File System Planning for Active Directory 101
Preparing for Active Directory takes a lot of preplanning and this article was designed to help you master the file system planning portion of it before you begin with your deployment.
Verifying your File System
When deploying Active Directory, it’s imperative that you first plan and design the rollout of the base operating system (OS), also called the NOS, or Network Operating System. Active Directory, if planned properly, is close to bulletproof; if it is not, you will have problem after problem, guaranteed. Active Directory is largely self-healing, but only if it is set up correctly. Not deploying the right file system will not only prevent you from installing Active Directory in the first place, it will also stop you from using many features that are important on a production server. In this article we look at how to verify your current file system before deploying Active Directory and what to do if you have to convert it first. When planning Active Directory, the file system of the OS is what provides security; you cannot have security without a file system that supports it. Keep in mind that the file system is responsible for managing and tracking all the data on your hard disk, including the Active Directory database. Why consider the file system? If you don’t, you won’t be able to install Active Directory, and you won’t be able to use features such as disk quotas, redundancy, encryption, remote storage and remote file access, to name a few. Planning the file system ahead of time is therefore imperative, and it will ensure your success.
Windows Server 2003 File Systems
Windows Server 2003 supports several file systems: FAT, FAT32 and NTFS. WinFS is the name of a new file system expected either with a possible Longhorn release or later, with the next generation of the Windows OS. EFS and DFS are something different (EFS is an encryption feature of NTFS and DFS is a distributed namespace service, not a file system). The file systems available with Windows Server 2003 are:
- File Allocation Table (FAT): Rarely used today. Used mostly in cases (older technology and ideas) where you want to put a small partition on your disk next to NTFS so that you can repair the system or do whatever in DOS, instead of using the Recovery Console or other tools that are better suited to the job. The fundamental difference between FAT and NTFS partitions is that NTFS allows for file system–level security.
- File Allocation Table 32 (FAT32): Rarely used on a Windows Server 2003 system, especially one that is deploying Active Directory. Support for FAT and FAT32 is mainly included in Windows Server 2003 for backward compatibility and multiple boot partitions, especially when using other Windows OSs, such as configuring a single computer to boot into both Windows 98 SE and Windows Server 2003.
- Windows New Technology File System 5 (NTFS 5): Not to be confused with the original Windows New Technology File System (NTFS), NTFS 5 is more robust and is what you want to deploy whenever planning for Active Directory. Strongly consider using only NTFS partitions on production server machines! NTFS 5 brings new benefits to Windows Server systems, including disk quotas, file system encryption, dynamic volumes and remote storage capabilities.
NTFS 5 Features
Just so you can get an idea of what NTFS 5 will bring you, let’s look at some of the features a little closer.
Disk quotas are used to restrict the amount of space network and system users are allowed to save to disk. Windows Server 2003 supports disk quota restrictions at the volume level by default. When deploying disk quotas, you can restrict the amount of storage space that any user uses on a single disk volume.
You can also plan for file system encryption, which allows systems administrators to encrypt data so that it cannot be read if it is stolen or intercepted by an unauthorized user. The encryption process secures data on the volume… as long as you have it set up correctly and are using NTFS 5.
Dynamic volumes are also specific to NTFS 5. Dynamic volumes are used to help add protection for your Windows Server 2003 system, especially in the event of a disk failure. Protecting against disk failures should be a systems administrator’s biggest concern… if your disk stops working, you will have to have a way to recover. Disks are a lot like light bulbs: they were designed to fail. This is why there is an MTBF associated with most disks… a ‘Mean Time Between Failures’ figure tells you when the disk subsystem has outlived its intended usefulness. NTFS 5 and dynamic disks help to alleviate the inherent weaknesses of older technology such as NT, for example needing to reboot a system to get a replaced disk to work. Windows NT 4.0 supported various levels of Redundant Array of Independent (or Inexpensive) Disks (RAID) technology, but nothing to the level that is available now with Windows Server 2003.
You can also use the Remote Storage features supported by NTFS 5 to automatically off-load rarely used data to tape or other devices such as a NAS (network attached storage), but the files remain available to users because they haven’t been removed from the machine – it’s seamless. As you can see, NTFS 5 brings a greater level of flexibility, security, data protection, increased scalability, and increased uptime.
Planning for Active Directory
Now that you understand what you need when deploying a production server, you should now consider what is needed for deploying Active Directory. Aside from all the great things that NTFS 5 brings you, we have yet to talk about Active Directory’s needs. Active Directory absolutely needs NTFS to be installed, more specifically, Windows Server 2003 and NTFS 5. Why? The Active Directory database ‘must’ sit on an NTFS partition. Now – although we have discussed NTFS 5 and the reason for selecting it, we have not yet looked at how to verify or install it, if need be. There is more to talk about before we view, install or convert it… we still need to talk about space.
Space on your disks is imperative. You must plan for Active Directory properly. Besides using a mandatory NTFS-formatted partition, you must absolutely ensure you have enough disk space as well. To successfully install AD you must have at least one NTFS-formatted partition, because an NTFS partition is required for the SYSVOL folder. The Windows Server 2003 System Volume (SYSVOL) is a collection of folders and reparse points in the file system that exists on each domain controller (DC) in a domain. SYSVOL provides a standard location to store data that must be replicated. The File Replication service (FRS) is used to replicate the SYSVOL data. If the space on your disks does not allow for future growth of the Active Directory database, you could see serious problems in this area, so make sure you plan! You need to ensure that enough space is provided to store SYSVOL.
Make sure you consider capacity. You need to make sure that you have allocated adequate disk space for Active Directory (specifically SYSVOL) to function. Make sure that you also allow for future growth… the Active Directory database grows as you add more and more objects to it. Always consider space as well as performance. If you have too much on a server, too many services, or too much going on in your disk I/O, then you will surely feel it, so make sure that you plan your performance as well. Also make sure the disks in use are reliable as well as fast. Although you need at least 250 MB of free space on the partition you plan to install AD on, you would be insane to only plan for that amount: 1-2 GB is the minimum, and if you plan with the management teams in your organization you may find that Active Directory grows exponentially year after year. That means you want to ensure that your DCs have plenty of disk space to handle the future growth.
Modify a Disk
By now you should understand why it’s imperative to plan out your file system for Active Directory. In this section of the article we will cover how to verify your current file system and what to do if you need to convert it in preparation for Active Directory. To convert a partition to NTFS you will need to use the convert command. Before we look at how to convert anything, let’s see what we first have and talk about safety. This exercise will show you how to use the administrative tools to view and modify disk configuration.
Safety is important. Before you make any disk configuration changes, be sure you completely understand their potential effects, perform the test in a lab environment, and make sure you have good, verifiable backups handy. If you attempt this on a production system without considering the impact, you could make a mistake and extend your day job into the night, quite possibly through it. Changing partition sizes and adding and removing partitions can result in a total loss of all information on one or more partitions, so be careful.
To view your current disk configuration, you will want to use the Computer Management MMC (Microsoft Management Console). This can be found in the Administrative Tools folder either in the Control Panel or in the Start Menu.
To view the disk configuration, do the following.
- Open the Computer Management MMC in the Administrative Tools program group.
- Under the Storage branch in the navigation pane, click Disk Management.
- You have now opened the Disk Management program, which shows you the logical and physical disks currently configured on your system. You can see the size of your partitions, whether they are formatted with FAT, FAT32 or NTFS, and so on.
Windows Server 2003 allows you to convert existing FAT or FAT32 partitions to NTFS, and this is actually pretty easy to do, but it can be very destructive if done without care. Converting a disk to NTFS is a one-way process that cannot be reversed. You cannot convert an NTFS partition to any other file system without losing data, so you must ensure that you have verifiable backups of your data so that you can redeploy it on your systems. If you want to convert an existing partition from FAT or FAT32 to NTFS, you’ll need to use the convert command-line utility. The following command (on the next line) converts a partition from FAT to NTFS:
convert X: /fs:ntfs
(Where X is the letter of the drive you want to convert, such as C or D.)
If you are dual booting, make sure you think about that before you convert: you may not be able to access the converted partition from the other OS afterwards. You also need to know that if any system files on your server are part of the conversion (such as the Windows paging file), then you will absolutely need to reboot your server for the conversion to take place. While the server is running, it will not hand over control of those files so that they can be converted; it takes a reboot to make it happen. Once you reboot (if you need to), you can run dcpromo and begin the Active Directory installation process, because the file system has now been verified. There are other things you must also plan for (such as DNS), which will be covered in future articles.
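The checks described above (is every fixed volume NTFS, and does the volume that will hold SYSVOL have the 250 MB floor and the recommended 1-2 GB headroom) can be scripted so they are run before dcpromo rather than eyeballed in Disk Management. The following is an added example, not part of the original article or of any Microsoft tool; it assumes Windows PowerShell with WMI access, and the drive letters it reports on are whatever the host has. It only reports and prints the convert command it would recommend; it does not convert anything.

```powershell
# Added example (not from the article): pre-dcpromo file system check.
# Assumes Windows PowerShell and WMI (Win32_LogicalDisk) are available.
$MinimumMB     = 250    # the article's stated minimum free space for the AD partition
$RecommendedMB = 2048   # the article's "1-2 GB minimum" guidance, taken at the upper end

# DriveType 3 = local fixed disk; removable and network drives are not candidates for SYSVOL
$volumes = Get-WmiObject -Class Win32_LogicalDisk -Filter "DriveType = 3"

foreach ($v in $volumes) {
    $freeMB = [math]::Round($v.FreeSpace / 1MB)
    $fs     = $v.FileSystem
    $status = 'OK'
    $action = 'Eligible to hold SYSVOL and the AD database'

    if ($fs -ne 'NTFS') {
        # FAT/FAT32: cannot host SYSVOL. The conversion is one-way and, for the
        # system/paging-file partition, only completes after a reboot.
        $status = 'CONVERT'
        $action = "convert $($v.DeviceID) /fs:ntfs   (one-way; verify backups first)"
    } elseif ($freeMB -lt $MinimumMB) {
        $status = 'TOO SMALL'
        $action = 'Below the 250 MB floor; free space or pick another volume'
    } elseif ($freeMB -lt $RecommendedMB) {
        $status = 'MARGINAL'
        $action = 'Meets the floor only; AD grows with object count, plan for growth'
    }

    '{0,-4} {1,-6} {2,8} MB free  {3,-10} {4}' -f $v.DeviceID, $fs, $freeMB, $status, $action
}
```

Run it from an administrative PowerShell prompt on the prospective DC. Anything reported as CONVERT must be converted (and, if it is the system partition, rebooted) before dcpromo will succeed; anything reported as MARGINAL will install but leaves no room for the database growth the article warns about. The same file system information can be read for a single volume with the built-in `fsutil fsinfo volumeinfo C:` if PowerShell is not installed.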
Planning for Active Directory is not easy, but if you plan over time and properly design the deployment, you will see that it goes seamlessly. In this article we covered Windows Server 2003 file systems, including NTFS 5, what is necessary for planning Active Directory, and how to plan your file system to allow for the installation of Active Directory. Stay tuned for more Active Directory planning articles!
Links and Reference Material
- Understanding Active Directory Planning
- Using the Convert Tool (read this if you are converting FAT to NTFS)
- Mean Time Between Failure Information
- Back up your System before you Upgrade or Convert