Changing the permissions to read-only on the DFS roots is
no issue at all (doesn't matter what type of server the root is hosted on - DC
or member). I'd actually replace Everyone with Auth. Users at the same
time.

As for Kevin's other comment on using Win2000 for DFS vs.
Win2003 or R2 - totally agree that especially R2 has extensive improvements in
the DFS service itself and especially in the file-replication engine (DFS-R).
But if Bryan is not using file-replication in this Win2000 environment and
"only" needs to build a hierarchy of shares, he can already get quite far with
Win2000 DFS roots. Of course there have been advancements such as multiple
DFS roots per server in 2003 and further cool stuff for the basic DFS service in
R2, such as sub-folder hierarchy for the DFS links, but Bryan may not need
them.

Fully agree though, if file replication is involved, DFS-R
in R2 is much preferred over FRS in Win2000 and Win2003 (RTM). Really depends on
your situation if you need it.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Monday, July 24, 2006 11:50 PM
To: [email protected]
Subject: RE: [ActiveDir] Securing DFS

I have never had any
problems caused by changing permissions on a DFS root. One thing to
consider before you move too far down the road of configuration though is if you
really want to invest in a 2000 DFS structure when the 2003 R2 DFS structure is
so much more robust and reliable. I have had and heard of countless
problems with 2000 DFS. I have not had any problems with 2003 R2 DFS at
all. If you decide to move forward with 2000 DFS, be aware that they will
probably stop replicating occasionally. You will then spend hours
troubleshooting. Seriously it is worth building this on 2003 R2 servers
even if you don’t currently have any, if you are doing anything with DFS.
I know that is not what you are asking, sorry.

Anyone disagree?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan

We built a DFS Root on a Windows
2000 domain controller and the root of the share has “Everyone” Full
Control. E.g. if I go to \\domain.com,
right click on the DFS root’s properties, the security
tab. Can I simply take FC away? I’m
a bit hesitant because it lives on the DC and came this way by
default.

Bryan Lucas
Server Administrator