Juneaucounty asked:

DFS - Access Deny

I have two servers that are running Windows Server 2008.  Server1 is the primary DFS and Server2 is the secondary. I have a shared folder on both servers with the same name and I am using DFS to link them together. For example: \\Server1\departments is linked to \\Server2\departments. So no matter what gets put in one shared folder it also goes to the other.

Server1 went down today and Server2 becomes active. I could see my files working off of Server2 but couldn't make any changes. An error popped up "Access Denied" when trying to make changes. I checked shared and NTFS permissions on both Server1 and Server2 and they are identical. When Server1 is up and running I can work on the files with no problems. When Server2 is active (meaning Server1 is down), then I get an Access Denied.

Anybody have any suggestions?

Paul MacDonald

It sounds as if you've made the replicated folders read-only.  I don't have any 2008 servers running DFS, so I can't be authoritative on this, but I know it can be done:
http://technet.microsoft.com/en-us/library/ee307957(WS.10).aspx

Juneaucounty (ASKER)

Great! Thanks. I looked at the information and it tells me to:

On the Memberships tab, right-click the appropriate replicated folder and member and then click Make read-only, or Make read-write

I right clicked on the replicated folder called departments and I only get the following options:

Delete Member
Disable
Properties
Help

I cannot find where it says make read-write. I also tried running the command prompt and that wasn't working either.

I would expect you need to select Properties in order to find the permissions.  Also, the article notes you must be using the 2008 R2 DFS utility in order to make these changes.

Thanks for the information. I clicked on properties and there were no permissions in there. I also looked for DFS utility and couldn't find anything on that. I did find DFS management that the article was talking about. I went into the DFS Management and tried finding permissions. The only thing I found was a Delegation tab. In researching this tab, this is to delegate permissions to create replication folders. Is this correct?

If that's the case, I still need help changing the DFS replication to read-write instead of read only.

Thanks

Hmm.  Okay, let's turn this around.  If you go to the folder that serves as the DFS root, what are the share and NTFS permissions there?  Are they set so you'd expect to be able to access them?

I checked both server1 and server2 permissions and they are the same. I did find out when I went into properties and the general tab, the attributes is greyed out and checked with Read only (Only applies to files in folder). I can uncheck it but it goes back to read only after I apply and click ok. I did a little research and tried the following:

open registry
go to HKEY Local machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
New
DWORD
type: UseSystemForSystemFolders
Change value to 1
open cmd
type: attrib -r +s d:\departments

This didn't do anything so I am not sure how to fix the issue

Thanks!

Is it possible the permissions/attributes are being inherited from a parent folder?  If you are on the server in question, then navigate to the folder in question, are the files read-only?

Also, have you tried...

Dfsradmin membership set /RGName:<replication_group> /RFName:<replicated_folder> /MemName:<DOMAIN\Server> /RO:false
     
...from the link I provided earlier?

The parent folder is D:\ and there is no section for read only on hard drives. Everything is read only. Yes I tried using that but it failed.

This is what I typed in:

Dfsradmin membership set /RGName:server1 and server2 /RFName:departments /MemName:Juneaucounty\server2 /RO:false

Here's the error it gave me:

Failed:
A parameter was expected, but and server1 /RFName:departments /MemName:Juneaucounty
\server2 /RO:false was found. The syntax order was not specified correctly.

The DFSRAdmin command wraps lines - so it's all one command, not two.  Try typing it again.  It should be something like

dfsradmin membership set /rgname:whateveryourreplicationgroupiscalled /rfname:departments /memname:juneaucounty\server2 /ro:false

I tried it as one line but it gives me the error message. I am running this command on server2 which is part of the DFS.

FYI:

I went to a different 2008 server that I have and I found that all the folders on the c drive are set to Read only (Only applies to files in folder). Now this server doesn't use DFS so I am convinced that it isn't a DFS issue. When the attribute is checked Read only, it is greyed out. The funny thing is I can still uncheck it even though it's greyed out. Once I uncheck the box then it's not greyed out. Then I can check the box if I want or I can check the box and make it greyed out again. I am sooo confused.

Any help would be greatly appreciated

Thanks

The greyed-out checkbox means some items in the folder are read-only and some items are not.  Just about every folder has some read-only items so I'm not at all surprised you'd see the grey checkbox in just about every folder you bothered to look at.

What was the error message you received when you tried running the DFSRAdmin command the second time?

Failed:
A parameter was expected, but and server1 /RFName:departments /MemName:Juneaucounty
\server2 /RO:false was found. The syntax order was not specified correctly.

I don't understand this part:
  "... but and server1..."

Me neither. Maybe the group name cannot have any spaces. My replication group name is: server2 and server1. Is there any other way to run this command?

Otherwise maybe I am typing something wrong

Here is what I got:

Server1
Server2

server2 DFS management information:

replication group: server 2 and server1
folder name (it's a shared folder):  departments1
domain name: juneaucounty
server name: server2

with the above information I typed into server2 command prompt

dfsradmin membership set /rgname:server2 and server1 /rfname:departments /memname:juneaucounty\server2 /ro:false

I wrote this on one line in cmd on server2 and it gives an error:

Failed:
A parameter was expected, but and moe /RFName:departments1 /MemName:Juneaucount
\Larry /RO:false was found. The syntax order was not specified correctly.

Help:
Usage: Set membership attribute(s)
  DfsrAdmin Membership Set
    <Membership Addressing Attributes>
    [/LocalPath:<value>] -- Local path of the replicated folder
    [/DisableDirectoryVerification] -- Disables the creation of the local path
      for the replicated folder and modification of any existing security
      settings
    [/MembershipEnabled:<true/false>] -- Specifies whether the membership is
      enabled
    [/StagingPath:<value>] -- Path of the staging folder
    [/StagingSize:<value>] -- Size of the staging folder quota
    [/CDSize:<value>] -- Size of the Conflict and Deleted folder
    [/MembershipDFSFolder:<value>] -- Namespace path of the replicated folder
    [/IsPrimary:<true/false>] -- Specifies that this membership will act as
      the primary membership during initial replication phase
    [/MoveDelFiles:<true/false>] -- Move deleted files to conflict and
      deleted folder

  Type 'DfsrAdmin Membership /?' for addressing attributes

  Example:
    DfsrAdmin Membership Set /RgName:UserRG /RfName:Docs
    /MemName:contoso\srvr1 /LocalPath:C:\dc\Docs /MembershipEnabled:true
    /StagingPath:C:\dc\staging /StagingSize:10000 /CDSize:3500
    /MembershipDFSFolder:\\data\docs /IsPrimary:true


I am trying some different things and tried the following:


Dfsradmin membership set /RGName:"larry and moe" /RFName:departments1 /MemName:Juneaucounty\Larry /LocalPath:D:\departments1

and it gave me command complete (with quotes around name and without /ro:false)

Then I tried adding /ro:false to the end of it and it failed again.

Do you tell if your replication folder is read only? It doesn't say it anywhere

I see, yes, and I would have tried wrapping the replication group's name in quotes as well.

As to your other question, no, we don't have a read-only issue, but then we're not using 2008 R2 for DFS so I don't think it applies at all to us.


How about trying the original command again, using the quoted replication group name:
dfsradmin membership set /rgname:"server 2 and server1" /rfname:departments1 /memname:juneaucounty\server2 /ro:false

Better yet, try this unless your server2 actually does have a space between "server" and "2":
dfsradmin membership set /rgname:"server2 and server1" /rfname:departments1 /memname:juneaucounty\server2 /ro:false

I get this error now

Failed:
The parameter RO is not recognized.

Help:
Usage: Set membership attribute(s)
  DfsrAdmin Membership Set
    <Membership Addressing Attributes>
    [/LocalPath:<value>] -- Local path of the replicated folder
    [/DisableDirectoryVerification] -- Disables the creation of the local path
      for the replicated folder and modification of any existing security
      settings
    [/MembershipEnabled:<true/false>] -- Specifies whether the membership is
      enabled
    [/StagingPath:<value>] -- Path of the staging folder
    [/StagingSize:<value>] -- Size of the staging folder quota
    [/CDSize:<value>] -- Size of the Conflict and Deleted folder
    [/MembershipDFSFolder:<value>] -- Namespace path of the replicated folder
    [/IsPrimary:<true/false>] -- Specifies that this membership will act as
      the primary membership during initial replication phase
    [/MoveDelFiles:<true/false>] -- Move deleted files to conflict and
      deleted folder

  Type 'DfsrAdmin Membership /?' for addressing attributes

  Example:
    DfsrAdmin Membership Set /RgName:UserRG /RfName:Docs
    /MemName:contoso\srvr1 /LocalPath:C:\dc\Docs /MembershipEnabled:true
    /StagingPath:C:\dc\staging /StagingSize:10000 /CDSize:3500
    /MembershipDFSFolder:\\data\docs /IsPrimary:true

d:\>

What do you think of this error?

ASKER CERTIFIED SOLUTION
Paul MacDonald

This solution is only available to members.

My AD schema is up-to-date. I found the following command but do not understand it yet.

Do you know what this does?

dfsutil property ACL grant \\StandaloneServer\Namespace1\Link1

Here is the link I found it on

http://www.doctorvis.com/Portals/0/Media/Downloads/DFSUTIL_Syntax.pdf

I appreciate the help and you were very very helpful!

Thanks again
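
An added example (not part of the thread and not Microsoft's code) that reproduces the two DfsrAdmin failures discussed above: an unquoted replication group name splitting into stray arguments, and /RO being rejected because it is absent from the help text the asker's server printed. The tokenizer is a simplified model of Windows argument splitting; `split_args`, `lint` and `KNOWN_SWITCHES` are names made up for this illustration, and unlike the real tool, which stops at the first error, `lint` reports every problem.

```python
# Switch names are copied from the "Membership Set" help text and example quoted
# in the thread; RO is not among them.
KNOWN_SWITCHES = {
    "rgname", "rfname", "memname",  # addressing attributes
    "localpath", "disabledirectoryverification", "membershipenabled",
    "stagingpath", "stagingsize", "cdsize", "membershipdfsfolder",
    "isprimary", "movedelfiles",
}

def split_args(cmdline):
    """Split on whitespace outside double quotes (simplified Windows rule)."""
    args, cur, in_quotes, started = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes   # quotes group text but are not kept
            started = True
        elif ch.isspace() and not in_quotes:
            if started:
                args.append("".join(cur))
            cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        args.append("".join(cur))
    return args

def lint(cmdline):
    """Return the problems found in a 'dfsradmin membership set' command line."""
    problems = []
    for arg in split_args(cmdline)[3:]:  # skip: dfsradmin membership set
        if not arg.startswith("/"):
            problems.append(f"stray token {arg!r}: quote values containing spaces")
            continue
        name = arg[1:].split(":", 1)[0].lower()
        if name not in KNOWN_SWITCHES:
            problems.append(f"switch /{name.upper()} is not in the quoted help text")
    return problems

# Command lines as typed in the thread.
UNQUOTED = r"dfsradmin membership set /rgname:server2 and server1 /rfname:departments /memname:juneaucounty\server2 /ro:false"
QUOTED = r'dfsradmin membership set /rgname:"server2 and server1" /rfname:departments1 /memname:juneaucounty\server2 /ro:false'
NO_RO = r'Dfsradmin membership set /RGName:"larry and moe" /RFName:departments1 /MemName:Juneaucounty\Larry /LocalPath:D:\departments1'

if __name__ == "__main__":
    for line in (UNQUOTED, QUOTED, NO_RO):
        print(lint(line) or "ok")
```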