DFS Replication 2012 R2

DFS Replication in Windows Server 2012 R2 :http://blogs.technet.com/b/filecab/archive/2013/08/20/dfs-replication-in-windows-server-2012-r2-if-you-only-knew-the-power-of-the-dark-shell.aspx

DFS Replication Initial Sync in Windows Server 2012 R2:http://blogs.technet.com/b/filecab/archive/2013/08/21/dfs-replication-initial-sync-in-windows-server-2012-r2-attack-of-the-clones.aspx

DFS Replication in Windows Server 2012 R2: Restoring Conflicted, Deleted and PreExisting files with Windows PowerShell: http://blogs.technet.com/b/filecab/archive/2013/08/23/dfs-replication-in-windows-server-2012-r2-restoring-conflicted-deleted-and-preexisting-files-with-windows-powershell.aspx

Understanding DFS (how it works): http://technet.microsoft.com/en-us/library/cc782417(v=WS.10).aspx

=> Several mechanisn are used: routing, DNS, AD sites and subnets topology, WINS,  FW ports and rules shoud be open (RPC, SMB…):

NetBIOS Name Service:  Domain controllers; root servers that are not domain controllers; servers acting as link targets; client computers acting as link targets: TCP/UDP 137

NetBIOS Datagram Service: Domain controllers; root servers that are not domain controllers; servers acting as link targets; client computers acting as link targets: TCP/138

NetBIOS Session Service: Domain controllers; root servers that are not domain controllers; servers acting as link targets; client computers acting as link targets: TCP/139

LDAP Server: Domain controllers TCP/UDP 389

Remote Procedure Call (RPC) endpoint mapper: Domain controllers TCP/135

Server Message Block (SMB): Domain controllers; root servers that are not domain controllers; servers acting as link targets; client computers acting as link targets: TCP/UDP 445

Extract from the MS technet: “When a client requests a referral from a domain controller, the DFS service on the domain controller uses the site information defined in Active Directory (through the DSAddressToSiteNames API) to determine the site of the client, based on the client s IP address. DFS stores this information in the client site cache”
“DFS clients store root referrals and link referrals in the referral cache (also called the PKT cache). These referrals allow clients to access the root and links within a namespace. You can view the contents of the referral cache by using Dfsutil.exe with the /pktinfo “
“You can view the domain cache on a client computer by using the Dfsutil.exe command-line tool with the /spcinfo parameter”

Implementing DFS-R: http://technet.microsoft.com/en-us/library/cc770925.aspx AND DFS-R FAQ:http://technet.microsoft.com/en-us/library/cc773238.aspx, delegate DFS-R permissions:http://technet.microsoft.com/en-us/library/cc771465.aspx

Implementing DFS Namespace: http://technet.microsoft.com/en-us/library/cc730736.aspx AND DFS-N FAQ: http://technet.microsoft.com/fr-fr/library/ee404780(v=ws.10).aspx

Consolidation of multiple DFS namespaces in a single one :http://blogs.technet.com/b/askds/archive/2013/02/06/distributed-file-system-consolidation-of-a-standalone-namespace-to-a-domain-based-namespace.aspx

Netmon trace digest: http://blogs.technet.com/b/josebda/archive/2009/04/15/understanding-windows-server-2008-dfs-n-by-analyzing-network-traces.aspx

DFS 2008 step by step: http://technet.microsoft.com/en-us/library/cc732863(WS.10).aspx

DFS tuning and troubleshooting:

DFS-N et DFS-R en ligne de commande:http://blogcastrepository.com/blogs/benoits/archive/2009/08/22/dfs-n-et-dfs-r-en-ligne-de-commande.aspx

DFSR les commandes les plus utiles: http://www.monbloginfo.com/2011/03/02/dfsr-les-commandes-les-plus-utiles/

and http://blogs.technet.com/b/filecab/archive/2009/05/28/dfsrdiag-exe-replicationstate-what-s-dfsr-up-to.aspx

Tuning DFS: http://technet.microsoft.com/en-us/library/cc771083.aspx and Tuning DFS Replication performance : http://blogs.technet.com/b/askds/archive/2010/03/31/tuning-replication-performance-in-dfsr-especially-on-win2008-r2.aspx

DFSutil command line:  http://technet.microsoft.com/fr-fr/library/cc776211(v=ws.10).aspx ANDhttp://technet.microsoft.com/en-us/library/cc779494(v=ws.10).aspx

Performance tuning guidelines for Windows 2008 R2: http://msdn.microsoft.com/en-us/windows/hardware/gg463392.aspx


DFSRMon utility: http://blogs.technet.com/b/domaineetsecurite/archive/2010/04/14/surveillez-en-temps-r-el-la-r-plication-dfsr-gr-ce-dfsrmon.aspx

or  DfsrAdmin.exe in conjunction with Scheduled Tasks to regularly generate health reports: http://go.microsoft.com/fwlink/?LinkId=74010

Server side:

DFS: some notions: A referral is an ordered list of targets that a client computer receives from a domain controller or namespace server when the user accesses a namespace root or folder with targets. After the client receives the referral, the client attempts to access the first target in the list. If the target is not available, the client attempts to access the next target.

tip1) dfsutil domain : Displays all namespaces in the domain ; dfsutil /domain:mydomain.local /view

tip2) You can check the size of an existing DFS namespace by using the following syntax in Dfsutil.exe:

dfsutil /root:\mydomain.localrootname /view (for domain-based DFS)
dfsutil /root:\dfsserverrootname /view (for stand-alone DFS)

tip3) Enabling the insite setting of a DFS server is useful when: You don’t want the DFS clients to connect outside the site.
You don’t want the DFS client to connect to a site other than the site it is in, and hence avoid using expensive WAN links.
dfsutil /insite:\mydomain.localdfsroot /enable

tip4) You want DFS clients to be able to connect outside the internal site, but you want clients to connect to the closest site first, saving the expensive network bandwidth:

ex: dfsutil /root:\mydomain.localsales /sitecosting /view or /enable or /disable

If you do not know if a root is site costing aware, you can check its status by substituting the /display parameter for the /sitecosting parameter.

tip5) Enable root scalability mode: You enable root scalability mode by using the /RootScalability parameter in Dfsutil.exe, which you can install from the SupportTools folder on the Windows Server 2003 operating system CD. When root scalability mode is enabled,  DFS root servers get updates from the closest domain controller instead of the server acting as the PDC emulator master.
As a result, root scalability mode reduces network traffic to the PDC emulator master at the expense of faster updates  to all root servers. (When you make changes to the namespace, the changes are still made on the PDC emulator master,  but the root servers no longer poll the PDC emulator master hourly for those changes; instead, they poll the closest domain controller.)
With this mode enabled, you can have as many root targets as you need, as long as the size of the DFS Active Directory object (for each root)  is less than 5 MB. Do not use root scalability mode if any of the following conditions exist in your organization:Your namespace changes frequently, and users cannot tolerate having inconsistent views of the namespace.  Domain controller replication is slow. This increases the amount of time it takes for the PDC emulator master  to replicate DFS changes to other domain controllers, which, in turn, replicate changes to the root servers.  Until this replication completes, the namespace will be inconsistent on all root servers.

ex: dfsutil /root:\mydomain.localsales /rootscalability /view or /enable or /disable

tip6) Dfsdiag utility: http://blogs.technet.com/b/filecab/archive/2008/10/24/what-does-dfsdiag-do.aspx

/testdcs: With this you can check the configuration of the domain controllers. It performs the following tests:

  • Verifies that the DFS Namespace service is running on all the DCs and its Startup Type is set to Automatic.
  • Check for the support of site-costed referrals for NETLOGON and SYSVOL.
  • Verify the consistency of site association by hostname and IP address on each DC.

To run this command against your domain mydomain.local just type:

DFSDiag /testdcs /domain:mydomain.local

DFSDiag /testdcs > dfsdiag_testdcs.txt

/testsites: Used to check the configuration of Active Directory Domain Services (AD DS) sites by verifying that servers that act as namespace servers or folder (link) targets have the same site associations on all domain controllers.

So for a machine you will be running something like: DFSDiag /testsites /machine:MyDFSServer

For a folder (link): DFSDiag /testsites /dfspath:\mydomain.localMyNamespaceMyLink/full

For a root: DFSDiag /testsites /dfspath:\mydomain.localMyNamespace /recurse /full

/testdfsconfig:  With this you can check the DFS namespace configuration. The tests that perform are:

  • Verifies that the DFS Namespace service is running and that its Startup Type is set to Automatic on all namespace servers.
  • Verifies that the DFS registry configuration is consistent among namespace servers.
  • Validates the following dependencies on clustered namespace servers that are running Windows 2008 (non supported for W2K3 clusters L):
    • Namespace root resource dependency on network name resource.
    • Network name resource dependency on IP address resource.
    • Namespace root resource dependency on physical disk resource.

To run this you just need to type:  DFSDiag /testdfsconfig /dfsroot:\mydomain.localMyNamespace

/testdfsintegrity: Used to check the namespace integrity. The tests performed are:

  • Checks for DFS metadata corruption or inconsistencies between domain controllers
  • In Windows 2008 server, validates that the Access Based Enumeration state is consistent between DFS metadata and the namespace server share.
  • Detect overlapping DFS folders (links), duplicate folders and folders with overlapping folder targets (link targets).

To check the integrity of your domain mydomain.local:

DFSDiag /testdfsintegrity /dfsroot:\mydomain.localMyNamespace

DFSDiag.exe /testdfsintegrity /dfsroot:\mydomain.localMyNamespace /recurse /full > dfsdiag_testdfsintegrity.txt

Additionally you can specify /full, /recurse, which in this case, /full verifies the consistency of share and NTFS ACLs in all the folder targets. It also verifies that the Online property is set in all the folder targets. /recurse performs the testing including the namespace interlinks.

/testreferral: Perform specific tests, depending on the type of referral being used.

  • For Trusted Domain referrals, validates that the referral list includes all trusted domains.
  • For Domain referrals, perform a DC health check as in /testdcs
  • For Sysvol and Netlogon referrals perform the validation for Domain referrals and that it’s TTL has the default value (900s).
  • For namespace root referrals, perform the validation for Domain referrals, a DFS configuration check (as in /testdfsconfig) and a Namespace integrity check (as in /testdfsintegrity).
  • For DFS folder referrals, in addition to performing the same health checks as when you specify a namesapace root, this command validates the site configuration for folder target (DFSDiag /testsites) and validates the site association of the local host

Again for your namespace mydomain.local:

DFSDiag /testreferral /dfspath:\mydomain.localMyNamespace

DFSDiag.exe /testreferral /dfspath:\mydomain.localMyNamespace /full > dfsdiag_testreferral.txt

There is also the option to use /full as an optional parameter, but this only applies to Domain and Root referrals. In these cases /full verifies the consistency of site association information between the registry and Active Directory.

Domain controllers:

Evaluate domain controller health, site configurations, FSMO ownerships, and connectivity:

Use Dcdiag.exe to check if domain controllers are functional. Review this for comprehensive details about dcdiag:

Dcdiag /v /f:Dcdiag_verbose_output.txt

Dcdiag /v /test:dns /f:DCDiag_DNS_output.txt

Dcdiag /v /test:topology /f:DCDiag_Topology_output.txt

Active Directory replication

If DCDiag finds any replication failures and you need additional details about them, Ned wrote an excellent article a while back that covers how to use the Repadmin.exe utility to validate the replication health of domain controllers:

Repadmin /replsummary * > repadmin_replsummary.txt

Repadmin /showrepl * > repadmin_showrepl.txt

Always validate the health of the environment prior to utilizing a namespace.


  • dfsutil /root:\mydomain.localmyroot /view /verbose    ; display the content of root dfs (links…)
  • dfsutil /pktinfo     ;to display the client cache
  • dfsutil /spcinfo     ; the domain cache on a client computer
  • dfsutil /purgemupcache ; cache stores information about which redirector, such as DFS, SMB, or WebDAV, is required for each UNC path
  • dfsutil /pktflush   ; Dfsutil /PktFlush is a special problem repair command that should only be executed on the client.

The PKT Cache keeps information about referrals for previously accessed DFS paths. If any path is accessed after flushing this cache, the appropriate server(s) will be contacted again to get new referrals. A client benefits from high availability in DFS by getting a list of link target referrals within the same site as well as targets in farther sites. In some cases targets in the closer sites may be inaccessible at the beginning of the client’s use, causing the client to successfully failover to a target at a farther site. Once a closer and less expensive target is available, you would like the client to use it. If you do not want to reboot the client to cause a closer site to be selected, type the following at the command line: This command statement flushes the local partition knowledge table (PKT). This forces the client to get the referral list of the targets from the server again.  Some of the entries in the PKT may not get flushed, especially if DFS is in the process of using the referrals. Once the PKT is flushed from the client cache, the client gets a new list of referrals from the server and it surely will try accessing the closer targets.


If your support is asking you to check a problem on  root DFS or client computer: ie. \mycompany.netrootdfs

The commands I used are:

For \mycompany.netrootdfs (from admin wks):
Dfsdiag /testreferral /dfspath:\mycompany.netrootdfs    => OK
Dfsdiag /testdfsconfig /dfsroot:\mycompany.netrootdfs    => OK
Dfsdiag /testsites /dfspath:\mycompany.netrootdfs       => OK

else suspect a problem on the clients (intermittent problem of DNS or WINS or DFS cache):

Check Naming resolution with DNS
Check Naming resolution with WINS

On client PC, if problem occurs, check and flush the cache:

To check:
dfsutil /root:\mycompany.netrootdfs /view /verbose       ; display the content of root dfs (links…)
dfsutil /pktinfo                                                                                ; to display the client cache
dfsutil /spcinfo                                                                                ; the domain cache on a client computer
To flush:
dfsutil /purgemupcache                 ; this cache stores information about which redirector, such as DFS, SMB, or WebDAV, is required for each UNC path
Dfsutil /pktflush                              : This command statement flushes the local partition knowledge table (PKT).



Sunday, April 18, 2010   , , ,

Source: Exit | the | Fast | Lane

Folder redirection has been around since Windows 2000 and has undergone significant changes since then. The core function is the same: take a local directory path and point it somewhere else, without the user knowing or caring that it isn’t local. The advantages of this are that your users can store their important documents “on the network” without having to map drives or instructing them to save in a certain location. You can selectively redirect documents and app data but exclude photos, music, etc if you choose. In this example, I am interested in redirecting My Documents for all users to a secure, redundant, and high performance NetApp Filer. Technologies involved are Windows 7 Enterprise, Server 2008 R2 DFS, and NetApp CIFS shares running on a FAS2020.

First thing, create your CIFS shares on the filer. The way NetApp NAS with the CIFS protocol works is that the filer actually becomes a member of your domain. You can even apply certain GPO settings to it! The stated domain type is incorrect as I’m running in 2008 R2 native mode, but this doesn’t affect anything functionally from what I can tell.


Your CIFS shares are then managed just like a regular Windows server. You can even connect to the filer via the computer management MMC.


Each share you create exists inside a volume and has an associated qtree. All the other NetApp goodies still apply: deduplication, snapshots, auto volume grow, and opportunistic locking. The rest of the options look very much like a regular Windows file server.


I have created a single hidden share called Users$ that sits in a 300GB volume. All of my user’s My Documents will live here. Following best practices, I have granted authenticated users full control to the share as I will control granular access permissions with NTFS. We’re ready to prepare the DFS namespace.

Now in my redirection GPO I could simply point all users to redirect to \<filername>users$<username> but one of the values DFS provides is a consistent domain-based namespace: \domain<dfsRoot><redirection_root><username>. Everything that will exist as a file share in my environment will be accessible via a DFS namespace, much cleaner this way and much easier to change targets should I need to enact my DR plan which I would do via folder targets to my DR filer. I first create a new domain-based namespace in Server 2008 mode called Users (add a $ to the end to make it hidden):


This is simply the DFS root which lives in the local file system space on my namespace server (domain controller). To be able to point to my filer I need to create another folder inside of this DFS root, that can then be targeted to a matching folder on my NAS. So I will create a new folder called “root” on both NAS: \cufas2users$ and DFS: \domain.comUsers. First create the new root folder on NAS then add a folder to DFS with a target that will point to the root folder on the filer. Additional targets can be configured and controlled for redundancy, replication, and DR.


Before we configure the GPO let’s set permissions on the Root folder. This is a critical step and is what will ultimately make or break this configuration. Since this is the root folder for the entire share, remove permission inheritance and set the following permissions:

  • CREATOR OWNER – Full Control (Apply onto: Subfolders and Files Only)
  • System – Full Control (Apply onto: This Folder, Subfolders and Files)
  • Domain Admins – Full Control (Apply onto: This Folder, Subfolders and Files)
  • Authenticated Users – Create Folder/Append Data (Apply onto: This Folder Only)
  • Authenticated Users – List Folder/Read Data (Apply onto: This Folder Only)
  • Authenticated Users – Read Attributes (Apply onto: This Folder Only)
  • Authenticated Users – Traverse Folder/Execute File (Apply onto: This Folder Only)


This will allow all users to programmatically create their directory folders beneath the root folder as well as be granted full control to them without the ability to see anyone else’s folders. Domain Admins will have full control to all folders. Now we’re ready to set up our folder redirection GPO.

Folder redirection is a user configuration setting so the GPO that contains these settings must be linked to an OU that houses user accounts, or linked high enough in the AD tree so that user-housing OUs will inherit. Redirection can be set in basic or advanced mode, basic redirecting everyone to the same location. Advanced enables the opportunity to redirect users differently based on security group. In either case you can redirect to the user’s home directory, create a folder for each user under the specified root, redirect to a specific location or to the user’s local %userprofile% path. I will be using the “create a folder” option under the advanced mode and the path is the DFS root created earlier: \domain.comusers$root. For now the policy will apply to one group, domain users, but I will have future flexibility should I need to have additional groups redirected differently. The effect of this policy is that each user, once successfully redirected, will automatically have a new folder under the root directory named after their username, with the documents folder beneath it. Any other folders I choose to redirect will also live under this %username% directory.


Additionally, you can grant the user exclusive access to their folder which keeps out even domain admins and creates problems for backups. Since we’ve set very specific permissions on the root we don’t need to worry about this anyway. The other pertinent option is to move the contents of the source to the destination which I have had problems with in my environment. I’ll be leaving both of these unchecked.


Now when a user logs into any machine in the enterprise they will see the exact same documents folder which lives safe and sound on an enterprise storage array. Should the primary array fail, DFS will repoint their redirected documents to a DR filer in another datacenter.


Something else to consider for your laptop users is offline files in conjunction with folder redirection. I have this enabled by default for all laptops and expressly disable them for desktops. This is a good compromise so that laptop users will enjoy the benefits of redirection while in the office but will also be able to access and work on these documents while away. The next time they connect to the corporate network any changes they made to an offline file will sync back up with their redirected folders on the NAS.


  1. Thanks a lot, very useful info for us.


  2. Nice article


  3. Nice article I’m getting ready to configure a root that will be for roaming profiles and folder redirections


  4. Curious about Windows 7 Search functions – my guess is that it is not available since you are using DFS Namespace and a filer / server that is not running Windows Serch Service. Was Search not a requirement for your implementation?


  5. Hi Kevin,

    Correct, integrated search was not a key design consideration at the time. Sharepoint can integrate into 7 search depending on your license level but for this users would have to resort to opening the folder and then searching within it (slow).



  6. Hi I’m not sure if you still monitor this blog, but if you do please reply back! i have some questions regarding the setup. im trying to do the exact same thing on a FAS2040, but there is already shares created for users “home folders” which are mapped drives…. im trying to move to folder redirection.


  7. Are you looking for guidance on what’s possible or need help crafting a plan? Is your DFS namespace setup conducive to user redirection as I outlined here?


  8. i will be doing the same thing you are trying to do, but im not sure about DFS. i have no experience with it but i could just follow your guide and technet. I guess im looking for somee guideness when it comes to the actual filer. i came to an already setup environment where the previous admin created share for each individual user and used a script to map a home drive. one of the hurdles for example is i cant access the filer from my MMC snapin. it says i dont have permissions, and i cant find the settings on the filers to enable the remote administrations, or give my self permissions.


  9. Ah, ok, I think I understand your situation. So those shares that exist currently on the filer should be fine. You’ll just be changing how they’re accessed and presented to the user via DFS/ redirection.

    Re admin access, can’t help you there. Might put a call into netapp.


  10. thanks for your help! i have one more questinos, when you were setting up the NTFS permissions for the share did you encounter a problem when adding “Creator Owner” with full control?
    When I add it it strips it out of all permissions and says access denied ~snapshots or something. I think the snapshots folder inside the share is preventing it. any thoughts? Nepapp support hasnt been helpful to me…


  11. Try this process with a brand new share, do you still get the error?


  12. Hi Weestro, I’m Argie.
    Interesting post. How do you manage replication between “Target Folders” in Filers.
    As far as I know (and I do try), DFS replication is not possible using shares in Filers, because they are not Windows Machines. Even NetApp says not to use DFS replication (see TR-3782).
    Do you have some workaround for this? Mind to Share?


  13. Hi Argie,

    There are a few ways to do this but the best way would be via the native replication tool (snapmirror) and replicate at the volume or qtree level of your root folder path. Now in DFS just add folder targets for the paths on each side of your replication mirror. You could then use site referral ordering or disable the DR target referrals in DFS until you need them, then in a DR test or failover scenario, make your DR targets active and break the snapmirror.




  14. Is there a way to use storage replication like SnapMirror and to use some kind of automatic switching between main and DR site in case of failure?


  15. There is, but you’ll need a way to automate the process. VMware’s SRM tool, for example, does this. Zerto is another. If you’re a scripting master you could probably create something or use automation tools like Puppet, Chef, Salt…



A blog dedicated to Citrix technology

There's More to the Story: a blog about LIFE, chronic illness, and Mental Health

I’m the loud and relentless "patient" voice and advocate they warned you about. I happen to have type 1 diabetes, ADHD, anxiety, OCD, PCOS, endometriosis, thyroid issues, asthma, allergies, lactose intolerance (and more), but there’s more to story.


Sharing knowledge in deploying, troubleshooting and managing Windows

Dirk & Brad's Windows Blog

Microsoft Platform How To's, Best Practices, and other Shenanigans from Highly-qualified Windows Dorks.

Ingmar Verheij

About Citrix, Remote Desktop, Performance, Workspace, Monitoring and more...

Jack's Server blog

Blog about server management


A blog by Jonathan Frappier about virtualization and technology

CloudPundit: Massive-Scale Computing

the business of Internet infrastructure, cloud computing, and data centers


Every Cloud Has a Tin Lining.


See no physical, hear no physical, speak no physical - speakvirtual.com


IT can be easy

Ask the Architect

My workspace journey


The weblog of an IT pro specializing in virtualization, networking, cloud, servers, & Macs


a place under control of his big head

The Neighborhood

The Story within the Story

Yellow Bricks

by Duncan Epping


Enterprise Storage Engineer

My Virtual Vision

My thoughts on application delivery