Brainstorming Domain-based DFS with DISA STIGs

  • Last Post 08 April 2016
a-ko posted this 08 April 2016

Hey all. Figured I’d throw this out there to get some open discussion on the best way to tackle this.

Typically speaking, most people use their DA accounts to create AD-integrated DFS Shares. However, per the Windows Server 2012/2012R2 Member Server STIG (Release 3, October 23 2015), Domain/Enterprise Admins should be set as “Deny access to this computer from a network.” Unfortunately, Domain Admin rights are typically used and needed when making changes to the AD DFS Container. And when you try to add the folder targets, DFS Management Console can’t access them! (Because you’re using your DA Account, and you’ve denied access to this account on that server.)

So long story short, I said “Okay, I’ll just grant the ability for my server admin account to create AD-integrated DFS Namespaces.” So I followed the MSKB here and created a security group to apply the permissions: https://support.microsoft.com/en-us/kb/258992

Easy enough! Threw my account into this new security group (DFS Admins). Done deal. I can now create AD-integrated DFS Namespaces from my Member Server account! Great….. But not so….

So it turns out, there’s a separate configuration in order to be able to create Replication Groups. So I looked around and can’t find exactly how to do this without using my DA account to delegate management to Replication Groups via the DFS Management Console. The problem is, the Replication Group I configured with my server admin account seems to not have inherited the security group permissions I set at the Replication Group Management level to allow my DFS Admins to manage Replication Groups…

Any thoughts? Ideas?

-Mike Cramer
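As an added example (not code from the original post, from Microsoft, or from the linked KB articles), the two read-only checks I would run on a member server in this situation: which ACEs the delegation group actually holds on the AD containers that govern DFS namespaces and DFS Replication, including whether existing replication-group objects inherited them, and whether the server really denies network logon to Domain/Enterprise Admins (the STIG setting that stops the DA account from reaching the folder targets). It assumes the ActiveDirectory module is installed, the caller has read access to the System container, and the delegation group is named “DFS Admins” as in the post; `secedit` needs local administrator rights.

```powershell
# Added example, not from the thread: audit DFS delegation ACLs and the STIG deny-network-logon setting.
# Assumptions: ActiveDirectory module present; read access to CN=System; group name "DFS Admins" from the post.
Import-Module ActiveDirectory

function Get-DfsDelegationReport {
    param([string]$GroupName = 'DFS Admins')   # assumption: the group created in the post

    $domainDn = (Get-ADDomain).DistinguishedName
    $dfsnDn   = "CN=Dfs-Configuration,CN=System,$domainDn"      # namespace configuration (KB 258992)
    $dfsrDn   = "CN=DFSR-GlobalSettings,CN=System,$domainDn"    # replication configuration (KB 911604)

    # Each replication group is an msDFSR-ReplicationGroup object under DFSR-GlobalSettings.
    # Listing them shows whether the group's ACE on the container reached the child objects.
    $replGroups = @(Get-ADObject -SearchBase $dfsrDn -SearchScope Subtree `
        -LDAPFilter '(objectClass=msDFSR-ReplicationGroup)' | Select-Object -ExpandProperty DistinguishedName)
    $objects = @($dfsnDn, $dfsrDn) + $replGroups

    foreach ($dn in $objects) {
        $acl = Get-Acl -Path "AD:\$dn"
        $matching = @($acl.Access | Where-Object { $_.IdentityReference.Value -like "*\$GroupName" })
        if ($matching.Count -eq 0) {
            # A replication group with no ACE for the group is exactly the symptom described in the post.
            [pscustomobject]@{ Object = $dn; Rights = '(none)'; Type = ''; Inherited = ''; InheritanceType = '' }
            continue
        }
        foreach ($ace in $matching) {
            [pscustomobject]@{
                Object          = $dn
                Rights          = $ace.ActiveDirectoryRights
                Type            = $ace.AccessControlType
                Inherited       = $ace.IsInherited       # False = explicit ACE set on this object only
                InheritanceType = $ace.InheritanceType   # None = will not flow to new child objects
            }
        }
    }
}

function Test-AdminNetworkLogonDenied {
    # $true only when both Domain Admins (RID 512) and Enterprise Admins (RID 519) hold
    # SeDenyNetworkLogonRight, i.e. "Deny access to this computer from the network".
    param([string]$ExportPath = (Join-Path $env:TEMP 'userrights.inf'))

    secedit /export /cfg $ExportPath /areas USER_RIGHTS | Out-Null
    $line = Get-Content -Path $ExportPath |
        Where-Object { $_ -match '^SeDenyNetworkLogonRight' } |
        Select-Object -First 1
    Remove-Item -Path $ExportPath -ErrorAction SilentlyContinue
    if (-not $line) { return $false }   # the right is not assigned to anyone

    # Exported format: SeDenyNetworkLogonRight = *S-1-5-21-...-512,*S-1-5-21-...-519
    $sids = (($line -split '=', 2)[1] -split ',') | ForEach-Object { $_.Trim().TrimStart('*') }
    $domainAdmins     = $sids | Where-Object { $_ -match '^S-1-5-21-.*-512$' }
    $enterpriseAdmins = $sids | Where-Object { $_ -match '^S-1-5-21-.*-519$' }
    return [bool]($domainAdmins -and $enterpriseAdmins)
}

Get-DfsDelegationReport | Format-Table -AutoSize
"Domain/Enterprise Admins denied network logon on this server: $(Test-AdminNetworkLogonDenied)"
```

In the report, a replication-group row that shows `(none)`, or a container row whose `InheritanceType` is `None`, tells you the group’s ACE was set on the object alone and will not reach replication groups created later; a `$false` from the second check means the server does not yet match the STIG setting the post quotes, so the DA account would still reach the folder targets there.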

barkills posted this 08 April 2016

We ran into this about 18 months ago for our delegated domain-based DFS offering. See the DFS-R Support section at https://wiki.cac.washington.edu/display/UWWI/Domain-based+DFS+Namespace+Services.


I think the third permission noted in that section is the one you are seeking.


Of course, our documentation is specific to our groups and AD DIT, but it should be easy enough to translate to your scenario.


Brian


a-ko posted this 08 April 2016

Thanks for the link! I also did some further digging… and found this. My google fu this morning I guess sucked. https://support.microsoft.com/en-us/kb/911604

-Mike
