Question
Wednesday, June 29, 2016 11:43 AM
Hi,
We have 6 DCs in the environment which act as DFS Namespace servers as well. We have one DFS root and under that almost 60 DFS links.
Problem is when we setup a new DFS link (Target on vFiler with all appropriate NTFS permissions) it does not replicate the folder permission on (C:\DFSRoots\RootFolderName\NewDFSLink) to all namespace servers.
We then have to manually setup the same security permissions to every DC on "C:\DFSRoots\RootFolderName\NewDFSLink"
I just wanted to know if it can be automated by some other method or this is normal behavior of MS.
DCs OS: Win2K8 R2
DFS Mode: Win 2008
NO DFS-R configured
Waseem Khan MCP, MCITP, VCP, VCA, ITIL
All replies (8)
Friday, July 1, 2016 3:01 AM ✅Answered
Hi Waseem,
Organisations that have 50+ domain controllers will likely not be using those domain controllers as file servers, in which case the only DFS replica will be SYSVOL - which they likely (and unlike smaller organisations that often don't employ experts) will not be using as a general file storage area.
Domain controllers are critically important to a business' continuity. Even more so in larger organisations. They won't (or at least shouldn't) be lumbered with miscellaneous functions that accumulate extra workload and require additional patching and performance tuning.
As such, you'd be unlikely to find such a large organisation having to deal with file-level permissions across 50+ domain controllers.
Do you actually need 50+ replica targets? i.e. is the content actually different amongst all 50+ namespace replicas? I would have to at least assume the directory structure is identical or else it simply isn't possible for DFS-R to help you - at least not across the board.
DFS is quite scalable in most instances, in which case depending on your WAN infrastructure and the degree to which content in the same namespace varies, I'd expect there'd have to be a better design than what you're currently managing.
Ultimately though, it's your decision as to how you proceed. The only suggestion I have based on what you've described so far and some assumptions I've made is the one I posted before, where you can try using DFS-R with a filter wildcard such as *.* to see if that helps with replicating the folder structure and permissions but not the content. It's not a normal scenario by a long stretch and I've not tested it myself, but depending on how the wildcard mask is interpreted, it might provide the solution you're chasing.
Cheers,
Lain
Friday, July 8, 2016 5:21 PM ✅Answered
Hi Rocky,
This is a planning issue, not a DFS issue.
When you add a new "folder", you really are creating a new folder with its own set of permissions. Technically, this folder doesn't actually have to exist anywhere else prior, only the target does.
As an example, you could create a new folder named "Foo", and have it point to the same target path of \vfiler1\datahost\marketing. This folder gets created under the DFS root, not on the vfiler, which is why the permissions exist locally and not on what you're treating as the data source.
You've already identified this yourself in point 4 above where you've stated that the permissions you need to modify are located at "C:\DFSRoots\England\Marketing". The important thing to remember here is this is in no way related to the permissions of the Marketing folder on the vFiler. Indeed, the DFS MMC even indicated this at the time of the folder creation as shown below in the first paragraph.
To achieve what you're actually wanting, you need to re-think the design and bring the structure back up a level. Using your example, you really don't need folder targets in any case. All you would do is:
- Create the namespace and have it reference \vfiler\datahost - which you've already done.
- Optionally, enable ABE as illustrated below in the namespace properties if you want folders to which users do not have access to be removed from the view, but really, this has always been of questionable value as if the NTFS permissions are set correctly, you're only introducing a performance hit that scales with the subfolder complexity for no real security benefit.
Cheers,
Lain
Thursday, June 30, 2016 6:32 AM
Hi Waseem Khan,
Thanks for your post.
NTFS permission should be replicated automatically. See following FAQ:
Does DFS Replication replicate NTFS file permissions, alternate data streams, hard links, and reparse points?
DFS Replication replicates NTFS file permissions and alternate data streams, but not NTFS hard links or reparse points.
Does DFS Replication replicate updated permissions on a file or folder?
Yes. DFS Replication replicates permission changes for files and folders. Only the part of the file associated with the Access Control List (ACL) is replicated, although DFS Replication must still read the entire file into the staging area.
https://technet.microsoft.com/en-us/library/cc773238(v=ws.10).aspx#BKMK_Timestamp
Your issue is strange; please test whether replication is still working healthily. You can try creating a file for the test. Please check the DFSR log and event log to see if any issue occurs.
And you could also refer to the similar thread discussed before.
Best Regards,
Mary
Thursday, June 30, 2016 6:36 AM
Hi Waseem,
If you're not using DFS-R, then nothing will replicate, including permissions. It'll be your responsibility to apply the permissions, instead.
How you achieve that is up to you but replication isn't a function of DFS-N.
Cheers,
Lain
Thursday, June 30, 2016 8:36 AM
Thanks for the reply guys.
As far as I know DFS-R we use to replicate data between two File servers.
In our case we have only one vFiler where all data folders (Folder Target) resides.
All six domain controllers are DFS namespace servers. We don't need data to be replicated anywhere, and just want the permissions to replicate under c: DFSRoots\DFroot\DFSlinks on all the domain controllers when we set up a new DFS link. Now my question is: do we still need DFSR?
Waseem Khan MCP, MCITP, VCP, VCA, ITIL
Thursday, June 30, 2016 8:57 AM
Hi Waseem,
I'm a little confused. Your first post states you don't use DFS-R but your last post states that you do. If you do, then whichever servers are a member of that DFS-R group ought to have the same permissions.
If you don't need data to be replicated then you shouldn't be using DFS-R. DFS-R isn't designed to be a permissions-only replication tool.
From a technical perspective, you could try using a wildcard file filter to exclude all files from being replicated, however, I've never seen a practical application of this so I don't know how DFS-R would behave in this scenario.
Cheers,
Lain
Thursday, June 30, 2016 11:33 AM
Hi Lain,
I was sharing my knowledge in my last comment (as far as I know.......). I again confirm that we don't use DFSR.
The only concern is how does DFS permissions replicate in organisations where they have 50s+ DCs. They can not do manual permission assignation.
We are tired of assigning manual permissions on DFS links on each DC.
Waseem Khan MCP, MCITP, VCP, VCA, ITIL
Friday, July 8, 2016 10:44 AM
Hi Lain,
Thanks for the clarification. Brilliantly answered. I understand that there are better ways to redesign this environment.
But.....(sorry) I still think I am unable to describe my actual query to you.
Let me describe it to you step by step:
1. We have a vFiler for example "\vFiler1\DataHost\Subfolers". All the data is here. That's all.
2. Created a DFS Root (call "England") and namespace server assigned as all 10 Domain Controllers.
3. Created a DFS link under the root and folder target is (\vFiler1\DataHost\Marketing)
4. Now, we see the Marketing folder under all the domain controllers "C:\DFSroots\England\Marketing", but the NTFS permissions are not the same as "\vFiler1\DataHost\Marketing".
5. This is the issue. We need to assign permissions in "C:\DFSroots\England\Marketing" manually same as "\vFiler1\DataHost\Marketing" on all the Domain controllers or it doesn't work for a user.