
  • Status: Solved

How best to set up DFS in our Disaster Recovery Environment

Currently we are running Microsoft Windows 2003 DFS in our production environment.  

We have only one DFS root (i.e. mycompany.com\DFS) and I'm pretty sure that the root is a DOMAIN ROOT where the DFS information is stored in AD and copies of the DFS referral information are stored on local root targets that are not domain controllers.

When we conduct a disaster recovery (DR) test we use a VM-hosted clone of a production domain controller in an isolated network environment, and we assume that this cloned DC has a copy of the DFS information stored in AD.  Unfortunately, since none of the root targets exist in the isolated environment, we're not getting DFS name resolutions for applications in the test that have embedded references to DFS shares.

Since the servers involved in our DR tests vary from test to test, we were wondering if we can change DFS to allow the cloned DC to resolve DFS references, or whether it would be best to create a new root target on one of the member servers involved in the test?  Granted, neither method exactly mirrors production, but allowing the DC to resolve DFS referrals removes the potential of DFS being blamed for a testing failure if the failure involved the server that we turned into a DFS root target.  If we can configure the DC to handle DFS references, what do we need to do to allow this, since DFS already has existing root targets that are inaccessible?

Any help would be appreciated.
1 Solution
Check the ADUC on one of the DCs while logged into the DC; you should see some DFS/infrastructure folders there.

The DFS on the DCs has the information for the targets.  If the target is not available/does not exist, the referral goes nowhere.

You could if the DC itself was also a target for the share.  This way, when you are in an isolated environment, there would at least be one target present.

The DFS depends on your setup as well as the version of your win2k3 (R2 has DFS replication, which is superior to the NtFRS). Do you have DFS set up as a mesh, weighted or load-balanced?
msgexpert (Author) commented:
The original question dealt with a question of what was best - making the DC a DFS target or making only member servers root targets.  In our environment, management of DFS is delegated to a group that consists of non-domain admins, and all DFS root targets are member servers.  We were (are) still under the impression that making a domain controller a DFS Root Target will have an impact on the ability of this delegated group to manage DFS once a DC is made a Root Target.  So our choices came down to (1) make the production DC that gets cloned for the isolated DR test a Root Target so the cloned copy automatically has DFS running, (2) do not make the production DC a Root Target but make the cloned DC a root target after it has been moved into the isolated environment, or (3) never make a DC a root target but always make some member server a DFS root target.  At this point in time, we feel that making the production DC a Root Target is too risky; however, options 2 and 3 remain on the table, and our choice is to test both ways in the DR environment and see if any issues are detected.
