Pete Hinchley: Create a Highly Available File Share with DFS-N and DFS-R from the Command Line

In this article I will demonstrate how to use the command line to create a highly available file share with DFS-N and DFS-R. In particular, I will describe the configuration required for creating a "users" share suitable for hosting user home drives.

From an elevated command prompt, let's start by creating the required folder structure:

mkdir C:\Shares
mkdir C:\Shares\Users

Now, let's share the Users folder, granting the Everyone group Full Control:

net share Users=C:\Shares\Users /Grant:Everyone,Full

The next step is to remove all inherited permissions on C:\Shares, and to explicitly grant Administrators and System Full Control:

icacls C:\Shares /inheritance:r
icacls C:\Shares /grant Administrators:(OI)(CI)F
icacls C:\Shares /grant System:(OI)(CI)F

We then grant Authenticated Users the Create folders / append data permission on C:\Shares\Users, limiting the permission to This folder only. This is necessary to facilitate the auto-creation of a user home drive when a new user logs onto a domain-member workstation for the first time (assuming group policy is configured to enable this behaviour). We also grant Creator Owner the Modify permission on Subfolders and files only, thereby ensuring that users are able to add/remove content within their home drive folder once it is created.

icacls C:\Shares\Users /grant "Creator Owner":(OI)(CI)(IO)M
icacls C:\Shares\Users /grant "Authenticated Users":(S,AD)

Having completed the configuration of the file system, we will now install the DFS-N and DFS-R features. We also explicitly configure the DFS namespace server to use fully qualified name referrals. From an elevated PowerShell prompt run:

Install-WindowsFeature FS-DFS-Namespace, FS-DFS-Replication
Set-DfsnServerConfiguration . -UseFqdn:$true
Stop-Service dfs; Start-Service dfs

This completes the basic configuration on the first server; the exact same procedure should now be completed on the second filer server.

The next step is to create a DFS namespace named "Users" that points to the share on the first file server:

New-DfsnRoot -TargetPath "\\\users" -Type DomainV2 -Path "\\\users"

And then add a second DFS-N target, which points to the second file server:

New-DfsnRootTarget -TargetPath "\\\users" -Path "\\\users"

That's it. DFS-N is done. Now let's move onto DFS-R.

The PowerShell cmdlets required to configure DFS-R are installed via the DFS Management Tools feature (RSAT-DFS-Mgmt-Con). Unfortunately, this feature has a dependency on the Graphical Management Tools and Infrastructure feature (Server-Gui-Mgmt-Infra). Hence, if you want to avoid installing any GUI components on your file server, and you want to configure DFS-R using PowerShell, you will need to do so from a remote server that includes the requisite tools.

Assuming you've got this covered, the following commands will create a DFS-R replication group named "LAN", consisting of "server1" and "server 2", and replicating a folder named "Users", referencing the folder path C:\Shares\Users:

New-DfsReplicationGroup -GroupName LAN | New-DfsReplicatedFolder -FolderName Users | Add-DfsrMember -ComputerName,
Set-DfsrMembership -GroupName "LAN" -FolderName "Users" -ContentPath C:\Shares\Users -ComputerName, -confirm:$false -Force

The next two commands will create a bi-directional connection between the members of the replication group, and configure "server1" as the primary node:

Add-DfsrConnection -GroupName LAN -SourceComputerName -DestinationComputerName
Set-DfsrMembership -GroupName LAN -FolderName Users -ComputerName -PrimaryMember $true -Force

Finally, we will create a link between the DFS-N namespace we previously created, and the new DFS-R replicated folder:

$Object = [adsi]"LDAP://CN=Users,CN=Content,CN=LAN,CN=DFSR-GlobalSettings,CN=System,DC=lab,DC=hinchley,DC=net"
$Object.put("msDFSR-DfsPath", "\\\Users")

Let's repeat the process, but this time we will create a "group" share, and as an added bonus, we will only use PowerShell. There are a couple of steps that don't need to be repeated; the creation of the top-level "shares" folder, and the creation of the DFS-R replication group (we will reuse the LAN group).

This code should be executed on both file servers:

# Set the folder path.
$folder = "C:\Shares\Groups"

# Create the folder.
New-Item -Type Directory $folder

# Create the share.
New-SmbShare –Name Groups –Path $folder -FullAccess Everyone

# Grant "Authenticated Users" the "Modify" permission to the folder.
$acl = Get-Acl $folder
$rule = New-Object  System.Security.AccessControl.FileSystemAccessRule("Authenticated Users", "Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
Set-Acl $folder $acl 

This code should be executed from a server with access to both the DFS-N and DFS-R cmdlets:

# Create the DFS-N namespace.
New-DfsnRoot -TargetPath "\\\groups" -Type DomainV2 -Path "\\\groups"
New-DfsnRootTarget -TargetPath "\\\groups" -Path "\\\groups"

# Configure DFS-R replication.
Get-DfsReplicationGroup -GroupName LAN | New-DfsReplicatedFolder -FolderName Groups

Set-DfsrMembership -GroupName LAN -FolderName Groups -ContentPath C:\Shares\Groups -ComputerName, -Force

Set-DfsrMembership -GroupName LAN -FolderName Groups -ComputerName -PrimaryMember $true

# Link DFS-R and DFS-N.
$Object = [adsi]"LDAP://CN=Groups,CN=Content,CN=LAN,CN=DFSR-GlobalSettings,CN=System,DC=lab,DC=hinchley,DC=net"

$Object.put("msDFSR-DfsPath", "\\\Groups")


That's it.