DFS Replication
Bond
2010-01-20 20:47:30 UTC
As I understand it, DFS in Windows 2003 does not replicate local NTFS
permissions to another server, and I understand why.

Does anyone know if this is still a limitation in Windows 2008 DFS?



Just to be clear, if I set the NTFS file permissions on the primary DFS
replication server on Server1 to:
server1\users
foo.bar\domain users

I get the following SID and Domain group on Server2
S-1-5-21-8909890989098909890980980989098-1003
foo.bar\Domain Users
Dave Warren
2010-01-20 21:41:19 UTC
Post by Bond
As I understand it, DFS in Windows 2003 does not replicate local NTFS
permissions to another server, and I understand why.
Does anyone know if this is still a limitation in Windows 2008 DFS?
Just to be clear, if I set the NTFS file permissions on the primary DFS
server1\users
foo.bar\domain users
I get the following SID and Domain group on Server2
S-1-5-21-8909890989098909890980980989098-1003
foo.bar\Domain Users
I'm not sure what you're expecting here, the permissions are being
replicated as is shown by your example above.

What are you expecting to happen?
Bond
2010-01-20 23:08:58 UTC
Post by Dave Warren
Post by Bond
Just to be clear, if I set the NTFS file permissions on the primary DFS
server1\users
foo.bar\domain users
I get the following SID and Domain group on Server2
S-1-5-21-8909890989098909890980980989098-1003
foo.bar\Domain Users
I'm not sure what you're expecting here, the permissions are being
replicated as is shown by your example above.
What are you expecting to happen?
If JoeUser has an AD group membership of only foo.bar\accounting (no other
groups) and this domain group is a member of Server1\users - JoeUser is able
to access this file from Server1; however, if Server1 is unavailable,
JoeUser will automatically be connected to the replicated file on Server2
but will not have the appropriate permissions.

Or am I not understanding something?
DaveMills
2010-01-21 13:30:09 UTC
Post by Bond
Post by Dave Warren
Post by Bond
Just to be clear, if I set the NTFS file permissions on the primary DFS
server1\users
foo.bar\domain users
I get the following SID and Domain group on Server2
S-1-5-21-8909890989098909890980980989098-1003
foo.bar\Domain Users
I'm not sure what you're expecting here, the permissions are being
replicated as is shown by your example above.
What are you expecting to happen?
If JoeUser has an AD group membership of only foo.bar\accounting (no other
groups) and this domain group is a member of Server1\users - JoeUser is able
to access this file from Server1; however, if Server1 is unavailable,
JoeUser will automatically be connected to the replicated file on Server2
but will not have the appropriate permissions.
Or am I not understanding something?
Is JoeUser a local account on Server1 or a domain account?
--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.
Bond
2010-01-21 13:42:56 UTC
Post by DaveMills
Is JoeUser a local account on Server1 or a domain account?
JoeUser is a Domain Account
Dave Warren
2010-01-22 00:34:23 UTC
Post by Bond
Post by Dave Warren
Post by Bond
Just to be clear, if I set the NTFS file permissions on the primary DFS
server1\users
foo.bar\domain users
I get the following SID and Domain group on Server2
S-1-5-21-8909890989098909890980980989098-1003
foo.bar\Domain Users
I'm not sure what you're expecting here, the permissions are being
replicated as is shown by your example above.
What are you expecting to happen?
If JoeUser has an AD group membership of only foo.bar\accounting (no other
groups) and this domain group is a member of Server1\users - JoeUser is able
to access this file from Server1; however, if Server1 is unavailable,
JoeUser will automatically be connected to the replicated file on Server2
but will not have the appropriate permissions.
Or am I not understanding something?
The problem is that "server1\users" doesn't mean anything to Server2.
(Well, it's the other way around,
S-1-5-21-8909890989098909890980980989098-1003 only means something on
Server1, but not Server2)

In this case, you need to give permissions to foo.bar\accounting.
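
An added example, not part of the thread: a PowerShell audit that walks a replicated folder and lists explicit ACEs whose SID was issued by something other than the domain, which is the case described above where a replicated SID only means something on the server that issued it. The `$Root` path is hypothetical, and the script assumes a single domain and that it runs under a domain account.

```powershell
# Added example (not from the thread): list explicit ACEs under a replicated
# folder that are granted to machine-local accounts or groups.
param(
    # Hypothetical path; pass the replicated folder on this server.
    [string]$Root = 'D:\Replicated\Share',
    # Assumption: run as a domain account, so the caller's own SID carries
    # the domain's S-1-5-21-... prefix. Override if that is not the case.
    [string]$DomainSid =
        [System.Security.Principal.WindowsIdentity]::GetCurrent().User.AccountDomainSid.Value
)

$sidType = [System.Security.Principal.SecurityIdentifier]
$ntType  = [System.Security.Principal.NTAccount]

# The folder itself plus everything beneath it.
$items = @(Get-Item -LiteralPath $Root -Force) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force)

foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName

    # Explicit ACEs only, returned as raw SIDs so unresolvable entries
    # (SIDs issued by another server's local SAM) do not throw.
    foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {
        $sid    = $ace.IdentityReference
        $issuer = $sid.AccountDomainSid   # $null for well-known SIDs such as SYSTEM

        # Skip well-known SIDs and anything issued by the domain itself.
        if ($null -eq $issuer -or $issuer.Value -eq $DomainSid) { continue }

        # A SID from another machine's SAM cannot be translated to a name here.
        $name = try { $sid.Translate($ntType).Value } catch { '<unresolved here>' }

        [pscustomobject]@{
            Path   = $item.FullName
            Sid    = $sid.Value
            Name   = $name
            Rights = $ace.FileSystemRights
            Type   = $ace.AccessControlType
        }
    }
}
```

Each row is an ACE that grants access only on the server whose local SAM issued the SID; replacing it with a domain group, as suggested above, makes the permission effective on every replication member.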