Permission Problems in AD

[Len A]

I setup my AD network, everythign was workign nicely. I have 3 servers so I
setup DFS and mirrored it on another drive, not publishing or using the DFS
share. (The users point to one server I was sharing all files off of) This
too worked nicely with many gigs of data seamlessly copying over.

Since I did the DFS, several days later, it stopped letting me (full domain,
local, etc admin access) to execute anything. The exact message is (whenever
I double click on anything, even a batch file)

---------------------------
\\plato\applications\OWC11.MSI
---------------------------
Windows cannot access the specified device, path, or file. You may not have
the appropriate permissions to access the item.
---------------------------
OK
---------------------------

I have checked permissions on the share, I have full everywhere. Verified
usign the "effective permission" tool. I have also verified permissions on
the folder level under "secuiryt".. I can Create and delete folders, and
delete and create files. Only upon double-click do I get the above message

This container (ou) has no policy assigned to it, and is set to not inherit.

I also created a "test" share, on one of the servers, outside if the DFS
share, and it too did not let me execute as described above.

For a week or so before I setup DFS, I was executing everywhere fine
(installing software on many desktops)

Any ideas?

 

[Herb Martin]

I setup my AD network, everythign was workign nicely. I have 3 servers so I
setup DFS and mirrored it on another drive, not publishing or using the DFS
share. (The users point to one server I was sharing all files off of) This
too worked nicely with many gigs of data seamlessly copying over.

Why are you using DFS then?

Since I did the DFS, several days later, it stopped letting me (full domain,
local, etc admin access) to execute anything. The exact message is (whenever
I double click on anything, even a batch file)
---------------------------
\\plato\applications\OWC11.MSI
---------------------------
Windows cannot access the specified device, path, or file. You may not have
the appropriate permissions to access the item.
---------------------------
OK
---------------------------
I have checked permissions on the share, I have full everywhere. Verified
usign the "effective permission" tool. I have also verified permissions on
the folder level under "secuiryt".. I can Create and delete folders, and
delete and create files. Only upon double-click do I get the above message

What happens when you manually map a drive letter to \\plato\applications
and run the file manually from a commaand prompt?

X:\> OWC11.MSI

This container (ou) has no policy assigned to it, and is set to not

inherit.

OUs have nothing (directly) to do with share or file permissions (unless
you are using GPOs to set NTFS permission which almost no one does
-- certainly without a lot of experience.)

Most likely you have a permission problem if you can read and write
to the share etc. but cannot execute a file.

Have you LOOKED at the Share AND the NTFS permissions for
the actual file? (Windows Explorer properties for the file itself)

I also created a "test" share, on one of the servers, outside if the DFS
share, and it too did not let me execute as described above.

Chances are your permissions on the FILE are messed up. Why?

1) You said you replicated some files
2) You never mentioned the NTFS permissions above
3) You seem to have checked the Share permissions

 

[Len A]

Thanks for the help- I have made some progress down those lines. (looking at
all permissions) I finally got it to work, it seemst that I had to give
access to "domain admins" or possibly "system"- after giving access to both
of these, it started working again.

Thanks for your help.

I am using DFS as a backup, so that I always have 3 copies of my (many)
shared files, on 3 different servers. if one goes down, I can quickly bring
the others back up to full service. It actually works very nicely, and
seamlessly. I even have the mailStore backed up this way.

 

[Herb Martin]

Thanks for the help- I have made some progress down those lines. (looking at
all permissions) I finally got it to work, it seemst that I had to give
access to "domain admins" or possibly "system"- after giving access to both
of these, it started working again.

Thanks for your help.

I am using DFS as a backup, so that I always have 3 copies of my (many)
shared files, on 3 different servers. if one goes down, I can quickly bring
the others back up to full service. It actually works very nicely, and
seamlessly. I even have the mailStore backed up this way.

But if you aren't actually using the DFS for either replicas or replication,
what feature is it providing?

Consider having your backup ONLINE, so that even during unexpected
outages the clients will simply fail over to the working server(s) AND
they can use the multiple online servers for better performance (load
balancing)....

 

[Len A]

I am oinly using replicas and replication, not the distributed file share
capability. The replicas are the backups, then I can run a regular tape or
whatever backup on a copy that is never in use, and the files are never in
use...

I really like what you are saying, real load balancing, but I don;t see how
active directory really does this, other than authentication. (if one DC
goes away, the 2nd will authenticate.) I am also running Exchange to add to
the confusion.

So am I correct in now thinking that if I use the DFS file sharing, and a
server drops out, then the other server will step in seamlessly?? (be
patient with me here, I have never really implemented this stuff myself
before!)

I did find one strange thing, I have two DCs (plato and socrates) that run
DFS, the 3rd (DC) is windows 2000 server and doesn't seem to want to play (I
will upgrade it to 2003 when I get a chance). I put my (roaming user)
profiles on plato, shared that and used it as the location of user profiles
(\\plato\\profile\%username%). All worked fine. Then I caught one computer
looking for \\socrates\\profiles upon logon- I never told it about this,
but I guess the DFS or the DC wanted to use a different server, so I setup a
share on socrates then it all seems to be happy. (the share on socrates is
the folder that is replicated in DFS so the files seem to be current) Why is
this?? I like it, because I would love for each server to provide shares
when it is most appropriate (load balance).

 

[Herb Martin]

I am oinly using replicas and replication, not the distributed file share
capability. The replicas are the backups, then I can run a regular tape or
whatever backup on a copy that is never in use, and the files are never in
use...

I really like what you are saying, real load balancing, but I don;t see how
active directory really does this, other than authentication. (if one DC
goes away, the 2nd will authenticate.) I am also running Exchange to add to
the confusion.

AD doesn't really do the load balancing, but rather maintains the
DFS share info, which the clients learn and use to make it work.
Technically it is the clients who have a list of share replicas and
pick one (same site preferred) and fail over to another replica
if the first goes down.

So am I correct in now thinking that if I use the DFS file sharing, and a
server drops out, then the other server will step in seamlessly?? (be
patient with me here, I have never really implemented this stuff myself
before!)

Almost seemlessly -- if users are currently using files, they must
reconnect (it happens automatically however) to another server.

I did find one strange thing, I have two DCs (plato and socrates) that run
DFS, the 3rd (DC) is windows 2000 server and doesn't seem to want to play (I
will upgrade it to 2003 when I get a chance).

I have never personally mixed DFS this way but Win2000 does
support DFS and so it should work.

I put my (roaming user)
profiles on plato, shared that and used it as the location of user profiles
(\\plato\\profile\%username%). All worked fine. Then I caught one computer
looking for \\socrates\\profiles upon logon- I never told it about this,
but I guess the DFS or the DC wanted to use a different server, so I setup a
share on socrates then it all seems to be happy. (the share on socrates is
the folder that is replicated in DFS so the files seem to be current) Why is
this?? I like it, because I would love for each server to provide shares
when it is most appropriate (load balance).

There is (or was at least in 2000) some strangeness in using DFS for
profiles.