The Basics of SMB Signing (covering both SMB1 and SMB2)

December 1, 2010, 1:40 pm

≫ Next: Currently available hotfixes for SMB and SMB2 File Server components in Windows Server 2008 and Windows Server 2008 R2

≪ Previous: What version of SMB2 am I using on my Windows file server?

SMB Signing Overview

Server Message Block (SMB) is the file protocol most commonly used by Windows. SMB Signing is a feature through which communications using SMB can be digitally signed at the packet level. Digitally signing the packets enables the recipient of the packets to confirm their point of origination and their authenticity. This security mechanism in the SMB protocol helps avoid issues like tampering of packets and “man in the middle” attacks.

SMB signing is available in all currently supported versions of Windows, but it’s only enabled by default on Domain Controllers. This is recommended for Domain Controllers because SMB is the protocol used by clients to download Group Policy information. SMB signing provides a way to ensure that the client is receiving genuine Group Policy.

SMB signing was introduced in Windows 2000 (at the time it was also ported back to Microsoft Windows NT 4.0 and Microsoft Windows 98). With the introduction of SMB2 in Windows Vista and Windows Server 2008, signing was improved by using a new hashing algorithm (HMAC SHA-256 replaced the old MD5). At that time, the settings were updated to simplify configuration and interoperability (you can find details later in the post). Another important improvement in SMB2 signing is performance. In SMB1, enabling signing significantly decreases performance, especially when going across a WAN. In SMB2, there is almost no measurable degradation in performance, although there is still a higher CPU load.

SMB1 Signing Configuration and Defaults

There are two main ways to configure signing for SMB1 clients and SMB1 servers. The easier one is set a Group Policy to configure it. This is, for instance, how domain controllers are configured by default to require signing. The other way to do it is using registry settings. On each side (SMB1 client and SMB1 server), SMB1 Signing can be set to be “Required”, “Enabled” or “Disabled”.

Here’s a summary of the SMB1 Client signing settings:

Setting	Group Policy Setting	Registry Keys
Required	Digitally sign communications (always) – Enabled	RequireSecuritySignature = 1
Enabled*	Digitally sign communications (if server agrees) – Enabled	EnableSecuritySignature = 1, RequireSecuritySignature = 0
Disabled	Digitally sign communications (if server agrees) – Disabled	EnableSecuritySignature = 0, RequireSecuritySignature = 0

Here’s a summary of SMB1 Server signing settings:

Setting	Group Policy Setting	Registry Keys
Required***	Digitally sign communications (always) – Enabled	RequireSecuritySignature = 1
Enabled	Digitally sign communications (if client agrees) – Enabled	EnableSecuritySignature = 1, RequireSecuritySignature = 0
Disabled **	Digitally sign communications (if client agrees) – Disabled	EnableSecuritySignature = 0, RequireSecuritySignature = 0

* The default setting for signing on SMB1 Clients is “Enabled”.
** The default setting for signing on SMB1 Servers is “Disabled”.
*** The default setting for signing on Domain Controllers (defined via Group Policy) is “Required”.

The Group Policy settings are found under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.
Client registry keys are stored under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkStation\Parameters.
Server registry keys are stored under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters.
All registry keys are of type DWORD.

SMB2 Signing Configuration and Defaults

SMB2 simplified this configuration by having only one setting: whether signing was required or not. This can be configured via Group Policy or registry setting, on SMB2 clients and SMB2 servers. On each side, signing can be set to be “Required” or “Not Required”.

Here’s a summary of the SMB2 client and SMB2 server signing settings:

Setting	Group Policy Setting	Registry Key
Required *	Digitally sign communications (always) – Enabled	RequireSecuritySignature = 1
Not Required **	Digitally sign communications (always) – Disabled	RequireSecuritySignature = 0

* The default setting for signing on a Domain Controller (defined via Group Policy) is “Required”.
** The default setting for signing on SMB2 Servers and SMB Clients is “Not Required”.

The Group Policy setting is found under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.
Client registry key is stored under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkStation\Parameters.
Server registry key is stored under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters.
All registry keys are of type DWORD.

SMB Signing Effective Behavior

There is a negotiation done between the SMB client and the SMB server to decide whether signing will effectively be used.

Here’s a summary of the effective behavior for SMB2:

	Server – Required	Server – Not Required
Client – Required	Signed*	Signed
Client – Not Required	Signed	Not Signed**

Here’s a summary of the effective behavior for SMB1 in current versions of Windows:

	Server – Required	Server – Enabled	Server – Disabled
Client – Required	Signed	Signed	Signed
Client – Enabled	Signed*	Signed	Not signed**
Client – Disabled	Signed	Not Signed	Not Signed

* Default for Domain Controller SMB traffic.
** Default for all other SMB traffic.

Older SMB1 Signing Behavior

A common source of confusion around SMB1 signing is the fact that older versions of Windows had a different signing behavior. That behavior was changed in 2008 to match the behavior of Windows Server 2008 and Windows Vista as documented at http://support.microsoft.com/kb/950876. Here’s a summary of the effective behavior for early versions of Windows Server 2003 and Windows XP (or older):

	Old Server – Required	Old Server – Enabled	Old Server – Disabled
Old Client – Required	Signed	Signed	Fails to connect
Old Client – Enabled	Signed*	Signed	Not signed**
Old Client – Disabled	Fails to connect	Not Signed	Not Signed

* Default for Domain Controller SMB1 traffic.
** Default for all other SMB1 traffic.

If you have an old SMB1 server or old SMB1 client, you should have it patched or updated to remove the possibility of failures to connect in a misconfigured environment.

Changing the SMB signing behavior

In general, it is recommended that you keep the default SMB signing settings. However, customers sometimes want to reconfigure SMB signing in specific situations. For instance, the customer could have the need to:

Increase SMB performance in Domain Controllers. It’s true that SMB signing will require additional processing for hash calculation, so you could increase a domain controller SMB performance by disabling the “Required” setting on Domain Controllers. However, we strongly discourage changing the default, since it will also expose your Group Policy to tampering and man-in-the-middle attacks.
Allow the use of WAN ‘optimization’ devices to speed up traffic SMB traffic between branch offices and head office by disabling the “Required” setting on Domain Controllers. Again, you’re trading performance for security. Although these these devices could be legitimate, they essentially behave as a broker and would be in the position to relay obsolete group policy settings or even tampered ones (if compromised).
Increase the security for SMB clients or SMB servers that are not Domain Controllers. By enabling the “Required” setting on SMB clients or SMB server, you could force all SMB traffic to be signed. Signing all SMB traffic is not recommended because it will require additional processing (for hash calculation) and will decrease SMB performance.

If you decide that you must change the SMB signing settings, the recommendation is to use the “Digitally sign communications (always)” Group Policy setting. If you cannot do it via Group Policy, you could use the “RequireSecuritySignature” registry setting.

IMPORTANT: We no longer recommend using “Digitally sign communications (if client agrees)” or “Digitally sign communications (if server agrees)” Group Policy settings. We also no longer recommend using the “EnableSecuritySignature” registry settings. These options, which only affect the SMB1 behavior, can be effectively replaced by the “Digitally sign communications (always)” Group Policy setting or the “RequireSecuritySignature” registry setting.

References

Here are a few Knowledge Base articles (support) and TechNet articles that provide additional details on SMB signing. Please be careful interpreting these references, since some of them refer to the older SMB1 behavior.

http://support.microsoft.com/kb/887429 - Overview of Server Message Block signing for older versions of OS
http://support.microsoft.com/kb/916846 - Mismatched SMB signing in Group Policy or in the registry
http://support.microsoft.com/kb/950876 - Windows Server 2003 and Windows XP fix to match Windows Server 2008 or Windows Vista SP1 signing.
http://technet.microsoft.com/en-us/library/cc728025.aspx - Group Policy: Microsoft network client: Digitally sign communications (always)
http://technet.microsoft.com/en-us/library/cc785861.aspx - Group Policy: Microsoft network client: Digitally sign communications (if server agrees)
http://technet.microsoft.com/en-us/library/cc786681.aspx - Group Policy: Microsoft network server: Digitally sign communications (always)
http://technet.microsoft.com/en-us/library/cc759474.aspx - Group Policy: Microsoft network server: Digitally sign communications (if client agrees)
http://technet.microsoft.com/en-us/library/cc512612.aspx - How to Shoot Yourself in the Foot with Security, Part 1

↧

Currently available hotfixes for SMB and SMB2 File Server components in Windows Server 2008 and Windows Server 2008 R2

January 31, 2011, 10:45 pm

≫ Next: FSCT test results detail the performance of Windows Server 2008 R2 File Server configurations - 23,000 users with 192 spindles

≪ Previous: The Basics of SMB Signing (covering both SMB1 and SMB2)

If you’re installing a Windows Server 2008 or Windows Server 2008 R2 file server, we always recommend getting the latest hotfixes from Windows Update. That will include all security updates and updates that are considered important enough to be delivered to all Windows Server users. However, there is a class of hotfixes there not pushed via Windows Update. Typically, you won’t get those hotfixes until in the next Service Pack or if you run into the specific issues they address and call Microsoft Support.

As you can imagine, these hotfixes do undergo a more narrow testing, typically focused on resolving specific issues reported by customers. The Service Pack process includes a much broader test process, focused on the complex interactions between multiple hotfixes from different components.

Although this is not the recommended procedure for someone interested in the most stable version of the components, some users prefer to apply the latest version of the SMB and SMB2 file server bits when installing a a server, especially if they have the opportunity to perform extensive tests before going live with the server. However, there used to be no easy way to tell which are the latest non-critical hotfixes, unless you were tracking each individual hotfix that got published at http://support.microsoft.com.

Well, the good news is that the bright folks in Microsoft Support that work specifically with File Services for Windows Server have put together a Knowledge Base article (or a KB) that gives you the latest hotfixes for the SMB and SMB2 file server components. Not only that, they will be keeping that KB updated as new service packs and hotfixes get publish. You see, they are always on top of all the hotfixes being released for their components.

If you’d rather wait for the Service Pack for the less critical updates, that’s fine. However, if you want to install the latest version of the components related to the SMB and SMB2 file server (including SRV, MRXSMB and RDBSS), you now have a single place to look them up. And, as usual, perform all the proper testing before deploying to production. Find that new KB at http://support.microsoft.com/?id=2473205.

↧

FSCT test results detail the performance of Windows Server 2008 R2 File Server configurations - 23,000 users with 192 spindles

April 8, 2011, 4:36 pm

≫ Next: Using 4k sector and advanced format drives in Windows. HotFix and support info for Windows Server 2008 R2 and Windows 7

≪ Previous: Currently available hotfixes for SMB and SMB2 File Server components in Windows Server 2008 and Windows Server 2008 R2

1. Introduction

The File Server Capacity Tool (FSCT) is a free download from Microsoft that helps you determine the capacity of a specific file server configuration (running Windows or any operating system that implements the SMB or SMB2 protocols). It simulates a specific set of operations (the “Home Folders” workload) being executed by a large number of users against the file server, confirming the ability of that file server to perform the specified operations in a timely fashion. It makes it possible to verify, for instance, if a specific file server configuration can handle 10,000 users. In case you’re not familiar with FSCT’s “Home Folders Workload”, it simulates a standard user’s workload based on Microsoft Office, Windows Explorer, and command-line usage when the file server is the location of the user’s home directory.

We frequently use FSCT internally at Microsoft. In fact, before being released publicly, the tool was used to verify if a specific change to the Windows code has any significant performance impact in a file server scenario. We continue use FSCT for that purpose today.

Recently, the File Server Team released a document (available at http://www.microsoft.com/downloads/en/details.aspx?FamilyID=89a73dd0-ed31-4cc2-aa7d-2fded8a023ab) with results from a series of FSCT tests. These tests were performed in order to quantify the file server performance difference between Windows Storage Server 2008 (based on Windows Server 2008) and Windows Server 2008 R2. It was also an exercise to analyze the capacity (in terms of FSCT “Home Folders” users) of some common File Server configurations using between 24 and 192 disks.

2. Comparing Windows Server 2008 and Windows Server 2008 R2 with 24 spindles

The document includes details about how the tests were performed, what specific hardware configurations were used and what was the CPU, memory, disk and network utilization in each case. It organizes the results by operating system, showing results for all Windows Storage Server 2008 (based on Windows Server 2008) configurations, then the results of all Windows Server 2008 R2. However, I find it even more interesting to compare two identical hardware configurations running the two different versions of Windows. You can clearly see how the software improved over time. For instance, you see below how a 24-spindle configuration went from supporting 4,500 FSCT users to supporting 7,500 FSCT users. Note how Windows Server 2008 R2 was able to squeeze more out of the server, with increased CPU, memory, disk and network utilization:

FSCT Test Results	TESTBED-C [24 HDD – R10]	TESTBED-F [24 HDD – R10]
Max users supported	4,500	7,500
CPU utilization	12%	28%
Memory utilization	34%	65%
Disk utilization	106 MB/sec	193 MB/sec
Network utilization	114 MB/sec	208 MB/sec
Test date	05/02/2010	02/21/2010
Hardware Configuration	TESTBED-C [24 HDD – R10]	TESTBED-F [24 HDD – R10]
Platform	White box Hardware	White box Hardware
Operating system	Windows Server 2008 *	Windows Server 2008 R2
Processor	(1) Intel X5560 (2.8GHz)	(1) Intel X5560 (2.8GHz)
Memory	16GB	16 GB
Disk drives	(24) 72GB SFF SAS 15K	(24) 72GB SFF SAS 15K
LUNs	(2) x 12 HDD (RAID-10)	(2) x 12 HDD (RAID-10)
Disk array	(1) FC array	(1) FC array
Disk controller	(1) Dual port 8Gb FC HBA	(1) Dual port 8Gb FC HBA
Network adapters	(1) 10GbE	(1) 10GbE

* This is actually Windows Storage Server 2008, which is built on Windows Server 2008.

This table provides an interesting snapshot of many items that matter to capacity planning. For instance, you can see how we’re not really hitting bottleneck on CPU, storage or network. My conclusion here is that we’re bound by the random access performance of the individual drives (random IOPs) and we would need to add more spindles to achieve more users per server. If your goal is to provide a “Home Folders” file service to around 5,000 users and want to save money, you could go the other way and decide to tweak TESTBED-F and use a system with less RAM (since we’re not hitting that) or even configure the system with dual 1GbE network interfaces instead of 10GbE (since dual 1GbE can provide you with a around 220MB/sec). However, if you do want to change the configuration, you would need to run the tests again, since there could be other interactions when you change the hardware like that.

3. Comparing Windows Server 2008 and Windows Server 2008 R2 with 96 spindles

In a similar fashion, a 96-spindle configuration went from supporting 9,500 FSCT users to an impressive 16,500 FSCT users. Again, nothing was changed in the hardware to achieve that improvement. It was just a matter of going from Windows Storage Server 2008 (based on Windows Server 2008) to Windows Server 2008 R2 (and effectively using SMB2 version 2.1 instead of SMB2 version 2.0).

FSCT Test Results	TESTBED-A [96 HDD – R10]	TESTBED-E [96 HDD – R10]
Max users supported	9,500	16,500
CPU utilization	16%	48%
Memory utilization	37%	17%
Disk utilization	238 MB/sec	419 MB/sec
Network utilization	260 MB/sec	457 MB/sec
Test date	05/03/2010	02/15/2010
Hardware Configuration	TESTBED-A [96 HDD – R10]	TESTBED-E [96 HDD – R10]
Platform	White box Hardware	White box Hardware
Operating system	Windows Server 2008 *	Windows Server 2008 R2
Processor	(2) Intel X5560 (2.8GHz)	(2) Intel X5560 (2.8GHz)
Memory	32GB	72 GB
Disk drives	(96) 72GB SFF SAS 15K	(96) 72GB SFF SAS 15K
LUNs	(8) x 12 HDD (RAID-10)	(8) x 12 HDD (RAID-10)
Disk array	(1) FC array + (3) enclosures	(1) FC Array + (3) Enclosures
Disk controller	(2) Dual port 8Gb FC HBA	(2) Dual Port 8Gb FC HBA
Network adapters	(1) 10GbE	(1) 10GbE

* This is actually Windows Storage Server 2008, which is built on Windows Server 2008.

Again, you would need to look deep to understand your bottleneck here. While FSCT will provide you with a lot of performance counters, you need a human to figure out what is holding you back. Clearly it’s not memory or CPU. Your network also is not at max capacity yet (in theory, you could hit at least twice what is being used by the TESTBED-E using 10GbE). So, again, the bottleneck here has to be the storage. As I mentioned before, If your goal is to configure a system to provide service to around 10,000 users, you could probably play with TESTBED-E’s configuration a bit (use less memory, use just one processor instead of two, reduce the number of disks) to shrink the overall acquisition cost a little while keeping the performance at a good level for that number of users. Again, you would need to rerun FSCT with that new configuration to be sure.

4. Running Windows Server 2008 R2 with 192 spindles

The document also includes a 192-spindle configuration using Windows Server 2008 R2. This is one of the most impressive FSCT results I have ever seen. In this test, a single file server was able to successfully handle 23,000 FSCT users running the “Home Folders” workload simultaneously. I wonder if you could find a similar NAS appliance configuration out there able to handle this number of FSCT users... Here are the results:

FSCT Test Results	TESTBED-D [192 HDD – R0]
Max users supported	23,000
CPU utilization	63%
Memory utilization	23%
Disk utilization	601 MB/sec
Network utilization	650 MB/sec
Test date	02/14/2010
Hardware Configuration	TESTBED-D [192 HDD – R0]
Platform	White box Hardware
Operating System	Windows Server 2008 R2
Processor	(2) Intel X5560 (2.8GHz)
Memory	72 GB
Disk drives	(192) 72GB SFF SAS 15K
LUNs	(16) x 12 HDD (RAID-0)
Disk array	(2) FC Array + (6) Enclosures
Disk controller	(4) Dual Port 8Gb FC HBA
Network adapter	(2) 10GbE

In this configuration, it is much harder find the bottleneck. We have a good amount of free memory, but we’re hitting a fairly high CPU utilization for a file server workload. Both the storage and the network are fairly busy as well at around 600 MB/sec. Also note that we’re using RAID-0 here, so this configuration is not realistic for a production deployment.

5. Charts and Diagrams

Each of the configurations includes also a chart with the throughput (in FSCT scenarios per second), CPU utilization and total number of FSCT users the configuration can handle, as you can see below. These charts were created using Microsoft Excel and the text results provided by FSCT. For example, here’s the chart for the 192-spindle configuration:

The document also provides information about the hardware used in each of the configurations, including disks, arrays, storage fabric, server, network and clients used to generate the load. There is enough information there to allow you to reproduce the tests in your own environment or lab. For instance, here’s a diagram of the 192-spindle configuration:

6. Table of Contents

This blog post provides just a sample of the information contained in the document. Here is the full table of contents:

Overview
- FSCT Terminology
- Server Tuning Information
- Windows Storage Server 2008
- Windows Server 2008 R2
TESTBED-A (WSS08, Dual Socket, 32GB RAM, (96) SAS 15K HDD, RAID-10)
- FSCT Test Results (9500 users with 16% CPU utilization)
- Hardware Configuration
TESTBED-B [WSS08, Dual Socket, 16GB RAM, (48) SAS 15K HDD, RAID-10]
- FSCT Test Results (6500 users with 11% CPU utilization)
- Hardware Configuration
TESTBED-C [WSS08, Single Socket, 16GB RAM, (24) SAS 15K HDD, RAID-10]
- FSCT Test Results (4500 users with 12% CPU utilization)
- Hardware Configuration
TESTBED-D [W2K8R2, Dual Socket, 72GB RAM, (192) SAS 15K HDD, RAID-0]
- FSCT Test Results (23000 users with 63% CPU utilization)
- Hardware Configuration
TESTBED-E [W2K8R2, Dual Socket, 72GB RAM, (96) SAS 15K HDD, RAID-10]
- FSCT Test Results (16500 users with 48% CPU utilization)
- Hardware Configuration
TESTBED-F [W2K8R2, Single Socket, 16GB RAM, (24) SAS 15K HDD, RAID-10]
- FSCT Test Results (7500 users with 28% CPU utilization)
- Hardware Configuration
Conclusion
References

7. Conclusion

As you can see, the document is rich in detail. If your work is related to planning, sizing or configuring file servers, it could be very useful.

I would highly recommend downloading the full document from http://www.microsoft.com/downloads/en/details.aspx?FamilyID=89a73dd0-ed31-4cc2-aa7d-2fded8a023ab

I would also encourage you to experiment with FSCT yourself. You can start at http://blogs.technet.com/b/josebda/archive/2009/09/16/file-server-capacity-tool-fsct-1-0-available-for-download.aspx

↧

Using 4k sector and advanced format drives in Windows. HotFix and support info for Windows Server 2008 R2 and Windows 7

April 26, 2011, 2:34 pm

≫ Next: TechEd 2011 Session WSV317: Windows Server 2008 R2 File Services Consolidation - Technology Update

≪ Previous: FSCT test results detail the performance of Windows Server 2008 R2 File Server configurations - 23,000 users with 192 spindles

If you work with storage, you probably already heard about the “4K Sector Drives”, “Advanced Format Drives” and “512e drives”. These new “4K sector drives” abandon the traditional use of 512 bytes per sector in favor of a new structure that uses 4096 bytes. The migration to the new formats is eased by the use of 4K drives that simulate the old format, known as “512 Emulation Drives” or “512e Drives” or Advanced Format Drives”.

Native 4K sector drives are currently not supported with Windows. However, 512e drives (or Advanced Format Drives) are supported with recent versions of Windows, provided that you follow the guidance in the following support article: http://support.microsoft.com/kb/2510009. There are specific requirements to be met and specific details for different Microsoft applications like Hyper-V, SQL Server and Exchange Server.

For Windows 7 and Windows Server 2008 R2, the KB article above mentions the requirement to install a specific hotfix described at http://support.microsoft.com/kb/982018. Please note that most of this fix is part of Windows 7 Service Pack 1 (SP1) or Windows Server 2008 R2 SP1, except for updates to the FSUTIL tool.

For you developers, head on over to MSDN to read on the nitty gritty details of this storage transition, and how it may impact your applications. Details are published at http://msdn.microsoft.com/en-us/library/hh182553.aspx.

If you’re interested in these new 4K sector drives, you might also want to look at these other links:

Note: The updated version of FSUTIL is available as a download from the support KB page and, since 4/26/2011, via Windows Update labeled as "Update for Windows 7 (KB982018)".

-----

After I posted this blog, MikeH asked on FileCab: Is there any way I can figure out if the installed drive uses 4K or emulation mode?

Answer: You can recognize "Advanced Format" drives (also known as 512e or 512 emulation) by using FSUTIL FSINFO NTFSINFO <drive> and looking at the "Bytes per Sector" and "Bytes Per Physical Sector". Those drives will show 512 bytes per sector but 4096 (4K) bytes per physical sector. For more details, read the section titled "Issue 6" at http://support.microsoft.com/kb/982018.

↧

TechEd 2011 Session WSV317: Windows Server 2008 R2 File Services Consolidation - Technology Update

May 16, 2011, 4:35 am

≫ Next: Installing Windows Server 2008 on a headless server from a USB disk

≪ Previous: Using 4k sector and advanced format drives in Windows. HotFix and support info for Windows Server 2008 R2 and Windows 7

This week at TechEd 2011 I will be delivering a presentation about “Windows Server 2008 R2 File Services Consolidation - Technology Update”.

If you’re attending the conference in Atlanta-GA, this is session WSV317 on Wednesday at 10:15 AM, plus a repeat on Thursday also at 10:15 AM.

The presentation is divided into 5 main topics:

Overview of the main advances in File Services in Windows Server 2008 R2, compared to Windows Server 2003/2008
Examination of 3 interesting file server configurations with 24, 96 and 192 disks using the File Server Capacity Tool (FSCT)
How to consolidate file server names, a common issue when retiring multiple file servers into a single, beefier one
Leveraging multiple network interfaces on a file server to provide additional bandwidth and network fault tolerance
Implementing High Availability for File Services using Failover Clustering and Virtualization

Here’s a complete outline of the presentation:

Agenda
- Session Objectives
- Scenario Overview
File Server Scalability and Performance
- Improvements since Windows Server 2003
  - SMB2 and SMB 2.1 improvements
  - Make sure you’re running the right version…
  - CHKDSK Improvements
  - 8.3 naming disabling and stripping
  - DFS Namespace Scalability
  - Multi-threaded ROBOCOPY
  - Scalability Improvement Over Time
- Sample Configuration – 24 spindles
- Sample Configuration – 96 spindles
- Sample Configuration – 192 spindles!
File Server Name Consolidation
- The name consolidation problem
- Static DNS Entries
- Alternate Computer Names and Dynamic DNS
- DFS Consolidation Roots
- Virtual Machines
- Failover Clusters
File Server Advanced Networking
- DNS Round Robin
- SMB2 Durability
- Multiple IP addresses per cluster name
- NIC Teaming
- Sample Multi-NIC File Server Configurations
  - Standalone, single switch, single client NIC – 2nd NIC disabled
  - Standalone, single switch, single client NIC – NIC teaming
  - Standalone, single switch, single client NIC – same subnet
  - Standalone, multiple switches, single client NIC
  - Standalone, router, single client NIC
  - Standalone, multiple switches, multiple client NICs
  - Cluster, router, single client NIC
  - Cluster, multiple switches, multiple client NICs
File Server High Availability
- Multi-site DFS and Offline Files
- Single-site DFS
- Cluster - Active/Passive vs. Multi-Active
- File Server Cluster – FC SAN
- File Server Cluster – SAS Array
- File Server Cluster – iSCSI SAN
- Virtual File Server – DFS
- Virtual File Server, Host Cluster
- Virtual File Server, Guest Cluster
Review: Session Objectives

The two demos include SMB2 durability, SQL over SMB2, the Microsoft iSCSI Software Target and a Failover Cluster with Windows Server 2008 R2 SP1 File Services.

Looking forward to seeing you there... And also at the Windows Server booth for File Services (WSV 13).

P.S.: You can now listen to a recording of this presentation at http://channel9.msdn.com/Events/TechEd/NorthAmerica/2011/WSV317
I also posted information about the demo used in this presentation at http://blogs.technet.com/b/josebda/archive/2011/05/19/teched-2011-demo-install-step-by-step-hyper-v-ad-dns-iscsi-target-file-server-cluster-sql-server-over-smb2.aspx

↧

Installing Windows Server 2008 on a headless server from a USB disk

February 13, 2009, 11:37 am

≫ Next: The Basics of the Windows Server 2008 Distributed File System (DFS)

≪ Previous: TechEd 2011 Session WSV317: Windows Server 2008 R2 File Services Consolidation - Technology Update

I am installing Windows Server 2008 on a new server that has no video card and no DVD drive. It's an interesting challenge to make that one work and I'm relying on using a bootable USB disk and unattend files.

In my case, it turns out the server has a USB interface and using USB to boot is not that hard, assuming your server allows you to boot from USB. Most of them have that option in the BIOS these days. Using a USB stick (also known as flash drive or pen drive in other parts of the world) is usually faster compared to a USB DVD player, with the advantage of being easier to update. Just make sure that, if you're using a USB hub, it's USB 2.0 hub. The older USB 1.x hubs are just too slow...

You need to prepare the USB stick in a certain way for it to boot. In short, to create a bootable USB stick, clean all partitions on it, create a single primary partition, make it active, format it and copy the install DVD files into it. Do all that on Windows Server 2008 to make sure you have the right bootcode after you format (or else you'll have to play around with the bootsect.exe tool to fix it). For Windows Server 2008, you will need about 2.5 GB of space on that USB device (that means you'll likely use at least a 4GB stick).

I found a good reference on how to create a bootable USB device (including the commands for DISKPART) at:
http://blogs.technet.com/jamesone/archive/2006/12/31/bootable-usb-keys.aspx

The other part of it is having the right tools to get the install to start automatically. You will need to work with SYSPREP, IMAGEX and WINPE to create an image with all the the required drivers (if they are not in-box drivers) and get the right setup running with an unattend file. The tools and procedures are included in the Microsoft Deployment Toolkit (MDT), which you can download from
http://www.microsoft.com/downloads/details.aspx?familyid=3bd8561f-77ac-4400-a0c1-fe871c461a89

Another item that can help with the configuration of that box is the Emergency Management Services (EMS), which allows you to interact with a server via its serial interface (mostly likely USB, since most new systems no longer have a classic RS232 interface). Details on EMS at:
http://download.microsoft.com/download/1/6/1/161ba512-40e2-4cc9-843a-923143f3456c/EMS.doc

↧

The Basics of the Windows Server 2008 Distributed File System (DFS)

March 10, 2009, 11:10 pm

≫ Next: New White Paper on Hyper-V and SQL Server Consolidation at Microsoft

≪ Previous: Installing Windows Server 2008 on a headless server from a USB disk

Overview

In this blog post, we’ll cover the basics of the Distributed File System (DFS) in Windows Server 2008, which offers users simplified access to a set of file shares and helps administrators easily maintain the file server infrastructure behind those file shares, including options for load sharing, replication and site awareness.

Many File Servers and File Shares

It’s a common scenario. Over time, a company ends up with a large number of file servers that were created at different times and by different teams. The users are left to figure out where their files are stored, mapping many drives to file shares and learning complex UNC paths like \\server23\ffiles and \\finance.asia.company.com\spreadsheets and even something like \\10.1.23.45\scratch. To complicate things further, when an old file server is replaced, paths are broken and mapped drives stop working. It can be challenging.

You also probably heard the proposition to invest in a complex project to consolidate everything into a large file server or NAS appliance. While those projects will solve the problem for a while, you will need to spend a lot of resources to move the data around and fix users’ mapped drives and paths. All that to have that new server eventually become too small and need replacing again. Or you will need many of those larger servers, starting the cycle over.

It turns out it doesn’t have to be that way. Windows Server already provides a way to manage a large set of file shares as a consolidated list, under common namespaces. From your users’ perspective, each namespace looks like a single file share with many folders. From an administrators’ perspective, you can easily add more file servers or consolidate existing file servers without complex “forklift” migrations. And those are just a few of the benefits of DFS.

Adding the DFS Services

DFS Services are available on all currently supported versions of Windows Server, but there are significant improvements in the Windows Server 2008 editions. The DFS namespace client is available for all currently supported versions of Windows, both client and server. Domain-based DFS namespaces require the use of Active Directory.

To add the DFS Services to Windows Server 2008, you will use the Server Manager tool. First, you need to expand the "Roles" item on the tree to make sure that the File Service role is installed. Then you will right-click on "File Services" and click on option to "Add Role Services". That's where you you will find the option to add DFS:

DFS00

Another way to add the DFS Services is using the ServerManagerCmd.EXE command line tool. You can also use ServerManagerCmd to make sure that the right role and role services are installed. Here's a sample command line:

C:\>servermanagercmd -query | find "[FS"
    [X] File Server  [FS-FileServer]
    [X] Distributed File System  [FS-DFS]
        [X] DFS Namespaces  [FS-DFS-Namespace]
        [X] DFS Replication  [FS-DFS-Replication]
    [ ] File Server Resource Manager  [FS-Resource-Manager]
    [X] Services for Network File System  [FS-NFS-Services]
    [ ] Windows Search Service  [FS-Search-Service]
    [ ] Windows Server 2003 File Services  [FS-Win2003-Services]
        [ ] File Replication Service  [FS-Replication]
        [ ] Indexing Service  [FS-Indexing-Service]

C:\>

DFS Namespaces

A DFS namespace is basically a place where you will have links to all your file shares. From an administrator point of view, you should think of it as a folder structure where you keep the list of target file shares. Your users will see it as a single share with many folders and they will have no idea that they are navigating across a set of servers to get to the subfolders and files.

DFS01

When configuring DFS, you have a choice of using a domain-based or a stand-alone namespace. If you already have Active Directory deployed, you should consider using a domain-based namespace. If you’re not using Active Directory, your only choice is a stand-alone one.

The main advantage of the domain-based namespaces is that your configuration will be stored in Active Directory and you won’t have to rely on a single server to provide the namespace information to your clients. The path users refer to uses the name of the domain and it will not need to change because your namespace server name changed (only if you change your domain name). With a stand-alone DFS, that server name becomes part of the main path to the namespace.

There are also two domain-based DFS modes: Windows Server 2008 mode and Windows Server 2000 mode. Windows Server 2008 mode (which requires Windows Server 2003 forest functional level, Windows Server 2008 domain functional level and Windows Server 2008 running on all namespace servers) includes support for more than 5,000 folders with targets per namespace and access-based enumeration.

Creating a Namespace

After you install the service, your next step is to create the namespace. Here’s are the steps to create a domain-based namespace:

Start “DFS Management” from the “Administrative Tools”. On the tree on the left side, click on “Namespaces”.

DFS02

Click on “New Namespace…” action on the panel on the right to start the “New Namespace Wizard”.

DFS03

Enter the name of the namespace server and click “Next”.

DFS04

Enter the name of the namespace and click “Next”.

DFS06

Select the type of Namespace and click “Next”. In my case, I’m using a domain-based namespace with 2008 mode enabled. On the review screen, click “Create” and then click “Close” when it’s done. You will end up with a brand new namespace with no folders:

DFS06

Note: DFS-N “namespaces” are also sometimes called “namespace roots” or simply “roots”. This naming convention was used in older versions of DFS-N and you will also see it in the command-line tools.

Adding Folders to the Namespace

After your create the namespace, you will add folders to it, specifying the associated folder target. This means pointing to the actual file shares, making each one appear to users as a folder under the namespace. Before you do that, you want to think long and hard about the folder structure you’re creating. A basic goal of DFS is to create a stable infrastructure that will not constantly change on your users.

To start, click on the “New Folder…” action on the panel on the right. In the example below, I will enter the name of the folder which as “Finance”. I will also enter one associated folder target, which will be “\\JOSEBDA-N2\FinanceDocs” (this share was configured beforehand). Here are the results right before I click “OK” to create the new folder:

DFS07

Finally, here’s the end result in the “DFS Management” window:

DFS09

I could also have folders with no targets (just to create a hierarchy in the namespace) or folders with multiple folder targets.

Note: DFS-N “folders” are also sometimes called “links”. DFS-N “folder targets” and also sometimes called “link targets”. These naming conventions were used in older versions of DFS-N and you will also see it in the command-line tools.

Multiple Targets

It’s useful to have multiple copies of the same data stored in different file servers. One reason for that is fault-tolerance (if one server is unavailable, you can still access the other one). The other reason is to choose the copy of the data that is closer to you. If you’re in a branch office and you want to access a very large file, you would rather get a copy from a server in that branch.

It’s actually quite simple to add more folder targets to an existing folder or create the folder with multiple targets initially. All you have to do is make sure that you provide the multiple targets for the same folder in that namespace when you configure it.

DFS09

If you’re using domain-based DFS, the clients will be directed to the target that is closest to them. If there is no target nearby, the clients will be pointed to a remote one. This is similar to what happens when clients are looking for a domain controller. DFS uses the site information in Active Directory to determine which server works best.

Having multiple file servers serving the same data is also useful for maintenance. If you need to apply a security update or add some memory to the server, you can count on the fact that there is at least another server out there that can service client requests while that specific server is down.

DFS Replication

At this point, you’re probably thinking: How does the data get copied across multiple servers?

Well, Windows Server includes a component to replicate data between file servers in case you need that. It’s called DFS-R (Distributed File System Replication). DFS-R was introduced with Windows Server 2003 R2 (replacing the old NTFRS with many advantages). DFS-R can be used for both domain-based and stand-alone DFS.

To replicate files between two (or more) shares, you need to create a replication group and specify a few things like which servers will replicate (members) and what they will replicate (replicated folders). DFS-R is aware of site topology. It also has options to control scheduling and the use of bandwidth (throttling). DFS-R uses Remote Differential Compression (RDC), meaning that only changes in the files are sent over the network, not the entire file.

DFS18

There are specific changes in Windows Server 2008 DFS-R, including improved performance, better network bandwidth utilization, quicker recovery from unexpected shutdowns and support for Read-Only Domain Controllers.

Configuring Replication

When you create multiple folder targets for a folder, the DFS Management tool will offer you to automatically setup the replication group:

DFS10

Assuming you have installed the DFS-R role service on both servers, it will go ahead and setup replication for you. It’s done via the “Replicate Folder Wizard”.

To start, it will ask you the replication group name and the replicated folder name:

DFS11

It will then verify if the server working as folder targets for that DFS folder can be a replication member. Our two servers are eligible:

DFS12

Next, you need to select one of the servers as the primary member. This should be the server that contains the files you want to replicate and will be the authoritative server during the initial replication:

DFS14

You will also need to select a topology. This is important if you have a larger number of servers and need to control how they replicate. For instance, if you have a central server in HQ and several branch servers, you can make sure the branch servers do not try to replicate with each other directly, but always replicate only with the HQ servers. In our case, with only two servers, "Full Mesh" will do:

DFS14

Finally, you need to select the bandwidth and schedule. This will allow you do restrict the amount of bandwidth that DFS-R can use and also specify specific times during the day when replication is allowed. In this case, I will keep it simple, replicating at all hours and using the full bandwidth.

DFS15

After the review screen, the wizard will set up replication for you. Here’s the end result:

DFS16

DFS Tools

As you saw, the most common administration activities related to DFS-N and DFS-R can be performed using the “DFS Management” MMC. This tool will show up under “Administrative Tools” after you add the DFS role service in Server Manager.

You can also add just the MMC for remote management of a DFS namespace server from a server that does not have the actual DFS Services installed. You will find that option in Server Manager, under Add Feature, Remote Server Administration Tools (RSAT), Role Administration Tools, File Services Tools.

DFS17

Another way to manage DFS-N is to use DFSUTIL.EXE, which is a command line tool. There are plenty of options and you can automate pretty much any DFS-related activity, from creating a namespace to adding folders to exporting the entire configuration to troubleshooting. DFSUTIL.EXE is an in-box tool in Windows Server 2008. Here’s a sample screen for DFSUTIL:

C:\>dfsutil

DESCRIPTION:
Manages DFS Namespaces, servers and clients.

NOTES:
* Use the Dfsutil /oldcli command to use of the original Dfsutil syntax.
* Use the /? parameter after any command to display help for the command.
* Dfsutil commands use the original Distributed File System terminology,
  with updated DFS Namespaces terminology provided as explanation for most
  commands.
* If you specify at the end of a command an object (such as a namespace server)
  about which you want information, most commands will display the information
  without requiring further parameters or commands. For example, when using the
  Dfsutil Root command, you can append a namespace root to the command to view
  information about the root.

EXAMPLES:
Dfsutil Root
Dfsutil /oldcli
Dfsutil /?

------ Commands Supported ------
Root                  Displays,creates,removes,imports,exports namespace roots.
Link                  Displays, creates, removes, or moves folders (links).
Target                Displays,creates,modifies folder targets (link targets).
Property              Displays or modifies a folder target or namespace server.
Client                Displays or modifies client information or registry keys.
Server                Displays or modifies namespace configuration on the server.
Diag                  Perform diagnostics or view dfsdirs/dfspath.
Domain                Displays all domain-based namespaces in a domain.
Cache                 Displays or flushes the client cache.

C:\>

Note: DFSCMD is an older version of the DFS-N command-line tool. You should use DFSUTIL instead.

For DFS-R, the command line tool is DFSRADMIN.EXE. Here’s a sample screen:

C:\>dfsradmin

=== Supported Objects ===
You can perform actions on the following objects:
Bulk          Perform several actions by using a single input file
Conn          Perform actions on connections between members of a replication group
Health        Generate a health report for one or more members of a
              replication group
Mem           Perform actions on a member of a replication group
Membership    Perform actions related to a member's participation in a
              replicated folder
PropRep       Generate propagation report for one or more propagation test files
PropTest      Generate and drop a propagation test file on a membership,
              used for testing replication
RF            Perform actions on a folder that is replicated between members
              of a replication group
RG            Perform actions on a group of computers that participates in
              replication
Sub           Perform actions related to a member's subscription in
              replication groups

Type "DfsrAdmin <Object> /?" for detailed help.
Usage: DfsrAdmin <Object> <Action> [<SubObject>] [<SubAction>]
       </Parameter:Value> ... [</Optional-Parameter:Value> ...]
       [/Domain:<value>] [/DC:<value>] [/CSV] [/Force]

=== Optional Parameters Supported For All Commands ===
/Domain: Specify the domain for the replication group
/DC:     Specify the domain controller to connect to in the replication
         group's domain
/Force:  Specify that a failed operation is skipped when an action causes a
         series of operations to be performed

=== Optional Parameter Supported For All List Commands ===
/CSV:    Dumps the list output in CSV format

C:\>

Conclusion

I hope this provided you a good overview of DFS. There’s a lot more to talk about, as you probably guessed. One could write an entire book on this. If you like what you read so far, I suggest you start working with it on a test environment and look at the links below for additional information. You users will thank you…

Links

TechNet on DFS
http://technet.microsoft.com/en-us/library/cc753479.aspx

DFS Step-by-Step Guide for Windows Server 2008
http://technet.microsoft.com/en-us/library/cc732863.aspx

DFSUTIL overview
http://technet.microsoft.com/en-us/library/cc782897.aspx

DFS Step-by-Step Guide for Windows Server 2003 R2
http://technet.microsoft.com/en-us/library/cc737358.aspx

DFS FAQ (from Windows Server 2003 R2)
http://www.microsoft.com/windowsserver2003/techinfo/overview/dfsfaq.mspx

↧

New White Paper on Hyper-V and SQL Server Consolidation at Microsoft

March 11, 2009, 5:43 pm

≫ Next: Understanding Windows Server 2008 DFS-N by analyzing network traces

≪ Previous: The Basics of the Windows Server 2008 Distributed File System (DFS)

A new white paper on how Microsoft IT is combining Hyper-V and SQL Server has just been published. This comes from a team that provides thousands of SQL Server instances for internal applications. It includes a lot of interesting new information, including results of specific tests they performed to evaluate their options. This is something that I first saw on an internal-only presentation a few weeks back and I'm glad they posted it publicly.

Here's are the topics covered in this 26-page white paper:

Executive Overview
Introduction
Considerations for Consolidation and Virtualization

Identification of Underutilized Servers
Server temperature
Consolidation Approaches
Virtualization Platform: WSRM vs. Hyper-V

Implementation of the SQL Utility

Service Offerings
Identification of Candidates for Migration

Attributes of System Quality

Availability and Business Continuity
Environmental Sustainability
Manageability
Performance
Predictability and Repeatability
Reliability
Scalability
Security
Monitoring
Supportability

Conclusion

It also includes lots of interesting diagrams, including details on their specific hardward configuration. While not evident on the outline above, the white paper compares the options to use multiple instances of SQL without Hyper-V with having multiple virtual machines with single instances of SQL Server. Not only it looks at the different pros and cons, but also provides interesting performance information.

Download the white paper from http://technet.microsoft.com/en-us/library/dd557540.aspx

↧

Understanding Windows Server 2008 DFS-N by analyzing network traces

April 15, 2009, 11:00 pm

≫ Next: Using the Windows Server 2008 DFSUTIL.EXE command line to manage DFS-Namespaces

≪ Previous: New White Paper on Hyper-V and SQL Server Consolidation at Microsoft

1 – Overview

This blog post details the behavior of Windows Server 2008 DFS-N (Distributed File System - Namespaces) clients by looking at network traces.
The main goal here is to show the interaction between a DFS-N client, a domain controller, a namespace server and a file server.
These traces were taken using Network Monitor 3.3 beta from a set of isolated computers in a domain.
To understand this post, you need some familiarity with common protocols like ARP, ICMP, TCP and DNS.
At least a basic understanding of some more sophisticated protocols like SMB and Kerberos are also helpful.

2 – The environment

There are 4 computers in this environment, as described below.
# Name FQDN IP Role Details
1 DC DC.josebda.local 10.1.1.1 DNS, Domain Controller DNS Server for zone josebda.local
Only DC for josebda.local domain
2 NS NS.josebda.local 10.1.1.2 File Server, DFS Namespace Server Hosts namespace \\josebda\NS1
Includes a folder \\josebda\NS1\Folder1
Target for that folder is \\fs.josebda.local\Share1
3 FS FS.josebda.local 10.1.1.3 File Server Hosts the share \\fs.josebda.local\Share1
4 CL CL.josebda.local 10.1.1.4 Client Where the command lines are run
Running Network Monitor
All computers in this setup are running Windows Server 2008 Enterprise Edition (with Service Pack 2 RC).
All command lines and traces are from the point of view of the client (CL.josebda.local or 10.1.1.4).

3 – Cleaning up the caches

In order to clean all the related caches before each trace, I used a series of command on the client:
To clear the DFS-N domain cache: DFSUTIL cache domain flush
To clean the DFS-N referral cache: DFSUTIL cache referral flush
To clear the cached Kerberos tickets: KLIST purge
To clear the DNS cache: IPCONFIG /flushdns
To clear the ARP cache: ARP –d *
Note that each of the commands clears a different kind of cache.

4 – Warming up with a ping by DNS name

This first trace shows a ping of the file server by the client, using the file server name.
This is a simple one, just to get you started with the format. It uses the ARP, DNS and ICMP protocols.
This involves the client (CL), the DNS server (DC) and the file server (FS).
First, here is the actual command used (in bold) and its output.
C:\Users\administrator>ping fs.josebda.local
Pinging fs.josebda.local [10.1.1.3] with 32 bytes of data:
Reply from 10.1.1.3: bytes=32 time<1ms TTL=128
Reply from 10.1.1.3: bytes=32 time<1ms TTL=128
Reply from 10.1.1.3: bytes=32 time<1ms TTL=128
Reply from 10.1.1.3: bytes=32 time<1ms TTL=128
Ping statistics for 10.1.1.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\Users\administrator>
Next, here is the summary of the NetMon trace with some highlights (in bold) and comments (in italics).
From To Protocol Details
4.1. CL uses ARP to find MAC address for 10.1.1.1, its DNS server
CL DC ARP ARP:Request, 10.1.1.4 asks for 10.1.1.1
DC CL ARP ARP:Response, 10.1.1.1 at 00-15-5D-6C-0D-06
4.2. CL queries DNS for “fs.josebda.local”, gets 10.1.1.3 (DC queries ARP back to CL)
CL DC DNS DNS:QueryId = 0xFDF5, QUERY (Standard query), Query for fs.josebda.local of type Host Addr on class Internet
DC CL ARP ARP:Request, 10.1.1.1 asks for 10.1.1.4
CL DC ARP ARP:Response, 10.1.1.4 at 00-15-5D-6C-0D-03
DC CL DNS DNS:QueryId = 0xFDF5, QUERY (Standard query), Response - Success, 10.1.1.3
4.3. CL uses ARP to find MAC address for 10.1.1.3, the IP for fs.josebda.local
CL FS ARP ARP:Request, 10.1.1.4 asks for 10.1.1.3
FS CL ARP ARP:Response, 10.1.1.3 at 00-15-5D-6C-0D-05
4.4. CL pings 10.1.1.3 four times (first time, FS queries ARP back to CL)
CL FS ICMP ICMP:Echo Request Message, From 10.1.1.4 To 10.1.1.3
FS CL ARP ARP:Request, 10.1.1.3 asks for 10.1.1.4
CL FS ARP ARP:Response, 10.1.1.4 at 00-15-5D-6C-0D-03
FS CL ICMP ICMP:Echo Reply Message, From 10.1.1.3 To 10.1.1.4
CL FS ICMP ICMP:Echo Request Message, From 10.1.1.4 To 10.1.1.3
FS CL ICMP ICMP:Echo Reply Message, From 10.1.1.3 To 10.1.1.4
CL FS ICMP ICMP:Echo Request Message, From 10.1.1.4 To 10.1.1.3
FS CL ICMP ICMP:Echo Reply Message, From 10.1.1.3 To 10.1.1.4
CL FS ICMP ICMP:Echo Request Message, From 10.1.1.4 To 10.1.1.3
FS CL ICMP ICMP:Echo Reply Message, From 10.1.1.3 To 10.1.1.4
Last, here is a sample NetMon screenshot. You can see the details of the DNS query response frame:

5 – Querying the file server directly

This trace is more interesting, showing an SMB client enumerating a folder on a file server.
Note that, in this case, we are not actually using a DFS namespace yet.
You will be exposed to a larger set of protocols this time, including SMB and Kerberos.
Now there will be three computers involved: the client (CL), the file server (FS) and the domain controller (DC).
First, here is the actual command used (in bold) and its output.
C:\Users\administrator>dir \\fs.josebda.local\share1
 Volume in drive \\fs.josebda.local\share1 has no label.
 Volume Serial Number is 68CD-6098
Directory of \\fs.josebda.local\share1
04/10/2009  10:06 PM    <DIR>          .
04/10/2009  10:06 PM    <DIR>          ..
04/10/2009  10:06 PM                15 File1.txt
               1 File(s)             15 bytes
               2 Dir(s)  11,459,997,696 bytes free
C:\Users\administrator>
Next, here is the summary of the NetMon trace with some highlights (in bold) and comments (in italics).
From To Protocol Details
5.1. CL uses ARP to find MAC address for 10.1.1.1, its DNS server
CL DC ARP ARP:Request, 10.1.1.4 asks for 10.1.1.1
DC CL ARP ARP:Response, 10.1.1.1 at 00-15-5D-6C-0D-06
5.2. CL queries DNS for “fs.josebda.local”, gets 10.1.1.3
CL DC DNS DNS:QueryId = 0x5667, QUERY (Standard query), Query for fs.josebda.local of type Host Addr on class Internet
DC CL DNS DNS:QueryId = 0x5667, QUERY (Standard query), Response - Success, 10.1.1.3
5.3. CL uses ARP to find MAC address for 10.1.1.3, the IP for fs.josebda.local
CL FS ARP ARP:Request, 10.1.1.4 asks for 10.1.1.3
FS CL ARP ARP:Response, 10.1.1.3 at 00-15-5D-6C-0D-05
5.4. CL negotiates a TCP session with FS on port 445 (SMB)
CL FS TCP TCP:Flags=......S., SrcPort=49257, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=892114495, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
FS CL ARP ARP:Request, 10.1.1.3 asks for 10.1.1.4
CL FS ARP ARP:Response, 10.1.1.4 at 00-15-5D-6C-0D-03
FS CL TCP TCP:Flags=...A..S., SrcPort=Microsoft-DS(445), DstPort=49257, PayloadLen=0, Seq=1956516548, Ack=892114496, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL FS TCP TCP:Flags=...A...., SrcPort=49257, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=892114496, Ack=1956516549, Win=513 (scale factor 0x8) = 131328
5.5. CL and FS negotiate an SMB session (note that FS offers SMB2 and CL takes it)
CL FS SMB SMB:C; Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002
FS CL SMB2 SMB2:R NEGOTIATE (0x0), GUID={8E4F0109-0E04-FD9C-434A-05881428984C}, Mid = 0
5.6. CL talks to the DC on port (88) to get a set of Kerberos tickets. First, the client Authentication for the domain.
CL DC TCP TCP:Flags=......S., SrcPort=49258, DstPort=Kerberos(88), PayloadLen=0, Seq=1788451346, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49258, PayloadLen=0, Seq=4134793418, Ack=1788451347, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL DC TCP TCP:Flags=...A...., SrcPort=49258, DstPort=Kerberos(88), PayloadLen=0, Seq=1788451347, Ack=4134793419, Win=513 (scale factor 0x8) = 131328
CL DC KerberosV5 KerberosV5:AS Request Cname: administrator Realm: JOSEBDA.LOCAL Sname: krbtgt/JOSEBDA.LOCAL
DC CL KerberosV5 KerberosV5:AS Response Ticket[Realm: JOSEBDA.LOCAL, Sname: krbtgt/JOSEBDA.LOCAL]
DC CL TCP TCP:[Continuation]Flags=...AP..., SrcPort=Kerberos(88), DstPort=49258, PayloadLen=51, Seq=4134794879 - 4134794930, Ack=1788451665, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...., SrcPort=49258, DstPort=Kerberos(88), PayloadLen=0, Seq=1788451665, Ack=4134794930, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...F, SrcPort=49258, DstPort=Kerberos(88), PayloadLen=0, Seq=1788451665, Ack=4134794930, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49258, PayloadLen=0, Seq=4134794930, Ack=1788451666, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49258, PayloadLen=0, Seq=4134794930, Ack=1788451666, Win=0 (scale factor 0x8) = 0
5.7. CL requests a Kerberos client service authorization ticket for CL to present to FS.joseba.local for cifs service
CL DC TCP TCP:Flags=......S., SrcPort=49259, DstPort=Kerberos(88), PayloadLen=0, Seq=3552892024, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49259, PayloadLen=0, Seq=1290555248, Ack=3552892025, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL DC TCP TCP:Flags=...A...., SrcPort=49259, DstPort=Kerberos(88), PayloadLen=0, Seq=3552892025, Ack=1290555249, Win=513 (scale factor 0x8) = 131328
CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: cifs/fs.josebda.local
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49259, PayloadLen=0, Seq=1290555249, Ack=3552893597, Win=513 (scale factor 0x8) = 131328
DC CL KerberosV5 KerberosV5:TGS Response Cname: Administrator
DC CL TCP TCP:[Continuation]Flags=...AP..., SrcPort=Kerberos(88), DstPort=49259, PayloadLen=118, Seq=1290556709 - 1290556827, Ack=3552893597, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...., SrcPort=49259, DstPort=Kerberos(88), PayloadLen=0, Seq=3552893597, Ack=1290556827, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...F, SrcPort=49259, DstPort=Kerberos(88), PayloadLen=0, Seq=3552893597, Ack=1290556827, Win=513 (scale factor 0x8) = 131328
5.8. The SMB session is setup (while the last ACKs for the DC are still coming)
CL FS SMB2 SMB2:C SESSION SETUP (0x1), Mid = 1
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49259, PayloadLen=0, Seq=1290556827, Ack=3552893598, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49259, PayloadLen=0, Seq=1290556827, Ack=3552893598, Win=0 (scale factor 0x8) = 0
FS CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49257, PayloadLen=0, Seq=1956516789, Ack=892116277, Win=513 (scale factor 0x8) = 131328
FS CL SMB2 SMB2:R SESSION SETUP (0x1) ,SessionFlags=0x0, Mid = 1
5.9. CL connects to \\fs.josebda.local\IPC$ tree, gets referral for \\fs.josebda.local\share1. Note the code 412, telling us that FS is not a DFS server, just a regular file server.
CL FS SMB2 SMB2:C TREE CONNECT (0x3), Path=\\fs.josebda.local\IPC$, Mid = 2
FS CL SMB2 SMB2:R TREE CONNECT (0x3), TID=0x1, Mid = 2
CL FS DFS DFS:Get DFS Referral Request, FileName: \fs.josebda.local\share1, MaxReferralLevel: 4
FS CL SMB2 SMB2:R , Mid = 3 - NT Status: System - Error, Code = (412) STATUS_FS_DRIVER_REQUIRED
5.10. CL connects to \\fs.josebda.local\share1 tree, get all information required by DIR command (note that SMB CREATE is used as “OPEN”)
CL FS SMB2 SMB2:C TREE CONNECT (0x3), Path=\\fs.josebda.local\share1, Mid = 4
FS CL SMB2 SMB2:R TREE CONNECT (0x3), TID=0x5, Mid = 4
CL FS SMB2 SMB2:C CREATE (0x5), Context=DHnQ, Context=MxAc, Context=QFid, Mid = 5
FS CL SMB2 SMB2:R CREATE (0x5), Context=MxAc, Context=QFid, FID=0xFFFFFFFF00000001, Mid = 5
CL FS SMB2 SMB2:C QUERY INFORMATION (0x10), FID=0xFFFFFFFF00000001, InformationClass=Query FS Volume Info, FID=0xFFFFFFFF00000001, Mid = 6
FS CL SMB2 SMB2:R QUERY INFORMATION (0x10), Mid = 6
CL FS SMB2 SMB2:C CREATE (0x5), Context=DHnQ, Context=MxAc, Context=QFid, Mid = 8
FS CL SMB2 SMB2:R CREATE (0x5), Context=MxAc, Context=QFid, FID=0xFFFFFFFF00000005, Mid = 8
CL FS SMB2 SMB2:C CLOSE (0x6), FID=0xFFFFFFFF00000001, Mid = 11
FS CL SMB2 SMB2:R CLOSE (0x6), Mid = 11
CL FS SMB2 SMB2:C QUERY INFORMATION (0x10), FID=0xFFFFFFFF00000005, InformationClass=Query FS Full Size Info, FID=0xFFFFFFFF00000005, Mid = 12
FS CL SMB2 SMB2:R QUERY INFORMATION (0x10), Mid = 12
5.11. CL disconnects from both trees, logs off SMB2, closes the TCP session with FS
CL FS TCP TCP:Flags=...A...., SrcPort=49257, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=892117764, Ack=1956518678, Win=512 (scale factor 0x8) = 131072
CL FS SMB2 SMB2:C TREE DISCONNECT (0x4), TID=0x1, Mid = 13
FS CL SMB2 SMB2:R TREE DISCONNECT (0x4), Mid = 13
CL FS SMB2 SMB2:C TREE DISCONNECT (0x4), TID=0x5, Mid = 14
FS CL SMB2 SMB2:R TREE DISCONNECT (0x4), Mid = 14
CL FS SMB2 SMB2:C LOGOFF (0x2), Mid = 15
FS CL SMB2 SMB2:R LOGOFF (0x2), Mid = 15
CL FS TCP TCP:Flags=...A...F, SrcPort=49257, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=892117980, Ack=1956518894, Win=511 (scale factor 0x8) = 130816
FS CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49257, PayloadLen=0, Seq=1956518894, Ack=892117981, Win=512 (scale factor 0x8) = 131072
CL FS TCP TCP:[Segment Lost]Flags=...A.R.., SrcPort=49257, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=892117981, Ack=1956518894, Win=0 (scale factor 0x8) = 0
FS CL TCP TCP:Flags=...A.R.., SrcPort=Microsoft-DS(445), DstPort=49257, PayloadLen=0, Seq=1956518894, Ack=892117981, Win=0

6 – Querying only the DFS namespace

This trace now uses a DFS namespace.
In this case, we’re querying just the namespace itself, not following any links in the namespace.
Now we are working with the client (CL), the domain controller (DC) and the namespace server (NS).
First, here is the actual command used (in bold) and its output.
C:\Users\administrator>dir \\josebda.local\ns1
 Volume in drive \\josebda.local\ns1 has no label.
 Volume Serial Number is 34A5-C4AB
 Directory of \\josebda.local\ns1
04/10/2009  10:08 PM    <DIR>          .
04/10/2009  10:08 PM    <DIR>          ..
04/10/2009  10:08 PM    <DIR>          Folder1
               0 File(s)              0 bytes
               3 Dir(s)  11,448,500,224 bytes free
 
C:\Users\administrator>
Next, here is the summary of the NetMon trace with some highlights (in bold) and comments (in italics).
From To Protocol Details
6.1. CL uses ARP to find MAC address for 10.1.1.1, its DNS server
CL DC ARP ARP:Request, 10.1.1.4 asks for 10.1.1.1
DC CL ARP ARP:Response, 10.1.1.1 at 00-15-5D-6C-0D-06
6.2. CL queries DNS for “dc.josebda.local”, gets 10.1.1.1
CL DC DNS DNS:QueryId = 0x7447, QUERY (Standard query), Query for DC.josebda.local of type Host Addr on class Internet
DC CL DNS DNS:QueryId = 0x7447, QUERY (Standard query), Response - Success, 10.1.1.1
6.3. CL negotiates a TCP session with DC on port 445 (SMB)
CL DC TCP TCP:Flags=......S., SrcPort=49267, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1570594720, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=...A..S., SrcPort=Microsoft-DS(445), DstPort=49267, PayloadLen=0, Seq=1429848417, Ack=1570594721, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL DC TCP TCP:Flags=...A...., SrcPort=49267, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1570594721, Ack=1429848418, Win=513 (scale factor 0x8) = 131328
6.4. CL and DC negotiate an SMB session (note that DC offers SMB2 and CL takes it)
CL DC SMB SMB:C; Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002
DC CL SMB2 SMB2:R NEGOTIATE (0x0), GUID={83C66016-F309-B5A1-42A3-3B37BF0AE071}, Mid = 0
6.5. CL talks to the DC on port (88) to get a set of Kerberos tickets. First, the client Authentication for the domain.
CL DC TCP TCP:Flags=......S., SrcPort=49268, DstPort=Kerberos(88), PayloadLen=0, Seq=1221627845, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49268, PayloadLen=0, Seq=4225518474, Ack=1221627846, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL DC TCP TCP:Flags=...A...., SrcPort=49268, DstPort=Kerberos(88), PayloadLen=0, Seq=1221627846, Ack=4225518475, Win=513 (scale factor 0x8) = 131328
CL DC KerberosV5 KerberosV5:AS Request Cname: administrator Realm: JOSEBDA.LOCAL Sname: krbtgt/JOSEBDA.LOCAL
DC CL KerberosV5 KerberosV5:AS Response Ticket[Realm: JOSEBDA.LOCAL, Sname: krbtgt/JOSEBDA.LOCAL]
DC CL TCP TCP:[Continuation]Flags=...AP..., SrcPort=Kerberos(88), DstPort=49268, PayloadLen=51, Seq=4225519935 - 4225519986, Ack=1221628164, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...., SrcPort=49268, DstPort=Kerberos(88), PayloadLen=0, Seq=1221628164, Ack=4225519986, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...F, SrcPort=49268, DstPort=Kerberos(88), PayloadLen=0, Seq=1221628164, Ack=4225519986, Win=513 (scale factor 0x8) = 131328
6.6. CL requests a Kerberos service authorization ticket to present to DC.joseba.local for cifs service
CL DC TCP TCP:Flags=......S., SrcPort=49269, DstPort=Kerberos(88), PayloadLen=0, Seq=4290068782, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49269, PayloadLen=0, Seq=3286883192, Ack=4290068783, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49268, PayloadLen=0, Seq=4225519986, Ack=1221628165, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49268, PayloadLen=0, Seq=4225519986, Ack=1221628165, Win=0 (scale factor 0x8) = 0
CL DC TCP TCP:Flags=...A...., SrcPort=49269, DstPort=Kerberos(88), PayloadLen=0, Seq=4290068783, Ack=3286883193, Win=513 (scale factor 0x8) = 131328
CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: cifs/DC.josebda.local
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49269, PayloadLen=0, Seq=3286883193, Ack=4290070355, Win=513 (scale factor 0x8) = 131328
DC CL KerberosV5 KerberosV5:TGS Response Cname: Administrator
DC CL TCP TCP:[Continuation]Flags=...AP..., SrcPort=Kerberos(88), DstPort=49269, PayloadLen=118, Seq=3286884653 - 3286884771, Ack=4290070355, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...., SrcPort=49269, DstPort=Kerberos(88), PayloadLen=0, Seq=4290070355, Ack=3286884771, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...F, SrcPort=49269, DstPort=Kerberos(88), PayloadLen=0, Seq=4290070355, Ack=3286884771, Win=513 (scale factor 0x8) = 131328
6.7. CL asks DC for another Kerberos ticket
CL DC TCP TCP:Flags=......S., SrcPort=49270, DstPort=Kerberos(88), PayloadLen=0, Seq=341990730, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49270, PayloadLen=0, Seq=2502819863, Ack=341990731, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49269, PayloadLen=0, Seq=3286884771, Ack=4290070356, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49269, PayloadLen=0, Seq=3286884771, Ack=4290070356, Win=0 (scale factor 0x8) = 0
CL DC TCP TCP:Flags=...A...., SrcPort=49270, DstPort=Kerberos(88), PayloadLen=0, Seq=341990731, Ack=2502819864, Win=513 (scale factor 0x8) = 131328
CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: krbtgt/JOSEBDA.LOCAL
DC CL KerberosV5 KerberosV5:TGS Response Cname: Administrator
CL DC TCP TCP:Flags=...A...F, SrcPort=49270, DstPort=Kerberos(88), PayloadLen=0, Seq=341992176, Ack=2502821322, Win=507 (scale factor 0x8) = 129792
6.8. SMB session with DC is setup. (while the last ACKs for the DC are still coming)
CL DC SMB2 SMB2:C SESSION SETUP (0x1), Mid = 1
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49270, PayloadLen=0, Seq=2502821322, Ack=341992177, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49267, PayloadLen=0, Seq=1429848658, Ack=1570597908, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49270, PayloadLen=0, Seq=2502821322, Ack=341992177, Win=0 (scale factor 0x8) = 0
DC CL SMB2 SMB2:R SESSION SETUP (0x1) ,SessionFlags=0x0, Mid = 1
6.9. CL connects to tree \\dc.josebda.local\IPC$, asks DFS for a referral for “josebda.local”, then “\josebda.local\ns1”
CL DC SMB2 SMB2:C TREE CONNECT (0x3), Path=\\DC.josebda.local\IPC$, Mid = 2
DC CL SMB2 SMB2:R TREE CONNECT (0x3), TID=0x1, Mid = 2
CL DC DFS DFS:Get DFS Referral Request, FileName: josebda.local, MaxReferralLevel: 3
DC CL DFS DFS:Get DFS Referral Response, NumberOfReferrals: 1 VersionNumber: 3
CL DC DFS DFS:Get DFS Referral Request, FileName: \josebda.local\ns1, MaxReferralLevel: 4
DC CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49267, PayloadLen=0, Seq=1429849264, Ack=1570598348, Win=511 (scale factor 0x8) = 130816
DC CL DFS DFS:Get DFS Referral Response, NumberOfReferrals: 1 VersionNumber: 4
6.10. CL now knows that it needs to talk to “ns.josebda.local”. Queries DNS to find it’s “10.1.1.2”, then ARP
CL DC DNS DNS:QueryId = 0xC0C7, QUERY (Standard query), Query for NS.josebda.local of type Host Addr on class Internet
DC CL DNS DNS:QueryId = 0xC0C7, QUERY (Standard query), Response - Success, 10.1.1.2
CL NS ARP ARP:Request, 10.1.1.4 asks for 10.1.1.2
NS CL ARP ARP:Response, 10.1.1.2 at 00-15-5D-6C-0D-04
6.11. CL negotiates a TCP session with NS on port 445 (SMB)
CL NS TCP TCP:Flags=......S., SrcPort=49271, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=869345207, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
NS CL TCP TCP:Flags=...A..S., SrcPort=Microsoft-DS(445), DstPort=49271, PayloadLen=0, Seq=42140879, Ack=869345208, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL NS TCP TCP:Flags=...A...., SrcPort=49271, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=869345208, Ack=42140880, Win=513 (scale factor 0x8) = 131328
6.12. CL negotiates an SMB session with DC (selects SMB2 dialect)
CL NS SMB SMB:C; Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002
NS CL SMB2 SMB2:R NEGOTIATE (0x0), GUID={9832F94A-1CD3-61B4-40A3-F01305CCDB7E}, Mid = 0
6.13. CL requests a Kerberos service authorization ticket to present to NS.joseba.local for cifs service
CL DC TCP TCP:Flags=......S., SrcPort=49272, DstPort=Kerberos(88), PayloadLen=0, Seq=1328527949, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49272, PayloadLen=0, Seq=1914299011, Ack=1328527950, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL DC TCP TCP:Flags=...A...., SrcPort=49272, DstPort=Kerberos(88), PayloadLen=0, Seq=1328527950, Ack=1914299012, Win=513 (scale factor 0x8) = 131328
CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: cifs/NS.josebda.local
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49272, PayloadLen=0, Seq=1914299012, Ack=1328529522, Win=513 (scale factor 0x8) = 131328
DC CL KerberosV5 KerberosV5:TGS Response Cname: Administrator
DC CL TCP TCP:[Continuation]Flags=...AP..., SrcPort=Kerberos(88), DstPort=49272, PayloadLen=118, Seq=1914300472 - 1914300590, Ack=1328529522, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...., SrcPort=49272, DstPort=Kerberos(88), PayloadLen=0, Seq=1328529522, Ack=1914300590, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...F, SrcPort=49272, DstPort=Kerberos(88), PayloadLen=0, Seq=1328529522, Ack=1914300590, Win=513 (scale factor 0x8) = 131328
6.14. SMB session with NS is setup. (while the last ACKs for the DC are still coming)
CL NS SMB2 SMB2:C SESSION SETUP (0x1), Mid = 1
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49272, PayloadLen=0, Seq=1914300590, Ack=1328529523, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49272, PayloadLen=0, Seq=1914300590, Ack=1328529523, Win=0 (scale factor 0x8) = 0
NS CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49271, PayloadLen=0, Seq=42141120, Ack=869346989, Win=513 (scale factor 0x8) = 131328
NS CL SMB2 SMB2:R SESSION SETUP (0x1) ,SessionFlags=0x0, Mid = 1
6.15. CL connects to tree \\ns\NS1, opens the \NS\ns1 namespace and links, queries information (note that SMB2 CREATE is also used as “OPEN”)
CL NS SMB2 SMB2:C TREE CONNECT (0x3), Path=\\NS\NS1, Mid = 2
NS CL SMB2 SMB2:R TREE CONNECT (0x3), TID=0x1, Mid = 2
CL NS SMB2 SMB2:C CREATE (0x5), Name=josebda.local\ns1@#380, Context=DHnQ, Context=MxAc, Context=QFid, Mid = 3
NS CL SMB2 SMB2:R CREATE (0x5), Context=MxAc, Context=QFid, FID=0xFFFFFFFF00000001, Mid = 3
CL NS SMB2 SMB2:C QUERY INFORMATION (0x10), FID=0xFFFFFFFF00000001, InformationClass=Query FS Volume Info, FID=0xFFFFFFFF00000001, Mid = 4
NS CL SMB2 SMB2:R QUERY INFORMATION (0x10), Mid = 4
CL NS SMB2 SMB2:C CLOSE (0x6), FID=0xFFFFFFFF00000001, Mid = 6
NS CL SMB2 SMB2:R CLOSE (0x6), Mid = 6
CL NS SMB2 SMB2:C CREATE (0x5), Name=josebda.local\ns1@#386, Context=DHnQ, Context=MxAc, Context=QFid, Mid = 7
NS CL SMB2 SMB2:R CREATE (0x5), Context=MxAc, Context=QFid, FID=0xFFFFFFFF00000005, Mid = 7
CL NS SMB2 SMB2:C CLOSE (0x6), FID=0xFFFFFFFF00000005, Mid = 10
NS CL SMB2 SMB2:R CLOSE (0x6), Mid = 10
CL NS SMB2 SMB2:C CREATE (0x5), Name=josebda.local\ns1@#390, Context=DHnQ, Context=MxAc, Context=QFid, Mid = 11
NS CL SMB2 SMB2:R CREATE (0x5), Context=MxAc, Context=QFid, FID=0xFFFFFFFF00000009, Mid = 11
CL NS SMB2 SMB2:C CLOSE (0x6), FID=0xFFFFFFFF00000009, Mid = 13
NS CL SMB2 SMB2:R CLOSE (0x6), Mid = 13
6.16. CL disconnects from trees, logs off SMB2 and closes TCP sessions with DC, NS
CL DC TCP TCP:Flags=...A...., SrcPort=49267, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1570598348, Ack=1429849514, Win=509 (scale factor 0x8) = 130304
CL NS TCP TCP:Flags=...A...., SrcPort=49271, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=869348640, Ack=42143344, Win=510 (scale factor 0x8) = 130560
CL DC SMB2 SMB2:C TREE DISCONNECT (0x4), TID=0x1, Mid = 5
DC CL SMB2 SMB2:R TREE DISCONNECT (0x4), Mid = 5
CL DC SMB2 SMB2:C LOGOFF (0x2), Mid = 6
DC CL SMB2 SMB2:R LOGOFF (0x2), Mid = 6
CL NS SMB2 SMB2:C TREE DISCONNECT (0x4), TID=0x1, Mid = 14
CL DC TCP TCP:Flags=...A...F, SrcPort=49267, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1570598492, Ack=1429849658, Win=508 (scale factor 0x8) = 130048
NS CL SMB2 SMB2:R TREE DISCONNECT (0x4), Mid = 14
DC CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49267, PayloadLen=0, Seq=1429849658, Ack=1570598493, Win=511 (scale factor 0x8) = 130816
CL NS SMB2 SMB2:C LOGOFF (0x2), Mid = 15
CL DC TCP TCP:[Segment Lost]Flags=...A.R.., SrcPort=49267, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1570598493, Ack=1429849658, Win=0 (scale factor 0x8) = 0
DC CL TCP TCP:Flags=...A.R.., SrcPort=Microsoft-DS(445), DstPort=49267, PayloadLen=0, Seq=1429849658, Ack=1570598493, Win=0
NS CL SMB2 SMB2:R LOGOFF (0x2), Mid = 15
CL NS TCP TCP:Flags=...A...F, SrcPort=49271, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=869348784, Ack=42143488, Win=510 (scale factor 0x8) = 130560
NS CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49271, PayloadLen=0, Seq=42143488, Ack=869348785, Win=512 (scale factor 0x8) = 131072
CL NS TCP TCP:[Segment Lost]Flags=...A.R.., SrcPort=49271, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=869348785, Ack=42143488, Win=0 (scale factor 0x8) = 0
Last, here is a sample NetMon screenshot. Here we see the detail of the DFS referral response in (the second one in 6.9), with the frame details showing that josebda.local\ns1 is actually handled by \ns\ns1. See also that the referral has a time-to-live (how much time it should be kept in the cache).

7 – Finally, looking at the file server via the DFS namespace

This is the final and most complex of the traces here. We’re listing details about a file inside a link in a namespace.
This time we’re involving the client (CL), the domain controller (DC), the namespace server (NS) and the file server (FS).
First, here is the actual command used (in bold) and its output.
C:\Users\administrator>dir \\josebda.local\ns1\folder1
 Volume in drive \\josebda.local\ns1 has no label.
 Volume Serial Number is 34A5-C4AB
 
 Directory of \\josebda.local\ns1\folder1
 
04/10/2009  10:06 PM    <DIR>          .
04/10/2009  10:06 PM    <DIR>          ..
04/10/2009  10:06 PM                15 File1.txt
               1 File(s)             15 bytes
               2 Dir(s)  11,459,997,696 bytes free
C:\Users\administrator>
Next, here is the summary of the NetMon trace with some highlights (in bold) and comments (in italics).
From To Protocol Details
7.1. CL uses ARP to find MAC address for 10.1.1.1, its DNS server
CL DC ARP ARP:Request, 10.1.1.4 asks for 10.1.1.1
DC CL ARP ARP:Response, 10.1.1.1 at 00-15-5D-6C-0D-06
7.2. CL queries DNS for “dc.josebda.local”, gets 10.1.1.1
CL DC DNS DNS:QueryId = 0x36AE, QUERY (Standard query), Query for DC.josebda.local of type Host Addr on class Internet
DC CL DNS DNS:QueryId = 0x36AE, QUERY (Standard query), Response - Success, 10.1.1.1
7.3. CL negotiates a TCP session with DC on port 445 (SMB)
CL DC TCP TCP:Flags=......S., SrcPort=49274, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1348427785, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=...A..S., SrcPort=Microsoft-DS(445), DstPort=49274, PayloadLen=0, Seq=806692608, Ack=1348427786, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL DC TCP TCP:Flags=...A...., SrcPort=49274, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1348427786, Ack=806692609, Win=513 (scale factor 0x8) = 131328
7.4. CL and DC negotiate an SMB session (note that DC offers SMB2 and CL takes it)
CL DC SMB SMB:C; Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002
DC CL SMB2 SMB2:R NEGOTIATE (0x0), GUID={83C66016-F309-B5A1-42A3-3B37BF0AE071}, Mid = 0
7.5. CL talks to the DC on port (88) to get a set of Kerberos tickets. First, the client Authentication for the domain
CL DC TCP TCP:Flags=......S., SrcPort=49275, DstPort=Kerberos(88), PayloadLen=0, Seq=2790774373, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49275, PayloadLen=0, Seq=2481525383, Ack=2790774374, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL DC TCP TCP:Flags=...A...., SrcPort=49275, DstPort=Kerberos(88), PayloadLen=0, Seq=2790774374, Ack=2481525384, Win=513 (scale factor 0x8) = 131328
CL DC KerberosV5 KerberosV5:AS Request Cname: administrator Realm: JOSEBDA.LOCAL Sname: krbtgt/JOSEBDA.LOCAL
DC CL KerberosV5 KerberosV5:AS Response Ticket[Realm: JOSEBDA.LOCAL, Sname: krbtgt/JOSEBDA.LOCAL]
DC CL TCP TCP:[Continuation to #451]Flags=...AP..., SrcPort=Kerberos(88), DstPort=49275, PayloadLen=51, Seq=2481526844 - 2481526895, Ack=2790774692, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...., SrcPort=49275, DstPort=Kerberos(88), PayloadLen=0, Seq=2790774692, Ack=2481526895, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...F, SrcPort=49275, DstPort=Kerberos(88), PayloadLen=0, Seq=2790774692, Ack=2481526895, Win=513 (scale factor 0x8) = 131328
7.6. CL requests a Kerberos service authorization ticket to present to DC.joseba.local for cifs service
CL DC TCP TCP:Flags=......S., SrcPort=49276, DstPort=Kerberos(88), PayloadLen=0, Seq=1217473064, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49276, PayloadLen=0, Seq=51552186, Ack=1217473065, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49275, PayloadLen=0, Seq=2481526895, Ack=2790774693, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49275, PayloadLen=0, Seq=2481526895, Ack=2790774693, Win=0 (scale factor 0x8) = 0
CL DC TCP TCP:Flags=...A...., SrcPort=49276, DstPort=Kerberos(88), PayloadLen=0, Seq=1217473065, Ack=51552187, Win=513 (scale factor 0x8) = 131328
CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: cifs/DC.josebda.local
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49276, PayloadLen=0, Seq=51552187, Ack=1217474637, Win=513 (scale factor 0x8) = 131328
DC CL KerberosV5 KerberosV5:TGS Response Cname: Administrator
DC CL TCP TCP:[Continuation to #462]Flags=...AP..., SrcPort=Kerberos(88), DstPort=49276, PayloadLen=118, Seq=51553647 - 51553765, Ack=1217474637, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...., SrcPort=49276, DstPort=Kerberos(88), PayloadLen=0, Seq=1217474637, Ack=51553765, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...F, SrcPort=49276, DstPort=Kerberos(88), PayloadLen=0, Seq=1217474637, Ack=51553765, Win=513 (scale factor 0x8) = 131328
7.7. CL asks DC for another Kerberos ticket
CL DC TCP TCP:Flags=......S., SrcPort=49277, DstPort=Kerberos(88), PayloadLen=0, Seq=2381120000, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49276, PayloadLen=0, Seq=51553765, Ack=1217474638, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49276, PayloadLen=0, Seq=51553765, Ack=1217474638, Win=0 (scale factor 0x8) = 0
DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49277, PayloadLen=0, Seq=1880462364, Ack=2381120001, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL DC TCP TCP:Flags=...A...., SrcPort=49277, DstPort=Kerberos(88), PayloadLen=0, Seq=2381120001, Ack=1880462365, Win=513 (scale factor 0x8) = 131328
CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: krbtgt/JOSEBDA.LOCAL
DC CL KerberosV5 KerberosV5:TGS Response Cname: Administrator
CL DC TCP TCP:Flags=...A...F, SrcPort=49277, DstPort=Kerberos(88), PayloadLen=0, Seq=2381121446, Ack=1880463823, Win=507 (scale factor 0x8) = 129792
7.8. SMB session with DC is setup. (while the last ACKs for the DC are still coming)
CL DC SMB2 SMB2:C SESSION SETUP (0x1), Mid = 1
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49277, PayloadLen=0, Seq=1880463823, Ack=2381121447, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49274, PayloadLen=0, Seq=806692849, Ack=1348430973, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49277, PayloadLen=0, Seq=1880463823, Ack=2381121447, Win=0 (scale factor 0x8) = 0
DC CL SMB2 SMB2:R SESSION SETUP (0x1) ,SessionFlags=0x0, Mid = 1
7.9. CL connects to tree \\dc.josebda.local\IPC$, asks DFS for a referral for “josebda.local”, then “\josebda.local\ns1”
CL DC SMB2 SMB2:C TREE CONNECT (0x3), Path=\\DC.josebda.local\IPC$, Mid = 2
DC CL SMB2 SMB2:R TREE CONNECT (0x3), TID=0x1, Mid = 2
CL DC DFS DFS:Get DFS Referral Request, FileName: josebda.local, MaxReferralLevel: 3
DC CL DFS DFS:Get DFS Referral Response, NumberOfReferrals: 1 VersionNumber: 3
CL DC DFS DFS:Get DFS Referral Request, FileName: \josebda.local\ns1, MaxReferralLevel: 4
DC CL DFS DFS:Get DFS Referral Response, NumberOfReferrals: 1 VersionNumber: 4
7.11. CL now knows that it needs to talk to “ns.josebda.local”. Queries DNS to find it’s “10.1.1.2”, then ARP
CL DC DNS DNS:QueryId = 0xA941, QUERY (Standard query), Query for NS.josebda.local of type Host Addr on class Internet
DC CL DNS DNS:QueryId = 0xA941, QUERY (Standard query), Response - Success, 10.1.1.2
CL NS ARP ARP:Request, 10.1.1.4 asks for 10.1.1.2
NS CL ARP ARP:Response, 10.1.1.2 at 00-15-5D-6C-0D-04
7.12. CL negotiates a TCP session with NS on port 445 (SMB)
CL NS TCP TCP:Flags=......S., SrcPort=49278, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1616429650, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
NS CL TCP TCP:Flags=...A..S., SrcPort=Microsoft-DS(445), DstPort=49278, PayloadLen=0, Seq=802553199, Ack=1616429651, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL NS TCP TCP:Flags=...A...., SrcPort=49278, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1616429651, Ack=802553200, Win=513 (scale factor 0x8) = 131328
7.13. CL negotiates an SMB session with NS (selects SMB2 dialect)
CL NS SMB SMB:C; Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002
NS CL SMB2 SMB2:R NEGOTIATE (0x0), GUID={9832F94A-1CD3-61B4-40A3-F01305CCDB7E}, Mid = 0
7.14. CL requests a Kerberos service authorization ticket to present to NS.joseba.local for cifs service
CL DC TCP TCP:Flags=......S., SrcPort=49279, DstPort=Kerberos(88), PayloadLen=0, Seq=2584167390, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49279, PayloadLen=0, Seq=2711096963, Ack=2584167391, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL DC TCP TCP:Flags=...A...., SrcPort=49279, DstPort=Kerberos(88), PayloadLen=0, Seq=2584167391, Ack=2711096964, Win=513 (scale factor 0x8) = 131328
CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: cifs/NS.josebda.local
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49279, PayloadLen=0, Seq=2711096964, Ack=2584168963, Win=513 (scale factor 0x8) = 131328
DC CL KerberosV5 KerberosV5:TGS Response Cname: Administrator
DC CL TCP TCP:[Continuation to #499]Flags=...AP..., SrcPort=Kerberos(88), DstPort=49279, PayloadLen=118, Seq=2711098424 - 2711098542, Ack=2584168963, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...., SrcPort=49279, DstPort=Kerberos(88), PayloadLen=0, Seq=2584168963, Ack=2711098542, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...F, SrcPort=49279, DstPort=Kerberos(88), PayloadLen=0, Seq=2584168963, Ack=2711098542, Win=513 (scale factor 0x8) = 131328
7.15. SMB session with NS is setup. (while the last ACKs for the DC are still coming)
CL NS SMB2 SMB2:C SESSION SETUP (0x1), Mid = 1
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49279, PayloadLen=0, Seq=2711098542, Ack=2584168964, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49279, PayloadLen=0, Seq=2711098542, Ack=2584168964, Win=0 (scale factor 0x8) = 0
NS CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49278, PayloadLen=0, Seq=802553440, Ack=1616431432, Win=513 (scale factor 0x8) = 131328
NS CL SMB2 SMB2:R SESSION SETUP (0x1) ,SessionFlags=0x0, Mid = 1
7.16. CL connects to tree \\ns\NS1, opens and queries information for josebda.local\ns1 and josebda.local\ns1\folder1. Error 599 on the last response indicates we need a referral
CL NS SMB2 SMB2:C TREE CONNECT (0x3), Path=\\NS\NS1, Mid = 2
NS CL SMB2 SMB2:R TREE CONNECT (0x3), TID=0x1, Mid = 2
CL NS SMB2 SMB2:C CREATE (0x5), Name=josebda.local\ns1@#510, Context=DHnQ, Context=MxAc, Context=QFid, Mid = 3
NS CL SMB2 SMB2:R CREATE (0x5), Context=MxAc, Context=QFid, FID=0xFFFFFFFF00000001, Mid = 3
CL NS SMB2 SMB2:C QUERY INFORMATION (0x10), FID=0xFFFFFFFF00000001, InformationClass=Query FS Volume Info, FID=0xFFFFFFFF00000001, Mid = 4
NS CL SMB2 SMB2:R QUERY INFORMATION (0x10), Mid = 4
CL NS SMB2 SMB2:C CLOSE (0x6), FID=0xFFFFFFFF00000001, Mid = 6
NS CL SMB2 SMB2:R CLOSE (0x6), Mid = 6
CL NS SMB2 SMB2:C CREATE (0x5), Name=josebda.local\ns1\folder1@#516, Context=DHnQ, Context=MxAc, Context=QFid, Mid = 7
NS CL SMB2 SMB2:R , Mid = 7 - NT Status: System - Error, Code = (599) STATUS_PATH_NOT_COVERED
7.17. CL connects to tree \\ns\IPC$, asks DFS for a referral for “\NS\ns1\folder1” (note via ARP that NS talks to the DC)
CL NS SMB2 SMB2:C TREE CONNECT (0x3), Path=\\NS\IPC$, Mid = 8
NS CL SMB2 SMB2:R TREE CONNECT (0x3), TID=0x5, Mid = 8
CL NS DFS DFS:Get DFS Referral Request, FileName: \NS\ns1\folder1, MaxReferralLevel: 4
NS DC ARP ARP:Request, 10.1.1.2 asks for 10.1.1.1
DC NS ARP ARP:Request, 10.1.1.1 asks for 10.1.1.2
CL DC TCP TCP:Flags=...A...., SrcPort=49274, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1348431413, Ack=806693705, Win=509 (scale factor 0x8) = 130304
NS CL DFS DFS:Get DFS Referral Response, NumberOfReferrals: 1 VersionNumber: 4
7.18. CL now knows that it needs to talk to “fs.josebda.local”. Queries DNS to find it’s “10.1.1.3”, then ARP
CL DC DNS DNS:QueryId = 0x9848, QUERY (Standard query), Query for FS.josebda.local of type Host Addr on class Internet
DC CL DNS DNS:QueryId = 0x9848, QUERY (Standard query), Response - Success, 10.1.1.3
CL FS ARP ARP:Request, 10.1.1.4 asks for 10.1.1.3
FS CL ARP ARP:Response, 10.1.1.3 at 00-15-5D-6C-0D-05
7.19. CL negotiates a TCP session with FS on port 445 (SMB). Note the ARP back from FS, since it’s the first time it talks to CL
CL FS TCP TCP:Flags=......S., SrcPort=49280, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=3441020583, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
FS CL ARP ARP:Request, 10.1.1.3 asks for 10.1.1.4
CL FS ARP ARP:Response, 10.1.1.4 at 00-15-5D-6C-0D-03
FS CL TCP TCP:Flags=...A..S., SrcPort=Microsoft-DS(445), DstPort=49280, PayloadLen=0, Seq=109428157, Ack=3441020584, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL FS TCP TCP:Flags=...A...., SrcPort=49280, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=3441020584, Ack=109428158, Win=513 (scale factor 0x8) = 131328
7.20. CL negotiates an SMB session with FS(selects SMB2 dialect)
CL FS SMB SMB:C; Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002
FS CL SMB2 SMB2:R NEGOTIATE (0x0), GUID={8E4F0109-0E04-FD9C-434A-05881428984C}, Mid = 0
7.21. CL requests a Kerberos service authorization ticket to present to FS.joseba.local for cifs service
CL DC TCP TCP:Flags=......S., SrcPort=49281, DstPort=Kerberos(88), PayloadLen=0, Seq=4155214818, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49281, PayloadLen=0, Seq=938378401, Ack=4155214819, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL DC TCP TCP:Flags=...A...., SrcPort=49281, DstPort=Kerberos(88), PayloadLen=0, Seq=4155214819, Ack=938378402, Win=513 (scale factor 0x8) = 131328
CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: cifs/FS.josebda.local
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49281, PayloadLen=0, Seq=938378402, Ack=4155216391, Win=513 (scale factor 0x8) = 131328
DC CL KerberosV5 KerberosV5:TGS Response Cname: Administrator
DC CL TCP TCP:[Continuation to #543]Flags=...AP..., SrcPort=Kerberos(88), DstPort=49281, PayloadLen=118, Seq=938379862 - 938379980, Ack=4155216391, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...., SrcPort=49281, DstPort=Kerberos(88), PayloadLen=0, Seq=4155216391, Ack=938379980, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...F, SrcPort=49281, DstPort=Kerberos(88), PayloadLen=0, Seq=4155216391, Ack=938379980, Win=513 (scale factor 0x8) = 131328
7.22. SMB session with FS is setup. (while the last ACKs for the DC are still coming)
CL FS SMB2 SMB2:C SESSION SETUP (0x1), Mid = 1
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49281, PayloadLen=0, Seq=938379980, Ack=4155216392, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49281, PayloadLen=0, Seq=938379980, Ack=4155216392, Win=0 (scale factor 0x8) = 0
FS CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49280, PayloadLen=0, Seq=109428398, Ack=3441022365, Win=513 (scale factor 0x8) = 131328
FS CL SMB2 SMB2:R SESSION SETUP (0x1) ,SessionFlags=0x0, Mid = 1
7.23. CL connects to tree \\fs\josebda.local\Share1, opens the folder and file, queries information (note that SMB2 CREATE is also used as “OPEN”)
CL FS SMB2 SMB2:C TREE CONNECT (0x3), Path=\\FS.josebda.local\Share1, Mid = 2
FS CL SMB2 SMB2:R TREE CONNECT (0x3), TID=0x1, Mid = 2
CL FS SMB2 SMB2:C CREATE (0x5), Context=DHnQ, Context=MxAc, Context=QFid, Mid = 3
FS CL SMB2 SMB2:R CREATE (0x5), Context=MxAc, Context=QFid, FID=0xFFFFFFFF00000001, Mid = 3
CL FS SMB2 SMB2:C CREATE (0x5), Context=DHnQ, Context=MxAc, Context=QFid, Mid = 4
FS CL SMB2 SMB2:R CREATE (0x5), Context=MxAc, Context=QFid, FID=0xFFFFFFFF00000005, Mid = 4
CL FS SMB2 SMB2:C CLOSE (0x6), FID=0xFFFFFFFF00000001, Mid = 7
FS CL SMB2 SMB2:R CLOSE (0x6), Mid = 7
CL FS SMB2 SMB2:C QUERY INFORMATION (0x10), FID=0xFFFFFFFF00000005, InformationClass=Query FS Volume Info, FID=0xFFFFFFFF00000005, Mid = 8
FS CL SMB2 SMB2:R QUERY INFORMATION (0x10), Mid = 8
CL FS SMB2 SMB2:C QUERY INFORMATION (0x10), FID=0xFFFFFFFF00000005, InformationClass=Query FS Full Size Info, FID=0xFFFFFFFF00000005, Mid = 10
FS CL SMB2 SMB2:R QUERY INFORMATION (0x10), Mid = 10
7.24. CL disconnects from trees, logs off SMB2 and closes TCP sessions with DC, NS, FS
CL NS TCP TCP:Flags=...A...., SrcPort=49278, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1616432609, Ack=802554785, Win=513 (scale factor 0x8) = 131328
CL FS TCP TCP:Flags=...A...., SrcPort=49280, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=3441023554, Ack=109430126, Win=511 (scale factor 0x8) = 130816
CL DC SMB2 SMB2:C TREE DISCONNECT (0x4), TID=0x1, Mid = 5
DC CL SMB2 SMB2:R TREE DISCONNECT (0x4), Mid = 5
CL DC SMB2 SMB2:C LOGOFF (0x2), Mid = 6
DC CL SMB2 SMB2:R LOGOFF (0x2), Mid = 6
CL NS SMB2 SMB2:C TREE DISCONNECT (0x4), TID=0x5, Mid = 10
CL DC TCP TCP:Flags=...A...F, SrcPort=49274, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1348431557, Ack=806693849, Win=508 (scale factor 0x8) = 130048
NS CL SMB2 SMB2:R TREE DISCONNECT (0x4), Mid = 10
DC CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49274, PayloadLen=0, Seq=806693849, Ack=1348431558, Win=511 (scale factor 0x8) = 130816
CL NS SMB2 SMB2:C TREE DISCONNECT (0x4), TID=0x1, Mid = 11
CL DC TCP TCP:[Segment Lost]Flags=...A.R.., SrcPort=49274, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1348431558, Ack=806693849, Win=0 (scale factor 0x8) = 0
NS CL SMB2 SMB2:R TREE DISCONNECT (0x4), Mid = 11
CL NS SMB2 SMB2:C LOGOFF (0x2), Mid = 12
NS CL SMB2 SMB2:R LOGOFF (0x2), Mid = 12
CL FS SMB2 SMB2:C TREE DISCONNECT (0x4), TID=0x1, Mid = 11
CL NS TCP TCP:Flags=...A...F, SrcPort=49278, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1616432825, Ack=802555001, Win=512 (scale factor 0x8) = 131072
NS CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49278, PayloadLen=0, Seq=802555001, Ack=1616432826, Win=507 (scale factor 0x8) = 129792
FS CL SMB2 SMB2:R TREE DISCONNECT (0x4), Mid = 11
CL NS TCP TCP:[Segment Lost]Flags=...A.R.., SrcPort=49278, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1616432826, Ack=802555001, Win=0 (scale factor 0x8) = 0
NS CL TCP TCP:Flags=...A.R.., SrcPort=Microsoft-DS(445), DstPort=49278, PayloadLen=0, Seq=802555001, Ack=1616432826, Win=0
CL FS SMB2 SMB2:C LOGOFF (0x2), Mid = 12
FS CL SMB2 SMB2:R LOGOFF (0x2), Mid = 12
CL FS TCP TCP:Flags=...A...F, SrcPort=49280, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=3441023698, Ack=109430270, Win=511 (scale factor 0x8) = 130816
FS CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49280, PayloadLen=0, Seq=109430270, Ack=3441023699, Win=508 (scale factor 0x8) = 130048
FS CL TCP TCP:Flags=...A.R.., SrcPort=Microsoft-DS(445), DstPort=49280, PayloadLen=0, Seq=109430270, Ack=3441023699, Win=0 (scale factor 0x8) = 0
Last, here is a sample NetMon screenshot. I'm using this to highlight compound SMB2 requests. What you see above in step 7.23 as simple a CREATE (or OPEN) for the folder is actually a CREATE and a couple of QUERY DIRECTORY. The frame details shows the compound response, which shows that we actually enumerated the entire folder (with just 1 file) with a single request:

8 – Conclusion

I hope this blog post helped you understand the behavior of DFS-N clients and encouraged you to try running Network Monitor and capturing some traces yourself.
For additional information on how DFS-N works, check these two links:
http://technet.microsoft.com/en-us/library/cc782417.aspx
http://www.snia.org/events/storage-developer2008/presentations/wednesday/DanLovingerImplementingDFSN-SDC08-v2.pdf

↧

Using the Windows Server 2008 DFSUTIL.EXE command line to manage DFS-Namespaces

May 1, 2009, 2:24 pm

≫ Next: Windows Storage Server 2008 and the Microsoft iSCSI Software Target 3.2

≪ Previous: Understanding Windows Server 2008 DFS-N by analyzing network traces

The most common administration activities related to DFS-Namespaces can be performed using the “DFS Management” MMC. This will show up under “Administrative Tools” after you add the DFS role service in Server Manager. You can also add just the MMC for remote management of a DFS namespace server. You will find that in Server Manager, under Add Feature, Remote Server Administration Tools (RSAT), Role Administration Tools, File Services Tools.

Another way to manage DFS-N is to use DFSUTIL.EXE, which is a command line tool. There are plenty of options and you can perform pretty much any DFS-related activity, from creating a namespace to adding links to exporting the entire configuration to troubleshooting. This can be very handy for automating tasks by writing scripts or batch files. DFSUTIL.EXE is an in-box tool in Windows Server 2008 (as with the MMC, it is loaded with the DFS-Namespaces role service or with the RSAT for File Services Tools).

Please find below a table with a comprehensive list of the parameters and options available in DFSUTIL.EXE for Windows Server 2008. Please note that DFSUTIL.EXE had a different format for parameters in Windows Server 2003, but that old syntax still works in Windows Server 2008. The old syntax is listed in the last column, prefixed by “OLD:”. There is also an old DFSCMD.EXE, which still works, which is also mentioned prefixed by “OLD:”.

Parameters	Description	Usage and Exampes	Subcommands, notes and old syntax
<None>	Manages DFS Namespaces, servers and clients	Dfsutil Dfsutil /oldcli Dfsutil /?	SUBCOMMANDS: Root - Displays,creates,removes,imports,exports namespace roots. Link - Displays, creates, removes, or moves folders (links). Target - Displays,creates,modifies folder targets (link targets). Property - Displays or modifies a folder target or namespace server. Client - Displays or modifies client information or registry keys. Server - Displays or modifies namespace configuration on the server. Diag - Perform diagnostics or view dfsdirs/dfspath. Domain - Displays all domain-based namespaces in a domain. Cache - Displays or flushes the client cache. NOTES: * Use the Dfsutil /oldcli command to view the original Dfsutil syntax. * Use the /? parameter after any command to display help for the command. * Dfsutil commands use the original Distributed File System terminology, with updated DFS Namespaces terminology provided as explanation for most commands. * If you specify at the end of a command an object (such as a namespace server) about which you want information, most commands will display the information without requiring further parameters or commands. For example, when using the Dfsutil Root command, you can append a namespace root to the command to view information about the root.
Root	Displays information about the namespace root. Dfsutil Root commands support creating, removing, importing or exporting namespace roots.	dfsutil root<\\server\share> [Verbose] PARAMETERS: <\\server\share>: UNC path to the namespace. Verbose: Show additional information while the tool is executing. EXAMPLES: dfsutil root \\contoso.com\DomainNamespace1 dfsutil root \\srv1\StandaloneNameSpace2	SUBCOMMANDS: AddDom - Creates a new domain-based namespace. AddStd - Creates a new stand-alone namespace. Remove - Removes the namespace. Export - Exports the namespace configuration to a file. Import - Imports the namespace from another namespace or a file. ForceSync - Perform a Forced sync on the target of a namespace. OLD: dfsutil /Root:<DfsName> /View [/Verbose]
Root AddDom	Creates a new domain based DFS namespace.	dfsutil root adddom<\\server\share> [<Version>] [<Comment>] PARAMETERS: <\\server\share>: UNC path to the namespace. <Comment>: Specifies an adminstrator comment for the namespace. <Version>: Version of the namespace, possible values are V1 or V2. V1 - Creates a Windows 2000 Server mode namespace. V2 - Creates a Windows Server 2008 mode namespace. EXAMPLES: dfsutil root addDom \\srv1\DomainNameSpace1 "This is V2 namespace" dfsutil root addDom \\srv2\DomainNameSpace2 dfsutil root addDom \\srv3\DomainNameSpace3 V1 "This is V1 Root"	NOTES: 1. To add new root targets, use "dfsutil target add" command. 2. Default setting for creation of new namespace is V2. OLD: dfsutil /AddFtRoot /Server:<ServerName> /Share:<ShareName> /Comment:<Comment>
Root AddStd	Creates a new stand-alone namespace.	dfsutil root addstd <\\server\share> [<Comment>] PARAMETERS: <\\server\share>: UNC Path to the namespace on the namespace server. <Comment>: Specifies an adminstrator comment for the namespace. EXAMPLES: dfsutil root addstd \\srv1\StandaloneNamesapce1 "Standalone Root" dfsutil root addstd \\srv2\StandaloneNamesapce2	OLD: dfsutil /AddStdRoot /Server:<ServerName> /Share:<ShareName> /Comment:<Comment>
Root Remove	Deletes the namespace root.	dfsutil root remove<\\server\share> PARAMETERS: <\\server\share>: UNC path to the namespace on the namespace server. EXAMPLES: dfsutil root remove \\contoso.com\DomainNamespace1 dfsutil root remove \\srv1\StandaloneNamespace2	OLD: dfsutil /RemStdRoot /Server:<ServerName> /Share:<ShareName> OLD: dfsutil /RemFtRoot /Server:<ServerName> /Share:<ShareName> OLD: dfsutil /RemFtRoot:<RootName> /Server:<ServerName> /Share:<ShareName>
Root Export	Exports the namespace configuration information to a file.	dfsutil root export<\\server\share> <filename> [Verbose] [DownLevel] PARAMETERS: <\\server\share>: UNC path to the namespace on the namespace server. <filename>: Name of the file that will store the namespace configuration in XML file format. Verbose: Displays detailed status of the export process. Downlevel: Saves the export file as a text file that is compatible with the version of Dfsutil that is included with the Windows Server 2003 Support Tools. EXAMPLES: dfsutil root export \\contoso.com\DomainNamespace1 C:\dir1\a.txt downlevel dfsutil root export \\srv1\StandaloneNamespace1 C:\dir1\docroot.xml	OLD: dfsutil /Root:<DfsName> /Export:<File> [/Verbose]
Root Import	Imports folders, folder targets and configuration information for a namespace from a file or another namespace.	dfsutil root import	SUBCOMMANDS: Set - Imports and overwrites the existing namespace. Merge - Imports and merges with the existing namespace. Compare - Compares the namespace with another namespace. BlobSize - Displays the approximate AD DS blob size.
Root Import Set	Imports folders, folder targets and configuration information for a namespace from a file or another namespace and overwrites existing folders and folder targets.	dfsutil root import set <\\srcserver\share>\|<filename> <\\destserver\share> [NoBackup] [Verbose] PARAMETERS: <\\srcserver\share>: UNC path to the namespace from which you want to import the configuration. <\\destserver\share> UNC path to the namespace to which you want to import the configuration. <filename>: Name of the xml file from which you want to import the namespace configuration. NoBackup: Does not create backup file to restore overwritten folders and folder targets. Verbose: Displays detailed status of the import process. EXAMPLES: dfsutil root import set \\contoso.com\Namespace1\\contoso.com\Namespace2 NoBackup dfsutil root import set C:\dir1\docroot.txt \\srv1\StandaloneNamespace1	OLD: dfsutil /Root:<DfsName> /Import:<File> /Set\|Merge\|Compare [/Verbose] [/NoBackup]
Root Import Merge	Imports folders, folder targets and configuration information for a namespace from a file and merges existing folders and folder targets.	dfsutil root import merge<filename> <\\destserver\share> [NoBackup] [Verbose] PARAMETERS: <\\destserver\share> : UNC path to the namespace to which you want to import the configuration. <filename> : Name of the xml file from which you want to import the namespace configuration. NoBackup : Does not create backup file to restore overwritten folders and folder targets. Verbose : Displays detailed status of the import process. EXAMPLES: dfsutil root import Merge C:\dir1\docroot.txt \\srv1\StandaloneNamespace1	OLD: dfsutil /Root:<DfsName> /Import:<File> /Set\|Merge\|Compare [/Verbose] [/NoBackup]
Root Import Compare	Compares a namespace on one server with the namespace configuration on another server or in a file.	dfsutil root import compare<\\srcserver\share>\|<filename> <\\destserver\share> [Verbose] PARAMETERS: <\\srcserver\share> : UNC path to the namespace on the first namespace server that you want to compare. <\\destserver\share>: UNC path to the namespace on the second namespace server that you want to compare. <filename> : Name of the XML file that contains the namespace configuration that you want to compare. Verbose : Displays detailed status of the import process. EXAMPLES: dfsutil root import compare \\contoso.com\DomainNamespace1 \\contoso.com\DomainNamespace2 dfsutil root import compare C:\dir1\docroot.txt \\srv1\StandaloneNamespace1	OLD: dfsutil /Root:<DfsName> /ImportRoot:<MasterDfsName> /Mirror\|Compare [/Verbose] [/NoBackup]
Root Import BlobSize	Displays the approximate size of Active Directory Domain Services (AD DS) Blob for the specified namespace import file.	dfsutil root import blobsize <filename> PARAMETERS: <filename> : Name of the XML file that stores the configuration of the namespace you want to analyze. EXAMPLES: dfsutil root import blobsize docroot.xml	OLD: dfsutil /Root:<DfsName> /Import:<File> /BlobSize
Root ForceSync	To initiate a forced DFS metadata resync operation on the DFS root target of a specified domain-based namespace using the Windows Server 2008 mode or standalone DFS namespace ForceSync command can be used .This is not supported on Windows Server 2003 based Namespaces.	dfsutil root forcesync <\\server\share> PARAMETERS: <\\server\share>: Server - Target of the namespace Forcesync will be performed on this target. share - Target share. EXAMPLES: dfsutil root forcesync \\standaloneserver\StandaloneNamespace1 dfsutil root forcesync \\domainnamespaceserver\DomainNamespace2	NOTES: Do not specify <\\domain\root>, use <\\roottarget\share>.
Link	Displays the information about the link(folder) and link(folder) targets. Link commands are used to create a new link, delete a link or move the links.	dfsutil link<DfsPath> PARAMETERS: <DfsPath>: UNC Path of DFS link. EXAMPLES: dfsutil link \\contoso.com\DomainNamespace1\link1 dfsutil link \\srv1\StandaloneNamespace1\link1	SUBCOMMANDS: Add - Creates a new folder. Remove - Removes the specified folder. Move - Moves the folder to another location in the namespace.
Link Add	Adds a folder (link) to the specified namespace.	dfsutil link add <DfsPath> <\\server\sharepath> [Restore] [<Comment>] PARAMETERS: <DfsPath>: UNC Path of DFS link to be created. <\\server\sharepath>: UNC Path to the share on the Target Server. Restore: Option to restore a DFS link. [<Comment>]: Comment for the Link EXAMPLES: dfsutil link add \\contoso.com\DomainNamespace1\link1 \\server\share "This is a new Link" dfsutil link add \\srv1\StandaloneNamespace1\dir\link1 \\server\share	NOTES: 1. Folders can be created with the restore option . In this case, the folder target does not need to be a SMB path. Use this for namespace paths ( \\domain\namespace ), NFS shares or any folder target that you do not want to verify. 2. To add another folder target to an existing folder, use the command "Dfsutil Target Add". OLD: dfsutil /AddLink /Path:<DfsPath> /Server:<LinkTargetServer> /Share:<TargetShare> /Comment:<Comment> OLD: Dfscmd /add \\dfsname\dfsshare\path \\server\share\path [/restore]
Link Remove	Deletes the folder (link) and any associated folder targets (link targets).	dfsutil link remove<DfsPath> PARAMETERS: <DfsPath>: UNC Path of DFS link to remove. EXAMPLES: dfsutil link remove \\contoso.com\DomainNamespace1\link1	OLD: dfsutil /RemoveLink /Path:<DfsPath> /Server:<LinkTargetServer> /Share:<TargetShare> OLD: Dfscmd /remove \\dfsname\dfsshare\path \\server\share\path
Link Move	Moves a folder (link) to another location in the namespace. When you specify a folder that contains other folder, all subfolders are moved as well. If a folder already exists in the new location, you can use the Replace option to delete the existing folder and replace it with the folder you want to move. You cannot move folders between namespaces.	dfsutil link move <OldDfsPath> <NewDfsPath> [Replace] PARAMETERS: <OldDfsPath>: The UNC path of the folder to move. <NewDfsPath>: The UNC path of the new location in the namespace for the folder. Replace: Replaces an existing folder with the folder that you are moving. EXAMPLES: Dfsutil Link Move \\contoso.com/namespace1/programs \\contoso.com\namespace1\tools Dfsutil Link Move \\srv1\namespace1\docs \\srv1\namespace1/public/docs	OLD: Dfscmd /move \\dfsname\dfsshare\path1 \\dfsname\dfsshare\path2 [/force]
Target	Displays information about the folder target (link target) or namespace server (root target). Target commands are used to add, remove or modify the properties of a folder target or namespace server.	dfsutil target [<DfsPath>] <\\server\sharepath> PARAMETERS: <DfsPath>: UNC Path of DFS link. <\\server\sharepath>: UNC Path to the share on the Target Server. EXAMPLES: dfsutil target \\contoso.com\DomainNamespace1\link1 \\mytargetserver\LinkTarget dfsutil target \\mytargetserver\RootTarget	SUBCOMMANDS: Add - Adds a new folder target. Remove - Removes the folder target. NOTES: To view properties of root target do not specify <DfsPath>. OLD: Dfscmd /view \\dfsname\dfsshare [/partial \| /full \| /batch \|\| /batchrestore]
Target Add	Adds a folder target (link target) to an existing folder (link), or a namespace server (root target) to an existing namespace root.	dfsutil target add [<DfsPath>] <\\server\sharepath> [Restore] PARAMETERS: <DfsPath>: UNC Path of DFS Link. <\\server\sharepath>: UNC Path to the share on the Target Server. Restore: Restore option is used when link target is non-SMB path. EXAMPLES: dfsutil target add \\contoso.com\DomainNamespace1\link1 \\mytargetserver\LinkTarget dfsutil target add \\mytargetserver\RootTarget	NOTES: 1. To add new namespace servers to an existing namespace root, omit <DfsPath>. 2. To create new namespace, use the "Dfsutil Root" command with the Adddom or Addstd parameters. 3. Folder targets can be created with the restore option. In this case,the folder target does not need to be a SMB path. Use this for namespace paths ( \\domain\namespace ), NFS shares or any folder target that you do not want to verify. OLD: Dfscmd /map \\dfsname\dfsshare\path \\server\share\path [comment] [/restore]
Target Remove	Deletes a folder target (link target) from a folder (link), or a namespace server (root target) from a namespace.	dfsutil target remove [<DfsPath>] <\\server\sharepath> PARAMETERS: <DfsPath>: DfsPath of a LinkTarget. <\\server\sharepath>: server is Link or Root Target Server and share is Target Share EXAMPLES: Dfsutil Target Remove \\contoso.com\namespace1\programs \\srv2\apps Dfsutil Target Remove \\srv1\namespaceshare	NOTES: 1. To delete a root target (namespace server) do not specify <DfsPath>. If the namespace server is the only namespace server in the namespace, then the namespace will be deleted. 2. To remove all the namespace servers, use the "Dfsutil Root Remove" command. OLD: Dfscmd /unmap \\dfsname\dfsshare\path
Property	Displays or modifies the properties of a folder target (link target) or namespace server (root target).	dfsutil property	SUBCOMMANDS: Sitecosting - Displays or modifies site costing for a namespace. RootScalability - Displays or modifies the namsespace polling mode. ABDE - Enable/Disable/View ABDE property of a Namespace. Insite - Displays or modifies the in-site property. TargetfailBack - Displays or modifies client fail back. ACL - Set/Get Security Information on the folder. State - Displays or modifies a folder target or namespace server. TTL - Displays or changes client referral caching. PriorityRank - Displays or changes the ordering method (priority rank). PriorityClass - Displays or changes the target priority. Comment - Set/View the comment for DFS namesapace or DFS link.
Property Sitecosting	Displays whether site costing is enabled, and enables or disables it on the specified namespace. Enable site costing to force clients to evaluate inter-site link costs and choose the lowest cost folder target. Site costing is disabled by default.	dfsutil property sitecosting<DfsPath> PARAMETERS: <DfsPath>: Displays whether site costing is enabled on the specified namespace. EXAMPLES: dfsutil property sitecosting enable \\contoso.com\DomainNamespace1 dfsutil property sitecosting enable \\srv1\StandaloneNamespace1	SUBCOMMANDS: Enable - Enable this property on the namespace. Disable - Disable this property on the namespace. NOTES: 1) The path specified must be a namespace root, not a folder. 2) This feature is only supported on servers Windows Server 2003 or Windows Server 2008. 3) Domain Controller (DC) site costing is controlled separately on each DC using the following registry key:HKLM\System\CurrentControlSet\Services\Dfs\Parameters\SiteCostedReferrals DWORD 1 or 0 OLD: dfsutil /Root:<DfsName> /SiteCosting /Enable\|Disable\|Display [/Verbose]
Property RootScalability	RootScalability is an expert-only command to increase performance of large deployments of DFS namespaces. When set, network traffic among DFS root servers is kept to a minimum. In addition, there will be less traffic between the primary DC and DFS servers.The drawback is that users may see outdated information from dfs servers at times.	dfsutil property rootscalability<DfsPath> PARAMETERS: <DfsPath>: Path of a root. EXAMPLES: dfsutil property RootScalability \\contoso.com\DomainNamespace1	SUBCOMMANDS: Enable - Enable this property on the namespace. Disable - Disable this property on the namespace. NOTES: 1) The path specified must be a root, not a link. 2) This has no effect on standalone roots. 3) This feature is only supported on Windows Server 2003 and higher. 4) When RootScalability is enabled, it is not uncommon to see an event log message such as, "DFS could not access its private data from the DS...". While this error may still indicate a problem in DS connectivity, typically this occurs because the nearest DC has outdated DFS information (expected behavior when RootScalability is enabled). OLD: dfsutil /Root:<DfsName> /RootScalability /Enable\|Disable\|Display [/Verbose]
Property ABDE	ABDE command is a quick way to check if Access Based Directory Enumeration is enabled or disabled on the NameSpace. This is the property of domain-based namespace using the Windows Server 2008 mode or Standalone Namespaces in Windows Server 2008.	dfsutil property abde<DfsPath> PARAMETERS: <DfsPath>: UNC path to the DFS namesapace. EXAMPLES: dfsutil property ABDE \\contoso.com\DomainNamespace1 dfsutil property ABDE \\srv1\StandaloneNamespace1	SUBCOMMANDS: Enable - Enable this property on the namespace. Disable - Disable this property on the namespace. NOTES: When Access Based Directory Enumeration is enabled, the users can view their directories only if they have permissions. Links will have Security Descriptors associated with them. The users can view the links only for which they have permissions in the Security Descriptor.
Property Insite	Insite can be used to make sure clients access only those replicas that are in the same site as the client. It can also be used to disable such behavior.	dfsutil property insite<DfsPath> PARAMETERS: <DfsPath>: UNC path of a DFS namespace or DFS link. EXAMPLES: dfsutil property Insite \\contoso.com\DomainNamespace1 dfsutil property Insite \\srv1\StandaloneNamespace1	SUBCOMMANDS: Enable - Enable this property on the namespace or link. Disable - Disable this property on the namespace or link. NOTES: 1) The path specified may be a root or a link. 2) Access of Domain Controllers may be site-sensitive as well. That, however, is a DC specific property that must be enabled/disabled in the registry of relevant DC(s): HKLM\System\CurrentControlSet\Services\Dfs\Parameters\InsiteReferrals: DWORD 1 or 0 OLD: dfsutil /Path:<DfsPath> /InSite /Enable\|Disable\|Display [/Verbose]
Property TargetfailBack	Displays TargetfailBack property of root or link TargetFailback is an expert-only command to make sure clients failback to target servers that are closer to them after having failed over to a target that's potentially out of site.	dfsutil property targetfailback<DfsPath> PARAMETERS: <DfsPath>: UNC path of a DFS namesapace or DFS link. EXAMPLES: dfsutil property TargetfailBack \\contoso.com\DomainNamespace1 dfsutil property TargetfailBack \\srv1\StandaloneNamespace1	SUBCOMMANDS: Enable - Enable this property on the namespace or link. Disable - Disable this property on the namespace or link. NOTES: 1) The path specified may be a root or a link. 2) This feature is only supported on Windows Server 2003 SP1 and higher. 3) The clients must be running a newer operating system to take advantage of this feature. 4) You may also enable/disable TargetFailback on SYSVOL/NETLOGON paths. That, however, is a DC specific property that must be set/reset in the registry of relevant DC(s): HKLM\System\CurrentControlSet\Services\Dfs\Parameters\SysvolNetlogonTargetFailback: DWORD 1 or 0 OLD: dfsutil /Path:<DfsPath> /TargetFailback /Enable\|Disable\|Display [/Verbose]
Property ACL	ACL command is a quick way to set or get the ACLs on the link.	dfsutil property acl<DfsPath> [ShowSDDL] PARAMETERS: <DfsPath>: UNC Path of DFS link. ShowSddl: Option to display SDDL. EXAMPLES: dfsutil property ACL \\contoso.com\DomainNamespace1\link1 dfsutil property ACL \\standaloneserver\Namespace1\link1 showsddl	SUBCOMMANDS: Grant - Grant permissions for a user or group(trustee). Deny - Deny Permissions for user or group(trustee). Revoke - Revoke granted permissions for user or group. Set - Set Security Information on the folder from SDDL input. Reset - Remove the Security Descriptor associated with the folder. Control - Set Security control Information on the folder.
Property State	Displays State of Root/RootTarget or Link/Link target	dfsutil property state<DfsPath> [<\\server\share>] PARAMETERS: <DfsPath>: UNC path of a DFS namesapace or DFS link. <\\server\share>: server is Target Server and share is share on Target Server. EXAMPLES: dfsutil property State \\contoso.com\DomainNamespace1\link1 \\server\share dfsutil property State \\namespaceserver\Namespace2	SUBCOMMANDS: Online - Set state of root target or folder target to Online. Offline - Set state of root target or folder target to Offline. NOTES: 1. In case of the Windows Server 2003, the state of the DFS namespace root or root target can not be changed to online or offline. But the state of the link and the link targets can be changed. 2. In Windows 2000 Server and Windows Server 2008 the state of the DFS namespace root and root target can be changed to offline or online. OLD: dfsutil /Path:<DfsPath> /State /Server:<RootOrLinkTargetServer> /Share:<TargetShare>
Property TTL	Displays the Timeout value of root or link.	dfsutil property ttl<DfsPath> PARAMETERS: <DfsPath>: UNC path of a DFS namesapace or DFS link. EXAMPLES: dfsutil property ttl \\contoso.com\DomainNamespace1	SUBCOMMANDS: Set - Set this property of DFS namesapace or DFS link. OLD: dfsutil /Enable\|Disable\|Display [/Verbose] /Path:<DfsPath> {/TTL:<Timeout> /Set}\|{/TTL /Display} [/Verbose]
Property PriorityRank	TargetPriorityRank is a useful way to control client accesses to dfs target servers.	dfsutil property priorityrank<DfsPath> <\\server\share> [Verbose] PARAMETERS: <DfsPath>: UNC path of a DFS namesapace or DFS link. <\\server\share>: server is Target Server and share is share on Target Server. Verbose: Show additional information while the tool is executing EXAMPLES: dfsutil property PriorityRank \\contoso.com\DomainNamespace1 \\srv1\DomainNameSpace1	SUBCOMMANDS: Set - Set this property of the root or link target. OLD: dfsutil /Path:<DfsPath> /TargetPriority /Server:<TargetServerName> /Share:<TargetShare> [/Display] [/Set] [/PriorityRank:<Rank> [/PriorityClass:<SiteCostNormal\|GlobalHigh\|SiteCostHigh\|Site CostLow\|GlobalLow>] [/Verbose]
Property PriorityClass	TargetPriorityClass is a useful way to control client accesses to DFS target servers.	dfsutil property priorityclass<DfsPath> <\\server\share> [Verbose] PARAMETERS: <DfsPath>: UNC path of a DFS namesapace or DFS link. <\\server\share>: server is Target Server and share is share on Target Server. Verbose: Show additional information while the tool is executing EXAMPLES: dfsutil property PriorityClass \\contoso.com\DomainNamespace1 \\srv1\DomainNameSpace1	SUBCOMMANDS: Set - Set this property of the root or link target. NOTES: 1) The Path can be a Domain based or a Standalone DFS path. It must lead to a root or a link. 2) TargetPriority can be used in conjuction with site costing, insite and the like. 3) GlobalPriorityClass will take precedence over the site cost. The default behavior is SiteCostNormalPriorityClass. OLD: dfsutil /Path:<DfsPath> /TargetPriority /Server:<TargetServerName> /Share:<TargetShare> [/Display] [/Set] [/PriorityRank:<Rank> [/PriorityClass:<SiteCostNormal\|GlobalHigh\|SiteCostHigh\|Site CostLow\|GlobalLow>] [/Verbose]
Property Comment	Sets or displays the administrator comment for a namespace or link (folder).	dfsutil property comment<DfsPath> PARAMETERS: <DfsPath>: UNC Path of DFS Root or DFS link EXAMPLES: dfsutil property comment \\contoso.com\DomainNamespace1\link1 dfsutil property comment \\srv1\StandaloneNamespace1	SUBCOMMANDS: Set - Set this property for DFS namesapace or DFS link.
Client	Client commands are used to modify or view the client registry keys or display the siteinformation.	dfsutil client	SUBCOMMANDS: Registry - Set/Reset/View registry keys. SiteInfo - View the Siteinformation. Property - Displays or modifies local machine's cache information.
Client Registry	Registry commands can modify or display client registry keys or display siteinformation.	dfsutil client registry	SUBCOMMANDS: ProviderCacheTimeout - Set/View the ProviderCacheTimeoutInMinutes key. DfsDcNameDelay - Set/Reset/View the DfsDcNameDelay key.
Client Registry ProviderCacheTimeout	ProviderCacheTimeout specifies the length of time that a multiple UNC provider (MUP) cache entry is held until it is reevaluated.	dfsutil client registry providercachetimeout<Client> PARAMETERS: <Client> : client whose registry key ProviderCacheTimeoutInMinutes has to be displayed.	SUBCOMMANDS: Set - Set the ProviderCacheTimeoutInMinutes key. OLD: dfsutil /ProviderCacheTimeoutInMinutes[:<Value>] /Server:<Name> /Display\|/Set
Client Registry DfsDcNameDelay	Display or modify the registry key DfsDcNameDelay in the client.	dfsutil client registry dfsdcnamedelay<Client> PARAMETERS: <Client> : client whose registry key DfsDcNameDelay has to be displayed.	SUBCOMMANDS: Set - Set the DfsDcNameDelay key. Reset - Reset the DfsDcNameDelay key. OLD: dfsutil /DfsDcNameDelay[:<Value>] /Server:<Name> /Display\|/Set
Client SiteInfo	Display the site information assosciated with the client.	dfsutil client siteinfo <MachineName>\|<IpAddress> PARAMETERS: <MachineName>: Machine Name of the client whose site information has to be displayed. <IpAddress>: IpAddress of the client whose site information has to be displayed.	OLD: dfsutil /SiteName:<MachineName or IpAddress>
Client Property	Displays or modifies local machine's cached information.	dfsutil client property	SUBCOMMANDS: State - Set/View state of target for the dfs namespace or link.
Client Property State	Displays or modifies target state of a dfs namespace or link. Only the local machine's cached information is displayed or modified.	dfsutil client property state<dfspath>	SUBCOMMANDS: Active - Set active target for the dfs namespace or link.
Server	Displays all the roots hosted on the server. Server command can also be used to modify the registry keys in the server.	dfsutil server<Server> PARAMETERS: <Server>: Server on which the roots are hosted.	SUBCOMMANDS: Registry Set/Reset/View registry keys of server. OLD: dfsutil /Server:<MachineName> /View
Server Registry	Registry commands can modify or display the registry keys on the server.	dfsutil server registry	SUBCOMMANDS: DfsDnsConfig Set/Reset/View DfsDnsConfig key in server registry. LdapTimeoutValue Set/View LdapTimeoutValueInSeconds key in the registry. SyncInterval Set/View SyncIntervalinSeconds key in server registry. SiteCostedReferrals Set/Reset/View SiteCostedReferrals key in the registry. InsiteReferrals Set/Reset/View InsiteReferrals key in server registry. PreferLogonDC Set/Reset/View PreferLogonDC key in server registry.
Server Registry DfsDnsConfig	Modifies or displays the registry key DfsDnsConfig in the server.	dfsutil server registry dfsdnsconfig <Server> PARAMETERS: <Server> : The server whose registry key DfsDnsConfig has to be displayed.	SUBCOMMANDS: Set Set DfsDnsConfig key in server registry. Reset Reset DfsDnsConfig key in server registry. NOTE: DfsDnsConfig when set to 1, specifies that this server will use fully qualified domain names (FQDN) in referrals. When set to 0 (the default), specifies that this server will use NetBIOS names in referrals. OLD: dfsutil /DfsDnsConfig[:<Value>] /Server:<Name> /Display\|/Set
Server Registry LdapTimeoutValue	Modifies or displays the registry key LdapTimeoutValueInSeconds in the server. This is the time-out value (in seconds) for DFS LDAP calls.	dfsutil server registry ldaptimeoutvalue<Server> PARAMETERS: <Server> : The server whose registry key LdapTimeoutValueInSeconds has to be displayed. <value> : The default value is 30 seconds, the minimum value is 3 seconds and the maximum value is 300 seconds (5 minutes).	SUBCOMMANDS: Set - Set LdapTimeoutValueInSeconds key in server registry. OLD: dfsutil /LdapTimeoutValueInSeconds[:<Value>] /Server:<Name> /Display\|/Set
Server Registry SyncInterval	This key specifies how often domain-based root servers and domain controllers poll the primary domain controller (PDC) emulator master to obtain updated DFS metadata.	dfsutil server registry syncinterval <Server> PARAMETERS: <Server> : The server whose registry key SyncIntervalinSeconds has to be displayed.	SUBCOMMANDS: Set Set SyncIntervalinSeconds key in server registry. OLD: dfsutil /SyncIntervalinSeconds[:<Value>] /Server:<Name> /Display\|/Set
Server Registry SiteCostedReferrals	When set to 0 (the default), SYSVOL and NETLOGON referrals contain domain controllers in the client’s site listed first in random order, followed by a random list of domain controllers. When set to 1, SYSVOL and NETLOGON referrals sort domain controllers in order of lowest cost. Domain controllers in the clients site are at the top of the referral list, followed by domain controllers sorted by lowest cost.	dfsutil server registry sitecostedreferrals <Server> PARAMETERS: <Server> : The server whose registry key SiteCostedReferrals has to be displayed.	SUBCOMMANDS: Set - Set SiteCostedReferrals key in server registry. Reset - Reset SiteCostedReferrals key in server registry. OLD: dfsutil /SiteCostedReferrals[:<Value>] /Server:<Name> /Display\|/Set
Server Registry InsiteReferrals	If this registry key is set, the server the provides referrals which are in the same site as that of the client.	dfsutil server registry insitereferrals <Server>	SUBCOMMANDS: Set - Set InsiteReferrals key in server registry. Reset - Reset InsiteReferrals key in server registry. OLD: dfsutil /InsiteReferrals[:<Value>] /Server:<Name> /Display\|/Set
Server Registry PreferLogonDC	When PreferLogonDc registry key is set, the logon server will be put on the top of the referral list.	dfsutil server registry preferlogondc <Server>	SUBCOMMANDS: Set Set PreferLogonDC key in server registry. Reset Reset PreferLogonDC key in server registry. OLD: dfsutil /PreferLogonDC[:<Value>] /Server:<Name> /Display\|/Set
Diag	Diag is used to perform diagnostics on DFS Namespace.	dfsutil diag	SUBCOMMANDS: UnMapDomRoot - Delete obsolete references to Domain based root target. Clean - Remove reference to obsolete root from host machine. Viewdfsdirs - List/Remove all DFS reparse directories in a volume. Viewdfspath - Resolve a DfsPath to a destination UNC path.
Diag UnMapDomRoot	UnMapDomRoot deletes DFS references to an obsolete domain based root target. This is a special problem repair command.	dfsutil diag unmapdomroot <\\domain\root> <\\rootreplica/share> [Verbose] PARAMETERS: <\\domain\root>: DfsName containing domain name and root name. <\\roottargetserver\RootTargetShare>: RootTargetServer - Name of the root target server to unmap. Should be exactly as it appears in DFS target info. RootTargetShare - Name of the root Target share to unmap Verbose: Show additional information while the tool is executing EXAMPLES: dfsutil diag unmapdomroot \\contoso.com\RootName \\myroottarget\RootTargetShare
Diag Clean	Clean is a special problem repair command to remove a reference to an obsolete root from a host machine. These changes will be done in the given system's registry.	dfsutil diag clean<\\server\share> [Verbose] PARAMETERS: <\\server\share>: server - Name of the system hosting the root to be cleaned share - Name of the Domain based or Standalone root to remove. Verbose: Show additional information while the tool is executing EXAMPLES: dfsutil diag clean \\mytargetserver\ShareName	OLD: dfsutil /Clean /Server:<ServerName> /Share:<ShareName>
Diag Viewdfsdirs	ViewDfsDirs lists all existing DFS reparse directories in a volume. Those directories can also be deleted using the optional argument RemoveReparse.	dfsutil diag viewdfsdirs<drive> [removereparse] [Verbose] PARAMETERS: <drive>: Drive letter of the volume to scan (with colon at the end). RemoveReparse: Remove all reparse directories as they are listed. Verbose: Show additional information while the tool is executing	NOTES: 1 - The volume drive letter must contain a colon at the end. 2 - This command will always enumerate dfs reparse points starting at the root of the volume. It is not possible to specify a directory below the root of the volume as a starting point OLD: dfsutil /ViewDfsDirs:<VolumeName> [/RemoveReparse] [/Verbose]
Diag Viewdfspath	ViewDfsPath can be used to resolve a DfsPath to a destination UNC path. The DfsPath can be a domain based/standalone DFS Namespace or even path to the link. This command is supported only in Windows Vista or above.	dfsutil diag viewdfspath <DfsPath> PARAMETERS: <DfsPath>: Path of DFS root or link to be resolved. EXAMPLES: dfsutil diag ViewDfsPath \\domain\docs (will be resolved as \\servername\share) dfsutil diag ViewDfsPath \\domain\docs\link1 (will be resolved as \\linktarget\share)	OLD: dfsutil /DisplayDfsPath:<DfsPath>
Domain	Domain command is a quick way to view all namespaces in the domain.	dfsutil domain<domain>	OLD: dfsutil /Domain:<DomainName> /View
Cache	Cache commands are used to display or flush the client cache.	dfsutil cache	SUBCOMMANDS: Domain - View/Flush the Domain cache. Referral - View/Flush the Referral cache. Provider - View/Flush the Provider cache.
Cache Domain	Domain commands are used to display or flush the domain cache.	dfsutil cache domain	SUBCOMMANDS: Flush - Flush the Domain cache. OLD: dfsutil /SpcInfo OLD: dfsutil /SpcFlush
Cache Referral	Referral commands are used to display or flush the Referral cache.	dfsutil cache referral [<Level>]	SUBCOMMANDS: Flush - Flush the Referral cache. OLD: dfsutil /PktInfo OLD: dfsutil /PktFlush
Cache Provider	Provider commands are used to display or flush the provider cache.	dfsutil cache provider	SUBCOMMANDS: Flush - Flush the Provider cache. OLD: dfsutil /PurgeMupCache OLD: dfsutil /DisplayMupCache

↧

Windows Storage Server 2008 and the Microsoft iSCSI Software Target 3.2

May 6, 2009, 12:25 am

≫ Next: How many DFS-N namespace servers do you need?

≪ Previous: Using the Windows Server 2008 DFSUTIL.EXE command line to manage DFS-Namespaces

I am glad to share that Windows Storage Server 2008 (WSS 2008) and the Microsoft iSCSI Software Target 3.2 have been released to the Microsoft OEM partners.

This is the successor to Windows Storage Server 2003 (WSS 2003) and Windows Unified Data Storage Server 2003 (WUDSS 2003). I have been working closely with some of the OEM partners for the last few quarters and they will be announcing their Windows Storage Server 2008 appliances over the next several weeks.

In this release, a number of important improvements were introduced including (but not limited to):

Benefits from using Windows Server 2008 as a platform, like the improvements in the TCP/IP stack, SMB2 protocol, Failover Clustering and Server Manager.
New version of Single Instance Store (SIS) file-level deduplication, including support for up to 128 volumes, the ability to un-SIS and improved Failover Clustering support.
New version of the Microsoft iSCSI Software target (3.2), including support for IPv6, updated VSS/VDS providers and improved Failover Cluster support

To learn more, please join the TechNet webcast “Introducing Windows Storage Server 2008” at http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032410705, live on May 7th at 8AM PST or on-demand shortly after that.

For additional information, check these web sites:

Official product web site: http://www.microsoft.com/storageserver
Details on Single Instance Storage (SIS): http://www.microsoft.com/windowsserver2008/en/us/WSS08/SIS.aspx
Details on the Microsoft iSCSI Software Target 3.2: http://www.microsoft.com/windowsserver2008/en/us/WSS08/iSCSI.aspx
Windows Storage Server 2008 partners: http://www.microsoft.com/windowsserver2008/en/us/wss08/partners.aspx
Windows Server blog: http://blogs.technet.com/windowsserver/archive/2009/05/05/windows-storage-server-2008-is-here.aspx
Windows Storage Server blog: http://blogs.technet.com/storageserver/archive/2009/05/06/announcing-windows-storage-server-2008.aspx
Jason Buffington's blog: http://blogs.technet.com/jbuff/archive/2009/05/05/announcing-windows-storage-server-2008-waa-hoo.aspx

↧

How many DFS-N namespace servers do you need?

June 26, 2009, 12:05 pm

≫ Next: Microsoft File Server Migration Toolkit 1.2 available as a free download

≪ Previous: Windows Storage Server 2008 and the Microsoft iSCSI Software Target 3.2

Introduction

Whenever you’re deploying Windows Server DFS-Namespaces, you will need to figure out how many servers will be required.
Since I moved to the role of DFS-N PM, I noticed that the specific information on how many namespace servers you need is something that isn’t clearly posted anywhere.
Although we never really had any problems with performance of the namespace server themselves, the question of where to place them is quite common.
Hopefully, this blog post will help clarify the topic.
Note: We're not discussing here the type of namespace you should be using (standalone, 2008 domain mode, 2000 domain mode).
We assume you already made that call and you're now deciding how many namespaces servers you need and where they should be.

Performance

A single namespace server can typically handle thousands of referrals per second (the exact number will depend on details like the number of targets per link, the server configuration, the network bandwidth).
Since DFS-N clients will cache those referrals, you will be hard-pressed to find a scenario where a single dedicated namespace server would become a significant performance bottleneck.
However, there’s a lot more to this than raw referral performance.

Zero?

The first option for you is not to deploy any additional servers specifically for DFS-N.
If you have a small environment, you can simple enable the DFS-N role on an existing domain controller or file server (you are likely to have some of those already).
In that case, you need zero new servers. Let’s look into the two options: DCs or file servers.

Deploy DFS-N on the DCs

Domain controllers seem like a good candidate to become namespace servers, since they are usually not too busy on small environments.
Domain controllers are likely to also be running other services like DNS.
The typical distribution of domain controllers will also help with your namespace site awareness.
Having a DC nearby will also do wonders for the performance of your domain queries.
On the other hand, domain controllers are sometimes run by dedicated teams that are not too keen on adding unrelated services to their boxes.
You could argue that DFS-N and AD are closely related, since DFS-N domain namespaces use AD for storage. You might lose that argument :-).
Domain controllers are usually heavily secured (for good reasons) and getting permissions to manage a service on those boxes might be a tough one, specially on larger enterprises.
It might also be a little harder to troubleshoot root referrals when the namespace server and DC are collocated (not so easy to get a network trace).

Deploy DFS-N on the file servers

File Servers are also an easy option here. If you already have a few file servers, you could simple add the DFS-N role to a few of them.
The team that manages file servers typically will also be in charge of namespaces, so that helps.
Also, if you have consolidated your file servers, you’re probably OK consolidating your namespace service as well.
This might perpetuate the myth that the file service and the namespace service are the same thing, but that’s just a minor thing :-)
One issue is that the file servers might not be running Windows (they could be some type of NAS appliance), so you could not load DFS-N on them.
As already mentioned, a single namespace server can handle a lot of load, so you will definitely not need this service on every file server. You should aim for two (for high availability).

Two

If you couldn’t talk the owners of either the domain controllers or the file server into hosting the DFS-N service, you can have your own dedicated namespace servers.
If you do decide to install them separately, you would typically not need more than one server, from a referral performance standpoint.
However, due to high availability requirements, it’s strongly recommend to configure two of them.
If you use domain namespaces, they will naturally cover for each other.
If you use standalone namespaces, you should configure them as a failover cluster.

One per site

One reason to have more than two dedicated namespace servers is to resolve referrals within a site.
If you are using domain namespaces, clients will get their referrals from the nearest namespace server and the AD site configuration is used to determine that.
In that case, you should consider having one namespace server per site.
To further improve on that, you could have at least one domain controller per site and enable DFS-N “root scalability”. This will make the namespace server work with the nearest DC.
Keep in mind that, if you enable “root scalability” and you update the namespace root, your users might see outdated information until the site DC gets updated via AD replication.
This also provides fault tolerance, because if the namespace server on your site fails, you can still get referrals by contacting a namespace server on another site.
This is definitely not driven by the load on the server, but by the requirements for site independency and by WAN bandwidth concerns.
Have I mentioned that you could try to talk the people manage the DCs into let you run the DFS-N service on their boxes? :-)

Two per team

You might also end up with multiple namespace servers if multiple teams in an enterprise stand up their own set, typically using standalone namespaces.
Since each team will need to provide high availability by clustering their standalone namespace servers, you will end up with two namespace servers per team.
As you can imagine, this not a good way to go. Keep in mind that DFS-N servers can host multiple namespaces and you can delegate management per namespace.
This makes even less sense for domain namespaces, since by definition you would be trying to consolidate the namespaces.
Again, this would not be driven by the load on the server or any other technical requirements.
In short, if you have one or two namespace servers per team you should probably go back to the drawing board and reconsider your consolidation options.

Conclusion

I hope this helped with your DFS-N design. For additional details on DFS-N, see my other blog posts at http://blogs.technet.com/josebda/archive/tags/DFS/default.aspx

↧

Microsoft File Server Migration Toolkit 1.2 available as a free download

June 30, 2009, 9:22 am

≫ Next: File Server Capacity Tool (FSCT) Release Candidate available for download

≪ Previous: How many DFS-N namespace servers do you need?

Microsoft released the File Server Migration Toolkit version 1.2 (FSMT 1.2), which will help you migrate file shares from computers running Windows NT 4.0 Server, Windows 2000 Server, Windows 2003 Server, Windows Server 2008 and Windows Storage Server 2008 to computers running Windows 2003 Server, Windows Server 2008 and Windows Storage Server 2008. You can use it to consolidate multiple file servers or simply to migrate files between servers.

This is an update to the previous FSMT 1.1 that fixes an issue with Windows Server 2003 clusters. This version has also been tested with the Windows Server 2008 R2 Release Candidate (full support for Windows Server 2008 R2 is expected and will become official after tests with the final release, which should be out later this year).

Here are the main benefits of FSMT:

Simplifies the complex and error-prone migration process of SMB shares and data
Maintains UNC paths and eliminates broken shortcuts and links
Maintains security settings after the migration
Consolidates shared folders with the same names from different servers
Supports server clusters as source and target file servers
Provides roll-back functionality
Support for Windows Server 2008 and Windows Storage Server 2008
Includes both the DFS Consolidation Root Wizard and the Dfsconsolidate.exe command-line tool
Available in 5 languages (English, French, German, Japanese and Spanish)

Here’s a screenshot:

FSMT

Download and test it today from
http://www.microsoft.com/downloads/details.aspx?FamilyID=d00e3eae-930a-42b0-b595-66f462f5d87b&DisplayLang=en

Also, be sure to also visit the FSMT Web Site at
http://go.microsoft.com/fwlink/?LinkId=128527

↧

File Server Capacity Tool (FSCT) Release Candidate available for download

July 8, 2009, 10:11 am

≫ Next: Five ways to check your DFS-Namespaces (DFS-N) configuration with the DFSDIAG.EXE tool

≪ Previous: Microsoft File Server Migration Toolkit 1.2 available as a free download

The File Server Capacity Tool (FSCT) is a capacity planning software for CIFS/SMB/SMB2 file servers. It’s also useful for identifying performance bottlenecks. FSCT results include the maximum number of users for a file server configuration, throughput for that configuration and performance counters for the server and clients used.

This is a command line tool and the target audience is IT Professionals and Storage Solution Providers. It is not a GUI tool for end users. You will also need a few computers in a lab environment to try it. You can see a sample configuration in the diagram below:

FSCT

We have been running a private beta for FSCT since last year and now a Release Candidate is available for public download for the first time. To get it, go to http://connect.microsoft.com, sign in (you will need to register if you’re new to Connect), then click on “Connection Directory” and look for “FSCT RC”. Please read the License Agreement carefully, since there are restrictions on the disclosure of the results you get from the tool.

The download includes an overview presentation and a white paper that provide detailed instructions on how to use the tool. There is a new public forum for discussions about FSCT has just been configured and the product team is keeping an eye on it. That forum can be found at http://social.technet.microsoft.com/Forums/en-US/fsct.

If you want more details before downloading, you can check my previous posts on FSCT at http://blogs.technet.com/josebda/archive/tags/FSCT/default.aspx.

For an in-person conversation with the FSCT team, plan to attend SNIA’s Storage Developers Conference (SDC 2009) in September.
You can find the FSCT talk in the agenda at http://www.snia.org/events/storage-developer2009/agenda2009

I encourage you to download the Release Candidate software, try it on your lab, ask questions on the online forum and join us at SDC for some live Q&A.

↧

Five ways to check your DFS-Namespaces (DFS-N) configuration with the DFSDIAG.EXE tool

July 15, 2009, 11:59 pm

≫ Next: Changes in Roles, Role Services and Features from Windows Server 2008 to Windows Server 2008 R2

≪ Previous: File Server Capacity Tool (FSCT) Release Candidate available for download

Introduction

The Distributed File System Namespaces (DFS-N) service is a role service of the File Service role for Windows Server.
For a basic description of DFS-N, start with http://blogs.technet.com/josebda/archive/2009/03/10/the-basics-of-the-windows-server-2008-distributed-file-system-dfs.aspx
DFS-N, as the name implies, is a distributed system and it involves a number of components running on a set of computers (Active Directory domain controllers, DFS-N namespace servers, SMB file servers, DFS-N clients).
You can get an idea of the interactions by looking at http://blogs.technet.com/josebda/archive/2009/04/15/understanding-windows-server-2008-dfs-n-by-analyzing-network-traces.aspx
Because of that, as you can imagine, diagnosing problems with DFS-N can be challenging. To assist with that, Windows Server provides an in-box tool specifically to help with that. It’s called DFSDIAG.EXE.
DFSDIAG was introduced in Windows Server 2008 and it was improved in Windows Server 2008 R2 to provide better messages and help text. DFSDIAG is not available as an in-box tool for Windows Server 2003, but the tests can run on Windows Server 2008 or Windows Server 2008 R2 while targeting namespace servers running Windows Server 2003. The tool will exercise the many components related to DFS-N, so it is recommended to experiment with it in a test lab first to assess its impact, before running it in production.
DFSDIAG can check your configuration in five different ways:
Checking domain controller configuration
Checking site associations
Checking namespace server configuration
Checking individual namespace configuration and integrity
Checking referral responses
We’ll examine each one of these checks individually, below.

Checking domain controller configuration - DFSDIAG /TestDCs

Checks the configuration of domain controllers by performing the following tests on each domain controller in the specified domain:
Verifies that the Distributed File System (DFS) Namespace service is running and that its Startup Type is set to Automatic.
Checks for the support of site-costed referrals for NETLOGON and SYSVOL.
Verifies the consistency of the site association by hostname and IP address.
Usage:
DFSDiag /TestDCs [/Domain:<Domain name>]
Parameters:
/Domain:<Domain name>: Domain that you want to check.
Notes:
/Domain is an optional parameter. The default value is the local domain that the local host is joined to.
Example:
DFSDiag /TestDCs /Domain:Contoso.com

Checking site associations - DFSDIAG /TestSites

Checks the configuration of Active Directory Domain Services (AD DS) sites by verifying that servers that act as namespace servers or folder (link) targets have the same site associations on all domain controllers.
Usage:
DFSDiag /TestSites </Machine:<server name>| /DFSPath:<namespace root or DFS folder> [/Recurse]> [/Full]
Parameters:
/Machine:<server name>: The name of the server on which to verify the site association.
/DFSPath:<namespace root or DFS folder>: The namespace root or Distributed File System (DFS) folder (link) with targets for which to verify the site association.
/Recurse: Enumerates and verifies the site associations for all folder targets under the specified namespace root.
/Full: Verifies that AD DS and the registry of the server contain the same site association information.
Example:
DFSDiag /TestSites /Machine:MyServer
DFSDiag /TestSites /DFSPath:\\Contoso.com\Namespace1\Folder1 /Full
DFSDiag /TestSites /DFSPath:\\Contoso.com\Namespace2 /Recurse /Full

Checking namespace server configuration - DFSDIAG /TestDFSConfig

Checks the configuration of a Distributed File System (DFS) namespace by performing the following actions:
Verifies that the DFS Namespace service is running and that its Startup Type is set to Automatic on all namespace servers.
Verifies that the DFS registry configuration is consistent among namespace servers.
Validates the following dependencies on clustered namespace servers that are running Windows Server 2008 or later:
Namespace root resource dependency on network name resource.
Network name resource dependency on IP address resource.
Namespace root resource dependency on physical disk resource.
Usage:
DFSDiag /TestDFSConfig /DFSRoot:<namespace>
Parameters:
/DFSRoot:<namespace>: The namespace (DFS root) to diagnose.
Example:
DFSDiag /TestDFSConfig /DFSRoot:\\Contoso.com\MyNamespace

Checking individual namespace configuration and integrity - DFSDIAG /TestDFSIntegrity

Checks the integrity of the Distributed File System (DFS) namespace by performing the following tests:
Checks for DFS metadata corruption or inconsistencies between domain controllers.
Validates the configuration of access-based enumeration to ensure that it is consistent between DFS metadata and the namespace server share.
Detects overlapping DFS folders (links), duplicate folders, and folders with overlapping folder targets.
Usage:
DFSDiag /TestDFSIntegrity /DFSRoot:<DFS root path> [/Recurse] [/Full]
Parameters:
/DFSRoot:<DFS root path>: The DFS namespace to diagnose.
/Recurse: Performs the testing including the namespace interlinks.
/Full: Verifies the consistency of share and NTFS ACLs and client side configuration on all folder targets. It also verifies that the Online property is set.
Example:
DFSDiag /TestDFSIntegrity /DFSRoot:\\Contoso.com\MyNamespace /Recurse /Full

Checking referral responses - DFSDIAG /TestReferral

Checks Distributed File System (DFS) referrals by performing the following tests:
When you use the DFSPath parameter without arguments, this command validates that the referral list includes all trusted domains.
When you specify a domain, the command performs a health check of domain controllers (Dfsdiag /testdcs) and tests the site associations and domain cache of the local host.
When you specify a domain and \SYSVOL or \NETLOGON, in addition to performing the same health checks as when you specify a domain, the command checks that the Time To Live (TTL) of SYSVOL or NETLOGON referrals match the default value of 900 seconds.
When you specify a namespace root, in addition to performing the same health checks as when you specify a domain, the command performs a DFS configuration check (Dfsdiag /TestDFSConfig) and a namespace integrity check (Dfsdiag /TestDFSIntegrity).
When you specify a DFS folder (link), in addition to performing the same health checks as when you specify a namespace root, the command validates the site configuration for folder targets (Dfsdiag /testsites) and validates the site association of the local host.
Usage:
DFSDiag /TestReferral /DFSPath:<DFS path for getting referrals> [/Full]
Parameters:
/DFSPath:<Path for getting referrals>: This DFS path can be one of the following:
(blank): Tests trusted domains.
\\Domain: Domain controller referrals.
\\Domain\SYSVOL: SYSVOL referrals.
\\Domain\NETLOGON: NETLOGON referrals.
\\<Domain or server>\<Namespace Root>:Namespace root referrals.
\\<Domain or server>\<Namespace Root>\<DFS folder>: DFS folder (link) referrals.
/Full: Applied only to Domain and Root referrals. Verifies the consistency of site association information between the registry and Active Directory Domain Services (AD DS).
Examples:
DFSDiag /TestReferral /DFSPath:\\Contoso.com\MyNamespace
DFSDiag /TestReferral /DFSPath:

Conclusion

I hope this blog post has helped you understand how to use the DFSDIAG.EXE tool to check your DFS-N configuration.

↧

Changes in Roles, Role Services and Features from Windows Server 2008 to Windows Server 2008 R2

July 18, 2009, 10:55 pm

≫ Next: Three ways to design your DFS Namespaces

≪ Previous: Five ways to check your DFS-Namespaces (DFS-N) configuration with the DFSDIAG.EXE tool

Introduction

This blog post covers the changes in the list of Roles, Role Services and Features from Windows Server 2008 (with Service Pack 2) to Windows Server 2008 R2 (used the latest RC build available to me). To create the tables and lists below, I installed both operating systems, used the "ServerManagerCmd -query" command and did some editing of the resulting text to provide a side-by-side comparison. Please note that I based the "New", "Renamed" or "Removed" marks based on the output of the commands, nothing else. The ">" in the beginning of the items' names indicates the indentation level.

Obviously, there's much more to Roles, Role Services and Features than their names. Many of the items that exist in both versions were deeply improved in Windows Server 2008 R2, but you will not find that type of change here. If you look at Hyper-V, for instance, the changes are truly impressive, but the lists below do not capture that. For those details, you should look at http://www.microsoft.com/windowsserver2008/en/us/R2.aspx and the Reviewers Guide at http://download.microsoft.com/download/F/2/1/F2146213-4AC0-4C50-B69A-12428FF0B077/Windows_Server_2008_R2_Reviewers_Guide_(RC).doc

Table Comparing Roles and Role Services

Table Comparing Features

Windows Server 2008 Features	Changes	Windows Server 2008 R2 Features
.NET Framework 3.0 Features [NET-Framework]		.NET Framework 3.5.1 Features [NET-Framework]
>.NET Framework 3.0 [NET-Framework-Core]		>.NET Framework 3.5.1 [NET-Framework-Core]
>XPS Viewer [NET-XPS-Viewer]	Renamed	XPS Viewer [XPS-Viewer]
>WCF Activation [NET-Win-CFAC]		>WCF Activation [NET-Win-CFAC]
>>HTTP Activation [NET-HTTP-Activation]		>>HTTP Activation [NET-HTTP-Activation]
>>Non-HTTP Activation [NET-Non-HTTP-Activ]		>>Non-HTTP Activation [NET-Non-HTTP-Activ]
BITS Server Extensions [BITS]		Background Intelligent Transfer Service (BITS) [BITS]
	New	>Compact Server [BITS-Compact-Server]
	New	>IIS Server Extension [BITS-IIS-Ext]
BitLocker Drive Encryption [BitLocker]		BitLocker Drive Encryption [BitLocker]
	New	BranchCache [BranchCache]
Connection Manager Administration Kit [CMAK]		Connection Manager Administration Kit [CMAK]
Desktop Experience [Desktop-Experience]		Desktop Experience [Desktop-Experience]
	New	DirectAccess Management Console [DAMC]
Failover Clustering [Failover-Clustering]		Failover Clustering [Failover-Clustering]
Group Policy Management [GPMC]		Group Policy Management [GPMC]
	New	Ink and Handwriting Services [Ink-Handwriting]
	New	>Ink Support [IH-Ink-Support]
	New	>Handwriting Recognition [IH-Handwriting]
Internet Printing Client [Internet-Print-Client]		Internet Printing Client [Internet-Print-Client]
Internet Storage Name Server [ISNS]		Internet Storage Name Server [ISNS]
LPR Port Monitor [LPR-Port-Monitor]		LPR Port Monitor [LPR-Port-Monitor]
Message Queuing [MSMQ]		Message Queuing [MSMQ]
>Message Queuing Services [MSMQ-Services]		>Message Queuing Services [MSMQ-Services]
>>Message Queuing Server [MSMQ-Server]		>>Message Queuing Server [MSMQ-Server]
>>Directory Service Integration [MSMQ-Directory]		>>Directory Service Integration [MSMQ-Directory]
>>Message Queuing Triggers [MSMQ-Triggers]		>>Message Queuing Triggers [MSMQ-Triggers]
>>HTTP Support [MSMQ-HTTP-Support]		>>HTTP Support [MSMQ-HTTP-Support]
>>Multicasting Support [MSMQ-Multicasting]		>>Multicasting Support [MSMQ-Multicasting]
>>Routing Service [MSMQ-Routing]		>>Routing Service [MSMQ-Routing]
>Windows 2000 Client Support [MSMQ-Win2000]	Removed
>Message Queuing DCOM Proxy [MSMQ-DCOM]		>Message Queuing DCOM Proxy [MSMQ-DCOM]
Multipath I/O [Multipath-IO]		Multipath I/O [Multipath-IO]
Network Load Balancing [NLB]		Network Load Balancing [NLB]
Peer Name Resolution Protocol [PNRP]		Peer Name Resolution Protocol [PNRP]
Quality Windows Audio Video Experience [qWave]		Quality Windows Audio Video Experience [qWave]
Remote Assistance [Remote-Assistance]		Remote Assistance [Remote-Assistance]
Remote Differential Compression [RDC]		Remote Differential Compression [RDC]
Remote Server Administration Tools [RSAT]		Remote Server Administration Tools [RSAT]
>Role Administration Tools [RSAT-Role-Tools]		>Role Administration Tools [RSAT-Role-Tools]
>>Active Directory Certificate Services Tools [RSAT-ADCS]		>>Active Directory Certificate Services Tools [RSAT-ADCS]
>>>Certification Authority Tools [RSAT-ADCS-Mgmt]		>>>Certification Authority Tools [RSAT-ADCS-Mgmt]
>>>Online Responder Tools [RSAT-Online-Responder]		>>>Online Responder Tools [RSAT-Online-Responder]
>>Active Directory Domain Services Tools [RSAT-ADDS]		>>AD DS and AD LDS Tools [RSAT-AD-Tools]
>>>Active Directory Domain Controller Tools [RSAT-ADDC]		>>>AD DS Tools [RSAT-ADDS]
	New	>>>>AD DS Snap-Ins and Command-Line Tools [RSAT-ADDS-Tools]
	New	>>>>Active Directory Administrative Center [RSAT-AD-AdminCenter]
>>>Server for NIS Tools [RSAT-SNIS]		>>>>Server for NIS Tools [RSAT-SNIS]
>>Active Directory Lightweight Directory Services Tools [RSAT-ADLDS]		>>>AD LDS Snap-Ins and Command-Line Tools [RSAT-ADLDS]
	New	>>>Active Directory module for Windows PowerShell [RSAT-AD-PowerShell]
>>Active Directory Rights Management Services Tools [RSAT-RMS]		>>Active Directory Rights Management Services Tools [RSAT-RMS]
>>DHCP Server Tools [RSAT-DHCP]		>>DHCP Server Tools [RSAT-DHCP]
>>DNS Server Tools [RSAT-DNS-Server]		>>DNS Server Tools [RSAT-DNS-Server]
>>Fax Server Tools [RSAT-Fax]		>>Fax Server Tools [RSAT-Fax]
>>File Services Tools [RSAT-File-Services]		>>File Services Tools [RSAT-File-Services]
>>>Distributed File System Tools [RSAT-DFS-Mgmt-Con]		>>>Distributed File System Tools [RSAT-DFS-Mgmt-Con]
>>>File Server Resource Manager Tools [RSAT-FSRM-Mgmt]		>>>File Server Resource Manager Tools [RSAT-FSRM-Mgmt]
>>>Services for Network File System Tools [RSAT-NFS-Admin]		>>>Services for Network File System Tools [RSAT-NFS-Admin]
>>Hyper-V Tools [RSAT-Hyper-V]		>>Hyper-V Tools [RSAT-Hyper-V]
>>Network Policy and Access Services Tools [RSAT-NPAS]		>>Network Policy and Access Services Tools [RSAT-NPAS]
>>Print Services Tools [RSAT-Print-Services]		>>Print and Document Services Tools [RSAT-Print-Services]
>>Terminal Services Tools [RSAT-TS]	Renamed	>>Remote Desktop Services Tools [RSAT-RDS]
>>>Terminal Server Tools [RSAT-TS-RemoteApp]	Renamed	>>>Remote Desktop Session Host Tools [RSAT-RDS-RemoteApp]
>>>TS Gateway Tools [RSAT-TS-Gateway]	Renamed	>>>Remote Desktop Gateway Tools [RSAT-RDS-Gateway]
>>>TS Licensing Tools [RSAT-TS-Licensing]	Renamed	>>>Remote Desktop Licensing Tools [RSAT-RDS-Licensing]
	New	>>>Remote Desktop Connection Broker Tools [RSAT-RDS-Conn-Broker]
>>UDDI Services Tools [RSAT-UDDI]	Removed
>>Web Server (IIS) Tools [RSAT-Web-Server]		>>Web Server (IIS) Tools [RSAT-Web-Server]
>>Windows Deployment Services Tools [RSAT-WDS]		>>Windows Deployment Services Tools [RSAT-WDS]
>Feature Administration Tools [RSAT-Feature-Tools]		>Feature Administration Tools [RSAT-Feature-Tools]
>>BitLocker Drive Encryption Tools [RSAT-BitLocker]		>>BitLocker Drive Encryption Administration Utilities [RSAT-BitLocker]
	New	>>>BitLocker Drive Encryption Tools [RSAT-Bitlocker-DriveEnc]
	New	>>>BitLocker Recovery Password Viewer [RSAT-Bitlocker-RecPwd]
>>BITS Server Extensions Tools [RSAT-Bits-Server]		>>BITS Server Extensions Tools [RSAT-Bits-Server]
>>Failover Clustering Tools [RSAT-Clustering]		>>Failover Clustering Tools [RSAT-Clustering]
>>Network Load Balancing Tools [RSAT-NLB]		>>Network Load Balancing Tools [RSAT-NLB]
>>SMTP Server Tools [RSAT-SMTP]		>>SMTP Server Tools [RSAT-SMTP]
>>WINS Server Tools [RSAT-WINS]		>>WINS Server Tools [RSAT-WINS]
Removable Storage Manager [Removable-Storage]	Removed
RPC over HTTP Proxy [RPC-over-HTTP-Proxy]		RPC over HTTP Proxy [RPC-over-HTTP-Proxy]
Simple TCP/IP Services [Simple-TCPIP]		Simple TCP/IP Services [Simple-TCPIP]
SMTP Server [SMTP-Server]		SMTP Server [SMTP-Server]
SNMP Services [SNMP-Services]		SNMP Services [SNMP-Services]
>SNMP Service [SNMP-Service]		>SNMP Service [SNMP-Service]
>SNMP WMI Provider [SNMP-WMI-Provider]		>SNMP WMI Provider [SNMP-WMI-Provider]
Storage Manager for SANs [Storage-Mgr-SANS]		Storage Manager for SANs [Storage-Mgr-SANS]
Subsystem for UNIX-based Applications [Subsystem-UNIX-Apps]		Subsystem for UNIX-based Applications [Subsystem-UNIX-Apps]
Telnet Client [Telnet-Client]		Telnet Client [Telnet-Client]
Telnet Server [Telnet-Server]		Telnet Server [Telnet-Server]
TFTP Client [TFTP-Client]		TFTP Client [TFTP-Client]
	New	Windows Biometric Framework [Biometric-Framework]
Windows Internal Database [Windows-Internal-DB]		Windows Internal Database [Windows-Internal-DB]
Windows PowerShell [PowerShell]	Integrated
	New	Windows PowerShell Integrated Scripting Environment (ISE) [PowerShell-ISE]
Windows Process Activation Service [WAS]		Windows Process Activation Service [WAS]
>Process Model [WAS-Process-Model]		>Process Model [WAS-Process-Model]
>.NET Environment [WAS-NET-Environment]		>.NET Environment [WAS-NET-Environment]
>Configuration APIs [WAS-Config-APIs]		>Configuration APIs [WAS-Config-APIs]
Windows Server Backup Features [Backup-Features]		Windows Server Backup Features [Backup-Features]
>Windows Server Backup [Backup]		>Windows Server Backup [Backup]
>Command-line Tools [Backup-Tools]		>Command-line Tools [Backup-Tools]
	New	Windows Server Migration Tools [Migration]
Windows System Resource Manager [WSRM]		Windows System Resource Manager [WSRM]
	New	Windows TIFF IFilter [TIFF-IFilter]
	New	WinRM IIS Extension [WinRM-IIS-Ext]
WINS Server [WINS-Server]		WINS Server [WINS-Server]
Wireless LAN Service [Wireless-Networking]		Wireless LAN Service [Wireless-Networking]

Lists Comparing Roles and Role Services

New Roles, Role Services

>Certificate Enrollment Web Service [ADCS-Enroll-Web-Svc]
>Certificate Enrollment Policy Web Service [ADCS-Enroll-Web-Pol]
>BranchCache for network files [FS-BranchCache]
>Distributed Scan Server [Print-Scan-Server]
>Remote Desktop Virtualization Host [RDS-Virtualization]
>>>WebDAV Publishing [Web-DAV-Publishing]
>IIS Hostable Web Core [Web-WHC]

Renamed Roles and Role Services

Remote Desktop Services [Remote-Desktop-Services] (Jose: RDS used to be called Terminal Services)
>Remote Desktop Session Host [RDS-RD-Server]
>Remote Desktop Licensing [RDS-Licensing]
>Remote Desktop Connection Broker [RDS-Connection-Broker]
>Remote Desktop Gateway [RDS-Gateway]
>Remote Desktop Web Access [RDS-Web-Access]

Removed Roles and Role Services

>>File Replication Service [FS-Replication] (Jose: Use DFS-Replication instead. FRS can only be used for specific SYSVOL replication scenarios, see details at http://technet.microsoft.com/en-us/library/cc754297.aspx)
UDDI Services
>UDDI Services Database
>UDDI Services Web Application

Lists Comparing Features

New Features

>Compact Server [BITS-Compact-Server]
>IIS Server Extension [BITS-IIS-Ext]
BranchCache [BranchCache]
DirectAccess Management Console [DAMC]
Ink and Handwriting Services [Ink-Handwriting]
>Ink Support [IH-Ink-Support]
>Handwriting Recognition [IH-Handwriting]
>>>>AD DS Snap-Ins and Command-Line Tools [RSAT-ADDS-Tools]
>>>>Active Directory Administrative Center [RSAT-AD-AdminCenter]
>>>Active Directory module for Windows PowerShell [RSAT-AD-PowerShell]
>>>Remote Desktop Connection Broker Tools [RSAT-RDS-Conn-Broker]
>>>BitLocker Drive Encryption Tools [RSAT-Bitlocker-DriveEnc]
>>>BitLocker Recovery Password Viewer [RSAT-Bitlocker-RecPwd]
Windows Biometric Framework [Biometric-Framework]
Windows PowerShell Integrated Scripting Environment (ISE) [PowerShell-ISE] (Jose: PowerShell itself is now integrated, this new feature is just the ISE)
Windows Server Migration Tools [Migration]
Windows TIFF IFilter [TIFF-IFilter]
WinRM IIS Extension [WinRM-IIS-Ext]

Renamed Features

XPS Viewer [XPS-Viewer] (Jose: Used to be under the .NET group, now is a separate feature)
>>Remote Desktop Services Tools [RSAT-RDS] (Jose: RDS used to be called Terminal Services)
>>>Remote Desktop Session Host Tools [RSAT-RDS-RemoteApp]
>>>Remote Desktop Gateway Tools [RSAT-RDS-Gateway]
>>>Remote Desktop Licensing Tools [RSAT-RDS-Licensing]

Removed Features

>Windows 2000 Client Support [MSMQ-Win2000]
>>UDDI Services Tools [RSAT-UDDI]
Removable Storage Manager [Removable-Storage]

Conclusion

I hope this blog post has helped you better understand the changes in the list of Roles, Role Services and Features between Windows Server 2008 and Windows Server 2008 R2. I encourage your to visit http://www.microsoft.com/windowsserver2008/en/us/R2.aspx to see more details on the changes in Windows Server 2008 R2, which go way beyond the names of the Roles, Role Services and Features.

Starting with Windows Server 2008 R2, the ServerManagerCmd command is deprecated. It still works, but you should use the new PowerShell cmdlets for feature management (Add-WindowsFeature, Remove-WindowsFeature and Get-WindowsFeature). You will need to use "Import-Module ServerManager" before using the Server Manager PowerShell cmdlets. Details at http://technet.microsoft.com/en-us/library/cc732757.aspx

↧

Three ways to design your DFS Namespaces

August 21, 2009, 7:00 pm

≫ Next: Windows Server DFS-Namespaces Performance and Scalability

≪ Previous: Changes in Roles, Role Services and Features from Windows Server 2008 to Windows Server 2008 R2

Introduction

In this blog post, we’ll showcase the flexibility you have with DFS-N by showing three distinct ways that you could design a namespace.
Note: If you’re not familiar with DFS-N, please read this blog post first:
http://blogs.technet.com/josebda/archive/2009/03/10/the-basics-of-the-windows-server-2008-distributed-file-system-dfs.aspx

Scenario

The scenario here is simple: you have three file servers in different locations: S1 is in New York, S2 is in Amsterdam and S3 is in Hong Kong. Each server has a unique set of data (Proposals, Marketing information and Engineering documents for each geography) and you want to expose this under a single namespace. Here’s the structure on each file server:
Server S1 in New York:
F:\AMER\PROPOSAL – Proposals for the AMER (Americas) region
F:\AMER\MARKETING – Marketing information for the AMER region
F:\AMER\ENGINEERING – Engineering documents for the AMER region
Server S2 in Amsterdam:
F:\EMEA\PROPOSAL – Proposals for the EMEA (Europe, Middle East and Africa) region
F:\EMEA\MARKETING – Marketing information for the EMEA region
F:\EMEA\ENGINEERING – Engineering documents for the EMEA region
Server S3 in Hong Kong:
F:\APAC\PROPOSAL – Proposals for the APAC (Asia and Pacific) region
F:\APAC\MARKETING – Marketing information for the APAC region
F:\APAC\ENGINEERING – Engineering documents for the APAC region
Please note that this specific scenario does not include replication. Each server each has completely an independent set of files. For instance, a proposal for an EMEA customer would exist only in the F:\EMEA\PROPOSALS folder in S2 and it would not exist in servers S1 or S3. Replication across these servers could be accomplished using DFS-R, but I am purposely avoiding it in this example to focus specifically on DFS-N design.

Creating the folders and shares

First of all, I am providing the scripts to create the folder structure and the shares. These are 3 distinct scripts and each one needs to be run on a specific server (S1, S2 or S3). We could actually do this all remotely, but I’m keeping it simple.
CREATE-S1.CMD
REM ## RUN THIS SCRIPT in S1, the file server in New York
MD F:\AMER\PROPOSALS
MD F:\AMER\MARKETING
MD F:\AMER\ENGINEERING
NET SHARE AMER=F:\AMER
CREATE-S2.CMD
REM ## RUN THIS SCRIPT in S2, the file server in Amsterdam
MD F:\EMEA\PROPOSALS
MD F:\EMEA\MARKETING
MD F:\EMEA\ENGINEERING
NET SHARE EMEA=F:\EMEA
CREATE-S3.CMD
REM ## RUN THIS SCRIPT in S3, the file server in Hong Kong
MD F:\APAC\PROPOSALS
MD F:\APAC\MARKETING
MD F:\APAC\ENGINEERING
NET SHARE APAC=F:\APAC
Please note that the shares will end up with read-only permissions using the commands above. In your real-world deployment you will need to properly plan your NTFS and file share permissions and implement them properly with CACLS or ICACLS.EXE (for NTFS) and the /GRANT option in NET SHARE (for the file shares). The focus of this post is not on permissions but on the structure of the shares, folders and namespaces.

Namespace option 1 – Simple mapping of shares

The first option I will cover is a simple mapping at the root share on each server. This is simpler because it requires a namespace with only three folders (or links). Assuming we use a fourth server (S4) as the namespace server (or target) and NS1 as the name of the namespace (or root), users would basically use \\S4\NS1 as the UNC path to the entire set of data from all three file servers.
Note 1: You could host the namespace in one of the file servers, see details at http://blogs.technet.com/josebda/archive/2009/06/26/how-many-dfs-n-namespaces-servers-do-you-need.aspx
Note 2: We’re using a standalone namespace here, but you could just as easily use a domain namespace instead.
Note 3: We’re not adding any fault tolerance for the namespace or the file servers in these scenarios. This could be accomplished with Failover Clustering for standalone namespaces or with multiple targets for a domain namespace.
Here’s a script to create the namespace, which should be run on S4:
CREATE-NS1.CMD
REM ## scenario 1 - Simple mapping of shares
REM ## RUN THIS SCRIPT in S4, the namespace server
MD F:\NS1
NET SHARE NS1=F:\NS1
DFSUTIL ROOT ADDSTD \\S4\NS1
DFSUTIL LINK ADD \\S4\NS1\AMER \\S1\AMER
DFSUTIL LINK ADD \\S4\NS1\EMEA \\S2\EMEA
DFSUTIL LINK ADD \\S4\NS1\APAC \\S3\APAC
DIR \\S4\NS1 /S /B
DFSUTIL ROOT EXPORT \\S4\NS1 F:\NS1EXPORT.XML VERBOSE
From an end-user perspective, the folder structure under \\S4\NS1 would look like this:
At the end of this script, an XML export of the namespace is created. Here’s what it looks like:
NS1EXPORT.XML
<?xml version="1.0"?>
<Root xmlns = "http://schemas.microsoft.com/dfs/2007/03/dfsutil" majorVersion = "2" minorVersion = "0" 
    Name="\\S4\NS1" State="OK" Timeout="300" >
    <Target State="ONLINE" >\\S4\NS1</Target>
    <Link Name="AMER" State="OK" Timeout="300" >
        <Target State="ONLINE" >\\S1\AMER</Target>
    </Link>
    <Link Name="EMEA" State="OK" Timeout="300" >
        <Target State="ONLINE" >\\S2\EMEA</Target>
    </Link>
    <Link Name="APAC" State="OK" Timeout="300" >
        <Target State="ONLINE" >\\S3\APAC</Target>
    </Link>
</Root>

Namespace option 2 – Flattening out the tree in the namespace

This second options shows the flexibility of DFS-N by creating a flat list of folders from the three servers and their folder structures. Users might find convenient to see a long list of folders without any nesting of folders. This shows how you can point your folder targets (or link targets) to a folder inside the share, not only the root of the file share. Again we’ll use that fourth server (S4) as the namespace server (or target), but now with NS2 as the name of the namespace (or root). Users would use \\S4\NS2 as the UNC path to the entire set of data from all three file servers.

Here’s a script to create the namespace, which should be run on S4:

CREATE-NS2.CMD

REM ## scenario 2 - Flattening out the tree in the namespace
REM ## RUN THIS SCRIPT in S4, the namespace server
MD F:\NS2
NET SHARE NS2=F:\NS2
DFSUTIL ROOT ADDSTD \\S4\NS2
DFSUTIL LINK ADD \\S4\NS2\AMERPROP \\S1\AMER\PROPOSALS
DFSUTIL LINK ADD \\S4\NS2\AMERMARK \\S1\AMER\MARKETING
DFSUTIL LINK ADD \\S4\NS2\AMERENGI \\S1\AMER\ENGINEERING
DFSUTIL LINK ADD \\S4\NS2\EMEAPROP \\S2\EMEA\PROPOSALS
DFSUTIL LINK ADD \\S4\NS2\EMEAMARK \\S2\EMEA\MARKETING
DFSUTIL LINK ADD \\S4\NS2\EMEAENGI \\S2\EMEA\ENGINEERING
DFSUTIL LINK ADD \\S4\NS2\APACPROP \\S3\APAC\PROPOSALS
DFSUTIL LINK ADD \\S4\NS2\APACMARK \\S3\APAC\MARKETING
DFSUTIL LINK ADD \\S4\NS2\APACENGI \\S3\APAC\ENGINEERING
DIR \\S4\NS2 /S /B
DFSUTIL ROOT EXPORT \\S4\NS2 F:\NS2EXPORT.XML VERBOSE

From an end-user perspective, the folder structure under \\S4\NS2 would be flat, like this:

At the end of this script, an XML export of the namespace is created. Here’s what it looks like:

NS2EXPORT.XML

<?xml version="1.0"?>
<Root xmlns = "http://schemas.microsoft.com/dfs/2007/03/dfsutil" majorVersion = "2" minorVersion = "0" 
    Name="\\S4\NS2" State="OK" Timeout="300" >
    <Target State="ONLINE" >\\S4\NS2</Target>
    <Link Name="EMEAMARK" State="OK" Timeout="300" >
        <Target State="ONLINE" >\\S2\EMEA\MARKETING</Target>
    </Link>
    <Link Name="APACENGI" State="OK" Timeout="300" >
        <Target State="ONLINE" >\\S3\APAC\ENGINEERING</Target>
    </Link>
    <Link Name="APACMARK" State="OK" Timeout="300" >
        <Target State="ONLINE" >\\S3\APAC\MARKETING</Target>
    </Link>
    <Link Name="AMERMARK" State="OK" Timeout="300" >
        <Target State="ONLINE" >\\S1\AMER\MARKETING</Target>
    </Link>
    <Link Name="AMERENGI" State="OK" Timeout="300" >
       <Target State="ONLINE" >\\S1\AMER\ENGINEERING</Target>
    </Link>
    <Link Name="AMERPROP" State="OK" Timeout="300" >
        <Target State="ONLINE" >\\S1\AMER\PROPOSALS</Target>
    </Link>
    <Link Name="APACPROP" State="OK" Timeout="300" >
        <Target State="ONLINE" >\\S3\APAC\PROPOSALS</Target>
    </Link>
    <Link Name="EMEAPROP" State="OK" Timeout="300" >
        <Target State="ONLINE" >\\S2\EMEA\PROPOSALS</Target>
    </Link>
    <Link Name="EMEAENGI" State="OK" Timeout="300" >
        <Target State="ONLINE" >\\S2\EMEA\ENGINEERING</Target>
    </Link>
</Root>

Namespace option 3 - Namespace reversing the original tree structure on each file server

Last but not least, the most interesting exhibit of the flexibility of DFS-N. In this case we’ll create a namespace showing the collection of folders group by type instead of geography. DFS-N makes it easy, since we can basically restructure the shares as we create the namespace. This shows how you can also use a tree structure on the DFS folder (or link) side of the equation, which can do a lot when you combine with what we did in option 2 above. Again we’ll use that fourth server (S4) as the namespace server (or target), but now with NS3 as the name of the namespace (or root). Users would use \\S4\NS3 as the UNC path to the entire set of data from all three file servers.

Here’s a script to create the namespace, which should be run on S4:

CREATE-NS3.CMD

REM ## scenario 3 –  Namespace reversing the original tree structure on each file server
REM ## RUN THIS SCRIPT in S4, the namespace server
MD F:\NS3
NET SHARE NS3=F:\NS3
DFSUTIL ROOT ADDSTD \\S4\NS3
DFSUTIL LINK ADD \\S4\NS3\PROPOSALS\AMER \\S1\AMER\PROPOSALS
DFSUTIL LINK ADD \\S4\NS3\MARKETING\AMER \\S1\AMER\MARKETING
DFSUTIL LINK ADD \\S4\NS3\ENGINEERING\AMER \\S1\AMER\ENGINEERING
DFSUTIL LINK ADD \\S4\NS3\PROPOSALS\EMEA \\S2\EMEA\PROPOSALS
DFSUTIL LINK ADD \\S4\NS3\MARKETING\EMEA \\S2\EMEA\MARKETING
DFSUTIL LINK ADD \\S4\NS3\ENGINEERING\EMEA \\S2\EMEA\ENGINEERING
DFSUTIL LINK ADD \\S4\NS3\PROPOSALS\APAC \\S3\APAC\PROPOSALS
DFSUTIL LINK ADD \\S4\NS3\MARKETING\APAC \\S3\APAC\MARKETING
DFSUTIL LINK ADD \\S4\NS3\ENGINEERING\APAC \\S3\APAC\ENGINEERING
DIR \\S4\NS3 /S /B
DFSUTIL ROOT EXPORT \\S4\NS3 F:\NS3EXPORT.XML VERBOSE

From an end-user perspective, the folder structure under \\S4\NS3 is shown below. It examplifies how DFS-N can completely mask the physical infrastructure behind the namespace:

Note that \\S4\NS3\ENGINEERING, \\S4\NS3\MARKETING and \\S4\NS3\PROPOSALS don’t actually exist as DFS folders (or links) at all. They are basically abstract constructs shown only in the UI, which don’t map to any specific target. You can confirm this when you look at the export of the namespace:

NS3EXPORT.XML

<?xml version="1.0"?>
<Root xmlns = "http://schemas.microsoft.com/dfs/2007/03/dfsutil" majorVersion = "2" minorVersion = "0" 
    Name="\\S4\NS3" State="OK" Timeout="300" >
    <Target State="ONLINE" >\\S4\NS3</Target>
    <Link Name="MARKETING\APAC" State="OK" Timeout="300" >
        <Target State="ONLINE" >\\S3\APAC\MARKETING</Target>
    </Link>
    <Link Name="MARKETING\AMER" State="OK" Timeout="300" >
        <Target State="ONLINE" >\\S1\AMER\MARKETING</Target>
    </Link>
    <Link Name="ENGINEERING\EMEA" State="OK" Timeout="300" >
        <Target State="ONLINE" >\\S2\EMEA\ENGINEERING</Target>
    </Link>
    <Link Name="MARKETING\EMEA" State="OK" Timeout="300" >
        <Target State="ONLINE" >\\S2\EMEA\MARKETING</Target>
    </Link>
    <Link Name="ENGINEERING\AMER" State="OK" Timeout="300" >
        <Target State="ONLINE" >\\S1\AMER\ENGINEERING</Target>
    </Link>
    <Link Name="PROPOSALS\AMER" State="OK" Timeout="300" >
        <Target State="ONLINE" >\\S1\AMER\PROPOSALS</Target>
    </Link>
    <Link Name="PROPOSALS\APAC" State="OK" Timeout="300" >
        <Target State="ONLINE" >\\S3\APAC\PROPOSALS</Target>
    </Link>
    <Link Name="PROPOSALS\EMEA" State="OK" Timeout="300" >
        <Target State="ONLINE" >\\S2\EMEA\PROPOSALS</Target>
    </Link>
    <Link Name="ENGINEERING\APAC" State="OK" Timeout="300" >
        <Target State="ONLINE" >\\S3\APAC\ENGINEERING</Target>
    </Link>
</Root>

Conclusion

I hope this helped you understand how DFS-N folder (or links) and folder targets (link targets) work. Please note that we could create this all using the DFS Management graphical user interface (or MMC). We did this in the command line because it’s easier to document that way. Here’s a view from the MMC of all the three namespaces we created:
Please note that you do not want to create all three namespaces simultaneously. I did this just for showing it here. You would choose the option that best fits your purpose. The goal here is to simplify things for the users, not to confuse them :-)
I also did not cover replication here at all. In fact, this example uses only DFS-N and can even be run without the DFS-R role service installed. We could certainly design a namespace that takes replication into account, but that’s a topic for another blog post…

Links

For more information about DFS-Namespaces, see also the following links from TechNet:
DFS Management: http://technet.microsoft.com/en-us/library/cc730736.aspx.
Checklist: Deploy DFS Namespaces: http://technet.microsoft.com/en-us/library/cc725830.aspx
Choose a Namespace Type: http://technet.microsoft.com/en-us/library/cc770287.aspx

↧

Windows Server DFS-Namespaces Performance and Scalability

August 22, 2009, 2:45 pm

≫ Next: File Server Capacity Tool (FSCT) 1.0 available for download

≪ Previous: Three ways to design your DFS Namespaces

The DFS-N test team has completed some extensive Performance and Scalability testing and we wanted to share some of the results.

It includes results on standalone namespaces, "2000 mode" domain namespaces and "2008 mode" domain namespaces, under Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2.

Check the post by Marcello Hasegawa at http://blogs.technet.com/filecab/archive/2009/08/22/windows-server-dfs-namespaces-performance-and-scalability.aspx.

↧

File Server Capacity Tool (FSCT) 1.0 available for download

September 16, 2009, 1:57 pm

≫ Next: Windows Server DFS Namespaces (DFS-N) Reference

≪ Previous: Windows Server DFS-Namespaces Performance and Scalability

Version 1.0 of the File Server Capacity Tool (FSCT) was announced yesterday during a presentation by Jian Yan and Bartosz Nyczkowski at SNIA’s Storage Developer Conference in Santa Clara, CA. The presentation covered a number of details about FSCT and included a demo running FSCT with the HomeFolders workload.

If you are not familiar with FSCT, the download page offers this overview: “File server capacity planning and performance troubleshooting are critical aspects of high-level network administration. Central file servers and distributed client workstations are now the norm in most corporate networks. This structure reduces storage capacity requirements, centralizes backup, increases the availability of files, and simplifies the document revision and review process. However, because data storage and access are centralized, performance limitations impact the entire network population. Accurately projecting the number of users that hardware can support under a specific workload, and understanding when and where bottlenecks occur, are critical to making efficient improvements to the server configuration. File server capacity planning tools can be valuable in choosing new hardware for purchase, identifying the capacity of existing hardware, locating existing bottlenecks, and planning for resource expansion in advance of resource exhaustion. The throughput capacity of a file server can be expressed either as the maximum number of operations per second or a maximum number of users supported by the configuration. These values are influenced by several factors, some of which include processor speed, available memory, disk speed, network throughput and latency, and the speed with which SMB requests are processed.”

The final version is available for download in both 32-bit (x86) and 64-bit (x64) versions. It is supported on Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Vista and Windows 7 (with the latest service pack applied).

Downloads are available now:
x64: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=b20db7f1-15fd-40ae-9f3a-514968c65643
x86: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=0b212272-1884-4af1-972d-42ef1db9f977

A white paper is also included in the download packages, with detailed description of the tool, step-by-step instructions on how to use it and reference of the command line interface.

For questions about FSCT and how to use it, please use the forum at
http://social.technet.microsoft.com/Forums/en-US/fsct/threads

Also check some details on FSCT on these previous posts (from the release of the beta last year and the release candidate back in July):
http://blogs.technet.com/josebda/archive/2009/07/08/file-server-capacity-tool-fsct-release-candidate-available-for-download.aspx
http://blogs.technet.com/josebda/archive/2008/10/06/fsct-a-cifs-smb-smb2-file-server-tool-for-capacity-planning-and-performance-troubleshooting.aspx

This is a major milestone in the two-year journey to offer this tool publicly, which included efforts from a number of people from different teams at Microsoft, including the File Server Team and the Windows Performance Team.

↧

Windows Server DFS Namespaces (DFS-N) Reference

December 30, 2009, 10:13 am

≫ Next: Multiple names for one computer - Consolidate your SMB file servers without breaking UNC paths

≪ Previous: File Server Capacity Tool (FSCT) 1.0 available for download

I get a number of questions regarding reference information for DFS Namespaces (also known as DFS-N). I gathered here the main links that can get you started on the subject:

Here are my own blog posts on DFS Namespaces (all updated for Windows Server 2008 R2 and including domain V2 namespaces):

Next, here are a couple of public DFS Namespaces Presentations by Microsoft:

Also, here are the main TechNet Reference links on DFS Namespaces for Windows Server 2008 and Windows Server 2008 R2 (includes domain V2 namespaces):

Namespaces

Deploying DFS Namespaces

Tuning DFS Namespaces

Last, here are some TechNet Reference on DFS Namespaces for Windows Server 2003 (does not include domain V2 namespaces):

Planning

High Availability

Reference

I hope those help you with your DFS Namespaces projects.

↧

Windows Server 2008 Roles and Role Services	Changes	Windows Server 2008 R2 Roles and Role Services
Active Directory Certificate Services [AD-Certificate]		Active Directory Certificate Services [AD-Certificate]
>Certification Authority [ADCS-Cert-Authority]		>Certification Authority [ADCS-Cert-Authority]
>Certification Authority Web Enrollment [ADCS-Web-Enrollment]		>Certification Authority Web Enrollment [ADCS-Web-Enrollment]
>Online Responder [ADCS-Online-Cert]		>Online Responder [ADCS-Online-Cert]
>Network Device Enrollment Service [ADCS-Device-Enrollment]		>Network Device Enrollment Service [ADCS-Device-Enrollment]
	New	>Certificate Enrollment Web Service [ADCS-Enroll-Web-Svc]
	New	>Certificate Enrollment Policy Web Service [ADCS-Enroll-Web-Pol]
Active Directory Domain Services		Active Directory Domain Services [AD-Domain-Services]
>Active Directory Domain Controller [ADDS-Domain-Controller]		>Active Directory Domain Controller [ADDS-Domain-Controller]
>Identity Management for UNIX [ADDS-Identity-Mgmt]		>Identity Management for UNIX [ADDS-Identity-Mgmt]
>>Server for Network Information Services [ADDS-NIS]		>>Server for Network Information Services [ADDS-NIS]
>>Password Synchronization [ADDS-Password-Sync]		>>Password Synchronization [ADDS-Password-Sync]
>>Administration Tools [ADDS-IDMU-Tools]		>>Administration Tools [ADDS-IDMU-Tools]
Active Directory Federation Services		Active Directory Federation Services [AD-Federation-Services]
>Federation Service [ADFS-Federation]		>Federation Service [ADFS-Federation]
>Federation Service Proxy [ADFS-Proxy]		>Federation Service Proxy [ADFS-Proxy]
>AD FS Web Agents [ADFS-Web-Agents]		>AD FS Web Agents [ADFS-Web-Agents]
>>Claims-aware Agent [ADFS-Claims]		>>Claims-aware Agent [ADFS-Claims]
>>Windows Token-based Agent [ADFS-Windows-Token]		>>Windows Token-based Agent [ADFS-Windows-Token]
Active Directory Lightweight Directory Services [ADLDS]		Active Directory Lightweight Directory Services [ADLDS]
Active Directory Rights Management Services		Active Directory Rights Management Services [ADRMS]
>Active Directory Rights Management Server		>Active Directory Rights Management Server [ADRMS-Server]
>Identity Federation Support		>Identity Federation Support [ADRMS-Identity]
Application Server [Application-Server]		Application Server [Application-Server]
>Application Server Foundation [AS-AppServer-Foundation]		>.NET Framework 3.5.1 [AS-NET-Framework]
>Web Server (IIS) Support [AS-Web-Support]		>Web Server (IIS) Support [AS-Web-Support]
>COM>Network Access [AS-Ent-Services]		>COM>Network Access [AS-Ent-Services]
>TCP Port Sharing [AS-TCP-Port-Sharing]		>TCP Port Sharing [AS-TCP-Port-Sharing]
>Windows Process Activation Service Support [AS-WAS-Support]		>Windows Process Activation Service Support [AS-WAS-Support]
>>HTTP Activation [AS-HTTP-Activation]		>>HTTP Activation [AS-HTTP-Activation]
>>Message Queuing Activation [AS-MSMQ-Activation]		>>Message Queuing Activation [AS-MSMQ-Activation]
>>TCP Activation [AS-TCP-Activation]		>>TCP Activation [AS-TCP-Activation]
>>Named Pipes Activation [AS-Named-Pipes]		>>Named Pipes Activation [AS-Named-Pipes]
>Distributed Transactions [AS-Dist-Transaction]		>Distributed Transactions [AS-Dist-Transaction]
>>Incoming Remote Transactions [AS-Incoming-Trans]		>>Incoming Remote Transactions [AS-Incoming-Trans]
>>Outgoing Remote Transactions [AS-Outgoing-Trans]		>>Outgoing Remote Transactions [AS-Outgoing-Trans]
>>WS-Atomic Transactions [AS-WS-Atomic]		>>WS-Atomic Transactions [AS-WS-Atomic]
DHCP Server [DHCP]		DHCP Server [DHCP]
DNS Server [DNS]		DNS Server [DNS]