The cipher command is useful when it comes to EFS. Cipher is a command-line utility that allows you to change and/or configure EFS. When it comes to using the cipher command, you should be aware of a few things:
■ You can decrypt files by running Cipher.exe in the command prompt window (advanced users).
■ You can use Cipher to modify an EFS-encrypted file.
■ You can use Cipher to import EFS certificates and keys.
■ You can also use Cipher to back up EFS certificates and keys.
Let’s take a look at some of the switches that you can use with cipher. Table 11.4 describes many of the cipher switches you can use. This table comes from Microsoft’s TechNet site. Microsoft continues to add and improve switches, so make sure you check Microsoft’s website to see whether there are any changes.
TABLE 11.4 Using the cipher switches
cipher switch | Description |
/e | This switch allows you to encrypt specified folders. With this folder encrypted, any files added to this folder will automatically be encrypted. |
/d | This switch allows you to decrypt specified folders. |
/s:dir | With this switch, the operation you are running will be performed in the specified folder and all subfolders. |
/i | By default, when an error occurs, cipher automatically halts. By using this switch, cipher will continue to operate even after errors occur. |
/f | The force switch (/f) will encrypt or decrypt all of the specified objects, even if the files have been modified by using encryption previously. Cipher, by default, does not touch files that have been encrypted or decrypted previously. |
/q | This switch shows you a report about the most critical information of the EFS object. |
/h | Normally, system or hidden files are not touched by encryption. By using this switch, you can display files with hidden or system attributes. |
/k | This switch will create a new file encryption key based on the user currently running the cipher command. |
/? | This shows the cipher help command. |
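The following PowerShell script is an added example, not taken from the book or from Microsoft. It combines the /e, /s:dir and /i switches from Table 11.4 and then audits the result by checking the Encrypted file attribute. The folder path is a hypothetical placeholder.

```powershell
# Added example: mark a folder tree for EFS with cipher, then audit it.
# Run as the user whose EFS certificate should protect the data.
param(
    [string]$Path = 'C:\Data\Payroll'   # hypothetical folder, not from the book
)

if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
    throw "Folder not found: $Path"
}

# /e      encrypt the specified folder
# /s:dir  apply the operation to the folder and all subfolders
# /i      continue after errors instead of halting
& cipher.exe /e "/s:$Path" /i
if ($LASTEXITCODE -ne 0) {
    Write-Warning "cipher.exe exited with code $LASTEXITCODE"
}

# Audit: list the root folder and every item below it (including hidden and
# system items) that does not carry the Encrypted attribute.
$encrypted = [System.IO.FileAttributes]::Encrypted
$items = @(Get-Item -LiteralPath $Path -Force)
$items += Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue

$gaps = @($items | Where-Object { -not ($_.Attributes -band $encrypted) })

if ($gaps.Count -eq 0) {
    Write-Output "All $($items.Count) items under $Path carry the Encrypted attribute."
} else {
    Write-Warning "$($gaps.Count) of $($items.Count) items are not encrypted:"
    $gaps | Select-Object FullName, Attributes | Format-Table -AutoSize
}
```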
Configuring Distributed File System
One problem that network administrators have is deciding how to share folders and communicating to end users how to find the shares. For example, if you share a folder called StormWind Documents on server A, how do you make sure your users will find the folder and the files within it? The users have to know the server name and the share name. This can be a huge problem if you have hundreds of shares on multiple servers. If you want to have multiple copies of the folder called StormWind Documents for fault tolerance and load balancing, the problem becomes even more complicated.
Distributed File System (DFS) in Windows Server 2022 offers a simplified way for users to access geographically dispersed files. DFS allows you to set up a tree structure of virtual directories that allows users to connect to shared folders throughout the entire network.
You have the ability to take shared folders that are located on different servers and transparently connect them to one or more DFS namespaces, which are virtual trees of shared folders throughout an organization. The advantage of using DFS is that if one of the folders becomes unavailable, DFS has failover capability that will allow your users to connect to the data on a different server.
You can use the DFS tools to choose which shared folders will appear in the namespace and also to decide how the names of these shared folders will show up in the virtual tree listing.
Advantages of DFS
One of the advantages of DFS is that when a user views this virtual tree, the shared folders appear to be located on a single machine. These are some of the other advantages of DFS:
Simplified Data Migration: DFS gives you the ability to move data from one location to another without the user needing to know the physical location of the data. Because the users do not need to know the physical location of the shared data, you can simply move data from one location to another.
Security Integration: You do not need to configure additional security for the DFS shared folders. The shared folders use the NTFS and shared folder permissions that you have already assigned when the share was set up.
Access-Based Enumeration (ABE): This DFS feature (disabled by default) displays only the files and folders that a user has permissions to access. If a user does not have access to a folder, Windows hides the folder from the user’s DFS view. This feature is not active if the user is viewing the files and folders locally.
Types of DFS
The following are types of DFS:
DFS Replication (DFSR): You have the ability to manage replication scheduling and bandwidth throttling using the DFS management console. Replication is the process of sharing data between multiple machines. Replicated shared folders allow you to balance the load and have fault tolerance. DFS also has read-only replication folders.
DFS Namespace: The DFS Namespace service is the virtual tree listing in the DFS server. You can set up multiple namespaces on the DFS, allowing for multiple virtual trees within DFS. The DFS Namespace service was once known as Distributed File System in Windows 2000 Server and Windows Server 2003 (in case you still use Server 2003).
In Exercise 11.13, you will install the DFS Namespace service on the file server. You need to start the installation using the Server Manager MMC.
EXERCISE 11.13
Installing the DFS Namespace Service
1. Open Server Manager by clicking the Server Manager icon or running servermanager.exe.
2. Select Add Roles And Features from the dashboard.
3. Select Next in the Before You Begin pane (if shown).
4. Select Role-Based or Feature-Based installation and click Next to continue.
5. Select the Select A Server From The Server Pool option and click Next.
6. On the Select Server Roles screen, expand File And Storage Services and select the DFS Namespace and DFS Replication options (see Figure 11.20). Then click Next. If a dialog box appears, click the Add Features button.
FIGURE 11.20 Select Server Roles
7. At the Select Features screen, click Next.
8. At the Confirmation screen, click the Install button.
9. After the installation is complete, click the Close button.
10. Close Server Manager.
Once you have installed DFS, it’s time to learn how to manage DFS with the DFS Management MMC. The DFS Management console (see Figure 11.21) gives you one place to do all of your DFS configurations. The DFS Management console allows you to set up DFS Replication and DFS Namespace. Another task you can do in the DFS Management console is add a folder target, which is a folder that you add to the DFS namespace (the virtual tree) for all your users to share.
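The same setup can be scripted. The PowerShell below is an added example, not part of the book's exercise: it installs the two role services from Exercise 11.13, creates a namespace with Access-Based Enumeration turned on (it is disabled by default), and gives one folder two targets so that users can fail over. The domain, server and share names are hypothetical, and the underlying SMB shares are assumed to exist already with their NTFS and share permissions set.

```powershell
# Added example. All names below are hypothetical placeholders.
$domain   = 'corp.example'                  # assumed AD DNS domain
$rootPath = "\\$domain\Public"              # namespace root users will browse
$rootHost = '\\FS01\Public'                 # existing share hosting the root
$folder   = "$rootPath\StormWind Documents" # virtual folder in the tree
$targets  = '\\FS01\StormWindDocs', '\\FS02\StormWindDocs'  # existing shares

# Role services selected in step 6 of Exercise 11.13, plus the DFS tools.
Install-WindowsFeature -Name FS-DFS-Namespace, FS-DFS-Replication `
    -IncludeManagementTools

# Domain-based namespace. ABE is off by default, so enable it explicitly so
# users only see the folders they have permission to access.
New-DfsnRoot -Path $rootPath -TargetPath $rootHost -Type DomainV2 `
    -EnableAccessBasedEnumeration $true

# First target creates the folder; each further target adds a failover copy.
New-DfsnFolder -Path $folder -TargetPath $targets[0]
$targets | Select-Object -Skip 1 | ForEach-Object {
    New-DfsnFolderTarget -Path $folder -TargetPath $_
}

# Verify: every target should be listed and online.
Get-DfsnFolderTarget -Path $folder |
    Select-Object Path, TargetPath, State |
    Format-Table -AutoSize

# Confirm the namespace-level ABE flag was applied.
(Get-DfsnRoot -Path $rootPath).Flags
```

Adding targets to the namespace does not copy data between them; keeping the two shares in sync is the job of DFS Replication.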
Database Cloning
For the first time ever in DFS, Windows Server 2022 includes a new DFS database cloning function. This new feature allows you to accelerate replication when creating folders, servers, or recovery systems. You will now have the ability to extract the DFS database from a single DFS server and then clone that database to multiple DFS servers.
You can use PowerShell and the Export-DfsrClone cmdlet to export the volume that contains the DFS database and configuration XML file settings. When you execute this PowerShell cmdlet, a trigger is engaged that exports the DFS service, and the system will not proceed until the service is completed. You then use the PowerShell cmdlet Import-DfsrClone to import the data to a specific volume. The service will then validate that the replication was transferred completely.
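The export and import steps described above, as an added PowerShell example that is not from the book. The volume letter, clone folder and timeout are hypothetical, and the 'Ready' value compared against the output of Get-DfsrCloneState is an assumption about how that cmdlet reports a finished operation.

```powershell
# Added example. Volume, paths and timeout are hypothetical placeholders.
$volume    = 'D:'              # volume holding the replicated folder
$clonePath = 'D:\DfsrClone'    # empty folder that receives the exported files

function Wait-DfsrCloneReady {
    # Poll the clone state until the service reports it has finished.
    param([int]$TimeoutMinutes = 120)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-DfsrCloneState) -ne 'Ready') {   # 'Ready' is an assumed value
        if ((Get-Date) -gt $deadline) {
            throw "DFSR clone operation did not finish in $TimeoutMinutes minutes"
        }
        Start-Sleep -Seconds 15
    }
}

# --- On the source server -------------------------------------------------
New-Item -ItemType Directory -Path $clonePath -Force | Out-Null
Export-DfsrClone -Volume $volume -Path $clonePath
Wait-DfsrCloneReady
Get-ChildItem -Path $clonePath    # exported database and configuration XML

# --- On each destination server -------------------------------------------
# Copy $clonePath and the replicated data to the destination first; the
# imported database describes files that must already be present there.
Import-DfsrClone -Volume $volume -Path $clonePath
Wait-DfsrCloneReady
```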
Recovering a DFS Database
Windows Server 2022 DFS database recovery is a feature that allows DFS to detect a corrupted database, thus allowing DFS to rebuild the database automatically and continue with normal operations of DFS replication. One advantage to this is that when DFS detects and fixes a corrupted database, it does so with no file conflicts.
Before the introduction of this feature, if a DFS database were determined to be corrupted, DFS Replication would delete the database and start again with an initial nonauthoritative sync process. This would cause newer file versions to be overwritten by older data, causing real data loss.
DFS in Windows Server 2022 uses local files and an update sequence number (USN) to fix a corrupted database, ensuring no loss of data.
Optimizing DFS
Windows Server 2022 DFS allows you to configure variable file staging sizes on individual DFS servers. This allows you to set a minimum file size for a file to stage. This increases the staging size of files, and that in turn increases the performance of the replication.
Prior to Windows Server 2022, DFS Replication used a hard-coded 256 KB file size to determine staging requirements. If a file size were larger than 256 KB, that file would be staged before it replicated. The more file staging that you have, the longer replication takes on a DFS system.