DFS target folder permissions

Discussion in 'File Systems' started by Nick, Dec 15, 2008.

  1. Nick

    Nick Guest

    I am in a dilemma here with permissions in Windows 2008 DFS and need to know
    how to resolve this issue.

    I have a Windows DFS 2008 server with DFS installed in Stand-alone mode.
    I created a namespace ABC using wizard, no problem.

    I created Folder and added target folder located on the same server but
    different drive.
    I used Customize option and added necessary permissions to the folder while
    creating.

    When I try to located the folder through another computer using UNC
    \\server\share\folder
    I get permission denied error message. I even get this error when I am
    remote logged on the DFS server.

    Please advise me how to properly setup permissions in DFS target folders,
    this is very important and any help will be highly appreciated.

    Thanks
     
    Nick, Dec 15, 2008
    #1
    1. Advertisements

  2. Nick

    DaveMills Guest

    Remember that the are two objects, each with their own NTFS permissions.
    First there is the folder within the DFSRoot that becomes the Link. These
    permissions can be seen on the physical folder. Go to X:\DFSRoot and look at the
    security settings on the folder.
    Second are the NTFS Permissions on the target folder. These are the ones usually
    exposed to the user but access via the DFS link also requires read permission on
    the link folder itself.

    Remember too that there may be more than one copy of the physical link if you
    have more than one DFS root server. It is quite possible to get different
    permissions on each copy which means that accessing the same folder via DFS can
    sometimes experience one set of permission and sometimes a different set
    depending upon which DFS Root server does the referral.
     
    DaveMills, Dec 16, 2008
    #2
    1. Advertisements

  3. Nick

    Nick Guest

    Thanks Dave, this explains a lot. So what I am understanding is the DFSroot
    permission are different than target folder permissioms? and in order for
    this to work, both permissions must be set properly? In my case target folder
    is within DFSroot, so should'nt it inherit permissions from parent (DFSroot)
    folder?
     
    Nick, Dec 19, 2008
    #3
  4. Nick

    DaveMills Guest

    I do not have any experience of putting the data folder in the DFSRoot, it is
    not a recommended configuration. Are you saying the you have placed the data
    folder in the DFSRoot and then created a link to it. I would expect the
    permission to be inherited and also the data to replicate with the DFSRoot
    structure. (oops just noticed you have a stand alone so there is no replication
    I believe). Have you also checked the share permissions on the target UNC path?

    I would move the target folder to a physical location on the DFS server that is
    not within the DFSRoot structure and change the link.

    If you have you DFSRoot as D:\DFSROOT
    and you data D:\DSFRoot\Data shared as \\server\data
    and a link in DFSRoot that points to \\server\data

    Then try moving the data folder to D:\Data and sharing it as \\server\data
    Then create/modify the link to point to \\server\data (i.e. same UNC but it is
    in a different physical location, you probably don't need to change it but do
    check it)

    After this your DFSRoot will contain only links. All data will be outside the
    DFSRoot structure (although still on the same had disk). I believe this is more
    in line with the expectations of the DFS designers. If you read the MS document
    "How DFS Works" you will find quite a lot of restrictions on the content of the
    DFSRoot, e.g. Max number of folders etc. This applies to the root but not to the
    link targets. By having the targets outside the root your data will not count
    towards these limits.
     
    DaveMills, Dec 20, 2008
    #4
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.