold sensitive data rather than switching it off.
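How to audit and scope those two settings on the server rather than disabling them, as an added example that is not part of the original article. The share names ('HR', 'Finance') are assumptions.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell
# on the Windows Server 2016 file server.

# 1. Audit the server-wide signing and encryption settings.
Get-SmbServerConfiguration |
    Select-Object EnableSecuritySignature, RequireSecuritySignature,
                  EncryptData, RejectUnencryptedAccess, EnableSMB1Protocol

# 2. Keep signing required instead of disabling it. On SMB 3.x the signature is
#    AES-CMAC and cheap relative to disk I/O; it is what stops relay/tampering.
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force

# 3. Scope encryption: leave the server-wide EncryptData switch off and enable
#    it per share for the data that needs it ('HR' and 'Finance' are assumed
#    share names). Bulk shares such as installers stay unencrypted for speed.
foreach ($share in 'HR', 'Finance') {
    Set-SmbShare -Name $share -EncryptData $true -Force
}

# 4. Confirm the per-share result.
Get-SmbShare | Select-Object Name, Path, EncryptData

# 5. See which dialect live sessions negotiated; a client still on SMB 1.x or
#    2.0.2 gets neither 3.x encryption nor pre-auth integrity and should be
#    fixed before you disable SMB1 on the server.
Get-SmbSession | Select-Object ClientComputerName, ClientUserName, Dialect
```

Encrypted shares refuse clients that cannot do SMB 3.x encryption unless RejectUnencryptedAccess is set to $false, so check the dialect list in step 5 before turning encryption on for a share that legacy clients depend on.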

b) Configure power management

Power-saving settings throttle the CPU clock and park cores in deep sleep (C) states between requests; on a file server under a steady high workload that adds latency every time the load ramps up. Make sure both the BIOS/UEFI power settings and the operating system power plan are set for performance.

For example, select the High performance power plan in the operating system and, where the hardware vendor recommends it, limit the C-states in the BIOS. To avoid other bottlenecks, also install the most up-to-date and robust storage and network drivers (and firmware), since driver bugs are a common cause of poor throughput.

c) Follow file copying best practices

Users copy files from one location to another on file servers all the time, and administrators move whole shares. There are some best practices you can follow to speed up those transfers.

Windows has several command-line copy utilities; the recommended ones are Robocopy and Xcopy.

With Robocopy, use the /MT option to copy with multiple threads, which is a large gain when transferring many small files. Also use the /LOG option to redirect the per-file output to a file (or to the NUL device) instead of the console, because console output is slow.

With Xcopy, Microsoft's tuning guide recommends adding the /q option (which lowers CPU overhead by suppressing per-file console output) and the /k option (which it says lowers network traffic) to your existing parameters.
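A Robocopy invocation that applies those options and checks the result properly, as an added example that is not part of the original article. The source and destination paths and the log location are assumptions.

```powershell
# Added example (not from the original article). Paths are assumptions.
$src = 'D:\Shares\Projects'
$dst = '\\FS02\Projects$'

# /MT:16       copy with 16 threads (the default with /MT alone is 8)
# /E           include subfolders, empty ones too
# /COPY:DATS   data, attributes, timestamps and the NTFS ACL (the S), so the
#              copy keeps its permissions instead of inheriting the target's
# /R:1 /W:1    one retry, one second wait: do not stall on a locked file
# /NP /NFL /NDL  no progress meter, no per-file or per-directory console lines
# /LOG+:       append the run log to a file instead of the console
robocopy $src $dst /MT:16 /E /COPY:DATS /R:1 /W:1 /NP /NFL /NDL `
    /LOG+:C:\Logs\robocopy-projects.log

# Robocopy's exit code is a bit mask, not a pass/fail flag:
#   1 = files copied, 2 = extra files in destination, 4 = mismatches,
#   8 = some files/dirs could not be copied, 16 = fatal error.
# Anything below 8 is a success; 8 and above needs a look at the log.
$code = $LASTEXITCODE
if ($code -ge 8) {
    Write-Error "Robocopy reported failures (exit code $code); see the log."
} else {
    Write-Host "Robocopy completed (exit code $code)."
}
```

Treating a non-zero exit code as failure is the common mistake with Robocopy in scripts: a normal run that copied files returns 1.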

d) Practice SMB performance tuning

It is important to note that the performance of a file server will largely depend on the parameters set on the SMB protocol. If the parameters are well tuned, the file server performance can greatly improve.

Here is a table of registry settings that influence the behaviour of SMB file servers, with the recommended practice for each (taken from Microsoft's SMB file server tuning guide in the References). A value that is absent from the registry means the default is in effect.

Smb2CreditsMin and Smb2CreditsMax
  Registry: HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\Smb2CreditsMin
            HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\Smb2CreditsMax
  Recommendation: The defaults are 512 and 8192 respectively. Monitor the SMB Client Shares\Credit Stalls/sec performance counter on the clients to see whether credits are a bottleneck before raising them.

AdditionalCriticalWorkerThreads
  Registry: HKLM\System\CurrentControlSet\Control\Session Manager\Executive\AdditionalCriticalWorkerThreads
  Recommendation: The default is 0. Raise the value if the cache manager's dirty data is consuming a large percentage of memory.

MaxThreadsPerQueue
  Registry: HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\MaxThreadsPerQueue
  Recommendation: The default is 20. Raise the value if the SMB2 work queues keep growing.

AsynchronousCredits
  Registry: HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\AsynchronousCredits
  Recommendation: The default is 512. Raise the value if a large number of concurrent asynchronous SMB commands is needed.

Here is an example of how the settings can be applied to a busy Windows Server 2016 file server. Note that these values are not suited to every workload; measure the effect of each setting individually before keeping it.

Parameter                        Value   Default
AdditionalCriticalWorkerThreads  64      0
MaxThreadsPerQueue               64      20

3. Optimise NFS Parameters

Server for NFS, available in Windows Server 2016, lets UNIX and Linux clients use the Windows file server, which matters in mixed Windows and UNIX environments.

Here is a table of registry settings that influence the behaviour of NFS file servers, with the recommended practice for each. These keys exist only once the Server for NFS role service is installed.

OptimalReads
  Registry: HKLM\System\CurrentControlSet\Services\NfsServer\Parameters\OptimalReads
  Recommendation: The default is 0. Before changing it, evaluate its effect on the growth of the system file cache.

RdWrNfsHandleLifeTime
  Registry: HKLM\System\CurrentControlSet\Services\NfsServer\Parameters\RdWrNfsHandleLifeTime
  Recommendation: The default is 5. Set it to control the lifetime of entries in the NFS file handle cache.

CacheAddFromCreateAndMkDir
  Registry: HKLM\System\CurrentControlSet\Services\NfsServer\Parameters\CacheAddFromCreateAndMkDir
  Recommendation: The default is 1. Set it to 0 to stop CREATE and MKDIR operations from adding entries to the cache.

MaxConcurrentConnectionsPerIp
  Registry: HKLM\System\CurrentControlSet\Services\Rpcxdr\Parameters\MaxConcurrentConnectionsPerIp
  Recommendation: The default is 16. Raise it, up to the maximum of 8192, to allow more concurrent connections from a single IP address.
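A script that audits both the SMB table and the NFS table above against their defaults and previews changes before writing them, as an added example that is not part of the original article. The registry paths and defaults are the ones listed in the two tables; the target values passed at the bottom are the article's sample values and are assumptions for your own workload.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell.
# An absent value means the default is in effect; Configured = $null shows that.

$LanmanServer = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Executive    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Executive'
$NfsServer    = 'HKLM:\SYSTEM\CurrentControlSet\Services\NfsServer\Parameters'
$Rpcxdr       = 'HKLM:\SYSTEM\CurrentControlSet\Services\Rpcxdr\Parameters'

# Parameters and defaults from the SMB and NFS tables above.
$tuning = @(
    @{ Role='SMB'; Key=$LanmanServer; Name='Smb2CreditsMin';                  Default=512  }
    @{ Role='SMB'; Key=$LanmanServer; Name='Smb2CreditsMax';                  Default=8192 }
    @{ Role='SMB'; Key=$Executive;    Name='AdditionalCriticalWorkerThreads'; Default=0    }
    @{ Role='SMB'; Key=$LanmanServer; Name='MaxThreadsPerQueue';              Default=20   }
    @{ Role='SMB'; Key=$LanmanServer; Name='AsynchronousCredits';             Default=512  }
    @{ Role='NFS'; Key=$NfsServer;    Name='OptimalReads';                    Default=0    }
    @{ Role='NFS'; Key=$NfsServer;    Name='RdWrNfsHandleLifeTime';           Default=5    }
    @{ Role='NFS'; Key=$NfsServer;    Name='CacheAddFromCreateAndMkDir';      Default=1    }
    @{ Role='NFS'; Key=$Rpcxdr;       Name='MaxConcurrentConnectionsPerIp';   Default=16   }
)

function Get-FileServerTuning {
    # One row per parameter: what is configured (if anything) and what is in effect.
    foreach ($p in $tuning) {
        $item = Get-ItemProperty -Path $p.Key -Name $p.Name -ErrorAction SilentlyContinue
        $current = if ($null -ne $item) { $item.($p.Name) } else { $null }
        $effective = if ($null -ne $current) { $current } else { $p.Default }
        [pscustomobject]@{
            Role       = $p.Role
            Parameter  = $p.Name
            Default    = $p.Default
            Configured = $current
            Effective  = $effective
            Key        = $p.Key
        }
    }
}

function Set-FileServerTuning {
    # Previews the change unless -Apply is given; never creates a missing key,
    # because a missing NfsServer/Rpcxdr key means the NFS role is not installed.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$Value,
        [switch]$Apply
    )
    $p = $tuning | Where-Object { $_.Name -eq $Name }
    if (-not $p) { throw "Unknown tuning parameter '$Name'" }
    if (-not (Test-Path $p.Key)) {
        throw "Key $($p.Key) not present (is the $($p.Role) server role installed?)"
    }
    Set-ItemProperty -Path $p.Key -Name $Name -Value $Value -Type DWord -WhatIf:(-not $Apply)
}

Get-FileServerTuning | Format-Table Role, Parameter, Default, Configured, Effective

# The article's sample values for a busy file server: preview, then re-run with -Apply.
Set-FileServerTuning -Name AdditionalCriticalWorkerThreads -Value 64
Set-FileServerTuning -Name MaxThreadsPerQueue -Value 64

# After applying, restart the Server service (or reboot) so LanmanServer
# re-reads its parameters:  Restart-Service LanmanServer -Force
```

Keep the audit output from before and after a change with the throughput and queue-length counters you measured, so that a tuning value that does not help can be backed out to the documented default instead of being forgotten in the registry.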

4. Uninstall Unused and Redundant Features

Windows Server 2016 ships with dozens of logging, monitoring and debugging tools, roles and services, many of which a dedicated file server never uses.

Each of them costs disk space, and installed services also cost memory, CPU and attack surface, so letting unused and redundant tools sit on the server does it no favours.

On a regular basis, review the installed roles and features in Server Manager and the services set to start automatically in the Services console, and remove or disable whatever does not add value to the file server role.

Uninstall any utility or application that serves no purpose on the file server; the fewer components installed, the less contends with file serving for resources.

For example, disable generation of DOS 8.3 short file names. For backward compatibility Windows still creates an 8.3 alias (such as PROGRA~1) for every long file name unless told otherwise, and a server upgraded from an older version of Windows will have the feature enabled together with a full set of existing short names.

Modern software does not need these names, and they cost something: every file created in a directory with many similarly named files forces a search for a unique short name, which slows file creation on large directories. Disable short name creation, and once you have checked for applications that still reference short paths, strip the existing ones.
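The review of installed components and the 8.3 change done from the command line, as an added example that is not part of the original article. The feature name used as an illustration (Search-Service), the data volume D: and the log path are assumptions.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell.

# --- What is installed and what starts by itself ---
Get-WindowsFeature | Where-Object Installed |
    Select-Object Name, DisplayName | Format-Table -AutoSize

# Services that start automatically; anything not part of the file server's
# job is a candidate for Set-Service -StartupType Disabled.
Get-Service | Where-Object StartType -eq 'Automatic' |
    Select-Object Name, Status, DisplayName

# Example removal (an assumed choice): the Windows Search service indexes
# content and is rarely wanted on a pure file server. Check your own list first.
# Uninstall-WindowsFeature -Name Search-Service

# --- 8.3 short names ---
# Current state of NtfsDisable8dot3NameCreation:
#   0 = enabled on all volumes, 1 = disabled on all volumes,
#   2 = per-volume setting, 3 = disabled except on the system volume
fsutil 8dot3name query

# Stop generating new short names on every volume (existing names stay).
fsutil 8dot3name set 1

# Dry run (/t = test mode): walk D: recursively (/s), report (/v) which
# existing short names would be removed and log (/l) any registry values that
# still reference them. Applications that stored short paths break if those
# names are stripped, so resolve the log first.
fsutil 8dot3name strip /t /s /v /l C:\Logs\8dot3-D.log D:\

# When the log shows no registry dependencies, strip for real:
# fsutil 8dot3name strip /s /v /l C:\Logs\8dot3-D.log D:\
```

Stripping is not reversible (a new short name generated later will not match the old one), which is why the test run and its log come before the real one.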

References

Microsoft. (2017). Performance tuning for SMB file servers. Retrieved from https://docs.microsoft.com/en-us/windows-server/administration/performance-tuning/role/file-server/smb-file-server

Apachelounge. (2017). Performance tuning guidelines for Windows Server 2016. Retrieved from https://www.apachelounge.com/download/contr/Perf-tun-srv-2016.pdf

 

 

 
