DFS technology is used to “mask” the location of content that is shared on a server. DFS allows administrators to alter the actual location of the content without having to change the user’s access to the DFS share point. The DFS share point can also have a name that does not represent the actual server and shared folder name of the original content.

Beyond location transparency, DFS offers storage scalability and simplified maintenance. What DFS doesn’t offer is security. When setting up DFS shares, the only security comes from the shared folder permissions and NTFS permissions that are on the original content.

Say, for example, that you have a folder named “Data” on Server1. You can share the “Data” folder as a shared folder named “CorpData.” You could then access this share from a computer using the universal naming convention (UNC) path “\\server1\corpdata.”


The “CorpData” share could have share permissions set up on it, which, of course, are always best to set to “Everyone – Full Control” (or “Authenticated Users – Full Control,” if you are concerned about your “Everyone” group). Ideally, NTFS permissions should be used as the primary access control, as share permissions are weak and fragile. By using NTFS permissions, you can ensure that the permissions stay intact when the content is moved and you gain granular control over the permissions you need to set.

As you set up DFS, you will create a DFS share name, such as “DFSCorpData.” Then, you will configure which UNC share point you want DFS to “mask,” which, in this case, is “\\server1\corpdata.” The administrator will now use the DFS share, say “\\DFSServer1\DFSCorpData,” for user access to the content, but the original data and content will be located on Server1, under the “Data” folder.

If the administrator wants to move the data to a different server and folder name, the DFS share pointer is changed, but the configuration of the user UNC is not. If the change is made, the access security of the content will not be controlled through the DFS configuration, but rather by the share and NTFS permissions on the original content.
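Because access is decided at the target and not in DFS, a permissions review has to follow the DFS name to the share behind it. The following is an added example, not part of the original post: a PowerShell function (the name `Get-DfsTargetPermission` is hypothetical) that resolves a DFS folder to its targets and lists both the share and NTFS permissions found there. It assumes the DFSN and SmbShare modules are installed and that the account running it can query the target servers.

```powershell
#Requires -Modules DFSN, SmbShare

function Get-DfsTargetPermission {
    [CmdletBinding()]
    param(
        # DFS folder path to audit; supplied by the caller
        [Parameter(Mandatory)]
        [string]$DfsPath
    )

    foreach ($target in Get-DfsnFolderTarget -Path $DfsPath) {
        # TargetPath is the real UNC behind the DFS name, e.g. \\server1\corpdata
        if ($target.TargetPath -notmatch '^\\\\(?<server>[^\\]+)\\(?<share>[^\\]+)') {
            Write-Warning "Could not parse target path: $($target.TargetPath)"
            continue
        }
        $server = $Matches['server']
        $share  = $Matches['share']

        # Layer 1: share permissions, read from the server that hosts the target
        Get-SmbShareAccess -Name $share -CimSession $server | ForEach-Object {
            [pscustomobject]@{
                DfsPath   = $DfsPath
                Target    = $target.TargetPath
                Layer     = 'Share'
                Identity  = $_.AccountName
                Type      = $_.AccessControlType
                Rights    = $_.AccessRight
                Inherited = $null
            }
        }

        # Layer 2: NTFS ACL on the root folder of the target share.
        # The provider prefix makes the UNC path resolve from any current location.
        $fsPath = "Microsoft.PowerShell.Core\FileSystem::$($target.TargetPath)"
        (Get-Acl -LiteralPath $fsPath).Access | ForEach-Object {
            [pscustomobject]@{
                DfsPath   = $DfsPath
                Target    = $target.TargetPath
                Layer     = 'NTFS'
                Identity  = $_.IdentityReference
                Type      = $_.AccessControlType
                Rights    = $_.FileSystemRights
                Inherited = $_.IsInherited
            }
        }
    }
}
```

Running it again after the DFS pointer has been changed to a new server shows whether the share and NTFS permissions at the new location match the old ones, since nothing in DFS carries them over.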

