Solved

Access-Based Enumeration (ABE) with Distributed File System (DFS) 2003 not working

Posted on 2010-08-30
Last Modified: 2012-05-10
Hi all, I have a Windows Server 2003 R2 server with DFS and ABE on it. I installed ABE and set the appropriate rights on the DFS share. But when normal domain users log on, they can see all the shares. I checked that the users are not members of Domain Admins. I checked that the security is set the right way.

What could be the problem?

Thank you.
Question by:LeonesIT
31 Comments
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33556523
Are you sure that the folder does not have the Domain Users group listed?
Did you enable ABE on the share?
0
 

Author Comment

by:LeonesIT
ID: 33556543
Yes: no Domain users are listed on the folder. And ABE is enabled on the share.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33556550
So, check in the advanced options of the Security tab, under Effective Permissions, whether that user has at least read permissions.
0

 
LVL 84

Expert Comment

by:oBdA
ID: 33556597
Follow this article to hide the DFS links:
How to implement Windows Server 2003 Access-based Enumeration in a DFS environment
http://support.microsoft.com/kb/907458
0
 

Author Comment

by:LeonesIT
ID: 33556606
Nope, no read permissions for the users/group in the folder(s).
0
 

Author Comment

by:LeonesIT
ID: 33556609
It seems that ABE is not working at all.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33556616
OK, please describe which steps you took.
0
 

Author Comment

by:LeonesIT
ID: 33556649
OK. I've got 2 DFS servers: DFS01 and DFS02. DFS01 was the main DFS server, and DFS02 is the DFS server where all data is copied to. Because of performance issues, the DFS02 server is now the main server. Everything, ABE, was already installed, configured and working. But all of a sudden not anymore.


0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33556656
Try to re-install ABE on DFS02. It should solve your problem. But first check the event logs; maybe there is something interesting (hints?).
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33556660
OK, it looks like ABE was installed only on DFS01? Install it also on DFS02.
0
 

Author Comment

by:LeonesIT
ID: 33556678
It is installed on the DFS02, when the server got installed.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33556703
OK, but where are those folders stored physically (on which server, DFS02)? If so, try to re-install ABE.
0
 

Author Comment

by:LeonesIT
ID: 33556719
Found something out:

when I access the share on the DFS as follows: \\DFS02\[sharename] it works. I cannot see the folders. But when I access it through the Domain based namespace as follows: \\[domain]\[DFSnamespace] it is not working.

It seems it is a combination of DFS and ABE.
0
 

Author Comment

by:LeonesIT
ID: 33556728
Yes, the folders and files are stored physically on the DFS02.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33556729
Check folder content. It should be invisible. ABE hides shares and data within it. DFS namespaces are not affected by ABE at all.
0
 

Author Comment

by:LeonesIT
ID: 33556739
I can see the folders. But I am not able to access them. The problem is that the folders are visible.

0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33556758
Are the folders visible, or the DFS links?
0
 

Author Comment

by:LeonesIT
ID: 33556765
The DFS links
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33556795
So, that's the problem. You cannot enable ABE on DFS links, only on shares.

I will try to test some configuration and I will let you know about the results in a few minutes :)
0
 

Author Comment

by:LeonesIT
ID: 33556805
thanks.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33556813
OK, you cannot use it for DFS links at all. I wanted to check something but it didn't solve your problem. Only shares can be used in ABE
0
 
LVL 84

Expert Comment

by:oBdA
ID: 33556822
You *can* hide the DFS links, provided you follow the instructions in the link I posted in comment ID: 33556597.
You *will* need to set permissions on the (replicated) DFS *links* (not the DFS share), matching the DFS target, using the command line.
0
 

Author Comment

by:LeonesIT
ID: 33556830
oBdA, your link is not working.
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33556840
This link is for home folders and it works fine, because it is the only one root from one share with many folders. But when you modify permissions on DFS links you will only receive access denied to that link, it won't be hidden :) You need to enable ABE on the virtual folder's shares but I don't know how it would work :]
0
 
LVL 84

Expert Comment

by:oBdA
ID: 33556849
I can open the link just fine from this page; what exactly is the error message?
If you can access Google, search for "907458" and "Access Based Enumeration"; should be the first link showing up.
0
 

Author Comment

by:LeonesIT
ID: 33556864
Sorry, I get it. But which CACLs command should be used then for the links?
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33556933
It looks like it works, but a question: is it worth doing this? A lot of work if something would change in the environment :/

Use

cacls <foldername> /t /g <user>:<permission> /c
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33556937
Sorry, by <foldername> I meant <DFS link name>.
0
 
LVL 84

Accepted Solution

by:
oBdA earned 500 total points
ID: 33556948
As described in the article: "For example, make the ACL on the link the same as the ACL on the target of the link. Therefore, if \\dfs-share\users\johndoe links to a target named \\server1\share1\johndoe, make the ACL on \\dfs-share\users\johndoe the same as the ACL on \\server1\share1\johndoe."
Try the following: on the DFS root, disable inheritance, remove all non-administrative groups. Then add the group "Users" back with Read permissions, but in the Advanced permissions, change the scope to "Apply to this folder only". This can still be done in the GUI.
Create the links, wait for replication.
Then on each DFS server, run
cacls.exe "T:\he\physical\path\to\the\DFSRoot\SomeDFSLink" /e /g "SomeDomain\SomeGroupWithAccessToTheDFSLink":R
0
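A repeatable form of the per-server cacls step from the accepted solution, as an added example that is not part of the thread: it keeps the link-to-group mapping as data, applies the same `cacls.exe ... /e /g ...:R` grant to each link folder under the local DFS root, and reports links that lack a grant or still carry a broad entry. The root path, link names, group names and the `EXAMPLE` domain are placeholders, and it assumes PowerShell is installed on the DFS servers.

```powershell
# Added example, not from the thread. Run locally on each DFS root server
# (DFS01 and DFS02 here), after the links have replicated.
param(
    [string]$DfsRootPath = 'D:\DFSRoots\Public',  # placeholder: physical path of the DFS root
    [switch]$Apply                                 # without -Apply the script only reports
)

# Placeholder map: DFS link folder -> groups allowed to see it.
# Keep it identical to the ACL on each link's target.
$LinkAcl = @{
    'Finance' = @('EXAMPLE\Finance-Users')
    'HR'      = @('EXAMPLE\HR-Users', 'EXAMPLE\HR-Managers')
}
# Broad principals (placeholders) whose entry would expose a link to everyone.
$TooBroad = @('Everyone', 'BUILTIN\Users', 'EXAMPLE\Domain Users')

foreach ($link in ($LinkAcl.Keys | Sort-Object)) {
    $path = Join-Path $DfsRootPath $link
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Missing (not replicated yet?): $path"
        continue
    }
    if ($Apply) {
        foreach ($group in $LinkAcl[$link]) {
            # Same call as in the accepted answer: edit the ACL (/e), grant Read.
            & cacls.exe $path /e /g ('{0}:R' -f $group) | Out-Null
        }
    }
    # Re-read the ACL as cacls prints it and compare it against the map.
    $acl = ((& cacls.exe $path) -join "`n").ToLower()
    foreach ($group in $LinkAcl[$link]) {
        $state = if ($acl.Contains(($group + ':').ToLower())) { 'granted' } else { 'MISSING' }
        '{0,-8} {1}  {2}' -f $state, $path, $group
    }
    foreach ($principal in $TooBroad) {
        if ($acl.Contains(($principal + ':').ToLower())) {
            Write-Warning "$path has an ACL entry for $principal; ABE may not hide it"
        }
    }
}
```

Run it once without `-Apply` to see the current state, then with `-Apply` on every root server; the map at the top doubles as the record of which group was granted access to which link.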
 

Author Closing Comment

by:LeonesIT
ID: 33557193
Thanks
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33557526
Remember to document this action for future troubleshooting. You won't remember in a few months that you did something like that :)
0
