Friday, November 29, 2013

Windows Server 2012 - Disk Management

In Windows Server 2012, we can manage disks with three different tools:
  • Server Manager
  • Disk Management (diskmgmt.msc)
  • diskpart.exe (command line)
I'm going to use "Disk Management". When I open the tool, by entering diskmgmt.msc at the command line (or run box in other versions of Windows), this is what I see:



First, we have one physical disk, "Disk 0", divided into two partitions: System Reserved and (C:).

Second, we have a second physical disk that has not yet been configured.

Before configuring this second disk, let's examine the different choices we have for disk configuration in Windows Server 2012. Many of these options will apply to Windows 2008 as well (ReFS is one notable exception).




Disk Configuration options

In Windows Server 2012, physical disks and logical partitions can be configured in a number of different ways:


Partition Style - or Scheme

This can be either the traditional MBR (Master Boot Record) scheme, available since the 1980s, or the more recent GPT (GUID partition table), available as an option since the late 1990s. GPT was first incorporated in Windows Server systems with Windows Server 2003 SP1.

A detailed presentation of these partition schemes is beyond the scope of this post. I'll present below what I believe are the essential points for disk configuration in Windows 2012.

  • MBR supports a maximum of four primary partitions. GPT allows for a maximum of 128 partitions. MBR does allow for the creation of more logical disks in an "extended partition" but this type of partition is apparently more prone to errors.
  • MBR supports a maximum partition size of 2 TB (terabytes). For decades, this was more than sufficient. As hard drive sizes now surpass 2 TB, MBR is becoming obsolete. GPT supports a partition size of 9.4 ZB (zettabytes) or... 9.4 billion TB. In reality, the maximum size will be much lower because Windows Server 2012 supports a maximum volume size of "only" 18 EB (exabytes) and hard drives on the market are simply not that large anyway.
  • GPT cannot be used for the boot partition unless the server (in this case) is a "UEFI based system" (as opposed to a traditional "BIOS").
  • UEFI is not a requirement if GPT is used on a simple storage partition (a partition from which the operating system does not boot).

If the terminology used above is not clear (UEFI versus BIOS), please refer to online sources for clarification. Here is one source that I consulted:


Microsoft TechNet or Wikipedia articles could also be used to clarify in greater detail "MBR", "GPT", "BIOS", "UEFI" and even "boot partition".

In summary, however, if a Windows server system uses "UEFI", GPT can be used for all partitions, including the boot partition. If not, and unless the server in question has an operating system that precedes Windows 2003 SP1, GPT can be used for storage partitions. GPT for the boot partition also assumes a 64 bit operating system which is a "given" for Windows Server 2012 (as for Windows 2008 R2, there is no 32 bit version).



Disk Type (basic versus dynamic)

The "basic" disk is the default. The "dynamic" disk allows the configuration of different types of volumes such as spanned or striped, or two types of "software RAID", RAID 1 (mirroring) or RAID 5 (striping with parity).


Personally, I see limited advantages in dynamic disks:

  • Spanning volumes may resolve disk space issues but also (like striped volumes) increases the risk of data loss. The failure of any disk comprising the volume results in the loss of data. The more disks comprising the volume, the greater the risk of data loss.
  • If the data is worth protecting, it would be preferable, by far, to use hardware RAID with a high quality controller on the server itself.

Volume Types

We can have the following volume types in Windows Server 2012:
  • Simple
  • Spanned
  • Striped
  • RAID 1 (mirrored)
  • RAID 5 (striped with parity)

I've already commented on what I perceive as the limited usefulness of dynamic disks in a production environment where protection of data is paramount.


File Systems

In Windows Server 2012, we have three options:
  • exFAT
  • NTFS
  • ReFS

Only two - NTFS and ReFS - are serious choices.

ReFS means "Resilient File System" and is designed to be even more robust than NTFS. It is an excellent choice for data storage. However, it does (currently) have some limitations.
  • No EFS encryption (it is compatible with Bitlocker however).
  • No compression
  • No quotas
More importantly, it is (currently) incompatible with Active Directory to the extent that the Active Directory database, log files and SYSVOL folder should not be stored on a ReFS volume.

Furthermore, it has limited compatibility with Hyper-V since CSV must be disabled.

Windows Server 2012: Does ReFS replace NTFS? When should I use it?




Configuration of Disk 1 (the second hard drive)

Now that we are aware of the different options for disk configuration, let's configure the second hard drive of our server.

The second physical disk is offline so the very first step is to bring it online. We can simply right-click on the "Disk 1" icon and select "Online":




Now the disk is "Not initialized". Moreover, disk type is unknown and of course, there is no file system. Let's configure the disk. Right-click and select: "Initialize Disk". Here we must choose between two partition styles: MBR and GPT:



I'll select "GPT".

The status of the disk changes to "Online" but it is still "unallocated".






We'll right-click and select "New Simple Volume".



Spanned and striped volumes increase risk of data loss and should be used with caution (or not at all). RAID 1 is an option and RAID 5 would be if there were a 3rd disk. Generally, however, "hardware RAID" is preferred to Microsoft's software RAID and the latter would typically be used as a last option.

The New Simple Volume Wizard opens. Click on next.

We specify the volume size. For this example, I'll use the entire physical disk.





Click on Next. This brings us to the "Format Partition" page.





We'll assign drive letter E:

We have to select a file system. The choice is currently between NTFS and ReFS. It would be extremely rare that one would opt for exFAT. I'll select NTFS for this example. We will keep the default "Allocation unit size". This could be changed if required or recommended for a particular application. For an Exchange 2010 DAG (Database Availability Group), the recommended allocation unit size is 64 KB. A quick format is fine for our practice environment (a "long" format would check for bad sectors which might be recommended if the drive will hold important data).

We can click on next and the following summary displays:




Here is the result in Disk Management...



And in Windows Explorer:
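
The same sequence (online, initialize as GPT, new simple volume, NTFS, drive letter E:) can be scripted with the Storage module cmdlets that ship with Windows Server 2012. This is an added example, not part of the original walkthrough; the function name and the volume label are hypothetical, and it assumes the new disk is Disk 1 and that E: is free. It refuses to continue if the disk is the boot or system disk or already carries a partition table.

```powershell
# Added example (not from the original post). Assumes the new disk is number 1
# and that E: is unused, as in the walkthrough; run from an elevated prompt.
function Initialize-DataDisk {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [int]$DiskNumber = 1,
        [char]$DriveLetter = 'E',
        [ValidateSet('NTFS', 'ReFS')][string]$FileSystem = 'NTFS',
        [string]$Label = 'Data',            # hypothetical label, not from the post
        [uint32]$AllocationUnitSize = 0,    # 0 = keep the default; 65536 = 64 KB
        [switch]$FullFormat                 # "long" format instead of quick
    )

    $disk = Get-Disk -Number $DiskNumber -ErrorAction Stop

    # Never touch the disk Windows starts from.
    if ($disk.IsBoot -or $disk.IsSystem) {
        throw "Disk $DiskNumber holds the boot or system partition."
    }
    if (Get-Volume -DriveLetter $DriveLetter -ErrorAction SilentlyContinue) {
        throw "Drive letter ${DriveLetter}: is already in use."
    }

    # Equivalent of right-click > "Online" in Disk Management.
    if ($disk.IsOffline)  { Set-Disk -Number $DiskNumber -IsOffline $false }
    if ($disk.IsReadOnly) { Set-Disk -Number $DiskNumber -IsReadOnly $false }
    $disk = Get-Disk -Number $DiskNumber

    # Only a "Not initialized" (RAW) disk is safe to initialize without data loss.
    if ($disk.PartitionStyle -ne 'RAW') {
        throw "Disk $DiskNumber is already initialized ($($disk.PartitionStyle))."
    }

    $action = "Initialize as GPT and format $FileSystem as ${DriveLetter}:"
    if (-not $PSCmdlet.ShouldProcess("Disk $DiskNumber ($($disk.FriendlyName))", $action)) {
        return
    }

    Initialize-Disk -Number $DiskNumber -PartitionStyle GPT
    $partition = New-Partition -DiskNumber $DiskNumber -UseMaximumSize -DriveLetter $DriveLetter

    $format = @{
        FileSystem         = $FileSystem
        NewFileSystemLabel = $Label
        Full               = [bool]$FullFormat
        Confirm            = $false
    }
    if ($AllocationUnitSize) { $format.AllocationUnitSize = $AllocationUnitSize }
    $partition | Format-Volume @format
}

# Dry run first: shows what would be done without changing the disk.
Initialize-DataDisk -DiskNumber 1 -DriveLetter E -WhatIf
```

Remove `-WhatIf` to perform the operation; the function then asks for confirmation before writing to the disk.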






Thursday, November 21, 2013

Windows Server 2012 - Print Management: Part 3 - deploying printers with Group Policy Preferences

After deploying printers with what I'll call "simple Group Policy", on a per user or per machine basis, I wanted to see what Group Policy Preferences could offer.
 
Group Policy Preferences (I'll abbreviate with "GPP") were introduced with Windows Server 2008 and still exist in Windows 2012. Compared to "simple Group Policy" they extend the options for configuration of computer and user settings.
 
In theory, GPP can deploy printers.
 
In fact, I found that it simply does not work.
 
First, I'll outline the steps used to configure printer deployment via GPP.
 
Second, I'll present the error messages.
 
 
 
Here are the computers involved:
 
- The domain controller is a Windows 2012 server
 
- The printer server, also Windows 2012
 
- Test machine running Windows 7, SP1


All machines are 64 bit.
 
 
 
Note: please keep in mind that printer deployment worked just fine using "simple Group Policy" (please see my previous posts on this subject).




Configuration of printer deployment via Group Policy Preferences


1. Printer Processor settings

Some recommend that the print processor be set to "winprint" and "RAW".

As shown below, these were the default settings on the printer.

Note: yes, we configure this in the properties of the printer itself, not in the Group Policy.



2. Printer preferences

Create a new GPO (I'll name mine GPP-PRINT) and go to Computer Configuration | Preferences | Control Panel Settings | Printers

Note: here we are (back) on the domain controller - or accessing the domain controller remotely.




3. Creating a printer

We need to right-click on the printer icon and select "New" and then "TCP/IP Printer".




4. We then enter the information for the printer.

Sources I found said to enter the IP address of the printer (not the print server). Because of problems encountered later on, I tried both IP addresses, but without success. Here (below) I have the IP address of the printer itself:




5. I disable "Point and Print Restrictions"




6. I link "GPP-PRINT" to the OU containing the test computer (PC1).




7. On PC1, I reboot, I try "gpupdate /force". The RSOP tool shows that the policy does apply. This is the part where "Point and Print Restrictions" are disabled.




However, the HP LaserJet 4200 is not installed. Instead, we have warning and error messages in the Event Viewer logs: EventIDs 600, 601 and 4098.

***

EventID 600
The print spooler failed to import the printer driver that was downloaded from \\SVR-004\print$\x64\PCC\ntprint.inf_amd64_33076fad6e030706.cab into the driver store for driver Microsoft enhanced Point and Print compatibility driver. Error code= 800f0247. This can occur if there is a problem with the driver or the digital signature of the driver.

***


EventID 601

The print spooler failed to download and import the printer driver from \\SVR-004 into the driver store for driver Microsoft enhanced Point and Print compatibility driver. Error code= 800f0247.

***



EventID 4098

The computer '10.0.0.18' preference item in the 'GPP-PRINT {32F99E49-5138-4A32-9956-50E8FDA2E402}' Group Policy object did not apply because it failed with error code '0x800703eb Cannot complete this function.' This error was suppressed.


***
This is puzzling since the same drivers were just fine when we deployed the printers via Group Policy in a previous blog post.

I'm going to look around and ask around...

Tuesday, November 19, 2013

Windows Server 2012 - Print Management: Part 2 - publishing and deploying printers via Group Policy

There are several options for providing the end-user with access to shared network printers.
 
But first, there is one assumption and one condition I am making for the following exercises:
 
  1. The user accesses the printer via the print server we have configured in the previous post. Printing directly to the network printer is an option but does not allow for centralized management. So in this scenario, we are assuming access via the print server.
  2. The printer must be installed on the printer server - and shared.
 

I would also like to specify the computers used for this exercise:

- 1 Windows 2012 domain controller
- 1 Windows 2012 member server (and print server)
- 1 Windows 7 SP1 client machine.



Manual discovery and installation of the printer by the user

Although not the optimal method, except for small environments perhaps, users, with some guidance and good directions, could add the printer to their computer themselves.

Note: as we shall see, the installation of print drivers by standard users complicates this option.
 
The user goes to "Start" and then "Devices and Printers" just as they would at home for adding a printer connected via USB cable. They select the option "Add a printer" and would proceed as instructed below.
 
 
1. Select the "Add a network, wireless or Bluetooth printer".




2. Consider the following screen... No printer was found. So the user must know where to find the printer. This is probably already creating frustration for the person that "just wants to print" but let's have them click on "The printer that I want isn't listed".



3. In the "worst case scenario", the printer is not even published in Active Directory. The user will have to enter the printer location manually. They should select the option indicated below and enter the name of the print server (preceded by two back slashes) and then, after another back slash, the name of the printer. For example:



The user could also browse for the print server and then the printer itself.
 
Note: there is a browse button to the right of "Select a shared printer by name".
 
So the user, in theory, could select SVR-004 (our print server for this exercise)...


And then "Main Office Printer":




This option is not likely to be popular among users. They must know the name of the print server and then the printer.

What can we do to facilitate matters?



Publish the printer to Active Directory

First, we can publish the printer in Active Directory so it appears among the search results. On the print server, we have to right-click on the printer and select the "List in Directory" option.





On the client side, the user selects the "Find a printer in the directory... " option:



And after publication, the user sees this:




Better yet, the printer appears as shown below when the user opens the "Add a printer" tool:








This does facilitate matters but there is one more obstacle (that would exist if the printer was not published in Active Directory as well):

The standard user (by default) cannot install print drivers:







This obstacle can be overcome (supposedly) by modifying security settings with a Group Policy Object.

I'll assume the reader possesses basic knowledge of Group Policy and concentrate on this particular problem.

In theory, we have to configure 3 parameters in our GPO:



Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options

Devices: Prevent users from installing printer drivers - Disabled


Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options

User Account Control: Detect application installations and prompt for elevation - Disabled


Computer Configuration\Policies\Administrative Templates\System\Driver Installation

Allow non-administrators to install drivers for these device setup classes - Enabled


Device class for printers is: {4d36e979-e325-11ce-bfc1-08002be10318}


Source:

http://msdn.microsoft.com/en-us/library/ff553426(v=vs.85).aspx



In reality, this does not work. The standard user is still prompted for an administrator password to install the print driver.


This has no effect (alone or in conjunction with the other settings above):





In this screenshot, RSOP shows that the setting is applied but there is still a prompt for driver installation:



Note: this is the "User Account Control: Detect application installations and prompt for elevation - Disabled" setting.


I tried adding a second GUID, thinking maybe that would better cover the printer classes:

{4658ee7e-f050-11d1-b6bd-00c04fa372a7}


However, when all is said and done, this simply does not work as claimed.

Others have come to the same conclusion, as in this TechNet forum discussion:

Configure GPO to allow user install printer driver without administrative right

 
I was able to use the "Point and Print Restrictions", successfully in appearance. There was no prompt and the drivers installed without a problem. However, this function assumes there is a compatible print driver on the client itself that can be used. As the description of the GPO states: "If a compatible print driver is not available on the client, no connection will be made."
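
RSOP reports what the GPO intends; the values the client actually holds can be read directly from the registry. The following is an added example, not part of the original post, that reports the three settings listed above plus the "Point and Print Restrictions" values on the local machine. The function names are hypothetical, and the syntax is kept compatible with the PowerShell 2.0 that ships with Windows 7 SP1.

```powershell
# Added example (not from the original post): read-only check, run on the client (PC1).
function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }   # $null = not configured
}

function Get-PrinterDriverInstallPolicy {
    $printerClass = '{4d36e979-e325-11ce-bfc1-08002be10318}'   # printer setup class from the post

    $lanman  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'
    $uac     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $drvInst = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DriverInstall\Restrictions'
    $pnp     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

    # GUIDs entered under "Allow non-administrators to install drivers for
    # these device setup classes" are stored as values of a subkey.
    $allowed = @()
    $classKey = Get-Item -Path "$drvInst\AllowUserDeviceClasses" -ErrorAction SilentlyContinue
    if ($classKey) {
        $allowed = @($classKey.GetValueNames() | ForEach-Object { [string]$classKey.GetValue($_) })
    }

    $classPolicyOn = (Get-RegValue $drvInst 'AllowUserDeviceClasses') -eq 1
    $noPrompt      = Get-RegValue $pnp 'NoWarningNoElevationOnInstall'
    $installerDet  = Get-RegValue $uac 'EnableInstallerDetection'

    # Plain-language notes on settings that relax the default prompts.
    $notes = @()
    if ($classPolicyOn -and ($allowed -contains $printerClass)) {
        $notes += 'Standard users may install drivers for the printer setup class.'
    }
    if ($noPrompt -eq 1) {
        $notes += 'Point and Print installs drivers without a warning or elevation prompt.'
    }
    if ($installerDet -eq 0) {
        $notes += 'UAC installer detection is turned off.'
    }

    New-Object PSObject -Property @{
        ComputerName                  = $env:COMPUTERNAME
        # "Devices: Prevent users from installing printer drivers" (1 = enabled)
        AddPrinterDrivers             = Get-RegValue $lanman 'AddPrinterDrivers'
        # "User Account Control: Detect application installations..." (0 = disabled)
        EnableInstallerDetection      = $installerDet
        AllowUserDeviceClassesEnabled = $classPolicyOn
        AllowedClassGuids             = ($allowed -join ', ')
        PointAndPrintRestricted       = Get-RegValue $pnp 'Restricted'
        NoWarningNoElevationOnInstall = $noPrompt
        UpdatePromptSettings          = Get-RegValue $pnp 'UpdatePromptSettings'
        TrustedServers                = Get-RegValue $pnp 'ServerList'
        Notes                         = ($notes -join ' ')
    }
}

Get-PrinterDriverInstallPolicy | Format-List
```

An empty field means the value is not configured on that machine, which is useful to compare against what RSOP claims has been applied.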

So let's take a look at the option of deploying (rather than publishing) printers with Group Policy.




***




Deploy printers with Group Policy

This option, available since Windows 2008, is preferable since it installs printers, on a per computer or per user basis, without any user intervention.

We proceed as follows...
 
In the Print Management console, among the shared printers (Print Servers | SVR-004 | Printers), we right-click on the one we intend to deploy and select "Deploy with Group Policy" in the resulting drop-down menu.




In the section "Group Policy Object", we select (or browse for) the GPO that will be used to deploy the printer:




Note: it is necessary to create a GPO for this purpose (but not necessary to configure it otherwise).

In this case, we will use the GPO named "PRINT":



Once again, we can deploy the printer on a per user or per computer (or machine) basis. In this example, I'll select the per machine option:


We click on "Add":



If all goes well, we should see this message:





In my test, the printer was added to the computer (after reboot and application of Group Policy) with no problem and no user intervention required.


So, of all the methods examined above, deploying printers via Group Policy seems to be the most efficient.



Friday, November 15, 2013

Windows Server 2012 - Print Management: Part 1 - installation of the role and adding a printer

It had been a while since I looked at the latest print server technology in the Windows Server systems, especially since Windows 2008 R2, so I wanted to see what was new and to what extent managing printers has been simplified since Windows 2003.
 
In particular, I appreciate the deployment features offered by Group Policy which I'll examine in another post (probably the next post).
 
But first, let's start with the basics: installing the Print (and Document) Services role.




Installation of the Print Services role

We start in Server Manager, go to the upper right-hand corner, select "Manage", then "Add Roles and Features".






We click "Next", as needed, to reach the following screen where we select the "Role-based (etc.)" option:




Server Manager allows us to manage any server that we add to the group so I'll select the server that will play the Print Server role: SVR-004:



I select the "Print and Document Services" role:



I'll make sure I select the Management Tools as well:




The admin might want to take note of the difference between Type 3 and Type 4 drivers. The latter can facilitate print service management because standard end-users can install them without administrative rights. Otherwise, adjustments can be made using Group Policy. 
 


For this exercise, I'll only select "Print Server" among the four role services presented:





The following screen summarizes my choices. Restarting the server was not necessary.



The installation of the role begins and...



If we open the Print Management console on SVR-004, we have something like this:




This is where we will configure print services in the sections that follow.




Adding a printer to the print server


Before we can offer print services to the end-user, we need to add a printer to the server and then make it available to the users by sharing it.

We accomplish this by proceeding as follows:




In the Print Management console, we right-click on the "Printers" icon (as shown above) and select "Add Printer" in the resulting drop-down menu.
 
I happen to have available an HP LaserJet 4200n printer to which I assigned IP address 10.0.0.18.
 
Note: this printer is not directly connected to the print server. It has its own network interface. Best practice is to store servers in a secure location and place printers close to users, which is not possible if the printer is connected to the server with a USB cable.

So I'll add a "TCP/IP printer" by IP address:



I'll indicate the printer IP address manually and uncheck the automatic detection of the driver. This may work perfectly well (and it does with a common printer model like the HP LaserJet 4200n) but I want to show how one would select the printer driver manually (if necessary, from "disk").



Here is where, if necessary, we could select the driver from "Disk" (or other media) or search for a driver (perhaps updated) on Windows Update:




In this case, I'll just select the driver that the wizard would have selected. I could select the PS (PostScript) driver if preferred.
 
 
I can then give the printer a name, share it, and, if desired, give it a separate shared name, for example, something like "Main Office Printer". The name can be modified later on and that is, in fact, what I did, since the default name (below) is neither descriptive nor concise.



After reviewing the settings (screen not shown), I can click "Next". If all goes well, I should see this:




***

So we have completed two fundamental steps in the implementation of a Print Services solution:

1. Install the Print (and Document) Services role on a server.
2. Add and configure a printer to which users will connect for their printing needs.

The options for connecting to that printer will be the subject of my next post.