Domain DFS from a non-domain joined client

As I mentioned before I use DFS on my home network to help manage my storage resources.


Almost all of my machines at home are domain joined. You get a lot of management benefits from doing this. You can make Windows Software Update Services (SUS) automatically apply patches to all machines, you can apply Group Policy across machines (e.g. to enforce password complexity requirements, re-directed My Documents, etc…). However, in one case I have chosen not to make a machine domain-joined: the PC in the kitchen that is shared by my wife and kids. The reason for this is we use fast-user-switching, which is not supported on Windows XP Pro if the machine is joined to a domain (fast-user-switching is even better when you use a biometric fingerprint login device like the Digital Persona unit we have…just press your thumb and you are at your desktop…great for the wife and kids!).


Recently I noticed that on this machine I was having problems accessing the shares in the DFS namespace (e.g. \\kindel.com\shares\userdata\julie which is where Julie’s My Documents is redirected to). Doing a “net use \\kindel.com\shares” was failing.


I tried to debug it using Google but couldn’t find any clues as to what was going on. So I emailed my buddies in the DFS team. After going back and forth, we discovered that I had disabled the DFS service on one of my domain controllers. I had disabled this service because that particular machine is anemic and I wanted to improve performance. That machine was not the host for my DFS root so I figured it didn’t need the service running.


For domain joined machines, the DFS client will go to AD directly to find the DFS root. But for non-domain joined machines here’s what happens:



  • A non-domain joined DFS client, upon “net use \\kindel.com\shares” will resolve the \\kindel.com using DNS. 
  • It will talk to the resulting IP address’s DFS service which is smart enough to talk to AD and figure out that there is a DFS root on kindelsrv2 called shares.
  • If there is no DFS service at the IP address net use will fail.

I was seeing intermittent problems because I have two DNS servers (each DC hosts DNS for redundancy) and the DNS client randomly chooses between the two (I thought it always picked the 1st in the list, using the others only for backup). Sometimes it would resolve kindel.com to 192.168.0.2 (kindeldc) and sometimes it would resolve to 192.168.0.4 (kindeldc2). Since the DFS service on kindeldc was not started, whenever it resolved to 192.168.0.2 the “net use” would fail.
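The failure described above can be checked directly by resolving the domain name to every address it returns and querying the DFS service on each one. The script below is an added example, not part of the original post. It assumes Windows PowerShell 5.1 (where `Get-Service` accepts `-ComputerName`), that it is run from a machine and account allowed to query services on the domain controllers, and that the service name is `Dfs`.

```powershell
# Added example: verify that every address the domain name resolves to runs the DFS service.
# Assumptions: Windows PowerShell 5.1, run with rights to query services on the DCs;
# 'kindel.com' is the domain name used in the post.
param(
    [string]$DomainName  = 'kindel.com',
    [string]$ServiceName = 'Dfs'     # service name of the Distributed File System service
)

# Every IPv4 address returned for the domain name. A non-domain-joined client
# may contact any one of these when it runs "net use \\<domain>\shares".
$addresses = [System.Net.Dns]::GetHostAddresses($DomainName) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' }

$results = foreach ($ip in $addresses) {
    $target = $ip.IPAddressToString
    try {
        $svc    = Get-Service -Name $ServiceName -ComputerName $target -ErrorAction Stop
        $status = $svc.Status.ToString()
    }
    catch {
        # Service missing, host unreachable, or access denied: report it, do not guess.
        $status = 'QueryFailed: ' + $_.Exception.Message
    }
    [pscustomobject]@{ Address = $target; DfsStatus = $status }
}

$results | Format-Table -AutoSize

# Any address without a running DFS service is a source of intermittent failures.
$bad = @($results | Where-Object { $_.DfsStatus -ne 'Running' })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} of {1} addresses for {2} do not have the DFS service running; 'net use \\{2}\shares' from a non-domain-joined client fails whenever DNS returns one of them." -f $bad.Count, @($results).Count, $DomainName)
}
```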


Hopefully this post will help others until the DFS team can write a KB article about this (which I’ve bugged them to do).


[Update 4/28/04]
Here are some links to good DFS documentation (still doesn’t address this particular issue, but these are good docs):


4 comments


  1. http:// says:

    Thanks for sharing the DFS adventure with us. Now I’m interested in setting up a more elaborate home network. Could you blog a little more about your configuration and pains you’ve gone through? e.g. How hard is it to setup the Digital Persona? What about the initial setup of DFS and your DCs? Is everything wired or are you wireless as well?

    John

  2. J.P. Stewart says:

    Note that you can also use dfscmd for many of your dfs debugging issues. I constantly have problems accessing dfs from non-domain machines. AND especially accessing dfs shares from machines that are not "dfs aware". Using dfscmd.exe however can show you the full dfs map and allow you to net use directly to the location that you are interested in getting to, thus cutting dfs out of the picture.

  3. http:// says:

    cool stuff dude. I also have a DFS installed in my home network. It’s working great. The only problem I have now is Roaming Profile. It doesn’t save the profile for the wallpaper when you roam…

    anyway, cheers for you… btw how much is the biometric device?

  4. http:// says:

    Fred – your issue could be that you have changed your Roaming profile from a ntuser.dat to a ntuser.man so it now will not update it.

    You need to change it to a .dat in order to change anything!!!

    Hope this helps
