Access-based enumeration (ABE):
ABE without DFS

With ABE, users see only the files and folders to which they have access when they browse a share on the file server. This removes the confusion caused when users connect to a file server and meet a large number of files and folders that they cannot open.

  • When ABE is enabled: users cannot see files or folders to which they have no access.
  • When ABE is disabled: users can see the folders, but are denied access when they try to open them, so they get confused or annoyed.

Note: this affects only the network share. If a user who can see only one folder over the network signs in locally on the file server, they can see all the folders on disk (they still cannot open the ones they lack permission on).

 

Example: all the folders reside on server Fileserver1 under d:\usershare. Bella is one of the users, and she has been given permission only on her own folder, BellaFile, under d:\usershare. If she logs on to Fileserver1 interactively and browses d:\usershare, she sees all the folders under usershare. If she opens the share by its UNC path in File Explorer instead, she sees only her own folder, BellaFile.

Configuration:

In this example, we have:

domain: frankfu.com

file server: fileserver1 (Windows Server 2012)

client computer: Windows 8, Windows 7, or another server. See the Problems section below.

We have three domain users (or groups, if you prefer): [email protected], [email protected], [email protected], and three folders, FrankFile, BellaFile and PeterFile, one for each user, under the folder “usershare”.

Note: make sure Frank, Bella and Peter are not members of the Administrators group, or they will see everyone else's folders.

 


Step 1. Do not share the folder yet. Right-click the “usershare” folder, Properties, Security tab, Advanced, Disable inheritance, choose Convert inherited permissions into explicit permissions, then keep only Administrators (fileserver1\Administrators), SYSTEM and CREATOR OWNER with Full control and delete every other ACE.

Click Add, click Select a principal at the top of the window, enter Authenticated Users, click OK. Set Type to Allow and Applies to: This folder only, then tick only Read & execute, List folder contents and Read. Click OK to close all the windows. Authenticated Users need Read on the share root itself, otherwise nobody can open \\fileserver1\usershare at all; limiting the ACE to This folder only stops it from flowing down into the per-user folders, which is what lets ABE hide them.

Step 2. Open the “usershare” folder, right-click the FrankFile folder, Properties, Security tab, Advanced, Disable inheritance, choose Convert inherited permissions into explicit permissions, then keep only Administrators (fileserver1\Administrators) and SYSTEM with Full control and delete every other ACE.

Click Add, Select a principal, enter [email protected], click OK, set Type to Allow, tick Modify, and click OK to close all the windows.

Configure the BellaFile and PeterFile folders the same way; the only difference is that each one keeps SYSTEM, Administrators and [email protected] or [email protected] respectively.

Step 3. Open Server Manager and wait until the inventory has loaded. Go to File and Storage Services, Shares, click TASKS at the top of the middle pane, New Share..., SMB Share - Quick, choose Fileserver1 at the top, select Type a custom path and browse to the “usershare” folder, Next, give the share a name (here “usershare”) and note the remote path to share (here \\fileserver1\usershare), Next to Other settings, tick Enable access-based enumeration, Next, and keep the remaining defaults.

Step 4. Test from a client: log on as [email protected], [email protected] or [email protected], then enter \\fileserver1\usershare in File Explorer and check that only that user's own folder is listed.
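The same four steps done in PowerShell on the file server, as an added example that is not part of the original page. It assumes the domain's NetBIOS name is FRANKFU and that the three accounts are FRANKFU\Frank, FRANKFU\Bella and FRANKFU\Peter (the page shows them only as UPNs); run it elevated.

```powershell
# Added example, not from the original page: NTFS ACLs + ABE share in PowerShell.
# Assumptions: domain NetBIOS name FRANKFU, accounts FRANKFU\Frank, Bella, Peter.
$ErrorActionPreference = 'Stop'

$Root   = 'D:\usershare'
$Domain = 'FRANKFU'
$Users  = @{ Frank = 'FrankFile'; Bella = 'BellaFile'; Peter = 'PeterFile' }

# Step 1: share root. Cut inheritance, keep Administrators/SYSTEM/CREATOR OWNER
# with Full control, give Authenticated Users Read on this folder only: no (OI)(CI)
# on that ACE, so it does not propagate into the per-user folders.
New-Item -ItemType Directory -Path $Root -Force | Out-Null
icacls $Root /inheritance:r /grant:r `
    'BUILTIN\Administrators:(OI)(CI)F' `
    'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
    'CREATOR OWNER:(OI)(CI)(IO)F' `
    'NT AUTHORITY\Authenticated Users:(RX)' | Out-Null

# Step 2: per-user folders. Only Administrators, SYSTEM and the owner (Modify).
foreach ($user in $Users.Keys) {
    $folder = Join-Path $Root $Users[$user]
    New-Item -ItemType Directory -Path $folder -Force | Out-Null
    icacls $folder /inheritance:r /grant:r `
        'BUILTIN\Administrators:(OI)(CI)F' `
        'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
        "$Domain\${user}:(OI)(CI)M" | Out-Null
}

# Step 3: the share, with ABE on. The share permission is deliberately broad
# (Authenticated Users); the NTFS ACLs above are what restrict and hide.
if (-not (Get-SmbShare -Name 'usershare' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'usershare' -Path $Root `
        -FolderEnumerationMode AccessBased `
        -FullAccess 'NT AUTHORITY\Authenticated Users' | Out-Null
} else {
    # Share already exists: just switch ABE on for it
    Set-SmbShare -Name 'usershare' -FolderEnumerationMode AccessBased -Force
}

# Step 4 (server side): confirm ABE is on and that no unexpected principal holds
# an Allow ACE on a user folder. Any extra Allow entry here makes that folder
# visible (and readable) to whoever it names, regardless of ABE.
Get-SmbShare -Name 'usershare' | Format-List Name, Path, FolderEnumerationMode
foreach ($user in $Users.Keys) {
    $folder = Join-Path $Root $Users[$user]
    (Get-Acl -LiteralPath $folder).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        Select-Object @{ n = 'Folder'; e = { $folder } }, IdentityReference, FileSystemRights, IsInherited
}
```

The client-side test in step 4 stays the same: log on as one of the users and open \\fileserver1\usershare in File Explorer.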

Note:

ABE hides an item only when the user has no Read/List permission on that item, and it is evaluated for every directory listing inside the share, not just for the share root. A sub-folder deeper in the tree is hidden as long as the user has no effective Read on it.

Say the folder structure is E:\Data\Usersshare\[Bellafile], [Frankfile], [Peterfile], you share the folder “Data” with Enable access-based enumeration ticked, and you expect Frankfile to be hidden from [email protected]. If Frankfile still shows up (and Bella is only refused when she tries to open it), she has an effective Read/List permission on it. The usual cause is an ACE inherited from Data or Usersshare, such as Users or Authenticated Users with Read, because the ACLs on those intermediate folders were not cut off the way “usershare” was in step 1. Check the Effective Access tab (or icacls) on Frankfile and remove the inherited grant; ABE then hides it at any depth.
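A small audit script for exactly this question, added here as an example and not part of the original page: it walks every directory under a share root and reports the Allow ACEs that grant list/read to the identities you name, with a flag showing whether each ACE was inherited. The share path E:\Data\Usersshare and the identity list are assumptions.

```powershell
# Added example, not from the original page: find the ACEs that keep a folder
# visible under ABE. Run on the file server as an administrator.
function Get-AbeVisibilityGrants {
    param(
        [Parameter(Mandatory)] [string] $SharePath,
        # Identities whose ACEs make an item visible to the user you are checking:
        # the account itself, its groups, and the broad principals everyone is in.
        [string[]] $Identities = @('Authenticated Users', 'Everyone', 'Domain Users', 'Users')
    )
    # ListDirectory (for folders) and ReadData (for files) share bit 1
    $listBit = [int][System.Security.AccessControl.FileSystemRights]::ListDirectory
    Get-ChildItem -Path $SharePath -Directory -Recurse -Force | ForEach-Object {
        $dir = $_.FullName
        foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Generic rights (GENERIC_READ etc.) appear as raw numbers and are not
            # decoded here, and Deny ACEs are ignored, so treat hits as candidates
            # to confirm with the Effective Access tab.
            if (([int]$ace.FileSystemRights -band $listBit) -eq 0) { continue }
            $who   = $ace.IdentityReference.Value
            $match = $Identities | Where-Object { $who -eq $_ -or $who -like "*\$_" }
            if (-not $match) { continue }
            [pscustomobject]@{
                Folder    = $dir
                Identity  = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # True: came from a parent folder's ACL
            }
        }
    }
}

# The case in the note: why can Bella still see Frankfile when "Data" is the share?
Get-AbeVisibilityGrants -SharePath 'E:\Data\Usersshare' `
    -Identities 'Bella', 'Authenticated Users', 'Domain Users', 'Everyone', 'Users' |
    Where-Object { $_.Folder -like '*\Frankfile' } |
    Format-Table -AutoSize
```

An inherited Allow for Authenticated Users, Domain Users or Users on Frankfile is the answer in almost every case; remove it (or cut inheritance on the intermediate folders as in step 1) and ABE hides the folder.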

 

Problems:

In my lab, I can log on to another server (Windows Server 2012) as any of the three users and see only their own folder under usershare. So it works fine with a Windows Server 2012 client.

But on Windows 8, the error message is

“\\fileserver1\usershare is not accessible. You might not have permission to use this network resource. The specified network name is no longer available.”

or

“Error code: 0x80070035 The network path was not found”

On Windows 7 clients, the authentication window pops up, but none of the accounts and passwords can be authenticated.

Troubleshooting steps:

Potential solution 1:

On the domain controller, edit the domain GPO at Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

Network security: LAN Manager authentication level – change it to Send LM & NTLM – use NTLMv2 session security if negotiated. Be aware that this level allows clients to fall back to LM and NTLMv1, which are weak; if you try it, revert to Send NTLMv2 response only (or stricter) afterwards.

Did not work.

Potential solution 2:

1) Network and Sharing Center – Change advanced sharing settings

Turn everything OFF for all profiles and options – Save changes and close.

Then

2) Device Manager – Network adapters – uninstall the Ethernet and wireless adapters, then Action – Scan for hardware changes to reinstall them, and close Device Manager.

Then

3) Network and Sharing Center – Change advanced sharing settings – turn everything back ON for all profiles and options – Save changes and close.

This made the Windows 8 client able to connect to Fileserver1, but it still could not be authenticated.

Potential solution 3:

Tried the firewall settings: turned the firewall off, still not working.

Maybe this bug?

https://support.microsoft.com/en-us/kb/2768494

 

ABE in DFS

Another way to configure ABE is on a DFS namespace.

DFS-N (Distributed File System – Namespaces)

 

Install DFS-N (and DFS-R) with PowerShell:

Install-WindowsFeature -Name FS-DFS-Namespace, FS-DFS-Replication -IncludeManagementTools

Create a DFS namespace in PowerShell with the New-DfsnRoot cmdlet (the target path must already exist as an SMB share on fileserver1):

New-DfsnRoot -TargetPath \\fileserver1\share `
    -Path \\frankfu\share `
    -Type DomainV2 `
    -Description "central source for shared files"

To get a full list of the DFS-N cmdlets: Get-Command -Module DFSN

To add a DFS-N folder with a folder target to an existing DFS-N root, use the New-DfsnFolder cmdlet:

New-DfsnFolder -Path \\frankfu\videos `
    -TargetPath \\fileserver1\videos `
    -Description "Corporate Training and Marketing Videos"

To enable access-based enumeration on the \\frankfu\share namespace:

Set-DfsnRoot -Path \\frankfu\share -EnableAccessBasedEnumeration $true
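Enabling ABE on the namespace is only half of it: in DFS-N, what hides a namespace folder is the ACL of that folder in the namespace (set with Grant-DfsnAccess), not the NTFS ACL of the folder target; the NTFS ACL still applies once the client is referred to the target share. The following is an added example, not from the original page, that turns ABE on and scopes each namespace folder to one user. The domain NetBIOS name FRANKFU, the \\frankfu\share namespace, and the per-user shares on fileserver1 are assumptions.

```powershell
# Added example, not from the original page: per-user visibility in a DFS namespace.
# Assumptions: domain FRANKFU, namespace \\frankfu\share, per-user shares on fileserver1.
$ErrorActionPreference = 'Stop'

$Namespace = '\\frankfu\share'
$Domain    = 'FRANKFU'
$Users     = @{ Frank = 'FrankFile'; Bella = 'BellaFile'; Peter = 'PeterFile' }

# ABE on the namespace root: DFS-N will now filter folder listings by the
# Enumerate permission on each namespace folder.
Set-DfsnRoot -Path $Namespace -EnableAccessBasedEnumeration $true

foreach ($user in $Users.Keys) {
    $folderPath = "$Namespace\$($Users[$user])"
    $target     = "\\fileserver1\$($Users[$user])"   # assumed: one share per user

    if (-not (Get-DfsnFolder -Path $folderPath -ErrorAction SilentlyContinue)) {
        New-DfsnFolder -Path $folderPath -TargetPath $target | Out-Null
    }

    # Explicit Enumerate grant for the owner only. Once a namespace folder has an
    # explicit grant, accounts without one no longer see it under ABE
    # (namespace admins still do).
    Grant-DfsnAccess -Path $folderPath -AccountName "$Domain\$user" | Out-Null
}

# Verify: Flags should include Access Based Enumeration, and each folder should
# list exactly one account with AccessType Enumerate.
Get-DfsnRoot -Path $Namespace | Format-List Path, Type, State, Flags
foreach ($user in $Users.Keys) {
    Get-DfsnAccess -Path "$Namespace\$($Users[$user])" |
        Select-Object Path, AccountName, AccessType
}
```

Keep the NTFS ACLs on the targets locked down as in the non-DFS procedure: the namespace ACL only controls what the user sees in the namespace, and anyone who knows the target UNC can still try it directly.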

Other properties that you can set with Set-DfsnRoot:

  • Site costing
  • In-site referrals
  • Access-based enumeration
  • Root scalability
  • Target failback
  • Description
  • State
  • Time to live
DFS-R (Distributed File System – Replication)

 

Get the full list of the DFS-R cmdlets sorted by noun: Get-Command -Module DFSR | Sort-Object Noun, Verb | Format-Table Verb, Noun -AutoSize

Create a new DFS-R replication group, its replicated folder, and add both servers as members in one pipeline:

New-DfsReplicationGroup -GroupName "\\frankfu\share\office" `
    | New-DfsReplicatedFolder -FolderName "office" `
    | Add-DfsrMember -ComputerName fileserver1, Dc1

Add a bidirectional connection between the two servers (Add-DfsrConnection creates both directions unless you specify -CreateOneWay):

Add-DfsrConnection -GroupName "\\frankfu\share\office" `
    -SourceComputerName fileserver1 `
    -DestinationComputerName Dc1

Specify Dc1 as the primary member (its content wins the initial sync):

Set-DfsrMembership -GroupName "\\frankfu\share\office" `
    -FolderName "office" `
    -ContentPath D:\files\office `
    -ComputerName Dc1 `
    -PrimaryMember $true

Specify fileserver1 as the other member:

Set-DfsrMembership -GroupName "\\frankfu\share\office" `
    -FolderName "office" `
    -ContentPath D:\files\office `
    -ComputerName fileserver1

Set the schedule and bandwidth:

Set the schedule to always or never:

Set-DfsrGroupSchedule [-GroupName] <String> [-DomainName] <String> [-UseUTC] <Boolean> [-ScheduleType] {Always | Never} [-Confirm]

Set the schedule and bandwidth in 15-minute intervals for each day of the week:

Set-DfsrGroupSchedule [-GroupName] <String> [-DomainName] <String> [-UseUTC] <Boolean> [-Day] <DayOfWeek> [-BandwidthDetail] <String>

 

Configure Remote Differential Compression (RDC):

By default, RDC is used only on files of 64 KB or larger. Change the threshold to 128 KB with:

Set-DfsrConnection -GroupName "Test" `
    -SourceComputerName "Dc1" `
    -DestinationComputerName "fileserver1" `
    -MinimumRDCFileSizeInKB 128

To disable both cross-file RDC and regular RDC on a connection:

Set-DfsrConnection -GroupName "Test" `
    -SourceComputerName "Dc1" `
    -DestinationComputerName "fileserver1" `
    -DisableRDC $true `
    -DisableCrossFileRDC $true

Configure staging

To set the staging path and a 4 GB quota (Set-DfsrMembership also needs the replicated folder name; "office" is used here to match the group created above):

Set-DfsrMembership -GroupName "Test" `
    -FolderName "office" `
    -ComputerName Dc1 `
    -StagingPath "C:\DfsRoot\Staging" `
    -StagingPathQuotaInMB 4096

 

Cloning a DFS-R database

Cloning a DFS-R database can be done only with Windows PowerShell.

 

To clone a DFS-R database, first create the replication group and folders with these steps:

1. Create and populate the folder that will be the source folder.

2. Create a replication group with New-DfsReplicationGroup.

3. Add a DFS replicated folder with New-DfsReplicatedFolder.

4. Add the source server as a DFS-R member with Add-DfsrMember.

5. Set the source server as the primary member with Set-DfsrMembership.

 

After the replicated folder has initialized successfully, DFS-R logs event 4112, and you can export a clone of the database.

Note: do not add replication partners yet.

During the initial setup of the replication database, do not add replication partners or create a connection to the secondary servers.

Replicated folders that are in any state other than Normal (that is, still in initial sync or in an error state) are ignored during cloning. You can determine the state of the replicated folders with:

Get-WmiObject -Namespace "root\microsoft\windows\DFSR" `
    -Class msft_DfsrReplicatedFolderInfo `
    -ComputerName <sourceserver> `
    | Format-Table ReplicatedFolderName, State -AutoSize -Wrap

Replicated folders that are ready for cloning show State 4 (Normal).

 

Once the replicated folders are ready to clone, export the database to a clone directory (H:\DfsrClone is the directory that will hold the exported clone database):

New-Item -Path "H:\DfsrClone" -ItemType Directory

Export-DfsrClone -Volume "H:" -Path "H:\DfsrClone"

When the export finishes, Export-DfsrClone displays a set of robocopy commands. Get-DfsrCloneState returns Ready when the export process is complete, and you can use it to monitor progress while the export is running. When the cloning is complete, DFS-R also logs event 2402 in the DFS Replication event log.

Use robocopy to move the exported database and to preseed the replicated folder on the target (run elevated: /B uses backup-mode access, and /XD DfsrPrivate keeps the source's private DFS-R folder out of the copy):

robocopy.exe "H:\DfsrClone" "<destination path>" /B

robocopy.exe "<source path>" "<destination path>" /E /B /COPYALL /R:6 /W:5 /MT:64 /XD DfsrPrivate /TEE /LOG+:preseed.log

On the target server, verify that a replication database does not already exist on the volume:

Get-ChildItem -Path "H:\System Volume Information\DFSR" -Hidden

If there is no output, there are no replicated folders on the volume. If there is a listing, you need to clean up any residual traces of a previous replication: you cannot clone into an existing DFS-R database, and the remains of any previous DFS-R folders must be removed first.

You cannot remove residual DFS-R folders or files while the DFS-R service is running. Stop the DFS Replication service, delete all files and folders under “\System Volume Information\DFSR”, and then start the service again.

After preseeding with robocopy is complete, import the cloned database and XML configuration with:

Import-DfsrClone -Volume H: -Path "H:\DfsrClone"

When Get-DfsrCloneState returns Ready, or when the DFS Replication event log shows event 4104, finish the configuration by adding the target server to the replication group and setting its membership:

$DfsrSourceComputerName      = "<sourceserver>"
$DfsrDestinationComputerName = "<destinationserver>"
$DfsrReplicationGroupName    = "<DFS-R group>"
$DfsrReplicatedFolderName    = "<DFS-R folder>"
$DfsrReplicatedFolderPath    = "<DFS-R folder path>"

Add-DfsrMember -GroupName $DfsrReplicationGroupName `
    -ComputerName $DfsrDestinationComputerName

Add-DfsrConnection -GroupName $DfsrReplicationGroupName `
    -SourceComputerName $DfsrSourceComputerName `
    -DestinationComputerName $DfsrDestinationComputerName

Set-DfsrMembership -GroupName $DfsrReplicationGroupName `
    -FolderName $DfsrReplicatedFolderName `
    -ContentPath $DfsrReplicatedFolderPath `
    -ComputerName $DfsrDestinationComputerName

Use the Get-DfsrPreservedFiles cmdlet to find any files that had conflicts during the database cloning, and use Start-DfsrPropagationTest and Write-DfsrPropagationReport to validate that replication is working.
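Two helpers for the clone procedure above, added here as an example and not part of the original page: one confirms that every replicated folder on the source is in state 4 (Normal) before you export, the other polls Get-DfsrCloneState after Export-DfsrClone on the source or Import-DfsrClone on the target, and refuses to import over an existing database. The volume H:, the clone path and the server names are assumptions; run it elevated.

```powershell
# Added example, not from the original page: readiness checks around
# Export-DfsrClone / Import-DfsrClone. Assumptions: volume H:, H:\DfsrClone.
function Test-DfsrFoldersNormal {
    param([string] $ComputerName = $env:COMPUTERNAME)
    $folders  = @(Get-WmiObject -Namespace 'root\microsoft\windows\DFSR' `
                  -Class 'msft_DfsrReplicatedFolderInfo' -ComputerName $ComputerName)
    $notReady = @($folders | Where-Object { $_.State -ne 4 })   # 4 = Normal
    foreach ($f in $notReady) {
        Write-Warning ("{0}: state {1}, not ready for cloning" -f $f.ReplicatedFolderName, $f.State)
    }
    return ($folders.Count -gt 0 -and $notReady.Count -eq 0)
}

function Wait-DfsrCloneReady {
    param([int] $TimeoutMinutes = 120, [int] $PollSeconds = 30)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        # Get-DfsrCloneState reports Ready, Exporting, Importing or Failed; it is
        # compared as text here so the check does not depend on the output type.
        $state = "$(Get-DfsrCloneState)".Trim()
        if ($state -match 'Ready') { return $state }
        if ($state -match 'Fail')  { throw "DFS-R clone operation failed: $state" }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    throw "DFS-R clone still '$state' after $TimeoutMinutes minutes"
}

$Role      = 'Source'   # change to 'Target' on the preseeded destination server
$Volume    = 'H:'
$ClonePath = 'H:\DfsrClone'

if ($Role -eq 'Source') {
    if (-not (Test-DfsrFoldersNormal)) {
        throw 'replicated folders are not all in the Normal state; wait for event 4112'
    }
    New-Item -Path $ClonePath -ItemType Directory -Force | Out-Null
    Export-DfsrClone -Volume $Volume -Path $ClonePath
    Wait-DfsrCloneReady          # DFS-R also logs event 2402 when the export is done
}
else {
    # Never import over an existing database: check the hidden DFSR directory
    # under System Volume Information on the target volume first.
    $dbDir = Join-Path $Volume 'System Volume Information\DFSR'
    if (Get-ChildItem -LiteralPath $dbDir -Hidden -ErrorAction SilentlyContinue) {
        throw "existing DFS-R database in $dbDir; stop the DFSR service and clean it up first"
    }
    Import-DfsrClone -Volume $Volume -Path $ClonePath
    Wait-DfsrCloneReady          # DFS-R logs event 4104 when the import is done
}
```

Run the Source branch before the robocopy preseed and the Target branch after it; only once the import reports Ready should you add the target with Add-DfsrMember, Add-DfsrConnection and Set-DfsrMembership as shown above.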

 

Recovering a DFS-R database

You can use the database cloning technique to speed up recovery from a corrupted DFS-R database on a server. Remove the problem server's membership first, so that DFS-R does not try to rebuild the database while the clone is in progress.

If the only DFS-R memberships on the server are on the same volume as the corrupted database, remove the member with:

Remove-DfsrMember -GroupName <dfsrgroup> -ComputerName <dfsrservername>

Use Remove-DfsrMember only when all of the server's memberships are on a single volume, because this command affects every membership of the server.

If the server has other volumes with healthy DFS-R databases, use the dfsradmin command instead, which lets you remove a single membership:

dfsradmin membership delete /rgname:<dfsrgroup> /rfname:<dfsrfolder> /memname:<dfsrservername>

Optimizing DFS-R
  • Windows Server 2012 R2 adds the ability to tune the minimum staging file size, which improves performance when replicating large files.
  • The staging folder quota should be large enough that replication can continue even when several large files are staged and waiting to replicate. For best performance, make the staging folder as close to the size of the replicated folder as you can.
  • Place staging folders on a different physical disk from the folders that are being replicated.

 

Indexing

By default, Windows Server does not install indexing. To improve users' search experience, install the Windows Search Service feature from Server Manager.

Then open Indexing Options in Control Panel to configure the locations you want indexed: click Modify and select the shared folder.