Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Question
Wednesday, November 30, 2011 1:49 PM
I'm having an issue with DFS on server 2008R2. DFS worked fine until recently, now when I try to add or remove folders from the namespace I get access is denied. I gave myself explict full control on the drive that hosts the file. Has anyone ran into this issue before that may be able to give some troubleshooting tips?
All replies (9)
Friday, December 16, 2011 2:29 PM âś…Answered | 3 votes
Hello and Thanks for the help,
I should have been more attentive to adding info to this post. All of the suggested fixes here were the first and most obvious things I looked at to address the issue. Permissions on the server were set correctly on DFS folders and the actual shares. I finally broke down and contacted Microsoft for help fixing the issue. After several days working with a support engineer we finally found the problem. I can't explain how it happened but here is the fix. In ADSI Edit on the DC we opened the default Naming context for the DFS server. Navigate to DC="your Domain prefix", DC=com ==> CN=System ==> ==> CN=Dfs-Configuration ==> CN=Share. The permissions set here were set to allow for Domain Admins to have full control. For whatever reason that did not apply to my domain admin account. Right click on CN=Share and go to properties then to Security and Advanced. We had to add the domain admin accounts to the share individualy as well as leave the domain admin set to full contorl.. We gave the individual accounts full control and set to not inherited, the "apply to field" was set to this object and all descendent objects. Check the box to include inheritable permissions from this object's parent checkbox then apply. Problem resolved. I'm not sure what it is about the domain admin group on server 2008R2 but I have found that sometimes it does not apply properly. I've had to add my domain admin account to other shares with explicit permissions to make it apply in the past. Hope this helps someone in the future and thank you very much for the replies here.
Wednesday, November 30, 2011 3:27 PM
Hello,
This is more likely a security access issue. Make sure you have been added to both the Share and the NTFS permision on the foldername share
Isaac Oben MCITP:EA, MCSE,MCC View my MCP Certifications
Friday, December 2, 2011 3:19 AM
Hi,
As Isaac mentioned, please have a check on folder referrals for permission settings.
Meanwhile, try to reboot the server to see if issue still exists.
TechNet Subscriber Support in forum |If you have any feedback on our support, please contact [email protected].
Thursday, September 27, 2012 4:28 PM | 2 votes
I had this same issue and found that permissions were not set right in Active Directory on the DFS Configuration branch.
Navigate to DC="your Domain prefix", DC=com ==> CN=System ==> ==> CN=Dfs-Configuration ==> CN=Share. The permissions set here were set to allow for Domain Admins to have full control but I noticed a difference between another namespace I could create a folder and this one. The servername$ computer user was missing from the permissions on the namespace getting the error. I added the computer account with read all properties, write all properties on the object tab and allow all on the properties tab. This got rid of the access denied error and allowed me to create new folders under that namespace.
Tuesday, November 11, 2014 9:41 PM
Had the same situation here; this solved it without having to add explicit ACEs for user accounts.
Tuesday, August 8, 2017 10:41 AM
I suspect you have now found out why this is, but thought I would add some additional details. Your initial work-around helped me with an issue, so thought I would elaborate on what I eventually used as a solution.
This is probably due to UAC being a pain and needing elevation before you can continue, I found this article here: http://clintboessen.blogspot.co.uk/2013/05/you-dont-currently-have-permission-to.html
From what I can tell Microsoft are ok with you disabling UAC as long as you are aware that it is an exception: https://support.microsoft.com/en-gb/help/2526083/disabling-user-account-control-uac-on-windows-server
This worked for me anyway, hope it helps others as using individual accounts with explicit permissions is a pain
Tuesday, January 30, 2018 2:54 PM
For me the problem was the corresponding Replication Group for the member I was trying to add was tet to "Read only"
After I set that target to Read/Write I was able to add the server to the namespace
Monday, July 23, 2018 9:01 AM
Thanks very much. I was facing same issue and after providing share permission, was able to add folder target.
Mukesh S MCITP Exchange 2007
Wednesday, January 15, 2020 6:16 PM
I'm having the same issue here trying to offload shares from a current DFS share and move to a new one, or simply deleting the current dfs target.... and I've tried everything you guys have listed. When I try to delete it using power shell or the DF management GUI, I still get an "access denied" or a "permissiondenied" when I try to remove the target.