Optimize Windows Server 2019 with File Server Best Practices

Windows file servers remain a constant occupant of the data center, despite the fact that many workloads have moved to the cloud.

Advances in recent versions of Windows Server make on-premises file servers an attractive option over comparable cloud services. Organizations using Windows Server 2019 file servers benefit from data deduplication for increased space savings and from higher levels of security and performance through enhancements to the Server Message Block (SMB) protocol. When you deploy a new Windows server, Microsoft's guidelines direct you to the appropriate settings for protection and reliability, which helps ensure the best possible end-user experience.

Keep the installation slim

When you deploy a Windows Server 2019 file server, you may need to install additional components. However, it's important to avoid adding roles or features that the server doesn't need to do its job. For example, a dedicated Windows file server has no need for the Hyper-V server role.

When you install the File and Storage Services role, it installs only two of the 12 default features. You do not need to install additional features unless you plan to use them on the file server.

Installing unnecessary features or multiple roles increases the server footprint, which can reduce file server performance. More code running on a system also increases the attack surface, which makes the server less secure. Install only the components necessary for the operation of a file server.
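One way to check a server against this advice is to compare its installed roles and role services with an allowlist. This is an added example, not part of the original article; the allowlist contents are an assumption for a dedicated file server and should be adjusted to the components you actually use.

```powershell
# Added example: report installed roles and role services that are not on the
# file server allowlist. The allowlist below is an assumption, not Microsoft's.
$allowed = @(
    'FileAndStorage-Services', 'File-Services', 'FS-FileServer', 'Storage-Services',
    'FS-Data-Deduplication', 'FS-Resource-Manager',
    'FS-DFS-Namespace', 'FS-DFS-Replication'
)

function Get-UnexpectedRole {
    param([string[]]$Allowed)
    # FeatureType is 'Role', 'Role Service' or 'Feature'; only roles and role
    # services are audited here, so default features do not flood the report.
    Get-WindowsFeature |
        Where-Object {
            $_.Installed -and
            $_.FeatureType -ne 'Feature' -and
            $_.Name -notin $Allowed
        } |
        Select-Object Name, DisplayName, FeatureType
}

$unexpected = @(Get-UnexpectedRole -Allowed $allowed)

if ($unexpected.Count -gt 0) {
    Write-Warning 'Roles or role services outside the file server allowlist:'
    $unexpected | Format-Table -AutoSize

    # Preview the removal only; -WhatIf makes no change to the server.
    $unexpected | ForEach-Object {
        Uninstall-WindowsFeature -Name $_.Name -WhatIf
    }
} else {
    Write-Output 'Only allowlisted roles and role services are installed.'
}
```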

Run a scan to maintain Windows Server 2019 file server best practices

You should periodically run the Best Practices Analyzer tool on your Windows file servers. This tool, which has been part of the operating system since Windows Server 2008 R2, compares your file server configuration to established Microsoft best practices.

There are two main reasons why this routine examination is important. First, Microsoft's best practices for Windows servers evolve, and the company updates the utility to reflect those changes. Regular scans validate your file server configuration. Not all issues are serious enough to warrant a change, but they may indicate an area where an adjustment could improve performance or reliability.

Second, configuration drift often occurs during Windows Server management, especially in environments with a large IT team. The Best Practices Analyzer detects changes to settings that violate best practices.

To run a best practices scan on a Windows Server 2019 file server, open Server Manager and select the File and Storage Services tab. Next, scroll down to Best Practices Analyzer and choose the Start BPA Scan option from the Tasks menu.

Figure: Use the Best Practices Analyzer in Server Manager to scan the file server for any signs of problems.

The Best Practices Analyzer examines the file server role and generates a list of issues, each with a severity level, supporting information and potential corrective actions.
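The same scan can be run from PowerShell and compared with the previous run, which turns the drift check described above into a scheduled task. This is an added example, not part of the original article; the baseline path is hypothetical, and the model is looked up by name rather than hard-coded.

```powershell
# Added example. Assumptions: elevated session on the file server; the
# baseline path is hypothetical; the BPA model id contains 'FileServices'.
$baselinePath = 'C:\BpaBaseline\FileServices.csv'

$model = Get-BpaModel |
    Where-Object { $_.Id -like '*FileServices*' } |
    Select-Object -First 1
if (-not $model) { throw 'No File Services BPA model is registered on this server.' }

# Run the scan, then keep Warning and Error results that are not excluded.
Invoke-BpaModel -ModelId $model.Id | Out-Null
$findings = Get-BpaResult -ModelId $model.Id |
    Where-Object { $_.Severity -ne 'Information' -and -not $_.Excluded } |
    Select-Object RuleId, Severity, Category, Title, Resolution

if (Test-Path $baselinePath) {
    # Findings whose rule id was not in the previous scan indicate drift.
    $knownIds = @((Import-Csv $baselinePath).RuleId)
    $drift = @($findings | Where-Object { "$($_.RuleId)" -notin $knownIds })
    if ($drift.Count -gt 0) {
        Write-Warning "$($drift.Count) finding(s) not present in the previous scan:"
        $drift | Format-List Severity, Category, Title, Resolution
    } else {
        Write-Output 'No new findings since the previous scan.'
    }
} else {
    # First run: show everything and let it become the baseline.
    $findings | Sort-Object Severity | Format-Table Severity, Category, Title -Wrap
}

# Save this scan as the baseline for the next run.
New-Item -ItemType Directory -Path (Split-Path $baselinePath) -Force | Out-Null
$findings | Export-Csv -Path $baselinePath -NoTypeInformation
```

A finding you have reviewed and decided to ignore can be excluded with `Set-BpaResult`, so it no longer appears in later comparisons.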

Consider the required versions of SMB

Determine which version of SMB should be running on the Windows file server. There are three different versions of the SMB protocol, but most organizations will not need to run all three versions.

Microsoft's Windows Server 2019 file server best practice recommendations may not always be accurate. This is when your institutional knowledge as a Windows administrator comes in handy. For example, the Best Practices Analyzer may give you bad advice on SMB configuration. Windows Server 2019 disables SMB 1.0 by default, but Best Practices Analyzer recommends that you enable it, as shown in Figure 3.

Figure: SMB 1.0 protocol. The Best Practices Analyzer recommends enabling SMB 1.0 on the file server, which goes against advice from Microsoft's security and storage teams.

The SMB 1.0 protocol facilitates backward compatibility with older Windows systems, but SMB 1.0 is also very insecure. That being the case, it’s best to ignore Best Practices Analyzer’s advice and leave SMB 1.0 disabled unless you have a compelling reason to use it.
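Before deciding whether anything gives you a compelling reason, confirm that SMB 1.0 is still off and find out whether any client is asking for it. This is an added example, not part of the original article; it assumes an elevated PowerShell session on the file server.

```powershell
# Added example: verify SMB 1.0 stays disabled and audit demand for it.
$cfg     = Get-SmbServerConfiguration
$feature = Get-WindowsFeature -Name FS-SMB1

# Current state. EnableSMB2Protocol governs SMB 2.x and 3.x together.
[pscustomobject]@{
    Smb1ProtocolEnabled  = $cfg.EnableSMB1Protocol
    Smb1FeatureInstalled = $feature.Installed
    Smb2And3Enabled      = $cfg.EnableSMB2Protocol
    Smb1AuditEnabled     = $cfg.AuditSmb1Access
} | Format-List

if ($cfg.EnableSMB1Protocol -or $feature.Installed) {
    Write-Warning 'SMB 1.0 is enabled or installed on this server.'
}

# Record SMB 1.0 connection attempts so the decision rests on evidence.
if (-not $cfg.AuditSmb1Access) {
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
}

# Dialects negotiated by the sessions that are connected right now.
Get-SmbSession |
    Group-Object Dialect |
    Select-Object @{ n = 'Dialect'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# Clients that attempted SMB 1.0 since auditing was enabled (event 3000).
$filter = @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-List
```

An empty audit log after a representative period suggests that no client depends on SMB 1.0.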

If possible, use Resilient File System

Many organizations have historically eschewed the Resilient File System (ReFS) in favor of the NT File System (NTFS), and for good reason. ReFS was developed for data resiliency, but version 1.1 released with Windows Server 2012 was extremely limited in its capabilities compared to NTFS. Many NTFS features did not exist in ReFS, such as the ability to boot the system.

Microsoft continues to develop ReFS and now most NTFS features exist in ReFS. ReFS version 3.4 in Windows Server 2019 is much more feature-rich than version 1.1, but there are still gaps in some areas. For example, ReFS does not support file system compression, encryption, disk quotas, or DOS-compatible 8.3 filenames.

If you can live without these features, ReFS has significant advantages. It is much more scalable than NTFS and supports volumes up to 35PB. ReFS includes several features to protect the integrity of data on the volume. Windows Server 2019 has a proactive error correction feature that periodically scans ReFS volumes and automatically repairs corrupted data.

Use Distributed File System in Large Organizations

The Windows Distributed File System (DFS) allows you to create a single namespace that encompasses multiple file servers. This makes it easier for users to find data without needing to know which server contains the files. DFS can create multiple replicas of data and silently redirect user requests to the file server closest to the user.

A DFS namespace can incorporate more than just Windows file servers. You can add any file server that supports SMB file shares to a DFS namespace, which can be useful in organizations with both Windows file servers and network attached storage devices.

Use File Server Resource Manager to enforce compliance

Finally, you must use the File Server Resource Manager (FSRM) to control the file server. FSRM is a Windows Server role used to enforce quotas on folders on the file server and to report on storage usage, to name a few features.

FSRM also has the added benefit of a file screening feature that prevents users from storing certain types of files on the file server. You determine how the system responds when a user tries to save a type of file, such as an executable. In the age of ransomware, this is another method available to you to prevent an attacker from encrypting all your files.
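A file screen of the kind described above can be created with the FSRM cmdlets. This is an added example, not part of the original article; it assumes the FS-Resource-Manager role service is installed, and the share path is hypothetical.

```powershell
# Added example. Assumptions: FS-Resource-Manager is installed and
# D:\Shares\Users (hypothetical) is the folder behind a user share.
Import-Module FileServerResourceManager

$sharePath = 'D:\Shares\Users'
$groupName = 'Executable Files'   # file group that ships with FSRM

if (-not (Get-FsrmFileGroup -Name $groupName -ErrorAction SilentlyContinue)) {
    throw "File group '$groupName' was not found on this server."
}

# How the server responds: write a warning event naming the user and the file.
# The bracketed tokens are FSRM variables expanded when the event is written.
$action = New-FsrmAction -Type Event -EventType Warning -Body (
    'User [Source Io Owner] tried to save [Source File Path], ' +
    'which is blocked by the file screen on [File Screen Path].'
)

$screen = @{
    Path         = $sharePath
    IncludeGroup = $groupName
    Notification = $action
    Description  = 'Block executables on user shares (example)'
    # Active blocks the save. Set it to $false for a passive screen that only
    # logs, which is a safe way to trial the rule before enforcing it.
    Active       = $true
}

if (Get-FsrmFileScreen -Path $sharePath -ErrorAction SilentlyContinue) {
    Write-Output "A file screen already exists on $sharePath; leaving it as is."
} else {
    New-FsrmFileScreen @screen
}

# Review what is now enforced on the path.
Get-FsrmFileScreen -Path $sharePath |
    Select-Object Path, Active, IncludeGroup, Description
```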
