Archive for January, 2019

Hi folks, here are web resources to implement and  troubleshoot MS DFS and MS DFS-R:

DFS Replication in Windows Server 2012 R2 :

DFS Replication Initial Sync in Windows Server 2012 R2:

DFS Replication in Windows Server 2012 R2: Restoring Conflicted, Deleted and PreExisting files with Windows PowerShell:

Understanding DFS (how it works):

=> Several mechanisn are used: routing, DNS, AD sites and subnets topology, WINS,  FW ports and rules shoud be open (RPC, SMB…):

NetBIOS Name Service:  Domain controllers; root servers that are not domain controllers; servers acting as link targets; client computers acting as link targets: TCP/UDP 137

NetBIOS Datagram Service: Domain controllers; root servers that are not domain controllers; servers acting as link targets; client computers acting as link targets: TCP/138

NetBIOS Session Service: Domain controllers; root servers that are not domain controllers; servers acting as link targets; client computers acting as link targets: TCP/139

LDAP Server: Domain controllers TCP/UDP 389

Remote Procedure Call (RPC) endpoint mapper: Domain controllers TCP/135

Server Message Block (SMB): Domain controllers; root servers that are not domain controllers; servers acting as link targets; client computers acting as link targets: TCP/UDP 445

Extract from the MS technet: “When a client requests a referral from a domain controller, the DFS service on the domain controller uses the site information defined in Active Directory (through the DSAddressToSiteNames API) to determine the site of the client, based on the client s IP address. DFS stores this information in the client site cache”
“DFS clients store root referrals and link referrals in the referral cache (also called the PKT cache). These referrals allow clients to access the root and links within a namespace. You can view the contents of the referral cache by using Dfsutil.exe with the /pktinfo “
“You can view the domain cache on a client computer by using the Dfsutil.exe command-line tool with the /spcinfo parameter”

Implementing DFS-R: AND DFS-R FAQ:, delegate DFS-R permissions:

DFS-R limits:

The following list provides a set of scalability guidelines that have been tested by Microsoft on Windows Server 2012 R2:
• Size of all replicated files on a server: 100 terabytes.
• Number of replicated files on a volume: 70 million.
• Maximum file size: 250 gigabytes.

The following list provides a set of scalability guidelines that have been tested by Microsoft on Windows Server 2012, Windows Server 2008 R2, and Windows Server 2008:
• Size of all replicated files on a server: 10 terabytes.
• Number of replicated files on a volume: 11 million.
• Maximum file size: 64 gigabytes

Implementing DFS Namespace: AND DFS-N FAQ:

Consolidation of multiple DFS namespaces in a single one :

Netmon trace digest:

SMB and Wireshark:

DFS and Wireshark:

DFS 2008 step by step:

DFS tuning and troubleshooting:

How to troubleshoot Distributed File System Namespace access failures in Windows:

FS-N et DFS-R en ligne de commande:

DFSR les commandes les plus utiles:


Tuning DFS: and Tuning DFS Replication performance :

DFSutil command line: AND and

Performance tuning guidelines for Windows 2008 R2:


DFSRMon utility:

or  DfsrAdmin.exe in conjunction with Scheduled Tasks to regularly generate health reports:

Server side:

DFS: some notions: A referral is an ordered list of targets that a client computer receives from a domain controller or namespace server when the user accesses a namespace root or folder with targets. After the client receives the referral, the client attempts to access the first target in the list. If the target is not available, the client attempts to access the next target.

tip1) dfsutil domain : Displays all namespaces in the domain ; dfsutil /domain:mydomain.local /view

tip2) You can check the size of an existing DFS namespace by using the following syntax in Dfsutil.exe:

dfsutil /root:\\mydomain.local\rootname /view (for domain-based DFS)
dfsutil /root:\\dfsserver\rootname /view (for stand-alone DFS)

tip3) Enabling the insite setting of a DFS server is useful when: You don’t want the DFS clients to connect outside the site.
You don’t want the DFS client to connect to a site other than the site it is in, and hence avoid using expensive WAN links.
dfsutil /insite:\\mydomain.local\dfsroot /enable

tip4) You want DFS clients to be able to connect outside the internal site, but you want clients to connect to the closest site first, saving the expensive network bandwidth:

ex: dfsutil /root:\\mydomain.local\sales /sitecosting /view or /enable or /disable

If you do not know if a root is site costing aware, you can check its status by substituting the /display parameter for the /sitecosting parameter.

tip5) Enable root scalability mode: You enable root scalability mode by using the /RootScalability parameter in Dfsutil.exe, which you can install from the \Support\Tools folder on the Windows Server 2003 operating system CD. When root scalability mode is enabled,  DFS root servers get updates from the closest domain controller instead of the server acting as the PDC emulator master.
As a result, root scalability mode reduces network traffic to the PDC emulator master at the expense of faster updates  to all root servers. (When you make changes to the namespace, the changes are still made on the PDC emulator master,  but the root servers no longer poll the PDC emulator master hourly for those changes; instead, they poll the closest domain controller.)
With this mode enabled, you can have as many root targets as you need, as long as the size of the DFS Active Directory object (for each root)  is less than 5 MB. Do not use root scalability mode if any of the following conditions exist in your organization:Your namespace changes frequently, and users cannot tolerate having inconsistent views of the namespace.  Domain controller replication is slow. This increases the amount of time it takes for the PDC emulator master  to replicate DFS changes to other domain controllers, which, in turn, replicate changes to the root servers.  Until this replication completes, the namespace will be inconsistent on all root servers.

ex: dfsutil /root:\\mydomain.local\sales /rootscalability /view or /enable or /disable

tip6) Dfsdiag utility:

/testdcs: With this you can check the configuration of the domain controllers. It performs the following tests:

  • Verifies that the DFS Namespace service is running on all the DCs and its Startup Type is set to Automatic.
  • Check for the support of site-costed referrals for NETLOGON and SYSVOL.
  • Verify the consistency of site association by hostname and IP address on each DC.

To run this command against your domain mydomain.local just type:

DFSDiag /testdcs /domain:mydomain.local

DFSDiag /testdcs > dfsdiag_testdcs.txt

/testsites: Used to check the configuration of Active Directory Domain Services (AD DS) sites by verifying that servers that act as namespace servers or folder (link) targets have the same site associations on all domain controllers.

So for a machine you will be running something like: DFSDiag /testsites /machine:MyDFSServer

For a folder (link): DFSDiag /testsites /dfspath:\\mydomain.local\MyNamespace\MyLink /full

For a root: DFSDiag /testsites /dfspath:\\mydomain.local\MyNamespace /recurse /full

/testdfsconfig:  With this you can check the DFS namespace configuration. The tests that perform are:

  • Verifies that the DFS Namespace service is running and that its Startup Type is set to Automatic on all namespace servers.
  • Verifies that the DFS registry configuration is consistent among namespace servers.
  • Validates the following dependencies on clustered namespace servers that are running Windows 2008 (non supported for W2K3 clusters L):
    • Namespace root resource dependency on network name resource.
    • Network name resource dependency on IP address resource.
    • Namespace root resource dependency on physical disk resource.

To run this you just need to type:  DFSDiag /testdfsconfig /dfsroot:\\mydomain.local\MyNamespace

/testdfsintegrity: Used to check the namespace integrity. The tests performed are:

  • Checks for DFS metadata corruption or inconsistencies between domain controllers
  • In Windows 2008 server, validates that the Access Based Enumeration state is consistent between DFS metadata and the namespace server share.
  • Detect overlapping DFS folders (links), duplicate folders and folders with overlapping folder targets (link targets).

To check the integrity of your domain mydomain.local:

DFSDiag /testdfsintegrity /dfsroot:\\mydomain.local\MyNamespace

DFSDiag.exe /testdfsintegrity /dfsroot:\\mydomain.local\MyNamespace /recurse /full > dfsdiag_testdfsintegrity.txt

Additionally you can specify /full, /recurse, which in this case, /full verifies the consistency of share and NTFS ACLs in all the folder targets. It also verifies that the Online property is set in all the folder targets. /recurse performs the testing including the namespace interlinks.

/testreferral: Perform specific tests, depending on the type of referral being used.

  • For Trusted Domain referrals, validates that the referral list includes all trusted domains.
  • For Domain referrals, perform a DC health check as in /testdcs
  • For Sysvol and Netlogon referrals perform the validation for Domain referrals and that it’s TTL has the default value (900s).
  • For namespace root referrals, perform the validation for Domain referrals, a DFS configuration check (as in /testdfsconfig) and a Namespace integrity check (as in /testdfsintegrity).
  • For DFS folder referrals, in addition to performing the same health checks as when you specify a namesapace root, this command validates the site configuration for folder target (DFSDiag /testsites) and validates the site association of the local host

Again for your namespace mydomain.local:

DFSDiag /testreferral /dfspath:\\mydomain.local\MyNamespace

DFSDiag.exe /testreferral /dfspath:\\mydomain.local\MyNamespace /full > dfsdiag_testreferral.txt

There is also the option to use /full as an optional parameter, but this only applies to Domain and Root referrals. In these cases /full verifies the consistency of site association information between the registry and Active Directory.

Domain controllers:

Evaluate domain controller health, site configurations, FSMO ownerships, and connectivity:

Use Dcdiag.exe to check if domain controllers are functional. Review this for comprehensive details about dcdiag:

    Dcdiag /v /f:Dcdiag_verbose_output.txt

    Dcdiag /v /test:dns /f:DCDiag_DNS_output.txt

    Dcdiag /v /test:topology /f:DCDiag_Topology_output.txt

Active Directory replication

If DCDiag finds any replication failures and you need additional details about them, Ned wrote an excellent article a while back that covers how to use the Repadmin.exe utility to validate the replication health of domain controllers:

    Repadmin /replsummary * > repadmin_replsummary.txt

    Repadmin /showrepl * > repadmin_showrepl.txt

Always validate the health of the environment prior to utilizing a namespace.


  • dfsutil /root:\\mydomain.local\myroot /view /verbose    ; display the content of root dfs (links…)
  • dfsutil /pktinfo     ;to display the client cache
  • dfsutil /spcinfo     ; the domain cache on a client computer
  • dfsutil /purgemupcache ; cache stores information about which redirector, such as DFS, SMB, or WebDAV, is required for each UNC path
  • dfsutil /pktflush   ; Dfsutil /PktFlush is a special problem repair command that should only be executed on the client.
  • dfsutil cache referral flush   ; to flush the client cache
  • dfsdiag /testdfsintegrity /dfsroot:\\mydomain.local\dfsroot /recurse /full > dfsdiag_testdfsintegrity.txt   ; to test root dfs from local client
  • dfsutil client siteinfo <ip> ; to display the remote client AD client site
  • dfsutil /sitename:<ip address>  or nltest /dsgetsite ; to display the local AD client site
  • To display a target dfs (primary/active) from cmd line: dfsutil client property state \\mydomain.local\dfsroot\dfsfolder1
  • To change a target dfs (primary/active) from cmd line: dfsutil client property state active \\mydomain.local\dfsroot\dfsfolder1 \\\share  ; but you need a special hotfix for win7/2008r2 clients:
  • Understanding: DFS override referral ordering:

Dfsutil examples:





Centrifydc.conf optimization:


Centrifydc reference guide:

Microsoft Ignite conference:





Microsoft recommendations:



How to monitor LDAP, NTLM, Kerberos to your domain controllers ?

Troubleshooting high LSASS CPU ?

Root cause:

The root cause of LSASS CPU% peaks could be multiple:

  • Identify circular nested groups in the domain (=> )
  • Removal of Cipher protocols on DCs (=> use IISCrypto from Nartac software to remediate)
  • Malformed LDAP query on Applications (Linux-Unix-Java based)
  • LDAP configuration problems on Applications (Linux/Java based)
  • conf, sssd.conf, … config problems on Linux/Unix
  • Local Antivirus running on the Domain controllers is not well configured to exclude DC folders and files (NTDS, Sysvol…)
  • Centrify configuration settings not optimized on Linux/Unix
  • Centrify ZPA not well configured
  • Vmware Vcenter not well integrated to a windows domain
  • Vmware ESX not well integrated to a windows domain
  • Storage appliances not well integrated to a windows domain

DC fails logons or experiences LDAP timeouts:

Tips and tricks:

  • Identify missing subnets and add them on dssite.msc
  • Add more CPU and RAM on domain controllers
  • Move to 2012 R2 domain controllers
  • Disable Netbios on the DC but this may not be an option for everyone, so the site subnet mapping or DNS name resolution should also fix this kind of an issue.
  • Educate developers to perform the right LDAP queries
  • Configure client applications properly (ldap filters)
  • We have seen the LDAP ATQ threads get depleted at a customer due to high volume of LDAP clients using NTLM for authentication. These were overloading the Netlogon service, ran into MaxConcurrentApi bottleneck.
  • By default there are 4 threads per processor allocated to the LDAP thread pool, we can change that via LDAP policies, specifically MaxPoolThreads: MaxPoolThreads = Maximum number of threads created by the domain controller for query execution (4 per processor). Set to 8 per proc.

Enable LDAP query logging using NTDS diagnostic values:

with PowerShell script:

Basically, you want to set the following registry values:

Path: HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics\15 Field Engineering
Value: 5

Path: HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Expensive Search Results Threshold
Value: 10000  (decimal – default value)

Path: HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Inefficient Search Results Threshold
Value: 1000  (decimal – default value)

Path: HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Search Time Threshold
Value: 30000  (decimal – defaut value in milliseconds)


Expensive LDAP calls are the searches those visit large number of entries. Default threshold for expensive search is 10,000 which means if an LDAP call visit 10,000 or more entries then it will be consider as an expensive call. Once you find such call in logs, you can figure out possible solutions to optimize it. For example a query (displayName=*John*) on root domain container will visit all objects in the domain those have any value available in displayName attribute and it will be consider an expensive call if there are 10,000 or plus such objects those have displayName attribute populated.

Inefficient LDAP calls are the searches those return less than 10% of visited entries. For example, if a query visit 10,000 entries in active directory but only return 100 entries then it will be consider inefficient query as return entries are less than 10% of total visited entries. Default visited entries threshold limit for inefficient query is 1,000 which means if a query visit less than 1000 entries then it will not be consider inefficient query even though if it return no entry.

Search Time Threshold, is available only if 2012 R2 DC or after you install the KB 2800945 installed on Server 2012, Server 2008 R2 or Server 2008 domain controllers. By default the value is 30000 milliseconds = 30 seconds ! too long and I recommend to set up to 5000 (5 secs)

These registry changes do not require a reboot but are set per server, so implementing for an entire forest/domain would best be done via Group Policy Preferences. Once set you will find the resulting logs in the Directory Service event log on the DC. They are not exactly parse-friendly but can be wrangled with some regex. The best part is it requires no external utilities/code. Because it is very verbose, don’t forget to remove those values after audit phase.

Which Tools to help?

Creating More Efficient Active Directory-Enabled Applications:

Web Resources:  for more on enabling diagnostics logging. : Debugging And Performance Tuning With ETW : creating Data Collector Sets


Using site-to-site VPN gateway can provide better continuity for your work in hybrid cloud setup with Azure. This post will explain how to set up site-to-site VPN Gateway to enable this.


Before start make sure you have following in place.

1) VPN device: A VPN device is needed on-premise to create the VPN connection with Azure. A list of supported list of devices can found here.

2) Static Public IP address: The VPN device should have external public IP address and it shouldn’t be NAT.

3) Valid Azure Subscription


How to:

Key properties of the Azure AD B2B collaboration user



This property indicates the relationship of the user to the host tenancy. This property can have two values:

  • Member: This value indicates an employee of the host organization and a user in the organization’s payroll. For example, this user expects to have access to internal-only sites. This user is not considered an external collaborator.
  • Guest: This value indicates a user who isn’t considered internal to the company, such as an external collaborator, partner, or customer. Such a user isn’t expected to receive a CEO’s internal memo or receive company benefits, for example.


    The UserType has no relation to how the user signs in, the directory role of the user, and so on. This property simply indicates the user’s relationship to the host organization and allows the organization to enforce policies that depend on this property.


This property indicates how the user signs in.

  • Invited User: This user has been invited but has not yet redeemed an invitation.
  • External Active Directory: This user is homed in an external organization and authenticates by using an Azure AD account that belongs to the other organization.
  • Microsoft account: This user is homed in a Microsoft account and authenticates by using a Microsoft account.
  • Windows Server Active Directory: This user is signed in from on-premises Active Directory that belongs to this organization.
  • Azure Active Directory: This user authenticates by using an Azure AD account that belongs to this organization.


    Source and UserType are independent properties. A value of Source does not imply a particular value for UserType.

If your organization has multiple Azure AD (AAD) directories, perhaps due to security requirements, or mergers or acquisitions; it may be a good idea adding guest users from other AAD directories as members.

The main difference between a Guest and a Member is in the lookup rights to the domain. A guest can typically not look up users and groups like a Member user can. A member would need this for self service reasons, and to look up contact information for other users, while you’d typically not want a guest to do that.

In order to convert the user, you currently have to use Powershell. Ypou need to have the AzureAD module installed on your computer.

  1. Log into your Azure AD tenant:
  2. Convert the user

    You may want to search up the user using just the Get-AzureADUser first.

Install .dot net framework

Install .dotnetframework & packages:



NDP47-KB3186497-x86-x64-AllOS-ENU.exe /norestart

Reference articles and help to activate Windows (wks and server editions) in enterprise:

Manage activations:


Download the latest Windows ADK (Assessement and Deployment Kit):