Group:  English: Windows Server » microsoft.public.windows.server.dfs_frs
Thread: DFSR + inherited permissions

DFSR + inherited permissions
James 02.07.2007 18:16:03
Hi, I am currently replicating web content between two Win2kSP1R2 servers (One Way Replication). On each server, the local ComputerName\IIS_WPG group has explicit rights to the web content directory. When files and folders are replicated, the ACL of the files or folders does not show the local IIS_WPG group at all. Only the SID names are enumerated for the local group. The folder permissions for web content are inherited from a parent folder. Even after manually replacing permissions from parent, new replicated files and folders are not enumerated or accessible from the web. What can I do to solve this issue? Any help will be greatly appreciated.
Thanks,
Re: DFSR + inherited permissions
"Ned Pyle [MSFT]" <nedpyle[ at ]online.microsoft.com> 06.07.2007 00:30:18
So, a few things:

1. One-way replication is not supported nor desirable nor going to work for you.
2. Using local groups that are not built-in with well-known SIDs as ACLs is not going to work for other servers - the SIDs don't match, so there is no way to resolve them or pass them as part of the access mask.

What about using a domain-based group instead for the ACL, which will
completely solve the issue? If that's not possible, you can try the below
(untested!):

1) Check backlog. Make sure it’s zero from non-primary (“read-only”) to primary and primary to read-only.
2) Enable 2-way replication if it isn’t already enabled. Modify the replicated folder root DACL to include the new local IUSR account. Set it to apply to the current folder, all subfolders and files (inheritance enabled). Apply the new ACL to the existing tree (this will re-ACL every file and folder).
3) Let replication settle (backlog zero).
4) On the “primary” machine, verify the ACL is set correctly. Since it is not aware of the new local IUSR account, you should see a raw SID.
5) On the “primary” machine, create a new file in the replicated folder hierarchy. It should inherit the ACE with the raw SID. If it does, make sure that the replicated file on the “read-only” server shows the expected DACL with IUSR.
6) Try whatever content update process you use. Verify the ACLs are inherited as expected.


--

Ned Pyle
Microsoft Enterprise Platform Support
This posting is provided "AS IS" with no warranties, and confers no rights.
Please read http://www.microsoft.com/info/cpyright.htm for more information.


"James" <James[ at ]discussions.microsoft.com> wrote in message
news:D6D8BB78-2271-4028-A667-8D6FCA0B9B08[ at ]microsoft.com...
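A check for the condition Ned describes in point 2, as an added example that is not part of the thread: it walks a replicated folder on one DFSR member and reports ACEs bound to machine-local principals (which resolve only on this server) or to SIDs that no longer resolve at all. The folder path and function name are placeholders.

```powershell
# Added example, not from the thread: list ACEs in a DFSR replicated folder that
# will not resolve on the other member. A machine-local group such as
# SERVER\IIS_WPG has a SID that exists only on the machine that created it, so
# DFSR carries it to the peer as a raw SID. Well-known/BUILTIN identities and
# DOMAIN\name principals resolve identically on every member and are skipped.
# Assumption: $ReplicatedRoot is the replicated folder on this member (hypothetical path).
function Find-NonPortableAce {
    param([string]$ReplicatedRoot = 'D:\WebContent')

    $localName = $env:COMPUTERNAME
    $portable  = @('NT AUTHORITY', 'BUILTIN', 'NT SERVICE', 'CREATOR OWNER')

    # Include the root itself, then everything below it (hidden files too)
    $items = @(Get-Item -LiteralPath $ReplicatedRoot) +
             @(Get-ChildItem -LiteralPath $ReplicatedRoot -Recurse -Force)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            $name = $ace.IdentityReference.Value
            if ($ace.IdentityReference -is [System.Security.Principal.SecurityIdentifier] -or
                $name -match '^S-1-\d') {
                # Get-Acl could not translate the SID here: an orphaned or foreign SID
                $problem = 'UnresolvedSID'
            } else {
                # Names without a backslash (e.g. Everyone) are well-known and portable
                if ($name -notmatch '\\') { continue }
                $authority = ($name -split '\\')[0]
                if ($authority -eq $localName) {
                    # Resolves here, but only here: the peer will see a raw SID
                    $problem = 'LocalPrincipal'
                } else {
                    continue   # BUILTIN/NT AUTHORITY or DOMAIN\name: resolves on all members
                }
            }
            [pscustomobject]@{
                Path      = $item.FullName
                Identity  = $name
                Problem   = $problem
                Inherited = $ace.IsInherited
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

# Explicit (non-inherited) local ACEs are the ones to replace with a domain group;
# inherited ones go away once the root is re-ACLed and inheritance is reapplied.
Find-NonPortableAce -ReplicatedRoot 'D:\WebContent' | Format-Table -AutoSize
```

Run it on both members: an ACE that shows as LocalPrincipal on one server and UnresolvedSID on the other is exactly the IIS_WPG case from the question.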

Re: DFSR + inherited permissions
James 06.07.2007 13:24:02
Thank you so much for your help, Ned. We'll see what happens.

"Ned Pyle [MSFT]" wrote:

