Hi,

Is there a way to log all the activities in a DFS directory, such as file creation/modification/deletion/etc ?

We are required to keep track of everything that happens in our DFS directory and save them to files (audit).
We would like to deploy DFS for a file sharing purpose between two sites that are geographically apart from each other.

We would at the very least have to log the following activities:
- A file creation in a DFS directory
- A file deletion in a DFS directory
- A file modification in a DFS directory
- A file rename in a DFS directory

We want to save the events to Windows event logs or something along that line.
Does Security Event Log do this or do we have to introduce some third-party software?

Hi,

DFS itself does not have such option. You can Audit the 2 folder targets separately to workaround.

Hi Shaon,

I just did not know that Windows has a 'Auditing' feature that can be set up for each directory.
I assume that what you meant is the Audit feature decribed in the article below.
(It just hit me after seeing 'Audit' with a capital 'A' in your post)

https://technet.microsoft.com/en-us/library/cc771070.aspx

We will look into it to see if it suits our needs.
For now, thanks for the advice.

Wanko

Can I ask a couple more questions on this?

1. Does anyone know for certainty whether or not the Audit feature above is capable of auditing a folder set up as a DFS replication target?
By auditing I mean capturing file operations that I described above, and save those events to logs.
2. It it is capable of doing so, where are the audit logs saved? Are they saved as eveng logs on the Windows server where the actual DFS folder exists?

Regards,
Wanko

• Edited by Wanko 18 hours 23 minutes ago

Can I ask a couple more questions on this?

1. Does anyone know for certainty whether or not the Audit feature above is capable of auditing a folder set up as a DFS replication target?
By auditing I mean capturing file operations that I described above, and save those events to logs.
2. It it is capable of doing so, where are the audit logs saved? Are they saved as eveng logs on the Windows server where the actual DFS folder exists?

Regards,
Wanko

• Edited by Wanko Wednesday, June 24, 2015 12:37 PM

Hi Wanko,

I did not provide Audit steps as I cannot confirm if it is acceptable.

First let me answer your questions:

1. It will not apply to DFS namespace but shared folder. So you will need to set on each of your server separately. 

2. It will save to Event. Please understand that it will generate a lot of event entries if you audit all actions.

You can enabling file auditing is a 2-step process.

[1] Configure "audit object access" in AD Group Policy or on the server's local GPO. This setting is located under Computer Configuration-->Windows Settings-->Security Settings-->Local Policies-->Audit Policies. Enable success/failure auditing for "Audit object access."

[2] Configure an audit entry on the specific folder(s) that you wish to audit. Right-click on the folder-->Properties-->Advanced. From the Auditing tab, click Add, then enter the users/groups whom you wish to audit and what actions you wish to audit - auditing Full Control will create an audit entry every time anyone opens/changes/closes/deletes a file, or you can just audit for Delete operations.

Hi Shaon,

Thank you so much for giving me the details.

I guess that basic idea is that we enable auditing on two folders which contain the actual files. We should not have any problem doing so.
I will start studying about 'DFS namespace' shortly.

In the meantime, is it possible to allow only some specific users to swith on/off the audting, and to edit the audit settings?
We need to ensure that only the privileged users can change the status or the configurations of the auditing.
For instance, we want to give some users read-only access to certain shared files, and do not want them to change anything about the audit settings on those files.
My prediction is that this can be done on non-DFS folders.
Do you think we can do the same to DFS folders as well?

Regards,
Wanko

Please walk through the below given links which might be helps you to achieve this goal.

Folder Auditing in Windows Server 2012: https://mizitechinfo.wordpress.com/2014/07/01/folder-auditing-in-windows-server-2012-r2/

How to audit new files in Windows File Server (DFS): http://serverfault.com/questions/646131/how-to-audit-new-files-in-windows-file-server-dfs

Hope it helps you

• Proposed as answer by Shaon ShanMicrosoft contingent staff, Moderator 33 minutes ago

Thanks Moreno,

The exchange on the Server Fault forum (the second link) is basically what we are planning to do.
The posts suggest we can enable 'Auditing' just like we do in an ordinary folder, but I still have some questions...

If we have two sets of files under a DFS namespace, and the user edit an audit setting of a file in a DFS folder,
what happens to the settings of actual two files that are behind it?
And if the user does something to the file, how is it audited? Does Windows generate same messages for two actual files, or either one?
(I'm still learning about DFS, but as I understand it, user only sees one copy of files,
and how many copies actually exist is transparent to the user; sorry if what I'm saying doesn't make sense)

Regards,
Wanko

Hi Wanko,

Sorry for the delay in reply.

User will be randomly direct to one of these 2 files (on 2 servers) so only 1 file is edited at a time, and that edit will be replicated to the other server once the file is closed.