Access Management of CIFS/SMB Folder Shares

Posted on 2009-02-14
Last Modified: 2013-12-02

We are about to embark on a storage consolidation of both SAN and NAS shares. The SAN part would be easy, but I am more concerned about the NAS consolidation. Currently we have about 5 Windows 2003 servers working as file servers, hosting amongst them about a thousand file shares serving around 2000 users. Management of these file shares on a daily basis, using the base Windows 2003 OS for granting permissions/access, is also a nightmare.

I was reading Microsoft's IPD document ( and realised that DFS is the new way to go. Are there any gotchas? Would the migration be easy? Our new NAS head is a high-IOPS Hitachi system on which we want to consolidate everything.
Question by: fahim
    LVL 5

    Expert Comment

    Why do you want to use DFS?  Just for data migration?  How much data?  Can you schedule downtime to migrate shares?  Do your current file servers use direct attached storage or LUNs from the SAN?

    Personally, I'd look at all your options. Using CIFS directly off of the NAS.  Use DNS aliases for easier migration (less interruption to users). Use AD security groups for share ACLs rather than per user share permissions...that will alleviate a lot of the frustrations with applying and managing permissions.  You do it once on the share level, and from there on you simply add a user to the appropriate security group in AD.

    While DFS might be an interesting technology, can you do what you need to do and keep it simple?  Will the extra management overhead really be worth it?  If you're consolidating all of your shares to one NAS box you lose a lot of the advantages of DFS replicas, but not the headaches.  The more complex any migration or server setup, the more there is to go wrong.

    Author Comment

    Thanks megs.

    To answer your queries, the sole reason I wanted to use DFS was to make NAS server/filer names transparent to the user and not bind myself to a single NAS filer in case I need to utilise some extra space on any other NAS for expanding my shared folder on the first. I must confess, my knowledge of the advantages gained by implementing DFS is purely theoretical and borne of reading Microsoft documents that largely state that 'DFS' is the way to go for future NAS implementations, and yes, it does appear to be an interesting technology.

    The total data I need to migrate off these 5 filers reaches about 8TB. Out of these five, 4 have local disks while the fifth is a Windows Filer with storage as a SAN LUN of about 5 TB.
    I do agree with the part where you state that if we're looking at consolidating all of our shares to one NAS box we lose a lot of the advantages of DFS replicas.

    What are my options for a smoother, least disruptive consolidation? Please elaborate a bit more on the aspect of 'using' DNS aliases for easier migration?
    LVL 5

    Accepted Solution

    Sorry, I don't sign in very frequently.

    For starters, I don't believe Hitachi supports DFS on their NAS.  You can find out for sure by calling them or looking in your documentation.  The idea of DFS is so that items are logically consolidated, and easy to find.  If things can truly be consolidated, why bother with the headaches of DFS?  Remember that a NAS is for NFS and CIFS, NOT Fibre Channel or iSCSI, so you don't need physical servers in front of it, thus saving the company tons of money on cooling, power, and maintenance.  Regardless of how you migrate, you're going to need to point your users to the NAS or the DFS root.  Using DNS aliases could make this process more seamless to the end user, as I explain below.

    You have a file server named FILES1, and you want to move all of this data to a new server named FILES2. To accomplish this, set up FILES2, migrate your data, set up shares, etc., power down FILES1, and create a DNS alias for FILES1 to point to FILES2.  I do this for a lot of my resources so I can easily move them from one physical machine to the next, i.e. CAD part libraries, etc.  One server might have ten different aliases.  You could do the same sort of thing for the NAS filer.

    DFS also won't make permissions any easier...  If you're not already doing it, use AD groups for applying permissions.  I create three groups, one for full control, modify/change, and read access.  I add the users or groups as necessary to each group.

    If this still doesn't give you a better idea as to how to approach the situation, I need to know if your migration can be done in steps (i.e., server 1 weekend 1, server 2 weekend 2, etc.).  Also, will you still have your Windows servers sitting in front of your NAS box or will you use CIFS directly off of the filer (recommended)?
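
The two steps from the accepted answer (three AD groups per share, then a DNS alias at cutover), as an added example that is not part of the original thread. It assumes the current RSAT `ActiveDirectory` and `DnsServer` PowerShell modules rather than the Windows 2003 tools; `corp.example`, the OU, the share name `CADLibrary`, the `FS_` group prefix and the user `jdoe` are placeholders.

```powershell
# Added example. FILES1/FILES2 come from the answer; everything else is a placeholder.
Import-Module ActiveDirectory, DnsServer

function New-ShareAccessGroups {
    param(
        [Parameter(Mandatory)] [string] $ShareName,   # used to build the group names
        [Parameter(Mandatory)] [string] $FolderPath,  # UNC path of the folder on the new filer
        [Parameter(Mandatory)] [string] $GroupOU      # OU that holds file-access groups
    )
    # One group per access level, as in the answer: full control, modify, read.
    $levels  = [ordered]@{ FC = 'FullControl'; RW = 'Modify'; RO = 'ReadAndExecute' }
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $acl     = Get-Acl -Path $FolderPath

    foreach ($suffix in $levels.Keys) {
        $name  = "FS_${ShareName}_$suffix"
        $group = Get-ADGroup -Filter "Name -eq '$name'"
        if (-not $group) {
            $group = New-ADGroup -Name $name -GroupScope DomainLocal `
                -GroupCategory Security -Path $GroupOU -PassThru
        }
        # Build the ACE from the group's SID so it does not depend on name lookup.
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $group.SID,
            [System.Security.AccessControl.FileSystemRights]$levels[$suffix],
            $inherit,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $FolderPath -AclObject $acl   # applied once; never per user
}

# 1. Set the ACL once on the migrated folder.
New-ShareAccessGroups -ShareName 'CADLibrary' -FolderPath '\\FILES2\CADLibrary' `
    -GroupOU 'OU=FileAccess,DC=corp,DC=example'

# 2. Daily access requests become group membership changes only.
Add-ADGroupMember -Identity 'FS_CADLibrary_RO' -Members 'jdoe'

# 3. Cutover, after FILES1 is powered down: replace its A record with an alias
#    so existing \\FILES1\... paths resolve to FILES2.
Remove-DnsServerResourceRecord -ZoneName 'corp.example' -Name 'FILES1' -RRType A -Force
Add-DnsServerResourceRecordCName -ZoneName 'corp.example' -Name 'FILES1' `
    -HostNameAlias 'FILES2.corp.example'
```

Where clients authenticate with Kerberos, the alias name also has to be registered as a service principal name on the account that represents the new filer, and removed from the retired server's account; how that is done depends on the NAS.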
