Thanks to all for the helpful feedback so far.

 

  1. Great, I’ll look at changing Everyone down to READ and perhaps pursue the Authenticated Users as well.
  2. Yes, we’re currently only replicating the hierarchy of shares and not doing file-replication.  Our few tests of file replication a long time ago did not go very well so we’ve never pursued it since.
  3. I glanced over the improvements in R2 and it certainly makes sense to upgrade.  Is it possible to upgrade/migrate, or does it require building a new root?  Here is how we are set up.

 

We currently have 5 DCs.

DC3 is the sole Win2000 SP4 and houses the only DFS root we have:  \\tcu.edu\dfs1  There is no replication of the root structure at the moment.

DC4 through DC7 are Win2003 SP1

 

All of our users and processes reference that root path (e.g. \\tcu.edu\dfs1\sharename) and changing the name would be a nightmare.  Maximum downtime would probably be 48-72 if the new root couldn’t be brought up with the same name simultaneously on another DC.

 

Upgrading DC3 is potentially an option, however it is much older hardware.

 

Bryan Lucas

Server Administrator

Texas Christian University


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Tuesday, July 25, 2006 9:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Securing DFS

 

Good call, if not using replication then 2000 does a DFS root just fine.

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, July 25, 2006 1:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Securing DFS

 

changing the permissions to read only on the DFS roots is no issue at all (doesn't matter what type of server the root is hosted on - DC or member). I'd actually replace everyone with Auth. Users at the same time.

 

as for Kevin's other comment on using Win2000 for DFS vs. Win2003 or R2 - totally agree that especially R2 has extensive improvements in the DFS service itself and especially in the file-replication engine (DFS-R). But if Bryan is not using file-replication in this Win2000 environment and "only" needs to build a hierarchy of shares, he can already get quite far with Win2000 DFS roots.  Of course there have been advancements such as multiple DFS roots per server in 2003 and further cool stuff for the basic DFS service in R2, such as sub-folder hierarchy for the DFS links, but Bryan may not need them.

 

Fully agree though, if file replication is involved, DFS-R in R2 is much preferred over FRS in Win2000 and Win2003 (RTM). Really depends on your situation if you need it.

 

/Guido

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Monday, July 24, 2006 11:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Securing DFS

I have never had any problems caused by changing permissions on a DFS root.  One thing to consider before you move too far down the road of configuration though is if you really want to invest in a 2000 DFS structure when the 2003 R2 DFS structure is so much more robust and reliable.  I have had and heard of countless problems with 2000 DFS.  I have not had any problems with 2003 R2 DFS at all.  If you decide to move forward with 2000 DFS, be aware that they will probably stop replicating occasionally.  You will then spend hours troubleshooting.  Seriously it is worth building this on 2003 R2 servers even if you don’t currently have any, if you are doing anything with DFS.  I know that is not what you are asking, sorry. 

Anyone disagree?

Kevin Brunson

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Monday, July 24, 2006 4:07 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Securing DFS

 

We built a DFS Root on a Windows 2000 domain controller and the root of the share has “Everyone” Full Control.  E.g. if I go to \\domain.com, right click on the DFS root’s properties, the security tab.

 

Can I simply take FC away?  I’m a bit hesitant because it lives on the DC and came this way by default.

 

Bryan Lucas

Server Administrator

Texas Christian University

 
