NTFS is an extensible and recoverable file system that offers many advantages over FAT and FAT32. Because it is extensible, the file system can be extended over time with various revisions. As you'll learn shortly, the version of NTFS that ships with Windows Server 2003 is in fact a revision of the NTFS version that shipped with Microsoft Windows 2000 Server. Because it is recoverable, volumes formatted with NTFS can be reconstructed if they contain structure errors. Typically, restructuring NTFS volumes is a task performed at startup.
NTFS volumes have a very different structure and feature set than FAT volumes. The first area of the volume is the boot sector, which is located at sector 0 on the volume. The boot sector stores information about the disk layout, and a bootstrap program executes at startup and boots the operating system. A backup boot sector is placed at the end of the volume for redundancy and fault tolerance.
Instead of a file allocation table, NTFS uses a relational database to store information about files. This database is called the master file table (MFT). The MFT stores a file record of each file and folder on the volume, pertinent volume information, and details on the MFT itself. The first 16 records in the MFT store NTFS metadata as summarized in Table 20-3.
Table 20-3. NTFS Metadata
MFT Record | Record Type | File Name | Description |
|---|---|---|---|
0 | MFT | $Mft | Stores the base file record of each file and folder on the volume. As the number of files and folders grows, additional records are used as necessary. |
1 | MFT mirror | $MftMirr | Stores a partial duplicate of the MFT used for failure recovery. Also referred to as MFT2. |
2 | Log file | $LogFile | Stores a persistent history of all changes made to files on the volume, which can be used to recover files. |
3 | Volume | $Volume | Stores volume attributes, including the volume serial number, version, and number of sectors. |
4 | Attribute definitions | $AttrDef | Stores a table of attribute names, numbers, and descriptions. |
5 | Root file name index | $ | Stores the details on the volume's root directory. |
6 | Cluster bitmap | $Bitmap | Stores a table that details the clusters in use. |
7 | Boot sector | $Boot | Stores the bootstrap program on bootable volumes. Also includes the locations of the MFT and MFT mirror. |
8 | Bad cluster file | $BadClus | Stores a table mapping bad clusters. |
9 | Security file | $Secure | Stores the unique security descriptor for all files and folders on the volume. |
10 | Upcase table | $Upcase | Stores a table used to convert lowercase to matching uppercase Unicode characters. |
11 | NTFS extension file | $Extend | Stores information on enabled file system extensions. |
12–15 | To be determined | To be determined | Reserved records for future use. |
The MFT mirror stores a partial duplicate of the MFT that can be used to recover the MFT. If any of the records in the primary mirror become corrupted or are otherwise unreadable and there's a duplicate record in the MFT mirror, NTFS uses the data in the MFT mirror and if possible uses this data to recover the records in the primary MFT. It is also important to note that the NTFS version that ships with Windows Server 2003 (NTFS 5.1) has a slightly different metadata mapping than the version that originally shipped with Windows 2000 (NTFS 5.0). In the current version, the $LogFile and $Bitmap metadata files are located on a different position on disk than they were in Windows 2000. This gives a performance advantage of 5 to 8 percent to disks that are formatted under Windows Server 2003 and comes close to approximating the performance of FAT.
The rest of the records in the MFT store file and folder information. Each of these regular entries includes the file or folder name, security descriptor, and other attributes, including file data or pointers to file data. The MFT record size is set when a volume is formatted and can be 1024 bytes, 2048 bytes, or 4096 bytes, depending on the volume size. If a file is very small, all of its contents might be able to fit in the data field of its record in the MFT. When all of a file's attributes, including its data, can be stored in the MFT record, the attributes are called resident attributes. Figure 20-2 shows an example of a small file with resident attributes.
If a file is larger than a single record, it has what are called nonresident attributes. Here, the file has a base record in the MFT that details where to find the file data. NTFS creates additional areas called runs on the disk to store the additional file data. The size of data runs is dependent on the cluster size of the volume. If the cluster size is 2 KB or less, data runs are 2 KB. If the cluster size is over 2 KB, data runs are 4 KB.
As Figure 20-3 shows, clusters belonging to the file are referenced in the MFT using virtual cluster numbers (VCNs). VCNs are numbered sequentially starting with VCN 0. The Data field in the file's MFT record maps the VCNs to a starting logical cluster number (LCN) on the disk and details the number of clusters to read for that VCN. When these mappings use up all the available space in a record, additional MFT records are created to store the additional mappings.
In addition to the MFT, NTFS reserves a contiguous range of space past the end of the MFT called the MFT zone. By default the MFT zone is approximately 12.5 percent of the total volume space. The MFT zone is used to allow the MFT to grow without becoming fragmented. Typically, the MFT zone shrinks as the MFT grows.
The MFT zone is not used to store user data unless the remainder of the volume becomes full. Fragmentation can and still does occur, however. On volumes with lots of small files, the MFT zone can get used up by the MFT, and as additional files are added, the MFT has to grow into unreserved areas of the volume. On volumes with but a few large files, the unreserved space on a volume can get used up before the MFT, and in this case, the files start using the MFT zone space.
Inside Out: The MFT zone can be optimized
By default, the MFT is optimized for environments that have a mix of large and small files. This setting works well if the average file size is 8 KB or larger. It doesn't work so well if a volume has many very small files, such as when the average size of files is less than 2 KB or between 2 KB and 7 KB. Here, you might want to configure the volume so that it has a larger MFT zone than normal to help prevent the MFT from becoming fragmented. The MFT zone size is set in eighths of the disk.
You can determine the current MFT zone setting by typing the following command at the command prompt: fsutil behavior query mftzone. If this command returns "mftzone is not currently set," the MFT zone is using the default setting. The default setting, 1, specifies that the MFT zone should use one-eighth (12.5 percent) of the total volume space. You can also use a setting of 2, 3, or 4 to set the MFT zone to use two-eighths (25 percent), threeeighths (37.5 percent), or four-eighths (50 percent) of the total volume space.
You can configure the MFT zone by typing the command fsutil behavior set mftzone Value, where Value is the relative size setting to use, such as 2.
Several versions of NTFS are available. NTFS 4 shipped with Microsoft Windows NT 4. NTFS 5 was first implemented in Windows 2000 and made available to Windows NT 4 through Service Pack 4. If you created NTFS volumes in Windows NT 4 and upgraded to Windows 2000 or Windows Server 2003, the volumes aren't upgraded automatically to NTFS 5. You must choose to upgrade the volumes during installation of the operating system or when you install the Active Directory directory service.
You have the following capabilities when you use NTFS 4:
You can use advanced file and folder access permissions.
You can use file sharing and full-control remote access to files and folders.
You can use long file names, meaning file and folder names can contain up to 255 characters.
You can use Unicode characters in file and folder names.
You can use upperand lowercase letters in file and folder names.
You can't use NTFS with floppy disks but can use NTFS with removable disks.
By using NTFS 5, you have all the features of NTFS 4 plus additional features:
You can use Encrypting File System (EFS).
You can use sparse files, disk quotas, and object identifiers.
You can use reparse points, remote storage, and shadow copies.
You can use data streams and change journals.
Note
For NTFS, you typically refer to major version numbers rather than the major version and the revision number. Technically, however, Shadow Copy is a feature of NTFS 5.1 or later. NTFS 5.1 is the version of NTFS that was first included in Windows XP (and is available with Windows 2000 Server Service Pack 4 or later). With NTFS 5.1 you gain some additional enhancements, primarily the ability to use shadow copies.
Table 20-4 provides a comparison of key features of NTFS 4 and NTFS 5.
Table 20-4. Comparison of NTFS 4 and NTFS 5 Features
Feature | NTFS 4 | NTFS 5 |
|---|---|---|
Maximum volume size | 32 GB | 2 TB on basic Master Boot Record (MBR) disks; 256 TB on dynamic MBR disks; 18 (exabytes) EB on GUID Partition Table (GPT) disks. See the section entitled "Configuring Storage" for details on MBR and GPT disks. |
Maximum file size | 32 GB | Only limited by volume size |
Supports object identifiers | No | Yes |
Supports advanced file access permissions | Yes | Yes |
Supports disk quotas | No | Yes |
Supports remote storage | No | Yes |
Supports sparse files | No | Yes |
Supports file-based compression | Yes | Yes |
Supports EFS | No | Yes |
Supports reparse points | No | Yes |
Use on floppy disks | No | No |
Use on removable disks | Yes | Yes |
With NTFS, disk sectors are 512 bytes. Windows Server 2003 automatically sets the size of clusters and the number of sectors per cluster based on the size of the volume. Cluster sizes range from 512 bytes to 4 KB. As with FAT, NTFS has the following characteristics:
Disk geometry also is a factor in determining cluster size because the number of clusters on the volume must fit into the number of bits used by the file system.
The actual amount of data you can store on a single NTFS volume is a factor of the maximum cluster size and the maximum number of clusters you can use per volume.
Thus, although volumes have a specific maximum size, the cluster size used on a volume can be a limiting factor. For example, a dynamic volume with a 4-KB cluster size can have dynamic volumes up to 16 TB, which is different from the maximum allowed dynamic volume size on NTFS.
If you want to examine the structure of a volume formatted using NFTS, you can use the FSUTIL FSINFO command to do this. Type fsutil fsinfo ntfsinfo DriveDesignator at the command prompt, where DriveDesignator is the drive letter of the volume followed by a colon. For example, if you want to obtain information on the C drive, you'd type
fsutil fsinfo ntfsinfo c:
The output would be similar to the following:
NTFS Volume Serial Number : 0x2c64a9b264a97f68 Version : 3.1 Number Sectors : 0x0000000006fcf9c2 Total Clusters : 0x0000000000df9f38 Free Clusters : 0x0000000000c8a5e5 Total Reserved : 0x0000000000000030 Bytes Per Sector : 512 Bytes Per Cluster : 4096 Bytes Per FileRecord Segment : 1024 Clusters Per FileRecord Segment : 0 Mft Valid Data Length : 0x00000000049d9000 Mft Start Lcn : 0x00000000000c0000 Mft2 Start Lcn : 0x00000000006fcf9c Mft Zone Start : 0x00000000002801e0 Mft Zone End : 0x0000000000283c00
As Table 20-5 shows, FSUTIL FSINFO provides detailed information on NTFS volume structure, including space usage and configuration.
Table 20-5. Details from FSUTIL FSINFO
Field | Description |
|---|---|
NTFS Volume Serial Number | The unique serial number of the selectedNTFS volume. |
Version | The internal NTFS version. Here, 3.1 refers to NTFS 5.1. |
Number Sectors | The total number of sectors on the volume in hexadecimal. |
Total Clusters | The total number of clusters on the volume in hexadecimal. |
Free Clusters | The number of unused clusters on the volume in hexadecimal. |
Total Reserved | The total number of clusters reserved for NTFS metadata. |
Bytes Per Sector | The number of bytes per sector. |
Bytes Per Cluster | The number of bytes per cluster. |
Bytes Per FileRecord Segment | The size of MFT file records. |
Clusters Per FileRecord Segment | The number of clusters per file record segment, which is valid only if the file record size is as large as or larger than the volume cluster size. |
Mft Valid Data Length | The current size of the MFT. |
Mft Start Lcn | The location of the first LCN on the disk used by the MFT. |
Mft2 Start Lcn | The location of the first LCN on the disk used by the MFT mirror. |
Mft Zone Start | The cluster number that marks the start of the region on the disk reserved by the MFT. |
Mft Zone End | The cluster number that marks the end of the region on the disk reserved by the MFT. |
Using FSUTIL, you can also obtain detailed statistics on NTFS metadata and user file usage since a system was started. To view this information, type fsutil fsinfo statistics DriveDesignator at the command prompt, where DriveDesignator is the drive letter of the volume followed by a colon. For example, if you want to obtain information on the C drive, you'd type
fsutil fsinfo statistics c:
The output is shown in two sections. The first section of the statistics details user file and disk activity as well as the overall usage of NTFS metadata. As shown in this example, the output shows the number of reads and writes as well as the number of bytes read or written:
File System Type : NTFS UserFileReads : 28737 UserFileReadBytes : 458655232 UserDiskReads : 28518 UserFileWrites : 22402 UserFileWriteBytes : 387661568 UserDiskWrites : 23494 MetaDataReads : 3327 MetaDataReadBytes : 18976768 MetaDataDiskReads : 4553 MetaDataWrites : 11953 MetaDataWriteBytes : 59817984 MetaDataDiskWrites : 19326
The second section of the statistics details usage of individual NTFS metadata files. As shown in this example, the output details the number of reads and writes as well as the number of bytes read or written for each NTFS metadata file:
MftReads : 2757 MftReadBytes : 16642048 MftWrites : 9590 MftWriteBytes : 48275456 Mft2Writes : 0 Mft2WriteBytes : 0 RootIndexReads : 0 RootIndexReadBytes : 0 RootIndexWrites : 0 RootIndexWriteBytes : 0 BitmapReads : 487 BitmapReadBytes : 1994752 BitmapWrites : 2108 BitmapWriteBytes : 10493952 MftBitmapReads : 3 MftBitmapReadBytes : 12288 MftBitmapWrites : 254 MftBitmapWriteBytes : 1044480 UserIndexReads : 1198 UserIndexReadBytes : 4907008 UserIndexWrites : 7332 UserIndexWriteBytes : 32956416 LogFileReads : 6 LogFileReadBytes : 24576 LogFileWrites : 21983 LogFileWriteBytes : 157179904