4

A while back I set up a DFS namespace \\my.dom.com\somecrap.

It's working great, but I've always noticed something that confused me and I never asked about it.

When I just browse to \\my.dom.com it appears I connect to a random DC. I can confirm what DC by pinging my.dom.com. The IP that is resolved will be the IP of the DC I connect to.

This makes sense because there is a host record in my domain pointing each domain controller to (same as parent folder) which would be my domain name. Which I believe is how it should be.

But interestingly, when I browse to \\my.dom.com (which should be the same as \\DC_currently_resolving_my.dom.com) I find the shared folders on the server are empty; my DFS namespace works as expected, though.

So for example:

  • I browse to \\my.dom.com
  • ping my.dom.com and get back 1.1.1.1
  • browse to \\1.1.1.1 or \\DC's_Hostname; I see the same shared folders, so I know I'm connected to the same server
  • When I look in the shared folders in \\my.dom.com they are empty
  • When I look in the shared folder in \\1.1.1.1 they have files in them

And what's more, when I try to create or copy a file to a shared folder in \\my.dom.com I get this error:

[image]

What's happening here exactly?

Edit: As per iPath's question below, here are the properties boxes of a regular share and a DFS namespace side by side. The regular share is on the left. Interestingly, the regular share is also missing the Security tab, which IS present when I browse to \\Specific_Server vs \\my.dom.com.

[image]

red888
  • Sounds like corruption of the TCP/IP stack or its subsystems. Can you try to open \\my.dom.com from several other computers in the domain and check the folders? – iPath Apr 09 '15 at 15:49
  • This happens on all computers. – red888 Apr 09 '15 at 15:53
  • If you open the properties of that folder (\\my.dom.com\SomeFolder) do you see a DFS tab? If yes what does it show? – iPath Apr 09 '15 at 15:58
  • Any DFS namespaces work without issue. I can access files, view the DFS tab, connect to a different DFS host etc. But the normal shares on the particular DC \\my.dom.com resolves to are empty. This behavior might be by design; as it's not really an issue for me, I'm just curious what's happening. – red888 Apr 09 '15 at 16:02
  • I didn't express properly: do you see a DFS tab in that "empty" folder's properties? Normal shares should work regardless of configured DFS namespaces. – iPath Apr 09 '15 at 16:09
  • Ah well, no, the DFS tab is only present for actual DFS namespace folders; the other normal shares have regular properties. I'll post a picture. – red888 Apr 09 '15 at 17:21

3 Answers

4

You ask a very interesting question that may need deeper technical investigation. My opinion is that Windows "thinks" \\my.dom.com\SimpleSharedFolder is a part of some DFS namespace. But it cannot find related AD information to build a list of target servers that offer the folder's contents. Explorer just displays it as an empty folder.

What happens is (I suppose):

  1. You open \\my.dom.com in Windows Explorer;
  2. It does a simple DNS query for A DNS Records - (same as the parent) ones;
  3. The most suitable DNS record is chosen from the response;
  4. Windows Explorer connects to that SMB server and shows all shared folders;
  5. When you open \\my.dom.com\SimpleSharedFolder DFS Namespace stuff comes into play (the redirector);
  6. The target for this folder is unknown;
  7. Explorer reacts by showing an empty grid;

At the same time just think: "\\my.dom.com\SimpleSharedFolder" is meaningless if SimpleSharedFolder is not a part of some namespace - my.dom.com namespace for example. In your case it's not part of any namespace - only one DC has this folder shared. So it's somehow expected to see nothing accessing it via \\my.dom.com call. Maybe Windows Explorer should be made more robust. Maybe it's a bug or maybe a feature :)

This is just a theory. Feel free to prove it or to consult other AD technicians.

UPDATE:

Theory proven by an experiment - I tried to access \\mydomain.lab\Dev, which is simply a shared folder on a DC. Here is the SMB traffic:

[image]

So DFS comes into play here via the FSCTL_DFS_GET_REFERRALS SMB call:

[image]

I think this explains everything. Hope this helps!

iPath
  • Thanks so much for investigating for me! I always forget how a simple wire capture can explain so much confusing behavior- next time I have a question like this I'll remember to run one myself first. I hope this gets more up votes. – red888 Apr 10 '15 at 13:00
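
For readers who want to see what the FSCTL_DFS_GET_REFERRALS call in that capture carries, here is an added example (not part of the original answer) that builds and decodes the body of an SMB2 IOCTL request wrapping a DFS referral request. The function names are hypothetical and the sample bytes are constructed, not taken from the answer's capture.

```python
import struct

FSCTL_DFS_GET_REFERRALS = 0x00060194  # CtlCode carried in the SMB2 IOCTL request
SMB2_HEADER_LEN = 64                  # InputOffset is counted from the SMB2 header start
# Fixed part of an SMB2 IOCTL request: StructureSize, Reserved, CtlCode, FileId,
# InputOffset, InputCount, MaxInputResponse, OutputOffset, OutputCount,
# MaxOutputResponse, Flags, Reserved2 (56 bytes in total).
IOCTL_FIXED = struct.Struct("<HHI16sIIIIIIII")


def build_dfs_referral_ioctl(path, max_level=4):
    """Build the IOCTL request body (without the SMB2 header) for a DFS referral."""
    # REQ_GET_DFS_REFERRAL: MaxReferralLevel (u16) + null-terminated UTF-16LE path
    req = struct.pack("<H", max_level) + (path + "\0").encode("utf-16-le")
    fixed = IOCTL_FIXED.pack(
        57, 0, FSCTL_DFS_GET_REFERRALS,
        b"\xff" * 16,                        # FileId is all 0xFF for this FSCTL
        SMB2_HEADER_LEN + IOCTL_FIXED.size,  # InputOffset
        len(req), 0, 0, 0, 4096,             # InputCount ... MaxOutputResponse
        1, 0)                                # Flags = IS_FSCTL, Reserved2
    return fixed + req


def parse_dfs_referral_ioctl(body):
    """Return (max_referral_level, requested_path), or None if not a referral IOCTL."""
    if len(body) < IOCTL_FIXED.size:
        return None
    size, _, ctl, _fid, in_off, in_cnt, *_rest = IOCTL_FIXED.unpack_from(body)
    if size != 57 or ctl != FSCTL_DFS_GET_REFERRALS:
        return None
    start = in_off - SMB2_HEADER_LEN
    data = body[start:start + in_cnt]
    if start < IOCTL_FIXED.size or in_cnt < 4 or len(data) != in_cnt:
        return None  # truncated capture or inconsistent offsets
    (level,) = struct.unpack_from("<H", data)
    path = data[2:].decode("utf-16-le", errors="replace").split("\0", 1)[0]
    return level, path


# Constructed sample: on the wire the requested name has a single leading backslash.
SAMPLE = build_dfs_referral_ioctl(r"\mydomain.lab\Dev")

if __name__ == "__main__":
    print(parse_dfs_referral_ioctl(SAMPLE))
```
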
3

So I am sure you found the SYSVOL folder (where Group Policy files are stored) at \\my.dom.com. By default that is replicated between all DCs in the domain ('08 uses via DFSR [Distributed File System Replication] & '03 uses FSR [File Replication Service]) so clients can query the domain \\my.dom.com & whichever DC is closest responds.

I speculate \\my.dom.com is actually handled (resolved) differently than \\1.1.1.1 & it has something to do with SMB vs DFS/N. I can't give you a direct answer to all of your questions, but I do believe that is a start. Here is another article with some more info

gregg
  • Opening \\my.dom.com is resolved by a simple DNS query using the (same as the parent) Host A records. DFS infrastructure/functionality is not involved here. – iPath Apr 09 '15 at 15:56
  • Yes, iPath is right. my.dom.com resolves regardless of whether I have DFS namespaces running. Nothing is broken here (at least I don't think so); I just want to understand this behavior. I browse to \\my.dom.com and connect to whatever DC that resolves to, I can access any DFS namespaces without issue, but the other normal shares on that DC are empty. – red888 Apr 09 '15 at 15:59
0

DFS namespaces use some referral magic to find \\my.dom.com\somecrap if it is on any of the domain controllers -- not just the ones where the namespace is specifically hosted. Non-DFS shares do not have this feature.

Normally, you would make each DC a replica for the somecrap namespace by adding them to the Namespace Servers tab on your DFS Management for the namespace. This does not happen automatically when you add a new DC. Otherwise, it will appear to be blank if your computer happens to resolve \\my.dom.com to \\DC2, if only \\DC1 has the namespace shares defined. Your DNS ordering or site setup may be such that it never defaults to the namespace server, so they would always be blank.

GuitarPicker