MCSA/MCSE Self-Paced Training Kit (Exam 70-215): Microsoft® Windows® 2000 Server, Second Edition

Author Microsoft Corporation Pages 1392 Disk 2 Companion CD(s) Level Int/Adv Published 08/14/2002 ISBN 9780735617674 Price $59.99 To see this book's discounted price, select a reseller below.	More Information About the Book Table of Contents Sample Chapter Index Related Series Related Books About the Author Support: Book & CD Rate this book

Chapter 4: Microsoft Windows 2000 File Systems continued

Lesson 3: NT File System (NTFS)

• Describe the Windows 2000 NTFS file system

Estimated lesson time: 45 minutes

Introduction to NTFS

NTFS supports all Windows 2000 operating system features. It provides faster access speed than FAT and minimizes the number of disk accesses required to find a file. In addition, NTFS allows you to set local permissions on files and folders that specify which groups and users have access to them. This includes setting the level of access that is permitted. NTFS file and folder permissions apply both to users working at the computer where the file is stored and to users accessing the file over the network when the file is in a shared folder. With NTFS you can also set share rights that operate on shared folders in combination with file and folder permissions. FAT only supports share rights.

Features of Windows 2000

Reparse Points

Reparse points are new file system objects in NTFS used in Windows 2000. A reparse point is a file or a directory that has user-controlled data stored in the system-administered reparse attribute. The reparse attribute is used by file system filters to enhance the normal behavior of files or directories present in the underlying file system. Thus, a file or a directory that contains a reparse point acquires additional behavior not present in the underlying file system.

Reparse points enable layered file system filters to add user-controlled behavior to a file or to a directory. The underlying mechanism in a reparse point modifies the typical filename parsing process, forcing its restart with a new, user-controlled context. If the reparse point contains private reparse data, this reparse data is returned in an appropriate buffer and made available to all file system filters in the system.

Reparse tags are used to differentiate reparse points. When a file system object with a reparse point attribute is encountered during pathname resolution, it is passed back up the file system driver stack for an I/O reparse. The file system filter handles the I/O reparse, which includes identifying the reparse tag. File system drivers execute specific I/O functionality. These drivers use the reparse tag and a globally unique identifier (GUID) to identify I/O calls they are responsible for. Although the reparse tag itself is unique, the GUID provides additional identification.

When a user accesses a directory that has a directory junction reparse point attribute associated with it, a series of actions occur:

1. A user opens Windows 2000 Explorer and double-clicks on an NTFS directory in a Windows 2000 volume.
2. The call goes from User mode to Kernel mode where it reaches the file system object and encounters the matching reparse point attribute.
3. Each installable file system filter driver in the Windows 2000 I/O stack examines the tag associated with the reparse point. If there is a match, the associated file system filter driver intercepts the call. File system filters examine calls both inbound and outbound.
4. The NTFS directory junction filter driver intercepts the call and executes the enhanced functionality associated with the reparse point. In the case of a directory junction, the driver mounts another namespace.
5. The file system driver returns the call to the calling application. The file system driver mounts another namespace and returns a handle to the calling function.

Windows 2000 allows the relative order of the file system stack to be altered. Using information stored in the registry, a filter can be placed above or below another filter. NTFS is always placed below the file system filters that require NTFS as a service and above the device drivers that are used by NTFS.

The Windows 2000 I/O subsystem builds the appropriate data structures to service requests and orchestrates the calling of the layers in turn. After a function has been processed by the stack, the Windows 2000 I/O subsystem examines the result of the operation and either issues further work requests or fails work requests that have been executing normally.

Two of the file system enhancements that reparse points provide include the following:

• Hierarchical storage management Unused files are automatically archived to less expensive media like tape or removable drive. When a user attempts to access a file that has been archived, the reparse point assists the operating system in locating the file on alternative media. To the user, the file does not appear to be archived.
• Volume mount point Allows the user to view multiple disk volumes as a single drive.

Native Structured Storage

Native Structured Storage (NSS) is a new function of Windows 2000. NSS allows ActiveX documents to be physically stored in the same multistream format that ActiveX uses to logically process structured storage. The NSS file system filter makes a file on the disk look like an OLE-structured storage file. The result is improved efficiency in the physical storage of ActiveX compound documents. Each of the embedded object's data now resides in its own stream within a file. Updating an object means that a new stream is created for the new object and that the original stream for the object is destroyed, causing the file system to reclaim the disk space. The NSS file system filter makes all of this appear transparent to an application. The NSS filter also allows an NSS file to be copied to a floppy, converting the file to the old file format and vice versa.

Windows 2000 requires a reparse point be placed on any file that uses NSS. A reparse point in a file performs the following functions:

• Indicates that the file has multiple streams
• Instructs a file system filter driver to translate the multiple streams into a single stream when the file is migrated to file systems that do not support NSS

Disk Quotas

Administrators can now limit the amount of disk space users can consume on a server. Disk Quotas is a powerful tool used to monitor and constrain disk space usage. Administrators can manage storage growth in distributed environments. Disk quotas, which are implemented in NTFS, are used in Windows 2000 on a per partition basis. Disk quotas are described in more detail in Chapter 13, "Monitoring and Optimization."

Sparse File Support

Sparse files allow programs to create very large files but to consume disk space only as needed. NTFS deallocates sparse data streams and maintains only non-sparse data as allocated. When a program accesses a sparse file, the file system yields allocated data as actual data and deallocated data as zeros.

A user-controlled file system attribute can be set to take advantage of the sparse file function in NTFS. With the sparse file attribute set, the file system can deallocate data from anywhere in the file and, when an application calls, yield the zero data by range instead of storing and returning the actual data. File system APIs allow for the file to be copied or backed as actual bits and sparse stream ranges. The net result is efficiency in file system storage and access.

A sparse file contains an attribute that causes the I/O subsystem to interpret the file's data based on allocated ranges. All meaningful or non-zero data is allocated, whereas all nonmeaningful data (large strings of data composed of zeros) is simply not allocated. When a sparse file is read, allocated data is returned as stored, and nonallocated data is returned, by default, as zeros in accordance with the C2 security requirement specification.

Sparse File Utilization

NTFS includes full sparse file support for both compressed and uncompressed files. Disk allocation is required for specified ranges only. NTFS handles read operations on sparse files by returning allocated data and sparse data defined by file map ranges. It is possible to read a sparse file as allocated data and range data without having to retrieve the entire data set. This is desirable for applications that want to efficiently handle sparse files in their operations. By default, NTFS returns the entire data set.

Data streams with an NTFS sparse attribute set have two allocation definitions. The first is the virtual AllocatedLength, which is rounded up to a cluster boundary greater than or equal to the size of the stream. The second is TotalAllocatedLength, which represents the actual disk clusters allocated to the stream. TotalAllocatedLength will always be less than or equal to the AllocatedLength.

An example of sparse file utilization is a scientific application that might require 1 TB of storage for data used in a matrix. Actual meaningful data in the matrix might account for only 1 MB. With the sparse file attribute set, the file system can deallocate from anywhere in the file and yield the zero data to calling applications by range, instead of storing and returning the actual data. The result is that file access requests are satisfied with the correct bits and disk space is managed efficiently. File system APIs allow the file to be copied or backed up as actual bits and sparse stream ranges. The net result is efficiency in file system storage and access.

Link Tracking and Object Identifiers

Windows 2000 provides a service that enables client applications to track link sources that have been moved locally or within a domain. Clients that subscribe to the link tracking service can maintain the integrity of their references, because the referenced objects can be moved transparently. Link tracking stores a file object identifier as part of its tracking information. This feature allows shortcuts to resolve the correct path of a folder or file after it has been moved.

The distributed link tracking service maintains file links if the link source file is moved from one NTFS version 5.0 volume to another within the same domain. File links are also maintained if the name of the machine that holds the link source is renamed, the network shares on the link source machine are changed, or the volume holding the link source file is moved to another machine within the same domain.

Change Journal

The Change Journal is a sparse stream that creates a persistent log to track file information about additions, deletions, and modifications for each NTFS volume. This is useful for applications that need to know what has occurred on a particular volume. File system indexing, replication managers, remote storage, and incremental backup applications are a few examples of applications that can benefit from the Change Journal.

With the Change Journal, only a small active range of the file uses any disk allocation. The active range initially begins at offset 0 in the stream and moves forward through the file. The Unique Sequence Number (USN) of a particular record represents its virtual offset in the stream. As the active range moves forward through the stream, earlier records are deallocated and become unavailable. The size of the active range in a sparse file can be adjusted.

The Change Journal is much more efficient than time stamps or file notifications for determining changes in a given namespace. A system administrator can view volume changes without resorting to namespace traversal.

Change Journal Awareness

The Change Journal will not affect a storage application unless it is specifically used by that application. The Change Journal operates in a bounded space. It is based on a sparse data stream that allows for deallocation from the front of a file. Therefore, change entries can be removed and any application that depends on these entries must be prepared to deal with this event. The Change Journal records data on a per volume basis. It is applicable only to NTFS used in Windows 2000 volumes.

Unique Sequence Number

The USN Journal provides a persistent log of all changes made to files on the volume. Applications can consult the USN Journal for information about the modifications made to a set of files. The USN Journal is more efficient than checking time stamps or registering for file notifications.

When a user, an administrator, or another domain controller updates a directory object, the directory object's controller assigns that change a USN. Each controller maintains its own update sequence numbers and applies each one incrementally to each directory change made to that controller's directory. In addition, each domain controller maintains a table of USNs it has received from every other controller in the domain.

When the domain controller writes the change into the directory, it also writes the USN of the change with the property. This is an atomic operation (a procedure that is considered one indivisible process), so when the controller writes the property change and the change's USN, it will either succeed completely or fail completely.

CD and DVD Support

Windows 2000 supports CDFS, UDF, and digital video disc (DVD) storage devices.

CD-ROM File System

Windows 2000 continues to provide read-only support for CDFS, which is ISO 9660 compliant. Windows 2000 also supports long filenames as listed in the ISO 9660 level two standards.

When creating a CD-ROM to be used under Windows 2000, the following standards must be followed:

• All directory names and filenames must be less than 32 characters.
• The directory tree cannot exceed eight levels from the root.
• File extensions are not mandatory.

Universal Disk Format

The UDF, which is new for Windows 2000, is a file system designed for interchanging data on DVD and CD. The primary intention of UDF is to support read-only DVD-ROM media. UDF is a standards-based file system that is ISO 13346 compliant.

The following table outlines the restrictions and requirements defined in the UDF specification:

Item	Requirement
Logical/Physical Sector Size	The logical and physical sector size for a specific volume will be the same.
Logical Block Size	The logical block size for a logical volume should be set to the logical sector size of the volume.
Volume Set Physical Sector Size	The physical sector size within all media of the same volume set should have the same physical sector size.

With UDF, multivolume support and multipartition support are optional. Media support is limited to rewrite, overwrite, and write once, read many (WORM) media only. Windows 2000 provides native read-only support for UDF. Rewrite, overwrite, and WORM capability must be provided by third-party applications.

DVD Support

One of the new storage devices that Windows 2000 supports is DVD. DVD has a capacity nearly 20 times that of a regular CD, so a user can store several video demos for a client presentation and still have room for other material.

Support for DVD from Microsoft is not limited to a new device driver to support DVD–ROM drives. Since DVD encompasses such a broad range of uses and technologies, DVD must be viewed in the context of the whole computer. DVD-ROM discs and devices provide cost-effective storage for large data files. In the future, DVD will allow for writeable devices, allowing a larger range of options.

On most PCs that have Microsoft DVD support, DVD will work as a storage device and, if the proper decoding hardware is present, will support full DVD playback.

Some components in the architecture will change based on advances in other hardware technologies, such as the advent of Accelerated Graphics Port (AGP) or improvements in the PCI bus. The only components that will always be present are the DVD-ROM driver, the UDF file system, the Windows Driver Model (WDM) Streaming class driver, and the DVD Splitter/Navigator.

DVD-ROM Class Driver

DVD-ROM has its own industry-defined command set. Support for this command set is provided in Windows 98 by an updated CD-ROM class driver. In Windows 2000, support is provided in a new WDM DVD–ROM device driver. The Windows 2000 driver provides the ability to read data sectors from a DVD-ROM drive.

Support for UDF is provided to ensure support for UDF-formatted DVD discs. Windows 2000 will provide UDF installable file systems similar to FAT16 and FAT32.

Copyright Protection

Copyright protection for DVD is provided by encrypting important sectors on a disc and then decrypting those sectors prior to decoding them. Microsoft will provide support for both software and hardware decrypters by using a software module that will enable authentication between the decoders and the DVD-ROM drives in a PC.

Regionalization

As part of the copyright protection scheme used for DVD, six worldwide regions have been set up by the DVD Consortium. Discs are playable on DVD devices in some or all of the regions according to regional codes set by the creators of the content. Microsoft will provide software that responds to the regional codes as required by the DVD Consortium and as part of the decryption licenses.

Structure of NTFS

NTFS Volume Structure

NTFS uses clusters (also known as allocation units) made up of one or many sectors as the fundamental unit of disk allocation. However, the default cluster size depends on the partition size. In the Disk Management snap-in, a user can specify a cluster size up to 4 KB (4096 bytes). If the Format.com program is used to format the NTFS volume through the Command prompt, a user can specify any of the default cluster sizes shown in the following table.

The cluster sizes in this table are only recommendations. The sizes can be changed if necessary. However, changing disk cluster size requires that a partition be reformatted.

Volume size	Sectors per cluster	Cluster size
512 MB or less	1	512 bytes
513 MB-1024 MB	2	1 KB
1025 MB-2048 MB	4	2 KB
2049 MB-4096 MB	8	4 KB
4097 MB-8192 MB	16	8 KB
8193 MB-16,384 MB	32	16 KB
16,385 MB-32,768 MB	64	32 KB
> 32,768 MB	128	64 KB

Windows 2000 Boot Sector

The first information found on an NTFS volume is the boot sector. The boot sector starts at sector 0 and can be up to 16 sectors long. It consists of two structures:

• The BIOS Parameter Block, which contains information on the volume layout and file system structures.
• Code that describes how to find and load the startup files for the operating system being loaded. For Windows 2000 on x86-based computers, this code loads the file Ntldr.

Windows 2000 Master File Table and Metadata

When a volume is formatted with NTFS, a Master File Table (MFT) and Metadata are created.

NTFS uses MFT entries to define the files they correspond to. All information about a file, including its size, time and date stamps, permissions, and data content, is stored either within MFT entries or in space external to the MFT but described by the MFT entries.

NTFS creates a file record for each file and a directory record for each directory created on an NTFS volume. The MFT includes a separate file record for the MFT itself. These file and directory records are stored on the MFT. NTFS allocates space for each MFT record based on the cluster size of the file. The attributes of the file are written to the allocated space in the MFT. Besides file attributes, each file record contains information about the position of the file record in the MFT.

Each file usually has one file record. However, if a file has a large number of attributes or becomes highly fragmented, it might need more than one file record. If this is the case, the first record for the file (the base file record) stores the location of the other file records required by the file. Small files and directories (typically 1500 bytes or smaller) are contained entirely within the file's MFT record.

Metadata are the files NTFS uses to implement the file system structure. NTFS reserves the first 16 records of the MFT for Metadata (approximately 1 MB). The remaining records of the MFT contain the file and directory records for each file and directory on the partition.

If the first MFT record is corrupted, NTFS reads the second record to find the MFT mirror file. The data segment locations for both $Mft and $MftMirr are recorded in the boot sector. A duplicate of the boot sector is located at the end of the partition.

NTFS File Attributes

Every allocated sector on an NTFS partition belongs to a file. Even the file system Metadata is part of a file. NTFS views each file (or folder) as a set of file attributes. Elements such as the file's name, its security information, and even its data are all file attributes.

An attribute type code and, optionally, an attribute name identify each attribute. When a file's attributes can fit within the MFT file record for that file, they are called resident attributes. Filename and time stamp information is always a resident attribute. When the information for a file is too large to fit in its MFT file record, some of the file attributes are nonresident. Nonresident attributes are allocated one or more clusters of disk space elsewhere in the volume. NTFS creates an Attribute List attribute to describe the location of all the attribute records.

Implementation of NTFS

Upgrading to Windows 2000

An upgrade from Windows NT to Windows 2000 (when not multiple booting) results in the following:

• All volumes formatted with an earlier version of NTFS are upgraded to the NTFS version 5.0.
• All boot/system volumes formatted with FAT16 are converted to NTFS version 5.0.
• All volumes formatted with FAT16 that are not boot/system volumes are not converted.

Windows NT 4.0 Service Pack 4 or Later Conversion

When Windows 2000 is installed on a computer running Windows NT 4.0 with Service Pack (SP) 4 or later, the NTFS volumes are upgraded to NTFS version 5.0 the first time the new operating system is booted. Setup then installs a new NTFS driver so that all volumes can be accessed.

FAT Volume Conversion

Conversions from FAT to NTFS version 5.0 take place only if the user confirms it. Winnt32.exe started in attended mode will display a file system conversion page providing users an option to convert their existing FAT file system to NTFS. Installations or upgrades started with Winnt32.exe in unattended mode will convert or leave the file system alone, based on the value of the FileSystem value name in the answer file. Conversion will occur automatically if FileSystem = ConvertNTFS and will not be converted if FileSystem = LeaveAlone. When installing Windows 2000 Server, the option to convert FAT to NTFS will default to Yes. If the FileSystem value name does not exist, Setup will leave the file system alone.

If a user runs Setup by using Winnt.exe, boot floppies, or CD-ROM boot, the Text mode of the installation process allows the user to choose the file system.

This table outlines file system conversion information:

System	FAT to NTFS	NTFS to NTFS version 5.0
Windows NT 3.51 Workstation	Winnt32.exe will display the wizard page with the No option selected.	All mounted NTFS volumes will be upgraded to NTFS version 5.0. A warning will be displayed, and the user can cancel Setup or proceed.
Windows NT 3.51 Server (stand-alone/domain controller)	Winnt32.exe will display the wizard page with the Yes option selected.	All mounted NTFS volumes will be upgraded to NTFS version 5.0. A warning will be displayed, and the user can cancel Setup or proceed.
Windows NT 4.0 Workstation (pre–SP3)	Winnt32.exe will display the wizard page with the No option selected.	All mounted NTFS volumes will be upgraded to NTFS version 5.0. A warning will be displayed, and the user can cancel Setup or proceed.
Windows NT 4.0 Workstation (SP3)	Winnt32.exe will display the wizard page with the No option selected.	All mounted NTFS volumes will be upgraded to NTFS version 5.0. A warning will be displayed, and the user can cancel Setup or proceed.
Windows NT 4.0 Workstation (SP4 or later)	Winnt32.exe will display the wizard page with the No option selected.	All mounted NTFS volumes will be upgraded to NTFS version 5.0.
Windows NT 4.0 Server (pre-SP3—stand-alone/domain controller)	Winnt32.exe will display the wizard page with the Yes option selected.	All mounted NTFS volumes will be upgraded to NTFS used in Windows 2000. A warning will be displayed, and the user can cancel Setup or proceed.
Windows NT 4.0 Server (SP3—stand-alone/domain controller)	Winnt32.exe will display the wizard page with the Yes option selected.	All mounted NTFS volumes will be upgraded to NTFS version 5.0. A warning will be displayed, and the user can cancel Setup or proceed.
Windows NT 4.0 Server (SP4 or later—stand-alone/domain controller)	Winnt32.exe will display the wizard page with the Yes option selected.	All mounted NTFS volumes will be upgraded to NTFS version 5.0.
Windows 95	No conversion will take place. The file system will be left intact.	N/A
Windows 95 OSR2	No conversion will take place. The file system will be left intact.	N/A
Windows 98	No conversion will take place. The file system will be left intact.	N/A

Multibooting Windows 2000

The ability to access NTFS volumes when a user multiple boots Windows 2000 with earlier versions of Windows NT depends on which version of Windows NT is used. Network accessible NTFS volumes on file or print servers are not converted as a result of client computer upgrades to Windows 2000.

If a user multiple boots Windows 2000 and Windows NT 4.0 SP4, any basic (nondynamic) volumes formatted with NTFS used in Windows 2000 can be read.

If a user multiple boots Windows 2000 and a version of Windows NT that was released before Windows NT 4.0 SP4, the user cannot access the NTFS volumes with the earlier version of Windows NT. Configurations affected by this scenario include the following:

• Volumes on removable media
• Volumes used with multiple boot configurations
• Volumes shared within clustered configurations

NTFS Compatibility

If a user is running Windows NT 4.0 SP4, any basic (nondynamic) volumes formatted with NTFS used in Windows 2000 can be read.

The Windows NT 4.0 SP4 NTFS driver allows Windows NT 4.0 users to mount volumes formatted with NTFS 5.0. However, Windows NT 4.0 users cannot use any of the NTFS 5.0 features.

If another operating system is used in addition to Windows NT, the files on the NTFS volumes can be accessed only from Windows NT. A file system other than NTFS must be used for the system and boot partitions of the other operating system.

Ntfs.sys File System Driver

The new Ntfs.sys Windows NT 4.0 file system driver provides support for mounting volumes and dual-boot systems in mixed Windows NT environments. Because of these compatibility issues, dual booting between Windows NT 4.0 and Windows 2000 is not recommended. The Windows NT 4.0 SP4 NTFS driver is provided only to assist in evaluating and upgrading to Windows 2000.

Mounting Volumes

Windows NT 4.0 systems pre-SP4 are not able to mount NTFS 5.0 volumes. Windows 2000 automatically upgrades NTFS 4.0 volumes to NTFS version 5.0. When mounting an NTFS 5.0 volume under Windows NT 4.0 SP4, NTFS 5.0 features are unavailable.

Dual-Boot Systems

The new NTFS file system driver allows you to dual-boot between Windows NT 4.0 and Windows 2000 systems. To dual-boot Windows NT 4.0 and Windows 2000, install Windows NT 4.0 SP4 on the systems. However, since the on-disk NTFS data structures are different under Windows 2000, the Windows NT 4.0 disk utilities such as CHKDSK and AUTOCHK will not work. These utilities check the version stamp on the file system before performing their tasks. After installing Windows 2000, users must run the Windows 2000 version of the disk utilities.

Although the features are unavailable when mounting an NTFS 5.0 volume under Windows NT 4.0 SP4, most read and write operations can be done as normal if the operations do not make use of any NTFS 5.0 features.

Since files can be read and written on NTFS 5.0 volumes under Windows NT 4.0, Windows 2000 might need to perform clean-up operations on the volume after it was mounted on Windows NT 4.0. These clean-up operations ensure that the NTFS 5.0 data structures are consistent after a Windows NT 4.0 mount operation.

Disk Quotas

When running Windows NT 4.0, Windows 2000 disk quotas are ignored. This means that users can allocate more disk space than is allowed by their Windows 2000 quota.

If users violate their quotas under Windows NT 4.0, Windows 2000 will fail further disk allocations by those users. Users can still read and write data to existing files, but they cannot increase the size of the file. They can, however, delete files and shrink the size of files. This behavior lasts until the users reduce disk consumption below the assigned quotas. Once they are below quota, normal quota behavior resumes.

Encryption

No operations, including open, read, write, copy and delete, can be done on encrypted files under Windows NT 4.0. Since encrypted files cannot be accessed on Windows NT 4.0, no clean-up operations are necessary under Windows 2000.

Sparse files

No operations, including open, read, write, copy and delete, can be done on sparse files under Windows NT 4.0. Since sparse files cannot be accessed on Windows NT 4.0, no clean-up operations are necessary under Windows 2000.

Object IDs

Full access to the object is available under Windows NT 4.0. Objects can be opened, read, written, copied, and deleted. If the user has deleted a file with an object ID on it, Windows 2000 must scan and clean up the orphaned entry in the index.

USN Journal

The USN Journal is ignored under Windows NT 4.0. No entries are logged when files are accessed.

Since the USN Journal is ignored under Windows NT 4.0, not all file changes are logged in the USN Journal. When Windows 2000 boots, the USN Journal parameters are reset to indicate that the Journal history is incomplete. Applications that use the USN Journal must respond appropriately to incomplete Journals. All further accesses under Windows 2000 will be logged, and the Journal can be trusted after the volume is mounted by Windows 2000. Note that a Journal query for valid USN ranges can be performed.

Reparse Points

No operations, including open, read, write, copy and delete, can be done on reparse points under Windows NT 4.0. Since reparse points cannot be accessed on Windows NT 4.0, no clean-up operations are necessary under Windows 2000.

Lesson Summary

Last Updated: August 16, 2002

Top of Page