Solved

publish DFS resource in an external trusted domain

Posted on 2011-09-22
Last Modified: 2012-12-11
Hi,

I'm implementing DFS in a local domain (test laboratory) and I'm working with it without any problem inside this domain, but according to my company setup, I would like my DFS to be reachable from the corporate domain. My domain has a trust relationship with the corporate one (separate forests). The trust type is External and non-transitive (the users from the corporate domain can access the resources from the local domain).

The question is if there is a way to publish in the corporate domain my DFS service... When I try to get it from any resource in the corporate domain, I get a network error "Windows cannot access \\mydomain\dfsroot"...

Thanks in advance.
Regards
Question by:ecemibm
3 Comments
 
LVL 9

Accepted Solution

by:
Lester_Clayton earned 2000 total points
ID: 36583445
I'm afraid you cannot do this - DFS shares are only accessible from the same domain that they're published.

What you CAN however do is create a DFS Namespace in the domain, and then add the folder of the trusted domain's server.

For example:

Domain A:

DFS Namespace: \\contoso.com\Root
DFS Folder: \\contoso.com\Root\Folder = \\contoso02.contoso.com\Data$

Domain B:

DFS Namespace: \\microsoft.com\Root
DFS Folder: \\microsoft.com\Root\Folder = \\contoso02.contoso.com\Data$

Now you can access the same location on either domain using the path \\%USERDNSDOMAIN%\Root\Folder
0
 

Author Closing Comment

by:ecemibm
ID: 36583931
That's what I suspect... thanks for the confirmation and the way to do it.
0
 
LVL 18

Expert Comment

by:LesterClayton
ID: 38678480
It seems that my other self was incorrect.

It *is* possible to access DFS shares cross domain or cross forest, as long as you have either prepared the DFS Root properly, or if you use one of the workarounds.

The reason why it doesn't work by default is because when creating DFS roots, the referrals are not being created using Fully Qualified Domain Names - they're created using just server names, which naturally, anybody outside of the domain won't be able to resolve.

Here is the correct way of doing it:

How to configure DFS to use fully qualified domain names in referrals

This will require a recreation of the DFS root.

As far as workarounds are concerned, you have 2 options:

Option 1: DNS Search Scopes.

What you can do is add the target DFS's domain name to the DNS Suffix Search List of all clients in the requesting domain.  Modifying DHCP to add the DNS domain as a DNS Suffix is the easiest way to do this.  

For example, if you have a DNS root which is \\abc.com\blah (which server a01.abc.com is serving), then the referral will be \\a01\blah, and the clients in def.com will try to resolve a01.def.com and then a01.abc.com - thus getting the referral to work.

Option 2 : CNames

Another option is to create a CName in the requesting domain to point to the A record in the target domain.

For example, if you have a DNS root which is \\abc.com\blah (which server a01.abc.com is serving), then the referral will be \\a01\blah.  The clients in def.com will try to resolve a01.def.com, and this will normally fail.  What you do here is create a CNAME for a01 in def.com's zone, and make it resolve to a01.abc.com.  Resolution will now work as will the referrals.

I apologise for my erroneous answer from last year.
0
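
A check for the name-resolution behaviour described in the comment above, as an added example that is not part of the original thread: run from a client in the requesting domain, it reports whether the short server name from a referral resolves at all and whether it lands on the same address as the server's FQDN in the target domain. The function name `Test-DfsReferralName` is hypothetical, and `a01` / `abc.com` are the post's illustrative names.

```powershell
# Added example, not from the original thread. Run on a client in the
# requesting domain (def.com in the post). Requires the DnsClient module
# (Windows 8 / Server 2012 or later).
function Test-DfsReferralName {
    param(
        [Parameter(Mandatory)][string]$ShortName,     # server name as it appears in the referral
        [Parameter(Mandatory)][string]$TargetDomain   # DNS domain that hosts the DFS namespace
    )
    $fqdn = "$ShortName.$TargetDomain"

    # -DnsOnly keeps LLMNR/NetBIOS out of the result, so only DNS (with the
    # client's suffix search behaviour) decides whether the short name resolves.
    $short = @(Resolve-DnsName -Name $ShortName -Type A -DnsOnly -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'A' })
    $full  = @(Resolve-DnsName -Name $fqdn -Type A -DnsOnly -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'A' })

    $shortIPs = @($short | ForEach-Object { $_.IPAddress } | Sort-Object -Unique)
    $fullIPs  = @($full  | ForEach-Object { $_.IPAddress } | Sort-Object -Unique)

    if     ($fullIPs.Count -eq 0)  { $status = 'FqdnDoesNotResolve' }      # target zone not reachable from here
    elseif ($shortIPs.Count -eq 0) { $status = 'ShortNameDoesNotResolve' } # the failure described in the question
    elseif (($shortIPs -join ',') -eq ($fullIPs -join ',')) { $status = 'OK' }
    else   { $status = 'ShortNameResolvesToDifferentHost' }                # another host with this name wins first

    [pscustomobject]@{
        ShortName        = $ShortName
        Fqdn             = $fqdn
        ShortNameIPs     = $shortIPs -join ', '
        FqdnIPs          = $fullIPs -join ', '
        Status           = $status
        # Empty here means the client falls back to its primary and
        # connection-specific suffixes.
        SuffixSearchList = (Get-DnsClientGlobalSetting).SuffixSearchList -join ', '
    }
}

# Names taken from the post's example; replace with the servers your referrals return.
'a01' | ForEach-Object { Test-DfsReferralName -ShortName $_ -TargetDomain 'abc.com' } |
    Format-List
```

A `ShortNameResolvesToDifferentHost` result is worth checking before relying on either workaround: it means a host with the same short name exists under a suffix that is tried earlier, so the referral would connect clients to that host rather than the DFS server.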
