Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 408
  • Last Modified:

DFS or Security?

Looking for some clues here.  We had files scattered over several servers (Server 2003 32-bit) linked using domain DFS.  Bought a new server (Server 2008 64-bit) and using DFS replicated all files into one place on the new server.  To avoid problems, initially the new server target was set to disabled in DFS referral.  The old server needs to be decomissioned.

Where I want help is that I thought it would be a simple case of switching the DFS referral on for the new server and off for the old server.  Replication would continue to take place but users would be re-directed to the new server for their files.  

This doesn't appear to be the case, when I do the above users start to email me saying they can't access folders in the DFS.  I can back out the change and it all reverts to normal for XP users, Win2k have to reboot first.  Also had to reboot server 2k3 running rdp.

The share permissions are set for everyone 'read only' on both servers (and now the change is backed out access is as normal).  However Security on the old 2k3 server includes the domain/users group.  I can not find this group to add it in the new 2k8 server.  The 2k3 server IS a DC.  the 2k8 server is just a member server.

Are my problems DFS or permissions related (or both)?
Thanks in advance.
0
dchoxford
Asked:
dchoxford
  • 3
  • 3
1 Solution
 
FLPeopleCommented:
It looks like your problems are related to permissions.  Since the new server is not a member of the domain  and I'm assuming the users are, the new server will not allow them access.  

Your best option would to be add the server to the domain.  Then add the appropriate user groups to the NTFS security settings on the server.  When you add the server to the domain the domain users group will be added to the local server user account which may be all that your looking for.  

If that is not an option you will have to enable the guest account and allow everyone access on the new server or create all your users as local users on the new server.  
0
 
dchoxfordAuthor Commented:
The new server is a member of the domain, just not a DC.
0
 
FLPeopleCommented:
Sorry about that.  I read your post as it being a standalone server.  

When you look at the security on the 2k8 server for the DFS structure does it show any groups?  Sid numbers?  Since the NTFS permissions are supposed to replicate with the files I wonder if they are making it or not.  

It looks like you have tried to manually add the groups also, can you find any domain resources when you try to do an add?  

 
0
Configuration Guide and Best Practices

Read the guide to learn how to orchestrate Data ONTAP, create application-consistent backups and enable fast recovery from NetApp storage snapshots. Version 9.5 also contains performance and scalability enhancements to meet the needs of the largest enterprise environments.

 
dchoxfordAuthor Commented:
Thanks for the comment FLPeople.  I think I have worked out the security thing.  In Server 2003 you can enter 'users' as a group and this is acceptable.  However on Server 2008 it seems that you have to specify 'domain users'.  I think this will solve my security issue.

However can you tell me if I'm right in my assumptions re DFS?  If I have 2 targets, fully replicated, DFS referral enabled on the original server and disabled on the new server - should I just be able to switch the referrals over and my users non the wiser?  Approx how long should the change over take?

Thanks
0
 
FLPeopleCommented:
Your assumptions are correct on the referrals.  That is how we are using it across sites here.  

The default time to live for a referral is 5 minutes. So if these servers are at the same site you should expect no more than 5 minutes before they are accessing the new server.  If the servers are at separate sites you will have to wait for the domain controllers to replicate the change to dfs, then you are looking at an additional 5 minutes after that.  

Good to hear that you resolved the security issue.  We do not have any production 2k8 boxes in yet.  Had a beta setup in a test domain and didn't see that issue.
0
 
dchoxfordAuthor Commented:
Hmm, ok guess I'm going to have to bit the bullet again and switch the referral and see what happens.  Pretty certain it was the security issue that locked things up last time.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now