Set permissions on 2k3 server per ip address?

  1. #1
    Registered User
    Join Date
    Sep 2002
    Location
    Alabama
    Posts
    198

    Set permissions on 2k3 server per ip address?

    I am planning a network in which the customer has 2 separate companies and does not want company 1 to be able to access the company 2 files. Is there a way to do this without using an Active Directory domain? I do not know of a way to restrict share folder access in a workgroup by IP address.

    Thanx
    Joe

  2. #2
    Registered User rgharper's Avatar
    Join Date
    Sep 2002
    Location
    The wilds of Northern Michigan
    Posts
    1,173
    Quote Originally Posted by FireAm94
    I am planning a network in which the customer has 2 separate companies and does not want company 1 to be able to access the company 2 files. Is there a way to do this without using an Active Directory domain? I do not know of a way to restrict share folder access in a workgroup by IP address.

    Thanx
    Joe
    I don't know of any way to do it by IP address, and doing it via workgroups would be a nightmare. You really do need to use Active Directory in this case as it will allow you to secure your network and shares appropriately.

    If I may ask, why NOT Active Directory?

  3. #3
    Registered User
    Join Date
    Sep 2002
    Location
    Alabama
    Posts
    198
    We've had too many problems with reliability related to Active Directory. The problems we had were things like... network PCs not being able to find the domain. There are that many things you could set up differently to cause that problem, from what I've seen. Don't get me wrong, I'm no expert on domains... I have only set up 2 DNS servers before.

    Joe

    Quote Originally Posted by rgharper
    I don't know of any way to do it by IP address, and doing it via workgroups would be a nightmare. You really do need to use Active Directory in this case as it will allow you to secure your network and shares appropriately.

    If I may ask, why NOT Active Directory?

  4. #4
    Registered User rgharper's Avatar
    Join Date
    Sep 2002
    Location
    The wilds of Northern Michigan
    Posts
    1,173
    Quote Originally Posted by FireAm94
    We've had too many problems with reliability related to Active Directory.
    Whenever someone tells me Active Directory is flakey and doesn't work right I immediately suspect that their DNS structure is flawed. If you don't have good DNS on your network you will never get Active Directory working correctly.

    In broad brushstrokes I recommend the following:

    1. Get a solid DHCP base going. Set up a DHCP server on Windows 2000/2003 Server, set the lease time short (two to three days), then give it at least twice that amount of time to stabilize. Be sure ALL clients - even those that won't be part of Active Directory, like printers and such - have proper addresses or reservations. Be darned sure the servers that will be part of Active Directory have fixed IP addresses (NOT DHCP-served addresses!) with reservations in DHCP to keep someone else from stepping on them.

    2. If you currently have a DNS server running, get rid of it.

    3. Set up your first Active Directory domain controller. Don't get all carried away with the domain name, keep it short and simple and make sure it's a proper FQDN and will not conflict with an external domain. The best bet is almost always <mycompany>.LOCAL (replacing <mycompany> with the domain name you want). Don't give it a .NET, .COM, .ORG, .GOV or other domain suffix that exists outside your domain.

    4. Active Directory will see that you have no DNS controller and offer to set one up. Do so. Accept the defaults for both the AD and DNS setup, don't get fancy.

    5. Restart the Active Directory server when indicated, then wait about fifteen minutes for AD to populate itself. Then check DNS to be sure that the proper self-reference records for the domain exist, check the status of the domain by installing the support tools on the Server CD (or Google for one of the several dozen other Active Directory testing tools available, or use the process documented in http://support.microsoft.com/default...b;EN-US;324801). Make sure the first domain controller knows that it holds all the FSMO roles and that it has a copy of the Global Catalog.

    6. If it doesn't or if DNS didn't populate correctly, then use DCPROMO to get rid of the domain controller, uninstall DNS, start over. This is ESSENTIAL - if you don't have a decent DNS base and the first server doesn't know it's running the show then the game is already over.

    7. Once everything is stable, go back to DHCP and put the Active Directory server's IP address in as the default DNS server for the network. Reboot or release/renew the IP address on each PC and use IPCONFIG /ALL to ensure that it has a good IP address and only the DNS server address for the domain controller for resolving DNS addresses. Check your first domain controller and make sure that its IPCONFIG /ALL output shows that it is looking at only itself for name resolution.

    8. Bring up additional Active Directory DCs as needed. I recommend at least one additional DC for redundancy's sake. That DC should also have DNS installed and activated so it can fully take over the Active Directory domain if necessary. But even though it has DNS running, do NOT point it to its own DNS for name resolution, be sure it's pointing to the first domain controller's DNS server for name resolution.

    9. NOW you can set up user accounts, ACLs and start joining PCs to the domain.
    Last edited by rgharper; September 2nd, 2004 at 09:14 PM.
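
The IPCONFIG /ALL checks from steps 1, 7 and 8 of the post above, as an added example that is not part of the original thread. It assumes the field labels printed by Windows XP/2003 (`IP Address`, `DNS Servers`, `DHCP Enabled`); the function names and all addresses are constructed for illustration.

```python
import re

# An ipconfig field line: indented label, dot/space padding, colon, value.
FIELD = re.compile(r"^\s+(\S.*?)[ .]+: ?(.*)$")

def parse_ipconfig(text):
    """Parse `ipconfig /all` text into {section: {label: [values]}}."""
    sections, current, last = {}, {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line starts a section
            current, last = sections.setdefault(line.rstrip(" :"), {}), None
        elif m:                            # "Label . . . : value"
            last = current.setdefault(m.group(1), [])
            if m.group(2).strip():
                last.append(m.group(2).strip())
        elif last is not None:             # bare value continues the last field
            last.append(line.strip())
    return sections

def check_dns(text, first_dc_ip, is_dc=False):
    """Return (section, problem, detail) findings for steps 1, 7 and 8."""
    findings = []
    for name, f in parse_ipconfig(text).items():
        if "DNS Servers" not in f:
            continue
        own = f.get("IP Address", [])
        if first_dc_ip not in f["DNS Servers"]:
            findings.append((name, "first-dc-missing", first_dc_ip))
        for s in f["DNS Servers"]:         # anything but the first DC is flagged
            if s != first_dc_ip:
                findings.append((name, "self-dns" if s in own else "extra-dns", s))
        if is_dc and f.get("DHCP Enabled") == ["Yes"]:
            findings.append((name, "dhcp-on-dc", own[0] if own else ""))
    return findings

# Constructed sample: a client that still lists an outside resolver.
CLIENT = """\
Ethernet adapter Local Area Connection:
   DHCP Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.10.50
   DNS Servers . . . . . . . . . . . : 192.168.10.2
                                       203.0.113.53
   Lease Obtained. . . . . . . . . . : Thursday, September 02, 2004 9:14:00 PM
"""

if __name__ == "__main__":
    print(check_dns(CLIENT, "192.168.10.2"))
```

An empty list means the adapter resolves names only through the first domain controller; pass `is_dc=True` when checking a server so a DHCP-assigned address is also reported.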

  5. #5
    Registered User corturbra's Avatar
    Join Date
    Oct 2000
    Location
    Just to the Right of Sanity..
    Posts
    1,424
    Yeah, do what RGHarper said!

    I take it that the files will be on 1 server? If so create two partitions/folders and give access to company1/company2 separately blocking them from both.

    If 2 servers and the PC's don't need to see the other company's server, then use IP Addressing/subnet masks...

    Using AD security though is probably the better option, beware of the inherited rights from parent folder, I've seen this confuse and screw up a lot of installations....
    "Today is a Gift, that's why they call it the present"

  6. #6
    Geezer confus-ed's Avatar
    Join Date
    Jul 1999
    Location
    In front of my PC....
    Posts
    13,087
    You could maybe do it with a firewall, depends what you've got.

  7. #7
    Registered User
    Join Date
    Sep 2002
    Location
    Alabama
    Posts
    198
    Thanx for the help guys. I'm not anywhere near new to computers... just been tied up in bench teching if ya know what I mean. I have needed to learn how to properly use Active Directory for a while and since I have a basic understanding of what can screw it up I'll give it a shot.

    Thanx again
    Joe
