Windows Server 2008 R2 DFS Replication across two locations
If the domain controller is offline what happens?
Are users still able to access the DFS namespace? Does replication still occur?
Asked
Active
Viewed 4,072 times
0
-
1I would hope you have more than one domain controller in place. – DKNUCKLES Dec 12 '12 at 20:21
-
1doesn't answer my question :) – Michael Dec 12 '12 at 20:23
-
I would guess replication would still happen until the kerberos tickets expired. Of course once tickets start to expire everything is going to be broken. If the DC is gone, I suspect clients with an **active connection** would lose their ability to find the DFS members would lose their connection in ~10 minutes depending on how you have set your DFS timeouts. I am almost certain no new connections would be possible. What you are asking is so unusual and unthinkable, I suspect you are going to have to test it and research it on your own. Or follow the best practice, and bring up another DC. – Zoredache Dec 12 '12 at 20:51
-
@Zoredache actually, we have this situation come up from time to time at some of our remote sites that only have one DC. DFS seems to remain accessible for a lot longer than 10 minutes, but our priority tends to be kicking the DC and/or WAN connection back into functioning rather than testing timeout periods for science (or whatever). New connections do get an authentication failure, so I'm fairly certain you're right about that part. – HopelessN00b Dec 12 '12 at 20:59
3 Answers
4
Depends entirely on how this is setup and what's cached. Anything from "nothing will happen" to "it will break completely" are possible.
Basically, the Domain Controller here is needed for authentication to access the shares, and name resolution to translate your server names to IP addresses. If you have a client that has the DNS entry for its DFS server cached, and has its authentication cached by the DFS server(s), then it will be able to access DFS just fine, until the cached values expire (or are flushed). Likewise, if your DFS servers have each other's DNS entries cached, they should be able to replicate.
Anyone who doesn't have the DNS entries for these servers cached will be unable to access them by name, and anyone whose authentication isn't cached by the DFS servers will get a logon failure, because the DFS server will attempt to validate the logon attempt against the Domain Controller it can't reach (which generates an authentication failure).
Oh, and having only one Domain Controller is a problem, and a Bad Idea. Get another one.
HopelessN00b
- 53,795
- 33
- 135
- 209
-
How about replication? I have multiple DCs. This was more of a question on how much DFS relied on DC to function. Thank you for your answer. – Michael Dec 12 '12 at 21:42
-
@Michael The servers will need the DNS entries to replicate to each other, which can be cached, as well as authentication, which can be cached, albeit for a shorter time period, in most cases. The only time we run into this issue, it's because something's rotten with the inter-site connections, so replication won't work for other reasons... meaning I don't have a meaningful answer except to say replication will fail when the cached authentications expire, which you'd expect to have a much shorter validity period than a DNS cache. – HopelessN00b Dec 12 '12 at 21:54
1
If your domain controller goes offline (assuming you only have one) you have bigger problems than users not being able to access the DFS namespace. A myriad of complications arise, the most notable is the fact that authentication doesn't take place.
With that said, users will not be able to access the namespace and replication will not occur.
DKNUCKLES
- 4,028
- 9
- 47
- 60
-
1-1, as you don't have to set your DC as a namespace server. If you have two DCs and one is down, and your Namespace server is on a third server, then your namespace is still available. – HostBits Dec 12 '12 at 20:27
-
-
So make it clearer in your answer that this is only the case if they have ONE domain controller. – HostBits Dec 12 '12 at 20:34
-
Three servers: 1 DC, DFS A, DFS B. DFS replicates to A and B. DC1 goes offline you're saying users won't be able to access DFS A or B? – Michael Dec 12 '12 at 20:37
-
@Cheekaleak I thought the *If your domain controller goes offline (assuming you only have one)* line was quite clear. – DKNUCKLES Dec 12 '12 at 20:38
-
Yes that's what I'm saying @Michael. DFS requires Active Directory to function – DKNUCKLES Dec 12 '12 at 20:50
-
-
@DKNUCKLES DFS DOES NOT require AD to function...You can use DFS without AD, just certain features aren't available. – HostBits Dec 12 '12 at 21:19
-
1
The default TTL for DFS Link referrals is 30 minutes and the default TTL for DFS Root referrals is 5 minutes.
I would assume that for a Domain based DFS namespace that the DFS links would still be accessible after the DC has gone down for clients that already have the Link referral cached, for the remaining life of the referral.
joeqwerty
- 109,901
- 6
- 81
- 172