Our current setup uses two DFS servers acting as referral servers for our DFS Namespace. The data is replicated from the Live server to the DR server at our second location. The aim is to have the second server be always live for referrals but the folder targets are only enabled for the LIVE site.

This all works fine when there are no issues during normal conditions. The problem we are running into is that during a test of the link between the two offices going down, the namespace becomes unavailable and we are unable to create a new namespace. After running diagnostics during this event, it was found that the DFS Namespace requires access to the primary domain controller in order to interact with the namespace. So now during a "link down" test we transfer the FSMO roles over to the DR domain controllers so the PDC is accessible. Now we are able to create new namespaces but are still unable to interact with the current one.

We have had Active Directory health tests, an upgrade to a 2012 R2 domain and full cleaning and rebuilds of the DFS system, and whenever the link goes down, even with the PDC being available, DFS complains that it cannot see the domain or namespace anymore.

I'm now completely out of ideas, so if anyone has any experience with this and can offer suggestions for testing. The current solution is that during this scenario we basically cannot use the DFS Namespace and instead have to run scripts to move the paths to roaming profiles and folder redirection to the DR servers instead of just moving the folder referrals on the DFS. This just doesn't seem like it should be the case; there must be a way to always be able to use the namespace.

Setup:
AD Domain - Windows 2012 R2. 2 DCs at live, 2 DCs at DR.
Live DFS Server - Windows 2012 R2. Referral server enabled, folder targets enabled. Namespace server enabled.
DR DFS Server - Windows 2012 R2. Referral server enabled, folder targets disabled. Namespace server enabled.
Data replication method - Bvckup2.
We use roaming profiles and folder redirection within users home drive.

Stangg
  • Needs more information. For example, your namespace servers for this namespace are...? – HopelessN00b Mar 09 '15 at 15:02
  • Added a little section with the general setup information. – Stangg Mar 09 '15 at 15:10
  • You still haven't mentioned anything about your namespace servers... not to mention that if you only have one folder target enabled, and that server goes down, of course the namespace isn't accessible. One server is down, the other has its folder targets disabled. – HopelessN00b Mar 09 '15 at 15:22
  • The namespace servers are the DFS servers. When the link goes down the plan is to enable folder targets at DR and disable those at LIVE, but the namespace is completely inaccessible to even make any changes to it in DFS management. The util complains about not being able to see the domain. The namespace servers themselves always have a referral status of enabled, it's only the underlying folders that have referrals disabled so that users cannot access the files on the DR DFS server due to us using one way replication. – Stangg Mar 10 '15 at 08:07
  • Well, so your first problem is figuring out why *the domain* is inaccessible when you do this failover thing, and then the second problem is that you're over-complicating the mess. Enable folder referral on the DR replica, but make it read-only, and set up your referral rules to always send clients to LIVE first. A lot easier to toggle that to read-write in the event of failover than mucking around with enabling referrals and/or folder targets. – HopelessN00b Mar 10 '15 at 08:21
  • Yes, that is the problem, and I was hoping that someone had seen this issue before because no amount of AD health checks, diagnostics or fiddling can point to why the DFS servers think the domain is unavailable and therefore the namespace when by all accounts the PDC and all its roles have been moved across to the DR site. It seems as though without both the servers up the namespace won't work. To the second point, we did have this set up before but due to other factors it did not work the way we wanted it to, and it's just as easy to toggle read-write as it is to enable/disable folder targets. – Stangg Mar 10 '15 at 08:26
  • I should add that it is only the namespace that is already set up that thinks the domain is unavailable, I can create new namespaces and everything else works correctly during failover. – Stangg Mar 10 '15 at 08:29

1 Answer

I have figured out the issue; it all stems from the default settings of the DFS Namespace environment.

We are using a DNS-only environment, so we need to recreate the DFS Namespace as DNS only and to accept FQDN referrals, essentially following this article:

https://support.microsoft.com/en-us/kb/244380

I had planned to do this in the past but found that it was relatively high risk with all the other work that was happening and would have had little impact on our environment, that is until we found this specific corner case of the PDC becoming unavailable (even with a FSMO role transfer).

Hopefully this can help someone else in this very specific situation.

Stangg
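
A read-only check for the condition the answer describes, added here as an example and not part of the original post: it reports whether each namespace server is configured to return FQDNs in referrals and whether the existing root targets were registered by short name. The namespace path and server names are hypothetical placeholders; the cmdlets come from the DFSN PowerShell module that ships with Windows Server 2012 and later.

```powershell
# Hypothetical values: replace with your own namespace and namespace servers.
$NamespacePath    = '\\example.local\Shares'
$NamespaceServers = 'dfs-live.example.local', 'dfs-dr.example.local'

Import-Module DFSN

# 1. Does each namespace server hand out FQDNs in its referrals?
$serverReport = foreach ($server in $NamespaceServers) {
    $cfg = Get-DfsnServerConfiguration -ComputerName $server
    [pscustomobject]@{
        Server  = $server
        UseFqdn = $cfg.UseFqdn
    }
}
$serverReport | Format-Table -AutoSize

# 2. Were the root targets registered by FQDN or by short (NetBIOS) name?
#    TargetPath has the form \\server\share; a host part without a dot
#    means the target was added before FQDN referrals were enabled.
$rootReport = Get-DfsnRootTarget -Path $NamespacePath | ForEach-Object {
    $targetHost = ($_.TargetPath -replace '^\\\\', '').Split('\')[0]
    [pscustomobject]@{
        TargetPath = $_.TargetPath
        State      = $_.State
        HostIsFqdn = $targetHost.Contains('.')
    }
}
$rootReport | Format-Table -AutoSize

# 3. Summarise what still needs attention before a link-down test.
$serversToFix = @($serverReport | Where-Object { -not $_.UseFqdn })
$targetsToFix = @($rootReport   | Where-Object { -not $_.HostIsFqdn })
"{0} server(s) without UseFqdn, {1} root target(s) registered by short name" -f `
    $serversToFix.Count, $targetsToFix.Count

# Change step (not executed here, run deliberately in a maintenance window):
#   Set-DfsnServerConfiguration -ComputerName <server> -UseFqdn $true
# Root targets flagged in step 2 then have to be removed and re-added, which
# is the "recreate the namespace" work the answer refers to.
```

Running it from a host at the DR site while the inter-site link is up gives a baseline to compare against during the next link-down test.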