4.4 Active Directory Domain Configuration for Remote Shares

In an Active Directory environment, Dynamic File Services configures a special domain group and user in order to support the use of remote shares in a pair.

4.4.1 Default Domain Configuration

When you install the Service component on a domain controller or member server in an Active Directory environment, the installation sets up the following security features:

  • Creates a domain user called NDFS-servername.

  • Creates a domain group called Dynamic File Services Storage Rights.

  • Adds the NDFS-servername user to the Dynamic File Services Storage Rights group.

  • Gives the NDFS-servername user the Log on as a service right.

  • Sets up the Dynamic File Service to log on as the NDFS-servername user.

  • Makes the Dynamic File Services Storage Rights group a member of the Domain Admins group.

This setup requires that the installation is done by a domain user that has local Administrator privileges and Domain Administrator rights.
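The following script is an added example and is not part of the Dynamic File Services documentation or product. It audits, from the server itself, each item the default installation is documented to set up: the proxy user, the group and its scope/type, the group membership, the Log on as a service right, the service logon account, and whether the group is still nested in Domain Admins. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the service's display name begins with "Dynamic File Service"; that display-name pattern is an assumption and should be adjusted if your service is named differently.

```powershell
# Added example, not part of the Dynamic File Services documentation.
# Audits the items the default installation sets up (section 4.4.1).
# Assumptions: the ActiveDirectory module (RSAT) is installed, the script runs on the
# Dynamic File Services server with domain read rights, and the service's display name
# starts with "Dynamic File Service" (assumed; adjust $ServiceDisplayName if it differs).
Import-Module ActiveDirectory

$ServerName         = $env:COMPUTERNAME
$ProxyUser          = "NDFS-$ServerName"
$RightsGroup        = 'Dynamic File Services Storage Rights'
$ServiceDisplayName = 'Dynamic File Service%'   # WQL LIKE pattern, assumed

function Test-NdfsDefaultDomainConfig {
    $r = [ordered]@{ Server = $ServerName; ProxyUser = $ProxyUser }

    # 1. Domain proxy user exists
    $user = Get-ADUser -Filter "SamAccountName -eq '$ProxyUser'"
    $r.ProxyUserExists = [bool]$user

    # 2. Domain group exists with the documented scope (Global) and type (Security)
    $group = Get-ADGroup -Filter "Name -eq '$RightsGroup'"
    $r.RightsGroupExists  = [bool]$group
    $r.RightsGroupScopeOk = [bool]$group -and $group.GroupScope -eq 'Global' -and $group.GroupCategory -eq 'Security'

    # 3. Proxy user is a member of the group
    $members = @()
    if ($group) { $members = Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName }
    $r.ProxyUserInRightsGroup = $members -contains $ProxyUser

    # 4. Proxy user holds "Log on as a service" (SeServiceLogonRight) in local security policy.
    #    secedit exports principals as *SID or as account names, so match either form.
    $inf = Join-Path $env:TEMP 'ndfs-audit.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Select-String -Path $inf -Pattern '^SeServiceLogonRight' | Select-Object -First 1
    $userSid = if ($user) { $user.SID.Value } else { 'no-such-sid' }
    $r.ProxyUserHasServiceLogon = [bool]$line -and ($line.Line -match [regex]::Escape($userSid) -or $line.Line -match [regex]::Escape($ProxyUser))
    Remove-Item $inf -ErrorAction SilentlyContinue

    # 5. The Dynamic File Service logs on as the proxy user
    $svc = Get-CimInstance Win32_Service -Filter "DisplayName LIKE '$ServiceDisplayName'" | Select-Object -First 1
    $r.ServiceLogonAccount    = $svc.StartName
    $r.ServiceRunsAsProxyUser = [bool]$svc -and $svc.StartName -like "*\$ProxyUser"

    # 6. Whether the group is still nested in Domain Admins (the high-privilege default)
    $daMembers = Get-ADGroupMember -Identity 'Domain Admins' | Select-Object -ExpandProperty Name
    $r.RightsGroupInDomainAdmins = $daMembers -contains $RightsGroup

    [pscustomobject]$r
}

Test-NdfsDefaultDomainConfig | Format-List
```

A `RightsGroupInDomainAdmins` value of `True` is the expected result of a default installation; it is the condition that Section 4.4.4 describes tightening. The other checks should all report `True` on a healthy server, and a `False` on any of them is the first thing to investigate when a pair that uses a remote share stops working.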

4.4.2 Dynamic File Services Storage Rights Domain Group

The Dynamic File Services Storage Rights group is an Active Directory domain group that is used to allow Dynamic File Services to manage traffic between the Service running on the server and the remote share. In Active Directory, you must add the group to the primary share and secondary share, and grant it all permissions.

The Dynamic File Services Storage Rights group is created automatically during the installation of the Service component if the computer is a domain controller or a member server in an Active Directory environment. The group scope is Global and the group type is Security.

Members of the Dynamic File Services Storage Rights group include the NDFS-servername proxy users for the Dynamic File Services servers in the same Active Directory domain/forest. The members are automatically added to the group when the Service component is installed on a server in the domain.

A server's NDFS-servername proxy user is automatically removed as a member of the Dynamic File Services Storage Rights group if Dynamic File Services is uninstalled from the server. The group is not deleted by the uninstall unless the server’s proxy user is the only member of the group.

The Dynamic File Services Storage Rights group is a member of the Domain Admins group. This gives the group equivalent rights to the Domain Admins group. Alternatives to the default domain configuration are described in Security Implications of the Default Domain Configuration.

4.4.3 NDFS-servername Domain Proxy User

The NDFS-servername user is an Active Directory domain user that serves as a proxy user in communications between the Service on a server that is running Dynamic File Services and a remote share that is being used as the secondary path in a pair on that server. The user is created automatically during the installation of the Service component if the computer is a domain controller or a member server in an Active Directory environment.

The NDFS-servername proxy user is automatically added as a member of the Dynamic File Services Storage Rights group in the same domain as the server. The user is given the Log on as a service right. As a group member, this user automatically has the same access rights granted to the group.

The password for the NDFS-servername user is created automatically, and can be modified by using the Active Directory tool for modifying user passwords.

4.4.4 Security Implications of the Default Domain Configuration

The default configuration gives the Dynamic File Services Storage Rights domain group equivalent rights to the Domain Admins group. In some situations, this can be undesirable. The following describes two options to tighten security:

  • Remove the Dynamic File Services Storage Rights group from the Domain Admins group, and give only the specific rights needed to the Dynamic File Services Storage Rights group. Then give the group share-level rights or the NTFS security rights to the share used for the primary path and the share used for the secondary path.

  • Delete the Dynamic File Services Storage Rights group, and add only the specific rights needed directly to the NDFS-servername proxy user. Then give the NDFS-servername user share-level rights or the NTFS security rights to the share used for the primary path and the share used for the secondary path.

Whichever approach you use, ensure that you grant the group or user the same access rights to the primary share and the secondary share.

You can manage domain groups and users by using the Active Directory Users and Computers snap-in in the Microsoft Management Console. The specific rights needed are as follows:

  • Allow log on locally

  • Restore files and directories

  • Back up files and directories

  • Load and unload device drivers

  • Log on as a service

  • Manage auditing and security log

  • Take ownership of files or other objects
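The following script is an added example and is not part of the Dynamic File Services documentation or product. It carries out the first option above end to end: it removes the Dynamic File Services Storage Rights group from Domain Admins, grants the group only the seven rights listed (using the Windows privilege constants that correspond to those display names, merged into the server's existing assignments so that accounts such as Administrators and Backup Operators keep their rights), and then grants the group identical share-level and NTFS rights on the primary and secondary shares. It assumes Windows Server 2012 or later (for the SmbShare cmdlets), the ActiveDirectory module, a session with Domain Admin rights on the Dynamic File Services server, and placeholder share hosts and names that you replace with your own pair.

```powershell
# Added example, not part of the Dynamic File Services documentation.
# Implements the first option in section 4.4.4: take the Dynamic File Services Storage
# Rights group out of Domain Admins, grant it only the seven listed user rights on this
# server, and give it matching share-level and NTFS rights on the primary and secondary shares.
# Assumptions: Windows Server 2012 or later (SmbShare module), the ActiveDirectory module is
# installed, the script runs with Domain Admin rights on the Dynamic File Services server, and
# the share hosts/names below are placeholders for your own pair.
Import-Module ActiveDirectory

$RightsGroup  = 'Dynamic File Services Storage Rights'
$GroupAccount = "$((Get-ADDomain).NetBIOSName)\$RightsGroup"
$GroupSid     = (Get-ADGroup -Identity $RightsGroup).SID.Value

# Placeholders: host and share name for each path of the pair
$Shares = @(
    @{ Host = $env:COMPUTERNAME; Name = 'PrimaryData' }    # primary path, local share
    @{ Host = 'FILESRV2';        Name = 'SecondaryData' }  # secondary path, remote share
)

# User rights from the documentation, as the privilege constants secedit uses
$Privileges = @(
    'SeInteractiveLogonRight',  # Allow log on locally
    'SeRestorePrivilege',       # Restore files and directories
    'SeBackupPrivilege',        # Back up files and directories
    'SeLoadDriverPrivilege',    # Load and unload device drivers
    'SeServiceLogonRight',      # Log on as a service
    'SeSecurityPrivilege',      # Manage auditing and security log
    'SeTakeOwnershipPrivilege'  # Take ownership of files or other objects
)

# Step 1: membership in Domain Admins is what makes the default configuration over-privileged
Remove-ADGroupMember -Identity 'Domain Admins' -Members $RightsGroup -Confirm:$false

# Step 2: grant the rights on this server. User rights are per-machine local policy, so the
# template is built from the current assignments and the group SID is appended, which keeps
# existing holders such as Administrators and Backup Operators intact.
function Grant-NdfsUserRights {
    $exported = Join-Path $env:TEMP 'ndfs-current.inf'
    secedit /export /cfg $exported /areas USER_RIGHTS | Out-Null
    $current = Get-Content $exported

    $template = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1', '[Privilege Rights]')
    foreach ($p in $Privileges) {
        $line = $current | Where-Object { $_ -match "^$p\s*=" } | Select-Object -First 1
        $entries = @()
        if ($line) { $entries = @(($line -replace "^$p\s*=\s*", '') -split ',' | ForEach-Object { $_.Trim() }) }
        if ($entries -notcontains "*$GroupSid") { $entries += "*$GroupSid" }
        $template += "$p = " + ($entries -join ',')
    }

    $tmpl = Join-Path $env:TEMP 'ndfs-rights.inf'
    $template | Set-Content -Path $tmpl -Encoding Unicode
    secedit /configure /db (Join-Path $env:TEMP 'ndfs-rights.sdb') /cfg $tmpl /areas USER_RIGHTS | Out-Null
    Remove-Item $exported, $tmpl -ErrorAction SilentlyContinue
}

# Step 3: identical access on both shares (section 4.4.4 requires the same rights on each)
function Grant-NdfsShareRights {
    foreach ($s in $Shares) {
        # Share-level permission on the hosting server
        $cim = New-CimSession -ComputerName $s.Host
        Grant-SmbShareAccess -CimSession $cim -Name $s.Name -AccountName $GroupAccount -AccessRight Full -Force
        Remove-CimSession $cim

        # NTFS permission through the UNC path, inherited by subfolders and files
        $unc  = "\\$($s.Host)\$($s.Name)"
        $acl  = Get-Acl -Path $unc
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($GroupAccount, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $unc -AclObject $acl
    }
}

Grant-NdfsUserRights
Grant-NdfsShareRights
```

The user-rights step only affects the server where it runs, so repeat it on every Dynamic File Services server whose proxy user belongs to the group; the Domain Admins removal and the share permissions are domain-wide and per-share respectively and need to be done once. For the second option in Section 4.4.4, substitute the NDFS-servername user for the group in `$GroupAccount` and `$GroupSid`, and replace the Remove-ADGroupMember step with deleting the group.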