Our domain and forest functional levels are 2008R2 and we would like to get started using DFS (2008 mode) to take advantage of Access Based Enumeration so users only see the folders they have access to. I'm new to DFS and have read a lot about it but have a few questions before I create a namespace and start adding folders and targets.
I want to keep it simple but organized and need some advice with design. We have many departments and the goal is each department has access to their stuff and not everyone else's department. There are several that float between departments and I hope that DFS will help reduce the constant changing of NTFS permissions in folder structures. For example... there is an accounting dept. with dozens of folders in the accounting folder (just like all the other departments). Several people outside of accounting need access to only certain folders / files in the accounting dept.
Here are the questions regarding design:
Do I make each department a namespace or just have 1 namespace like "data" and list all the departments under it? If I have just 1 namespace with all dept. under it, do I create those folders "without" targets, which is essentially the share name, then create those same folder names "with" targets to access the contents inside, or is this going to get messy and unorganized?
This is where DFS came to mind... We had an IT meeting about the new file server and my suggestion for design was to make each parent folder a department name and give those groups access to their department folders and let inheritance do its job. However, this is not how real life works and certain people in departments need to access other departments' stuff like they do now. The boss said that with today's technology, when someone has access to a file it should be available to them from their normal data view without having to drill into another dept. folder to find the files they need to modify.
This is the big one I'm hoping to solve with DFS. Let's use the names Ed and Molly. Molly's in accounting and Ed is in HR. So in this new DFS setup there would be an accounting folder that Molly has access to and an HR folder that Ed has access to, but sometimes Ed needs to create / modify certain files buried in the accounting folder structure. I realize that Ed still needs NTFS permissions on those accounting documents to access them, but here is where I hope DFS comes to the rescue. Instead of Ed having to go into the accounting folder structure or mapping a drive letter to that folder, we want him to see the accounting stuff he needs access to from the namespace connection whose folder target is HR. Can DFS do this, and how? Meaning, when Ed's in his HR folder, can he see accounting stuff he needs to get to somehow through folder targets?