As organizations accumulate more and more data, administrators often find that having a single file server does...
not meet their needs. Although adding additional file servers or even network-attached storage (NAS) devices is certainly an option, doing so introduces a degree of complexity into the organization because users' files are no longer being hosted in one single location.
In the past, an administrator had to keep track of which file resources were on which servers, and redirect users accordingly. This was confusing for both users and admins, especially when file resources had to be moved from one server to another to make up for disk space or other server resource shortages.
In Windows 2000 Server, Microsoft introduced a feature called the Distributed File System (DFS). This feature, which is also present in Windows Server 2003 and 2008, allows an administrator to virtualize the file system so the physical location of a user's files no longer matters. DFS creates a consolidated view of folders, even if those folders are spread across multiple file servers. Users access this consolidated view through a DFS root, which gives the illusion of being a normal share on a file server.
This form of file system virtualization is intended to help reduce confusion by presenting users with a unified view of the file systems of multiple file servers. Despite this, users still may not understand why they have to get to their files in a new way, or why they can suddenly see a bunch of files and folders that did not previously exist.
With those types of issues in mind, Microsoft has incorporated a few changes in Windows Server 2008 that make the file system virtualization process a bit less confusing for end users. Of these new features, the most helpful is Access-based Enumeration.
The basic idea behind Access-based Enumeration is that users are only allowed to see the files and folders they have access to. In previous versions of Windows Server, users accessing a virtualized file system through a DFS root could see the entire file structure, even if they didn't have permission to actually open all of the files and folders.
One thing to keep in mind about Access-based Enumeration is that it is not enabled by default (although it is enabled by default for newly created shares in Windows Server 2008). There are a couple of reasons for this. First, it makes the Windows Server 2008 DFS experience consistent with what users had when the DFS root was hosted on earlier versions of Windows Server.
A more important reason why Access-based Enumeration is not enabled by default, however, is that it's not compatible with earlier versions of Windows Server. If you want to use Access-based Enumeration, you must either be using a standalone DFS namespace that's hosted on a server running Windows 2008, or a domain based namespace that is running in Windows Server 2008 mode.
In case you have never heard of Windows Server 2008 mode, it is a new functional level offered by the Windows 2008 version of DFS. Setting Windows to use the Windows Server 2008 mode domain-based namespaces does two things:
- Allows you to use Access-based Enumeration.
- Increases the namespace's scalability.
DFS roots that are running the standard namespace mode (which is now called Windows 2000 Server mode) are limited to hosting about 5000 folders with targets. This is due to an Active Directory limitation found in older versions of Windows Server, which only allows a namespace directory object to grow to 5 MB. DFS roots running in Windows Server 2008 mode are not subject to this limitation. To the best of my knowledge, Microsoft has not released any information about what DFS is now capable of scaling to.
The requirements for using Windows Server 2008 mode are fairly straightforward. The domain must be set to use the Windows Server 2008 domain functional level, and all of your DFS namespace servers must be running Windows Server 2008.
Once you begin using Windows Server 2008 mode, you will have to manually implement Access-based Enumeration. You can do so by entering the following command:
DFSUTIL property abde enable \\<namespace_root>
You will also have to set the appropriate security permissions on each of the DFS folders, which you can do by using this command:
DFSUTIL property ACL grant \\<namespace_root>\<folder><username>:<permission>
Although implementing Access-based Enumeration is somewhat straightforward, it can be a bit complicated once you have DFS in place. Fortunately, Microsoft provides some really good resources that walk you through the process, including a basic overview of DFS in Windows 2008 and details Windows Server 2008 mode.
ABOUT THE AUTHOR
Brien M. Posey, MCSE, has received Microsoft's Most Valuable Professional Award four times for his work with Windows Server, IIS and Exchange Server. He has served as CIO for a nationwide chain of hospitals and healthcare facilities, and was once a network administrator for Fort Knox. You can visit his personal Web site at www.brienposey.com.