Using A NAS As Your Primary Network Server
|Getting To Know Your New NAS Server|
|Determining Who Will Control Network Addressing|
|Controlling Access To Network Resources|
|Setting Up Shared Resources|
|Document Your Network|
Since a NAS device is capable of being the center of an entire small business network and not just additional or backup storage, I thought it would make sense to tell you how to build a network with a NAS device as the central server, possibly even eliminating a Windows Server or Small Business Server.
Here is a diagram that illustrates how a NAS device, in this case a Netgear ReadyNAS Pro, can be the central focus of a fairly large and complex business network:
Many workgroups and small businesses no longer need the cost, complexity or hassle of a full-blown Windows Server (or Novell Server in days gone by); all they need is some central authority to handle network addressing, be a centralized file storage location with NAS RAID data protection and perhaps share a printer.
If you do need to "join" a Microsoft Active Directory network, make sure that the NAS you buy is a business class product and not a consumer or prosumer class unit. In the Netgear ReadyNAS lineup, products like the NVX, Pro and any rackmount NAS will join an AD domain. Products like the Duo, NV+, any with "Pioneer" in the name, Ultra and Ultra Plus cannot become part of an Active Directory schema.
Keep in mind that the NAS does not need to join the domain just to be accessed on that type of network; joining is only needed to use AD user & security information to control access to NAS shared resources.
Let’s take a look at the steps of setting up a small business network using a network attached storage server as the ‘hub’ of the network in stages. For our purposes here, we will operate under the assumption that this is our entire network and we are not part of a larger organization.
Getting To Know Your New NAS Server
I cannot cover every NAS server you may end up buying, but I can tell you what things you want to know about it.
To start, you need to be able to access the network storage device’s administration software, possibly a built-in web server administration interface. The difficulty is, how does the manufacturer set the default TCP/IP address on the NAS so that you can access it after plugging it in to your network?
Some vendors always use the same default address, but other vendors change from time to time. If your device has a front LED or similar display that shows the IP address of the device then your job is a bit easier.
The Netgear ReadyNAS product lineup is one of my favorites. One nice feature is that all across their product line from the cheapest Home NAS to the most expensive Enterprise NAS they all use a practically identical user interface that you access through your web browser.
With ReadyNAS "RAIDiator" web interface software, you have the choice of using wizards to help you configure your NAS or going into advanced mode if you understand the basics of the settings you might need to change.
Yet, before you can access the web interface you have to be on the same "network", without an addressing conflict. Netgear provides software they call "RAIDar" that you install on one PC to "find" the ReadyNAS server even if its IP address is not compatible with your IP schema. It then lets you set it to something that is appropriate.
Once you can access the NAS device and have its IP address configured to a compatible and appropriate address for your network – remember, no two devices can be set to the same address – you are ready for the next step, determining who will control network addressing.
Determining Who Will Control Network Addressing
Modern networks pass "packets" of data using the TCP/IP protocol (v4; v6 is just starting to show itself), and something has to determine the address each device uses. On rare occasions, a network administrator will manually assign an address to every device on the network in the form xxx.xxx.xxx.xxx, 4 octets ranging from 0 to 255 each – with limitations.
You have probably seen this as 192.168.1.1, for instance. A subnet mask, usually 255.255.255.0, will control what other addresses can be "seen". In this case, only those addresses that share the first three octets or 192.168.1.x (with ‘x’ being a number between 1 and 254).
More common is for one device, either a router (typically an internet modem/router) or a server to allocate addresses using DHCP using a range of addresses that an administrator (or vendor default) determines.
Internet modem/router control
If you just have a few computers connected to an internet modem/router then you probably have a network base address determined by the modem/router vendor default with a range of addresses to be handed out by the router using the DHCP protocol.
Along with the actual device address and subnet mask, the router gives out its own address to be used as the ‘gateway’ to all other networks including the internet.
In addition, though, your computer needs a way to convert website URL’s like www.google.com into TCP/IP addresses in the xxx.xxx.xxx.xxx format. Enter DNS or Domain Name Service.
Usually your internet service provider (ISP) will provide you with the DNS service, but you can use OpenDNS servers for additional features and protections. Your modem/router will usually pick up the DNS server addresses from your ISP automatically and in turn hand them out to each workstation as part of the DHCP addressing process.
Once you add a NAS device as the central file storage repository you have a second option, and that is for the NAS to hand out network addresses to each workstation. Naturally, to do this you would have to assign your NAS a ‘static’ IP address for itself. Because of the predominance of 192.168.1.x networks, I usually choose something else (but make sure it is in the "Private" address ranges of the internet) like 10.1.0.x, but that depends on any other networks that may be part of a larger scenario.
In this scenario, you would use the web admin interface of your NAS to turn DHCP on and set the proper values in each of the fields: base address, address range, subnet mask, gateway and DNS servers.
Why would you choose Server control?
The reason I often choose to have the NAS device control network addressing is this: what if your internet modem/router dies or the ISP comes along and issues you a new one for whatever reason?
Keep in mind that the router is probably the MOST likely piece of equipment to get lightning damage (because of the phone line or cable connection extending outside) and it is nice to keep the basic network, file sharing and printing up and running while that is replaced. Further, the modem/router may not be your property and I like to own the devices that have control of my network.
Example – Router as DHCP Server
Let’s say you are just going to add a NAS device as a server on your network and let your internet router continue to take care of the addressing. Well, again, I like static IP’s for my servers and other devices other than workstations, so you need to know what address your network currently is using.
The easiest way to find out is to let your PC tell you. Here is a video that shows you how:
What you may see is something like:
IP Address: 192.168.1.101
Subnet Mask: 255.255.255.0
Gateway: 192.168.1.1 (the internet modem/router)
DHCP Server: 192.168.1.1
DNS Servers: 126.96.36.199, 188.8.131.52 (These happen to be for OpenDNS.org)
What you can see is that the DHCP server is the same as the Gateway which tells us that your internet modem/router is currently controlling network addressing. To make any changes, or to see what the "client" address range is (required to know so you can set a ‘static’ address for the NAS device), you will need to know how to login to your router.
All routers are different, but they have similar settings and hopefully an intuitive web interface. For specific instructions, see your router’s manual or contact your ISP. If you have installed a WiFi or other router inside of your ISP’s modem, then consult those instructions.
Here is an example video for a very popular Netgear router:
Chances are that in the above example you would find that the "client" address range of the DHCP server is something resembling 192.168.1.101 – 192.168.1.150.
If that were the case and I wanted to select a static address for my NAS I might choose 192.168.1.11. Further, if I had other devices like a network printer, I would probably address them in the 192.168.1.21..29 range.
Important note: Any time you assign a static IP address to a device, do yourself and any future administrator a huge favor and attach a label to the outside of the device in a prominent location!
Example – NAS as DHCP Server
Again, using the above example that your router is 192.168.1.1, you would have to login to your router, usually by opening a web browser and typing 192.168.1.1 into the address bar and logging in.
You would then find the DHCP server control and write down all values, especially making sure you have the DNS settings which can also be found from the workstation as shown in the video.
Then turn off DHCP on your router and save changes. If you do decide to change from the 192.168.x.x format to something else, be sure you understand what you are doing and why or else don’t do it.
Next you would login to your NAS device in the same way, only using the NAS device IP address in the address bar of your browser. If you change the address of the NAS then obviously you will be disconnected and have to reconnect using the new address.
Turn on DHCP services in the NAS and enter the configuration information. For the client address range, I normally don’t make this much larger than it needs to be. For instance, if you have 5 PC’s (and maybe even a printer or two – though not if it were mine) that is less than 10 devices total. So I might set an address range of maybe 101 – 110 or 115, but not as large as the vendor default.
Especially if you have a WiFi access point somewhere on the network there is no sense risking too many rogue devices getting the chance to attach.
Everything else stays the same as it was on the router in the DHCP settings page. Save your work and exit.
If you reboot a workstation PC and check for IP address information again you should see the new values displayed for DHCP server.
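The two examples above come down to a handful of checks: statics stay outside the DHCP client range, nothing collides with the gateway, and the pool is no bigger than the office needs. The following is an added example, not part of the original article; the function name, the 8-client estimate and the `headroom` rule of thumb are assumptions, and the addresses are the article's own example values.

```python
import ipaddress

def check_plan(network, gateway, pool, statics, expected_clients, headroom=2):
    """Return a list of problems in a small-office IPv4 addressing plan.

    pool is (first, last) of the DHCP client range; statics maps a device
    label to its fixed address. headroom is an assumed rule of thumb: the
    pool may hold at most headroom * expected_clients addresses.
    """
    net = ipaddress.ip_network(network)
    gw = ipaddress.ip_address(gateway)
    lo, hi = (ipaddress.ip_address(a) for a in pool)
    problems = []

    def usable(addr):
        # Inside the subnet and not the network or broadcast address.
        return addr in net and addr not in (net.network_address, net.broadcast_address)

    if not net.is_private:
        problems.append(f"{net} is not a private address range")
    for label, addr in (("gateway", gw), ("pool start", lo), ("pool end", hi)):
        if not usable(addr):
            problems.append(f"{label} {addr} is not a usable host in {net}")
    if lo > hi:
        problems.append("DHCP pool start is above pool end")
    if lo <= gw <= hi:
        problems.append(f"gateway {gw} is inside the DHCP pool")

    taken = {gw: "gateway"}
    for label, text in statics.items():
        addr = ipaddress.ip_address(text)
        if not usable(addr):
            problems.append(f"{label} {addr} is not a usable host in {net}")
        if lo <= addr <= hi:
            problems.append(f"{label} {addr} is inside the DHCP pool")
        if addr in taken:
            problems.append(f"{label} {addr} duplicates {taken[addr]}")
        taken[addr] = label

    size = int(hi) - int(lo) + 1
    if size < expected_clients:
        problems.append(f"pool of {size} is too small for {expected_clients} clients")
    elif size > headroom * expected_clients:
        problems.append(f"pool of {size} is oversized for {expected_clients} clients")
    return problems

# Constructed plan using the article's example numbers.
STATICS = {"nas": "192.168.1.11", "printer": "192.168.1.21"}

if __name__ == "__main__":
    for pool in (("192.168.1.101", "192.168.1.150"), ("192.168.1.101", "192.168.1.115")):
        print(pool, check_plan("192.168.1.0/24", "192.168.1.1", pool, STATICS, 8))
```

Run it against the values you wrote down from the router before switching DHCP over to the NAS, and keep the output with your network documentation.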
Addressing Wrap Up
Whew! That seems pretty complicated with all of those paragraphs of type, but it really boils down to a pretty straightforward process. I just wanted to spell out as much as I could for the benefit of someone who may not be as well versed in network setup.
Bottom line is that you have a choice, just don’t go beyond your abilities and understanding and end up disconnecting all the PC’s from each other, the new NAS server and the internet! When in doubt, ask, there are all kinds of networking videos and other helps available for free online.
Controlling Access To Network Resources
For your own benefit, you will want to organize the files on your network storage device according to a couple of factors:
- Do you need to restrict access differently for various data files?
- Are there some files that need to be backed up and others that do not (like workstation backups)?
- Is there a category of files stored that will be accessed by special services like media players?
You want to address these issues early on so that you can create share points on your NAS appropriately to make access control and sharing simple, logical, and straightforward.
Even if you want all users to easily be able to access all data, printers, etc – or "shares" on the server, you still want to segregate data files for other purposes of convenience.
What Is A Share?
All servers, NAS devices included, will talk about "network shares". A share is simply a term to describe something you can access on your network server. A printer that is attached to your NAS and then shared as, say, "Printer1" is a share.
Each share can be controlled for security purposes, but can be "open" for anonymous users with no password if you desire. This probably is not the best idea, but I see it all the time.
Typically in a small business network there will be a group of files that pretty much everyone needs to be able to access. Traditionally, this group of files is placed on a share point that is then "mapped" automatically to each workstation as a drive letter – such as drive "F:" (Historically, A: and B: were floppy drives, C: the hard disk, D: the CDRom drive and optionally a Zip drive or second CDRom was E: – hence "F:" was almost always the next universally available drive letter.)
On a NAS device there are typically one or more shares created by default, maybe "backup" and "media". You can use these or not at your discretion. If you do have media files, you may just choose to use the media share provided which often is already further divided into categories of media such as "music", "pictures", "videos".
"backup" may be reserved for backing up workstations, which, in my opinion, should not contain company data, but will include preferences and configuration files and just in general be a pain to recreate. Many NAS servers will come with software for backing up workstations to the NAS, and using the "backup" share for that makes sense. We will talk more about backup later.
If you do have some data that needs to be secured differently, perhaps for management or accounting, then you may consider creating a separate user group for those users, a separate file "share" for those data files, and even map that share to a different drive letter, perhaps "G:". Then you assign access rights for that "share" to members of the user group you created.
Resource Control Summary
To summarize, we control resources not just for security, but also for accessibility and efficiency. Here is what you need to do:
- Determine what resources your NAS server will offer to users, including "system" users like backup software and media players, and what restrictions you need to put on these resources. Remember, too, that some users should only be given "read" access to some company files just so they do not accidentally change, delete or move them. Create the shares.
- Create a user on the NAS server for each user accessing the NAS device.
- Create user groups using logic based on need to grant access, map drives, print, etc.
- Set the access control on each share resource preferably to user groups, not users. The exception would be if you choose to have a "home" directory on the server for each user.
- Test and DOCUMENT what you did.
That’s about it. Do not make it any harder than it has to be, but do be sure to protect your business by protecting your data.
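For the "Test and DOCUMENT" step, it helps to write the shares, groups and grants down as data and expand them into who can actually read or write each share. The following is an added example, not part of the original article and not any NAS vendor's API; the share, group and user names are constructed, and the `guest` and `home` flags are assumed labels for an anonymous share and a per-user home directory.

```python
WRITE = "write"

def effective_access(shares, groups):
    """Expand group grants into {share: {user: 'read' | 'write'}}."""
    matrix = {}
    for share, cfg in shares.items():
        rights = {}
        for principal, level in cfg["acl"].items():
            # A principal that is not a group name is treated as a single user.
            for user in groups.get(principal, [principal]):
                if level == WRITE or rights.get(user) != WRITE:
                    rights[user] = level  # write always wins over read
        matrix[share] = rights
    return matrix

def audit(shares, groups, users):
    """Return (share, finding) pairs for grants the checklist advises against."""
    findings = []
    for share, cfg in shares.items():
        if cfg.get("guest"):
            findings.append((share, "open to anonymous users"))
        for principal in cfg["acl"]:
            if principal in groups:
                continue
            if principal not in users:
                findings.append((share, f"grant to unknown principal '{principal}'"))
            elif not cfg.get("home"):
                findings.append((share, f"grant to user '{principal}' instead of a group"))
    return findings

# Constructed sample configuration for a small office.
USERS = {"alice", "bob", "carol"}
GROUPS = {"staff": ["alice", "bob", "carol"], "accounting": ["carol"]}
SHARES = {
    "company":    {"acl": {"staff": "write"}},                       # mapped as F:
    "accounting": {"acl": {"accounting": "write", "bob": "read"}},   # mapped as G:
    "policies":   {"acl": {"accounting": "write", "staff": "read"}},
    "media":      {"acl": {}, "guest": True},
    "home-alice": {"acl": {"alice": "write"}, "home": True},
}

if __name__ == "__main__":
    for share, rights in effective_access(SHARES, GROUPS).items():
        print(f"{share:12} {rights}")
    for share, finding in audit(SHARES, GROUPS, USERS):
        print(f"REVIEW {share}: {finding}")
```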
Setting Up Shared Resources
Setting up new shares on a NAS server can be as easy or as complicated as you like. I prefer easy.
What you determined in the step about controlling shares (above) helps you determine what to do here. The easiest and most basic share is created simply by setting the name and including a helpful description. Public access without any user authentication makes it easy, although not secure.
Although Linux, the underlying operating system of most NAS servers, is case sensitive, you will probably find that you CANNOT create a share named "Test" and another named "test". That is probably a good thing.
The other thing you might find odd is that, unlike a Windows server, you cannot usually create a share inside the directory structure of another share.
If you come from the Windows world, you may find the security terminology unfamiliar. If you want to access a share from a Windows client, you may see a category called "CIFS" for setting those access permissions. "AFP" is what you would use for Mac clients.
It would be hard to give too much more information on this topic without being specific to one NAS family. Suffice it to say, though, if you do not understand the options you see, seek help before messing around with something you do not know the consequences of. Again, often, the simpler the better.
One option that you want to consider setting on CIFS shares is the recycle bin option, if provided (Netgear ReadyNAS does). This can be really handy and even an improvement over Windows servers. You get to specify how many days deleted files are kept in the recycle bin on the root of the share.
Again, some NAS servers under CIFS will allow you to hide the share from "browsing". This means that if a user knows or guesses of its existence they can access it unless you have restricted access, but they will not find it by browsing the server.
USB Printers and Drives
Most NAS devices have a USB port where you can plug in a USB printer to share, or a USB external hard drive and create shares for access to that also. Keep in mind, though, before you decide to expand the capacity of your NAS with a USB hard drive, that any data kept there will NOT be NAS RAID protected.
I see external USB hard drives on NAS servers as appropriate for read-only data that is backed up somewhere else and for backing up the NAS itself to.
Backup. It’s that thing that most people do not do, at least not regularly.
If you have properly configured your NAS server to include RAID1 or above protection, congratulations!, many do not. But do not make the mistake of thinking that NAS RAID is a backup! – it is not.
NAS RAID protects you from failing hard drives; if you delete or corrupt a file on one hard drive of a mirrored RAID1 set, for instance, it is immediately deleted or corrupted on the other drive as well.
Backing up the data on your NAS allows you to:
- Recover a file accidentally deleted (as will the recycle bin, but only if configured!)
- Restore a file before a data entry mistake
- Restore a file from before a program crash or error corrupted it
- Restore your data to a point in time before virus/malware corruption
- Restore data to a previous point in time for analysis, reports, etc. (provided you cycle backups at predetermined periods)
- Restore your data to a new NAS server if your NAS is destroyed in fire or disaster or stolen.
Backups are only good, though, if they can be accessed. Backups kept on site will likely do you no good in the case of fire, flood or many natural disasters. Therefore to give you protection against all ranges of threats to your data you must employ multiple backup methods.
Ways to Backup Your NAS Server
There are many ways to backup the data on your NAS server, such as:
- Backup to an attached external USB hard drive, scheduled through the NAS interface or by way of a "backup button" on the NAS
- Backup to a remote NAS that you own at another location
- Backup to a workstation with an external or other large hard drive
- Backup to Tape Drive or other backup device installed on another server or workstation (getting rare these days)
- Backup to an online backup service, such as the Netgear ReadyNAS vault service (built-in to the NAS itself) or using a workstation based network enabled online backup service such as Mozy Pro.
Online backup services make a great deal of sense because of the geographic separation (in most cases) between your office and the location of the backup servers. Depending on the service, you may even have archival backups that allow you to choose a point in the past to restore from – this is critical if you have a need for a file that was corrupted or deleted for some time before you realized it.
The one inconvenience to online backup is that it may take a day or so to retrieve your data in the case of catastrophic loss where you need EVERYTHING. Either downloading or having them send you the data overnight via the media of your choice does have a time factor involved, whereas a local USB hard drive just takes however long it takes to copy back to the NAS.
While not needed often by most businesses, I have had clients who, over the years, have asked me to restore a file or set of data files from over 30 days prior.
Certainly an easy and inexpensive way to have a backup of your data is simply to buy a cheap, large external USB hard drive and backup to that. Buy multiple drives and you can have a rotation.
Document Your Network
Once you go to all the work to setup, configure and tweak your new NAS based network, do yourself a favor and document what you did.
The best way to do this is to keep a notepad handy as you work and write down what you do.
Start by recording the login instructions for the NAS along with the username and password. If you have no reason to not trust anyone who can physically put their hands on your NAS you might consider putting a label on the front, or underneath if you want to be discreet. This has saved MANY people in the past; just consider it.
Especially if you have several shares and user groups with complex access restrictions, documenting your network will serve you well should you ever have to recreate it. In addition to documenting what you do, maybe make a note or two about WHY you did what you did also; it may not be obvious a year or more down the road.
Enjoy Your NAS Server Based Network!
There is nothing like sitting back and enjoying the fruits of your labor. Now is the time to do just that.
If you have purchased a NAS to replace a Microsoft Windows Server then rejoice in knowing that you can forget about all of those monthly, sometimes weekly, security patches, bug fixes and Blue Screen Of Death system crashes!