- Managing Existing Partitions and Drives
- Assigning Drive Letters and Paths
- Changing or Deleting the Volume Label
- Deleting Partitions and Drives
- Converting a Volume to NTFS
- Resizing Partitions and Volumes
- Repairing Disk Errors and Inconsistencies
- Defragmenting Disks
- Compressing Drives and Data
- Encrypting Drives and Data
- Understanding Encryption and the Encrypting File System
- Working with Encrypted Files and Folders
- Configuring Recovery Policy
Managing Existing Partitions and Drives
Disk Management provides many ways to manage existing partitions and drives. Use these features to assign drive letters, delete partitions, set the active partition, and more. In addition, Windows Server 2008 R2 provides other utilities to carry out common tasks such as converting a volume to NTFS, checking a drive for errors, and cleaning up unused disk space.
Windows Vista, Windows 7, Windows Server 2008, and later releases of Windows support hot-pluggable media that use NTFS volumes. This new feature allows you to format USB flash devices and other similar media with NTFS. There are also enhancements to prevent data loss when ejecting NTFS-formatted removable media.
Assigning Drive Letters and Paths
You can assign drives one drive letter and one or more drive paths, provided that the drive paths are mounted on NTFS drives. Drives don’t have to be assigned a drive letter or path. A drive with no designators is considered to be unmounted, and you can mount it by assigning a drive letter or path at a later date. You need to unmount a drive before moving it to another computer.
Windows cannot modify the drive letter of system, boot, or page file volumes. To change the drive letter of a system or boot volume, you need to edit the registry as described in Microsoft Knowledge Base article 223188 (http://support.microsoft.com/kb/223188/en-us). Before you can change the drive letter of a page file volume, you might need to move the page file to a different volume.
To manage drive letters and paths, right-click the drive you want to configure in Disk Management, and then click Change Drive Letter And Paths. This opens the dialog box shown in Figure 12-7. You can now do the following:
- Add a drive path: Click Add, select Mount In The Following Empty NTFS Folder, and then type the path to an existing folder, or click Browse to search for or create a folder.
- Remove a drive path: Select the drive path to remove, click Remove, and then click Yes.
- Assign a drive letter: Click Add, select Assign The Following Drive Letter, and then choose an available letter to assign to the drive.
- Change the drive letter: Select the current drive letter, and then click Change. Select Assign The Following Drive Letter, and then choose a different letter to assign to the drive.
- Remove a drive letter: Select the current drive letter, click Remove, and then click Yes.
If you try to change the letter of a drive that’s in use, Windows Server 2008 R2 displays a warning. You need to exit programs that are using the drive and try again or allow Disk Management to force the change by clicking Yes when prompted.
Figure 12-7. You can change the drive letter and path assignment in the Change Drive Letter And Paths dialog box.
Changing or Deleting the Volume Label
The volume label is a text descriptor for a drive. With FAT32, the volume label can be up to 11 characters and can include spaces. With NTFS, the volume label can be up to 32 characters. Additionally, although FAT32 doesn’t allow you to use some special characters, including * / \ [ ] : ; | = , . + " ? < >, NTFS does allow you to use these special characters.
Because the volume label is displayed when the drive is accessed in various Windows Server 2008 R2 utilities, including Windows Explorer, it can provide information about a drive’s contents. You can change or delete a volume label using Disk Management or Windows Explorer.
Using Disk Management, you can change or delete a label by following these steps:
- Right-click the partition, and then click Properties.
- On the General tab of the Properties dialog box, type a new label for the volume in the Label text box or delete the existing label. Click OK.
Using Windows Explorer, you can change or delete a label by following these steps:
- Right-click the drive icon, and then click Properties.
- On the General tab of the Properties dialog box, type a new label for the volume in the Label text box or delete the existing label. Click OK.
Deleting Partitions and Drives
To change the configuration of a drive that’s fully allocated, you might need to delete existing partitions and logical drives. Deleting a partition or a drive removes the associated file system, and all data in the file system is lost. Before you delete a partition or a drive, you should back up any files and directories that the partition or drive contains.
To protect the integrity of the system, you can’t delete the system or boot partition. However, Windows Server 2008 R2 does let you delete the active partition or volume if it is not designated as boot or system. Always check to be sure that the partition or volume you are deleting doesn’t contain important data or files. You can delete a primary partition, a volume, or a logical drive by following these steps:
- In Disk Management, right-click the partition, volume, or drive you want to delete, and then click Explore. Using Windows Explorer, move all the data to another volume or verify an existing backup to ensure that the data was properly saved.
- In Disk Management, right-click the partition, volume, or drive again, and then click Delete Partition, Delete Volume, or Delete Logical Drive as appropriate.
- Confirm that you want to delete the selected item by clicking Yes.
The steps for deleting an extended partition differ slightly from those for deleting a primary partition or a logical drive. To delete an extended partition, follow these steps:
- Delete all the logical drives on the partition following the steps listed in the previous procedure.
- Select the extended partition area itself and delete it.
Converting a Volume to NTFS
Windows Server 2008 R2 provides a utility for converting FAT volumes to NTFS. This utility, Convert (Convert.exe), is located in the %SystemRoot% folder. When you convert a volume using this tool, the file and directory structure is preserved and no data is lost. Keep in mind, however, that Windows Server 2008 R2 doesn’t provide a utility for converting NTFS to FAT. The only way to go from NTFS to FAT is to delete the partition by following the steps listed in the previous section and then to re-create the partition as a FAT volume.
The Convert Utility Syntax
Convert is run at the command prompt. If you want to convert a drive, use the following syntax:
convert volume /FS:NTFS
where volume is the drive letter followed by a colon, drive path, or volume name. For example, if you want to convert the D drive to NTFS, use the following command:
convert D: /FS:NTFS
If the volume has a label, you are prompted to enter the volume label for the drive. You are not prompted for a volume label if the disk doesn’t have a label.
The complete syntax for Convert is shown here:
convert volume /FS:NTFS [/V] [/X] [/CvtArea:filename] [/NoSecurity]
The options and switches for Convert are used as follows:
|volume||Sets the volume to work with|
|/FS:NTFS||Converts to NTFS|
|/V||Sets verbose mode|
|/X||Forces the volume to dismount before the conversion (if necessary)|
|/CvtArea:filename||Sets the name of a contiguous file in the root directory to be a placeholder for NTFS system files|
|/NoSecurity||Removes all security attributes and makes all files and directories accessible to the group Everyone|
The following sample statement uses Convert:
convert C: /FS:NTFS /V
Using the Convert Utility
Before you use the Convert utility, determine whether the partition is being used as the active boot partition or a system partition containing the operating system. You can convert the active boot partition to NTFS. Doing so requires that the system gain exclusive access to this partition, which can be obtained only during startup. Thus, if you try to convert the active boot partition to NTFS, Windows Server 2008 R2 displays a prompt asking if you want to schedule the drive to be converted the next time the system starts. If you click Yes, you can restart the system to begin the conversion process.
Often, you will need to restart a system several times to completely convert the active boot partition. Don’t panic. Let the system proceed with the conversion. Before the Convert utility actually converts a drive to NTFS, the utility checks whether the drive has enough free space to perform the conversion. Generally, Convert needs a block of free space that’s roughly equal to 25 percent of the total space used on the drive. For example, if the drive stores 200 GB of data, Convert needs about 50 GB of free space. If the drive doesn’t have enough free space, Convert aborts and tells you that you need to free up some space. On the other hand, if the drive has enough free space, Convert initiates the conversion. Be patient. The conversion process takes several minutes (longer for large drives). Don’t access files or applications on the drive while the conversion is in progress.
You can use the /CvtArea option to improve performance on the volume so that space for the master file table (MFT) is reserved. This option helps to prevent fragmentation of the MFT. How? Over time, the MFT might grow larger than the space allocated to it. The operating system must then expand the MFT into other areas of the disk. Although the Disk Defragmenter utility can defragment the MFT, it cannot move the first section of the MFT, and it is very unlikely that there will be space after the MFT because this will be filled by file data.
To help prevent fragmentation in some cases, you might want to reserve more space than the default (12.5 percent of the partition or volume size). For example, you might want to increase the MFT size if the volume will have many small or average-size files rather than a few large files. To specify the amount of space to reserve, you can use FSUtil to create a placeholder file equal in size to that of the MFT you want to create. You can then convert the volume to NTFS and specify the name of the placeholder file to use with the /CvtArea option.
In the following example, you use FSUtil to create a 1.5-GB (1,500,000,000 bytes) placeholder file named Temp.txt:
fsutil file createnew c:\temp.txt 1500000000
To use this placeholder file for the MFT when converting drive C to NTFS, you would then type the following command:
convert c: /fs:ntfs /cvtarea:temp.txt
Notice that the placeholder file is created on the partition or volume that is being converted. During the conversion process, the file is overwritten with NTFS metadata and any unused space in the file is reserved for future use by the MFT.
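The free-space rule and the default MFT reservation described above can be checked before Convert is scheduled. The following PowerShell is an added example, not code from the book; the function names `Test-ConvertHeadroom` and `Get-ConvertReadiness` and the sample sizes are hypothetical, and it assumes the `Win32_LogicalDisk` WMI class is available.

```powershell
# Added example, not from the book. Function names and sample sizes are hypothetical.
# The 25 percent and 12.5 percent figures are the ones quoted in the text above.

function Test-ConvertHeadroom {
    param(
        [Parameter(Mandatory = $true)][string]$FileSystem,
        [Parameter(Mandatory = $true)][int64]$SizeBytes,
        [Parameter(Mandatory = $true)][int64]$FreeBytes
    )
    if ($SizeBytes -le 0 -or $FreeBytes -lt 0 -or $FreeBytes -gt $SizeBytes) {
        throw "Inconsistent size/free values: $SizeBytes / $FreeBytes"
    }
    $used     = $SizeBytes - $FreeBytes
    $required = [int64][math]::Ceiling($used * 0.25)       # free block Convert needs
    $mft      = [int64][math]::Floor($SizeBytes * 0.125)   # default MFT reservation

    New-Object PSObject -Property @{
        IsFatVolume       = ($FileSystem -match '^FAT(32)?$')  # Convert only handles FAT volumes
        UsedBytes         = $used
        RequiredFreeBytes = $required
        EnoughFreeSpace   = ($FreeBytes -ge $required)
        DefaultMftBytes   = $mft   # a /CvtArea placeholder larger than this reserves more
    }
}

function Get-ConvertReadiness {
    param(
        # Restricting the value to a drive letter keeps it safe to embed in the WMI filter.
        [Parameter(Mandatory = $true)][ValidatePattern('^[A-Za-z]:$')][string]$DriveLetter
    )
    $disk = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$DriveLetter'"
    if (-not $disk) { throw "Volume $DriveLetter not found" }
    if (-not $disk.FileSystem) { throw "Volume $DriveLetter has no file system (unformatted or no media)" }

    $result = Test-ConvertHeadroom -FileSystem $disk.FileSystem `
                                   -SizeBytes $disk.Size -FreeBytes $disk.FreeSpace
    # The suggested command leaves out /NoSecurity: per the switch table, that option
    # makes every file and directory accessible to the group Everyone.
    $result | Add-Member -MemberType NoteProperty -Name SuggestedCommand `
                         -Value "convert $DriveLetter /FS:NTFS /V" -PassThru
}

# Constructed inputs: the book's 200 GB of data on a 300 GB FAT32 volume,
# then the same volume with only 40 GB free.
Test-ConvertHeadroom -FileSystem 'FAT32' -SizeBytes 300GB -FreeBytes 100GB
Test-ConvertHeadroom -FileSystem 'FAT32' -SizeBytes 300GB -FreeBytes 40GB
```

On a live server, `Get-ConvertReadiness -DriveLetter 'D:'` reads the real values for the volume instead of the constructed ones.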
Resizing Partitions and Volumes
Windows Server 2008 R2 doesn’t use Ntldr and Boot.ini to load the operating system. Instead, Windows Server 2008 R2 has a preboot environment in which Windows Boot Manager is used to control startup and load the boot application you’ve selected. Windows Boot Manager also finally frees the Windows operating system from its reliance on MS-DOS so that you can use drives in new ways. With Windows Server 2008 R2, you can extend and shrink both basic and dynamic disks. You can use either Disk Management or DiskPart to extend and shrink volumes. You cannot shrink or extend striped, mirrored, or striped-with-parity volumes.
In extending a volume, you convert areas of unallocated space and add them to the existing volume. For spanned volumes on dynamic disks, the space can come from any available dynamic disk, not only from those on which the volume was originally created. Thus, you can combine areas of free space on multiple dynamic disks and use those areas to increase the size of an existing volume.
Before you try to extend a volume, be aware of several limitations. First, you can extend simple and spanned volumes only if they are formatted and the file system is NTFS. You can’t extend striped volumes. You can’t extend volumes that aren’t formatted or that are formatted with FAT32. Additionally, you can’t extend a system or boot volume, regardless of its configuration. You can shrink a simple volume or a spanned volume by following these steps:
- In Disk Management, right-click the volume that you want to shrink, and then click Shrink Volume. This option is available only if the volume meets the previously discussed criteria.
- In the field provided in the Shrink dialog box, shown in Figure 12-8, enter the amount of space to shrink.
Figure 12-8. Specify the amount of space to shrink from the volume.
The Shrink dialog box provides the following information:
- Total Size Before Shrink In MB: Lists the total capacity of the volume in megabytes. This is the formatted size of the volume.
- Size Of Available Shrink Space In MB: Lists the maximum amount by which the volume can be shrunk. This doesn’t represent the total amount of free space on the volume; rather, it represents the amount of space that can be removed, not including any data reserved for the master file table, volume snapshots, page files, and temporary files.
- Enter The Amount Of Space To Shrink In MB: Lists the total amount of space that will be removed from the volume. The initial value defaults to the maximum amount of space that can be removed from the volume. For optimal drive performance, you’ll want to ensure that the drive has at least 10 percent of free space after the shrink operation.
- Total Size After Shrink In MB: Lists what the total capacity of the volume will be (in megabytes) after the shrink. This is the new formatted size of the volume.
- Click Shrink to shrink the volume.
You can extend a simple volume or a spanned volume by following these steps:
- In Disk Management, right-click the volume that you want to extend, and then click Extend Volume. This option is available only if the volume meets the previously discussed criteria and free space is available on one or more of the system’s dynamic disks.
- In the Extend Volume Wizard, read the introductory message, and then click Next.
- On the Select Disks page, select the disk or disks from which you want to allocate free space. Any disks currently being used by the volume are automatically selected. By default, all remaining free space on those disks is selected for use.
- With dynamic disks, you can specify the additional space that you want to use on other disks by performing the following tasks:
- Click the disk, and then click Add to add the disk to the Selected list.
- Select each disk in the Selected list, and then, in the Select The Amount Of Space In MB list, specify the amount of unallocated space to use on the selected disk.
- Click Next, confirm your options, and then click Finish.
Repairing Disk Errors and Inconsistencies
Windows Server 2008 R2 includes feature enhancements that reduce the amount of manual maintenance you must perform on disk drives. The following enhancements have the most impact on the way you work with disks:
- Transactional NTFS
- Self-healing NTFS
Transactional NTFS allows file operations on an NTFS volume to be performed transactionally. This means programs can use a transaction to group sets of file and registry operations so that all of them succeed or none of them succeed. While a transaction is active, changes are not visible outside the transaction. Changes are committed and written fully to disk only when a transaction is completed successfully. If a transaction fails or is incomplete, the program rolls back the transactional work to restore the file system to the state it was in prior to the transaction.
Transactions that span multiple volumes are coordinated by the Kernel Transaction Manager (KTM). The KTM supports independent recovery of volumes if a transaction fails. The local resource manager for a volume maintains a separate transaction log and is responsible for maintaining threads for transactions separate from threads that perform the file work.
Traditionally, you have had to use the Check Disk tool to fix errors and inconsistencies in NTFS volumes on a disk. Because this process can disrupt the availability of Windows systems, Windows Server 2008 R2 uses self-healing NTFS to protect file systems without requiring you to use separate maintenance tools to fix problems. Because much of the self-healing process is enabled and performed automatically, you might need to perform volume maintenance manually only when you are notified by the operating system that a problem cannot be corrected automatically. If such an error occurs, Windows Server 2008 R2 notifies you about the problem and provides possible solutions.
Self-healing NTFS has many advantages over Check Disk, including the following:
- Check Disk must have exclusive access to volumes, which means system and boot volumes can be checked only when the operating system starts up. On the other hand, with self-healing NTFS, the file system is always available and does not need to be corrected offline (in most cases).
- Self-healing NTFS attempts to preserve as much data as possible if corruption occurs and reduces failed file system mounting that previously could occur if a volume was known to have errors or inconsistencies. During restart, self-healing NTFS repairs the volume immediately so that it can be mounted.
- Self-healing NTFS reports changes made to the volume during repair through existing Chkdsk.exe mechanisms, directory notifications, and update sequence number (USN) journal entries. This feature also allows authorized users and administrators to monitor repair operations through Verification, Waiting For Repair Completion, and Progress Status messages.
- Self-healing NTFS can recover a volume if the boot sector is readable but does not identify an NTFS volume. In this case, you must run an offline tool that repairs the boot sector and then allow self-healing NTFS to initiate recovery.
Although self-healing NTFS is a terrific enhancement, at times you may want to (or may have to) manually check the integrity of a disk. In these cases, you can use Check Disk (Chkdsk.exe) to check for and (optionally) repair problems found on FAT, FAT32, and NTFS volumes. Although Check Disk can check for and correct many types of errors, the utility primarily looks for inconsistencies in the file system and its related metadata. One of the ways Check Disk locates errors is by comparing the volume bitmap to the disk sectors assigned to files in the file system. Beyond this, the utility of Check Disk is rather limited. For example, Check Disk can’t repair corrupted data within files that appear to be structurally intact.
Running Check Disk from the Command Line
You can run Check Disk from the command prompt or within other utilities. At a command prompt, you can test the integrity of the E drive by typing the following command:
To find and repair errors that are on the E drive, use the following command:
chkdsk /f E:
Check Disk can’t repair volumes that are in use. If a volume is in use, Check Disk displays a prompt that asks if you want to schedule the volume to be checked the next time you start the system. Click Yes to schedule this. The complete syntax for Check Disk is shown here:
chkdsk [volume[[path]filename]] [/F] [/V] [/R] [/X] [/I] [/C] [/L[:size]]
The options and switches for Check Disk are used as follows:
|volume||Sets the volume to work with.|
|[path]filename||FAT/FAT32 only: Specifies files to check for fragmentation.|
|/F||Repairs errors on the disk.|
|/V||On FAT/FAT32: Displays the full path and name of every file on the disk. On NTFS: Displays cleanup messages, if any.|
|/R||Locates bad sectors and recovers readable information (implies /F).|
|/X||Forces the volume to dismount first if necessary (implies /F).|
|/I||NTFS only: Performs a minimal check of index entries.|
|/C||NTFS only: Skips checking of cycles within the folder structure.|
|/L:size||NTFS only: Changes the log file size|
Running Check Disk Interactively
You can run Check Disk interactively by using Windows Explorer or Disk Management. Follow these steps:
- Right-click the drive, and then click Properties.
- On the Tools tab of the Properties dialog box, click Check Now.
- As shown in Figure 12-9, you can now do the following:
- Check for errors without repairing them. Click Start without selecting either of the check boxes.
- Check for errors and fix them. Make the appropriate selections in the check boxes to fix file system errors, recover bad sectors, or both, and then click Start.
Figure 12-9. Use Check Disk to check a disk for errors and repair them.
Defragmenting Disks
Any time you add files to or remove files from a drive, the data on the drive can become fragmented. When a drive is fragmented, large files can’t be written to a single continuous area on the disk. As a result, the operating system must write the file to several smaller areas on the disk, which means more time is spent reading the file from the disk. To reduce fragmentation, Windows Server 2008 R2 can manually or automatically defragment disks using Disk Defragmenter. The more frequently data is updated on drives, the more often you should run this tool.
You can manually defragment a disk by following these steps:
- In Server Manager, select the Storage node and then the Disk Management node. Right-click a drive, and then click Properties.
- On the Tools tab, click Defragment Now. In the Disk Defragmenter dialog box, select a disk, and then click Analyze Disk. Disk Defragmenter then analyzes the disk to determine whether it needs to be defragmented. If so, it recommends that you defragment now.
- In the Disk Defragmenter dialog box, select a disk, and then click Defragment Disk.
Depending on the size of the disk, defragmentation can take several hours. You can click Stop Operation at any time to stop defragmentation. When you enable automatic defragmentation, Windows Server 2008 R2 runs Disk Defragmenter automatically on a particular schedule, such as at 1:00 A.M. every Wednesday. As long as the computer is powered on at the scheduled run time, automatic defragmentation occurs. You can configure and manage automated defragmentation by following these steps:
- In Server Manager, select the Storage node and then the Disk Management node. Right-click a drive, and then click Properties.
- On the Tools tab, click Defragment Now. This displays the Disk Defragmenter dialog box, shown in Figure 12-10.
Figure 12-10. Disk Defragmenter analyzes and defragments disks efficiently.
- To cancel automated defragmentation, click Configure Schedule, clear Run On A Schedule, and then click OK. Click Close, and skip the remaining steps.
- To enable automated defragmentation, click Turn On Schedule. In the Modify Schedule dialog box, shown in Figure 12-11, select Run On A Schedule, and then set the run schedule. In the Frequency list, you can choose Daily, Weekly, or Monthly. If you choose a weekly or monthly run schedule, you need to select the run day of the week or month from the Day list. Finally, the Time list lets you set the time of the day that automated defragmentation should occur.
- If you want to modify the run schedule, click Configure Schedule. In the Modify Schedule dialog box, shown in Figure 12-11, set the run schedule as discussed in the previous step.
- If you want to manage which disks are defragmented, click Select Disks. In the Select Disks For Schedule dialog box, choose which disks should be defragmented. By default, all disks installed within or connected to the computer are defragmented, and any new disks are defragmented automatically as well. In the Disks To Include In Schedule list, select the check boxes for disks that should be defragmented automatically and clear the check boxes for disks that should not be defragmented automatically. Click OK.
- Click OK, and then click Close to save your settings.
Windows Vista with SP1 or later, Windows 7, and Windows Server 2008 or later releases of Windows automatically perform cyclic pickup defragmentation. With this feature, when a scheduled defragmentation pass is stopped and rerun, the computer automatically picks up the next unfinished volume in line to be defragmented.
Figure 12-11. Set the run schedule for automated defragmentation.
Compressing Drives and Data
When you format a drive for NTFS, Windows Server 2008 R2 allows you to turn on the built-in compression feature. With compression, all files and directories stored on a drive are automatically compressed when they’re created. Because this compression is transparent to users, compressed data can be accessed just like regular data. The difference is that you can store more information on a compressed drive than you can on an uncompressed drive.
REAL WORLD Although compression is certainly a useful feature when you want to save disk space, you can’t encrypt compressed data. Compression and encryption are mutually exclusive alternatives for NTFS volumes, which means you have the choice of using compression or using encryption. You can’t use both techniques. For more information on encryption, see “Encrypting Drives and Data” later in this chapter. If you try to compress encrypted data, Windows Server 2008 R2 automatically decrypts the data and then compresses it. Likewise, if you try to encrypt compressed data, Windows Server 2008 R2 uncompresses the data and then encrypts it.
To compress a drive and all its contents, follow these steps:
- In Windows Explorer or Disk Management, right-click the drive that you want to compress, and then click Properties.
- On the General tab, select Compress Drive To Save Disk Space, and then click OK.
- In the Confirm Attribute Changes dialog box, select whether to apply the changes to subfolders and files, and then click OK.
Compressing Directories and Files
If you decide not to compress a drive, Windows Server 2008 R2 lets you selectively compress directories and files. To compress a file or directory, follow these steps:
- In Windows Explorer, right-click the file or directory that you want to compress, and then click Properties.
- On the General tab of the Properties dialog box, click Advanced. In the Advanced Attributes dialog box, select the Compress Contents To Save Disk Space check box, as shown in Figure 12-12. Click OK twice.
Figure 12-12. With NTFS, you can compress a file or directory by selecting the Compress Contents To Save Disk Space check box in the Advanced Attributes dialog box.
For an individual file, Windows Server 2008 R2 marks the file as compressed and then compresses it. For a directory, Windows Server 2008 R2 marks the directory as compressed and then compresses all the files in it. If the directory contains subfolders, Windows Server 2008 R2 displays a dialog box that allows you to compress all the subfolders associated with the directory. Simply select Apply Changes To This Folder, Subfolders, And Files, and then click OK. Once you compress a directory, any new files added or copied to the directory are compressed automatically.
If you move an uncompressed file from a different drive, the file is compressed. However, if you move an uncompressed file to a compressed folder on the same NTFS drive, the file isn’t compressed. Note also that you can’t encrypt compressed files.
Expanding Compressed Drives
You can remove compression from a drive by following these steps:
- In Windows Explorer or Disk Management, right-click the drive that contains the data you want to expand, and then click Properties.
- Clear the Compress Drive To Save Disk Space check box, and then click OK.
- In the Confirm Attribute Changes dialog box, select whether to apply the change to subfolders and files, and then click OK.
Windows always checks the available disk space before expanding compressed data. You should too. If less free space is available than used space, you might not be able to complete the expansion. For example, if a compressed drive uses 150 GB of space and has 70 GB of free space available, you won’t have enough free space to expand the data.
Expanding Compressed Directories and Files
If you decide that you want to expand a compressed file or directory, follow these steps:
- Right-click the file or directory in Windows Explorer, and then click Properties.
- On the General tab of the Properties dialog box, click Advanced. Clear the Compress Contents To Save Disk Space check box. Click OK twice.
With files, Windows Server 2008 R2 removes compression and expands the file. With directories, Windows Server 2008 R2 expands all the files within the directory. If the directory contains subfolders, you also have the opportunity to remove compression from the subfolders. To do this, select Apply Changes To This Folder, Subfolders, And Files when prompted, and then click OK.
Windows Server 2008 R2 also provides command-line utilities for compressing and uncompressing data. The compression utility is called Compact (Compact.exe). The uncompression utility is called Expand (Expand.exe).
Encrypting Drives and Data
NTFS has many advantages over other file systems that you can use with Windows Server 2008 R2. One of the major advantages is the capability to automatically encrypt and decrypt data using the Encrypting File System (EFS). When you encrypt data, you add an extra layer of protection to sensitive data, and this extra layer acts as a security blanket blocking all other users from reading the contents of the encrypted files. Indeed, one of the great benefits of encryption is that only the designated user can access the data. This benefit is also a disadvantage in that the user must remove encryption before authorized users can access the data.
As discussed previously, you can’t compress encrypted files. The encryption and compression features of NTFS are mutually exclusive. You can use one feature or the other but not both.
Understanding Encryption and the Encrypting File System
File encryption is supported on a per-folder or per-file basis. Any file placed in a folder marked for encryption is automatically encrypted. Files in encrypted format can be read only by the person who encrypted the file. Before other users can read an encrypted file, the user must decrypt the file or grant special access to the file by adding a user’s encryption key to the file.
Every encrypted file has the unique encryption key of the user who created the file or currently has ownership of the file. An encrypted file can be copied, moved, or renamed just like any other file, and in most cases these actions don’t affect the encryption of the data. (For details, see “Working with Encrypted Files and Folders” later in this chapter.) The user who encrypts a file always has access to the file, provided that the user’s public-key certificate is available on the computer that he or she is using. For this user, the encryption and decryption process is handled automatically and is transparent.
EFS is the process that handles encryption and decryption. The default setup for EFS allows users to encrypt files without needing special permission. Files are encrypted using a public/private key that EFS automatically generates on a per-user basis.
Encryption certificates are stored as part of the data in user profiles. If a user works with multiple computers and wants to use encryption, an administrator needs to configure a roaming profile for that user. A roaming profile ensures that the user’s profile data and public-key certificates are accessible from other computers. Without this, users won’t be able to access their encrypted files on another computer.
SECURITY ALERT An alternative to a roaming profile is to copy the user’s encryption certificate to the computers that the user uses. You can do this by using the certificate backup and restore process discussed in “Backing Up and Restoring the System State” in Chapter 16, “Data Backup and Recovery.” Simply back up the certificate on the user’s original computer and then restore the certificate on each of the other computers the user logs on to.
EFS has a built-in data recovery system to guard against data loss. This recovery system ensures that encrypted data can be recovered in the event that a user’s public-key certificate is lost or deleted. The most common scenario for this is when a user leaves the company and the associated user account is deleted. A manager might have been able to log on to the user’s account, check files, and save important files to other folders, but if the user account has been deleted, encrypted files will be accessible only if the encryption is removed or if the files are moved to a FAT or FAT32 volume (where encryption isn’t supported).
To access encrypted files after the user account has been deleted, you need to use a recovery agent. Recovery agents have access to the file encryption key necessary to unlock data in encrypted files. To protect sensitive data, however, recovery agents don’t have access to a user’s private key or any private key information.
Windows Server 2008 R2 won’t encrypt files without designated EFS recovery agents. Therefore, recovery agents are designated automatically, and the necessary recovery certificates are generated automatically as well. This ensures that encrypted files can always be recovered.
EFS recovery agents are configured at two levels:
- Domain The recovery agent for a domain is configured automatically when the first Windows Server 2008 R2 domain controller is installed. By default, the recovery agent is the domain administrator. Through Group Policy, domain administrators can designate additional recovery agents. Domain administrators can also delegate recovery agent privileges to designated security administrators.
- Local computer When a computer is part of a workgroup or in a stand-alone configuration, the recovery agent is the administrator of the local computer by default. Additional recovery agents can be designated. Further, if you want local recovery agents in a domain environment rather than domain-level recovery agents, you must delete the recovery policy from Group Policy for the domain.
You can delete recovery agents if you don’t want them to be used. However, if you delete all recovery agents, EFS will no longer encrypt files. One or more recovery agents must be configured for EFS to function.
Encrypting Directories and Files
With NTFS volumes, Windows Server 2008 R2 lets you select files and folders for encryption. When a file is encrypted, the file data is converted to an encrypted format that can be read only by the person who encrypted the file. Users can encrypt files only if they have the proper access permissions. When you encrypt folders, the folder is marked as encrypted, but only the files within it are actually encrypted. All files that are created in or added to a folder marked as encrypted are encrypted automatically.
To encrypt a file or directory, follow these steps:
- Right-click the file or directory that you want to encrypt, and then click Properties.
- On the General tab of the Properties dialog box, click Advanced, and then select the Encrypt Contents To Secure Data check box. Click OK twice.
You can’t encrypt compressed files, system files, or read-only files. If you try to encrypt compressed files, the files are automatically uncompressed and then encrypted. If you try to encrypt system files, you get an error. For an individual file, Windows Server 2008 R2 marks the file as encrypted and then encrypts it. For a directory, Windows Server 2008 R2 marks the directory as encrypted and then encrypts all the files in it. If the directory contains subfolders, Windows Server 2008 R2 displays a dialog box that allows you to encrypt all the subfolders associated with the directory. Simply select Apply Changes To This Folder, Subfolders, And Files, and then click OK.
On NTFS volumes, files remain encrypted even when they’re moved, copied, or renamed. If you copy or move an encrypted file to a FAT or FAT32 drive, the file is automatically decrypted before being copied or moved. Thus, you must have proper permissions to copy or move the file.
You can grant special access to an encrypted file or folder by right-clicking the file or folder in Windows Explorer and then selecting Properties. On the General tab of the Properties dialog box, click Advanced. In the Advanced Attributes dialog box, click Details. In the Encryption Details For dialog box, users who have access to the encrypted file are listed by name. To allow another user access to the file, click Add. If a user certificate is available for the user, select the user’s name in the list provided, and then click OK. Otherwise, click Find User to locate the certificate for the user.
Working with Encrypted Files and Folders
Previously, I said that you can copy, move, and rename encrypted files and folders just like any other files. This is true, but I qualified this by saying “in most cases.” When you work with encrypted files, you’ll have few problems as long as you work with NTFS volumes on the same computer. When you work with other file systems or other computers, you might run into problems. Two of the most common scenarios are the following:
- Copying between volumes on the same computer When you copy or move an encrypted file or folder from one NTFS volume to another NTFS volume on the same computer, the files remain encrypted. However, if you copy or move encrypted files to a FAT or FAT32 volume, the files are decrypted before transfer and then transferred as standard files. FAT and FAT32 don’t support encryption.
- Copying between volumes on a different computer When you copy or move an encrypted file or folder from one NTFS volume to another NTFS volume on a different computer, the files remain encrypted as long as the destination computer allows you to encrypt files and the remote computer is trusted for delegation. Otherwise, the files are decrypted and then transferred as standard files. The same is true when you copy or move encrypted files to a FAT or FAT32 volume on another computer. FAT and FAT32 don’t support encryption.
After you transfer a sensitive file that has been encrypted, you might want to confirm that the encryption is still applied. Right-click the file and then select Properties. On the General tab of the Properties dialog box, click Advanced. The Encrypt Contents To Secure Data option should be selected.
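The same confirmation can be scripted for a whole folder tree. The following is an added PowerShell example, not part of the original chapter: it lists every file that no longer carries the Encrypted attribute after a transfer and reports the file system of the destination volume. The function name Get-UnencryptedFile and the sample path are assumptions.

```powershell
# Added example: audit a folder tree for files that are not EFS-encrypted.
# Get-UnencryptedFile is a hypothetical helper name, not a built-in cmdlet.
function Get-UnencryptedFile {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    $resolved = (Resolve-Path -LiteralPath $Path).ProviderPath

    # Look up the volume's file system. FAT and FAT32 cannot hold
    # EFS-encrypted files, so files copied there arrive decrypted.
    $fileSystem = 'Unknown'
    try {
        $root = [System.IO.Path]::GetPathRoot($resolved)
        $fileSystem = (New-Object System.IO.DriveInfo $root).DriveFormat
    }
    catch {
        # DriveInfo rejects UNC roots; leave the file system as 'Unknown'.
    }

    # -Force includes hidden files; directories are skipped because only
    # files are actually encrypted, folders are just marked.
    Get-ChildItem -LiteralPath $resolved -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        Where-Object {
            -not ($_.Attributes -band [System.IO.FileAttributes]::Encrypted)
        } |
        ForEach-Object {
            New-Object PSObject -Property @{
                FullName   = $_.FullName
                FileSystem = $fileSystem
                Attributes = $_.Attributes
            }
        }
}

# Sample path is an assumption; point it at the destination of the transfer.
# Every row returned is a file stored as a standard, unencrypted file.
Get-UnencryptedFile -Path 'D:\Transferred\Payroll' |
    Select-Object FullName, FileSystem, Attributes |
    Format-Table -AutoSize
```

An empty result means every file under the folder still has the Encrypted attribute set.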
Configuring Recovery Policy
Recovery policies are configured automatically for domain controllers and workstations. By default, domain administrators are the designated recovery agents for domains, and the local administrator is the designated recovery agent for a stand-alone workstation.
Through the Group Policy console, you can view, assign, and delete recovery agents. To do that, follow these steps:
- Open the Group Policy console for the local computer, site, domain, or organizational unit you want to work with. For details on working with Group Policy, see “Understanding Group Policies” in Chapter 5, “Automating Administrative Tasks, Policies, and Procedures.”
- Open the Encrypted Data Recovery Agents node in Group Policy. To do this, expand Computer Configuration, Windows Settings, Security Settings, and Public Key Policies, and then select Encrypting File System.
- The pane at the right lists the recovery certificates currently assigned. Recovery certificates are listed according to who issued them, who they are issued to, expiration date, purpose, and more.
- To designate an additional recovery agent, right-click Encrypting File System, and then click Add Data Recovery Agent. This starts the Add Recovery Agent Wizard, which you can use to select a previously generated certificate that has been assigned to a user and mark it as a designated recovery certificate. Click Next.
- On the Select Recovery Agents page, you can select certificates published in Active Directory or use certificate files. If you want to use a published certificate, click Browse Directory, and then, in the Find Users, Contacts, And Groups dialog box, select the user you want to work with. You’ll then be able to use the published certificate of that user. If you want to use a certificate file, click Browse Folders. In the Open dialog box, use the options provided to select and open the certificate file you want to use.
SECURITY ALERT Before you designate additional recovery agents, you should consider setting up a root certificate authority (CA) in the domain. Then you can use the Certificates snap-in to generate a personal certificate that uses the EFS Recovery Agent template. The root CA must then approve the certificate request so that the certificate can be used.
- To delete a recovery agent, select the recovery agent’s certificate in the right pane, and then press Delete. When prompted to confirm the action, click Yes to permanently and irrevocably delete the certificate. If the recovery policy is empty (meaning that it has no other designated recovery agents), EFS will be turned off so that files can no longer be encrypted.
Decrypting Files and Directories
If you want to decrypt a file or directory, follow these steps:
- In Windows Explorer, right-click the file or directory, and then click Properties.
- On the General tab of the Properties dialog box, click Advanced. Clear the Encrypt Contents To Secure Data check box. Click OK twice.
With files, Windows Server 2008 R2 decrypts the file and restores it to its original format. With directories, Windows Server 2008 R2 decrypts all the files within the directory. If the directory contains subfolders, you also have the option to remove encryption from the subfolders. To do this, select Apply Changes To This Folder, Subfolders, And Files when prompted, and then click OK.
Windows Server 2008 R2 also provides a command-line utility called Cipher (Cipher.exe) for encrypting and decrypting your data. Typing cipher at a command prompt without additional parameters shows you the encryption status of all folders in the current directory.