A distributed file system (DFS) is used to “mask” the location of content that is shared on a server. A DFS allows administrators to alter the actual location of content without having to change the user’s access to the DFS share point. The DFS share point can also have a name that does not represent the actual server and shared folder name of the original content.

Beyond location transparency, a DFS offers storage scalability and simplified maintenance. What a DFS doesn’t offer is security. When setting up DFS shares, the only security comes from the shared folder permissions and NTFS permissions that are on the original content.

Say, for example, that you have a folder named “Data” on Server1. You can share the “Data” folder as a shared folder named “CorpData.” You could then access this share from a computer using the universal naming convention (UNC) path “\\server1\corpdata.”


The “CorpData” share can have share permissions set on it, which are always best set to “Everyone – Full Control” (or “Authenticated Users – Full Control,” if you’re concerned about your “Everyone” group). Ideally, NTFS permissions should be used as the primary access control, as share permissions are weak. By using NTFS permissions, you ensure that the permissions stay intact when the content is moved, and you gain granular control over the permissions you need to set.

As you set up a DFS, you will create a DFS share name, such as “DFSCorpData.” Then, you will configure which UNC share point you want the DFS to “mask,” which, in this case, is “\\server1\corpdata.” The administrator will now use the DFS share, say “\\DFSServer1\DFSCorpData,” for user access to the content, but the original data and content will be located on Server1, under the “Data” folder.

If the administrator wants to move the data to a different server and folder, the DFS share pointer is changed, but the UNC path that users are configured with is not. When the change is made, access to the content is still not controlled through the DFS configuration, but rather by the share and NTFS permissions of the content.
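Because the DFS pointer carries no permissions of its own, a review of a DFS share has to look at each target it points to. The following PowerShell is an added example, not part of the original article: it resolves the folder targets behind a DFS path and lists the share and NTFS entries on each one. The function name, the list of "broad" principals and the placeholder path in the usage comment are assumptions.

```powershell
# Added example. Needs the DFSN and SmbShare modules (RSAT / file server tools)
# and rights to query the target servers remotely.
function Get-DfsTargetPermission {
    param(
        # DFS folder path inside a namespace; supply your own.
        [Parameter(Mandatory)][string]$DfsFolderPath
    )

    # Principals this report treats as "broad" (assumption; adjust to your policy).
    $broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'

    foreach ($target in Get-DfsnFolderTarget -Path $DfsFolderPath) {
        # TargetPath is the masked UNC share, e.g. \\server1\corpdata
        $parts  = $target.TargetPath.TrimStart('\') -split '\\'
        $server = $parts[0]
        $share  = $parts[1]

        # Layer 1: share permissions, read from the server that hosts the share.
        Get-SmbShareAccess -Name $share -CimSession $server | ForEach-Object {
            [pscustomobject]@{
                Target    = $target.TargetPath
                Layer     = 'Share'
                Principal = $_.AccountName
                Rights    = [string]$_.AccessRight
                Type      = [string]$_.AccessControlType
                Broad     = $_.AccountName -in $broad
            }
        }

        # Layer 2: NTFS ACL on the folder the share exposes (root only;
        # subfolders with broken inheritance need their own Get-Acl pass).
        (Get-Acl -LiteralPath $target.TargetPath).Access | ForEach-Object {
            [pscustomobject]@{
                Target    = $target.TargetPath
                Layer     = 'NTFS'
                Principal = $_.IdentityReference.Value
                Rights    = [string]$_.FileSystemRights
                Type      = [string]$_.AccessControlType
                Broad     = $_.IdentityReference.Value -in $broad
            }
        }
    }
}

# Usage (placeholder path, replace with a real DFS folder):
# Get-DfsTargetPermission -DfsFolderPath '\\DFSServer1\<namespace>\<folder>' |
#     Where-Object { $_.Layer -eq 'NTFS' -and $_.Broad -and $_.Type -eq 'Allow' }
```

With the share layer set to “Everyone – Full Control” as described above, any row the usage filter returns is a broad NTFS grant that nothing else narrows. Re-run the check after the DFS pointer is changed, since the new target brings its own share and NTFS permissions.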

 

NTFS Permissions