Enterprise Server Strategies for the CIOI'm a little weak when it comes to NTFRS, DFS and junction points so hopefully this will not be a mundane question and will perk your interest a little.
For security reasons (and for the sake of experience), I have implemented Microsoft DFS on our network file server. I did this so the file shares that users see on their machines don't show the server name hosting the shared directories. I also did this so an identical DFS set could be hosted on the backup server. Instead of backing up the data directory on the file server over ethernet, I backup the synced DFS Root off the backup server to tape.
Here is my dilemma. Currently the users see the following:
j:domainnameDFSRootshare1 instead of //servername/share
k:domainnameDFSRootshare2 instead of //servername/share
l:domainnameDFSRootshare3 instead of //servername/share
m:domainnameDFSRootsubdirectory1subdirectory2subdirectory3subdirectory4share4 instead of //servername/share
As you can see the first 3 shares are clean and short to the user. The 4th share is way to long and cumbersome in Windows Explorer. I would like to keep only one DFS root for the domain but shorten the share path to the M: drive (without moving the share4 directory to the DFS Root). The only way I can conceive doing this is to create a junction point inside the DFS set. Is this possible? Creating a junction point inside of a logical namespace. Basically I would create a junction point directory off the DFS Root that would point to the directory where share 4 is located.
m:domainnameDFSRootshared junctionpointdirectory that would point to
m:domainnameDFSRootsubdirectory1subdirectory2subdirectory3subdirectory4share4
I'm pretty sure that I am just asking for trouble here but would enjoy any thoughts or responses you might have. Oh yeah -- for your readersadmins out there who use DFS, make sure you have the command prompt locked down. Even if an admin has DFS in place and has prohibited users from loading 3rd party utils/programs, a user can go to a dos prompt and type in c:netstat to figure out what server the share is on.
For security reasons (and for the sake of experience), I have implemented Microsoft DFS on our network file server. I did this so the file shares that users see on their machines don't show the server name hosting the shared directories. I also did this so an identical DFS set could be hosted on the backup server. Instead of backing up the data directory on the file server over ethernet, I backup the synced DFS Root off the backup server to tape.
Here is my dilemma. Currently the users see the following:
j:domainnameDFSRootshare1 instead of //servername/share
k:domainnameDFSRootshare2 instead of //servername/share
l:domainnameDFSRootshare3 instead of //servername/share
m:domainnameDFSRootsubdirectory1subdirectory2subdirectory3subdirectory4share4 instead of //servername/share
As you can see the first 3 shares are clean and short to the user. The 4th share is way to long and cumbersome in Windows Explorer. I would like to keep only one DFS root for the domain but shorten the share path to the M: drive (without moving the share4 directory to the DFS Root). The only way I can conceive doing this is to create a junction point inside the DFS set. Is this possible? Creating a junction point inside of a logical namespace. Basically I would create a junction point directory off the DFS Root that would point to the directory where share 4 is located.
m:domainnameDFSRootshared junctionpointdirectory that would point to
m:domainnameDFSRootsubdirectory1subdirectory2subdirectory3subdirectory4share4
I'm pretty sure that I am just asking for trouble here but would enjoy any thoughts or responses you might have. Oh yeah -- for your readersadmins out there who use DFS, make sure you have the command prompt locked down. Even if an admin has DFS in place and has prohibited users from loading 3rd party utils/programs, a user can go to a dos prompt and type in c:netstat to figure out what server the share is on.
Requires Free Membership to View
Answer: A junction point cannot be created to the DFS share as junction points are created to locally attached devices. LINKD and MOUNTVOL can be used to create the junction points (or reparse points) but they work on local devices and directories only. DFS is in fact the tool to create junction points for network shares. As such, it is possible to create a DFS share that points to a DFS share. Let me build an example to help explain.
We start with a Domain Root DFS on a DC called MyDomainController. The DFS root looks like this:
\MyDomain.LocalMyDFSRoot = \MyDomainControllerDFSRoot = C:DFSRoot
Now I want the users to be able to access a subfolder on the Domain Controller (just keeping it simple for right now) with a physical name:
C:DFSRootSharedDataDepartmentsMarketing
The ONLY share that exists is \MyDomainControllerDFSRoot but that doesn't stop me from creating a DFS link to a subfolder like this:
\MyDomain.LocalMyDFSRootMarketing = \MyDomainControllerDFSRootSharedDataDepartmentsMarketing
The only thing the user has to know is the much smaller \MyDomain.LocalMyDFSRootMarketing.
This can be done to other servers on the network. For example, let's say the Marketing folder was on another machine called MyFileServer. The MyFileServer has only 1 share called CompanyData:
\MyFileServerCompanyData = D:CompanyData
The Marketing data we want is at a downlevel directory like this:
d:CopmanyDataDepartmentsMarketingMrkManagementQ3
We can create a DFS like this:
\MyDomain.locvalMyDFSRootCurrentQMrkMgt = \MyFileServerCompanyDataDepartmentsMarketingMrkManagementQ3
Works just fine! YOu can create multiple DFS Links to the same share and subdirectories. You can even link DFS to another DFS, although I am not sure why you would do this and it would be very easy to create cyclic links that result in errors reporting that the path name is too long.
We start with a Domain Root DFS on a DC called MyDomainController. The DFS root looks like this:
\MyDomain.LocalMyDFSRoot = \MyDomainControllerDFSRoot = C:DFSRoot
Now I want the users to be able to access a subfolder on the Domain Controller (just keeping it simple for right now) with a physical name:
C:DFSRootSharedDataDepartmentsMarketing
The ONLY share that exists is \MyDomainControllerDFSRoot but that doesn't stop me from creating a DFS link to a subfolder like this:
\MyDomain.LocalMyDFSRootMarketing = \MyDomainControllerDFSRootSharedDataDepartmentsMarketing
The only thing the user has to know is the much smaller \MyDomain.LocalMyDFSRootMarketing.
This can be done to other servers on the network. For example, let's say the Marketing folder was on another machine called MyFileServer. The MyFileServer has only 1 share called CompanyData:
\MyFileServerCompanyData = D:CompanyData
The Marketing data we want is at a downlevel directory like this:
d:CopmanyDataDepartmentsMarketingMrkManagementQ3
We can create a DFS like this:
\MyDomain.locvalMyDFSRootCurrentQMrkMgt = \MyFileServerCompanyDataDepartmentsMarketingMrkManagementQ3
Works just fine! YOu can create multiple DFS Links to the same share and subdirectories. You can even link DFS to another DFS, although I am not sure why you would do this and it would be very easy to create cyclic links that result in errors reporting that the path name is too long.
This was first published in February 2004
Join the conversationComment
Share
Comments
Results
Contribute to the conversation