Monday 10 May 2010

HOWTO: DFS and ABE in Server 2008 and 2008 R2

This blogpost will be quite a lot longer than my other blogposts, but that’s not an issue in my opinion. Too many times I encounter a situation in which DFS is misconfigured for use with Access-based Enumeration. Sometimes I even encounter an environment in which the file servers themselves are configured incorrectly. In this blogpost I will explain the following items:

  1. Installing Distributed File System.
  2. Configure a domain-based DFS Namespace.
  3. Creating a DFS Link (Target/Folder Target).
  4. Configuring Access-based Enumeration on the DFS Namespace and the DFS Links.
  5. Setting the correct (NTFS and Share) permissions on the File Share that the DFS Link points to.
  6. Enabling Access-based Enumeration on the File Share on the File Server.

I’ll assume the following items are running as they should or are available, so I won’t go into them any further:

  • A correctly working Active Directory infrastructure, running at least Windows Server 2008 Domain Functional Level.
  • Familiarity with creating users, groups and manipulating NTFS permissions.
  • You are logged in as a Domain Administrator.
  • The needed groups are available. This means you’ll need a group per DFS Link (or multiple, but that’s up to your design) and a group per folder that should have permissions set. I suggest you never set permissions deeper than the 4th folder, so that would be A\B\C\D and no deeper.

Now, on with the fun stuff.

1. Install Distributed File System

1) Open Server Manager, click Roles and right-click on Roles. Now click Add Roles.


2) Click Next.


3) Select File Services and click Next.


4) Click Next.


5) Select DFS Namespaces and click Next.


6) Choose Create a namespace later using the DFS Management Snap-in in Server Manager and click Next.


7) Click Install.


8) Click Close and reboot the server.


2. Configure a domain-based DFS Namespace.

Now that DFS is up and running we need to create a DFS namespace. This part of the blogpost will explain how you can install a domain-based DFS namespace and configure it for use with Access-based Enumeration.

1) Open the DFS Management Snap-in. This can be found in Start, All Programs, Administrative Tools.


2) Click on Namespaces. Right-click on Namespaces and choose New Namespace.


3) Fill in the server name (in my case FS01) and click Next. This is the server that will run as namespace server. In a domain-based DFS infrastructure this means the server hosts the namespace, but all configuration items are also stored in Active Directory (in CN=DFS-Configuration, CN=System, DC=contoso, DC=com for example). The namespace server is still a single point of failure as long as no other namespace servers are designated.


4) Fill in the name of your namespace and click Edit Settings.


5) If needed, move the local path of the shared folder. You can do this by clicking Browse and choosing a new path. This path will be in the metadata of the DFS infrastructure, or the empty copy of your file server infrastructure when it’s finished. This directory is 0 bytes and will stay this way when it’s managed correctly. Click Use custom permissions and click Customize.


6) Call me paranoid, but I like to keep the permissions I grant to an absolute minimum. Depending on the environment, I give Domain Admins or FileServerAdmins Full Control on the share and Domain Users (also dependent on the environment) Change permissions. This way nobody can mess with the permissions except those that should maintain them. Click OK when done adding the needed groups.


7) Click Next.


8) Choose domain-based namespace and toggle Enable Windows Server 2008 Mode to enabled. Click Next.

Important: Access-based Enumeration will not function unless you have your namespace running in Windows Server 2008 mode.


9) Review all your namespace settings and if everything is correct, click Create.


10) Click Close.


3. Create a DFS Link (Target/Folder Target)

A DFS Link can be seen as a shortcut to another file server on which the files themselves are hosted. In this part I will explain how to create a DFS Link.

1) Open DFS Namespaces, expand Namespaces and right-click on the namespace created earlier. Click New Folder.


2) Fill in the name of the folder, for this example I used Legal and click Add.


3) Fill in the path to the shared folder on your fileserver or click Browse. Click OK in the Folder Target dialog box and in the Folder dialog box.



4. Configuring Access-based Enumeration on the DFS Namespace and the DFS Links.

Access-based Enumeration is a method to hide files and folders from users that don’t have permissions on them. As easy as this sounds, it means the NTFS permissions have to be set up correctly, otherwise users will still see all files. In this part I will explain how the DFS namespace and the DFS Links can be configured to have Access-based Enumeration in place. I will assume all needed Active Directory groups are already in place and filled with the users that need permission to this location. For the sake of demonstration I will use the group name DL-Legal-R for the DFS Link Legal.

NOTE! All commands in this section will give a “Done processing this command” notice when the command executed successfully.

NOTE! Although it is possible to set permissions on the DFS Link (in C:\DFSRoots\…) this is not supported as the permissions will be overwritten by the next Active Directory or registry poll-cycle of DFS. The following method is the only supported method of configuring Access-based Enumeration.

1) Open up Command Prompt (Start, type cmd).

2) Type dfsutil property abde enable <path to the DFS Namespace> (in my case \\\public) and press Enter. This enables ABDE (Access-based Directory Enumeration) on the namespace.


3) Type dfsutil property acl reset <path to the DFS Link> (in my case \\\public\legal) and press Enter. This resets all permissions on the DFS Link to the default.


4) Type dfsutil property acl control <path to the DFS Link> protect (in my case \\\public\legal) and press Enter. This marks the ACL of the DFS Link as protected, so it no longer inherits permissions from the namespace root.


5) Type dfsutil property acl grant <path to the DFS Link> <AD Groupname>:R (in my case \\\public\legal DL-Legal-R:R) and press Enter. Repeat this step for every group that needs access to the DFS Link. Remember, only the groups added here will see the DFS Link; everyone else won’t know it exists.


6) Type dfsutil property acl <path to the DFS Link> (in my case \\\public\legal) and press Enter, then check that all permissions are set correctly. R stands for Read-only, F stands for Full Control.
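The six dfsutil steps above are easy to get out of order when you have to repeat them for dozens of links, so here is the same sequence as a PowerShell script. This is an added example, not a script from the original post: it assumes the namespace is \\contoso.com\public, the link is legal, and the group names CONTOSO\FileServerAdmins, CONTOSO\DL-Legal-R and CONTOSO\DL-Legal-Legaldocuments-M; all of those are placeholders. It uses the “Done processing this command” notice mentioned above to detect whether each dfsutil call succeeded and stops at the first failure, so a half-configured link (reset but not protected, for example) is never left behind silently.

```powershell
# Added example: scripted version of the dfsutil sequence for one DFS Link.
# Namespace, link and group names below are assumptions (placeholders), not from the post.
param(
    [string]   $Namespace   = '\\contoso.com\public',
    [string]   $Link        = 'legal',
    [string[]] $AdminGroups = @('CONTOSO\FileServerAdmins'),                        # get F (Full Control)
    [string[]] $ReadGroups  = @('CONTOSO\DL-Legal-R', 'CONTOSO\DL-Legal-Legaldocuments-M')  # get R (Read-only)
)

$LinkPath = "$Namespace\$Link"

# dfsutil prints "Done processing this command" on success; anything else is treated as failure
function Invoke-DfsUtil {
    param([string[]] $Arguments)
    $output = & dfsutil.exe @Arguments 2>&1
    $text   = ($output | Out-String)
    if ($LASTEXITCODE -ne 0 -or $text -notmatch 'Done processing this command') {
        throw "dfsutil $($Arguments -join ' ') failed:`n$text"
    }
    $text
}

# Step 2: enable ABDE on the namespace root (only works in Windows Server 2008 mode)
Invoke-DfsUtil @('property', 'abde', 'enable', $Namespace)

# Steps 3 and 4: reset the link ACL to the default, then protect it against inheritance
Invoke-DfsUtil @('property', 'acl', 'reset', $LinkPath)
Invoke-DfsUtil @('property', 'acl', 'control', $LinkPath, 'protect')

# Step 5: grant every group that should see the link; everybody else will not see it
foreach ($g in $AdminGroups) { Invoke-DfsUtil @('property', 'acl', 'grant', $LinkPath, "${g}:F") }
foreach ($g in $ReadGroups)  { Invoke-DfsUtil @('property', 'acl', 'grant', $LinkPath, "${g}:R") }

# Step 6: show the resulting ACL so it can be compared with the NTFS ACL on the folder target
& dfsutil.exe property acl $LinkPath
```

Keep the list of groups in one place (a CSV or a hashtable of link name to groups) and feed this script from it; the same list is what you need again in section 5, because the groups granted on the DFS Link and the groups granted on the root folder of the file share must be identical.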


5. Setting the correct (NTFS and Share) permissions on the File Share the DFS Link points to.

As important as setting the correct permissions on your DFS Links is, it’s nothing compared to setting the correct permissions on your file servers. In this example I will explain setting the correct permissions on the file server by setting permissions on the root folder (the folder that your DFS Link points to) and one folder deeper, using Active Directory groups.

1) Go to your file server and right-click on the folder that operates as root folder for your DFS Link (this is the same folder you filled in during step 3.3 of this blogpost). Choose Properties.

REMEMBER! The permissions set on this folder should be the same as the permissions set on your DFS Link as set in 4.5 of this blogpost.


2) As you can see, the permissions are still set as they were by default. Click Advanced.


3) Now, click Change Permissions.


4) Clear the checkbox Include inheritable permissions from this object’s parent and click Apply.


5) Click Remove.


6) Click Add.


7) Search for Domain Admins or any other group that will manage the fileserver infrastructure, for example FileServerAdmins and click OK.


8) Check Full Control (all other checkboxes will be marked automatically) and click OK.


9) Click OK.


10) Click OK.


11) Click Add.


12) Search for the group you use to give access to the folder.


13) Grant Read & Execute, List Folder Contents and Read permissions to this group and click Advanced.


14) Click Change Permissions.


15) Click Edit.


16) Change Apply To from “This Folder, Subfolders and files” to “This Folder Only” and click OK.


17) As you can see now, the permission is changed from “Read and Execute” to “Special”. Click OK.


18) Click OK again. Now the NTFS permissions for this folder are set up correctly. Repeat these steps as needed until all groups that you’ve added on the DFS Link are also added here. Administrative groups should have “This Folder, Subfolders and Files” set as scope; groups that contain users should have “This Folder Only” set.


19) Now we go a folder deeper. For this case I created the folder Legaldocuments with the Active Directory group DL-Legal-Legaldocuments-M and made this the final folder in my permissions structure. In your case there’ll probably be one or two extra folders before you reach the last one, but then you can repeat the earlier steps with new groups. Keep in mind that Domain Admins is already present here because we granted this group inheritable permissions on the root folder.

20) Click Edit.


21) Click Add and add the group you created for this folder, see earlier in this blogpost how this is done. In my case I added the group DL-Legal-Legaldocuments-M and granted Modify permissions. Click OK.


22) Click OK again.
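The 22 clicks above boil down to three icacls calls plus one check, which is how I would apply them to a folder target and verify the result. This is an added example, not from the original post: it assumes the folder target is D:\Shares\Legal and the group names CONTOSO\FileServerAdmins, CONTOSO\DL-Legal-R and CONTOSO\DL-Legal-Legaldocuments-M, all placeholders. The Test-RootAcl function at the end returns every ACE that violates the rules of step 18 (no inherited ACEs on the root; user groups scoped to “This Folder Only”), so an empty result means the folder matches the design.

```powershell
# Added example: NTFS permissions for a DFS folder target, set with icacls and verified with Get-Acl.
# Paths and group names are assumptions (placeholders), not taken from the post.
$Root        = 'D:\Shares\Legal'                       # folder the DFS Link points to (assumed)
$AdminGroup  = 'CONTOSO\FileServerAdmins'              # manages the file server infrastructure (assumed)
$RootReaders = @('CONTOSO\DL-Legal-R', 'CONTOSO\DL-Legal-Legaldocuments-M')  # same groups as on the DFS Link
$SubFolder   = 'Legaldocuments'
$SubGroup    = 'CONTOSO\DL-Legal-Legaldocuments-M'     # gets Modify one folder deeper (assumed)

# icacls inheritance flags: (OI)(CI) = "This folder, subfolders and files";
# no flags = "This folder only". RX = Read & Execute/List/Read, M = Modify, F = Full Control.

# Steps 4 and 5: stop inheriting from the parent and remove every inherited ACE
icacls $Root /inheritance:r | Out-Null

# Steps 6 to 10: the administrative group gets Full Control on the folder and everything below it
icacls $Root /grant "${AdminGroup}:(OI)(CI)F" | Out-Null

# Steps 11 to 18: user groups may read and traverse this folder only; what they see deeper
# is decided by the explicit grants on the deeper folders
foreach ($g in $RootReaders) {
    icacls $Root /grant "${g}:RX" | Out-Null
}

# Steps 19 to 22: the deeper folder grants Modify, inherited by its files and subfolders.
# The administrative group already reaches it through inheritance from the root.
$SubPath = Join-Path $Root $SubFolder
New-Item -ItemType Directory -Path $SubPath -Force | Out-Null
icacls $SubPath /grant "${SubGroup}:(OI)(CI)M" | Out-Null

# Verification: returns the ACEs that break the design, or nothing when the folder is correct
function Test-RootAcl {
    param([string] $Path, [string[]] $UserGroups)
    $acl = Get-Acl -Path $Path
    $problems = @()
    # rule 1: nothing on the root folder may still be inherited
    $problems += $acl.Access | Where-Object { $_.IsInherited }
    # rule 2: user groups must be scoped to "This Folder Only" (no inheritance flags)
    $problems += $acl.Access | Where-Object {
        ($UserGroups -contains $_.IdentityReference.Value) -and
        ($_.InheritanceFlags -ne [System.Security.AccessControl.InheritanceFlags]::None)
    }
    $problems
}

Test-RootAcl -Path $Root -UserGroups $RootReaders
```

Run Test-RootAcl against every folder target after a change window; a group that was added with the default “This folder, subfolders and files” scope by mistake shows up immediately, which is exactly the misconfiguration that makes ABE appear to “not work” because the group can suddenly see every subfolder.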


6. Enabling Access-based Enumeration on the File Share on the File Server.

1) Go to Start, Administrative Tools and click on Share and Storage Management.


2) Choose the Share for use with DFS and click Properties on the right-side of the screen (second blue tab at the right).


3) Click Advanced.


4) Check Enable access-based enumeration so the checkbox is enabled, and click OK.


Congratulations, you’ve successfully set up a simple DFS environment with a file share that has access-based enumeration enabled. It’s up to you to scale this to the enterprise solution you want it to be. Of course, in the case of questions you can always ask them here or by emailing me at stefan<dot>hazenbroek<@>descentes<dot>nl (replace <dot> with . and <@> with @ of course :))

I hope this howto has been of use for you.

Stefan Hazenbroek

5 comments:

  1. You rule, thanks for helping me with my microsoft cert.

  2. Hi Stefan,
    I just wonder: if I want to use ADBE without DFS, could I enable this feature?

  3. Tuan do,

    Do you mean using ABE without DFS? Yes, it's possible. Open up “Share and Storage Management” in Windows Server 2008. Right-click the share you want to enable ABE for, choose "Advanced", and you'll see a choice for "Enable access-based enumeration on this share". It works like a charm.

  4. Hi,
    What is the best practice for setting up permissions for a domain namespace?

    Domain Users Change permissions or Everyone Read ? (\\\Namespace)

    If I add Domain Users with Change, then they can create folders under the namespace, correct?