U-G-DL-P on file servers vs. U-L-P
Posted on 2008-11-11
First, this is not so much a question as I need help making an argument. Here is the situation.
We have a file server with standalone DFS which points to shares on the same server (don't ask). There are approximately 250 local groups defined on that server. The NTFS permissions are assigned to those local groups. The local groups contain a mix of Domain users and Domain security groups. The server is home to about 2 TB of files (including home directories) and is not clustered or redundant. Note that local users are not used, only local groups on this member server. There are only about 50 folders with unique groups for defining permissions.
Here is my problem.
That server is about 4 and 1/2 years old and needs to be replaced. The architect wants to build a single 2008 file server and continue to use standalone DFS and local groups. I have the following problems with this:
1) standalone DFS provides a single point of failure
2) Local groups with direct user permissions require admins to log on to the server to update group membership
3) Local groups restrict my ability to view a user's complete access list across the domain
4) Failure of a single server brings down all home directories and all file shares for the corporate office.
5) Users have tons of shortcuts to \\server\share instead of the DFS. These will break when we move servers.
My argument is going to be the following (and here is where I want you guys to poke holes in my theories or ask questions so I can be prepared).
1) No user will be a member of more than 120 security groups across the domain so I don't have XP SAM issues
2) Dual file servers, replicated using DFS, and shared using domain based DFS provide redundant access should a server issue occur
3) The use of Active Directory groups would allow admins to update without the need to log on to the server
4) Server migrations in the future become easier since you only have to add in another replica/DFS root and take the old one offline
5) AD groups would allow unified permissions reporting.
6) In a dual server role one server could be primary for the files while the other is primary for the home directories. They would be secondary to each other's primary roles
7) Shortcuts are to domain dfs shares (\\domain\dfs\share) and do not break in a server change
8) This uses the MS-recommended U-G-DL-P model
9) Domain based DFS can replicate Domain based group membership so no double admin duties are needed.
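To make the proposal concrete, here is an added PowerShell example (my own illustration, not part of the original post) that builds the U-G-DL-P chain for one share, applies the same NTFS ACE on both replicas, checks a user's transitive group count against the 120-group ceiling assumed in point 1, and publishes the share through a domain-based DFS namespace with two folder targets so one server can be primary and the other secondary (point 6). The domain corp.example, the OU, the server names FS01/FS02, the share name Finance, the drive letter and the user jdoe are all assumed. The DFSN cmdlets assume the DFS Namespaces module from Windows Server 2012 or later; on the Server 2008 build discussed above the equivalent steps would be done with dfsutil.exe.

```powershell
# Added example, not from the original post. Assumptions are marked as such.
Import-Module ActiveDirectory
Import-Module DFSN                      # assumption: DFS Namespaces RSAT tools installed

$domain  = 'corp.example'               # assumed domain
$ou      = 'OU=FileServerGroups,DC=corp,DC=example'   # assumed OU for resource groups
$share   = 'Finance'                    # assumed share
$servers = 'FS01', 'FS02'               # assumed replica pair

# U -> G: one global group per role; membership is managed in AD, never on the server.
New-ADGroup -Name 'Role-Finance-Staff' -GroupScope Global -GroupCategory Security -Path $ou

# G -> DL: one domain local group per permission level on the resource.
New-ADGroup -Name 'ACL-Finance-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $ou
New-ADGroup -Name 'ACL-Finance-Read'   -GroupScope DomainLocal -GroupCategory Security -Path $ou

# Nest the role into the resource group; users go into the role group only.
Add-ADGroupMember -Identity 'ACL-Finance-Modify' -Members 'Role-Finance-Staff'
Add-ADGroupMember -Identity 'Role-Finance-Staff' -Members 'jdoe'   # assumed sAMAccountName

# DL -> P: identical NTFS ACEs on every replica. Because the ACE references a
# domain SID rather than a server-local group SID, it is valid on both servers
# and survives a move to a new box.
foreach ($s in $servers) {
    Invoke-Command -ComputerName $s -ArgumentList $share -ScriptBlock {
        param($share)
        icacls "D:\Shares\$share" /inheritance:r `
            /grant 'CORP\ACL-Finance-Modify:(OI)(CI)M' `
            /grant 'CORP\ACL-Finance-Read:(OI)(CI)RX' `
            /grant 'BUILTIN\Administrators:(OI)(CI)F' `
            /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F'
    }
}

# Point 1 check: count every group a user belongs to, including nested ones,
# using the LDAP_MATCHING_RULE_IN_CHAIN OID so the DC does the recursion.
function Get-EffectiveGroupCount {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $dn = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)"
    return @($groups).Count
}

$limit = 120                            # ceiling stated in the plan above
$count = Get-EffectiveGroupCount -SamAccountName 'jdoe'
if ($count -gt $limit) {
    Write-Warning "jdoe is transitively in $count groups, above the $limit ceiling assumed in point 1"
}

# Points 2, 6, 7: domain-based namespace hosted on both servers, with the share
# published under \\corp.example\dfs\Finance. FS01 is the preferred target for
# this folder (GlobalHigh) and FS02 the fallback (GlobalLow); the home-directory
# folder would be configured the other way round.
New-DfsnRoot       -Path "\\$domain\dfs" -TargetPath '\\FS01\dfs' -Type DomainV2
New-DfsnRootTarget -Path "\\$domain\dfs" -TargetPath '\\FS02\dfs'
New-DfsnFolder       -Path "\\$domain\dfs\$share" -TargetPath "\\FS01\$share" `
                     -ReferralPriorityClass GlobalHigh
New-DfsnFolderTarget -Path "\\$domain\dfs\$share" -TargetPath "\\FS02\$share" `
                     -ReferralPriorityClass GlobalLow

# Verify both targets are online for the folder before handing out the new path.
Get-DfsnFolderTarget -Path "\\$domain\dfs\$share" | Select-Object TargetPath, State, ReferralPriorityClass
```

File content replication between FS01 and FS02 (point 2) is a separate DFS Replication configuration and is not shown here; the namespace above only controls which server clients are referred to. Running the ACE and group-count checks from the admin workstation, rather than logging on to the file server, is exactly the workflow point 3 describes.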