Solved

DFS or Security?

Posted on 2009-04-14
6
402 Views
Last Modified: 2012-05-06
Looking for some clues here.  We had files scattered over several servers (Server 2003 32-bit) linked using domain DFS.  Bought a new server (Server 2008 64-bit) and using DFS replicated all files into one place on the new server.  To avoid problems, initially the new server target was set to disabled in DFS referral.  The old server needs to be decomissioned.

Where I want help is that I thought it would be a simple case of switching the DFS referral on for the new server and off for the old server.  Replication would continue to take place but users would be re-directed to the new server for their files.  

This doesn't appear to be the case, when I do the above users start to email me saying they can't access folders in the DFS.  I can back out the change and it all reverts to normal for XP users, Win2k have to reboot first.  Also had to reboot server 2k3 running rdp.

The share permissions are set for everyone 'read only' on both servers (and now the change is backed out access is as normal).  However Security on the old 2k3 server includes the domain/users group.  I can not find this group to add it in the new 2k8 server.  The 2k3 server IS a DC.  the 2k8 server is just a member server.

Are my problems DFS or permissions related (or both)?
Thanks in advance.
0
Comment
Question by:dchoxford
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 2

Expert Comment

by:FLPeople
ID: 24140374
It looks like your problems are related to permissions.  Since the new server is not a member of the domain  and I'm assuming the users are, the new server will not allow them access.  

Your best option would to be add the server to the domain.  Then add the appropriate user groups to the NTFS security settings on the server.  When you add the server to the domain the domain users group will be added to the local server user account which may be all that your looking for.  

If that is not an option you will have to enable the guest account and allow everyone access on the new server or create all your users as local users on the new server.  
0
 

Author Comment

by:dchoxford
ID: 24142792
The new server is a member of the domain, just not a DC.
0
 
LVL 2

Expert Comment

by:FLPeople
ID: 24147324
Sorry about that.  I read your post as it being a standalone server.  

When you look at the security on the 2k8 server for the DFS structure does it show any groups?  Sid numbers?  Since the NTFS permissions are supposed to replicate with the files I wonder if they are making it or not.  

It looks like you have tried to manually add the groups also, can you find any domain resources when you try to do an add?  

 
0
How our DevOps Teams Maximize Uptime

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us. Read the use case whitepaper.

 

Author Comment

by:dchoxford
ID: 24147439
Thanks for the comment FLPeople.  I think I have worked out the security thing.  In Server 2003 you can enter 'users' as a group and this is acceptable.  However on Server 2008 it seems that you have to specify 'domain users'.  I think this will solve my security issue.

However can you tell me if I'm right in my assumptions re DFS?  If I have 2 targets, fully replicated, DFS referral enabled on the original server and disabled on the new server - should I just be able to switch the referrals over and my users non the wiser?  Approx how long should the change over take?

Thanks
0
 
LVL 2

Accepted Solution

by:
FLPeople earned 250 total points
ID: 24148304
Your assumptions are correct on the referrals.  That is how we are using it across sites here.  

The default time to live for a referral is 5 minutes. So if these servers are at the same site you should expect no more than 5 minutes before they are accessing the new server.  If the servers are at separate sites you will have to wait for the domain controllers to replicate the change to dfs, then you are looking at an additional 5 minutes after that.  

Good to hear that you resolved the security issue.  We do not have any production 2k8 boxes in yet.  Had a beta setup in a test domain and didn't see that issue.
0
 

Author Comment

by:dchoxford
ID: 24148354
Hmm, ok guess I'm going to have to bit the bullet again and switch the referral and see what happens.  Pretty certain it was the security issue that locked things up last time.
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A safe way to clean winsxs folder from your windows server 2008 R2 editions
This article explains how to install and use the NTBackup utility that comes with Windows Server.
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question