IN THIS ARTICLE
Outlines the process of creating new DFS Namespaces with Qumulo SMB Shares as Folder Targets.
- Cluster running Qumulo Core
- Windows Server with DFS Namespace Role enabled
- DFS - Distributed File System, the name of a Microsoft Windows Server service for the dynamic referral of SMB clients to multiple SMB Shares under the same resource name
- DFS-N - The DFS Namespace referral service
- DFS-R - The DFS Replication service
- Namespace - The overall collection of Namespace Root, Folders and Folder Targets
- Namespace Root - The starting path of a DFS Share which can contain multiple Folders, which in turn contain Folder Targets.
- Namespace Server - A Windows Server hosting the Namespace
- Namespace Path - The UNC formatted path clients will use to access SMB resources stored in DFS Folders
- Folder - Named collections of Folder Targets inside of a Namespace. The name of the Folder will form part of the path used to reach the SMB Share.
- Folder Target - The path to an SMB Share in UNC format.
- Site - A logical division of an Active Directory Domain based on subnets, usually denoting a physical geographical region.
DFS Management is a Microsoft Windows Server role that allows the Administrator to collect one or more separate SMB Shared resources hosted in separate servers under one or more logically structured namespaces. For instance, you could use DFS to collect 3 separate Qumulo servers (on-prem or Cloud) under a single UNC path name, simplifying how your users access resources. Additionally, DFS also allows for the automated failover between multiple SMB Servers hosting Folder Targets under the same DFS Folder.
Note: Installing the DFS Server Role on Windows Server is beyond the scope of this document. Please refer to Microsoft's DFS Namespaces overview for the installation procedures.
Access DFS-N via Macintosh or Linux SMB clients
Mac and Linux SMB clients can mount DFS-N Shares in the same manner as any other non-DFS-N SMB Share, including authentication via Kerberos SSO or with username/password pairs via NTLMv2.
Windows Server Choice for DFS Namespace hosting
While the DFS role can be enabled on any Windows Server in a Domain, it is a best practice not to use Domain Controllers as DFS Namespace Servers. This prevents the “SYSVOL” and “NETLOGON” Windows directories from being listed to users browsing the DFS Namespace Root.
Examples: Below is an example of the DFS Namespace hosted in a Domain Controller (Windows Server “DC1”) - Note the presence of NETLOGON and SYSVOL directories on the list of available Shares. The presence of these Domain-specific internal special Windows directories in the UNC path cannot be suppressed if the DFS Namespace is being hosted in a Domain Controller.
Now here’s an example of DFS Namespace hosted in a non-Domain Controller Windows Server (Server “DFS”):
Difference between DFS-N and DFS-R
DFS contains two similarly named, but functionally distinct services called DFS-N and DFS-R (also often referred to as DFSN and DFSR).
DFS-N is the DFS Namespaces path referral system we will be covering in this article while DFS-R refers to Microsoft’s DFS Replication services.
DFS-R leverages Windows Servers and direct access by DFS Host Servers to the Windows NTFS Change Journal to track changes to files and provide a “Last Write Wins” file replication service across grouped DFS Folder Targets.
Qumulo is not currently compatible with DFS-R.
Create a new DFS Namespace
The following example will create a DFS-N Namespace containing the following:
- A Namespace Server dfs.qumulotest.local (Short Name “dfs”)
- Three Folders:
- These three Folders will have one UNC Path for each Folder’s associated Folder Targets:
- \\production.qumulotest.local\Library for Folder Library
- \\qq.qumulotest.local\Incoming for Folder Incoming
- \\dc1.qumulotest.local\Legacy for Folder Legacy
This will allow our users to access all 3 separate SMB Shares via the single “\\dfs\Production” UNC path.
- Launch the DFS Management Console (dfsmgmt.msc) and right-click on Namespaces to launch the New Namespace Wizard.
- Select the Windows Server in your environment which will host the DFS Namespace. We are using the server dfs.qumulotest.local in the example below.
- Enter a name for the new Namespace keeping in mind that this name will be part of the UNC path for the Namespace. In this example, we will be using the name “Production” which will then create the DFS-N “\\dfs\Production” UNC path.
- At this point, we have the option to apply some security settings via the “Edit Settings” button. These options set the security of the shared folder that will be created on the Windows Server hosting the DFS Namespace. It is important to note that:
  - These security settings are independent of Qumulo’s own SMB Share permissions.
  - These security settings only determine the level of access to the shared directory hosting the Target Folders inside the newly created DFS Namespace, not the level of access inside these Target Folders once clients mount them.
  - These security settings are applied to a folder located at “C:\DFSRoots\#NamespaceName#” on the server hosting the DFS Namespace and will not be editable from another Windows Server running the DFS MMC console.
- Choose the type of Namespace to be created.
  - Leave the “Enable Windows Server 2008 mode” box checked.
  - Choose a stand-alone namespace if any of the following conditions apply to your environment:
    - Your organization does not use Active Directory Domain Services (AD DS).
    - You want to increase the availability of the namespace by using a failover cluster.
    - You need to create a single namespace with more than 5,000 DFS folders.
  - Choose a domain-based namespace if any of the following conditions apply to your environment:
    - You want to ensure the availability of the namespace by using multiple namespace servers.
    - You want to hide the name of the namespace server from users. This makes it easier to replace the namespace server or migrate the namespace to another server.
    - Note that if this option is selected, the Namespace UNC path will be based on the name of your AD Domain.
    - Also note that with the domain-based option it will not be possible to hide the NETLOGON and SYSVOL special directories, even if the DFS host server is not a Domain Controller.
- Create Namespace by clicking “Next” and then “Create”
For more information on Namespace types, please refer to Microsoft's Choose a namespace type documentation.
Add Folder Targets to the new DFS Namespace
- Using DFS Management (dfsmgmt.msc), right click on the newly created Namespace \\DFS\Production and select “New Folder”.
- Give the newly created folder a name. Note that it is not necessary for the name to match the name of the SMB Share to be used as a target.
- Click “Add” and enter the path to the Qumulo server hosting the SMB Share for “Library”, in this case “\\qq\Library”, then click “OK”.
- Repeat the process for the remaining servers:
- Verify that you have a DFS Namespace with 3 Folders, each with a Target SMB Share.
When an SMB client now browses the UNC Path “\\DFS\Production” that user will be presented with the 3 Folders we’ve created which provide a direct path for mounting the 3 separate SMB Shares.
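The same namespace can be built with the DFSN PowerShell module instead of the wizard. The script below is an added example, not part of the original article: it assumes a stand-alone namespace (the article's "\\dfs\Production" path uses the server name), read-only access for Everyone on the root share, and an elevated session on the namespace server.

```powershell
#Requires -Modules DFSN, SmbShare
# Added example. Run elevated on the namespace server (dfs.qumulotest.local in the article).

$rootName  = 'Production'
$rootPath  = "\\dfs\$rootName"         # Namespace Path used in the article
$localRoot = "C:\DFSRoots\$rootName"   # local folder backing the Namespace Root

# Folder name -> Folder Target, as listed at the start of this section.
$folders = [ordered]@{
    Library  = '\\production.qumulotest.local\Library'
    Incoming = '\\qq.qumulotest.local\Incoming'
    Legacy   = '\\dc1.qumulotest.local\Legacy'
}

# New-DfsnRoot expects the root share to exist, so create the folder and share first.
if (-not (Test-Path -Path $localRoot)) {
    New-Item -ItemType Directory -Path $localRoot | Out-Null
}
if (-not (Get-SmbShare -Name $rootName -ErrorAction SilentlyContinue)) {
    # Assumption: read-only for Everyone. These permissions cover only the root
    # share on the DFS server, not the Qumulo SMB Shares behind the Folder Targets.
    New-SmbShare -Name $rootName -Path $localRoot -ReadAccess 'Everyone' | Out-Null
}

# Assumption: stand-alone type. Use -Type DomainV2 and a \\<domain>\<name> path
# for a domain-based namespace in Windows Server 2008 mode.
New-DfsnRoot -Path $rootPath -TargetPath $rootPath -Type Standalone | Out-Null

# One Folder per SMB Share, each created with its single Folder Target.
foreach ($f in $folders.GetEnumerator()) {
    New-DfsnFolder -Path "$rootPath\$($f.Key)" -TargetPath $f.Value | Out-Null
}

# Verification step: list every Folder with its Target and referral state.
Get-DfsnFolder -Path "$rootPath\*" |
    ForEach-Object { Get-DfsnFolderTarget -Path $_.Path } |
    Select-Object Path, TargetPath, State
```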
Access Based Enumeration
Access Based Enumeration allows the hiding of Share Targets on the UNC Path Browser based on the access level of the user account performing the browse.
Please note that these settings are independent of any SMB Share permissions or Access Based Enumeration settings applied locally at the Qumulo cluster. Additionally, note that DFS Access Based Enumeration will take into account any Share or NTFS permissions locally applied in the C:\DFSRoots directory of the DFS Namespace host server.
Enable DFS Access Based Enumeration
- Enable Access Based Enumeration at the DFS Namespace Root by navigating to Properties > Advanced > Enable access-based enumeration for this namespace.
- Choose Properties > Advanced > Set explicit view permissions on the DFS folder and then click Configure view permissions.
- Select the users who will be allowed or denied listing the Targets contained in this folder. Note that absence of rights for a user or group will equal the denial of view rights. If there are no entries in the list then the system will return to the default “Use inherited permissions from the local file system” option.
For additional information on DFS Access Based Enumeration, see Microsoft's Enable access-based enumeration on a namespace documentation.
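The steps above can also be applied and audited from PowerShell. This is an added example, not part of the original article: the group names are hypothetical placeholders, and the audit at the end flags any Folder with no explicit view permissions, which falls back to the inherited local file system permissions.

```powershell
#Requires -Modules DFSN
# Added example. Run elevated on the namespace server.

$rootPath = '\\dfs\Production'

# Hypothetical groups: replace with the accounts allowed to see each Folder.
$viewers = @{
    "$rootPath\Library"  = 'QUMULOTEST\Library-Users'
    "$rootPath\Incoming" = 'QUMULOTEST\Incoming-Users'
    "$rootPath\Legacy"   = 'QUMULOTEST\Legacy-Users'
}

# Enable access-based enumeration on the Namespace Root.
Set-DfsnRoot -Path $rootPath -EnableAccessBasedEnumeration $true | Out-Null

# Set explicit view permissions on each DFS Folder. Accounts without an entry
# will not see the Folder when browsing the namespace.
foreach ($entry in $viewers.GetEnumerator()) {
    Grant-DfsnAccess -Path $entry.Key -AccountName $entry.Value | Out-Null
}

# Audit: report the explicit view permissions on every Folder in the namespace.
# This only covers DFS enumeration; Qumulo share permissions are checked separately.
Get-DfsnFolder -Path "$rootPath\*" | ForEach-Object {
    $acl = @(Get-DfsnAccess -Path $_.Path)
    [pscustomobject]@{
        Folder          = $_.Path
        ExplicitEntries = $acl.Count
        Accounts        = ($acl.AccountName -join ', ')
        Note            = if ($acl.Count -eq 0) {
            'no explicit entries: inherits local file system permissions'
        } else { '' }
    }
}
```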
You should now be able to create new DFS Namespaces with Qumulo SMB Shares as Folder Targets.