Solved

DFS or Security?

Posted on 2009-04-14
Last Modified: 2012-05-06
Looking for some clues here.  We had files scattered over several servers (Server 2003 32-bit) linked using domain DFS.  Bought a new server (Server 2008 64-bit) and using DFS replicated all files into one place on the new server.  To avoid problems, initially the new server target was set to disabled in DFS referral.  The old server needs to be decommissioned.

Where I want help is that I thought it would be a simple case of switching the DFS referral on for the new server and off for the old server.  Replication would continue to take place but users would be re-directed to the new server for their files.  

This doesn't appear to be the case. When I do the above, users start to email me saying they can't access folders in the DFS.  I can back out the change and it all reverts to normal for XP users; Win2k have to reboot first.  Also had to reboot server 2k3 running rdp.

The share permissions are set for everyone 'read only' on both servers (and now the change is backed out access is as normal).  However Security on the old 2k3 server includes the domain/users group.  I cannot find this group to add it in the new 2k8 server.  The 2k3 server IS a DC.  The 2k8 server is just a member server.

Are my problems DFS or permissions related (or both)?
Thanks in advance.
0
Question by:dchoxford
 
LVL 2

Expert Comment

by:FLPeople
ID: 24140374
It looks like your problems are related to permissions.  Since the new server is not a member of the domain  and I'm assuming the users are, the new server will not allow them access.  

Your best option would be to add the server to the domain.  Then add the appropriate user groups to the NTFS security settings on the server.  When you add the server to the domain the domain users group will be added to the local server user account which may be all that you're looking for.  

If that is not an option you will have to enable the guest account and allow everyone access on the new server or create all your users as local users on the new server.  
0
 

Author Comment

by:dchoxford
ID: 24142792
The new server is a member of the domain, just not a DC.
0
 
LVL 2

Expert Comment

by:FLPeople
ID: 24147324
Sorry about that.  I read your post as it being a standalone server.  

When you look at the security on the 2k8 server for the DFS structure does it show any groups?  Sid numbers?  Since the NTFS permissions are supposed to replicate with the files I wonder if they are making it or not.  

It looks like you have tried to manually add the groups also. Can you find any domain resources when you try to do an add?  

 
0
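
One way to answer the question above about which groups or SIDs actually arrived on the replicated copy, as an added example that is not part of the original thread: it compares the NTFS ACL of the same folder on both DFS targets by SID and flags entries that need a manual look. The server and share names are hypothetical placeholders.

```powershell
# Added example, not from the thread. Paths are hypothetical placeholders.
$OldTarget = '\\OLD2K3\Data\Dept'   # existing DFS folder target (assumed name)
$NewTarget = '\\NEW2K8\Data\Dept'   # replicated target on the new server (assumed name)

function Get-AceSummary {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    # Request identities as SIDs so the two servers compare on the stored value,
    # not on whatever display name each ACL editor shows.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference
        # Name translation happens on the machine running this script.
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '<unresolved SID>' }
        New-Object PSObject -Property @{
            Sid       = $sid.Value
            Name      = $name
            Type      = $ace.AccessControlType.ToString()
            Rights    = $ace.FileSystemRights.ToString()
            Inherited = $ace.IsInherited
            # S-1-5-32-* are BUILTIN aliases: each server evaluates them against its
            # own local group, so membership can differ between a DC and a member server.
            Builtin   = $sid.Value.StartsWith('S-1-5-32-')
        }
    }
}

$old = @(Get-AceSummary $OldTarget)
$new = @(Get-AceSummary $NewTarget)

if ($old.Count -eq 0 -or $new.Count -eq 0) {
    Write-Warning 'One target returned no ACEs; check the path and your right to read permissions.'
} else {
    # '<=' = entry only on the old target, '=>' = entry only on the new target.
    Compare-Object $old $new -Property Sid, Type, Rights |
        Format-Table SideIndicator, Sid, Type, Rights -AutoSize
}

# Entries on the new target worth checking by hand before enabling its referral.
$new | Where-Object { $_.Builtin -or $_.Name -eq '<unresolved SID>' } |
    Format-Table Name, Sid, Type, Rights, Inherited -AutoSize
```

An empty first table means both targets carry the same explicit and inherited entries for that folder; share-level permissions are separate and are not covered by this comparison.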

Author Comment

by:dchoxford
ID: 24147439
Thanks for the comment FLPeople.  I think I have worked out the security thing.  In Server 2003 you can enter 'users' as a group and this is acceptable.  However on Server 2008 it seems that you have to specify 'domain users'.  I think this will solve my security issue.

However can you tell me if I'm right in my assumptions re DFS?  If I have 2 targets, fully replicated, DFS referral enabled on the original server and disabled on the new server - should I just be able to switch the referrals over and my users none the wiser?  Approx how long should the change over take?

Thanks
0
 
LVL 2

Accepted Solution

by:
FLPeople earned 250 total points
ID: 24148304
Your assumptions are correct on the referrals.  That is how we are using it across sites here.  

The default time to live for a referral is 5 minutes. So if these servers are at the same site you should expect no more than 5 minutes before they are accessing the new server.  If the servers are at separate sites you will have to wait for the domain controllers to replicate the change to DFS, then you are looking at an additional 5 minutes after that.  

Good to hear that you resolved the security issue.  We do not have any production 2k8 boxes in yet.  Had a beta setup in a test domain and didn't see that issue.
0
 

Author Comment

by:dchoxford
ID: 24148354
Hmm, ok guess I'm going to have to bite the bullet again and switch the referral and see what happens.  Pretty certain it was the security issue that locked things up last time.
0

Question has a verified solution.
