Five ways to check your DFS-Namespaces (DFS-N) configuration with the DFSDIAG.EXE tool

Introduction

The Distributed File System Namespaces (DFS-N) service is a role service of the File Service role for Windows Server.
For a basic description of DFS-N, start with  https://blogs.technet.com/josebda/archive/2009/03/10/the-basics-of-the-windows-server-2008-distributed-file-system-dfs.aspx

DFS-N, as the name implies, is a distributed system and it involves a number of components running on a set of computers (Active Directory domain controllers, DFS-N namespace servers, SMB file servers, DFS-N clients).
You can get an idea of the interactions by looking at  https://blogs.technet.com/josebda/archive/2009/04/15/understanding-windows-server-2008-dfs-n-by-analyzing-network-traces.aspx

Because of that, as you can imagine, diagnosing problems with DFS-N can be challenging. To assist with that, Windows Server provides an in-box tool specifically to help with that. It’s called DFSDIAG.EXE.

DFSDIAG was introduced in Windows Server 2008 and it was improved in Windows Server 2008 R2 to provide better messages and help text. DFSDIAG is not available as an in-box tool for Windows Server 2003, but the tests can run on Windows Server 2008 or Windows Server 2008 R2 while targeting namespace servers running Windows Server 2003. The tool will exercise the many components related to DFS-N, so it is recommended to experiment with it in a test lab first to assess its impact, before running it in production.

DFSDIAG can check your configuration in five different ways:

  • Checking domain controller configuration
  • Checking site associations
  • Checking namespace server configuration
  • Checking individual namespace configuration and integrity
  • Checking referral responses

We’ll examine each one of these checks individually, below.

Checking domain controller configuration - DFSDIAG /TestDCs

Checks the configuration of domain controllers by performing the following tests on each domain controller in the specified domain:

  • Verifies that the Distributed File System (DFS) Namespace service is  running and that its Startup Type is set to Automatic.
  • Checks for the support of site-costed referrals for NETLOGON and SYSVOL.
  • Verifies the consistency of the site association by hostname and IP address.

Usage:
DFSDiag /TestDCs [/Domain:<Domain name>]

Parameters:
/Domain:<Domain name>: Domain that you want to check.

Notes:
/Domain is an optional parameter. The default value is the local domain that the local host is joined to.

Example:
DFSDiag /TestDCs /Domain:Contoso.com

Checking site associations - DFSDIAG /TestSites

Checks the configuration of Active Directory Domain Services (AD DS) sites by verifying that servers that act as namespace servers or folder (link) targets have the same site associations on all domain controllers.

Usage:
DFSDiag /TestSites </Machine:<server name>| /DFSPath:<namespace root or DFS folder> [/Recurse]> [/Full]

Parameters:
/Machine:<server name>: The name of the server on which to verify the site association.
/DFSPath:<namespace root or DFS folder>: The namespace root or Distributed File System (DFS) folder (link) with targets for which to verify the site association.
/Recurse: Enumerates and verifies the site associations for all folder targets under the specified namespace root.
/Full:  Verifies that AD DS and the registry of the server contain the same site association information.

Example:
DFSDiag /TestSites /Machine:MyServer
DFSDiag /TestSites /DFSPath:\Contoso.comNamespace1Folder1 /Full
DFSDiag /TestSites /DFSPath:\Contoso.comNamespace2 /Recurse /Full

Checking namespace server configuration - DFSDIAG /TestDFSConfig

Checks the configuration of a Distributed File System (DFS) namespace by performing the following actions:

  • Verifies that the DFS Namespace service is running and that its Startup Type is set to Automatic on all namespace servers.
  • Verifies that the DFS registry configuration is consistent among namespace servers.
  • Validates the following dependencies on clustered namespace servers that are running Windows Server 2008 or later:
    • Namespace root resource dependency on network name resource.
    • Network name resource dependency on IP address resource.
    • Namespace root resource dependency on physical disk resource.

Usage:
DFSDiag /TestDFSConfig /DFSRoot:<namespace>

Parameters:
/DFSRoot:<namespace>: The namespace (DFS root) to diagnose.

Example:
DFSDiag /TestDFSConfig /DFSRoot:\Contoso.comMyNamespace

Checking individual namespace configuration and integrity - DFSDIAG /TestDFSIntegrity

Checks the integrity of the Distributed File System (DFS) namespace by performing the following tests:

  • Checks for DFS metadata corruption or inconsistencies between  domain controllers.
  • Validates the configuration of access-based enumeration to ensure that it  is consistent between DFS metadata and the namespace server share.
  • Detects overlapping DFS folders (links), duplicate folders, and folders  with overlapping folder targets.

Usage:
DFSDiag /TestDFSIntegrity /DFSRoot:<DFS root path> [/Recurse] [/Full]

Parameters:
/DFSRoot:<DFS root path>: The DFS namespace to diagnose.
/Recurse:  Performs the testing including  the namespace interlinks.
/Full: Verifies the consistency of share and NTFS ACLs and client side configuration on all folder targets. It also verifies that the Online property is set.

Example:
DFSDiag /TestDFSIntegrity /DFSRoot:\Contoso.comMyNamespace /Recurse /Full

Checking referral responses - DFSDIAG /TestReferral

Checks Distributed File System (DFS) referrals by performing the following tests:

When you use the DFSPath parameter without arguments, this command validates that the referral list includes all trusted domains.

  • When you specify a domain, the command performs a health check of domain controllers (Dfsdiag /testdcs) and tests the site associations and domain cache of the local host.
  • When you specify a domain and SYSVOL or NETLOGON, in addition to performing the same health checks as when you specify a domain, the command checks that the Time To Live (TTL) of SYSVOL or NETLOGON referrals match the default value of 900 seconds.
  • When you specify a namespace root, in addition to performing the same health checks as when you specify a domain, the command performs a DFS configuration check (Dfsdiag /TestDFSConfig) and a namespace integrity check (Dfsdiag /TestDFSIntegrity).
  • When you specify a DFS folder (link), in addition to performing the same health checks as when you specify a namespace root, the command validates the site configuration for folder targets (Dfsdiag /testsites) and validates the site association of the local host.

Usage:
DFSDiag /TestReferral /DFSPath:<DFS path for getting referrals> [/Full]

Parameters:
/DFSPath:<Path for getting referrals>: This DFS path can be one of the following:

  • (blank): Tests trusted domains.
  • \Domain: Domain controller referrals.
  • \DomainSYSVOL: SYSVOL referrals.
  • \DomainNETLOGON: NETLOGON referrals.
  • \<Domain or server><Namespace Root>:Namespace root referrals.
  • \<Domain or server><Namespace Root><DFS folder>: DFS folder (link) referrals.

/Full:  Applied only to Domain and Root referrals. Verifies the consistency of site association information between the registry and Active Directory Domain Services (AD DS).

Examples:
DFSDiag /TestReferral /DFSPath:\Contoso.comMyNamespace
DFSDiag /TestReferral /DFSPath:

Conclusion

I hope this blog post has helped you understand how to use the DFSDIAG.EXE tool to check your DFS-N configuration.