DFS Architecture

 
 
George Spiro

 
      11-04-2008
Hi,

I am planning to use DFS to make it simpler for some users outside of
certain departments to access really deep folders within departmental
folders.

We use mostly departmental folders to store our files.

Sometimes accounting needs access to a folder deep inside BD. What I
want to do is use DFS to access this easily for them.

Everything is fairly straightforward but one thing bothers me.

I created a root namespace. The problem is that everyone gets to see it.
Is there any way to secure and hide namespaces if the user does not have
access to the data?

Also, is it good practice to create multiple namespaces or should I just
create one overly complex namespace?

I have tried to find good practices in large corporate environments but
I am not able to find any suggestions or consideration to take when
building your DFS links.

Thank you,

George.
 
 
 
 
 
Isaac Oben [MCITP,MCSE]

 
      11-05-2008
George,

I am not sure you can hide the namespace, but what you can do is to secure
the folders and files within the namespace using file/folder security
settings.

I will just create a single namespace and then restrict access as necessary.

--
Isaac Oben [MCTIP, MCSE]

 
 
ProADGuy

 
      11-06-2008
I guess you are looking for ABE:

907458 How to implement Windows Server 2003 Access-based Enumeration in a
DFS environment
http://support.microsoft.com/default...b;EN-US;907458

931022 DFS links become invisible to end-users when you enable Access-based
Enumeration on a DFS share
http://support.microsoft.com/default...b;EN-US;931022


There is a limitation on the number of roots you can create in a single
domain; please look at the link below for more details:

http://technet.microsoft.com/en-us/l.../cc782417.aspx

I hope the above-mentioned information helps.

Regards,
ProADGuy


 
Rich

 
      11-12-2008
I was finally able to implement DFS with ABE at a company and so far it is
working great. This is all still very fresh in my head as we are now nearing
the end of the project.

I was never able to find a step-by-step article that fully explained how
to implement ABE with DFS. Everything out there does not cover it fully and
leaves a lot to figure out, as you will see that many admins out there are
suffering trying to make ABE work. The main gotcha and confusing part of
it is the DFS folder permissions for ABE. Not to confuse the DFS root
folders (icons with arrows) with the actual physical shares and folders. I
was able to use dfsutil to grant\revoke permissions on the DFS folders
themselves to make use of ABE. If you use the security tab on the DFS
folder it will just be overwritten with a DFS service restart or server
reboot.

Granting :R or Read access is all that is needed on the DFS folder to see
the folder.
The main commands I used were:
Dfsutil property ACL grant "\\servername\dfsroot\dfsfolder" "domain\groupname":R

and to block inheritance from the folder above use:
Dfsutil property ACL control "\\servername\dfsroot\dfsfolder" protect

To initially populate all my DFS namespace I used scripts to create all the
folders using the dnscmd utility. If you use the dfsutil command there it
will make everything lower case. If you use the older dnscmd utility it
does not have the case issues.

Another script is shown below to set up ABE perms using the SDDL output from
cacls and then using DFSUtil to set them. DFSUtil has SDDL capabilities
which saved a lot of work.

'On Error Resume Next

Const FOR_READING = 1
Const OpenAsDefault = -2
Const FailIfNotExist = 0
strFolder = "F:\SharedVol1"             ' physical parent folder whose subfolders are read
strDestination = "e:\DFSRoots\Shared"
strDFSPath = "\\bocfs401\shared\"       ' DFS namespace path that receives the ACLs

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objShell = WScript.CreateObject("WScript.Shell")
Set objFolder = objFSO.GetFolder(strFolder)
WScript.Echo objFolder.Path
Set colSubFolders = objFolder.SubFolders

' Pass 1: save each subfolder's ACL as SDDL to .\ACLs\<name>.bin
' (the .\ACLs folder must already exist)
For Each objFolder In colSubFolders
    strCmd = "cmd /c icacls " & Chr(34) & objFolder & Chr(34) & " /save " & _
        Chr(34) & ".\ACLs\" & objFolder.Name & ".bin" & Chr(34) & " /L"
    WScript.Echo strCmd
    ' Wait for icacls to finish so the file exists before pass 2 reads it
    objShell.Run strCmd, 1, True
Next

strPresent = "D:" 'Identifies the read line as a DACL

' Pass 2: read each saved file and apply its DACL line to the DFS folder
For Each objFolder In colSubFolders
    strBinFile = ".\ACLs\" & objFolder.Name & ".bin"
    WScript.Echo strBinFile

    Set objFile = objFSO.OpenTextFile(strBinFile, FOR_READING, FailIfNotExist, OpenAsDefault)

    Do Until objFile.AtEndOfStream
        strSDDL = objFile.ReadLine
        WScript.Echo strSDDL
        If InStr(Left(strSDDL, 2), strPresent) = 1 Then
            strCmd = "cmd /c dfsutil property ACL set " & Chr(34) & strDFSPath & _
                objFolder.Name & Chr(34) & " " & strSDDL
            WScript.Echo strCmd
            objShell.Run strCmd
        Else
            'Wscript.Echo "Line is not needed: " & strSDDL
        End If
    Loop

    objFile.Close
Next



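Added example, not part of any post in this thread: a sketch of the same NTFS-to-DFS ACL copy that reduces each DACL to read-only before it reaches the DFS folder, since Read is all ABE needs there, and that validates folder names and SDDL before building a command. It assumes dfsutil accepts an SDDL string using the symbolic right FR; the function names, the folder-name allow-list and the sample data are constructed for illustration.

```python
import re

# SDDL ACE layout: (type;flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);[^;()]*;[^;()]*;([^;()]+)\)")
READ_CODES = {"FA", "FR", "GA", "GR"}          # symbolic rights that include read
SAFE_NAME = re.compile(r"[A-Za-z0-9 ._-]+")    # assumed allow-list for folder names

def pairs(s):
    """SDDL flags and symbolic rights are concatenated two-letter codes."""
    return {s[i:i + 2] for i in range(0, len(s), 2)}

def grants_read(rights):
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & 0x1)     # FILE_LIST_DIRECTORY bit
    return bool(pairs(rights) & READ_CODES)

def read_only_dacl(sddl):
    """Turn an NTFS DACL into a protected DACL giving each reader only FR."""
    if not sddl.startswith("D:"):
        raise ValueError("not a DACL line")
    start = sddl.find("(")
    aces = sddl[start:] if start != -1 else ""
    if ACE_RE.sub("", aces):                   # leftovers (SACL, junk) are rejected
        raise ValueError("malformed ACE list")
    trustees = []
    for ace_type, flags, rights, trustee in ACE_RE.findall(aces):
        if ace_type != "A" or "IO" in pairs(flags):
            continue                           # skip deny and inherit-only ACEs
        if grants_read(rights) and trustee not in trustees:
            trustees.append(trustee)
    return "D:P" + "".join("(A;;FR;;;%s)" % t for t in trustees)

def dfsutil_commands(dfs_root, folder, save_text):
    """Build argv lists (no shell string) for each DACL line of one save file."""
    if not SAFE_NAME.fullmatch(folder):
        raise ValueError("unsafe folder name: %r" % folder)
    path = dfs_root.rstrip("\\") + "\\" + folder
    return [["dfsutil", "property", "ACL", "set", path, read_only_dacl(line)]
            for line in save_text.splitlines() if line.startswith("D:")]

# Constructed sample in the name-line / SDDL-line layout of an icacls /save file.
SAMPLE = ("Finance\n"
          "D:PAI(A;OICI;FA;;;BA)(A;OICIIO;FA;;;CO)"
          "(A;OICI;0x1301bf;;;S-1-5-21-1111-2222-3333-1105)(D;;FA;;;BG)\n")

if __name__ == "__main__":
    for argv in dfsutil_commands("\\\\bocfs401\\shared\\", "Finance", SAMPLE):
        print(argv)
```

Deny ACEs are dropped rather than translated, so a user denied on the target may still see the link; access to the data itself is still governed by the share and NTFS permissions.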
 
 
 