Blog Post

Ask the Directory Services Team
4 MIN READ

The Case of the Random DFS Access Denial

NedPyle's avatar
NedPyle
Former Employee
Apr 04, 2019
First published on TechNet on Jun 04, 2009

Hi, this is Bobby from the Microsoft Directory Services support team. Today we are going to discuss some confusing behavior that I’ve observed regarding inconsistent DFS access. While the root of this is issue is easy to remediate, it can be difficult to find the offending servers.

Symptoms

When first presented with this issue, I was asked to help determine the nature of users getting prompted to connect to a DFS root. DFS roots are defined in “ How DFS Works as

The starting point of the DFS namespace. The root is often used to refer to the namespace as a whole. A root maps to one or more root targets, each of which corresponds to a shared folder on a separate server. The DFS root must reside on an NTFS volume. A DFS root has one of the following formats: \\ ServerName \ RootName or \\ DomainName \ RootName .

The dialog was as follows:

Prior to calling Microsoft support, the customer was able to successfully connect to the NETLOGON and SYSVOL share of the domain without issue (\\contoso.com\sysvol and \\contoso.com\netlogon) Rebooting the client machine or having the client logoff would at times alleviate the problem. After a random period of time, users could access the DFS root, would later lose access, and users who did not work before would start working.

Investigating the issue, it was noticed that the "Distributed File System" MMC would change as time passed. For reference, I have included a picture of what it should look like when all is ok.

Using the "Distributed File System" MMC to check the status of the root would provide differing results at different times.

In this picture, it appears that three of the four root targets are inaccessible. When the MMC was checked later (or the user logged off and then back on) the results changed:

When using the “DFS Management” MMC from 2003 R2, The display is different, but the behavior is the same:

Initial Troubleshooting

When we began troubleshooting the issue, we started to look at the output of “ dir ” and dfsutil /pktinfo . This was to test the access to the DFS root and connectivity to the root shares.

At this point, each target appeared accessible. This was an unexpected result. I would have expected that we would get access denied to all of the targets. If we could reach each target, why were getting random “access is denied” when attempting to get a directory listing of the root?

We used the dfsutil /pktflush command to purge the referral cache thus forcing a request for new referrals. Then we ran the dir commands again that returned different results:

Using Netmon , we took a trace to see what we can find.

The first thing we attempted was to request a DFS referral for \\contoso.com\root

We were returned four targets for the root.

This was represented in the pktinfo as follows:

At this point we attempted to create a connection to the first server returned in the referral.

However we were returned: Status_access_denied.

Normal troubleshooting would be to attempt to connect to the share \\2003-02\root. In this case, we executed dir /b \\2003-02\root .

When we attempt to do this, we received more unexpected results:

I would have actually expected this to get an “access is denied” too.

Looking further in the network trace, we noticed that we received a new referral when we attempted to connect to 2003-02 server directly. To illustrate this, I have several screenshots of the referral network traffic.

The DFS service returned the following (note that ‘TargetPath: Index:1’ is not 2003-02 but another server):

Again the pktinfo:

When connecting to the path \\2003-02\root, we were instead accessing the root share on 2003-01, as detailed in the trace:

Cause and Remediation

When connecting to a root DFS share, the DFS service returns referrals for all of the participants on the root target set. So when we executed the command dir \\2003-dc1\root , the DFS service on 2003-dc1 then responded with a new DFS root referral for the path \\2003-dc1\root.  This behavior accounts for the entries in the referral cache for paths to each root (i.e. \\2003-dc1\root, \\2003-01\root, \\2003-02\root, \\2003-03\root). DFS referrals are retuned in a random order for servers in the site of the client. This will cause differencing results for each time the client requests a referral.

The root cause of the issue was actually incorrect share permissions on the “root” share of 2003-02. This can be observed locally using net share sharename

Comparing this to the same output of 2003-01, we see the problem:

In small environments, connecting to the server and examining the share permissions is an acceptable method, however in large environments this can prove cumbersome. I prefer to use subinacl to verify the permissions remotely. (Subinacl can be downloaded here: http://www.microsoft.com/downloads/details.aspx?FamilyID=E8BA3E56-D8FE-4A91-93CF-ED6985E3927B&displaylang=en )

To fix this we could connect to the server and add the permissions. Or it could be altered remotely with the following:. The syntax is : subinacl /share \\2003-02\root /grant=everyone=r

Note: Read is the default share permission in 2003 and later. Your permissions may be different based upon your business needs.

Using DFSGUI.MSC to check the status of the DFS root targets has been deprecated and is no longer available in 2008. This however does not change the behavior of the referrals that are returned.

Using DFSdiag.exe from Windows 2008 does not return any additional information as to the root cause.

Further reading

For more information about the technologies discussed here, please refer to “How DFS Works” http://technet.microsoft.com/en-us/library/cc782417(WS.10).aspx

- Bobby ‘Bucket Head’ McMillan
Updated Apr 04, 2019
Version 2.0
dfsn

3 Comments

Sort By
  • geoperkins's avatar
    geoperkins
    Copper Contributor
    Jun 19, 2023

    shawnsarnia NedPyle 

     

    Based on your posting I cannot tell if you are experiencing the same issue as I do.  However, I can give you more detailed information which may help you confirm if your symptoms match.  Kindly look at this post:  "DFS Referral Cache Is Invalid and Not Automatically Refreshing" https://techcommunity.microsoft.com/t5/windows-server-for-it-pro/dfs-referral-cache-is-invalid-and-not-automatically-refreshing/m-p/3825405#M9834 

     

    That post clearly showing a problem (bug?) in the DFS-N referral cache for an updated DFS-N target folder. Deletion of the original target folder, and re-creation of the target folder, PLUS updating (or restarting) all clients' cache is the (very ugly) work-around.

     

    Please up-vote [Like] or [Mark as Solution] to gain greater visibility for the community's benefit and Microsoft awareness/action.

  • shawnsarnia's avatar
    shawnsarnia
    Copper Contributor
    Jun 15, 2023

    geoperkins We're experiencing an intermittent Access Denied issue with DFS as well, but it only impacts a single folder referral.

     

    We can access \\domain.com\dfsroot perfectly fine.

    We only have 1 file server that has the DFS root and the file shares (for now).

     

    \\domain.com\dfsroot\whatever works... except for 1 folder that intermittently does not work, and is usually fixed with a client reboot (don't have to do anything on the server).

     

    Unfortunately, it's your Users share, which has user profiles, home folders and desktops on it.

     

    If we access \\domain.com\dfsroot\users we get access denied.  If we access \\actualfileserver\dfsroot\users it works, as does \\actualfileserver\users.  It's only when we use the domain name that it fails.

    Is this the issue you've been experiencing?  If so, did you find a resolution?

    ----UPDATE----

    From this thread: Access Denied on DFS target folder (microsoft.com)

    We followed the registry change/reboot in this comment by Kim Zhou on a computer experiencing this today, and it resolved the issue for that computer.  We do NOT know if this is the actual workaround/fix, as we have to try it on more computers when they experience it.

    1. Click Start, type regedit in the Start Search box, and then press ENTER. If you are prompted for an administrator password or for a confirmation, type the password, or click Continue.

    2. Locate the following registry subkey, and then right-click it:

     

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CSC

     

    3. Point to New, and then click Key.

    4. Type Parameters in the box.

    5. Right-click Parameters, point to New, and then click DWORD (32-bit)Value.

    6. Type FormatDatabase, and then press ENTER.

    7. Right-click FormatDatabase, and then click Modify.

    8. In the Value data box, type 1, and then click OK.

    9. Exit Registry Editor, and then restart the computer.

     

  • geoperkins's avatar
    geoperkins
    Copper Contributor
    Mar 23, 2023

    This article was a top hit in a Google search bounded by recent activity date range, and since it is all about Windows 2003 and dated 2009, that is a puzzler.

     

    I am currently seeing a similar intermittent "Access Denied" problem, that seems repaired when the client is restarted. I used the above article to verify the share permissions on the DFS namespace, which were correct (domain users have READ access, the default). But I had to open an elevated command prompt to see the share permissions on the DFS server. This article, for Win2003, predates UAC and the concept of an elevated command window. So just adding this for the good of the public's understanding.