Video Screencast Help

Ensuring that Windows 2008 R2 scoping works with SFWHA 5.1 SP2

Created: 29 Jun 2011 • Updated: 21 Feb 2013 | 1 comment
mightman's picture
0 Agree
0 Disagree
0 0 Votes
Login to vote
Status: Alternative Solution

I have a cluster with two cluster resources or two individual Lanman resources (service groups).  The first file share is accessible when you access it via \\LanManA\FileShareA, however the second share, \\LanManB\FileShareB, that I created is not accessible when you map to it via the LANMAN name even if you mount the second cluster resource on another node within the cluster.  This was my original issue, both service groups were validated, however the FileShareB was not accessible via the \\LanManB\FileShareB mapping on either node.  We troubleshooted this issue for awhile, then opened a support incident.

So basically I have a cluster where \\LanManA\FileShareA is accessible from both nodes, but \\LanManB\FileShareB is not accessible on either node.  We received a patch from Symantec support that essentially disables scoping so that the server exhibits legacy Windows 2003 behavior where you can allow all shares to be access by all possible names/IP Addresses. This is the same exact access that Windows 2003 had.  

A concern of ours is that with the patch in place you can now access any fileshare on that server from any Lanman name.  For example, if LanmanA has a FileShareA and LanmanB has a FileShareB, you can access both FileShareA and FileShareB from LanmanA.  Before the patch, we could access FileShareA from LanmanA, but could not see FileShareB from LanmanB (actually, you couldn't see that fileshare on ANY node).  I think we would just like to be able to see FileShareA from LanmanA and FileShareB from LanmanB which I believe is how 2008 FileShare Scoping is supposed to work from what I understand. 
My understanding is that Windows 2008 FileShare Scoping makes access to shares somewhat more secure because you will not have to option to connect to any available shares on a node anymore.  The patch we received seems to more or less disable the scoping functionality, reverting back to previous Windows 2003 functionality. 

Two questions:

  1. Can SFWHA 5.1 SP2 be modified so it works with Windows 2008 R2 scoping without the need for an optional patch to make shares accessible?
  2. Will this patch or any future patches pertaining to Windows 2008 R2 scoping be integrated within any future SFW service packs or will it always just be an optional hot fix?  If you essentially disable Windows scoping, does this negatively effect anything moving forward since it is an inherent Windows 2008 capability?  Does anything else potentially depend upon Windows 2008 scoping?

Comments 1 CommentJump to latest comment

Jeffrey Armorer 2's picture

SFWHA 5.1 SP2 works with Windows 2008 R2 Scoping if the patch is not applied. The purpose of the patch was to enable W2K3 behavior as you note in your comments.

The patch will be optional (not integrated), as it is used to get around native behavior in Win 2008. Customers who want to disable scoping have the option of requesting and installing the patch, but the product will not make this a default.

Login to vote