It’ll only say it was about time. Took them 12 months to file the Submission to SVVP:
So – here’s another rambling about Dynamic Access Control. It looks like this is becoming one of my favorite topics these days. Or it’s just that I think it needs the attention. You decide yourself.
Today, I’d like to introduce the process of ACL evaluation on files and folders when DAC is used with them. Things change a little compared to classic NTFS-only permissions, and I thought it’s worth writing about so you know what to expect when designing your access control with DAC.
So how are ACLs evaluated when DAC is enabled? Essentially, an Access Control List consists of a number of Access Control Entries (ACEs). An ACE describes the kind of access a security principal gets on a particular object, in our case on file resources, and the scope (this object, children, or both) the entry applies to, like in these two examples:
ALLOW READ ACCESS for members of security group CONTOSO\finance [for this folder and all subfolders]
ALLOW READ, WRITE ACCESS for members of security group CONTOSO\finance-admins [for subfolders only]
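The two ACEs above, expressed as the inheritance and propagation flags NTFS actually stores. This is an added example, not code from the original post: the folder path D:\Finance is an assumption, and the CONTOSO\finance and CONTOSO\finance-admins groups are assumed to resolve on the machine where it runs. The point to notice is that "this folder and all subfolders" and "subfolders only" differ only in the PropagationFlags value (None versus InheritOnly), which is easy to get wrong when setting ACEs by hand.

```powershell
using namespace System.Security.AccessControl

# Added example (not from the original post). Assumes D:\Finance exists and
# that the CONTOSO\* groups resolve on this machine.
$folder = 'D:\Finance'

# ACE 1: ALLOW READ for CONTOSO\finance, "for this folder and all subfolders".
# ContainerInherit = child folders inherit it; PropagationFlags None = it is
# also effective on the folder itself. Add ObjectInherit if files should
# inherit it as well.
$financeRead = [FileSystemAccessRule]::new(
    'CONTOSO\finance',
    [FileSystemRights]::Read,
    [InheritanceFlags]::ContainerInherit,
    [PropagationFlags]::None,
    [AccessControlType]::Allow)

# ACE 2: ALLOW READ, WRITE for CONTOSO\finance-admins, "for subfolders only".
# Same inheritance, but InheritOnly makes the entry NOT effective on the
# folder where it is set; it only becomes effective once inherited by children.
$adminsReadWrite = [FileSystemAccessRule]::new(
    'CONTOSO\finance-admins',
    [FileSystemRights]'Read, Write',
    [InheritanceFlags]::ContainerInherit,
    [PropagationFlags]::InheritOnly,
    [AccessControlType]::Allow)

$acl = Get-Acl -Path $folder
$acl.AddAccessRule($financeRead)
$acl.AddAccessRule($adminsReadWrite)
Set-Acl -Path $folder -AclObject $acl

# Verify: list each ACE with the scope it applies to.
(Get-Acl -Path $folder).Access |
    Where-Object { $_.IdentityReference -like 'CONTOSO\*' } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights,
                 InheritanceFlags, PropagationFlags -AutoSize
```

Run it once on a test folder and compare the output of the last command with what icacls shows for the same path: the (CI) and (IO) flags there correspond to ContainerInherit and InheritOnly here.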
This is a question from the Forums. It was two questions in one thread, but I thought I’d tackle this first:
“I have a forest with two domains, domain.com and work.domain.com. Both domains have two Domain Controllers. When I open Active Directory Sites and Services on a Domain Controller in either domain, I can see all four Domain Controllers represented in there. Why is that? What’s wrong?”
Nothing’s wrong. This is the way Active Directory stores Site information. Site information is not stored per domain, but per forest. All Sites and Subnets, as well as the assignment of Domain Controllers to Sites, are stored in the Configuration Naming Context (Config NC), which is stored on and replicated to every Domain Controller in the forest.
This is required so that all DCs in the forest share the same picture of the physical network and the Site configuration. Each Domain Controller’s KCC uses this information to build replication links for the partitions it hosts, including the ones that span domains within the forest:
- The Configuration NC and the Schema NC (held by every DC in the forest)
- Application Naming Partitions (held by the DCs enlisted in them; ForestDnsZones, for example, spans the whole forest)
- The Global Catalog (GC), i.e. the partial replicas of every domain NC held by the DCs that are GCs
Also, applications that are not necessarily domain-tied rely on the Sites and Services configuration for their own purposes – Exchange is just one example.
So it is expected, and good, to see all Domain Controllers of a forest in Sites and Services.
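To see for yourself that the site topology is forest-wide, read it straight from the Config NC instead of through the Sites and Services console. This is an added example, not code from the original post: it assumes the ActiveDirectory PowerShell module is available and that the account running it can read the Configuration NC (which any authenticated user can by default). It lists every site and subnet once, and for every DC server object it derives the site from the object’s DN and the domain from serverReference, so Domain Controllers of both domain.com and work.domain.com appear in one listing, together with whether each is a GC and which writable partitions it holds.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module is present and the caller can read the Configuration NC.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext   # e.g. CN=Configuration,DC=domain,DC=com

# Sites and subnets live once per forest under CN=Sites in the Config NC.
Write-Host "Sites:"
Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter '(objectClass=site)' |
    Select-Object Name, DistinguishedName | Format-Table -AutoSize

Write-Host "Subnets:"
Get-ADObject -SearchBase "CN=Subnets,CN=Sites,$configNC" -LDAPFilter '(objectClass=subnet)' `
    -Properties siteObject | Select-Object Name, siteObject | Format-Table -AutoSize

# Every DC has a server object CN=<dc>,CN=Servers,CN=<site>,CN=Sites,<configNC>
# with an nTDSDSA child. serverReference points at the DC's computer object,
# whose DN tells you the domain, so DCs from all domains of the forest show up.
$servers = Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter '(objectClass=server)' `
    -Properties serverReference, dNSHostName

$report = foreach ($srv in $servers) {
    $ntds = Get-ADObject -SearchBase $srv.DistinguishedName -SearchScope OneLevel `
        -LDAPFilter '(objectClass=nTDSDSA)' -Properties 'msDS-hasMasterNCs', options
    if (-not $ntds) { continue }   # server object without an NTDS Settings object (stale entry)

    [PSCustomObject]@{
        DC         = $srv.dNSHostName
        # DN parts: [0]=CN=<dc>, [1]=CN=Servers, [2]=CN=<site>
        Site       = (($srv.DistinguishedName -split ',')[2]) -replace '^CN='
        # CN=DC1,OU=Domain Controllers,DC=work,DC=domain,DC=com -> work.domain.com
        Domain     = (($srv.serverReference -split ',DC=', 2)[1]) -replace ',DC=', '.'
        IsGC       = [bool]($ntds.options -band 1)   # NTDSDSA_OPT_IS_GC
        Partitions = ($ntds.'msDS-hasMasterNCs' -join '; ')
    }
}

Write-Host "Domain Controllers known to the forest (from the Config NC):"
$report | Sort-Object Site, Domain, DC | Format-Table -AutoSize
```

The Partitions column is where the list from the answer above becomes visible: every DC shows the Configuration and Schema NCs, DCs enlisted in an application partition such as ForestDnsZones show it too, and the domain NC differs between the two domains. Run the script against a DC in each domain (Get-ADObject accepts -Server) and the site, subnet and server listings come back identical, because both are reading the same forest-wide Config NC.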