The Microsoft Infrastructure now provides domain-based DFS namespace service. This provides redundant distributed file redirection services, allowing you to easily add and remove file servers without impacting your customers. You can use DFS replication (DFS-R) services, but keep in mind that only a very small part of DFS-R relies on what MI provides (see DFS-R section below).
IMPORTANT: clients accessing the DFS share need to be able to resolve netid.washington.edu. Netid.washington.edu resolves to p172 IPs, so off campus access will require a VPN or alternative.
We provide one central DFS namespace \\netid.washington.edu\dfs\ with a DFS folder targeting other DFS namespaces. Each delegated OU can request their own DFS namespace. We delegate management of your DFS namespace to you, allowing you to create DFS folders and manage the targets.
If you need a guide to DFS terminology, please reference http://technet.microsoft.com/en-us/library/cc730736.aspx.
NOTE: The Microsoft documentation, including the above link, does not follow best practice by fully qualifying hostnames. We have enabled fully qualified DNS names on our DFS referral servers, and you should fully qualify all targets.
All DFS namespaces will have access based enumeration enabled, limiting who can browse the DFS namespace to those who have been granted access. We strongly encourage customers to not use NETID\Domain Users, Authenticated Users, or Everyone when granting access on the target file servers.
Requesting a DFS Namespace
You can request a DFS namespace by submitting this form: DFS Request Form
Your requested DFS namepace must contain this path:
\\netid.washington.edu\<Your delegated OU name>
Delegated Management of the links in your DFS namespace will be given to you via:
u_msinf_delou_<Your Delegated OU Name>_dfsadmins
If you do not currently have a delegated OU, you will need to request one first. Please see https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/ous/.
After your request, you can add DFS folders and targets, specifying a fully qualified UNC path for each target.
Getting Support
MI provides the DFS namespace. MI provides the creation of the DFS folder. You provide the DFS folder target. And if you use DFS-R, then you are providing multiple DFS targets which are capable of DFS-R.
If a client has a problem with accessing a file via DFS, the problem could be at your DFS folder target. We will expect you to verify that you can access the DFS folder target without the DFS namespace in the UNC path before involving us.
If you have a problem, please send email to help@uw.edu with “NETID DFS” in the subject line and make sure to specify the DFS folder involved in the problem and any other details. If your problem is outside normal business hours and urgent, please call 206-221-5000.
Common Problems
We encourage you to not create circular DFS redirections. If you do, customers who “enter” such a loop will not present a denial of service attack to the NETID domain controllers (because DFS referrals are client-side cached), but your customers will not have a nice experience.
You should use fully qualified DNS names for the targets of your DFS folders. If you run your own DFS referral servers, you should ensure that they are configured to use fully qualified DNS names (this isn’t the default configuration). Ask if you need assistance getting them configured.
Some Mac clients require special 3rd party software to support DFS. We do not have a recommendation on what 3rd party software is best, nor do we keep track of what Mac OS versions support what capability.
DFS-R Support
If you want DFS replication services, you’ll need to enable that by adding two or more targets to the same DFS folder and running through the DFSR replication setup in the wizard. You will be asked to create a DFS replication group (note: this is NOT a normal AD security group). As long as you are a OU admin, you should have the permissions to create that DFS replication group. In order for you to get DFS-R setup, we will additionally have to grant two permissions on your delegated OU:
- On OU=<yourOU>,OU=Delegated,DC=netid,DC=washington,DC=edu
Allow u_msinf_delou_<yourOU>_ouadmins: Full control ON descendent msDFSR-LocalSettings objects - On OU=<yourOU>,OU=Delegated,DC=netid,DC=washington,DC=edu
Allow u_msinf_delou_<yourOU>_ouadmins: Full control ON descendent msDFSR-Subscriber objects
To get these permissions setup, you can just send a request to help@uw.edu with “NETID DFS-R Permissions needed for <yourOU>” in the subject line.
An additional permission has already been granted:
- On CN=DFSR-GlobalSettings,CN=System,DC=netid,DC=washington,DC=edu
Allow u_msinf_roles_delou_admins: Create all child objects ON This object only
If there are problems with the DFS replication group, MI will help with that. If there are problems with the replication between the DFS targets, MI will not help with that–you need to troubleshoot that because you own all the involved components.