Domain and Local Workgroup Settings
When you configure your PFS SteelHead, set either domain or local workgroup settings. This section includes the following topics:
  • Domain Mode
  • Local Workgroup Mode
Domain Mode
    In domain mode, you configure the PFS SteelHead to join a Windows domain (typically, your company domain). When you configure the SteelHead to join a Windows domain, you do not have to manage local accounts in the branch office as you do in Local Workgroup mode.
    Domain mode allows a DC to authenticate users accessing its file shares. The DC can be located at the remote site or over the WAN at the main data center. The SteelHead must be configured as a Member Server in the Windows 2000, or later, ADS domain. Domain users are allowed to access the PFS shares based on the access permission settings provided for each user.
    Data volumes at the data center are configured explicitly on the proxy file server and are served locally by the SteelHead. As part of the configuration, the data volume and ACLs from the origin server are copied to the SteelHead. PFS allocates a portion of the RiOS data store for users to access as a network file system.
    Before you enable domain mode in PFS:
  • configure the SteelHead to use NTP to synchronize the time. For details, see the SteelHead Management Console User’s Guide.
  • configure the DNS server correctly. The configured DNS server must be the same DNS server to which all the Windows client machines point.
  • have a fully qualified domain name for which PFS is configured. This domain name must be the domain name for which all the Windows desktop machines are configured.
  • set the owner of all files and folders in all remote paths to a domain account and not to a local account.
    When you are in domain mode, PFS does not support local user and group accounts. These accounts reside only on the host where they are created. During an initial copy from the origin file server to the PFS SteelHead, if PFS encounters a file or folder with permissions for both domain and local accounts, the SteelHead preserves only the domain account permissions.
    If your DC is across the WAN, in the event of a WAN outage, you cannot perform user authentication. To prevent this, you either need a local DC, or you can switch to Local Workgroup mode, which requires you to configure local usernames and passwords or use shares that are open to everyone.
    For details, see Local Workgroup Mode.
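An added example, not from the Riverbed guide: a PowerShell audit, run on the origin file server, that lists files and folders whose owner or explicit ACL entries refer to local accounts, which domain mode does not preserve. The path `D:\Shares\Branch` is a placeholder, and the script assumes the origin server is a domain member (not a DC) running Windows PowerShell 5.1 or later.

```powershell
# Added example, not Riverbed code. Run on the origin file server before the
# initial PFS copy. $Root is a placeholder for the folder behind a remote path.
param([string]$Root = 'D:\Shares\Branch')

$sidType = [System.Security.Principal.SecurityIdentifier]

# Every account created locally on this host shares the machine SID prefix
# (S-1-5-21-x-y-z). Assumes a domain member server, not a DC, with the
# LocalAccounts module (Windows PowerShell 5.1 or later).
$machineSid = (Get-LocalUser | Select-Object -First 1).SID.AccountDomainSid.Value

function Test-LocalSid {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    # AccountDomainSid is $null for well-known SIDs (Everyone, BUILTIN groups);
    # those are not flagged here.
    $prefix = $Sid.AccountDomainSid
    return ($null -ne $prefix) -and ($prefix.Value -eq $machineSid)
}

$items = @(Get-Item -LiteralPath $Root) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force)

$findings = foreach ($item in $items) {
    $acl   = Get-Acl -LiteralPath $item.FullName
    $owner = $acl.GetOwner($sidType)

    if (Test-LocalSid $owner) {
        [pscustomobject]@{
            Path = $item.FullName; Issue = 'Owner'
            Sid  = $owner.Value;   Rights = ''
        }
    }

    # Explicit ACEs only; inherited ones are reported on the folder that sets them.
    foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {
        if (Test-LocalSid $ace.IdentityReference) {
            [pscustomobject]@{
                Path = $item.FullName; Issue = 'ACE'
                Sid  = $ace.IdentityReference.Value
                Rights = "$($ace.AccessControlType) $($ace.FileSystemRights)"
            }
        }
    }
}

$findings | Sort-Object Path, Issue | Format-Table -AutoSize
```

Each row is an owner or permission entry to reassign to a domain account before the copy.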
    Regarding the user account required to join the SteelHead to the domain:
  • This account does not need to be a domain admin. Any account that has sufficient privileges to join a machine to Active Directory works (for example, a non-domain-admin account that you created with permission to add machine accounts and that works for regular Windows computers).
  • Regardless of what account is entered, RiOS does not store the account on the SteelHead. RiOS uses it for a one-time attempt to join the domain.
  • If you ever need to rejoin the computer (for example, if the account was deleted from the Active Directory), you must reenter your credentials.
    For information about how ACLs are propagated from the origin server to a PFS share, refer to the Riverbed Support site at https://support.riverbed.com.
Local Workgroup Mode
    In Local Workgroup mode you define a workgroup and add individual users that have access to the PFS shares on the SteelHead.
    Use Local Workgroup mode in environments where you do not want the SteelHead to be a part of a Windows domain.
    If you use Local Workgroup mode, you must manage the accounts and permissions for the branch office on the SteelHead. The local workgroup account permissions might not match the permissions on the origin file server.