Windows – SYSVOL replication over DFS-R

A standalone DFS namespace cannot participate in DFS-R (If it is not a member of an AD domain).

Clarification:

DFS can utilize two methods to replicate data:

• DFS-R - newer and used for Win2k8, Win2k8 R2, & Win2k3 R2
• FRS - used for older versions of Windows.

If the server you are setting up the namespace on, and the target servers are members of an AD domain then, Yes you can use DFS replication.

If you do not have Domain Admin rights you will need to be delegated permissions to create replication groups:

Detailed delegation Grant permissions to create a replication group This action is one of the two delegation actions that are available in DFS Management. To manually perform this action in Active Directory Users and Computers, follow these steps:

• Start Active Directory Users and Computers.
• Right-click the Domain\System\DFSR-GlobalSettings node, and then click Properties.
• Click the Security tab, and then click Advanced.
• Grant the desired users or groups the Create All Child objects permission, and then click to select This object only in the Apply onto area.

Or alternatively you could ask to be set to control all Replication groups:

Control of all replication groups To grant a user control of all existing and future replication groups in a domain, follow these steps:

• Start Active Directory Users and Computers.
• Right-click the following node, and then click Properties:
• Domain\System\DFSR-GlobalSettings
• Click the Security tab, and then click Advanced.
• Grant the desired users or groups the Full Control permission, and then click to select This object and all child objects in the Apply onto area.
• Add the users or groups to each member's local Administrators group. Or, grant the Full Control permission for the computer objects of each server in the replication groups.

Steps were taking from KB911604

This thread on technet says SYSTEM needs full control. Not a very official source however, and further testing proves that it is wrong.

DFS Replication Service

I took a look at the DFS services on my Server 2008R2 machine with Process Explorer. dfsrs.exe, the Distributed File System Replication service, runs as "NT Authority\SYSTEM". However, it has SeBackupPrivilege and SeRestorePrivilege:

From Microsoft Privilege Constants:

SeBackupPrivilege - Required to perform backup operations. This privilege causes the system to grant all read access control to any file, regardless of the access control list (ACL) specified for the file. Any access request other than read is still evaluated with the ACL.3

SeRestorePrivilege - Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file.

With those permissions, the DFS Replication Service can ignore any file permissions - it is given permission to read, write, and set permissions on any file it pleases.

Testing

I created a folder in one of my DFS shares with a few files in it, set my account as the owner, and removed all permissions except for my account.

DFS replicated it to all the other servers without issue, and all the replicas had the same permissions.

Thus DFS is not dependant on any file system permissions to replicate.

I suspect in your case simply making any changes to the files would have caused DFS to wake up and see that they needed replicating. No idea what would have caused that situation in the first place though.