DFS Replication in Windows Server 2012 R2: http://blogs.technet.com/b/filecab/archive/2013/08/20/dfs-replication-in-windows-server-2012-r2-if-you-only-knew-the-power-of-the-dark-shell.aspx
DFS Replication Initial Sync in Windows Server 2012 R2: http://blogs.technet.com/b/filecab/archive/2013/08/21/dfs-replication-initial-sync-in-windows-server-2012-r2-attack-of-the-clones.aspx
DFS Replication in Windows Server 2012 R2: Restoring Conflicted, Deleted and PreExisting files with Windows PowerShell: http://blogs.technet.com/b/filecab/archive/2013/08/23/dfs-replication-in-windows-server-2012-r2-restoring-conflicted-deleted-and-preexisting-files-with-windows-powershell.aspx
Understanding DFS (how it works): http://technet.microsoft.com/en-us/library/cc782417(v=WS.10).aspx
=> Several mechanisms are used: routing, DNS, AD sites and subnets topology, WINS; firewall ports and rules should be open (RPC, SMB…):
NetBIOS Name Service: Domain controllers; root servers that are not domain controllers; servers acting as link targets; client computers acting as link targets: TCP/UDP 137
NetBIOS Datagram Service: Domain controllers; root servers that are not domain controllers; servers acting as link targets; client computers acting as link targets: TCP/138
NetBIOS Session Service: Domain controllers; root servers that are not domain controllers; servers acting as link targets; client computers acting as link targets: TCP/139
LDAP Server: Domain controllers TCP/UDP 389
Remote Procedure Call (RPC) endpoint mapper: Domain controllers TCP/135
Server Message Block (SMB): Domain controllers; root servers that are not domain controllers; servers acting as link targets; client computers acting as link targets: TCP/UDP 445
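As an added example (not part of the original notes or of Microsoft's documentation), the PowerShell function below probes the TCP side of the ports listed above from a client, per server role. The host names and the function name Test-DfsPorts are assumptions; Test-NetConnection requires Windows 8.1 / Server 2012 R2 or later and only tests TCP, so ports 137 and 138 and the UDP side of 389 and 445 are not covered.

```powershell
# Added example: TCP reachability check for the DFS ports listed above.
# Host names are placeholders (assumptions); replace them with your own servers.
$Targets = @(
    @{ Name = 'dc01.mydomain.local';  Role = 'DomainController' }
    @{ Name = 'dfs01.mydomain.local'; Role = 'NamespaceServer'  }
)

# TCP ports per role, taken from the port list above.
# NamespaceServer also stands for root servers and link targets.
$PortsByRole = @{
    DomainController = @{ 135 = 'RPC endpoint mapper'; 139 = 'NetBIOS Session'; 389 = 'LDAP'; 445 = 'SMB' }
    NamespaceServer  = @{ 139 = 'NetBIOS Session'; 445 = 'SMB' }
}

function Test-DfsPorts {
    param(
        [Parameter(Mandatory)] [hashtable[]] $Targets,
        [Parameter(Mandatory)] [hashtable]   $PortsByRole
    )
    foreach ($t in $Targets) {
        $ports = $PortsByRole[$t.Role]
        if (-not $ports) {
            Write-Warning "Unknown role '$($t.Role)' for $($t.Name)"
            continue
        }
        foreach ($port in ($ports.Keys | Sort-Object)) {
            # An unresolvable name or a filtered port both give TcpTestSucceeded = $false.
            $r = Test-NetConnection -ComputerName $t.Name -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{
                Server  = $t.Name
                Role    = $t.Role
                Port    = $port
                Service = $ports[$port]
                Open    = $r.TcpTestSucceeded
            }
        }
    }
}

$results = Test-DfsPorts -Targets $Targets -PortsByRole $PortsByRole
$results | Format-Table -AutoSize
# Only the blocked ports, i.e. the list to review against the firewall rules.
$results | Where-Object { -not $_.Open } | Format-Table -AutoSize
```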
Extract from the MS TechNet: “When a client requests a referral from a domain controller, the DFS service on the domain controller uses the site information defined in Active Directory (through the DSAddressToSiteNames API) to determine the site of the client, based on the client’s IP address. DFS stores this information in the client site cache”
“DFS clients store root referrals and link referrals in the referral cache (also called the PKT cache). These referrals allow clients to access the root and links within a namespace. You can view the contents of the referral cache by using Dfsutil.exe with the /pktinfo”
“You can view the domain cache on a client computer by using the Dfsutil.exe command-line tool with the /spcinfo parameter”
Implementing DFS-R: http://technet.microsoft.com/en-us/library/cc770925.aspx AND DFS-R FAQ: http://technet.microsoft.com/en-us/library/cc773238.aspx, delegate DFS-R permissions: http://technet.microsoft.com/en-us/library/cc771465.aspx
Implementing DFS Namespace: http://technet.microsoft.com/en-us/library/cc730736.aspx AND DFS-N FAQ: http://technet.microsoft.com/fr-fr/library/ee404780(v=ws.10).aspx
Consolidation of multiple DFS namespaces into a single one: http://blogs.technet.com/b/askds/archive/2013/02/06/distributed-file-system-consolidation-of-a-standalone-namespace-to-a-domain-based-namespace.aspx
DFS 2008 step by step: http://technet.microsoft.com/en-us/library/cc732863(WS.10).aspx
DFS tuning and troubleshooting:
DFS-N and DFS-R on the command line: http://blogcastrepository.com/blogs/benoits/archive/2009/08/22/dfs-n-et-dfs-r-en-ligne-de-commande.aspx
DFSR, the most useful commands: http://www.monbloginfo.com/2011/03/02/dfsr-les-commandes-les-plus-utiles/
Tuning DFS: http://technet.microsoft.com/en-us/library/cc771083.aspx and Tuning DFS Replication performance: http://blogs.technet.com/b/askds/archive/2010/03/31/tuning-replication-performance-in-dfsr-especially-on-win2008-r2.aspx
Performance tuning guidelines for Windows 2008 R2: http://msdn.microsoft.com/en-us/windows/hardware/gg463392.aspx
or DfsrAdmin.exe in conjunction with Scheduled Tasks to regularly generate health reports: http://go.microsoft.com/fwlink/?LinkId=74010
DFS: some notions: A referral is an ordered list of targets that a client computer receives from a domain controller or namespace server when the user accesses a namespace root or folder with targets. After the client receives the referral, the client attempts to access the first target in the list. If the target is not available, the client attempts to access the next target.
tip1) dfsutil domain : Displays all namespaces in the domain ; dfsutil /domain:mydomain.local /view
tip2) You can check the size of an existing DFS namespace by using the following syntax in Dfsutil.exe:
dfsutil /root:\\mydomain.local\rootname /view (for domain-based DFS)
dfsutil /root:\\dfsserver\rootname /view (for stand-alone DFS)
tip3) Enabling the insite setting of a DFS server is useful when: You don’t want the DFS clients to connect outside the site.
You don’t want the DFS client to connect to a site other than the site it is in, and hence avoid using expensive WAN links.
dfsutil /insite:\\mydomain.local\dfsroot /enable
tip4) You want DFS clients to be able to connect outside the internal site, but you want clients to connect to the closest site first, saving the expensive network bandwidth:
ex: dfsutil /root:\\mydomain.local\sales /sitecosting /view or /enable or /disable
If you do not know if a root is site costing aware, you can check its status by substituting the /display parameter for the /sitecosting parameter.
tip5) Enable root scalability mode: You enable root scalability mode by using the /RootScalability parameter in Dfsutil.exe, which you can install from the SupportTools folder on the Windows Server 2003 operating system CD. When root scalability mode is enabled, DFS root servers get updates from the closest domain controller instead of the server acting as the PDC emulator master.
As a result, root scalability mode reduces network traffic to the PDC emulator master at the expense of faster updates to all root servers. (When you make changes to the namespace, the changes are still made on the PDC emulator master, but the root servers no longer poll the PDC emulator master hourly for those changes; instead, they poll the closest domain controller.)
With this mode enabled, you can have as many root targets as you need, as long as the size of the DFS Active Directory object (for each root) is less than 5 MB. Do not use root scalability mode if any of the following conditions exist in your organization:
- Your namespace changes frequently, and users cannot tolerate having inconsistent views of the namespace.
- Domain controller replication is slow. This increases the amount of time it takes for the PDC emulator master to replicate DFS changes to other domain controllers, which, in turn, replicate changes to the root servers. Until this replication completes, the namespace will be inconsistent on all root servers.
ex: dfsutil /root:\\mydomain.local\sales /rootscalability /view or /enable or /disable
tip6) Dfsdiag utility: http://blogs.technet.com/b/filecab/archive/2008/10/24/what-does-dfsdiag-do.aspx
/testdcs: With this you can check the configuration of the domain controllers. It performs the following tests:
- Verifies that the DFS Namespace service is running on all the DCs and its Startup Type is set to Automatic.
- Check for the support of site-costed referrals for NETLOGON and SYSVOL.
- Verify the consistency of site association by hostname and IP address on each DC.
To run this command against your domain mydomain.local just type:
DFSDiag /testdcs /domain:mydomain.local
DFSDiag /testdcs > dfsdiag_testdcs.txt
/testsites: Used to check the configuration of Active Directory Domain Services (AD DS) sites by verifying that servers that act as namespace servers or folder (link) targets have the same site associations on all domain controllers.
So for a machine you will be running something like: DFSDiag /testsites /machine:MyDFSServer
For a folder (link): DFSDiag /testsites /dfspath:\\mydomain.local\MyNamespace\MyLink /full
For a root: DFSDiag /testsites /dfspath:\\mydomain.local\MyNamespace /recurse /full
/testdfsconfig: With this you can check the DFS namespace configuration. The tests performed are:
- Verifies that the DFS Namespace service is running and that its Startup Type is set to Automatic on all namespace servers.
- Verifies that the DFS registry configuration is consistent among namespace servers.
- Validates the following dependencies on clustered namespace servers that are running Windows 2008 (not supported for W2K3 clusters):
- Namespace root resource dependency on network name resource.
- Network name resource dependency on IP address resource.
- Namespace root resource dependency on physical disk resource.
To run this you just need to type: DFSDiag /testdfsconfig /dfsroot:\\mydomain.local\MyNamespace
/testdfsintegrity: Used to check the namespace integrity. The tests performed are:
- Checks for DFS metadata corruption or inconsistencies between domain controllers
- In Windows 2008 server, validates that the Access Based Enumeration state is consistent between DFS metadata and the namespace server share.
- Detect overlapping DFS folders (links), duplicate folders and folders with overlapping folder targets (link targets).
To check the integrity of your domain mydomain.local:
DFSDiag /testdfsintegrity /dfsroot:\\mydomain.local\MyNamespace
DFSDiag.exe /testdfsintegrity /dfsroot:\\mydomain.local\MyNamespace /recurse /full > dfsdiag_testdfsintegrity.txt
Additionally you can specify /full and /recurse. In this case, /full verifies the consistency of share and NTFS ACLs in all the folder targets. It also verifies that the Online property is set in all the folder targets. /recurse performs the testing including the namespace interlinks.
/testreferral: Perform specific tests, depending on the type of referral being used.
- For Trusted Domain referrals, validates that the referral list includes all trusted domains.
- For Domain referrals, perform a DC health check as in /testdcs
- For Sysvol and Netlogon referrals, perform the validation for Domain referrals and check that its TTL has the default value (900s).
- For namespace root referrals, perform the validation for Domain referrals, a DFS configuration check (as in /testdfsconfig) and a Namespace integrity check (as in /testdfsintegrity).
- For DFS folder referrals, in addition to performing the same health checks as when you specify a namespace root, this command validates the site configuration for folder target (DFSDiag /testsites) and validates the site association of the local host
Again for your namespace mydomain.local:
DFSDiag /testreferral /dfspath:\\mydomain.local\MyNamespace
DFSDiag.exe /testreferral /dfspath:\\mydomain.local\MyNamespace /full > dfsdiag_testreferral.txt
There is also the option to use /full as an optional parameter, but this only applies to Domain and Root referrals. In these cases /full verifies the consistency of site association information between the registry and Active Directory.
Evaluate domain controller health, site configurations, FSMO ownerships, and connectivity:
Use Dcdiag.exe to check if domain controllers are functional. Review this for comprehensive details about dcdiag:
Dcdiag /v /f:Dcdiag_verbose_output.txt
Dcdiag /v /test:dns /f:DCDiag_DNS_output.txt
Dcdiag /v /test:topology /f:DCDiag_Topology_output.txt
Active Directory replication
If DCDiag finds any replication failures and you need additional details about them, Ned wrote an excellent article a while back that covers how to use the Repadmin.exe utility to validate the replication health of domain controllers:
Repadmin /replsummary * > repadmin_replsummary.txt
Repadmin /showrepl * > repadmin_showrepl.txt
Always validate the health of the environment prior to utilizing a namespace.
- dfsutil /root:\\mydomain.local\myroot /view /verbose ; display the content of root dfs (links…)
- dfsutil /pktinfo ;to display the client cache
- dfsutil /spcinfo ; the domain cache on a client computer
- dfsutil /purgemupcache ; cache stores information about which redirector, such as DFS, SMB, or WebDAV, is required for each UNC path
- dfsutil /pktflush ; Dfsutil /PktFlush is a special problem repair command that should only be executed on the client.
The PKT cache keeps information about referrals for previously accessed DFS paths. If any path is accessed after flushing this cache, the appropriate server(s) will be contacted again to get new referrals. A client benefits from high availability in DFS by getting a list of link target referrals within the same site as well as targets in farther sites. In some cases targets in the closer sites may be inaccessible at the beginning of the client’s use, causing the client to fail over to a target at a farther site. Once a closer and less expensive target is available, you would like the client to use it.
If you do not want to reboot the client to cause a closer site to be selected, type the following at the command line: dfsutil /pktflush
This command flushes the local partition knowledge table (PKT), which forces the client to get the referral list of the targets from the server again. Some of the entries in the PKT may not get flushed, especially if DFS is in the process of using the referrals. Once the PKT is flushed from the client cache, the client gets a new list of referrals from the server and will try accessing the closer targets.
If your support is asking you to check a problem on root DFS or client computer, i.e. \\mycompany.net\rootdfs
The commands I used are:
For \\mycompany.net\rootdfs (from admin wks):
Dfsdiag /testreferral /dfspath:\\mycompany.net\rootdfs => OK
Dfsdiag /testdfsconfig /dfsroot:\\mycompany.net\rootdfs => OK
Dfsdiag /testsites /dfspath:\\mycompany.net\rootdfs => OK
Otherwise, suspect a problem on the clients (intermittent problem of DNS or WINS or DFS cache):
Check name resolution with DNS
Check name resolution with WINS
On the client PC, if the problem occurs, check and flush the cache:
dfsutil /root:\\mycompany.net\rootdfs /view /verbose ; display the content of root dfs (links…)
dfsutil /pktinfo ; to display the client cache
dfsutil /spcinfo ; the domain cache on a client computer
dfsutil /purgemupcache ; this cache stores information about which redirector, such as DFS, SMB, or WebDAV, is required for each UNC path
Dfsutil /pktflush : This command statement flushes the local partition knowledge table (PKT).