mviking
Posted May 31, 2004

We currently have a Native 2003 domain with a root domain called company.com where we house the majority of our server infrastructure. In addition to our root domain we have a child domain in the same forest called branch.company.com where we house our users and computers.

We created a DFS namespace in the company.com domain using a domain admin account from the company.com domain. The host server which is the "hub" for the DFS link is in the company domain and the remaining targets which serve as the "spokes" are in the branch.company.com domain. We followed the white papers for DFS for setting up the "Hub and Spoke" replication and staging. We also used dfsutil.exe to force computers to only use their own sites to stop remote offices from spanning the WAN to connect to the namespace.

Everything appeared to be working perfectly. We were testing the namespace at the corporate office (\\company\dfsroot\share) on a computer in AD Site #1, which is the AD site which houses all servers in the company.com domain. We noticed the namespace not being accessible from remote offices. The major difference between the corporate sites and the remote location is that the remote domain controllers sit in the branch.company.com domain and they have different AD sites.

If I log onto the domain controller using my branch.company.com account I will receive the following error message when attempting to connect to the DFS namespace.

Error message when attempting to connect to the DFS namespace on a W2K3 domain controller:

"Configuration information could not be read from the domain controller, either because the machine unavailable or access has been denied."

When I attempt to connect to the DFS namespace on a desktop computer in the remote office I will receive an error message stating, "Network path not found".

So I have some questions:

1. Can you create a DFS namespace with your host server being in domain A and your targets being in domain B? If the answer is yes, how is this configured? What are the permission tweaks that must occur? What types of permissions need to be available to users in the branch.company.com domain?
2. I could not find any white papers on DFS setup across multiple domains. Do these exist?
3. What are some good troubleshooting utilities to use in DFS?

Thanks,
Brett

DiscardME
Posted June 1, 2004

Mviking~

That is an interesting issue.

For questions 1 & 2:

The only DFS whitepapers I have seen are available from Microsoft or ITpapers.com. There may be more out there, but ITpapers is a good place to start (free registration req). I have not seen domain-spanning specific articles, but I also haven't seen anything that would prevent your DFS from spanning parent/child domains.

How is your DNS namespace configured? All vanilla (AD integrated, KCC defined replication, etc.)? Or do you have any custom configurations there as well? Are you able to connect to the server\share from the remote directly (circumvention of the DFS namespace)?

A great way to troubleshoot is to check sysvol for your domain/subdomain: \\company.com\sysvol, \\branch.company.com\sysvol. What user groups do you have set up on your DFS root? Domain Users, Authenticated Users, or a custom group setup? For many issues, the sysvol and the DFS are a great comparison for troubleshooting, since they operate in a very similar manner.

Permissions are generally important. I would give the root of the DFS Authenticated Users and Domain Users as a troubleshooting step, then work outwards. Establish as general permissions as you can on the DFS root. Make sure your file folder permissions are all in sync as well at every link location.

For question 3:

I would start with Ultrasound for general observation of your replication structure. I have used it extensively to solve a myriad of issues at my company on both the sysvol and DFS roots.

Then I would hit this page for a number of utils (Ultrasound link is on this page too): FRS Tools

I hope that helps. I know it is probably not as specific as you would like, but it could offer a starting point.

/\/\o\/\/
Posted June 4, 2004

@Mviking

Check your DNS configuration (configure DFS to use fully qualified domain names in referrals); see quote below (if you're not using Win9x as a client).

This mostly seems to be the problem.

gr /\/\o\/\/

Quote from http://www.microsoft.com/windowsserver2003...iew/dfsfaq.mspx

Domain and Forest Issues

Q. Can I host a domain-based DFS namespace in multiple domains?
A. No. All root targets for a given domain-based DFS root must be in the same domain.

Q. How does DFS work across domains and forests?
A. The DFS client has a list of known domains that is used to determine whether a Universal Naming Convention (UNC) path is a domain-based DFS root. If the first part of the UNC path matches a known domain name that the client has in this list, the path is assumed to be a domain-based DFS path. This list of known domains contains all domains in the client's forest and all domains trusted by the client's domain or forest. The default buffer for the list of known domains is 4 kilobytes (KB) (approximately 2,000 characters).

If the list of trusted domains is too large to fit into the 4-KB cache, the following events take place:

• Clients running Windows 98 cannot access any domain-based DFS namespaces. To notify you of this, DFS writes an entry with the ID 14537 in the system log in Event Viewer on the domain controller of the client domain that enumerates the known domains.
• Computers running Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 automatically increase their cache size to accept the list of known domains, up to a maximum of 56 KB.

If the list of known domains exceeds 56 KB, DFS puts as many domains in the cache as it can until the cache reaches 56 KB. DFS then writes an entry with the ID 14536 in the system event log in Event Viewer to notify you of this issue.

When populating the cache, DFS gives preference to local and explicitly trusted domains by filling the cache with their names first. Consequently, by creating explicit trust relationships with domains that host important DFS namespaces, you can minimize the possibility that those domain names might be dropped from the list that is returned to the client.

Important: To make sure that clients can access link targets in other trusted domains or trusted forests, you must use DNS names for all link targets and configure DFS to use fully qualified domain names in referrals. For more information, see How to Configure DFS to Use Fully Qualified Domain Names in Referrals.

Q. Can I enable FRS replication on a DFS link whose targets are in different domains?
A. Yes, if you are a member of the Enterprise Admins group, you can configure FRS replication on a DFS link whose targets are in different domains in the same forest. If you are not a member of the Enterprise Admins group, permissions must be configured as follows:

• You must have Read and Create All Child Objects permissions for the computer object of each computer that will be part of the replica set.
• You must be a member of the local Administrators group on each computer that will be part of the replica set.
• You must have Read and Create All Child Objects permissions for the File Replication Service container and all its child objects. Although the File Replication Service container can exist in every domain, you must add these permissions to the File Replication Service container that is in the domain where the domain-based root is configured.

If any of these permissions are not configured correctly, you will get an Access Denied message when you try to enable replication by using the Configure Replication Wizard in the Distributed File System snap-in.
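
Added example (not part of the thread and not Microsoft code): a simplified Python model of the known-domain cache described in the FAQ quote above, showing how a namespace domain can fall out of a full cache unless it is explicitly trusted. The 2-bytes-per-character cost, the helper names and the example.net / example.org domains are assumptions constructed for illustration.

```python
# Simplified model of the known-domain cache from the quoted DFS FAQ.
# Assumption: a name costs 2 bytes per character (the FAQ equates 4 KB with
# about 2,000 characters); real per-entry overhead is not modelled.
DEFAULT_CACHE = 4 * 1024   # default buffer
MAX_CACHE = 56 * 1024      # ceiling on NT 4.0 / 2000 / XP / 2003 clients

def cost(name):
    return 2 * len(name)

def build_known_domains(preferred, others, win98=False):
    """preferred: local and explicitly trusted domains (cached first).
    Returns (cached_names, event_id or None)."""
    ordered = list(preferred) + [d for d in others if d not in preferred]
    total = sum(cost(d) for d in ordered)
    if total <= DEFAULT_CACHE:
        return ordered, None
    if win98:
        return [], 14537          # no domain-based namespace is reachable
    if total <= MAX_CACHE:
        return ordered, None      # cache grows to hold the whole list
    cached, used = [], 0
    for d in ordered:             # keep as many names as fit in 56 KB
        if used + cost(d) <= MAX_CACHE:
            cached.append(d)
            used += cost(d)
    return cached, 14536

def is_domain_dfs_path(unc, known):
    """True when the first UNC component matches a known domain name."""
    first = unc.lstrip("\\").split("\\")[0].lower()
    return first in {k.lower() for k in known}

# Constructed sample: 2,000 trusted domains plus one namespace domain.
TRUSTS = [f"trust{i:04d}.example.net" for i in range(2000)]
NAMESPACE = "files.example.org"
PATH = r"\\files.example.org\dfsroot\share"

def demo():
    implicit, ev1 = build_known_domains(["branch.company.com"], TRUSTS + [NAMESPACE])
    explicit, ev2 = build_known_domains(["branch.company.com", NAMESPACE], TRUSTS)
    return (ev1, is_domain_dfs_path(PATH, implicit),
            ev2, is_domain_dfs_path(PATH, explicit))

if __name__ == "__main__":
    print(demo())
```

In the first call the namespace domain is listed last and is dropped when the cache fills, so the UNC path is no longer recognised as domain-based DFS; in the second call it is in the preferred group and survives.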