Managing File Systems and Drives in Windows Server 2008
- 12/28/2009
- Managing the File Services Role
- Adding Hard Disk Drives
- Working with Basic, Dynamic, and Virtual Disks
- Using Basic Disks and Partitions
- Managing Existing Partitions and Drives
Managing Existing Partitions and Drives
Disk Management provides many ways to manage existing partitions and drives. Use these features to assign drive letters, delete partitions, set the active partition, and more. In addition, Windows Server 2008 R2 provides other utilities to carry out common tasks such as converting a volume to NTFS, checking a drive for errors, and cleaning up unused disk space.
Assigning Drive Letters and Paths
You can assign drives one drive letter and one or more drive paths, provided that the drive paths are mounted on NTFS drives. Drives don’t have to be assigned a drive letter or path. A drive with no designators is considered to be unmounted, and you can mount it by assigning a drive letter or path at a later date. You need to unmount a drive before moving it to another computer.
Windows cannot modify the drive letter of system, boot, or page file volumes. To change the drive letter of a system or boot volume, you need to edit the registry as described in Microsoft Knowledge Base article 223188 (http://support.microsoft.com/kb/223188/en-us). Before you can change the drive letter of a page file volume, you might need to move the page file to a different volume.
To manage drive letters and paths, right-click the drive you want to configure in Disk Management, and then click Change Drive Letter And Paths. This opens the dialog box shown in Figure 12-7. You can now do the following:
Add a drive path Click Add, select Mount In The Following Empty NTFS Folder, and then type the path to an existing folder, or click Browse to search for or create a folder.
Remove a drive path Select the drive path to remove, click Remove, and then click Yes.
Assign a drive letter Click Add, select Assign The Following Drive Letter, and then choose an available letter to assign to the drive.
Change the drive letter Select the current drive letter, and then click Change. Select Assign The Following Drive Letter, and then choose a different letter to assign to the drive.
Remove a drive letter Select the current drive letter, click Remove, and then click Yes.
Figure 12-7. You can change the drive letter and path assignment in the Change Drive Letter And Paths dialog box.
Changing or Deleting the Volume Label
The volume label is a text descriptor for a drive. With FAT32, the volume label can be up to 11 characters and can include spaces. With NTFS, the volume label can be up to 32 characters. Additionally, although FAT32 doesn’t allow you to use some special characters, including * / \ [ ] : ; | = , . + " ? < >, NTFS does allow you to use these special characters.
Because the volume label is displayed when the drive is accessed in various Windows Server 2008 R2 utilities, including Windows Explorer, it can provide information about a drive’s contents. You can change or delete a volume label using Disk Management or Windows Explorer.
Using Disk Management, you can change or delete a label by following these steps:
Right-click the partition, and then click Properties.
On the General tab of the Properties dialog box, type a new label for the volume in the Label text box or delete the existing label. Click OK.
Using Windows Explorer, you can change or delete a label by following these steps:
Right-click the drive icon, and then click Properties.
On the General tab of the Properties dialog box, type a new label for the volume in the Label text box or delete the existing label. Click OK.
Deleting Partitions and Drives
To change the configuration of a drive that’s fully allocated, you might need to delete existing partitions and logical drives. Deleting a partition or a drive removes the associated file system, and all data in the file system is lost. Before you delete a partition or a drive, you should back up any files and directories that the partition or drive contains.
You can delete a primary partition, a volume, or a logical drive by following these steps:
In Disk Management, right-click the partition, volume, or drive you want to delete, and then click Explore. Using Windows Explorer, move all the data to another volume or verify an existing backup to ensure that the data was properly saved.
In Disk Management, right-click the partition, volume, or drive again, and then click Delete Partition, Delete Volume, or Delete Logical Drive as appropriate.
Confirm that you want to delete the selected item by clicking Yes.
The steps for deleting an extended partition differ slightly from those for deleting a primary partition or a logical drive. To delete an extended partition, follow these steps:
Delete all the logical drives on the partition following the steps listed in the previous procedure.
Select the extended partition area itself and delete it.
Converting a Volume to NTFS
Windows Server 2008 R2 provides a utility for converting FAT volumes to NTFS. This utility, Convert (Convert.exe), is located in the %SystemRoot% folder. When you convert a volume using this tool, the file and directory structure is preserved and no data is lost. Keep in mind, however, that Windows Server 2008 R2 doesn’t provide a utility for converting NTFS to FAT. The only way to go from NTFS to FAT is to delete the partition by following the steps listed in the previous section and then to re-create the partition as a FAT volume.
The Convert Utility Syntax
Convert is run at the command prompt. If you want to convert a drive, use the following syntax:
convert volume /FS:NTFS
where volume is the drive letter followed by a colon, drive path, or volume name. For example, if you want to convert the D drive to NTFS, use the following command:
convert D: /FS:NTFS
If the volume has a label, you are prompted to enter the volume label for the drive. You are not prompted for a volume label if the disk doesn’t have a label.
The complete syntax for Convert is shown here:
convert volume /FS:NTFS [/V] [/X] [/CvtArea:filename] [/NoSecurity]
The options and switches for Convert are used as follows:
volume |
Sets the volume to work with |
/FS:NTFS |
Converts to NTFS |
/V |
Sets verbose mode |
/X |
Forces the volume to dismount before the conversion (if necessary) |
/CvtArea: filename |
Sets the name of a contiguous file in the root directory to be a placeholder for NTFS system files |
/NoSecurity |
Removes all security attributes and makes all files and directories accessible to the group Everyone |
convert C: /FS:NTFS /V
The following sample statement uses Convert:
Using the Convert Utility
Before you use the Convert utility, determine whether the partition is being used as the active boot partition or a system partition containing the operating system. You can convert the active boot partition to NTFS. Doing so requires that the system gain exclusive access to this partition, which can be obtained only during startup. Thus, if you try to convert the active boot partition to NTFS, Windows Server 2008 R2 displays a prompt asking if you want to schedule the drive to be converted the next time the system starts. If you click Yes, you can restart the system to begin the conversion process.
Before the Convert utility actually converts a drive to NTFS, the utility checks whether the drive has enough free space to perform the conversion. Generally, Convert needs a block of free space that’s roughly equal to 25 percent of the total space used on the drive. For example, if the drive stores 200 GB of data, Convert needs about 50 GB of free space. If the drive doesn’t have enough free space, Convert aborts and tells you that you need to free up some space. On the other hand, if the drive has enough free space, Convert initiates the conversion. Be patient. The conversion process takes several minutes (longer for large drives). Don’t access files or applications on the drive while the conversion is in progress.
You can use the /CvtArea option to improve performance on the volume so that space for the master file table (MFT) is reserved. This option helps to prevent fragmentation of the MFT. How? Over time, the MFT might grow larger than the space allocated to it. The operating system must then expand the MFT into other areas of the disk. Although the Disk Defragmenter utility can defragment the MFT, it cannot move the first section of the MFT, and it is very unlikely that there will be space after the MFT because this will be filled by file data.
To help prevent fragmentation in some cases, you might want to reserve more space than the default (12.5 percent of the partition or volume size). For example, you might want to increase the MFT size if the volume will have many small or average-size files rather than a few large files. To specify the amount of space to reserve, you can use FSUtil to create a placeholder file equal in size to that of the MFT you want to create. You can then convert the volume to NTFS and specify the name of the placeholder file to use with the /CvtArea option.
In the following example, you use FSUtil to create a 1.5-GB (1,500,000,000 bytes) placeholder file named Temp.txt:
fsutil file createnew c:\temp.txt 1500000000
To use this placeholder file for the MFT when converting drive C to NTFS, you would then type the following command:
convert c: /fs:ntfs /cvtarea:temp.txt
Notice that the placeholder file is created on the partition or volume that is being converted. During the conversion process, the file is overwritten with NTFS metadata and any unused space in the file is reserved for future use by the MFT.
Resizing Partitions and Volumes
Windows Server 2008 R2 doesn’t user Ntldr and Boot.ini to load the operating system. Instead, Windows Server 2008 R2 has a preboot environment in which Windows Boot Manager is used to control startup and load the boot application you’ve selected. Windows Boot Manager also finally frees the Windows operating system from its reliance on MS-DOS so that you can use drives in new ways. With Windows Server 2008 R2, you can extend and shrink both basic and dynamic disks. You can use either Disk Management or DiskPart to extend and shrink volumes. You cannot shrink or extend striped, mirrored, or striped-with-parity volumes.
In extending a volume, you convert areas of unallocated space and add them to the existing volume. For spanned volumes on dynamic disks, the space can come from any available dynamic disk, not only from those on which the volume was originally created. Thus, you can combine areas of free space on multiple dynamic disks and use those areas to increase the size of an existing volume.
You can shrink a simple volume or a spanned volume by following these steps:
In Disk Management, right-click the volume that you want to shrink, and then click Shrink Volume. This option is available only if the volume meets the previously discussed criteria.
In the field provided in the Shrink dialog box, shown in Figure 12-8, enter the amount of space to shrink.
Figure 12-8. Specify the amount of space to shrink from the volume.
The Shrink dialog box provides the following information:
Total Size Before Shrink In MB Lists the total capacity of the volume in megabytes. This is the formatted size of the volume.
Size Of Available Shrink Space In MB Lists the maximum amount by which the volume can be shrunk. This doesn’t represent the total amount of free space on the volume; rather, it represents the amount of space that can be removed, not including any data reserved for the master file table, volume snapshots, page files, and temporary files.
Enter The Amount Of Space To Shrink In MB Lists the total amount of space that will be removed from the volume. The initial value defaults to the maximum amount of space that can be removed from the volume. For optimal drive performance, you’ll want to ensure that the drive has at least 10 percent of free space after the shrink operation.
Total Size After Shrink In MB Lists what the total capacity of the volume will be (in megabytes) after the shrink. This is the new formatted size of the volume.
Click Shrink to shrink the volume.
You can extend a simple volume or a spanned volume by following these steps:
In Disk Management, right-click the volume that you want to extend, and then click Extend Volume. This option is available only if the volume meets the previously discussed criteria and free space is available on one or more of the system’s dynamic disks.
In the Extend Volume Wizard, read the introductory message, and then click Next.
On the Select Disks page, select the disk or disks from which you want to allocate free space. Any disks currently being used by the volume are automatically selected. By default, all remaining free space on those disks is selected for use.
With dynamic disks, you can specify the additional space that you want to use on other disks by performing the following tasks:
Click the disk, and then click Add to add the disk to the Selected list.
Select each disk in the Selected list, and then, in the Select The Amount Of Space In MB list, specify the amount of unallocated space to use on the selected disk.
Click Next, confirm your options, and then click Finish.
Repairing Disk Errors and Inconsistencies
Windows Server 2008 R2 includes feature enhancements that reduce the amount of manual maintenance you must perform on disk drives. The following enhancements have the most impact on the way you work with disks:
Transactional NTFS
Self-healing NTFS
Transactional NTFS allows file operations on an NTFS volume to be performed transactionally. This means programs can use a transaction to group sets of file and registry operations so that all of them succeed or none of them succeed. While a transaction is active, changes are not visible outside the transaction. Changes are committed and written fully to disk only when a transaction is completed successfully. If a transaction fails or is incomplete, the program rolls back the transactional work to restore the file system to the state it was in prior to the transaction.
Transactions that span multiple volumes are coordinated by the Kernel Transaction Manager (KTM). The KTM supports independent recovery of volumes if a transaction fails. The local resource manager for a volume maintains a separate transaction log and is responsible for maintaining threads for transactions separate from threads that perform the file work.
Traditionally, you have had to use the Check Disk tool to fix errors and inconsistencies in NTFS volumes on a disk. Because this process can disrupt the availability of Windows systems, Windows Server 2008 R2 uses self-healing NTFS to protect file systems without requiring you to use separate maintenance tools to fix problems. Because much of the self-healing process is enabled and performed automatically, you might need to perform volume maintenance manually only when you are notified by the operating system that a problem cannot be corrected automatically. If such an error occurs, Windows Server 2008 R2 notifies you about the problem and provides possible solutions.
Self-healing NTFS has many advantages over Check Disk, including the following:
Check Disk must have exclusive access to volumes, which means system and boot volumes can be checked only when the operating system starts up. On the other hand, with self-healing NTFS, the file system is always available and does not need to be corrected offline (in most cases).
Self-healing NTFS attempts to preserve as much data as possible if corruption occurs and reduces failed file system mounting that previously could occur if a volume was known to have errors or inconsistencies. During restart, self-healing NTFS repairs the volume immediately so that it can be mounted.
Self-healing NTFS reports changes made to the volume during repair through existing Chkdsk.exe mechanisms, directory notifications, and update sequence number (USN) journal entries. This feature also allows authorized users and administrators to monitor repair operations through Verification, Waiting For Repair Completion, and Progress Status messages.
Self-healing NTFS can recover a volume if the boot sector is readable but does not identify an NTFS volume. In this case, you must run an offline tool that repairs the boot sector and then allow self-healing NTFS to initiate recovery.
Although self-healing NTFS is a terrific enhancement, at times you may want to (or may have to) manually check the integrity of a disk. In these cases, you can use Check Disk (Chkdsk.exe) to check for and (optionally) repair problems found on FAT, FAT32, and NTFS volumes. Although Check Disk can check for and correct many types of errors, the utility primarily looks for inconsistencies in the file system and its related metadata. One of the ways Check Disk locates errors is by comparing the volume bitmap to the disk sectors assigned to files in the file system. Beyond this, the usefulness of Check Disk is rather limited. For example, Check Disk can’t repair corrupted data within files that appear to be structurally intact.
Running Check Disk from the Command Line
You can run Check Disk from the command prompt or within other utilities. At a command prompt, you can test the integrity of the E drive by typing the following command:
chkdsk E:
To find and repair errors that are on the E drive, use the following command:
chkdsk /f E:
The complete syntax for Check Disk is shown here:
chkdsk [volume[[path]filename]]] [/F] [/V] [/R] [/X] [/I] [/C] [/L[:size]]
The options and switches for Check Disk are used as follows:
volume |
Sets the volume to work with. |
[path]filename |
FAT/FAT32 only: Specifies files to check for fragmentation. |
/F |
Fixes errors on the disk. |
/V |
On FAT/FAT32: Displays the full path and name of every file on the disk. On NTFS: Displays cleanup messages, if any. |
/R |
Locates bad sectors and recovers readable information (implies /F). |
/X |
Forces the volume to dismount first if necessary (implies /F). |
/I |
NTFS only: Performs a minimum check of index entries. |
/C |
NTFS only: Skips checking of cycles within the folder structure. |
/L:size |
NTFS only: Changes the log file siz |
Running Check Disk Interactively
You can run Check Disk interactively by using Windows Explorer or Disk Management. Follow these steps:
Right-click the drive, and then click Properties.
On the Tools tab of the Properties dialog box, click Check Now.
As shown in Figure 12-9, you can now do the following:
Check for errors without repairing them. Click Start without selecting either of the check boxes.
Check for errors and fix them. Make the appropriate selections in the check boxes to fix file system errors, recover bad sectors, or both, and then click Start.
Figure 12-9. Use Check Disk to check a disk for errors and repair them.
Defragmenting Disks
Any time you add files to or remove files from a drive, the data on the drive can become fragmented. When a drive is fragmented, large files can’t be written to a single continuous area on the disk. As a result, the operating system must write the file to several smaller areas on the disk, which means more time is spent reading the file from the disk. To reduce fragmentation, Windows Server 2008 R2 can manually or automatically defragment disks using Disk Defragmenter. The more frequently data is updated on drives, the more often you should run this tool.
You can manually defragment a disk by following these steps:
In Server Manager, select the Storage node and then the Disk Management node. Right-click a drive, and then click Properties.
On the Tools tab, click Defragment Now. In the Disk Defragmenter dialog box, select a disk, and then click Analyze Disk. Disk Defragmenter then analyzes the disk to determine whether it needs to be defragmented. If so, it recommends that you defragment now.
In the Disk Defragmenter dialog box, select a disk, and then click Defragment Disk.
When you enable automatic defragmentation, Windows Server 2008 R2 runs Disk Defragmenter automatically on a specific schedule, such as at 1:00 A.M. every Wednesday. As long as the computer is powered on at the scheduled run time, automatic defragmentation occurs. You can configure and manage automated defragmentation by following these steps:
In Server Manager, select the Storage node and then the Disk Management node. Right-click a drive, and then click Properties.
On the Tools tab, click Defragment Now. This displays the Disk Defragmenter dialog box, shown in Figure 12-10.
Figure 12-10. Disk Defragmenter analyzes and defragments disks efficiently.
To cancel automated defragmentation, click Configure Schedule, clear Run On A Schedule, and then click OK. Click Close, and skip the remaining steps.
To enable automated defragmentation, click Turn On Schedule. In the Modify Schedule dialog box, shown in Figure 12-11, select Run On A Schedule, and then set the run schedule. In the Frequency list, you can choose Daily, Weekly, or Monthly. If you choose a weekly or monthly run schedule, you need to select the run day of the week or month from the Day list. Finally, the Time list lets you set the time of the day that automated defragmentation should occur.
If you want to modify the run schedule, click Configure Schedule. In the Modify Schedule dialog box, shown in Figure 12-11, set the run schedule as discussed in the previous step.
If you want to manage which disks are defragmented, click Select Disks. In the Select Disks For Schedule dialog box, select which disks should be defragmented. By default, all disks installed within or connected to the computer are defragmented, and any new disks are defragmented automatically as well. In the Disks To Include In Schedule list, select the check boxes for disks that should be defragmented automatically and clear the check boxes for disks that should not be defragmented automatically. Click OK.
Click OK, and then click Close to save your settings.
Figure 12-11 . Set the run schedule for automated defragmentation.
Compressing Drives and Data
When you format a drive for NTFS, Windows Server 2008 R2 allows you to turn on the built-in compression feature. With compression, all files and directories stored on a drive are automatically compressed when they’re created. Because this compression is transparent to users, compressed data can be accessed just like regular data. The difference is that you can store more information on a compressed drive than you can on an uncompressed drive.
Compressing Drives
To compress a drive and all its contents, follow these steps:
In Windows Explorer or Disk Management, right-click the drive that you want to compress, and then click Properties.
On the General tab, select Compress Drive To Save Disk Space, and then click OK.
In the Confirm Attribute Changes dialog box, select whether to apply the changes to subfolders and files, and then click OK.
Compressing Directories and Files
If you decide not to compress a drive, Windows Server 2008 R2 lets you selectively compress directories and files. To compress a file or directory, follow these steps:
In Windows Explorer, right-click the file or directory that you want to compress, and then click Properties.
On the General tab of the Properties dialog box, click Advanced. In the Advanced Attributes dialog box, select the Compress Contents To Save Disk Space check box, as shown in Figure 12-12. Click OK twice.
Figure 12-12. With NTFS, you can compress a file or directory by selecting the Compress Contents To Save Disk Space check box in the Advanced Attributes dialog box.
For an individual file, Windows Server 2008 R2 marks the file as compressed and then compresses it. For a directory, Windows Server 2008 R2 marks the directory as compressed and then compresses all the files in it. If the directory contains subfolders, Windows Server 2008 R2 displays a dialog box that allows you to compress all the subfolders associated with the directory. Simply select Apply Changes To This Folder, Subfolders, And Files, and then click OK. Once you compress a directory, any new files added or copied to the directory are compressed automatically.
Expanding Compressed Drives
You can remove compression from a drive by following these steps:
In Windows Explorer or Disk Management, right-click the drive that contains the data you want to expand, and then click Properties.
Clear the Compress Drive To Save Disk Space check box, and then click OK.
In the Confirm Attribute Changes dialog box, select whether to apply the change to subfolders and files, and then click OK.
Expanding Compressed Directories and Files
If you decide that you want to expand a compressed file or directory, follow these steps:
Right-click the file or directory in Windows Explorer, and then click Properties.
On the General tab of the Properties dialog box, click Advanced. Clear the Compress Contents To Save Disk Space check box. Click OK twice.
With files, Windows Server 2008 R2 removes compression and expands the file. With directories, Windows Server 2008 R2 expands all the files within the directory. If the directory contains subfolders, you also have the opportunity to remove compression from the subfolders. To do this, select Apply Changes To This Folder, Subfolders, And Files when prompted, and then click OK.
Encrypting Drives and Data
NTFS has many advantages over other file systems that you can use with Windows Server 2008 R2. One of the major advantages is the capability to automatically encrypt and decrypt data using the Encrypting File System (EFS). When you encrypt data, you add an extra layer of protection to sensitive data, and this extra layer acts as a security blanket blocking all other users from reading the contents of the encrypted files. Indeed, one of the great benefits of encryption is that only the designated user can access the data. This benefit is also a disadvantage in that the user must remove encryption before authorized users can access the data.
Understanding Encryption and the Encrypting File System
File encryption is supported on a per-folder or per-file basis. Any file placed in a folder marked for encryption is automatically encrypted. Files in encrypted format can be read only by the person who encrypted the file. Before other users can read an encrypted file, the user must decrypt the file or grant special access to the file by adding a user’s encryption key to the file.
Every encrypted file has the unique encryption key of the user who created the file or currently has ownership of the file. An encrypted file can be copied, moved, or renamed just like any other file, and in most cases these actions don’t affect the encryption of the data. (For details, see “Working with Encrypted Files and Folders” later in this chapter.) The user who encrypts a file always has access to the file, provided that the user’s public-key certificate is available on the computer that he or she is using. For this user, the encryption and decryption process is handled automatically and is transparent.
EFS is the process that handles encryption and decryption. The default setup for EFS allows users to encrypt files without needing special permission. Files are encrypted using a public/private key that EFS automatically generates on a per-user basis.
Encryption certificates are stored as part of the data in user profiles. If a user works with multiple computers and wants to use encryption, an administrator needs to configure a roaming profile for that user. A roaming profile ensures that the user’s profile data and public-key certificates are accessible from other computers. Without this, users won’t be able to access their encrypted files on another computer.
EFS has a built-in data recovery system to guard against data loss. This recovery system ensures that encrypted data can be recovered in the event that a user’s public-key certificate is lost or deleted. The most common scenario for this is when a user leaves the company and the associated user account is deleted. A manager might have been able to log on to the user’s account, check files, and save important files to other folders, but if the user account has been deleted, encrypted files will be accessible only if the encryption is removed or if the files are moved to a FAT or FAT32 volume (where encryption isn’t supported).
To access encrypted files after the user account has been deleted, you need to use a recovery agent. Recovery agents have access to the file encryption key necessary to unlock data in encrypted files. To protect sensitive data, however, recovery agents don’t have access to a user’s private key or any private key information.
Windows Server 2008 R2 won’t encrypt files without designated EFS recovery agents. Therefore, recovery agents are designated automatically, and the necessary recovery certificates are generated automatically as well. This ensures that encrypted files can always be recovered.
EFS recovery agents are configured at two levels:
Domain The recovery agent for a domain is configured automatically when the first Windows Server 2008 R2 domain controller is installed. By default, the recovery agent is the domain administrator. Through Group Policy, domain administrators can designate additional recovery agents. Domain administrators can also delegate recovery agent privileges to designated security administrators.
Local computer When a computer is part of a workgroup or in a stand-alone configuration, the recovery agent is the administrator of the local computer by default. Additional recovery agents can be designated. Further, if you want local recovery agents in a domain environment rather than domain-level recovery agents, you must delete the recovery policy from Group Policy for the domain.
You can delete recovery agents if you don’t want them to be used. However, if you delete all recovery agents, EFS will no longer encrypt files. One or more recovery agents must be configured for EFS to function.
Encrypting Directories and Files
With NTFS volumes, Windows Server 2008 R2 lets you select files and folders for encryption. When a file is encrypted, the file data is converted to an encrypted format that can be read only by the person who encrypted the file. Users can encrypt files only if they have the proper access permissions. When you encrypt folders, the folder is marked as encrypted, but only the files within it are actually encrypted. All files that are created in or added to a folder marked as encrypted are encrypted automatically.
To encrypt a file or directory, follow these steps:
Right-click the file or directory that you want to encrypt, and then click Properties.
On the General tab of the Properties dialog box, click Advanced, and then select the Encrypt Contents To Secure Data check box. Click OK twice.
For an individual file, Windows Server 2008 R2 marks the file as encrypted and then encrypts it. For a directory, Windows Server 2008 R2 marks the directory as encrypted and then encrypts all the files in it. If the directory contains subfolders, Windows Server 2008 R2 displays a dialog box that allows you to encrypt all the subfolders associated with the directory. Simply select Apply Changes To This Folder, Subfolders, And Files, and then click OK.
You can grant special access to an encrypted file or folder by right-clicking the file or folder in Windows Explorer and then selecting Properties. On the General tab of the Properties dialog box, click Advanced. In the Advanced Attributes dialog box, click Details. In the Encryption Details For dialog box, users who have access to the encrypted file are listed by name. To allow another user access to the file, click Add. If a user certificate is available for the user, select the user’s name in the list provided, and then click OK. Otherwise, click Find User to locate the certificate for the user.
Working with Encrypted Files and Folders
Previously, I said that you can copy, move, and rename encrypted files and folders just like any other files. This is true, but I qualified this by saying “in most cases.” When you work with encrypted files, you’ll have few problems as long as you work with NTFS volumes on the same computer. When you work with other file systems or other computers, you might run into problems. Two of the most common scenarios are the following:
Copying between volumes on the same computer When you copy or move an encrypted file or folder from one NTFS volume to another NTFS volume on the same computer, the files remain encrypted. However, if you copy or move encrypted files to a FAT or FAT32 volume, the files are decrypted before transfer and then transferred as standard files. FAT and FAT32 don’t support encryption.
Copying between volumes on a different computer When you copy or move an encrypted file or folder from one NTFS volume to another NTFS volume on a different computer, the files remain encrypted as long as the destination computer allows you to encrypt files and the remote computer is trusted for delegation. Otherwise, the files are decrypted and then transferred as standard files. The same is true when you copy or move encrypted files to a FAT or FAT32 volume on another computer. FAT and FAT32 don’t support encryption.
After you transfer a sensitive file that has been encrypted, you might want to confirm that the encryption is still applied. Right-click the file and then select Properties. On the General tab of the Properties dialog box, click Advanced. The Encrypt Contents To Secure Data option should be selected.
Configuring Recovery Policy
Recovery policies are configured automatically for domain controllers and workstations. By default, domain administrators are the designated recovery agents for domains, and the local administrator is the designated recovery agent for a stand-alone workstation.
Through the Group Policy console, you can view, assign, and delete recovery agents. To do that, follow these steps:
Open the Group Policy console for the local computer, site, domain, or organizational unit you want to work with. For details on working with Group Policy, see "Understanding Group Policies" in Chapter 5. "Automating Administrative Tasks, Policies, and Procedures".
Open the Encrypted Data Recovery Agents node in Group Policy. To do this, expand Computer Configuration, Windows Settings, Security Settings, and Public Key Policies, and then select Encrypting File System.
The pane at the right lists the recovery certificates currently assigned. Recovery certificates are listed according to who issued them, who they are issued to, expiration data, purpose, and more.
To designate an additional recovery agent, right-click Encrypting File System, and then click Add Data Recovery Agent. This starts the Add Recovery Agent Wizard, which you can use to select a previously generated certificate that has been assigned to a user and mark it as a designated recovery certificate. Click Next.
On the Select Recovery Agents page, you can select certificates published in Active Directory or use certificate files. If you want to use a published certificate, click Browse Directory, and then, in the Find Users, Contacts, And Groups dialog box, select the user you want to work with. You’ll then be able to use the published certificate of that user. If you want to use a certificate file, click Browse Folders. In the Open dialog box, use the options provided to select and open the certificate file you want to use.
To delete a recovery agent, select the recovery agent’s certificate in the right pane, and then press Delete. When prompted to confirm the action, click Yes to permanently and irrevocably delete the certificate. If the recovery policy is empty (meaning that it has no other designated recovery agents), EFS will be turned off so that files can no longer be encrypted.
Decrypting Files and Directories
If you want to decrypt a file or directory, follow these steps:
In Windows Explorer, right-click the file or directory, and then click Properties.
On the General tab of the Properties dialog box, click Advanced. Clear the Encrypt Contents To Secure Data check box. Click OK twice.
With files, Windows Server 2008 R2 decrypts the file and restores it to its original format. With directories, Windows Server 2008 R2 decrypts all the files within the directory. If the directory contains subfolders, you also have the option to remove encryption from the subfolders. To do this, select Apply Changes To This Folder, Subfolders, And Files when prompted, and then click OK.