RE: [ActiveDir] Securing DFS

2006-07-24 Thread Kevin Brunson








I have never had any problems caused by
changing permissions on a DFS root.  One thing to consider before you move too
far down the road of configuration though is if you really want to invest in a
2000 DFS structure when the 2003 R2 DFS structure is so much more robust and
reliable.  I have had and heard of countless problems with 2000 DFS.  I have
not had any problems with 2003 R2 DFS at all.  If you decide to move forward
with 2000 DFS, be aware that they will probably stop replicating occasionally. 
You will then spend hours troubleshooting.  Seriously it is worth building this
on 2003 R2 servers even if you don’t currently have any, if you are doing
anything with DFS.  I know that is not what you are asking, sorry.  

Anyone disagree?

Kevin Brunson

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Monday, July 24, 2006 4:07 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Securing DFS



 

We built a DFS Root on a Windows 2000 domain controller and
the root of the share has “Everyone” Full Control.  E.g. if I
go to \\domain.com, right click on the DFS
root’s properties, the security tab.

 

Can I simply take FC away?  I’m a bit hesitant
because it lives on the DC and came this way by default.

 

Bryan Lucas

Server Administrator

Texas Christian University

 








RE: [ActiveDir] Securing DFS

2006-07-24 Thread Almeida Pinto, Jorge de
For each DFS root replica the following should be enough

e.g. (you will need to do this for EACH DFS root replica MANUALLY)
C:\DFSnamespaces---NTFS perms: Auth. Users->Read
C:\DFSnamespaces\DFSroot---NTFS perms: Auth. Users->Read
Share DFSroot OR DFSroot$ = C:\DFSnamespaces\DFSroot Share perms: Auth. Users->Read

I say MANUALLY because normally you will not set up NTFRS/DFS-R replication for
the DFS root itself. The root can be considered as a starting point/place
holder and if it is a domain based DFS root the info is stored in AD and
replicated. Again, in this case the NTFS perms and share perms are not
replicated to other DFS root replicas because no file based replication is
set up. IMHO, file based replication is ONLY set up for the DFS links below the
DFS root
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail :
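
Added example, not part of the thread or any poster's own code: since share and NTFS permissions are not replicated between DFS root replicas, a read-only audit can confirm that every replica matches the "Auth. Users->Read" baseline described above. It assumes a management host with the DFSN and SmbShare PowerShell modules and root servers running Windows Server 2012 or later; `\\domain.com\DFSroot` is a placeholder namespace path.

```powershell
# Added example: read-only audit of share and NTFS permissions on each DFS root replica.
# Assumptions (not from the thread): DFSN and SmbShare modules are available and the
# root servers expose the SMB CIM classes (Windows Server 2012 or later).
$Namespace = '\\domain.com\DFSroot'   # placeholder; replace with your namespace path
$Everyone  = 'S-1-1-0'                # well-known SID: Everyone
$AuthUsers = 'S-1-5-11'               # well-known SID: Authenticated Users
$SidType   = [System.Security.Principal.SecurityIdentifier]
# NTFS rights that count as "Read" for this audit
$ReadMask  = [int][System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Synchronize'

$findings = foreach ($target in Get-DfsnRootTarget -Path $Namespace) {
    # TargetPath has the form \\SERVER\Share
    $server, $share = $target.TargetPath.TrimStart('\').Split('\')[0, 1]

    # Share permissions. Names are translated to SIDs so the check works on any locale.
    foreach ($ace in Get-SmbShareAccess -Name $share -CimSession $server) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = ([System.Security.Principal.NTAccount]$ace.AccountName).Translate($SidType).Value
        if ($sid -eq $Everyone -or ($sid -eq $AuthUsers -and $ace.AccessRight -ne 'Read')) {
            [pscustomobject]@{ Server = $server; Layer = 'Share'
                               Principal = $ace.AccountName; Rights = $ace.AccessRight }
        }
    }

    # NTFS permissions on the shared root folder. Only this folder is reachable
    # remotely; check its parent (C:\DFSnamespaces in the thread) on the server itself.
    $acl = Get-Acl -LiteralPath $target.TargetPath
    foreach ($rule in $acl.GetAccessRules($true, $true, $SidType)) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $sid   = $rule.IdentityReference.Value
        # Bits outside the read mask; inherit-only generic ACEs also land here for review
        $extra = [int]$rule.FileSystemRights -band (-bnot $ReadMask)
        if ($sid -eq $Everyone -or ($sid -eq $AuthUsers -and $extra -ne 0)) {
            [pscustomobject]@{ Server = $server; Layer = 'NTFS'
                               Principal = $sid; Rights = $rule.FileSystemRights }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Server, Layer | Format-Table -AutoSize
} else {
    'No Everyone ACEs and no Authenticated Users rights beyond Read were found.'
}
```

The script changes nothing; each row it prints is a replica where the manual permission change was missed or has drifted.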




RE: [ActiveDir] Securing DFS

2006-07-24 Thread Grillenmeier, Guido



Changing the permissions to read only on the DFS roots is no issue at all
(doesn't matter what type of server the root is hosted on - DC or member). I'd
actually replace everyone with Auth. Users at the same time.

As for Kevin's other comment on using Win2000 for DFS vs. Win2003 or R2 -
totally agree that especially R2 has extensive improvements in the DFS service
itself and especially in the file-replication engine (DFS-R). But if Bryan is
not using file-replication in this Win2000 environment and "only" needs to
build a hierarchy of shares, he can already get quite far with Win2000 DFS
roots.  Of course there have been advancements such as multiple DFS roots per
server in 2003 and further cool stuff for the basic DFS service in R2, such as
sub-folder hierarchy for the DFS links, but Bryan may not need them.

Fully agree though, if file replication is involved, DFS-R in R2 is much
preferred over FRS in Win2000 and Win2003 (RTM). Really depends on your
situation if you need it.
 
/Guido


 


RE: [ActiveDir] Securing DFS

2006-07-25 Thread Kevin Brunson








Good call, if not using replication then
2000 does a dfs root just fine

 

















RE: [ActiveDir] Securing DFS

2006-07-25 Thread Kinzer, Lowell



Folks who want multiple Dfs roots on Windows Server 2003 Standard Edition
without upgrading to Enterprise or R2 can have them by installing the hotfix
available in the following Microsoft Knowledge Base article:

"You cannot create more than one domain-based DFS namespace on a computer that
is running Windows Server 2003, Standard Edition"
<http://support.microsoft.com/kb/903651/>

I've been running it on four servers for over six months and have had no
problems with it.

Cheers,
Lowell
---
Lowell Kinzer
ACS/Microcomputer Support
University of California, San Diego
[EMAIL PROTECTED]

  
  


RE: [ActiveDir] Securing DFS

2006-07-25 Thread Lucas, Bryan








Thanks to all for the helpful feedback so far.

Great, I’ll look at changing the Everyone down to READ and perhaps
pursue the Authenticated Users as well.

Yes, we’re currently only replicating the hierarchy of shares and not
doing file-replication.  Our few tests of file replication a long time ago
did not go very well so we’ve never pursued it since.

I glanced over the improvements in R2 and it certainly makes sense to
upgrade.  Is it possible to upgrade/migrate or does it require building a
new root?  Here is how we are set up.

We currently have 5 DC’s.

DC3 is the sole Win2000 SP4 and houses the only
DFS root we have:  \\tcu.edu\dfs1  There
is no replication of the root structure at the moment.

DC4 through DC7 are Win2003 SP1

All of our users and processes reference
that root path (e.g. \\tcu.edu\dfs1\sharename)
and changing the name would be a nightmare.  Maximum downtime would probably be
48-72 if the new root couldn’t be brought up with the same name
simultaneously on another DC.

Upgrading DC3 is potentially an option,
however it is much older hardware.

 



Bryan Lucas

Server Administrator

Texas Christian University










