DFS Namespace inaccessible when PDC is unavailable or moved

active-directory, dfs

Our current setup uses two DFS servers acting as referral servers for our DFS Namespace. The data is replicated from the Live server to the DR server at our second location. The aim is for the second server to always be live for referrals, but the folder targets are only enabled for the Live site.

This all works fine under normal conditions. The problem we are running into is that during a test of the link between the two offices going down, the namespace becomes unavailable and we are unable to create a new namespace. After running diagnostics during this event it was found that the DFS Namespace requires access to the primary domain controller in order to interact with the namespace. So now during a "link down" test we transfer the FSMO roles over to the DR domain controllers so the PDC is accessible. Now we are able to create new namespaces, but we are still unable to interact with the current one.

We have had Active Directory health tests, an upgrade to a 2012 R2 domain, and full cleaning and rebuilds of the DFS system, and whenever the link goes down, even with the PDC being available, DFS complains that it cannot see the domain or namespace anymore.

I'm now completely out of ideas, so if anyone has any experience with this, please offer suggestions for testing. The current solution is that during this scenario we basically cannot use the DFS Namespace and instead have to run scripts to move the paths for roaming profiles and folder redirection to the DR servers, instead of just moving the folder referrals on the DFS. This just doesn't seem like it should be the case; there must be a way to always be able to use the namespace.

Setup:
AD Domain – Windows 2012 R2. 2 DCs at Live, 2 DCs at DR.
Live DFS Server – Windows 2012 R2. Referral server enabled, folder targets enabled, namespace server enabled.
DR DFS Server – Windows 2012 R2. Referral server enabled, folder targets disabled, namespace server enabled.
Data replication method – Bvckup2.
We use roaming profiles and folder redirection within users' home drives.

Best Answer

I have figured out the issue, it all stems from the default settings of the DFS Namespace environment.

We are using a DNS-only environment, so we need to recreate the DFS Namespace as DNS-only and to accept FQDN referrals, essentially following this article:

https://support.microsoft.com/en-us/kb/244380

I had planned to do this in the past but found that it was relatively high risk with all the other work that was happening and would have had little impact on our environment, that is, until we found this specific corner case of the PDC becoming unavailable (even with a FSMO role transfer).

Hopefully this can help someone else in this very specific situation.
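The following PowerShell script is an added example illustrating the fix described in the answer; it is not code from the original post or from the author. It audits a domain-based DFS Namespace against the DNS-only / FQDN-referral configuration that KB 244380 describes: it reports which DC currently holds the PDC Emulator role and whether it answers on SMB, checks the UseFqdn setting on each namespace server (the DFSN cmdlet equivalent of the DfsDnsConfig registry value in the KB), and lists any root or folder targets still referenced by a NetBIOS name. The domain name, namespace name and server names are hypothetical placeholders, and the ActiveDirectory and DFSN modules (present on Windows Server 2012 R2 with the RSAT features installed) are assumed.

```powershell
#Requires -Modules ActiveDirectory, DFSN
<#
  Added example (not from the original post). Audits a domain-based DFS
  Namespace for DNS-only / FQDN referrals as described in KB 244380.
  All names below are hypothetical placeholders; adjust to your environment.
#>
param(
    [string]   $Domain           = 'corp.example.com',
    [string]   $NamespaceName    = 'files',
    [string[]] $NamespaceServers = @('dfs-live.corp.example.com', 'dfs-dr.corp.example.com'),
    [switch]   $Fix               # apply UseFqdn on namespace servers; otherwise report only
)

$nsPath = "\\$Domain\$NamespaceName"

# Returns $true when the host part of a UNC path is an FQDN (contains a dot).
function Test-FqdnTarget([string]$UncPath) {
    $hostName = (($UncPath -replace '^\\\\', '') -split '\\')[0]
    return [bool]($hostName -match '\.')
}

# 0. Which DC holds the PDC Emulator right now, and is it reachable on SMB (445)?
#    Domain-based namespaces are edited through the PDC Emulator, so this is the
#    first thing to confirm during a "link down" test.
$pdc = (Get-ADDomain -Identity $Domain).PDCEmulator
$smb = Test-NetConnection -ComputerName $pdc -Port 445 -WarningAction SilentlyContinue
Write-Host ("PDC Emulator: {0}  SMB reachable: {1}" -f $pdc, $smb.TcpTestSucceeded)

# 1. Every namespace server must have UseFqdn enabled (KB 244380: DfsDnsConfig = 1).
foreach ($server in $NamespaceServers) {
    $cfg = Get-DfsnServerConfiguration -ComputerName $server
    if ($cfg.UseFqdn) {
        Write-Host "$server : UseFqdn already enabled"
        continue
    }
    Write-Warning "$server : UseFqdn is disabled; referrals from this server use NetBIOS names"
    if ($Fix) {
        Set-DfsnServerConfiguration -ComputerName $server -UseFqdn $true
        # The setting is read when the DFS Namespace service ('Dfs') starts.
        Invoke-Command -ComputerName $server -ScriptBlock { Restart-Service -Name Dfs }
        Write-Host "$server : UseFqdn enabled and DFS Namespace service restarted"
    }
}

# 2. Targets created before the change keep their NetBIOS names; list them so the
#    namespace (or at least those targets) can be recreated with FQDNs.
$rootTargets   = @(Get-DfsnRootTarget -Path $nsPath)
$folderTargets = @(Get-DfsnFolder -Path "$nsPath\*" |
                   ForEach-Object { Get-DfsnFolderTarget -Path $_.Path })

$netbiosTargets = @($rootTargets + $folderTargets |
                    Where-Object { -not (Test-FqdnTarget $_.TargetPath) })

if ($netbiosTargets.Count -eq 0) {
    Write-Host "All root and folder targets under $nsPath use FQDNs"
} else {
    Write-Warning ("{0} target(s) under {1} still use NetBIOS names:" -f $netbiosTargets.Count, $nsPath)
    $netbiosTargets | Select-Object Path, TargetPath, State | Format-Table -AutoSize
}
```

Run it without `-Fix` first to see the current state; with `-Fix` it only changes the per-server UseFqdn setting and restarts the DFS Namespace service. It deliberately does not remove or recreate root targets, because that is the disruptive step the answer refers to and should be done in a planned change window: existing targets listed in step 2 have to be removed and re-added by FQDN (or the namespace recreated) before referrals stop depending on NetBIOS name resolution across the WAN link.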