Ivan Lučić - my blog


June 2009 - Posts

DFS & Access-based enumeration (ABE)

Platform: Windows Server 2008 Enterprise x64 English SP2

DFS Namespace type: Domain-based

In my current file-server environment I'm using access-based enumeration (ABE) on all global file shares. ABE filters the folders a user sees in a share down to those their NTFS permissions allow them to read. Note that it only hides names; it adds no access control of its own, the NTFS permissions still decide what a user can open.

Additionally I'm using the Distributed File System (DFS), so I tried to combine the two features.

Windows Server 2008 has the ABE feature built in. All you need to do is enable it in the share's properties (Server Manager –> Roles –> File Services –> Share and Storage Management –> your share –> Properties).

On Windows Server 2003 you have to install the Windows Server 2003 Access-based Enumeration package before you can enable ABE. After the installation you will find a new tab named "Access-based Enumeration" in the folder's properties (if the folder is already shared).

(First, the wrong way to set up DFS with ABE.)

In my domain forest the file servers are distributed across several subdomains. So I created a namespace in the root domain (on all root DCs) to have one global entry point for all of the company's file data. The namespace is called "\\myrootdomain.local\DATA". Inside the namespace I created folder links to several file servers. In the next step I turned on ABE for the DATA file share on every namespace server (DC). Additionally I configured the NTFS security for all links on each node manually. At first all links were visible to all users because of the object security inherited from the root drive. So I turned inheritance off on each link separately, copied the permission entries, deleted the domain user entries and added the universal security groups (appropriate to the domain) for DFS with read-only access to the links.

The first tests were successful, but a few days later the links lost the custom settings. NTFS inheritance was enabled again, probably re-applied by the Windows DFS service. In some cases the ABE setting was changed as well.

…so I searched for the solution…and here is the right way:

First I checked ABE support in DFS: it really is supported by Windows Server 2008, but the namespace must run in Windows Server 2008 mode. Slow-clickers (I'm not one :)) would have read this while creating the namespace, on the Namespace Type page of the New Namespace wizard.

You also have to tick the "Enable Windows Server 2008 mode" checkbox while creating the namespace for this feature to be supported. Otherwise the namespace runs in Windows 2000 Server mode (DFS Management shows the mode in the namespace properties).

If you have already created the namespace you will have to recreate it. During the recreation you may not be able to tick "Enable Windows Server 2008 mode" because it is grayed out. The reason is that Windows Server 2008 mode requires the domain that holds the namespace servers to run at the Windows Server 2008 domain functional level (the forest only has to be at the Windows Server 2003 forest functional level or higher). Raising the domain functional level in turn requires all DCs in this domain (not the forest) to run Windows Server 2008.

Again, the Windows Server 2008 domain functional level is only required in the domain where the namespace servers are located.

Raising the domain functional level to "Windows Server 2008":

  1. Check that all DCs run Windows Server 2008 and be sure that you are not planning to add a Windows 2000 or 2003 DC to this domain in the future: on Windows Server 2008 the raise cannot be undone.
  2. Raise the domain functional level to "Windows Server 2008" (Active Directory Users and Computers –> right-click your domain –> Raise domain functional level…).
  3. Wait for AD replication or replicate manually (repadmin /syncall).
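As an added example (not part of the original post), here is a PowerShell check of the prerequisites before you raise the level: every DC in the domain runs Windows Server 2008, the forest is at least at Windows Server 2003 level, and the domain is not already at 2008. It uses only the .NET System.DirectoryServices classes, so it runs on Windows Server 2008 without the Active Directory module; the -RaiseLevel switch and the messages are mine.

```powershell
# Added example: DFS "Windows Server 2008 mode" prerequisite check.
# Run as a domain admin on a DC or a domain-joined admin workstation.
param([switch]$RaiseLevel)   # without the switch the script only reports

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$want   = [System.DirectoryServices.ActiveDirectory.DomainMode]::Windows2008Domain
$minFor = [System.DirectoryServices.ActiveDirectory.ForestMode]::Windows2003Forest

Write-Host ("Domain {0}: functional level {1}" -f $domain.Name, $domain.DomainMode)
Write-Host ("Forest {0}: functional level {1}" -f $forest.Name, $forest.ForestMode)

# 1. Every DC in *this* domain must run Windows Server 2008 (other domains do not matter).
$tooOld = @()
foreach ($dc in $domain.DomainControllers) {
    Write-Host ("  {0,-35} {1}" -f $dc.Name, $dc.OSVersion)
    if (-not ($dc.OSVersion -match 'Windows Server (\d{4})' -and [int]$matches[1] -ge 2008)) {
        $tooOld += $dc.Name
    }
}
if ($tooOld) { throw "Cannot raise the level, pre-2008 DCs found: $($tooOld -join ', ')" }

# 2. 2008 mode additionally needs the forest at Windows Server 2003 level or higher.
if ([int]$forest.ForestMode -lt [int]$minFor) {
    throw "Forest functional level $($forest.ForestMode) is below Windows Server 2003"
}

# 3. Already there? Then only the DFS Namespace service restart is left to do.
if ([int]$domain.DomainMode -ge [int]$want) {
    Write-Host 'Domain is already at Windows Server 2008 level or higher; nothing to raise.'
    return
}

if ($RaiseLevel) {
    # Irreversible on Windows Server 2008: there is no way back to the 2003 level.
    $domain.RaiseDomainFunctionality($want)
    Write-Host 'Raised. Replicate (repadmin /syncall /AdeP) and restart the Dfs service on every namespace server.'
} else {
    Write-Host 'All prerequisites met. Rerun with -RaiseLevel to raise the domain functional level.'
}
```

Run it once without the switch to see the report, then with -RaiseLevel; the script refuses to raise while any DC reports an older OS.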

 

Now restart the DFS Namespace service (Dfs) on all namespace servers and you will be able to create and run the namespace in Windows Server 2008 mode.

Next: ABE and NTFS security configuration

Before you begin to configure these settings (ABE, folder ACLs), please do not do it the conventional way (folder/share properties). That is not supported on Windows Server 2008: a change made locally on one namespace server is not stored in the namespace configuration in Active Directory, so it is neither replicated to the other namespace servers nor safe from being reset by the DFS Namespace service (which is what happened above). Windows Server 2008 only supports command-line administration of these namespace features; GUI support arrives with Windows Server 2008 R2.

The following steps need to be done only once: in Windows Server 2008 mode the settings are stored in Active Directory and applied by every server hosting the namespace.

1. Enable the ABE (ABDE - Access Based Directory Enumeration) for the namespace using the dfsutil.exe:

dfsutil.exe Property ABDE Enable \\yourdomain.local\NamespaceName

Check the state with the following command:

dfsutil.exe Property ABDE \\yourdomain.local\NamespaceName

 

2. Set the folder (link) ACLs as follows. They are stored with the namespace and applied to the link's reparse point on each namespace server; with ABE enabled, a user sees a link only if these ACLs grant Read:

Reset the ACL of the link:

dfsutil.exe Property ACL Reset \\yourdomain.local\DATA\Link1


Disable object inheritance:

dfsutil.exe Property ACL Control \\yourdomain.local\DATA\Link1 Protect

 

Set access rights for the Domain Admins (Full) and the DFS security group (Read is enough here: the ACL on a link only controls who sees and traverses the link, the data itself is protected by the NTFS permissions on the target share):

dfsutil.exe Property ACL Grant \\yourdomain.local\DATA\Link1 "yourdomain.local\Domain Admins":F
dfsutil.exe Property ACL Grant \\yourdomain.local\DATA\Link1 yourdomain.local\dfs-group_company1:R

 

And here the commands for the other links:

dfsutil.exe Property ACL Reset \\yourdomain.local\DATA\Link2
dfsutil.exe Property ACL Control \\yourdomain.local\DATA\Link2 Protect
dfsutil.exe Property ACL Grant \\yourdomain.local\DATA\Link2 "yourdomain.local\Domain Admins":F
dfsutil.exe Property ACL Grant \\yourdomain.local\DATA\Link2 subdom1.yourdomain.local\dfs-group_company2:R

dfsutil.exe Property ACL Reset \\yourdomain.local\DATA\Link3
dfsutil.exe Property ACL Control \\yourdomain.local\DATA\Link3 Protect
dfsutil.exe Property ACL Grant \\yourdomain.local\DATA\Link3 "yourdomain.local\Domain Admins":F
dfsutil.exe Property ACL Grant \\yourdomain.local\DATA\Link3 subdom2.yourdomain.local\dfs-group_company3:R

 

You can verify the results in the Windows folder properties Security tab, but always set the permissions with dfsutil.exe.
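As an added example (not the post's own script), the same dfsutil steps for all three links in one PowerShell pass, with a check of dfsutil's exit code so a typo in a group name does not leave a link half-configured. The namespace, link and group names are the placeholders from the post; the hashtable maps each link to the single group that may see it.

```powershell
# Added example: enable ABE on the namespace and set the view ACL of every
# link with dfsutil.exe. Run as a member of Domain Admins on a namespace server.
$Namespace = '\\yourdomain.local\DATA'
$Admins    = 'yourdomain.local\Domain Admins'
$Links = @{   # link name -> DFS security group that is allowed to see it
    'Link1' = 'yourdomain.local\dfs-group_company1'
    'Link2' = 'subdom1.yourdomain.local\dfs-group_company2'
    'Link3' = 'subdom2.yourdomain.local\dfs-group_company3'
}

function Invoke-DfsUtil {
    # Wrapper that turns a non-zero dfsutil exit code into a terminating error.
    param([string[]]$Arguments)
    $output = & dfsutil.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "dfsutil $($Arguments -join ' ') failed with exit code ${LASTEXITCODE}: $output"
    }
    $output
}

# 1. Access-based enumeration on the namespace (requires Windows Server 2008 mode).
Invoke-DfsUtil Property, ABDE, Enable, $Namespace | Out-Null
Write-Host "ABDE state: $(Invoke-DfsUtil Property, ABDE, $Namespace)"

# 2. Per link: wipe the ACL, block inheritance, grant exactly two ACEs.
#    Read is enough for the group: the link ACL only decides who sees and
#    traverses the link, the data is protected by NTFS on the target share.
foreach ($link in ($Links.Keys | Sort-Object)) {
    $path  = "$Namespace\$link"
    $group = $Links[$link]
    Invoke-DfsUtil Property, ACL, Reset,   $path                | Out-Null
    Invoke-DfsUtil Property, ACL, Control, $path, Protect       | Out-Null
    Invoke-DfsUtil Property, ACL, Grant,   $path, "${Admins}:F" | Out-Null
    Invoke-DfsUtil Property, ACL, Grant,   $path, "${group}:R"  | Out-Null

    # Show what the namespace now stores for this link (replicated to all hosts).
    Write-Host "--- $path"
    Invoke-DfsUtil Property, ACL, $path
}
```

Because the ACLs live in the namespace configuration, running this once on any namespace server is enough; the displayed ACL is what every other host will apply after replication.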

 

The same security groups should also be used to set the root-folder permissions on the linked file-server shares, and check that ABE is enabled there as well (how-to: see the top of this post). Keep in mind that a hidden link is not an access control: a user who knows the UNC path of the target share can still connect to it directly, so the NTFS permissions on the target are what actually protects the data.

In most cases the share on your file server holds folders named after the company's departments. Best practice is to create a universal security group for every folder in the root of this share and set the permissions on those groups. Better still, create one group for write access and another for read access, and set the NTFS permissions for these groups, one with Modify and the other with Read. Then make all of these folder-access groups members of the company's DFS security group, so that they automatically get access to the share and to the DFS link.

Now users (better: whole department (global) security groups) only have to be members of the selected folder security group (R or RW) to have access through all DFS levels. The NTFS permissions never have to be touched again; administration can be done entirely in Active Directory.
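As an added example (not from the post), here is the group layering just described for one company share, built with ADSI and icacls.exe so that it also works on Windows Server 2008 without the Active Directory module. The OU, the local share path, the department names, the group naming scheme (fs-<dept>-R / fs-<dept>-RW) and the NetBIOS domain name "yourdomain" are my assumptions; the DFS group dfs-group_company1 is taken from the post and must already exist.

```powershell
# Added example: per-department R/RW universal groups, nested into the company
# DFS group, plus the matching NTFS ACLs on the target share. Run as Domain Admin
# on the file server (icacls needs the local path of the share).
$GroupOU     = 'LDAP://OU=FileAccess,DC=yourdomain,DC=local'                        # assumed OU
$DfsGroupDN  = 'LDAP://CN=dfs-group_company1,OU=FileAccess,DC=yourdomain,DC=local'  # group from the post
$ShareRoot   = 'D:\Shares\DATA'                                                     # assumed local path
$NetBios     = 'yourdomain'                                                         # assumed NetBIOS name
$Departments = 'Finance', 'HR', 'Sales'
# groupType of a universal *security* group: ADS_GROUP_TYPE_UNIVERSAL_GROUP (0x8)
# | ADS_GROUP_TYPE_SECURITY_ENABLED (0x80000000), written as a signed 32-bit value.
$UniversalSecurity = -2147483640

function New-UniversalGroup([string]$Name) {
    $ou = [ADSI]$GroupOU
    $g  = $ou.Create('group', "CN=$Name")
    $g.Put('sAMAccountName', $Name)
    $g.Put('groupType', $UniversalSecurity)
    $g.SetInfo()
    return $g
}

function Set-FolderAcl([string]$Folder, [string[]]$Grants) {
    # /inheritance:r drops the ACEs inherited from the parent first, so the
    # folder ends up with exactly the ACEs in $Grants.
    & icacls.exe $Folder /inheritance:r /grant $Grants | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Folder" }
}

# Share root: the DFS group gets Read on this folder only (no (OI)(CI)). It must
# not inherit into the department folders, otherwise ABE would show every
# department to every DFS group member.
Set-FolderAcl $ShareRoot @("$NetBios\Domain Admins:(OI)(CI)F", "$NetBios\dfs-group_company1:RX")

$dfsGroup = [ADSI]$DfsGroupDN
foreach ($dept in $Departments) {
    $rw = New-UniversalGroup "fs-$dept-RW"
    $r  = New-UniversalGroup "fs-$dept-R"
    # Nesting: folder group -> company DFS group. Members thereby get the Read
    # that the namespace link and the share root grant to the DFS group.
    $dfsGroup.Add($rw.Path)
    $dfsGroup.Add($r.Path)

    $folder = Join-Path $ShareRoot $dept
    if (-not (Test-Path $folder)) { New-Item -ItemType Directory -Path $folder | Out-Null }
    Set-FolderAcl $folder @(
        "$NetBios\Domain Admins:(OI)(CI)F",
        "$NetBios\fs-$dept-RW:(OI)(CI)M",
        "$NetBios\fs-$dept-R:(OI)(CI)RX"
    )
}
```

From here on, giving a department access means adding its global group to fs-<dept>-R or fs-<dept>-RW; neither the namespace ACLs nor the NTFS ACLs change again.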

Finally map a network drive to “\\yourdomain.local\DATA” - one for the whole domain forest! ;)

DFS Namespace Management: Error - The server you specified already hosts a namespace with this name

Platform: Windows Server 2008 Enterprise x64 English SP2

Namespace type: Domain-based

 

In my last post about DFS (DFS Namespace Management: The namespace cannot be queried. The RPC server is unavailable.) I explained how to delete a corrupted namespace from Active Directory. However, recreating the same namespace does not work on hosts that previously hosted it.

You then get the following error: "The server you specified already hosts a namespace with this name. Please select another namespace name or another server to host the namespace."

 

In addition to deleting the namespace in the domain, follow these steps to manually remove the remaining namespace parts on your DFS host (export the registry keys first so you can roll back):

  1. Run "dfsutil.exe diag viewdfsdirs c: RemoveReparse" to remove all DFS reparse points from this host (it is not possible to remove only some of them, so be sure; run the command without "RemoveReparse" first to list what would be removed). If your DFSRoot was not on the c: drive, replace "c:" with the proper drive letter.
  2. Delete the following registry key and the two values named after the old namespace share (the LanmanServer entries are values, not subkeys):
    1. HKLM\SOFTWARE\Microsoft\Dfs\Roots\Domain\YourOldNamespace
    2. HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares\YourOldNamespaceShare
    3. HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares\Security\YourOldNamespaceShare
  3. Reboot the server. Restarting the two services Dfs (DFS Namespace) and LanmanServer (Server) is not sufficient.
  4. Delete the namespace folder in the DFSRoot.

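As an added example (not the post's own script), a PowerShell version of the clean-up that lists the reparse points first, exports the affected registry keys to %TEMP% before deleting anything, and only removes things when run with -Force. The parameter names and backup file names are mine; the registry paths are those from the list above.

```powershell
# Added example: remove the local remains of an old domain-based namespace.
# Run elevated on the former namespace server, *after* the namespace object
# has been deleted from Active Directory (see the RPC-server post).
param(
    [string]$Namespace = 'YourOldNamespace',        # name of the old namespace
    [string]$ShareName = 'YourOldNamespaceShare',   # its share name on this host
    [string]$Volume    = 'c:',                      # volume that held the DFSRoot
    [switch]$Force                                  # without it: report only
)

$rootKey   = "HKLM:\SOFTWARE\Microsoft\Dfs\Roots\Domain\$Namespace"
$sharesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares'
$secKey    = "$sharesKey\Security"

# 0. What is still there? The LanmanServer entries are values, not subkeys.
Write-Host "Reparse points on ${Volume}:"
& dfsutil.exe diag viewdfsdirs $Volume
Write-Host ("Root key present:       {0}" -f (Test-Path $rootKey))
Write-Host ("Share value present:    {0}" -f ($null -ne (Get-ItemProperty -Path $sharesKey -Name $ShareName -ErrorAction SilentlyContinue)))
Write-Host ("Security value present: {0}" -f ($null -ne (Get-ItemProperty -Path $secKey -Name $ShareName -ErrorAction SilentlyContinue)))
if (-not $Force) { Write-Warning 'Dry run. Rerun with -Force to remove reparse points and registry entries.'; return }

# 1. Backup: export the whole keys so a mistake can be rolled back with reg import.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
& reg.exe export 'HKLM\SOFTWARE\Microsoft\Dfs' "$env:TEMP\Dfs-$stamp.reg" /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'export of the Dfs key failed, aborting' }
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares' "$env:TEMP\Shares-$stamp.reg" /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'export of the Shares key failed, aborting' }

# 2. All DFS reparse points on the volume (dfsutil offers no partial removal).
& dfsutil.exe diag viewdfsdirs $Volume RemoveReparse

# 3. Registry residue.
if (Test-Path $rootKey) { Remove-Item -Path $rootKey -Recurse -Force }
foreach ($key in $sharesKey, $secKey) {
    if (Get-ItemProperty -Path $key -Name $ShareName -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $key -Name $ShareName
    }
}

Write-Host 'Done. Reboot the server (restarting Dfs and LanmanServer is not enough), then delete the namespace folder under the DFSRoot.'
```

The two .reg files in %TEMP% are the rollback path: "reg import" either of them restores the entries if the wrong namespace name was passed.
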
bing vs. Google vs. Yahoo! (very cool)

So far there was no simple way to compare search results of the big three.

Blind Search lets you send your search query to all three at the same time. The results come back in three columns (randomly ordered, neutrally formatted) with no indication of which engine produced which. Next you compare the results and vote for the column with the best result, and only then is the engine revealed. Exciting & very cool!

Link: http://blindsearch.fejus.com/

 

Result of my three (not really representative) searches:

2 –> bing (Wow!)

1 –> Yahoo!

0 –> Google

 

Please comment your results! ;)

 

ps: You may wonder why the results are not always the same as when you use the search engine directly. The cause is the fixed US localization of Blind Search: your client's locale is not passed through.

DFS Namespace Management: The namespace cannot be queried. The RPC server is unavailable.

Platform: Windows Server 2008 Enterprise x64 English SP2

Namespace type: Domain-based

 

See also (recently published): DFS Namespace Management: Error - The server you specified already hosts a namespace with this name

 

Problem:

You are trying to manage or delete a domain-based DFS namespace once hosted on an old (or crashed) machine. In doing so you get the following error: “The namespace cannot be queried. The RPC server is unavailable.”

 

The same error appears when you try to delete the namespace (right-click before connecting) and when you try to connect to it.

Resolution:

Delete the namespace using ADSI Edit and dfsutil.exe.

 

Steps:

  1. DFS Server: Remove the affected namespace from the DFS Management display.
  2. DC: Use ADSI Edit to connect to the "Default naming context" of the affected domain, browse to CN=System, CN=Dfs-Configuration and delete the namespace entry (for a Windows Server 2008 mode namespace this is a container with child objects; delete it together with its children). This removes the namespace configuration for every server that hosts it, so make sure no working namespace server is left before you delete.
  3. DC: Wait for AD replication or replicate the changes manually (repadmin /syncall).
  4. DFS Server: Use dfsutil to flush all DFS caches. To do this, start cmd.exe as Administrator and run the following three commands:
    • dfsutil cache domain flush
    • dfsutil cache referral flush
    • dfsutil cache provider flush
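As an added example (not from the post), the same deletion in PowerShell: it binds to CN=Dfs-Configuration with ADSI, prints the object (for a Windows 2000 mode namespace the remoteServerName attribute lists the servers that hosted it), deletes it together with its children only when run with -Force, and then runs the three dfsutil flushes. Run it elevated on a server that is both a DC and the DFS server, or run the ADSI part on a DC and the flush part on the DFS server. The parameter names are mine.

```powershell
# Added example: delete a stale domain-based namespace object from AD and flush
# the local DFS caches. Run elevated as a domain admin.
param([string]$Namespace = 'YourOldNamespace', [switch]$Force)

$rootDse = [ADSI]'LDAP://RootDSE'
$path    = "LDAP://CN=$Namespace,CN=Dfs-Configuration,CN=System,$($rootDse.defaultNamingContext)"

if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
    Write-Host "No namespace object '$Namespace' found under CN=Dfs-Configuration; nothing to delete."
} else {
    $obj = [ADSI]$path
    Write-Host "Found: $($obj.distinguishedName)"
    Write-Host "Class: $($obj.objectClass -join ', ')"
    # Windows 2000 mode namespaces (class fTDfs) record their root servers here;
    # if a listed server is still alive, repair the namespace there instead.
    if ($obj.Properties['remoteServerName'].Count -gt 0) {
        Write-Host "Root servers: $($obj.Properties['remoteServerName'] -join ', ')"
    }
    if ($Force) {
        # DeleteTree also removes the child objects a 2008 mode namespace has.
        $obj.DeleteTree()
        Write-Host 'Deleted. Replicate (repadmin /syncall /AdeP) before flushing on the DFS server.'
    } else {
        Write-Warning 'Dry run. Rerun with -Force to delete the object.'
    }
}

# Flush the local DFS caches so the old referrals are no longer served.
foreach ($cache in 'domain', 'referral', 'provider') {
    & dfsutil.exe cache $cache flush
    if ($LASTEXITCODE -ne 0) { Write-Warning "dfsutil cache $cache flush returned $LASTEXITCODE" }
}
```

The dry run is deliberate: the object under CN=Dfs-Configuration is the whole namespace, not just the dead server's share of it, so read the printed root servers before passing -Force.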

 

Now the namespace should not be listed when you run the “Add Namespaces to Display…” action and you should be able to create a new namespace with the old name.