none
DFS Namespace Resolution

    Question

  • Hello,

    Can you point me to a possible reason why our DFS namespace resolution breaks?  Here's some more info:

    - Namespace sometimes doesn't resolve only at one of our sites; it resolves fine in all other sites
    - DFSDiag commands reports that all referrals, registry entries, configuration, and metadata are consistent among all DCs and DFS targets
    - Namespace resolution sometimes fails for both FQDNs and NetBIOS calls
    - Issue is difficult to reproduce
    - Removing the target server from the namespace and reintroducing it brought some stability
    - Have to reboot domain controllers when name resolution isn't working
    - DFSUtil cache domain command shows that one DC is responsible for NetBIOS names and another DC is responsible for FQDN names
    - Whenever the name resolution issue shows up, we often receive "Element not found" messages when querying the properties of the namespace. 
    - Have tried using the DFSUtil /clean command per KB977511 but didn't have any luck

    I'd like to get some advice on how to troubleshoot this problem further if/when the issue pops up again. 

    Thanks! 


    MCITP Windows 7 MCTS Windows Server 2008
    Tuesday, September 13, 2011 2:37 PM

Answers

  • FYI...this issue resurfaced again a few months later.

    Issue with DFS has been fixed by disabling IPv6 on the domain controllers.

    I was able to isolate the issue by using the following commands to note that one DC gave a good referral while others errored out:

    From that point, looking at the event viewer on DC06 led to the following message:

    • The name "netbiosdomainname :1d" could not be registered on the interface with IP address <x.x.x.x>. The computer with the IP address x.x.x.y did not allow the name to be claimed by this computer.

    The 1d the end of netbiosdomainname clued me to IPv6. From that point, I noticed that one DC had IPv6 disabled and the others did not. So from that point, I disabled IPv6 on the other DCs by taking the following two actions per KB929852:

    1. Create a 32-bit dword called DisabledComponents in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters and set its value to 0xffffffff
    2. Unchecked IPv6 in the network connections properties and rebooted the machine


    MCITP Windows 7 MCTS Windows Server 2008
    Tuesday, January 03, 2012 4:19 PM

All replies

  • Hello, did your improperly deleted a namespace and re add it before experiencing this issue?
    Isaac Oben MCITP:EA, MCSE,MCC View my MCP Certifications
    Tuesday, September 13, 2011 9:17 PM
  • Hi,

    Please check the following things.

    When the issue occurs, please test if all referral targets can be accessed with \\computername or \\ipaddress. You can run a DFSUtil /pktinfo and paste in reply.

    Specifically check if the "in active" target is accessable, with both computername and ipaddress.

    Also check whether the DNS server of the site in problem is working fine or not.

     


    TechNet Subscriber Support in forum |If you have any feedback on our support, please contact tnmff@microsoft.com.
    Thursday, September 15, 2011 7:41 AM
  • This has been a tough issue to figure out, and I'm almost certain the problem points back to DNS.  Problem's still not resolved.  Here's some more info:

    1. I receive an error code 0x80070035 when accessing the namespace via NetBIOS and FQDN from the client

    2. I cannot reproduce the issue on the server that hosts the target.  In other words, the target server can resolve without issue.

    3.  I can access the paths via IP and via the target name (i.e \\computername\share)

    4.  The following commands do not help:

    • dfsutil cache provider flush
    • dfsutil cache domain flush
    • dfsutil cache referral flush
    • dfsutil /pktflush
    • dfsutil /spcflush
    • dfsutil /purgemupcache

    5. The command dfsdiag /testreferral /dfspath:\\<Domain>\<Namespace Root> shows that the namespace is not reachable from the client; however, the same command ran from the target server works as expected but produces an interesting result:

    Validating the site associations on every domain controller of the following: DC07
    Warning: The server has IP addresses with conflicting site associations
    Host name: DC07
    Ste: Austin
    Domain controller: DC10
    -------------------------------------------------------------------------------
    Host IP address                         Subnet-SiteMapping in AD
    -------------------------------------------------------------------------------
    fec0::b:447:11fd:9d39:86a5%1            No mapping exists
    2002:6401:277:b:447:11fd:9d39:86a5      No mapping exists
    2002:6401:279:b:447:11fd:9d39:86a5      No mapping exists
    -------------------------------------------------------------------------------

     Not sure what this means.  Sites and services shows that DC07 has an IP address that specifically belongs to the Austin site. 

    6.  The command dfsdiag /testsites /dfspath:\\<Domain>\<Namespace Root> /full shows that there is an issue with the target server.  Specifically, the error message is

    DFSDIAG_WARNING - APPL - SiteName from IP - fec0::b:b00b:befe:5995:3cec of DFS in DC - DC10 is NULL while in ADSite it is Austin,
    this can lead to different referral ordering.

     It's been a tough issue to resolve.  Any help is much appreciated!  =)

     


    MCITP Windows 7 MCTS Windows Server 2008
    Tuesday, October 18, 2011 8:05 PM
  • Getting back to the basics of troubleshooting, I was able to isolate the issue to the computer account of the target machine.  I introduced another target on the same subnet and was not able to reproduce.  I then disjoined the machine from the domain, deleted the computer account, and rejoined the machine to the domain.  Of course, you need to remove all associations with DFS namespace and replication before disjoining.  After creating a new computer account and relinking the namespace to it, I was able to resolve both NETBios and FQDN names. 

    Still waiting for this to bake in.  But I have not had the issue reoccur within the past few days.  So I'm close to calling this problem fixed

     

    :-)


    MCITP Windows 7 MCTS Windows Server 2008
    Friday, October 21, 2011 3:13 PM
  • FYI...this issue resurfaced again a few months later.

    Issue with DFS has been fixed by disabling IPv6 on the domain controllers.

    I was able to isolate the issue by using the following commands to note that one DC gave a good referral while others errored out:

    From that point, looking at the event viewer on DC06 led to the following message:

    • The name "netbiosdomainname :1d" could not be registered on the interface with IP address <x.x.x.x>. The computer with the IP address x.x.x.y did not allow the name to be claimed by this computer.

    The 1d the end of netbiosdomainname clued me to IPv6. From that point, I noticed that one DC had IPv6 disabled and the others did not. So from that point, I disabled IPv6 on the other DCs by taking the following two actions per KB929852:

    1. Create a 32-bit dword called DisabledComponents in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters and set its value to 0xffffffff
    2. Unchecked IPv6 in the network connections properties and rebooted the machine


    MCITP Windows 7 MCTS Windows Server 2008
    Tuesday, January 03, 2012 4:19 PM
  • Greg i haven't  tried this fix yet but i have been having this problem for 7 months now.  At first i thought it was because DFS required wins by default and  unless you configure your domain controllers to use dns it will try to use wins for referals. Does Microsoft direct Access have a negative affect on DFS. this makes me want to go back to using the server names instead of dfs name space. I have requested  many outages for this but no luck. At this point i am looking to move to sharepoint but before we do we would like to fix this issue

    Do you know where i can get the DFSUtils for windows 7. and is this a fix or temp solution.

    Thursday, September 27, 2012 10:02 PM
  • Hey Another_Tech,

    DirectAcess doesn't have any negative effect on DFS; however, if using DA from Windows Server 2008 R2 you may need to configure TMG rules to allow DFS namespace traffic across the boundary to get things to work.  I'm not a DA expert though.  I just remember a similar discussion came up when my team did the implementation.

    As far as the DFSUtils command goes, you need to introduce the DFS Tools from Remote Server Administration Tools | Role Administration Tools | File Services Tools.  Or in Windows 7, install RSAT and go to Programs and Features | Add Windows Features and use the same path as above.

    We have not had any issues since I reported the fix above, and that's been ten months going (knock on wood).  Try disabling IPv6 on either the DFS target or DCs on the affected sites and see if that helps.  I don't like turning off IPv6, but in this case - for whatever reason - this fixed the issue.  And that's good enough for us right now. 

    Good luck!


    MCITP Windows 7 MCTS Windows Server 2008

    Monday, October 08, 2012 3:27 PM