Asgard Hostmaster
Guest
Posted: Thu Sep 30, 2004 2:17 am
Post subject: ACLs on FRS files

Hi folks,
I've been unable to find anywhere a description of what ACLs, if any, are
required on the shares/folders/files setup for replication. Can anyone
direct me to the appropriate documentation?
thanks,
David

Tim Springston [MS]
Guest

Asgard Hostmaster
Guest
Posted: Sat Oct 16, 2004 6:45 pm
Post subject: Re: ACLs on FRS files

This seems amazing to me?? FRS completely bypasses all system security?
"Tim Springston [MS]" <tspring@online.microsoft.com> wrote in message
news:uUuzhhUsEHA.1220@TK2MSFTNGP10.phx.gbl...

Tim Springston [MS]
Guest
Posted: Sun Oct 17, 2004 9:20 pm
Post subject: Re: ACLs on FRS files

No. FRS is a system service that monitors changes to files on a server.
Each file has an access control list as part of its structure in NTFS.
Since it wouldn't do anyone any good if FRS replicated files without
permissions, FRS has been made to monitor those changes as well and
replicate when those changes happen.
Another way to think of this is that FRS is a local service and interacts
with the underlying kernel mode operating system to do the job of monitoring
local changes to its FRS replica set(s), sending those changes, and
receiving them from other computers in its replica set.
--
Tim Springston
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.
"Asgard Hostmaster" <hostmaster@asgard_remove_.net> wrote in message
news:ORX7sZ4sEHA.3788@TK2MSFTNGP15.phx.gbl...
This seems amazing to me?? FRS completely bypasses all system security?
"Tim Springston [MS]" <tspring@online.microsoft.com> wrote in message
news:uUuzhhUsEHA.1220@TK2MSFTNGP10.phx.gbl...
No ACLs are required for FRS to be able to replicate a file or directory.
Detailed documentation on how FRS does what it does is available at:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/Resources/Documentation/windowsserv/2003/all/techref/en-us/w2k3tr_frs_how.asp
--
Tim Springston
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no
rights.

Asgard Hostmaster
Guest
Posted: Mon Oct 18, 2004 4:02 pm
Post subject: Re: ACLs on FRS files

yes, but if a share for example has Everyone/System/Network etc etc set to
deny, shouldn't that block FRS from replicating it? FRS *must* have some
kind of security context? The service surely can't just connect and do
anything it wishes and completely ignore security on files/registry/shares
etc etc?
The concept that a service on one computer can connect to another of my
computers and make changes completely outside of the NT security system is
concerning. Sure it would make simple replication easy, but still very
worrisome from an architectural standpoint!
I'm hopeful you've misunderstood the question, which arises because I've
been having problems getting NTFRS replication working properly. One of my
systems was locked down extremely tightly after a successful hack a couple
of years ago. It's my guess that FRS needs certain permissions to function
and it's not finding them. I've found a couple of posts around by users
stating it needs certain permissions on the shares/folders/computers it's
trying to replicate, but I've been unable to get an authoritative answer -
apart from yours, which says FRS needs no permissions at all!
say it ain't so!

Jill Zoeller [MSFT]
Guest
Posted: Tue Oct 19, 2004 1:04 am
Post subject: Re: ACLs on FRS files

Hi Asgard, I can confirm Tim's information that FRS does not require any
special permissions on files to replicate them. In fact, reviewing
permissions is not a common avenue for FRS troubleshooting. Have you had a
chance to install Ultrasound? This is the best way to troubleshoot FRS. The
associated Help file also provides troubleshooting steps, including basic
dependency checks (DNS, AD, network) that when configured improperly can
cause FRS to fail.
Ultrasound and related FRS tshooting tools are described here:
http://www.microsoft.com/windowsserver2003/technologies/fileandprint/file/dfs/tshootfrs.mspx
--
This posting is provided "AS IS" with no warranties, and confers no rights.

Asgard Hostmaster
Guest
Posted: Thu Oct 21, 2004 12:15 am
Post subject: Re: ACLs on FRS files

Hi Jill,
Yes, I have installed Ultrasound and used it and FRSDiag and posted results
on this forum. No luck so far. Latest results are below. I'm attempting
replication between a w2k domain controller and a w2k3 domain controller on
the same domain in the same data centre but on different subnets.
Current errors on the w2k3 server, SB-3, in NTFRS_0005.log is this repeated
regularly -
************
<FrsDsFindComputer: 2680: 8806: S2: 13:34:59> :DS: Settings reference is cn=ntds settings,cn=sb-3,cn=servers,cn=san-antonio,cn=sites,cn=configuration,dc=mydomain,dc=net
<FrsDsGetSubscribers: 2680: 8239: S0: 13:34:59> :DS: No NTFRSSubscriber object found under cn=dfs volumes,cn=ntfrs subscriptions,cn=sb-3,ou=domain controllers,dc=mydomain,dc=net!
<FrsDsGetSubscribers: 2680: 8239: S0: 13:34:59> :DS: No NTFRSSubscriber object found under cn=2076db4e-718a-4a61-ac1d-9ae239578d26,cn=dfs volumes,cn=ntfrs subscriptions,cn=sb-3,ou=domain controllers,dc=mydomain,dc=net!
************
Checking with ADSIEdit confirms that there IS an nTFRSSubscriber object in
these places.
Interestingly, when I run FRSDiag on SB-3 and try to connect to SB-2, it
complains -
************
Checking Overall Disk Space and SYSVOL structure (note: integrity is not checked)...Could not check because could not access system share on SB-2...
************
I can access the \\SB-2\SYSVOL no problems from the command prompt on SB-3.
I installed FRSDIAG on SB-2 and ran it locally. It gives similar errors -
************
<FrsDsFindComputer: 4416: 8737: S2: 14:04:09> :DS: Settings reference is cn=ntds settings,cn=sb-2,cn=servers,cn=san-antonio,cn=sites,cn=configuration,dc=mydomain,dc=net
<FrsDsGetSubscribers: 4416: 8169: S0: 14:04:10> :DS: No NTFRSSubscriber object found under cn=dfs volumes,cn=ntfrs subscriptions,cn=sb-2,ou=domain controllers,dc=mydomain,dc=net!
<FrsDsGetSubscribers: 4416: 8169: S0: 14:04:11> :DS: No NTFRSSubscriber object found under cn=2076db4e-718a-4a61-ac1d-9ae239578d26,cn=dfs volumes,cn=ntfrs subscriptions,cn=sb-2,ou=domain controllers,dc=mydomain,dc=net!
************
Again, ADSIEdit confirms the entries DO exist.
NTFRS_005.log on SB-2 reports the following repeatedly as well -
************
<SndCsMain: 2432: 874: S0: 13:59:39> ++ ERROR - EXCEPTION (000006d9) : WStatus: EPT_S_NOT_REGISTERED
<SndCsMain: 2432: 875: S0: 13:59:39> :SR: Cmd 00237200, CxtG 82382b81, WS EPT_S_NOT_REGISTERED, To sb-3.mydomain.net Len: (356) [SndFail - rpc exception]
<SndCsMain: 2432: 895: S0: 13:59:39> :SR: Cmd 00237200, CxtG 82382b81, WS EPT_S_NOT_REGISTERED, To sb-3.mydomain.net Len: (356) [SndFail - Send Penalty]
************
Any advice?
David
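
Added example, not part of the thread and not code from any poster or from Microsoft: a small Python triage of NTFRS debug-log text like the excerpts in the last post, collapsing repeated records into counts of missing-subscriber DNs, failed RPC sends per partner, and exception codes. The names given to the header fields are an assumed reading of the layout; the sample lines are copied from the post's SB-2 excerpts.

```python
import re
from collections import Counter

# Header layout as seen in the excerpts above; the field names used here
# (thread id, source line, severity) are an assumed reading of that layout.
HEADER = re.compile(r"<(\w+):\s*(\d+):\s*(\d+):\s*S(\d):\s*(\d\d:\d\d:\d\d)>\s*")

# Lines from the SB-2 excerpts in the post above, hard-wrapped as a newsreader would.
SAMPLE = """\
<FrsDsGetSubscribers: 4416: 8169: S0: 14:04:10> :DS: No NTFRSSubscriber
object found under cn=dfs volumes,cn=ntfrs subscriptions,cn=sb-2,ou=domain
controllers,dc=mydomain,dc=net!
<SndCsMain: 2432: 874: S0: 13:59:39> ++ ERROR - EXCEPTION (000006d9) :
WStatus: EPT_S_NOT_REGISTERED
<SndCsMain: 2432: 875: S0: 13:59:39> :SR: Cmd 00237200, CxtG 82382b81, WS
EPT_S_NOT_REGISTERED, To sb-3.mydomain.net Len: (356) [SndFail - rpc
exception]
<SndCsMain: 2432: 895: S0: 13:59:39> :SR: Cmd 00237200, CxtG 82382b81, WS
EPT_S_NOT_REGISTERED, To sb-3.mydomain.net Len: (356) [SndFail - Send
Penalty]
"""

def parse_records(text):
    """Undo newsreader wrapping, then split into one dict per log record."""
    flat = " ".join(s.strip() for s in text.splitlines() if s.strip())
    parts = HEADER.split(flat)[1:]  # text before the first header is dropped
    records = []
    for i in range(0, len(parts), 6):
        func, tid, line, sev, when, msg = parts[i:i + 6]
        records.append({"func": func, "thread": int(tid), "line": int(line),
                        "severity": int(sev), "time": when, "msg": msg.strip()})
    return records

def summarize(records):
    """Count recurring findings so repeated log noise collapses to a few facts."""
    missing, rpc, codes = Counter(), Counter(), Counter()
    for r in records:
        if m := re.search(r"No NTFRSSubscriber object found under (.+?)!", r["msg"]):
            missing[m.group(1)] += 1
        if m := re.search(r"WS (\w+), To (\S+)", r["msg"]):
            rpc[(m.group(2), m.group(1))] += 1
        if m := re.search(r"EXCEPTION \(([0-9a-fA-F]+)\)", r["msg"]):
            codes[int(m.group(1), 16)] += 1  # 0x6d9 == 1753
    return {"missing_subscriber": missing, "rpc_send_failures": rpc,
            "exception_codes": codes}

if __name__ == "__main__":
    for name, counts in summarize(parse_records(SAMPLE)).items():
        print(name, dict(counts))
```

Exception code 0x6d9 is decimal 1753, the Win32 value for EPT_S_NOT_REGISTERED, an RPC endpoint-mapper status, so the send failures in the sample concern the RPC path to the partner rather than file ACLs.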