Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

DFS - Access Deny

Posted on 2011-03-10
25
Medium Priority
?
1,719 Views
Last Modified: 2012-05-11
I have two servers that are running Windows Server 2008.  Server1 is the primary DFS and Server2 is the secondary. I have a shared folder on both servers with the same name and I am using DFS to link them together. For example: \\Server1\departments is linked to \\Server2\departments. So no matter what gets put in one shared folder it also goes to the other.

Server1 went down today and Server2 becomes active. I could see my files working off of Server2 but couldn't make any changes. An error popped up "Access Denied" when trying to make changes. I checked shared and NTFS permissions on both Server1 and Server2 and they are identical. When Server1 is up and running I can work on the files with no problems. When Server2 is active (meaning Server1 is down), then I get an Access Denied.

Anybody have any suggestions?
0
Comment
Question by:Juneaucounty
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 14
  • 11
25 Comments
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 35097007
It sounds as if you've made the replicated folders read-only.  I don't have any 2008 servers running DFS, so I can't be authoritative on this, but I know it can be done:
http://technet.microsoft.com/en-us/library/ee307957(WS.10).aspx

0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 35097014
0
 

Author Comment

by:Juneaucounty
ID: 35109076
Great! Thanks. I looked at the information and it tells me to:

On the Memberships tab, right-click the appropriate replicated folder and member and then click Make read-only, or Make read-write

I right clicked on the replicated folder called departments and I only get the following options:

Delete Member
Disable
Properties
Help

I cannot find where it says make read-write. I also tried running the command prompt and that wasn't working either.
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 35109127
I would expect you need to select Properties in order to find the permissions.  Also, the article notes you must be using the 2008 R2 DFS utility in order to make these changes.
0
 

Author Comment

by:Juneaucounty
ID: 35110061
Thanks for the information. I clicked on properties and there were no permissions in there. I also looked for DFS utility and couldn't find anything on that. I did find DFS management that the article was talking about. I went into the DFS Management and tried finding permissions. The only thing I found was a Delegation tab. In researching this tab, this is to delegate permissions to create replication folders. Is this correct?

If thats the case, I still need help changing the DFS replcation to read-write instead of read only.

Thanks
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 35112353
Hmm.  Okay, let's turn this around.  If you go to the folder that serves as the DFS root, what are the share and NTFS permissisons there?  Are they set so you'd expect to be able to access them?
0
 

Author Comment

by:Juneaucounty
ID: 35139224
I checked both server1 and server2 permissions and they are the same. I did find out when i went into properties and the general tab, the attributes is greyed out and checked with Read only (Only applies to files in folder). I can uncheck it but it goes back to read only after I apply and click ok. I did a little research and tried the following:

open registry
go to HKEY Local machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
New
DWORD
type: UseSystemForSystemFolders
Change value to 1
open cmd
type: attrib -r +s d:\departments

This didn't do anything so I am not sure how to fix the issue

Thanks!
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 35139466
Is it possible the permissions/attributes are being inherited from a parent folder?  If you are on the server in question, then navigate to the folder in question, are the files read-only?

Also, have you tried...

Dfsradmin membership set /RGName:<replication_group> /RFName:<replicated_folder> /MemName:<DOMAIN\Server> /RO:false
     
...from the link I provided earlier?
0
 

Author Comment

by:Juneaucounty
ID: 35140177
the parent folder is D:\ and there is no section for read only on hard drives. Everything is read only. Yes I tried using that but it failed.

this is what i typed in:

Dfsradmin membership set /RGName:server1 and server2 /RFName:departments /MemName:Juneaucounty\server2 /RO:false

Heres the error it gave me:

Failed:
A parameter was expected, but and server1 /RFName:departments /MemName:Juneaucounty
\server2 /RO:false was found. The syntax order was not specified correctly.
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 35140600
The DFSRAdmin command wraps lines - so it's all one command, not two.  Try typing it again.  It should be something like

dfsradmin membership set /rgname:whateveryourreplicationgroupiscalled /rfname:departments /memname:juneaucounty\server2 /ro:false
0
 

Author Comment

by:Juneaucounty
ID: 35141406
I tried it as one line but it gives me the error message. I am running this command on server2 which is part of the DFS.
0
 

Author Comment

by:Juneaucounty
ID: 35147925
FYI:

I went to a different 2008 server that I have and I found that all the folders on the c drive are set to Read only (Only applies to files in folder). Now this server doesn't use DFS so I am convinced that it isn't a DFS issue. When the attribute is checked Read only, it is greyed out. The funny thing is I can still uncheck it even though its greyed out. Once I uncheck the box then its not greyed out. Then I can check the box if I want or I can check the box and make it greyed out again. I am sooo confused.

Any help would be greatly appreciated

Thanks
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 35148819
The greyed-out checkbox means some items in the folder are read-only and some items are not.  Just about every folder has some read-only items so I'm not at all surprised you'd see the grey checkbox in just about every folder you bothered to look at.

What was the error message you received when you tried running the DFSRAdmin command the second time?
0
 

Author Comment

by:Juneaucounty
ID: 35149245
Failed:
A parameter was expected, but and server1 /RFName:departments /MemName:Juneaucounty
\server2 /RO:false was found. The syntax order was not specified correctly.
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 35150063
I don't understand this part:
  "... but and server1..."
0
 

Author Comment

by:Juneaucounty
ID: 35151105
me neither. Maybe the group name cannot have any spaces. My replication group name is: server2 and server1. Is there any other way to run this command?

otherwise maybe I am typing something wrong

Here is what i got:

Server1
Server2

server2 DFS management information:

replication group: server 2 and server1
folder name (its a shared folder):  departments1
domain name: juneaucounty
server name: server2

with the above information I typed into server2 command prompt

dfsradmin membership set /rgname:server2 and server1 /rfname:departments /memname:juneaucounty\server2 /ro:false

I wrote this on one line in cmd on server2 and it gives an error:

Failed:
A parameter was expected, but and moe /RFName:departments1 /MemName:Juneaucount
\Larry /RO:false was found. The syntax order was not specified correctly.

Help:
Usage: Set membership attribute(s)
  DfsrAdmin Membership Set
    <Membership Addressing Attributes>
    [/LocalPath:<value>] -- Local path of the replicated folder
    [/DisableDirectoryVerification] -- Disables the creation of the local path
      for the replicated folder and modification of any existing security
      settings
    [/MembershipEnabled:<true/false>] -- Specifies whether the membership is
      enabled
    [/StagingPath:<value>] -- Path of the staging folder
    [/StagingSize:<value>] -- Size of the staging folder quota
    [/CDSize:<value>] -- Size of the Conflict and Deleted folder
    [/MembershipDFSFolder:<value>] -- Namespace path of the replicated folder
    [/IsPrimary:<true/false>] -- Specifies that this membership will act as
      the primary membership during initial replication phase
    [/MoveDelFiles:<true/false>] -- Move deleted files to conflict and
      deleted folder

  Type 'DfsrAdmin Membership /?' for addressing attributes

  Example:
    DfsrAdmin Membership Set /RgName:UserRG /RfName:Docs
    /MemName:contoso\srvr1 /LocalPath:C:\dc\Docs /MembershipEnabled:true
    /StagingPath:C:\dc\staging /StagingSize:10000 /CDSize:3500
    /MembershipDFSFolder:\\data\docs /IsPrimary:true


0
 

Author Comment

by:Juneaucounty
ID: 35151203
I am trying some different things and tried the following:


Dfsradmin membership set /RGName:"larry and moe" /RFName:departments1 /MemName:Juneaucounty\Larry /LocalPath:D:\departments1

and it gave me command complete (with quotes around name and without /ro:false)

then i tried adding /ro:false to the end of it and it failed again.
0
 

Author Comment

by:Juneaucounty
ID: 35151282
Do you tell if your replication folder is read only? it doesn't say it anywhere
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 35151614
I see, yes, and I would have tried wrapping the replication group's name in quotes as well.

As to your other question, no, we don't have a read-only issue, but then we're not using 2008 R2 for DFS so I don't think it applies at all to us.


How about trying the orginal command again, using the quoted replication group name:
dfsradmin membership set /rgname:"server 2 and server1" /rfname:departments1
 /memname:juneaucounty\server2 /ro:false
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 35151627
Better yet, try this unless your server2 actually does have a space between "server" and "2":
dfsradmin membership set /rgname:"server2 and server1" /rfname:departments1
 /memname:juneaucounty\server2 /ro:false
0
 

Author Comment

by:Juneaucounty
ID: 35156259
I get this error now

Failed:
The parameter RO is not recognized.

Help:
Usage: Set membership attribute(s)
  DfsrAdmin Membership Set
    <Membership Addressing Attributes>
    [/LocalPath:<value>] -- Local path of the replicated folder
    [/DisableDirectoryVerification] -- Disables the creation of the local path
      for the replicated folder and modification of any existing security
      settings
    [/MembershipEnabled:<true/false>] -- Specifies whether the membership is
      enabled
    [/StagingPath:<value>] -- Path of the staging folder
    [/StagingSize:<value>] -- Size of the staging folder quota
    [/CDSize:<value>] -- Size of the Conflict and Deleted folder
    [/MembershipDFSFolder:<value>] -- Namespace path of the replicated folder
    [/IsPrimary:<true/false>] -- Specifies that this membership will act as
      the primary membership during initial replication phase
    [/MoveDelFiles:<true/false>] -- Move deleted files to conflict and
      deleted folder

  Type 'DfsrAdmin Membership /?' for addressing attributes

  Example:
    DfsrAdmin Membership Set /RgName:UserRG /RfName:Docs
    /MemName:contoso\srvr1 /LocalPath:C:\dc\Docs /MembershipEnabled:true
    /StagingPath:C:\dc\staging /StagingSize:10000 /CDSize:3500
    /MembershipDFSFolder:\\data\docs /IsPrimary:true

d:\>
0
 

Author Comment

by:Juneaucounty
ID: 35198761
What do you think of this error?
0
 
LVL 34

Accepted Solution

by:
Paul MacDonald earned 2000 total points
ID: 35199091
0
 

Author Comment

by:Juneaucounty
ID: 35258784
My AD schema is up-to-date. I found the following command but do not understand it yet.

do you know what this does?

dfsutil property ACL grant \\StandaloneServer\Namespace1\Link1

here is the link i found it on

http://www.doctorvis.com/Portals/0/Media/Downloads/DFSUTIL_Syntax.pdf
0
 

Author Closing Comment

by:Juneaucounty
ID: 35260584
I appreciate the help and you were very very helpful!

Thanks again
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question