
PowerShell is a command line interface for Windows that offers a very powerful and flexible model.
It is now a feature included with Windows 7 and Windows Server 2008 R2, not an optional download as before.
In this post, I show some sample commands that can help you understand some of the basic features and a few more complex ones. 
If you never played with it before, try running some commands in a PowerShell prompt.

Shows a list of commands: Get-Command
Shows the help overview: Get-Help
Show the help for “Dir”: Get-Help Dir

Let's use the Dir command now (actually an alias for Get-ChildItem) and a number of ways to transform the output using pipeline functions:

Shows Directory: Dir
Shows Directory in list format (two ways): Dir | Format-List
Dir | FL
Shows Directory sorted by file length: Dir | Sort Length
Shows Directory sorted by file length in descending order: Dir | Sort Length -Descending
Shows all the methods and properties for the objects resulting from Dir (files and folders): Dir | Get-Member
Shows a selected list of properties instead of the default list: Dir | Select Directory, Name, Extension, Length
Shows directory in HTML format (not much use going to the console like this, though): Dir | ConvertTo-Html
Output the Directory listing to a file: Dir | Out-File psfilelist.txt
All together now: Shows selected list of properties, sorted, in HTML, going to a file. You need to open the file yourself: Dir | Select Directory, Name, Extension, Length | Sort Length -Descending | ConvertTo-Html | Out-File psfilelist.htm

Now exploring other “drives” in PowerShell, including the certificate store and the registry.

Get list of PowerShell “drives”: Get-PSDrive
Shows environment variables: Dir ENV:\
Shows the certificate store: Dir CERT:\
Shows root certificates for the machine: Dir CERT:\LocalMachine\Root | Select FriendlyName, NotAfter
Shows “HK Local Machine” portion of the registry: Dir HKLM:
Shows specified part of the registry: Dir HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion

Another easy way to get interesting data is with Get-Process.

List running processes: Get-Process
Shows all the methods and properties for the process objects: Get-Process | Get-Member
Shows selected list of properties of running processes, formatted as table: Get-Process | Select Id, Name, Product, CPU, WorkingSet | Format-Table -AutoSize

Combining PowerShell with WMI is also very interesting. You can leverage any WMI provider on the box using Get-WmiObject.
You can get a list of WMI Classes from http://msdn.microsoft.com/en-us/library/aa394554(VS.85).aspx

Shows disk partitions: Get-WmiObject Win32_DiskPartition | Select Name, Size, BootPartition
Shows logical disks: Get-WmiObject Win32_LogicalDisk | Select DeviceID, DriveType, Size, FreeSpace
Shows mapped drives (with NET USE command): Get-WmiObject Win32_MappedLogicalDisk | Select Name, ProviderName, FileSystem, Size, FreeSpace | Format-Table

PowerShell also lets you call the .NET Framework, which is a huge library.
You need to use a syntax where the full class name (library.class) is mentioned in [], followed by a :: and the method name.

You can find a reference for it at http://msdn.microsoft.com/en-us/library/ms229335.aspx

Shows network interfaces: [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces() | Select Name, Speed, OperationalStatus
Shows identity of the current logged user: [System.Security.Principal.WindowsIdentity]::GetCurrent() | Select Name, AuthenticationType, IsAuthenticated, IsSystem
Shows drive information: [System.IO.DriveInfo]::GetDrives() | Select Name, DriveType, IsReady, TotalSize, TotalFreeSpace, RootDirectory | Format-Table -autosize

It’s also interesting to iterate through the list of resulting objects, to perform additional actions.
You use the ForEach keyword, which allows you to run something for each item. The item is referred to as $_.
You can also use the symbol % instead of ForEach.

Change to the user home folder, which is obtained from the environment variables:

Dir Env:\HOMEPATH | ForEach { CD $_.Value }
Dir Env:\HOMEPATH | % { CD $_.Value }

Show all text files enumerated by the Dir command: Dir *.TXT | ForEach { Type $_ }
Dir *.TXT | % { Type $_ }
Show root directory for all drives enumerated by GetDrives: [System.IO.DriveInfo]::GetDrives() | foreach { Dir $_ }
[System.IO.DriveInfo]::GetDrives() | % { Dir $_ }

A similar syntax is used for Where (actually an alias for Where-Object), which can be used to filter objects in the pipeline.

Show selected properties of processes using more than 10MB of memory, in descending order, formatted as table: Get-Process | Select Id, Name, Product, CPU, WorkingSet | Where { $_.WorkingSet -gt 10*1024*1024} | Sort WorkingSet -Descending | Format-Table -AutoSize
Shows all services that are stopped: Get-Service | Where { $_.Status -eq "Stopped" }
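
The Cert: drive and the Where, Sort and ForEach pipeline steps shown above combine into a small audit, given here as an added example that is not part of the original post: it flags machine certificates that are expired, not yet valid or close to expiry. The function name, its parameters, the 30-day threshold and the choice of stores are assumptions of this example.

```powershell
# Added example, not from the original post.
# Uses only constructs available in Windows PowerShell 2.0 and later.
function Get-CertificateExpiryReport {
    param(
        # Stores to inspect on the Cert: drive (this example's choice of defaults)
        [string[]] $StorePath = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\My'),
        # Certificates that expire within this many days are flagged
        [int] $WarnDays = 30,
        # Reference date, overridable so a report can be reproduced later
        [datetime] $AsOf = (Get-Date)
    )

    foreach ($path in $StorePath) {
        # A store can be absent on a given machine; report it and move on
        if (-not (Test-Path -Path $path)) {
            Write-Warning "Certificate store not found: $path"
            continue
        }

        Dir $path |
            # Keep certificates only (a store location would return store objects)
            Where { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
            ForEach {
                $cert = $_
                # Negative values mean the certificate has already expired
                $daysLeft = [int][math]::Floor(($cert.NotAfter - $AsOf).TotalDays)

                if     ($cert.NotBefore -gt $AsOf) { $status = 'NotYetValid' }
                elseif ($daysLeft -lt 0)           { $status = 'Expired' }
                elseif ($daysLeft -le $WarnDays)   { $status = 'ExpiringSoon' }
                else                               { $status = 'Valid' }

                # Emit one object per certificate so later pipeline steps can filter and sort
                New-Object PSObject -Property @{
                    Store      = $path
                    Status     = $status
                    DaysLeft   = $daysLeft
                    NotAfter   = $cert.NotAfter
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                }
            }
    }
}

# Show only the certificates that need attention, most urgent first
Get-CertificateExpiryReport |
    Where { $_.Status -ne 'Valid' } |
    Sort DaysLeft |
    Select Status, DaysLeft, NotAfter, Store, Thumbprint, Subject |
    Format-Table -AutoSize
```

Because the function emits objects rather than formatted text, the same output can be sent to ConvertTo-Html and Out-File as in the directory listing earlier.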

Now let's focus on the DFS-Namespaces service, which is something I’m working on (these will only work if the box is a Windows Server file server with the DFS-N role service installed):

Shows all 2000 mode domain namespaces on the current computer, using the registry: Dir HKLM:\Software\Microsoft\DFS\Roots\Domain
Shows all 2008 mode  domain namespaces on the current computer, using the registry: Dir HKLM:\Software\Microsoft\DFS\Roots\DomainV2
Shows all standalone namespaces on the current computer, using the registry: Dir HKLM:\Software\Microsoft\DFS\Roots\Standalone
Shows all namespaces of all types on the current computer, using the registry: Dir HKLM:\Software\Microsoft\DFS\Roots -Recurse | Select PSChildName, ValueCount, Property
Shows properties of the DFS-N service in the registry: Dir HKLM:\System\CurrentControlSet\Services\Dfs
Starts the DFS-N service (two ways): Get-Service DFS | Start-Service
Get-Service DFS | % { $_.Start() }
Shows DFS Targets on the current computer, using WMI: Get-WmiObject Win32_DFSTarget
Shows selected properties of DFS nodes on the current computer, including whether it's a root and its state, using WMI: Get-WmiObject Win32_DFSNode | Select Name, Root, State | Format-Table -AutoSize

I hope that has helped you see how interesting PowerShell can be. Here are a few links for additional information and tutorials:

I started posting articles electronically back in the BBS days in the late 1980s.
I created a web page with my own domain name in 1998 (back in Brazil with a ".br" domain name that I no longer own).
I moved to a US domain when I moved to the United States in 2000 (it’s still there at http://www.barreto.us and it hasn't changed much in years).
In July 2004 (around five years ago, almost to the day), I started blogging here at http://blogs.technet.com/josebda.
It’s actually kind of fun to go back and re-read that very first post at  http://blogs.technet.com/josebda/archive/2004/07/06/173623.aspx
I stopped posting in both English and Portuguese two years later (too much work to post in two languages, side-by-side), but kept posting in English regularly to this date.
To this date I have posted 270 blogs (not counting this one :-), an average of about 5 per month.

As of this month, I am also starting to use twitter. You can follow me at  http://twitter.com/josebarreto
There were a few things I learned in the last few weeks as I got started.
Obviously you need to visit the site and create the account, hoping no one grabbed your name before you did.
Next, I spent some time getting the lingo: tweets, shortening URLs with bit.ly, retweets, following, replies, @name, #subject, etc.
Then I tried to find interesting people to follow and  watched what they tweet about, how frequently.

I soon figured out that I could retire my RSS reader in favor of a twitter client, which is now how I am getting my basic news.
I am pretty OK now with the number of other twitterers I am following, and it does pretty much match my old list of RSS feeds, plus a few new finds.
I chose to use TweetDeck on the PC and PockeTwit on the phone (any suggestions there?).

I started writing my own tweets a few days ago, mostly one for every blog post I get out the door. I guess I am too tied to old models, huh?
I am also starting to retweet some of the stuff I am following, as my next step into the new model.
If you haven’t already, you should get started. It is a different way of doing things, but it has worked quite well for me so far, especially as it replaced some of my old tools.
I find myself using the twitter clients for most of my news and updates (personal or work-related).

An interesting side effect is that it got me back to Facebook (at http://www.facebook.com/jose.barreto) and I started posting updates there as well.
I created the Facebook account a few years ago, added a few friends over time and even got a “vanity URL” earlier this year, but I never really got into posting frequent updates.
Not that Twitter and Facebook are directly related, but it sounded simple enough to post updates on both.
I learned that there used to be a Facebook app to do that automatically, but apparently that no longer works.
It even got me to load a Facebook application on my Windows phone. How about that?

There’s a lot of hype about Twitter, but it does seem to have an interesting model, a new twist on things.
You’re not likely to find out what I had for breakfast every morning, but you will at least learn of any new blog posts I publish (RSS is so 2000-and-late :-).
As with most things, time will tell if the model does work.  We will find out when I post about it five years from now…

Microsoft released the File Server Migration Toolkit version 1.2 (FSMT 1.2), which will help you migrate file shares from computers running Windows NT 4.0 Server, Windows 2000 Server, Windows 2003 Server, Windows Server 2008 and Windows Storage Server 2008 to computers running Windows 2003 Server, Windows Server 2008 and Windows Storage Server 2008. You can use it to consolidate multiple file servers or simply to migrate files between servers.

This is an update to the previous FSMT 1.1 that fixes an issue with Windows Server 2003 clusters. This version has also been tested with the Windows Server 2008 R2 Release Candidate (full support for Windows Server 2008 R2 is expected and will become official after tests with the final release, which should be out later this year).

Here are the main benefits of FSMT:

  • Simplifies the complex and error-prone migration process of SMB shares and data
  • Maintains UNC paths and eliminates broken shortcuts and links
  • Maintains security settings after the migration
  • Consolidates shared folders with the same names from different servers
  • Supports server clusters as source and target file servers
  • Provides roll-back functionality
  • Support for Windows Server 2008 and Windows Storage Server 2008
  • Includes both the DFS Consolidation Root Wizard and the Dfsconsolidate.exe command-line tool
  • Available in 5 languages (English, French, German, Japanese and Spanish)

Here’s a screenshot:

[Screenshot: FSMT]

Download and test it today from
http://www.microsoft.com/downloads/details.aspx?FamilyID=d00e3eae-930a-42b0-b595-66f462f5d87b&DisplayLang=en

Also, be sure to visit the FSMT Web Site at
http://go.microsoft.com/fwlink/?LinkId=128527

Introduction

Whenever you’re deploying Windows Server DFS-Namespaces, you will need to figure out how many servers will be required.
Since I moved to the role of DFS-N PM, I noticed that the specific information on how many namespace servers you need is something that isn’t clearly posted anywhere.
Although we never really had any problems with performance of the namespace servers themselves, the question of where to place them is quite common.
Hopefully, this blog post will help clarify the topic.

Note: We're not discussing here the type of namespace you should be using (standalone, 2008 domain mode, 2000 domain mode).
We assume you already made that call and you're now deciding how many namespace servers you need and where they should be.

Performance

A single namespace server can typically handle thousands of referrals per second (the exact number will depend on details like the number of targets per link, the server configuration, the network bandwidth).
Since DFS-N clients will cache those referrals, you will be hard-pressed to find a scenario where a single dedicated namespace server would become a significant performance bottleneck.
However, there’s a lot more to this than raw referral performance.

Zero?

The first option for you is not to deploy any additional servers specifically for DFS-N.
If you have a small environment, you can simply enable the DFS-N role on an existing domain controller or file server (you are likely to have some of those already).
In that case, you need zero new servers. Let’s look into the two options: DCs or file servers.

Deploy DFS-N on the DCs

Domain controllers seem like a good candidate to become namespace servers, since they are usually not too busy on small environments.
Domain controllers are likely to also be running other services like DNS.
The typical distribution of domain controllers will also help with your namespace site awareness.
Having a DC nearby will also do wonders for the performance of your domain queries.
On the other hand, domain controllers are sometimes run by dedicated teams that are not too keen on adding unrelated services to their boxes.
You could argue that DFS-N and AD are closely related, since DFS-N domain namespaces use AD for storage. You might lose that argument :-).
Domain controllers are usually heavily secured (for good reasons) and getting permissions to manage a service on those boxes might be a tough one, especially in larger enterprises.
It might also be a little harder to troubleshoot root referrals when the namespace server and DC are collocated (not so easy to get a network trace).

Deploy DFS-N on the file servers

File Servers are also an easy option here. If you already have a few file servers, you could simply add the DFS-N role to a few of them.
The team that manages file servers typically will also be in charge of namespaces, so that helps.
Also, if you have consolidated your file servers, you’re probably OK consolidating your namespace service as well.
This might perpetuate the myth that the file service and the namespace service are the same thing, but that’s just a minor thing :-)
One issue is that the file servers might not be running Windows (they could be some type of NAS appliance), so you could not load DFS-N on them.
As already mentioned, a single namespace server can handle a lot of load, so you will definitely not need this service on every file server. You should aim for two (for high availability).

Two

If you couldn’t talk the owners of either the domain controllers or the file server into hosting the DFS-N service, you can have your own dedicated namespace servers.
If you do decide to install them separately, you would typically not need more than one server, from a referral performance standpoint.
However, due to high availability requirements, it’s strongly recommended to configure two of them.
If you use domain namespaces, they will naturally cover for each other.
If you use standalone namespaces, you should configure them as a failover cluster.

One per site

One reason to have more than two dedicated namespace servers is to resolve referrals within a site.
If you are using domain namespaces, clients will get their referrals from the nearest namespace server and the AD site configuration is used to determine that.
In that case, you should consider having one namespace server per site.
To further improve on that, you could have at least one domain controller per site and enable DFS-N “root scalability”. This will make the namespace server work with the nearest DC.
Keep in mind that, if you enable “root scalability” and you update the namespace root, your users might see outdated information until the site DC gets updated via AD replication.
This also provides fault tolerance, because if the namespace server on your site fails, you can still get referrals by contacting a namespace server on another site.
This is definitely not driven by the load on the server, but by the requirements for site independency and by WAN bandwidth concerns.
Have I mentioned that you could try to talk the people who manage the DCs into letting you run the DFS-N service on their boxes? :-)

Two per team

You might also end up with multiple namespace servers if multiple teams in an enterprise stand up their own set, typically using standalone namespaces.
Since each team will need to provide high availability by clustering their standalone namespace servers, you will end up with two namespace servers per team.
As you can imagine, this is not a good way to go. Keep in mind that DFS-N servers can host multiple namespaces and you can delegate management per namespace.
This makes even less sense for domain namespaces, since by definition you would be trying to consolidate the namespaces.
Again, this would not be driven by the load on the server or any other technical requirements.
In short, if you have one or two namespace servers per team you should probably go back to the drawing board and reconsider your consolidation options.

Conclusion

I hope this helped with your DFS-N design. For additional details on DFS-N, see  my other blog posts at http://blogs.technet.com/josebda/archive/tags/DFS/default.aspx

Overview

I am glad to share that Windows Storage Server 2008 (WSS 2008) with the Microsoft iSCSI Software Target 3.2 is now available to all MSDN and TechNet Plus subscribers. This Microsoft product is offered typically via our OEM partners, but a version for evaluation (TechNet Plus or MSDN), demonstration (MSDN), development (MSDN) or test (MSDN) is now being provided to MSDN and TechNet Plus subscribers for the first time. This opens the door for a number of interesting scenarios, especially when related to Windows Server Failover Clustering and/or Hyper-V.

Usage Scenarios

Here are a few things you could do:

  • Setup a test environment for Hyper-V (using Windows Server 2008 or Windows Server 2008 R2) using iSCSI shared storage.
  • On a single laptop (with enough resources) create a development environment running a SQL Server cluster (two nodes, plus shared storage).
  • Evaluate Windows Server 2008 R2 Cluster Shared Volumes (CSV) and Hyper-V Live Migration, using only regular Windows Server hardware.
  • Test your software solution with WSS 2008 Single Instance Storage (Microsoft’s solution for file-level deduplication) without the need to acquire a WSS OEM appliance.

You are probably thinking of a few other ways to use this. If they are for evaluation (TechNet Plus or MSDN), demonstration (MSDN), development (MSDN) or test (MSDN), they are probably good scenarios as well.

Selecting an Edition 

When you install Windows Storage Server, you need to select an edition: Basic, Workgroup, Standard or Enterprise. If you're an MSDN or TechNet Plus subscriber, you have access to all editions and you should select the Enterprise Edition (available only as x64), which will provide you with all the WSS features. The only exception would be if your hardware does not include an x64 capable CPU, in which case you should install the Basic Edition (available as both x64 or x86). The Microsoft iSCSI Software Target 3.2 will not install on the Basic Edition.

Find below a screenshot of the page on the MSDN or TechNet Plus site where you download the image and request the product keys:

[Screenshot: WSS 2008 Keys]

Find below a sample of the step in Windows Storage Server 2008 Setup where you select the edition to install. This screen only shows if you install the x64 image of Windows Storage Server and if you do not provide a product key. If you provide the product key, Setup will select the edition that matches the key. If you install the x86 image, Setup will automatically select the Basic Edition.

[Screenshot: WSS 2008 Editions]

Files

You can download the files from MSDN or TechNet Plus right now, along with up to 10 keys for activation for each subscription.

Here are the file names and sizes:

  • Windows Storage Server 2008 Embedded (Basic, Standard, Enterprise, Workgroup) (x64) - DVD (English)
    File Name: en_windows_storage_server_2008_embedded_basic_standard_enterprise_workgroup_dvd_x64_x15-49574.iso
    File Size: 3,306.19 (MB)
    Comment: x64 OS image. This is the best one to use and the only one that will let you install the Microsoft iSCSI Software Target
     
  • Windows Storage Server 2008 Embedded Language Pack (x64) - DVD (English, French, German, Japanese, Spanish)
    File Name: en_fr_de_ja_es_windows_storage_server_2008_embedded_language_pack_dvd_x64_x14-18606.iso
    File Size: 362.07 (MB)
    Comment: Language packs for the image above
     
  • Windows Storage Server 2008 Embedded Basic (x86) - DVD (English)
    File Name: en_windows_storage_server_2008_embedded_basic_dvd_x86_x15-28320.iso
    File Size: 1,988.13 (MB)
    Comment: x86 OS image. This one only installs as Basic and it can’t run the Microsoft iSCSI Software Target
     
  • Windows Storage Server 2008 Embedded Language Pack (x86) - DVD (English, French, German, Japanese, Spanish)
    File Name: en_fr_de_ja_es_windows_storage_server_2008_embedded_language_pack_dvd_x86_x14-18619.iso
    File Size: 325.14 (MB)
    Comment: Language packs for the image above
     
  • Microsoft iSCSI Software Target 3.2 (x86 and x64) - CD (English)
    File Name: en_windows_storage_server_2008_iscsi_cd_x64_x86_x15-49563.iso
    File Size: 5.63 (MB)
    Comment: Microsoft iSCSI Software Target 3.2 for the Workgroup, Standard or Enterprise editions (x64 only)
     
  • Microsoft iSCSI 3.2 Tools (x86 and x64) - CD (English)
    File Name: en_windows_storage_server_2008_iscsi_tools_cd_x64_x86_x15-63368.iso
    File Size: 1.92 (MB)
    Comment: Optional VSS and VDS providers for the Microsoft iSCSI Software Target
     
  • Windows Storage Server 2008 Embedded Tools (x86 and x64) - CD (English)
    File Name: en_windows_storage_server_2008_embedded_tools_cd_x64_x86_x15-62577.iso
    File Size: 5.89 (MB)
    Comment: This includes the documentation for Windows Storage Server 2008
     

Frequently Asked Questions (FAQ)

Q: I tried to install the Microsoft iSCSI Software Target 3.2 on Windows Server 2008 (or Windows Server 2008 R2) and I got an error saying “Installation is not supported on this operating system”. What’s the problem?
A: The Microsoft iSCSI Software Target 3.2 can only be installed on Windows Storage Server 2008 Standard, Enterprise or Workgroup. It cannot be installed on other OS versions, like Windows Server 2008 or Windows Server 2008 R2.

Q: I completed the Windows Storage Server 2008 setup but I don't know what username and password should be used to logon after the installation is completed. Where can I find that information?
A: Review the Windows Storage Server 2008 Release Notes (WSS2008_RELNOTES.DOC), which can be found in the “Tools” ISO file, the last one on the file list above.

Q: Should I apply Windows Server 2008 Service Pack 2 (SP2) to Windows Storage Server 2008 as it becomes available?
A: Yes. We also recommend enabling Automatic Updates for Windows Storage Server 2008 if you downloaded it from MSDN or TechNet Plus. If you have an OEM copy of Windows Storage Server 2008, you should contact your OEM for guidance in this area.

Q: I can’t find the x86 version of Windows Storage Server 2008 Standard, Enterprise or Workgroup. Where is it?
A: Windows Storage Server 2008 Standard, Enterprise and Workgroup are provided for x64 only.

Q: I can’t find the documentation for Windows Storage Server 2008. Where is it?
A: The documentation is in the “Tools” ISO file, the last one on the file list above. That includes the Windows Storage Server 2008 Release Notes (WSS2008_RELNOTES.DOC), the Windows Storage Server 2008 Getting Started Guide (WSS2008_GSTART.DOC), the Windows Storage Server 2008 OEM Guide (WSS2008_OEMGUIDE.DOC) and the Windows Storage Server 2008 Extensibility and Branding Developer Documentation (OEM-EXTENSIBILITY\WSS2008_EXTENSIBILITY.DOC).

Q: Can I install my MSDN or TechNet Plus version of Windows Storage Server 2008 with the Microsoft iSCSI Software Target 3.2 in a Hyper-V virtual machine?
A: Yes, if you downloaded it from MSDN or TechNet Plus. Make sure to install the Hyper-V Integration Components when you do so.

Q: I am not an MSDN or TechNet Plus subscriber. How can I download an evaluation version of Windows Storage Server 2008 with the Microsoft iSCSI Software Target 3.2?
A: Evaluation versions of Windows Storage Server 2008 with the Microsoft iSCSI Software Target 3.2 are only being offered to MSDN or TechNet Plus subscribers.

Q: How can I subscribe to MSDN or TechNet Plus?
A: You can learn how to subscribe using http://msdn.microsoft.com/subscriptions for MSDN and http://www.microsoft.com/technet/subscription for TechNet Plus.

Q: Can I use the MSDN or TechNet Plus version of Windows Storage Server 2008 with the Microsoft iSCSI Software Target 3.2 in my production environment?
A: No. As with any software you download from MSDN and TechNet Plus, they can only be used for evaluation (TechNet Plus or MSDN), demonstration (MSDN), development (MSDN) or test (MSDN). Review the details at http://msdn.microsoft.com/en-us/subscriptions/cc150618.aspx for MSDN and at http://technet.microsoft.com/en-us/subscriptions/cc294422.aspx for TechNet Plus.

Q: I am an MSDN or TechNet Plus subscriber. Can I share this MSDN or TechNet Plus software with other people in my company that are not MSDN or TechNet Plus subscribers?
A: No. Each person that needs to install or access the software needs his or her own subscription. Review the details at http://msdn.microsoft.com/en-us/subscriptions/cc150618.aspx for MSDN and at http://technet.microsoft.com/en-us/subscriptions/cc294422.aspx for TechNet Plus.

Q: How can I obtain a copy of Windows Storage Server 2008 with the Microsoft iSCSI Software Target 3.2 for my production environment?
A: You need to acquire an OEM solution that comes pre-installed with Windows Storage Server 2008 with the Microsoft iSCSI Software Target 3.2. To find a list of OEM partners, see the links section below.

Q: Can I license just the Windows Storage Server 2008 software (or the Microsoft iSCSI Software Target 3.2 software) for production use without OEM hardware?
A: No. This software is only licensed for production use as part of an OEM solution.

Additional Links

Additional information about Windows Storage Server 2008 and the Microsoft iSCSI Software Target 3.2 can be found at:

Other posts on this subject in this blog:

If you are attending the Microsoft TechEd 2009 conference in Los Angeles and you're looking forward to a deep dive into the new File Classification Infrastructure (FCI) in Windows Server 2008 R2, there will be a session today including a walkthrough of FCI with never-before-seen demos of partner solutions and how you can use PowerShell to extend FCI. Don't miss it!

Session: WSV329
Title: Windows Server 2008 R2 File Classification Infrastructure: Managing Cost and Mitigating Risk on File Servers
Date/Time: 5/14/2009 4:30PM-5:45PM
Location: Petree Hall D

For the basics on FCI, check
http://blogs.technet.com/josebda/archive/2009/05/11/windows-server-2008-r2-file-classification-infrastructure-fci-at-teched-2009.aspx

I wanted to call your attention to four new blog posts this morning from Nir Ben Zvi (Senior Program Manager Lead, Microsoft File Server Team) and Matthias Wollnik (Program Manager, Microsoft File Server Team) introducing the Windows Server 2008 R2 File Classification Infrastructure (FCI). This new Windows feature, highlighted in today's keynote during TechEd 2009, allows you to define classification properties, automatically classify files, automate file management tasks (like file expiration) and generate reports that show the distribution of these properties on the file server. The File Classification Infrastructure also provides a great opportunity for partners to extend these out-of-the-box abilities, including the possibility of seamless integration of multiple partner solutions.

 Check all the details at:

If you are attending TechEd 2009, be sure to pay Nir and Matthias a visit in the File Services booth, attend the session "WSV329 - Managing Cost and Mitigating Risk on File Servers" on Thursday at 4:30 PM and check the hands-on lab "WSV13-HOL - How to Reduce Cost and Risk on File Servers Using the New File Classification Infrastructure".

If you are not attending TechEd 2009, you can still review the keynote by visiting http://www.msteched.com/online.

I am glad to share that Windows Storage Server 2008 (WSS 2008) and the Microsoft iSCSI Software Target 3.2 have been released to the Microsoft OEM partners.

This is the successor to Windows Storage Server 2003 (WSS 2003) and Windows Unified Data Storage Server 2003 (WUDSS 2003). I have been working closely with some of the OEM partners for the last few quarters and they will be announcing their Windows Storage Server 2008 appliances over the next several weeks.

In this release, a number of important improvements were introduced including (but not limited to):

  • Benefits from using Windows Server 2008 as a platform, like the improvements in the TCP/IP stack, SMB2 protocol, Failover Clustering and Server Manager.
  • New version of Single Instance Store (SIS) file-level deduplication, including support for up to 128 volumes, the ability to un-SIS and improved Failover Clustering support.
  • New version of the Microsoft iSCSI Software target (3.2), including support for IPv6, updated VSS/VDS providers and improved Failover Cluster support

To learn more, please join the TechNet webcast “Introducing Windows Storage Server 2008” at http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032410705, live on May 7th at 8AM PST or on-demand shortly after that.

For additional information, check these web sites:

The most common administration activities related to DFS-Namespaces can be performed using the “DFS Management” MMC. This will show up under “Administrative Tools” after you add the DFS role service in Server Manager. You can also add just the MMC for remote management of a DFS namespace server. You will find that in Server Manager, under Add Feature, Remote Server Administration Tools (RSAT), Role Administration Tools, File Services Tools.

Another way to manage DFS-N is to use DFSUTIL.EXE, which is a command line tool. There are plenty of options and you can perform pretty much any DFS-related activity, from creating a namespace to adding links to exporting the entire configuration to troubleshooting. This can be very handy for automating tasks by writing scripts or batch files. DFSUTIL.EXE is an in-box tool in Windows Server 2008 (as with the MMC, it is loaded with the DFS-Namespaces role service or with the RSAT for File Services Tools).

Please find below a table with a comprehensive list of the parameters and options available in DFSUTIL.EXE for Windows Server 2008. Please note that DFSUTIL.EXE had a different format for parameters in Windows Server 2003, but that old syntax still works in Windows Server 2008. The old syntax is listed in the last column, prefixed by “OLD:”. There is also an old DFSCMD.EXE, which still works, which is also mentioned prefixed by “OLD:”.

Parameters | Description | Usage and Examples | Subcommands, notes and old syntax

<None>
Manages DFS Namespaces, servers and clients
Dfsutil
Dfsutil /oldcli
Dfsutil /?
SUBCOMMANDS:
Root - Displays,creates,removes,imports,exports namespace roots.
Link - Displays, creates, removes, or moves folders (links).
Target - Displays,creates,modifies folder targets (link targets).
Property - Displays or modifies a folder target or namespace server.
Client - Displays or modifies client information or registry keys.
Server - Displays or modifies namespace configuration on the server.
Diag - Perform diagnostics or view dfsdirs/dfspath.
Domain - Displays all domain-based namespaces in a domain.
Cache - Displays or flushes the client cache.

NOTES:
* Use the Dfsutil /oldcli command to view the original Dfsutil syntax.
* Use the /? parameter after any command to display help for the command.
* Dfsutil commands use the original Distributed File System terminology, with updated DFS Namespaces terminology provided as explanation for most commands.
* If you specify at the end of a command an object (such as a namespace server) about which you want information, most commands will display the information without requiring further parameters or commands. For example, when using the Dfsutil Root command, you can append a namespace root to the command to view information about the root.
Root Displays information about the namespace root. Dfsutil Root commands support creating, removing, importing or exporting namespace roots. dfsutil root <\\server\share> [Verbose]

PARAMETERS:
<\\server\share>: UNC path to the namespace.
Verbose: Show additional information while the tool is executing.

EXAMPLES:
dfsutil root \\contoso.com\DomainNamespace1
dfsutil root \\srv1\StandaloneNameSpace2
SUBCOMMANDS:
AddDom - Creates a new domain-based namespace.
AddStd - Creates a new stand-alone namespace.
Remove - Removes the namespace.
Export - Exports the namespace configuration to a file.
Import - Imports the namespace from another namespace or a file.
ForceSync - Perform a Forced sync on the target of a namespace.

OLD: dfsutil /Root:<DfsName> /View [/Verbose]
Root
AddDom
Creates a new domain based DFS namespace.
dfsutil root adddom <\\server\share> [<Version>] [<Comment>]

PARAMETERS:
<\\server\share>: UNC path to the namespace.
<Comment>: Specifies an administrator comment for the namespace.
<Version>: Version of the namespace, possible values are V1 or V2.
V1 - Creates a Windows 2000 Server mode namespace.
V2 - Creates a Windows Server 2008 mode namespace.

EXAMPLES:
dfsutil root addDom \\srv1\DomainNameSpace1 "This is V2 namespace"
dfsutil root addDom \\srv2\DomainNameSpace2
dfsutil root addDom \\srv3\DomainNameSpace3 V1 "This is V1 Root"
NOTES:
1. To add new root targets, use "dfsutil target add" command.
2. Default setting for creation of new namespace is V2.

OLD: dfsutil /AddFtRoot /Server:<ServerName> /Share:<ShareName> /Comment:<Comment>
Root
AddStd
Creates a new stand-alone namespace.
dfsutil root addstd <\\server\share> [<Comment>]

PARAMETERS:
<\\server\share>: UNC Path to the namespace on the namespace server.
<Comment>: Specifies an administrator comment for the namespace.

EXAMPLES:
dfsutil root addstd \\srv1\StandaloneNamespace1 "Standalone Root"
dfsutil root addstd \\srv2\StandaloneNamespace2
OLD: dfsutil /AddStdRoot /Server:<ServerName> /Share:<ShareName> /Comment:<Comment>
Root
Remove
Deletes the namespace root. dfsutil root remove <\\server\share>

PARAMETERS:
<\\server\share>: UNC path to the namespace on the namespace server.

EXAMPLES:
dfsutil root remove \\contoso.com\DomainNamespace1
dfsutil root remove \\srv1\StandaloneNamespace2
OLD: dfsutil /RemStdRoot /Server:<ServerName> /Share:<ShareName>
OLD: dfsutil /RemFtRoot /Server:<ServerName> /Share:<ShareName>
OLD: dfsutil /RemFtRoot:<RootName> /Server:<ServerName> /Share:<ShareName>
Root
Export
Exports the namespace configuration information to a file. dfsutil root export <\\server\share> <filename> [Verbose] [DownLevel]

PARAMETERS:
<\\server\share>: UNC path to the namespace on the namespace server.
<filename>: Name of the file that will store the namespace configuration in XML file format.
Verbose: Displays detailed status of the export process.
Downlevel: Saves the export file as a text file that is compatible with the version of Dfsutil that is included with the Windows Server 2003 Support Tools.

EXAMPLES:
dfsutil root export \\contoso.com\DomainNamespace1 C:\dir1\a.txt downlevel
dfsutil root export \\srv1\StandaloneNamespace1 C:\dir1\docroot.xml
OLD: dfsutil /Root:<DfsName> /Export:<File> [/Verbose]
Root
Import
Imports folders, folder targets and configuration information for a namespace from a file or another namespace. dfsutil root import SUBCOMMANDS:
Set - Imports and overwrites the existing namespace.
Merge - Imports and merges with the existing namespace.
Compare - Compares the namespace with another namespace.
BlobSize - Displays the approximate AD DS blob size.
Root
Import
Set
Imports folders, folder targets and configuration information for a namespace from a file or another namespace and overwrites existing folders and folder targets. dfsutil root import set <\\srcserver\share>|<filename> <\\destserver\share> [NoBackup] [Verbose]

PARAMETERS:
<\\srcserver\share>: UNC path to the namespace from which you want to import the configuration.
<\\destserver\share>: UNC path to the namespace to which you want to import the configuration.
<filename>: Name of the xml file from which you want to import the namespace configuration.
NoBackup: Does not create backup file to restore overwritten folders and folder targets.
Verbose: Displays detailed status of the import process.

EXAMPLES:
dfsutil root import set \\contoso.com\Namespace1 \\contoso.com\Namespace2 NoBackup
dfsutil root import set C:\dir1\docroot.txt \\srv1\StandaloneNamespace1
OLD: dfsutil /Root:<DfsName> /Import:<File> /Set|Merge|Compare [/Verbose] [/NoBackup]
Root
Import
Merge
Imports folders, folder targets and configuration information for a namespace from a file and merges existing folders and folder targets. dfsutil root import merge <filename> <\\destserver\share> [NoBackup] [Verbose]

PARAMETERS:
<\\destserver\share> : UNC path to the namespace to which you want to import the configuration.
<filename> : Name of the xml file from which you want to import the namespace configuration.
NoBackup : Does not create backup file to restore overwritten folders and folder targets.
Verbose : Displays detailed status of the import process.

EXAMPLES:
dfsutil root import Merge C:\dir1\docroot.txt \\srv1\StandaloneNamespace1
OLD: dfsutil /Root:<DfsName> /Import:<File> /Set|Merge|Compare [/Verbose] [/NoBackup]
Root
Import
Compare
Compares a namespace on one server with the namespace configuration on another server or in a file. dfsutil root import compare <\\srcserver\share>|<filename> <\\destserver\share> [Verbose]

PARAMETERS:
<\\srcserver\share> : UNC path to the namespace on the first namespace server that you want to compare.
<\\destserver\share>: UNC path to the namespace on the second namespace server that you want to compare.
<filename> : Name of the XML file that contains the namespace configuration that you want to compare.
Verbose : Displays detailed status of the import process.

EXAMPLES:
dfsutil root import compare \\contoso.com\DomainNamespace1 \\contoso.com\DomainNamespace2
dfsutil root import compare C:\dir1\docroot.txt \\srv1\StandaloneNamespace1
OLD: dfsutil /Root:<DfsName> /ImportRoot:<MasterDfsName> /Mirror|Compare [/Verbose] [/NoBackup]
Root
Import
BlobSize
Displays the approximate size of Active Directory Domain Services (AD DS) Blob for the specified namespace import file. dfsutil root import blobsize <filename>

PARAMETERS:
<filename> : Name of the XML file that stores the configuration of the namespace you want to analyze.

EXAMPLES:
dfsutil root import blobsize docroot.xml
OLD: dfsutil /Root:<DfsName> /Import:<File> /BlobSize
Root
ForceSync
Initiates a forced DFS metadata resync operation on the DFS root target of a specified domain-based namespace using the Windows Server 2008 mode, or of a standalone DFS namespace. This is not supported on Windows Server 2003 based namespaces. dfsutil root forcesync <\\server\share>

PARAMETERS:
<\\server\share>: server - Target of the namespace. Forcesync will be performed on this target.
share - Target share.

EXAMPLES:
dfsutil root forcesync \\standaloneserver\StandaloneNamespace1
dfsutil root forcesync \\domainnamespaceserver\DomainNamespace2
NOTES:
Do not specify <\\domain\root>, use <\\roottarget\share>.
Link Displays information about the link (folder) and link (folder) targets. Link commands are used to create a new link, delete a link or move links. dfsutil link <DfsPath>

PARAMETERS:
<DfsPath>: UNC Path of DFS link.

EXAMPLES:
dfsutil link \\contoso.com\DomainNamespace1\link1
dfsutil link \\srv1\StandaloneNamespace1\link1
SUBCOMMANDS:
Add - Creates a new folder.
Remove - Removes the specified folder.
Move - Moves the folder to another location in the namespace.
Link
Add
Adds a folder (link) to the specified namespace. dfsutil link add <DfsPath> <\\server\sharepath> [Restore] [<Comment>]

PARAMETERS:
<DfsPath>: UNC Path of DFS link to be created.
<\\server\sharepath>: UNC Path to the share on the Target Server.
Restore: Option to restore a DFS link.
[<Comment>]: Comment for the Link

EXAMPLES:
dfsutil link add \\contoso.com\DomainNamespace1\link1 \\server\share "This is a new Link"
dfsutil link add \\srv1\StandaloneNamespace1\dir\link1 \\server\share
NOTES:
1. Folders can be created with the restore option. In this case, the folder target does not need to be a SMB path. Use this for namespace paths (\\domain\namespace), NFS shares or any folder target that you do not want to verify.
2. To add another folder target to an existing folder, use the command "Dfsutil Target Add".

OLD: dfsutil /AddLink /Path:<DfsPath> /Server:<LinkTargetServer> /Share:<TargetShare> /Comment:<Comment>
OLD: Dfscmd /add \\dfsname\dfsshare\path \\server\share\path [/restore]
Link
Remove
Deletes the folder (link) and any associated folder targets (link targets). dfsutil link remove <DfsPath>

PARAMETERS:
<DfsPath>: UNC Path of DFS link to remove.

EXAMPLES:
dfsutil link remove \\contoso.com\DomainNamespace1\link1
OLD: dfsutil /RemoveLink /Path:<DfsPath> /Server:<LinkTargetServer> /Share:<TargetShare>
OLD: Dfscmd /remove \\dfsname\dfsshare\path \\server\share\path
Link
Move
Moves a folder (link) to another location in the namespace. When you specify a folder that contains other folders, all subfolders are moved as well. If a folder already exists in the new location, you can use the Replace option to delete the existing folder and replace it with the folder you want to move. You cannot move folders between namespaces. dfsutil link move <OldDfsPath> <NewDfsPath> [Replace]

PARAMETERS:
<OldDfsPath>: The UNC path of the folder to move.
<NewDfsPath>: The UNC path of the new location in the namespace for the folder.
Replace: Replaces an existing folder with the folder that you are moving.

EXAMPLES:
Dfsutil Link Move \\contoso.com/namespace1/programs \\contoso.com\namespace1\tools
Dfsutil Link Move \\srv1\namespace1\docs \\srv1\namespace1/public/docs
OLD: Dfscmd /move \\dfsname\dfsshare\path1 \\dfsname\dfsshare\path2 [/force]
Target Displays information about the folder target (link target) or namespace server (root target). Target commands are used to add, remove or modify the properties of a folder target or namespace server. dfsutil target [<DfsPath>] <\\server\sharepath>

PARAMETERS:
<DfsPath>: UNC Path of DFS link.
<\\server\sharepath>: UNC Path to the share on the Target Server.

EXAMPLES:
dfsutil target \\contoso.com\DomainNamespace1\link1 \\mytargetserver\LinkTarget
dfsutil target \\mytargetserver\RootTarget
SUBCOMMANDS:
Add - Adds a new folder target.
Remove - Removes the folder target.

NOTES:
To view properties of root target do not specify <DfsPath>.

OLD: Dfscmd /view \\dfsname\dfsshare [/partial | /full | /batch || /batchrestore]

Target
Add
Adds a folder target (link target) to an existing folder (link), or a namespace server (root target) to an existing namespace root. dfsutil target add [<DfsPath>] <\\server\sharepath> [Restore]

PARAMETERS:
<DfsPath>: UNC Path of DFS Link.
<\\server\sharepath>: UNC Path to the share on the Target Server.
Restore: Restore option is used when link target is non-SMB path.

EXAMPLES:
dfsutil target add \\contoso.com\DomainNamespace1\link1 \\mytargetserver\LinkTarget
dfsutil target add \\mytargetserver\RootTarget
NOTES:
1. To add new namespace servers to an existing namespace root, omit <DfsPath>.
2. To create new namespace, use the "Dfsutil Root" command with the Adddom or Addstd parameters.
3. Folder targets can be created with the restore option. In this case, the folder target does not need to be a SMB path. Use this for namespace paths (\\domain\namespace), NFS shares or any folder target that you do not want to verify.

OLD: Dfscmd /map \\dfsname\dfsshare\path \\server\share\path [comment] [/restore]
Target
Remove
Deletes a folder target (link target) from a folder (link), or a namespace server (root target) from a namespace. dfsutil target remove [<DfsPath>] <\\server\sharepath>

PARAMETERS:
<DfsPath>: DfsPath of a LinkTarget.
<\\server\sharepath>: server is Link or Root Target Server and share is Target Share

EXAMPLES:
Dfsutil Target Remove \\contoso.com\namespace1\programs \\srv2\apps
Dfsutil Target Remove \\srv1\namespaceshare
NOTES:
1. To delete a root target (namespace server) do not specify <DfsPath>. If the namespace server is the only namespace server in the namespace, then the namespace will be deleted.
2. To remove all the namespace servers, use the "Dfsutil Root Remove" command.

OLD: Dfscmd /unmap \\dfsname\dfsshare\path
Property Displays or modifies the properties of a folder target (link target) or namespace server (root target). dfsutil property SUBCOMMANDS:
Sitecosting - Displays or modifies site costing for a namespace.
RootScalability - Displays or modifies the namespace polling mode.
ABDE - Enable/Disable/View ABDE property of a Namespace.
Insite - Displays or modifies the in-site property.
TargetfailBack - Displays or modifies client fail back.
ACL - Set/Get Security Information on the folder.
State - Displays or modifies a folder target or namespace server.
TTL - Displays or changes client referral caching.
PriorityRank - Displays or changes the ordering method (priority rank).
PriorityClass - Displays or changes the target priority.
Comment - Set/View the comment for DFS namespace or DFS link.
Property
Sitecosting
Displays whether site costing is enabled, and enables or disables it on the specified namespace. Enable site costing to force clients to evaluate inter-site link costs and choose the lowest cost folder target. Site costing is disabled by default. dfsutil property sitecosting <DfsPath>

PARAMETERS:
<DfsPath>: Displays whether site costing is enabled on the specified namespace.

EXAMPLES:
dfsutil property sitecosting enable \\contoso.com\DomainNamespace1
dfsutil property sitecosting enable \\srv1\StandaloneNamespace1
SUBCOMMANDS:
Enable - Enable this property on the namespace.
Disable - Disable this property on the namespace.

NOTES:
1) The path specified must be a namespace root, not a folder.
2) This feature is only supported on servers running Windows Server 2003 or Windows Server 2008.
3) Domain Controller (DC) site costing is controlled separately on each DC using the following registry key: HKLM\System\CurrentControlSet\Services\Dfs\Parameters\SiteCostedReferrals DWORD 1 or 0

OLD: dfsutil /Root:<DfsName> /SiteCosting /Enable|Disable|Display [/Verbose]
Property
RootScalability
RootScalability is an expert-only command to increase performance of large deployments of DFS namespaces. When set, network traffic among DFS root servers is kept to a minimum. In addition, there will be less traffic between the primary DC and DFS servers. The drawback is that users may see outdated information from DFS servers at times. dfsutil property rootscalability <DfsPath>

PARAMETERS:
<DfsPath>: Path of a root.

EXAMPLES:
dfsutil property RootScalability \\contoso.com\DomainNamespace1
SUBCOMMANDS:
Enable - Enable this property on the namespace.
Disable - Disable this property on the namespace.

NOTES:
1) The path specified must be a root, not a link.
2) This has no effect on standalone roots.
3) This feature is only supported on Windows Server 2003 and higher.
4) When RootScalability is enabled, it is not uncommon to see an event log message such as, "DFS could not access its private data from the DS...". While this error may still indicate a problem in DS connectivity, typically this occurs because the nearest DC has outdated DFS information (expected behavior when RootScalability is enabled).

OLD: dfsutil /Root:<DfsName> /RootScalability /Enable|Disable|Display [/Verbose]
Property
ABDE
ABDE command is a quick way to check if Access Based Directory Enumeration is enabled or disabled on the NameSpace. This is the property of domain-based namespace using the Windows Server 2008 mode or Standalone Namespaces in Windows Server 2008. dfsutil property abde <DfsPath>

PARAMETERS:
<DfsPath>: UNC path to the DFS namespace.

EXAMPLES:
dfsutil property ABDE \\contoso.com\DomainNamespace1
dfsutil property ABDE \\srv1\StandaloneNamespace1
SUBCOMMANDS:
Enable - Enable this property on the namespace.
Disable - Disable this property on the namespace.

NOTES:
When Access Based Directory Enumeration is enabled, the users can view their directories only if they have permissions. Links will have Security Descriptors associated with them. The users can view the links only for which they have permissions in the Security Descriptor.
Property
Insite
Insite can be used to make sure clients access only those replicas that are in the same site as the client. It can also be used to disable such behavior. dfsutil property insite <DfsPath>

PARAMETERS:
<DfsPath>: UNC path of a DFS namespace or DFS link.

EXAMPLES:
dfsutil property Insite \\contoso.com\DomainNamespace1
dfsutil property Insite \\srv1\StandaloneNamespace1
SUBCOMMANDS:
Enable - Enable this property on the namespace or link.
Disable - Disable this property on the namespace or link.

NOTES:
1) The path specified may be a root or a link.
2) Access of Domain Controllers may be site-sensitive as well. That, however, is a DC specific property that must be enabled/disabled in the registry of relevant DC(s): HKLM\System\CurrentControlSet\Services\Dfs\Parameters\InsiteReferrals: DWORD 1 or 0

OLD: dfsutil /Path:<DfsPath> /InSite /Enable|Disable|Display [/Verbose]
Property
TargetfailBack
Displays the TargetFailback property of a root or link. TargetFailback is an expert-only command to make sure clients fail back to target servers that are closer to them after having failed over to a target that's potentially out of site. dfsutil property targetfailback <DfsPath>

PARAMETERS:
<DfsPath>: UNC path of a DFS namespace or DFS link.

EXAMPLES:
dfsutil property TargetfailBack \\contoso.com\DomainNamespace1
dfsutil property TargetfailBack \\srv1\StandaloneNamespace1
SUBCOMMANDS:
Enable - Enable this property on the namespace or link.
Disable - Disable this property on the namespace or link.

NOTES:
1) The path specified may be a root or a link.
2) This feature is only supported on Windows Server 2003 SP1 and higher.
3) The clients must be running a newer operating system to take advantage of this feature.
4) You may also enable/disable TargetFailback on SYSVOL/NETLOGON paths. That, however, is a DC specific property that must be set/reset in the registry of relevant DC(s): HKLM\System\CurrentControlSet\Services\Dfs\Parameters\SysvolNetlogonTargetFailback: DWORD 1 or 0

OLD: dfsutil /Path:<DfsPath> /TargetFailback /Enable|Disable|Display [/Verbose]
Property
ACL
ACL command is a quick way to set or get the ACLs on the link. dfsutil property acl <DfsPath> [ShowSDDL]

PARAMETERS:
<DfsPath>: UNC Path of DFS link.
ShowSddl: Option to display SDDL.

EXAMPLES:
dfsutil property ACL \\contoso.com\DomainNamespace1\link1
dfsutil property ACL \\standaloneserver\Namespace1\link1 showsddl
SUBCOMMANDS:
Grant - Grant permissions for a user or group(trustee).
Deny - Deny Permissions for user or group(trustee).
Revoke - Revoke granted permissions for user or group.
Set - Set Security Information on the folder from SDDL input.
Reset - Remove the Security Descriptor associated with the folder.
Control - Set Security control Information on the folder.
Property
State
Displays State of Root/RootTarget or Link/Link target dfsutil property state <DfsPath> [<\\server\share>]

PARAMETERS:
<DfsPath>: UNC path of a DFS namespace or DFS link.
<\\server\share>: server is Target Server and share is share on Target Server.

EXAMPLES:
dfsutil property State \\contoso.com\DomainNamespace1\link1 \\server\share
dfsutil property State \\namespaceserver\Namespace2
SUBCOMMANDS:
Online - Set state of root target or folder target to Online.
Offline - Set state of root target or folder target to Offline.

NOTES:
1. In Windows Server 2003, the state of the DFS namespace root or root target cannot be changed to online or offline, but the state of the link and the link targets can be changed.
2. In Windows 2000 Server and Windows Server 2008 the state of the DFS namespace root and root target can be changed to offline or online.

OLD: dfsutil /Path:<DfsPath> /State /Server:<RootOrLinkTargetServer> /Share:<TargetShare>
Property
TTL
Displays the Timeout value of root or link. dfsutil property ttl <DfsPath>

PARAMETERS:
<DfsPath>: UNC path of a DFS namespace or DFS link.

EXAMPLES:
dfsutil property ttl \\contoso.com\DomainNamespace1
SUBCOMMANDS:
Set - Set this property of DFS namespace or DFS link.

OLD: dfsutil /Enable|Disable|Display [/Verbose] /Path:<DfsPath> {/TTL:<Timeout> /Set}|{/TTL /Display} [/Verbose]
Property
PriorityRank
TargetPriorityRank is a useful way to control client accesses to dfs target servers. dfsutil property priorityrank <DfsPath> <\\server\share> [Verbose]

PARAMETERS:
<DfsPath>: UNC path of a DFS namespace or DFS link.
<\\server\share>: server is Target Server and share is share on Target Server.
Verbose: Show additional information while the tool is executing

EXAMPLES:
dfsutil property PriorityRank \\contoso.com\DomainNamespace1 \\srv1\DomainNameSpace1
SUBCOMMANDS:
Set - Set this property of the root or link target.

OLD: dfsutil /Path:<DfsPath> /TargetPriority /Server:<TargetServerName> /Share:<TargetShare> [/Display] [/Set] [/PriorityRank:<Rank> [/PriorityClass:<SiteCostNormal|GlobalHigh|SiteCostHigh|SiteCostLow|GlobalLow>] [/Verbose]
Property
PriorityClass
TargetPriorityClass is a useful way to control client accesses to DFS target servers. dfsutil property priorityclass <DfsPath> <\\server\share> [Verbose]

PARAMETERS:
<DfsPath>: UNC path of a DFS namespace or DFS link.
<\\server\share>: server is Target Server and share is share on Target Server.
Verbose: Show additional information while the tool is executing

EXAMPLES:
dfsutil property PriorityClass \\contoso.com\DomainNamespace1 \\srv1\DomainNameSpace1
SUBCOMMANDS:
Set - Set this property of the root or link  target.

NOTES:
1) The Path can be a Domain based or a Standalone DFS path. It must lead to a root or a link.
2) TargetPriority can be used in conjunction with site costing, insite and the like.
3) GlobalPriorityClass will take precedence over the site cost. The default behavior is SiteCostNormalPriorityClass.

OLD: dfsutil /Path:<DfsPath> /TargetPriority /Server:<TargetServerName> /Share:<TargetShare> [/Display] [/Set] [/PriorityRank:<Rank> [/PriorityClass:<SiteCostNormal|GlobalHigh|SiteCostHigh|SiteCostLow|GlobalLow>] [/Verbose]
Property
Comment
Sets or displays the administrator comment for a namespace or link (folder). dfsutil property comment <DfsPath>

PARAMETERS:
<DfsPath>: UNC Path of DFS Root or DFS link

EXAMPLES:
dfsutil property comment \\contoso.com\DomainNamespace1\link1
dfsutil property comment \\srv1\StandaloneNamespace1
SUBCOMMANDS:
Set - Set this property for DFS namespace or DFS link.
Client Client commands are used to modify or view the client registry keys or display the site information. dfsutil client SUBCOMMANDS:
Registry - Set/Reset/View registry keys.
SiteInfo - View the site information.
Property - Displays or modifies local machine's cache information.
Client
Registry
Registry commands can modify or display client registry keys or display site information. dfsutil client registry SUBCOMMANDS:
ProviderCacheTimeout - Set/View the ProviderCacheTimeoutInMinutes key.
DfsDcNameDelay - Set/Reset/View the DfsDcNameDelay key.
Client
Registry
ProviderCacheTimeout
ProviderCacheTimeout specifies the length of time that a multiple UNC provider (MUP) cache entry is held until it is reevaluated. dfsutil client registry providercachetimeout <Client>

PARAMETERS:
<Client> : client whose registry key ProviderCacheTimeoutInMinutes has to be displayed.
SUBCOMMANDS:
Set - Set the ProviderCacheTimeoutInMinutes key.

OLD: dfsutil /ProviderCacheTimeoutInMinutes[:<Value>] /Server:<Name> /Display|/Set
Client
Registry
DfsDcNameDelay
Display or modify the registry key DfsDcNameDelay in the client. dfsutil client registry dfsdcnamedelay <Client>

PARAMETERS:
<Client> : client whose registry key DfsDcNameDelay has to be displayed.
SUBCOMMANDS:
Set - Set the DfsDcNameDelay key.
Reset - Reset the DfsDcNameDelay key.

OLD: dfsutil /DfsDcNameDelay[:<Value>] /Server:<Name> /Display|/Set
Client
SiteInfo
Displays the site information associated with the client. dfsutil client siteinfo <MachineName>|<IpAddress>

PARAMETERS:
<MachineName>: Machine Name of the client whose site information has to be displayed.
<IpAddress>: IpAddress of the client whose site information has to be displayed.
OLD: dfsutil /SiteName:<MachineName or IpAddress>
Client
Property
Displays or modifies local machine's cached information. dfsutil client property SUBCOMMANDS:
State - Set/View state of target for the dfs namespace or link.
Client
Property
State

Displays or modifies target state of a dfs namespace or link. Only the local machine's cached information is displayed or modified.

dfsutil client property state <dfspath> SUBCOMMANDS:
Active - Set active target for the dfs namespace or link.
Server Displays all the roots hosted on the server. Server command can also be used to modify the registry keys in the server. dfsutil server <Server>

PARAMETERS:
<Server>: Server on which the roots are hosted.
SUBCOMMANDS:
Registry - Set/Reset/View registry keys of server.

OLD: dfsutil /Server:<MachineName> /View
Server
Registry
Registry commands can modify or display the registry keys on the server. dfsutil server registry  SUBCOMMANDS:
DfsDnsConfig - Set/Reset/View DfsDnsConfig key in server registry.
LdapTimeoutValue - Set/View LdapTimeoutValueInSeconds key in the registry.
SyncInterval - Set/View SyncIntervalinSeconds key in server registry.
SiteCostedReferrals - Set/Reset/View SiteCostedReferrals key in the registry.
InsiteReferrals - Set/Reset/View InsiteReferrals key in server registry.
PreferLogonDC - Set/Reset/View PreferLogonDC key in server registry.
Server
Registry
DfsDnsConfig
Modifies or displays the registry key DfsDnsConfig in the server. dfsutil server registry dfsdnsconfig <Server>

PARAMETERS:
<Server> : The server whose registry key DfsDnsConfig has to be displayed.
SUBCOMMANDS:
Set - Set DfsDnsConfig key in server registry.
Reset - Reset DfsDnsConfig key in server registry.

NOTE:
DfsDnsConfig, when set to 1, specifies that this server will use fully qualified domain names (FQDN) in referrals. When set to 0 (the default), specifies that this server will use NetBIOS names in referrals.

OLD: dfsutil /DfsDnsConfig[:<Value>] /Server:<Name> /Display|/Set
Server
Registry
LdapTimeoutValue
Modifies or displays the registry key LdapTimeoutValueInSeconds in the server. This is the time-out value (in seconds) for DFS LDAP calls. dfsutil server registry ldaptimeoutvalue <Server>

PARAMETERS:
<Server> : The server whose registry key LdapTimeoutValueInSeconds has to be displayed.
<value> : The default value is 30 seconds, the minimum value is 3 seconds and the maximum value is 300 seconds (5 minutes).
SUBCOMMANDS:
Set - Set LdapTimeoutValueInSeconds key in server registry.

OLD: dfsutil /LdapTimeoutValueInSeconds[:<Value>] /Server:<Name> /Display|/Set
Server
Registry
SyncInterval
This key specifies how often domain-based root servers and domain controllers poll the primary domain controller (PDC) emulator master to obtain updated DFS metadata. dfsutil server registry syncinterval <Server>

PARAMETERS:
<Server> : The server whose registry key SyncIntervalinSeconds has to be displayed.
SUBCOMMANDS:
Set - Set SyncIntervalinSeconds key in server registry.

OLD: dfsutil /SyncIntervalinSeconds[:<Value>] /Server:<Name> /Display|/Set
Server
Registry
SiteCostedReferrals
When set to 0 (the default), SYSVOL and NETLOGON referrals contain domain controllers in the client’s site listed first in random order, followed by a random list of domain controllers. When set to 1, SYSVOL and NETLOGON referrals sort domain controllers in order of lowest cost. Domain controllers in the client’s site are at the top of the referral list, followed by domain controllers sorted by lowest cost. dfsutil server registry sitecostedreferrals <Server>

PARAMETERS:
<Server> : The server whose registry key SiteCostedReferrals has to be displayed.
SUBCOMMANDS:
Set - Set SiteCostedReferrals key in server registry.
Reset - Reset SiteCostedReferrals key in server registry.

OLD: dfsutil /SiteCostedReferrals[:<Value>] /Server:<Name> /Display|/Set
Server
Registry
InsiteReferrals
If this registry key is set, the server provides referrals which are in the same site as that of the client. dfsutil server registry insitereferrals <Server>
SUBCOMMANDS:
Set - Set InsiteReferrals key in server registry.
Reset - Reset InsiteReferrals key in server registry.

OLD: dfsutil /InsiteReferrals[:<Value>] /Server:<Name> /Display|/Set
Server
Registry
PreferLogonDC
When PreferLogonDc registry key is set, the logon server will be put on the top of the referral list. dfsutil server registry preferlogondc <Server>
 
SUBCOMMANDS:
Set - Set PreferLogonDC key in server registry.
Reset - Reset PreferLogonDC key in server registry.

OLD: dfsutil /PreferLogonDC[:<Value>] /Server:<Name> /Display|/Set
Diag Diag is used to perform diagnostics on DFS Namespace. dfsutil diag SUBCOMMANDS:
UnMapDomRoot - Delete obsolete references to Domain based root target.
Clean - Remove reference to obsolete root from host machine.
Viewdfsdirs - List/Remove all DFS reparse directories in a volume.
Viewdfspath - Resolve a DfsPath to a destination UNC path.
Diag
UnMapDomRoot
UnMapDomRoot deletes DFS references to an obsolete domain based root target. This is a special problem repair command. dfsutil diag unmapdomroot <\\domain\root> <\\rootreplica/share> [Verbose]

PARAMETERS:
<\\domain\root>: DfsName containing domain name and root name.
<\\roottargetserver\RootTargetShare>: RootTargetServer - Name of the root target server to unmap. Should be exactly as it appears in DFS target info.
RootTargetShare - Name of the root Target share to unmap.
Verbose: Show additional information while the tool is executing

EXAMPLES:
dfsutil diag unmapdomroot \\contoso.com\RootName \\myroottarget\RootTargetShare
 
Diag
Clean
Clean is a special problem repair command to remove a reference to an obsolete root from a host machine. These changes will be done in the given system's registry. dfsutil diag clean <\\server\share> [Verbose]

PARAMETERS:
<\\server\share>: server - Name of the system hosting the root to be cleaned
share - Name of the Domain based or Standalone root to remove.
Verbose: Show additional information while the tool is executing

EXAMPLES:
dfsutil diag clean \\mytargetserver\ShareName
OLD: dfsutil /Clean /Server:<ServerName> /Share:<ShareName>
Diag
Viewdfsdirs
ViewDfsDirs lists all existing DFS reparse directories in a volume. Those directories can also be deleted using the optional argument RemoveReparse. dfsutil diag viewdfsdirs <drive> [removereparse] [Verbose]

PARAMETERS:
<drive>: Drive letter of the volume to scan (with colon at the end).
RemoveReparse: Remove all reparse directories as they are listed.
Verbose: Show additional information while the tool is executing
NOTES:
1 - The volume drive letter must contain a colon at the end.
2 - This command will always enumerate dfs reparse points starting at the root of the volume. It is not possible to specify a directory below the root of the volume as a starting point

OLD: dfsutil /ViewDfsDirs:<VolumeName> [/RemoveReparse] [/Verbose]
Diag
Viewdfspath
ViewDfsPath can be used to resolve a DfsPath to a destination UNC path. The DfsPath can be a domain based/standalone DFS Namespace or even path to the link. This command is supported only in Windows Vista or above.
dfsutil diag viewdfspath <DfsPath>

PARAMETERS:
<DfsPath>: Path of DFS root or link to be resolved.

EXAMPLES:
dfsutil diag ViewDfsPath \\domain\docs (will be resolved as \\servername\share)
dfsutil diag ViewDfsPath \\domain\docs\link1 (will be resolved as \\linktarget\share)
OLD: dfsutil /DisplayDfsPath:<DfsPath>
Domain
Domain command is a quick way to view all namespaces in the domain.
dfsutil domain <domain>
OLD: dfsutil /Domain:<DomainName> /View
Cache
Cache commands are used to display or flush the client cache.
dfsutil cache
SUBCOMMANDS:
Domain - View/Flush the Domain cache.
Referral - View/Flush the Referral cache.
Provider - View/Flush the Provider cache.
Cache
Domain
Domain commands are used to display or flush the domain cache.
dfsutil cache domain
SUBCOMMANDS:
Flush - Flush the Domain cache.

OLD: dfsutil /SpcInfo
OLD: dfsutil /SpcFlush
Cache
Referral
Referral commands are used to display or flush the Referral cache.
dfsutil cache referral [<Level>]
SUBCOMMANDS:
Flush - Flush the Referral cache.

OLD: dfsutil /PktInfo
OLD: dfsutil /PktFlush
Cache
Provider
Provider commands are used to display or flush the provider cache.
dfsutil cache provider
SUBCOMMANDS:
Flush - Flush the Provider cache.

OLD: dfsutil /PurgeMupCache
OLD: dfsutil /DisplayMupCache

If you are a TechNet Plus or an MSDN subscriber, you can now download the Release Candidate (RC) for Windows Server 2008 R2 and Windows 7.

There are different files for each client architecture (x64, x86) and server architecture (x64, ia64). Additional files include the language packs for each one, plus the WAIK (Windows Automated Installation Kit), Windows SDK (Software Development Kit) and WDK (Windows Driver Kit).

See a list of files and sizes in the table below:

Name | Filename | Size
Windows 7 Ultimate RC (x64) - DVD (English) | en_windows_7_ultimate_rc_x64_dvd_347803.iso | 3,119.30
Windows 7 RC Language Pack (x64) - DVD (English, French, German, Japanese, Spanish) | en_fr_de_ja_es_windows_7_rc_language_pack_x64_dvd_347834.iso | 556.05
Windows 7 Ultimate RC (x86) - DVD (English) | en_windows_7_ultimate_rc_x86_dvd_349010.iso | 2,413.73
Windows 7 RC Language Pack (x86) - DVD (English, French, German, Japanese, Spanish) | en_fr_de_ja_es_windows_7_rc_language_pack_x86_dvd_348352.iso | 507.63
Windows Server 2008 R2 Datacenter, Enterprise, Standard, and Web RC (x64) - DVD (English) | en_windows_server_2008_r2_datacenter_enterprise_standard_web_rc_x64_dvd_347937.iso | 2,930.83
Windows Server 2008 R2 RC Language Pack (x64) - DVD (English, French, German, Japanese, Spanish) | en_fr_de_ja_es_windows_server_2008_r2_rc_language_pack_x64_dvd_347839.iso | 343.69
Windows Server 2008 R2 RC for Itanium Based Systems (ia64) - DVD (English) | en_windows_server_2008_r2_rc_for_itanium_based_systems_ia64_dvd_347936.iso | 2,371.79
Windows Server 2008 R2 RC Language Pack (ia64) - DVD (English, French, German, Japanese, Spanish) | en_fr_de_ja_es_windows_server_2008_r2_rc_language_pack_ia64_dvd_347831.iso | 262.49
Windows Automated Installation Kit for Windows 7 RC and Windows Server 2008 R2 RC (x86/x64/ia64) - DVD (English) | en_windows_automated_installation_kit_x86_x64_ia64_dvd_349519.iso | 1,435.54
Windows Software Development Kit for Windows 7 RC (x86) - DVD (English) | en_windows_software_development_kit_for_windows_7_rc_x86_dvd_350616.iso | 1,250.91
Windows Software Development Kit for Windows 7 RC (x64) - DVD (English) | en_windows_software_development_kit_for_windows_7_rc_x64_dvd_350618.iso | 1,251.31
Windows Software Development Kit for Windows 7 RC (ia64) - DVD (English) | en_windows_software_development_kit_for_windows_7_rc_ia64_dvd_350617.iso | 1,252.56
Windows Driver Kit Release 7.0.7100.0 (x86, x64, and ia64) - DVD (English) | en_windows_driver_kit_7.0.7100.0_x86_x64_ia64_dvd_349524.iso | 604.25

Subscribers can download from their usual web sites. If you're not a subscriber, learn how to become one at:

Public downloads are expected in a few days. Keep an eye on:

The Microsoft Management Summit 2009 has started, touching on interesting themes like Virtualization, Dynamic IT and Private Clouds. For those not fortunate enough to be in Las Vegas attending in person, you can watch the keynotes on demand. The first one, delivered by Bob Kelly (Microsoft Corporate VP for Microsoft Infrastructure Server Marketing), started the series. He also described new features of Hyper-V in Windows Server 2008 R2 and Virtual Machine Manager 2008 R2. The second keynote, delivered by Brad Anderson (General Manager for the Microsoft Management & Services Division), included a roadmap of the System Center family and details about the upcoming System Center Service Manager and System Center Online. See the roadmap slide below (captured from the video published online).

[Image: MMS2009Roadmap]

Also, as usual, both keynotes included several demos... Check them out at
http://www.microsoft.com/presspass/presskits/infrastructure/videoGallery.aspx

Microsoft's Corporate VP of Trustworthy Computing (Scott Charney) delivered an interesting keynote as part of this year's RSA Conference about End to End Trust, following up on Craig Mundie's keynote last year. End to End Trust is described as "Microsoft’s vision for a safer, more trusted Internet that can only be achieved through broad cross industry collaboration and alignment".

Check this and other keynotes from the conference at http://media.omediaweb.com/rsa2009/keynote_catalog.htm

NetMon 3.3 has just been released, with a number of new features. One of my favorites this time around is the ability to add comments to a frame. Also, keep in mind that protocols are evolving and having the latest NetMon can help. For instance, only the more recent versions of NetMon include an SMB2 protocol parser that can properly show more complex frames like compound SMB2 requests and responses.

Get all the details, including a complete list of new features, a download link and a picture of the NetMon team :-) at
http://blogs.technet.com/netmon/archive/2009/04/22/network-monitor-3-3-has-arrived.aspx

Microsoft is sponsoring research at the University of Michigan's Center for Information Technology Integration (CITI) to develop an open source NFS client for Windows. CITI developed the open source Linux-based reference implementation of NFSv4 that is already included in all Linux distributions. Details were shared by Bob Muglia, president of the Server and Tools Business (STB) at Microsoft.

Check the announcement on Microsoft's Port25 site at  
http://port25.technet.com/archive/2009/04/22/an-open-source-network-file-system-client-for-windows.aspx

You can also check the University of Michigan's press release at 
http://www.engin.umich.edu/newscenter/pressReleases/20090422111000nvi/

1 – Overview

This blog post details the behavior of Windows Server 2008 DFS-N (Distributed File System - Namespaces) clients by looking at network traces. 
The main goal here is to show the interaction between a DFS-N client, a domain controller, a namespace server and a file server.
These traces were taken using Network Monitor 3.3 beta from a set of isolated computers in a domain.
To understand this post, you need some familiarity with common protocols like ARP, ICMP, TCP and DNS.
At least a basic understanding of some more sophisticated protocols like SMB and Kerberos is also helpful.

2 – The environment

There are 4 computers in this environment, as described below.

# | Name | FQDN | IP | Role | Details
1 | DC | DC.josebda.local | 10.1.1.1 | DNS, Domain Controller | DNS Server for zone josebda.local; Only DC for josebda.local domain
2 | NS | NS.josebda.local | 10.1.1.2 | File Server, DFS Namespace Server | Hosts namespace \\josebda\NS1; Includes a folder \\josebda\NS1\Folder1; Target for that folder is \\fs.josebda.local\Share1
3 | FS | FS.josebda.local | 10.1.1.3 | File Server | Hosts the share \\fs.josebda.local\Share1
4 | CL | CL.josebda.local | 10.1.1.4 | Client | Where the command lines are run; Running Network Monitor

All computers in this setup are running Windows Server 2008 Enterprise Edition (with Service Pack 2 RC).
All command lines and traces are from the point of view of the client (CL.josebda.local or 10.1.1.4).

3 – Cleaning up the caches

To clean all the related caches before each trace, I used a series of commands on the client:

  • To clear the DFS-N domain cache: DFSUTIL cache domain flush
  • To clean the DFS-N referral cache: DFSUTIL cache referral flush
  • To clear the cached Kerberos tickets: KLIST purge
  • To clear the DNS cache: IPCONFIG /flushdns
  • To clear the ARP cache: ARP -d *

Note that each of the commands clears a different kind of cache.

4 – Warming up with a ping by DNS name

This first trace shows a ping of the file server by the client, using the file server name.
This is a simple one, just to get you started with the format. It uses the ARP, DNS and ICMP protocols.
This involves the client (CL), the DNS server (DC) and the file server (FS).

First, here is the actual command used (in bold) and its output.

C:\Users\administrator>ping fs.josebda.local

Pinging fs.josebda.local [10.1.1.3] with 32 bytes of data:
Reply from 10.1.1.3: bytes=32 time<1ms TTL=128
Reply from 10.1.1.3: bytes=32 time<1ms TTL=128
Reply from 10.1.1.3: bytes=32 time<1ms TTL=128
Reply from 10.1.1.3: bytes=32 time<1ms TTL=128

Ping statistics for 10.1.1.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\Users\administrator>

Next, here is the summary of the NetMon trace with some highlights (in bold) and comments (in italics).

From To Protocol Details
4.1. CL uses ARP to find MAC address for 10.1.1.1, its DNS server
CL DC ARP ARP:Request, 10.1.1.4 asks for 10.1.1.1
DC CL ARP ARP:Response, 10.1.1.1 at 00-15-5D-6C-0D-06
4.2. CL queries DNS for “fs.josebda.local”, gets 10.1.1.3 (DC queries ARP back to CL)
CL DC DNS DNS:QueryId = 0xFDF5, QUERY (Standard query), Query  for fs.josebda.local of type Host Addr on class Internet
DC CL ARP ARP:Request, 10.1.1.1 asks for 10.1.1.4
CL DC ARP ARP:Response, 10.1.1.4 at 00-15-5D-6C-0D-03
DC CL DNS DNS:QueryId = 0xFDF5, QUERY (Standard query), Response - Success, 10.1.1.3
4.3. CL uses ARP to find MAC address for 10.1.1.3, the IP for fs.josebda.local
CL FS ARP ARP:Request, 10.1.1.4 asks for 10.1.1.3
FS CL ARP ARP:Response, 10.1.1.3 at 00-15-5D-6C-0D-05
4.4. CL pings 10.1.1.3 four times (first time, FS queries ARP back to CL)
CL FS ICMP ICMP:Echo Request Message, From 10.1.1.4 To 10.1.1.3
FS CL ARP ARP:Request, 10.1.1.3 asks for 10.1.1.4
CL FS ARP ARP:Response, 10.1.1.4 at 00-15-5D-6C-0D-03
FS CL ICMP ICMP:Echo Reply Message, From 10.1.1.3 To 10.1.1.4
CL FS ICMP ICMP:Echo Request Message, From 10.1.1.4 To 10.1.1.3
FS CL ICMP ICMP:Echo Reply Message, From 10.1.1.3 To 10.1.1.4
CL FS ICMP ICMP:Echo Request Message, From 10.1.1.4 To 10.1.1.3
FS CL ICMP ICMP:Echo Reply Message, From 10.1.1.3 To 10.1.1.4
CL FS ICMP ICMP:Echo Request Message, From 10.1.1.4 To 10.1.1.3
FS CL ICMP ICMP:Echo Reply Message, From 10.1.1.3 To 10.1.1.4

Last, here is a sample NetMon screenshot. You can see the details of the DNS query response frame:

[Image: DFSNM1]

5 – Querying the file server directly

This trace is more interesting, showing an SMB client enumerating a folder on a file server.
Note that, in this case, we are not actually using a DFS namespace yet.
You will be exposed to a larger set of protocols this time, including SMB and Kerberos.
Now there will be three computers involved: the client (CL), the file server (FS) and the domain controller (DC).

First, here is the actual command used (in bold) and its output.

C:\Users\administrator>dir \\fs.josebda.local\share1
 Volume in drive \\fs.josebda.local\share1 has no label.
 Volume Serial Number is 68CD-6098

 Directory of \\fs.josebda.local\share1

04/10/2009  10:06 PM    <DIR>          .
04/10/2009  10:06 PM    <DIR>          ..
04/10/2009  10:06 PM                15 File1.txt
               1 File(s)             15 bytes
               2 Dir(s)  11,459,997,696 bytes free

C:\Users\administrator>

Next, here is the summary of the NetMon trace with some highlights (in bold) and comments (in italics).

From To Protocol Details
5.1. CL uses ARP to find MAC address for 10.1.1.1, its DNS server
CL DC ARP ARP:Request, 10.1.1.4 asks for 10.1.1.1
DC CL ARP ARP:Response, 10.1.1.1 at 00-15-5D-6C-0D-06
5.2. CL queries DNS for “fs.josebda.local”, gets 10.1.1.3
CL DC DNS DNS:QueryId = 0x5667, QUERY (Standard query), Query  for fs.josebda.local of type Host Addr on class Internet
DC CL DNS DNS:QueryId = 0x5667, QUERY (Standard query), Response - Success, 10.1.1.3
5.3. CL uses ARP to find MAC address for 10.1.1.3, the IP for fs.josebda.local
CL FS ARP ARP:Request, 10.1.1.4 asks for 10.1.1.3
FS CL ARP ARP:Response, 10.1.1.3 at 00-15-5D-6C-0D-05
5.4. CL negotiates a TCP session with FS on port 445 (SMB)
CL FS TCP TCP:Flags=......S., SrcPort=49257, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=892114495, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
FS CL ARP ARP:Request, 10.1.1.3 asks for 10.1.1.4
CL FS ARP ARP:Response, 10.1.1.4 at 00-15-5D-6C-0D-03
FS CL TCP TCP:Flags=...A..S., SrcPort=Microsoft-DS(445), DstPort=49257, PayloadLen=0, Seq=1956516548, Ack=892114496, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL FS TCP TCP:Flags=...A...., SrcPort=49257, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=892114496, Ack=1956516549, Win=513 (scale factor 0x8) = 131328
5.5. CL and FS negotiate an SMB session (note that FS offers SMB2 and CL takes it)
CL FS SMB SMB:C; Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002
FS CL SMB2 SMB2:R  NEGOTIATE (0x0), GUID={8E4F0109-0E04-FD9C-434A-05881428984C}, Mid = 0
5.6. CL talks to the DC on port 88 to get a set of Kerberos tickets. First, the client authentication for the domain.
CL DC TCP TCP:Flags=......S., SrcPort=49258, DstPort=Kerberos(88), PayloadLen=0, Seq=1788451346, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49258, PayloadLen=0, Seq=4134793418, Ack=1788451347, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL DC TCP TCP:Flags=...A...., SrcPort=49258, DstPort=Kerberos(88), PayloadLen=0, Seq=1788451347, Ack=4134793419, Win=513 (scale factor 0x8) = 131328
CL DC KerberosV5 KerberosV5:AS Request Cname: administrator Realm: JOSEBDA.LOCAL Sname: krbtgt/JOSEBDA.LOCAL
DC CL KerberosV5 KerberosV5:AS Response Ticket[Realm: JOSEBDA.LOCAL, Sname: krbtgt/JOSEBDA.LOCAL]
DC CL TCP TCP:[Continuation]Flags=...AP..., SrcPort=Kerberos(88), DstPort=49258, PayloadLen=51, Seq=4134794879 - 4134794930, Ack=1788451665, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...., SrcPort=49258, DstPort=Kerberos(88), PayloadLen=0, Seq=1788451665, Ack=4134794930, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...F, SrcPort=49258, DstPort=Kerberos(88), PayloadLen=0, Seq=1788451665, Ack=4134794930, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49258, PayloadLen=0, Seq=4134794930, Ack=1788451666, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49258, PayloadLen=0, Seq=4134794930, Ack=1788451666, Win=0 (scale factor 0x8) = 0
5.7. CL requests a Kerberos client service authorization ticket for CL to present to FS.josebda.local for cifs service
CL DC TCP TCP:Flags=......S., SrcPort=49259, DstPort=Kerberos(88), PayloadLen=0, Seq=3552892024, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49259, PayloadLen=0, Seq=1290555248, Ack=3552892025, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL DC TCP TCP:Flags=...A...., SrcPort=49259, DstPort=Kerberos(88), PayloadLen=0, Seq=3552892025, Ack=1290555249, Win=513 (scale factor 0x8) = 131328
CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: cifs/fs.josebda.local
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49259, PayloadLen=0, Seq=1290555249, Ack=3552893597, Win=513 (scale factor 0x8) = 131328
DC CL KerberosV5 KerberosV5:TGS Response Cname: Administrator
DC CL TCP TCP:[Continuation]Flags=...AP..., SrcPort=Kerberos(88), DstPort=49259, PayloadLen=118, Seq=1290556709 - 1290556827, Ack=3552893597, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...., SrcPort=49259, DstPort=Kerberos(88), PayloadLen=0, Seq=3552893597, Ack=1290556827, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...F, SrcPort=49259, DstPort=Kerberos(88), PayloadLen=0, Seq=3552893597, Ack=1290556827, Win=513 (scale factor 0x8) = 131328
5.8. The SMB session is set up (while the last ACKs for the DC are still coming)
CL FS SMB2 SMB2:C  SESSION SETUP (0x1), Mid = 1
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49259, PayloadLen=0, Seq=1290556827, Ack=3552893598, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49259, PayloadLen=0, Seq=1290556827, Ack=3552893598, Win=0 (scale factor 0x8) = 0
FS CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49257, PayloadLen=0, Seq=1956516789, Ack=892116277, Win=513 (scale factor 0x8) = 131328
FS CL SMB2 SMB2:R  SESSION SETUP (0x1) ,SessionFlags=0x0, Mid = 1
5.9. CL connects to \\fs.josebda.local\IPC$ tree, gets referral for \\fs.josebda.local\share1. Note the code 412, telling us that FS is not a DFS server, just a regular file server.
CL FS SMB2 SMB2:C  TREE CONNECT (0x3), Path=\\fs.josebda.local\IPC$, Mid = 2
FS CL SMB2 SMB2:R  TREE CONNECT (0x3), TID=0x1, Mid = 2
CL FS DFS DFS:Get DFS Referral Request, FileName: \fs.josebda.local\share1, MaxReferralLevel: 4
FS CL SMB2 SMB2:R , Mid = 3 - NT Status: System - Error, Code = (412) STATUS_FS_DRIVER_REQUIRED
5.10. CL connects to \\fs.josebda.local\share1 tree, gets all information required by DIR command (note that SMB CREATE is used as “OPEN”)
CL FS SMB2 SMB2:C  TREE CONNECT (0x3), Path=\\fs.josebda.local\share1, Mid = 4
FS CL SMB2 SMB2:R  TREE CONNECT (0x3), TID=0x5, Mid = 4
CL FS SMB2 SMB2:C  CREATE (0x5), Context=DHnQ, Context=MxAc, Context=QFid, Mid = 5
FS CL SMB2 SMB2:R  CREATE (0x5), Context=MxAc, Context=QFid, FID=0xFFFFFFFF00000001, Mid = 5
CL FS SMB2 SMB2:C  QUERY INFORMATION (0x10), FID=0xFFFFFFFF00000001, InformationClass=Query FS Volume Info, FID=0xFFFFFFFF00000001, Mid = 6
FS CL SMB2 SMB2:R  QUERY INFORMATION (0x10), Mid = 6
CL FS SMB2 SMB2:C  CREATE (0x5), Context=DHnQ, Context=MxAc, Context=QFid, Mid = 8
FS CL SMB2 SMB2:R  CREATE (0x5), Context=MxAc, Context=QFid, FID=0xFFFFFFFF00000005, Mid = 8
CL FS SMB2 SMB2:C  CLOSE (0x6), FID=0xFFFFFFFF00000001, Mid = 11
FS CL SMB2 SMB2:R  CLOSE (0x6), Mid = 11
CL FS SMB2 SMB2:C  QUERY INFORMATION (0x10), FID=0xFFFFFFFF00000005, InformationClass=Query FS Full Size Info, FID=0xFFFFFFFF00000005, Mid = 12
FS CL SMB2 SMB2:R  QUERY INFORMATION (0x10), Mid = 12
5.11. CL disconnects from both trees, logs off SMB2, closes the TCP session with FS
CL FS TCP TCP:Flags=...A...., SrcPort=49257, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=892117764, Ack=1956518678, Win=512 (scale factor 0x8) = 131072
CL FS SMB2 SMB2:C  TREE DISCONNECT (0x4), TID=0x1, Mid = 13
FS CL SMB2 SMB2:R  TREE DISCONNECT (0x4), Mid = 13
CL FS SMB2 SMB2:C  TREE DISCONNECT (0x4), TID=0x5, Mid = 14
FS CL SMB2 SMB2:R  TREE DISCONNECT (0x4), Mid = 14
CL FS SMB2 SMB2:C  LOGOFF (0x2), Mid = 15
FS CL SMB2 SMB2:R  LOGOFF (0x2), Mid = 15
CL FS TCP TCP:Flags=...A...F, SrcPort=49257, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=892117980, Ack=1956518894, Win=511 (scale factor 0x8) = 130816
FS CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49257, PayloadLen=0, Seq=1956518894, Ack=892117981, Win=512 (scale factor 0x8) = 131072
CL FS TCP TCP:[Segment Lost]Flags=...A.R.., SrcPort=49257, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=892117981, Ack=1956518894, Win=0 (scale factor 0x8) = 0
FS CL TCP TCP:Flags=...A.R.., SrcPort=Microsoft-DS(445), DstPort=49257, PayloadLen=0, Seq=1956518894, Ack=892117981, Win=0
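
An added example, not part of the original post: a small Python parser for the trace-summary rows shown above. It pairs DNS queries with their answers, lists the Kerberos service names requested, and matches each DFS referral request with the answer the server gave. The row layout is taken from this post's tables; the function names are assumptions of this example, and the second sample reuses rows from step 6.9 of the next section.

```python
import re
from collections import namedtuple

Frame = namedtuple("Frame", "src dst proto details")

# Rows copied from the section 5 trace above (ARP and TCP rows left out).
TRACE_FS = r"""
CL DC DNS DNS:QueryId = 0x5667, QUERY (Standard query), Query  for fs.josebda.local of type Host Addr on class Internet
DC CL DNS DNS:QueryId = 0x5667, QUERY (Standard query), Response - Success, 10.1.1.3
5.5. CL and FS negotiate an SMB session (note that FS offers SMB2 and CL takes it)
CL FS SMB SMB:C; Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002
FS CL SMB2 SMB2:R  NEGOTIATE (0x0), GUID={8E4F0109-0E04-FD9C-434A-05881428984C}, Mid = 0
CL DC KerberosV5 KerberosV5:AS Request Cname: administrator Realm: JOSEBDA.LOCAL Sname: krbtgt/JOSEBDA.LOCAL
CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: cifs/fs.josebda.local
CL FS SMB2 SMB2:C  TREE CONNECT (0x3), Path=\\fs.josebda.local\IPC$, Mid = 2
CL FS DFS DFS:Get DFS Referral Request, FileName: \fs.josebda.local\share1, MaxReferralLevel: 4
FS CL SMB2 SMB2:R , Mid = 3 - NT Status: System - Error, Code = (412) STATUS_FS_DRIVER_REQUIRED
CL FS SMB2 SMB2:C  TREE CONNECT (0x3), Path=\\fs.josebda.local\share1, Mid = 4
"""

# Rows copied from step 6.9 of the section 6 trace (the client asking the DC).
TRACE_DC = r"""
CL DC SMB2 SMB2:C  TREE CONNECT (0x3), Path=\\DC.josebda.local\IPC$, Mid = 2
CL DC DFS DFS:Get DFS Referral Request, FileName: josebda.local, MaxReferralLevel: 3
DC CL DFS DFS:Get DFS Referral Response, NumberOfReferrals: 1 VersionNumber: 3
CL DC DFS DFS:Get DFS Referral Request, FileName: \josebda.local\ns1, MaxReferralLevel: 4
DC CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49267, PayloadLen=0, Seq=1429849264, Ack=1570598348, Win=511 (scale factor 0x8) = 130816
DC CL DFS DFS:Get DFS Referral Response, NumberOfReferrals: 1 VersionNumber: 4
"""

# A data row reads "<from> <to> <protocol> <protocol>:<details>".
# Step comments such as "5.5. CL and FS ..." do not fit that shape and are skipped.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+\3:(.*)$")


def parse_trace(text):
    """Return the data rows of a trace summary as Frame tuples, in order."""
    matches = (ROW.match(line.strip()) for line in text.splitlines())
    return [Frame(*m.groups()) for m in matches if m]


def summarize(frames):
    """Correlate requests with responses and collect the security-relevant facts."""
    s = {"dns": [], "dialects_offered": [], "negotiated": [],
         "kerberos": [], "tree_connects": [], "referrals": []}
    dns_pending = {}    # DNS QueryId -> name that was asked for
    ref_pending = None  # (server, path) of a referral request awaiting its answer
    for f in frames:
        d = f.details
        if f.proto == "DNS":
            qid = re.search(r"QueryId = (\w+)", d)
            asked = re.search(r"Query\s+for (\S+)", d)
            if qid and asked:
                dns_pending[qid.group(1)] = asked.group(1)
            elif qid and qid.group(1) in dns_pending:
                # The answer is the last comma-separated field of the response row.
                s["dns"].append((dns_pending.pop(qid.group(1)), d.rsplit(", ", 1)[-1]))
        elif f.proto == "KerberosV5":
            m = re.match(r"(AS|TGS) Request.*Sname: (\S+)", d)
            if m:
                s["kerberos"].append(m.groups())
        elif "Negotiate, Dialect = " in d:
            s["dialects_offered"] = d.split("Dialect = ", 1)[1].split(", ")
        elif re.match(r"R\s+NEGOTIATE", d):
            # The protocol column of the response shows which family was chosen.
            s["negotiated"].append((f.src, f.proto))
        elif "TREE CONNECT" in d and "Path=" in d:
            s["tree_connects"].append(re.search(r"Path=([^,]+)", d).group(1))
        elif "Referral Request" in d:
            m = re.search(r"FileName: (.+?), Max", d)
            ref_pending = (f.dst, m.group(1)) if m else None
        elif ref_pending and f.src == ref_pending[0]:
            # Either a referral response (count) or an SMB2 error (status name).
            m = re.search(r"NumberOfReferrals: (\d+)|(STATUS_\w+)", d)
            if m:
                s["referrals"].append(ref_pending + (m.group(1) or m.group(2),))
                ref_pending = None
    return s


def legacy_dialects(summary):
    """Dialects in the client's offer that predate SMB 2 (not named 'SMB 2.x')."""
    return [d for d in summary["dialects_offered"] if not d.startswith("SMB 2")]


if __name__ == "__main__":
    for name, trace in (("file server", TRACE_FS), ("domain controller", TRACE_DC)):
        summary = summarize(parse_trace(trace))
        print(name)
        for key, value in summary.items():
            print("  %-17s %s" % (key, value))
        print("  %-17s %s" % ("legacy_dialects", legacy_dialects(summary)))
```

Run against the two samples, the referral list shows the contrast the post points out: the plain file server answers the referral request with STATUS_FS_DRIVER_REQUIRED, while the domain controller returns one referral for each request.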

 

6 – Querying only the DFS namespace

This trace now uses a DFS namespace.
In this case, we’re querying just the namespace itself, not following any links in the namespace.
Now we are working with the client (CL), the domain controller (DC) and the namespace server (NS).

First, here is the actual command used (in bold) and its output.

C:\Users\administrator>dir \\josebda.local\ns1
 Volume in drive \\josebda.local\ns1 has no label.
 Volume Serial Number is 34A5-C4AB

 Directory of \\josebda.local\ns1

04/10/2009  10:08 PM    <DIR>          .
04/10/2009  10:08 PM    <DIR>          ..
04/10/2009  10:08 PM    <DIR>          Folder1
               0 File(s)              0 bytes
               3 Dir(s)  11,448,500,224 bytes free

C:\Users\administrator>

Next, here is the summary of the NetMon trace with some highlights (in bold) and comments (in italics).

From To Protocol Details
6.1. CL uses ARP to find MAC address for 10.1.1.1, its DNS server
CL DC ARP ARP:Request, 10.1.1.4 asks for 10.1.1.1
DC CL ARP ARP:Response, 10.1.1.1 at 00-15-5D-6C-0D-06
6.2. CL queries DNS for “dc.josebda.local”, gets 10.1.1.1
CL DC DNS DNS:QueryId = 0x7447, QUERY (Standard query), Query  for DC.josebda.local of type Host Addr on class Internet
DC CL DNS DNS:QueryId = 0x7447, QUERY (Standard query), Response - Success, 10.1.1.1
6.3. CL negotiates a TCP session with DC on port 445 (SMB)
CL DC TCP TCP:Flags=......S., SrcPort=49267, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1570594720, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=...A..S., SrcPort=Microsoft-DS(445), DstPort=49267, PayloadLen=0, Seq=1429848417, Ack=1570594721, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL DC TCP TCP:Flags=...A...., SrcPort=49267, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1570594721, Ack=1429848418, Win=513 (scale factor 0x8) = 131328
6.4. CL and DC negotiate an SMB session (note that DC offers SMB2 and CL takes it)
CL DC SMB SMB:C; Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002
DC CL SMB2 SMB2:R  NEGOTIATE (0x0), GUID={83C66016-F309-B5A1-42A3-3B37BF0AE071}, Mid = 0
6.5. CL talks to the DC on port 88 to get a set of Kerberos tickets. First, the client authentication for the domain.
CL DC TCP TCP:Flags=......S., SrcPort=49268, DstPort=Kerberos(88), PayloadLen=0, Seq=1221627845, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49268, PayloadLen=0, Seq=4225518474, Ack=1221627846, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL DC TCP TCP:Flags=...A...., SrcPort=49268, DstPort=Kerberos(88), PayloadLen=0, Seq=1221627846, Ack=4225518475, Win=513 (scale factor 0x8) = 131328
CL DC KerberosV5 KerberosV5:AS Request Cname: administrator Realm: JOSEBDA.LOCAL Sname: krbtgt/JOSEBDA.LOCAL
DC CL KerberosV5 KerberosV5:AS Response Ticket[Realm: JOSEBDA.LOCAL, Sname: krbtgt/JOSEBDA.LOCAL]
DC CL TCP TCP:[Continuation]Flags=...AP..., SrcPort=Kerberos(88), DstPort=49268, PayloadLen=51, Seq=4225519935 - 4225519986, Ack=1221628164, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...., SrcPort=49268, DstPort=Kerberos(88), PayloadLen=0, Seq=1221628164, Ack=4225519986, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...F, SrcPort=49268, DstPort=Kerberos(88), PayloadLen=0, Seq=1221628164, Ack=4225519986, Win=513 (scale factor 0x8) = 131328
6.6. CL requests a Kerberos service authorization ticket to present to DC.josebda.local for cifs service
CL DC TCP TCP:Flags=......S., SrcPort=49269, DstPort=Kerberos(88), PayloadLen=0, Seq=4290068782, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49269, PayloadLen=0, Seq=3286883192, Ack=4290068783, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49268, PayloadLen=0, Seq=4225519986, Ack=1221628165, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49268, PayloadLen=0, Seq=4225519986, Ack=1221628165, Win=0 (scale factor 0x8) = 0
CL DC TCP TCP:Flags=...A...., SrcPort=49269, DstPort=Kerberos(88), PayloadLen=0, Seq=4290068783, Ack=3286883193, Win=513 (scale factor 0x8) = 131328
CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: cifs/DC.josebda.local
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49269, PayloadLen=0, Seq=3286883193, Ack=4290070355, Win=513 (scale factor 0x8) = 131328
DC CL KerberosV5 KerberosV5:TGS Response Cname: Administrator
DC CL TCP TCP:[Continuation]Flags=...AP..., SrcPort=Kerberos(88), DstPort=49269, PayloadLen=118, Seq=3286884653 - 3286884771, Ack=4290070355, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...., SrcPort=49269, DstPort=Kerberos(88), PayloadLen=0, Seq=4290070355, Ack=3286884771, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...F, SrcPort=49269, DstPort=Kerberos(88), PayloadLen=0, Seq=4290070355, Ack=3286884771, Win=513 (scale factor 0x8) = 131328
6.7. CL asks DC for another Kerberos ticket
CL DC TCP TCP:Flags=......S., SrcPort=49270, DstPort=Kerberos(88), PayloadLen=0, Seq=341990730, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49270, PayloadLen=0, Seq=2502819863, Ack=341990731, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49269, PayloadLen=0, Seq=3286884771, Ack=4290070356, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49269, PayloadLen=0, Seq=3286884771, Ack=4290070356, Win=0 (scale factor 0x8) = 0
CL DC TCP TCP:Flags=...A...., SrcPort=49270, DstPort=Kerberos(88), PayloadLen=0, Seq=341990731, Ack=2502819864, Win=513 (scale factor 0x8) = 131328
CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: krbtgt/JOSEBDA.LOCAL
DC CL KerberosV5 KerberosV5:TGS Response Cname: Administrator
CL DC TCP TCP:Flags=...A...F, SrcPort=49270, DstPort=Kerberos(88), PayloadLen=0, Seq=341992176, Ack=2502821322, Win=507 (scale factor 0x8) = 129792
6.8. SMB session with DC is set up (while the last ACKs for the DC are still coming)
CL DC SMB2 SMB2:C  SESSION SETUP (0x1), Mid = 1
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49270, PayloadLen=0, Seq=2502821322, Ack=341992177, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49267, PayloadLen=0, Seq=1429848658, Ack=1570597908, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49270, PayloadLen=0, Seq=2502821322, Ack=341992177, Win=0 (scale factor 0x8) = 0
DC CL SMB2 SMB2:R  SESSION SETUP (0x1) ,SessionFlags=0x0, Mid = 1
6.9. CL connects to tree \\dc.josebda.local\IPC$, asks DFS for a referral for “josebda.local”, then “\josebda.local\ns1”
CL DC SMB2 SMB2:C  TREE CONNECT (0x3), Path=\\DC.josebda.local\IPC$, Mid = 2
DC CL SMB2 SMB2:R  TREE CONNECT (0x3), TID=0x1, Mid = 2
CL DC DFS DFS:Get DFS Referral Request, FileName: josebda.local, MaxReferralLevel: 3
DC CL DFS DFS:Get DFS Referral Response, NumberOfReferrals: 1 VersionNumber: 3
CL DC DFS DFS:Get DFS Referral Request, FileName: \josebda.local\ns1, MaxReferralLevel: 4
DC CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49267, PayloadLen=0, Seq=1429849264, Ack=1570598348, Win=511 (scale factor 0x8) = 130816
DC CL DFS DFS:Get DFS Referral Response, NumberOfReferrals: 1 VersionNumber: 4
6.10. CL now knows that it needs to talk to “ns.josebda.local”.  Queries DNS to find it’s “10.1.1.2”, then ARP
CL DC DNS DNS:QueryId = 0xC0C7, QUERY (Standard query), Query  for NS.josebda.local of type Host Addr on class Internet
DC CL DNS DNS:QueryId = 0xC0C7, QUERY (Standard query), Response - Success, 10.1.1.2
CL NS ARP ARP:Request, 10.1.1.4 asks for 10.1.1.2
NS CL ARP ARP:Response, 10.1.1.2 at 00-15-5D-6C-0D-04
6.11. CL negotiates a TCP session with NS on port 445 (SMB)
CL NS TCP TCP:Flags=......S., SrcPort=49271, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=869345207, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
NS CL TCP TCP:Flags=...A..S., SrcPort=Microsoft-DS(445), DstPort=49271, PayloadLen=0, Seq=42140879, Ack=869345208, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL NS TCP TCP:Flags=...A...., SrcPort=49271, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=869345208, Ack=42140880, Win=513 (scale factor 0x8) = 131328
6.12. CL negotiates an SMB session with NS (selects SMB2 dialect)
CL NS SMB SMB:C; Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002
NS CL SMB2 SMB2:R  NEGOTIATE (0x0), GUID={9832F94A-1CD3-61B4-40A3-F01305CCDB7E}, Mid = 0
6.13. CL requests a Kerberos service authorization ticket to present to NS.josebda.local for cifs service
CL DC TCP TCP:Flags=......S., SrcPort=49272, DstPort=Kerberos(88), PayloadLen=0, Seq=1328527949, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49272, PayloadLen=0, Seq=1914299011, Ack=1328527950, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL DC TCP TCP:Flags=...A...., SrcPort=49272, DstPort=Kerberos(88), PayloadLen=0, Seq=1328527950, Ack=1914299012, Win=513 (scale factor 0x8) = 131328
CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: cifs/NS.josebda.local
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49272, PayloadLen=0, Seq=1914299012, Ack=1328529522, Win=513 (scale factor 0x8) = 131328
DC CL KerberosV5 KerberosV5:TGS Response Cname: Administrator
DC CL TCP TCP:[Continuation]Flags=...AP..., SrcPort=Kerberos(88), DstPort=49272, PayloadLen=118, Seq=1914300472 - 1914300590, Ack=1328529522, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...., SrcPort=49272, DstPort=Kerberos(88), PayloadLen=0, Seq=1328529522, Ack=1914300590, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...F, SrcPort=49272, DstPort=Kerberos(88), PayloadLen=0, Seq=1328529522, Ack=1914300590, Win=513 (scale factor 0x8) = 131328
6.14. SMB session with NS is set up (while the last ACKs for the DC are still coming)
CL NS SMB2 SMB2:C  SESSION SETUP (0x1), Mid = 1
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49272, PayloadLen=0, Seq=1914300590, Ack=1328529523, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49272, PayloadLen=0, Seq=1914300590, Ack=1328529523, Win=0 (scale factor 0x8) = 0
NS CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49271, PayloadLen=0, Seq=42141120, Ack=869346989, Win=513 (scale factor 0x8) = 131328
NS CL SMB2 SMB2:R  SESSION SETUP (0x1) ,SessionFlags=0x0, Mid = 1
6.15. CL connects to tree \\ns\NS1, opens the \NS\ns1 namespace and links, queries information (note that SMB2 CREATE is also used as “OPEN”)
CL NS SMB2 SMB2:C  TREE CONNECT (0x3), Path=\\NS\NS1, Mid = 2
NS CL SMB2 SMB2:R  TREE CONNECT (0x3), TID=0x1, Mid = 2
CL NS SMB2 SMB2:C  CREATE (0x5), Name=josebda.local\ns1@#380, Context=DHnQ, Context=MxAc, Context=QFid, Mid = 3
NS CL SMB2 SMB2:R  CREATE (0x5), Context=MxAc, Context=QFid, FID=0xFFFFFFFF00000001, Mid = 3
CL NS SMB2 SMB2:C  QUERY INFORMATION (0x10), FID=0xFFFFFFFF00000001, InformationClass=Query FS Volume Info, FID=0xFFFFFFFF00000001, Mid = 4
NS CL SMB2 SMB2:R  QUERY INFORMATION (0x10), Mid = 4
CL NS SMB2 SMB2:C  CLOSE (0x6), FID=0xFFFFFFFF00000001, Mid = 6
NS CL SMB2 SMB2:R  CLOSE (0x6), Mid = 6
CL NS SMB2 SMB2:C  CREATE (0x5), Name=josebda.local\ns1@#386, Context=DHnQ, Context=MxAc, Context=QFid, Mid = 7
NS CL SMB2 SMB2:R  CREATE (0x5), Context=MxAc, Context=QFid, FID=0xFFFFFFFF00000005, Mid = 7
CL NS SMB2 SMB2:C  CLOSE (0x6), FID=0xFFFFFFFF00000005, Mid = 10
NS CL SMB2 SMB2:R  CLOSE (0x6), Mid = 10
CL NS SMB2 SMB2:C  CREATE (0x5), Name=josebda.local\ns1@#390, Context=DHnQ, Context=MxAc, Context=QFid, Mid = 11
NS CL SMB2 SMB2:R  CREATE (0x5), Context=MxAc, Context=QFid, FID=0xFFFFFFFF00000009, Mid = 11
CL NS SMB2 SMB2:C  CLOSE (0x6), FID=0xFFFFFFFF00000009, Mid = 13
NS CL SMB2 SMB2:R  CLOSE (0x6), Mid = 13
6.16. CL disconnects from trees, logs off SMB2 and closes TCP sessions with DC, NS
CL DC TCP TCP:Flags=...A...., SrcPort=49267, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1570598348, Ack=1429849514, Win=509 (scale factor 0x8) = 130304
CL NS TCP TCP:Flags=...A...., SrcPort=49271, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=869348640, Ack=42143344, Win=510 (scale factor 0x8) = 130560
CL DC SMB2 SMB2:C  TREE DISCONNECT (0x4), TID=0x1, Mid = 5
DC CL SMB2 SMB2:R  TREE DISCONNECT (0x4), Mid = 5
CL DC SMB2 SMB2:C  LOGOFF (0x2), Mid = 6
DC CL SMB2 SMB2:R  LOGOFF (0x2), Mid = 6
CL NS SMB2 SMB2:C  TREE DISCONNECT (0x4), TID=0x1, Mid = 14
CL DC TCP TCP:Flags=...A...F, SrcPort=49267, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1570598492, Ack=1429849658, Win=508 (scale factor 0x8) = 130048
NS CL SMB2 SMB2:R  TREE DISCONNECT (0x4), Mid = 14
DC CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49267, PayloadLen=0, Seq=1429849658, Ack=1570598493, Win=511 (scale factor 0x8) = 130816
CL NS SMB2 SMB2:C  LOGOFF (0x2), Mid = 15
CL DC TCP TCP:[Segment Lost]Flags=...A.R.., SrcPort=49267, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1570598493, Ack=1429849658, Win=0 (scale factor 0x8) = 0
DC CL TCP TCP:Flags=...A.R.., SrcPort=Microsoft-DS(445), DstPort=49267, PayloadLen=0, Seq=1429849658, Ack=1570598493, Win=0
NS CL SMB2 SMB2:R  LOGOFF (0x2), Mid = 15
CL NS TCP TCP:Flags=...A...F, SrcPort=49271, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=869348784, Ack=42143488, Win=510 (scale factor 0x8) = 130560
NS CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49271, PayloadLen=0, Seq=42143488, Ack=869348785, Win=512 (scale factor 0x8) = 131072
CL NS TCP TCP:[Segment Lost]Flags=...A.R.., SrcPort=49271, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=869348785, Ack=42143488, Win=0 (scale factor 0x8) = 0

Last, here is a sample NetMon screenshot. Here we see the detail of the DFS referral response (the second one in 6.9), with the frame details showing that josebda.local\ns1 is actually handled by \ns\ns1. Note also that the referral has a time-to-live (how long it should be kept in the cache).

[Screenshot: DFSNM2]

7 – Finally, looking at the file server via the DFS namespace

This is the final and most complex of the traces here. We’re listing details about a file inside a link in a namespace.
This time we’re involving the client (CL), the domain controller (DC), the namespace server (NS) and the file server (FS).

First, here is the actual command used (in bold) and its output.

C:\Users\administrator>dir \\josebda.local\ns1\folder1
 Volume in drive \\josebda.local\ns1 has no label.
 Volume Serial Number is 34A5-C4AB

 Directory of \\josebda.local\ns1\folder1

04/10/2009  10:06 PM    <DIR>          .
04/10/2009  10:06 PM    <DIR>          ..
04/10/2009  10:06 PM                15 File1.txt
               1 File(s)             15 bytes
               2 Dir(s)  11,459,997,696 bytes free

C:\Users\administrator>

Next, here is the summary of the NetMon trace with some highlights (in bold) and comments (in italics).

From To Protocol Details
7.1. CL uses ARP to find MAC address for 10.1.1.1, its DNS server
CL DC ARP ARP:Request, 10.1.1.4 asks for 10.1.1.1
DC CL ARP ARP:Response, 10.1.1.1 at 00-15-5D-6C-0D-06
7.2. CL queries DNS for “dc.josebda.local”, gets 10.1.1.1
CL DC DNS DNS:QueryId = 0x36AE, QUERY (Standard query), Query  for DC.josebda.local of type Host Addr on class Internet
DC CL DNS DNS:QueryId = 0x36AE, QUERY (Standard query), Response - Success, 10.1.1.1
7.3. CL negotiates a TCP session with DC on port 445 (SMB)
CL DC TCP TCP:Flags=......S., SrcPort=49274, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1348427785, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=...A..S., SrcPort=Microsoft-DS(445), DstPort=49274, PayloadLen=0, Seq=806692608, Ack=1348427786, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL DC TCP TCP:Flags=...A...., SrcPort=49274, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1348427786, Ack=806692609, Win=513 (scale factor 0x8) = 131328
7.4. CL and DC negotiate an SMB session (note that DC offers SMB2 and CL takes it)
CL DC SMB SMB:C; Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002
DC CL SMB2 SMB2:R  NEGOTIATE (0x0), GUID={83C66016-F309-B5A1-42A3-3B37BF0AE071}, Mid = 0
7.5. CL talks to the DC on port 88 to get a set of Kerberos tickets. First, the client authentication for the domain
CL DC TCP TCP:Flags=......S., SrcPort=49275, DstPort=Kerberos(88), PayloadLen=0, Seq=2790774373, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49275, PayloadLen=0, Seq=2481525383, Ack=2790774374, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL DC TCP TCP:Flags=...A...., SrcPort=49275, DstPort=Kerberos(88), PayloadLen=0, Seq=2790774374, Ack=2481525384, Win=513 (scale factor 0x8) = 131328
CL DC KerberosV5 KerberosV5:AS Request Cname: administrator Realm: JOSEBDA.LOCAL Sname: krbtgt/JOSEBDA.LOCAL
DC CL KerberosV5 KerberosV5:AS Response Ticket[Realm: JOSEBDA.LOCAL, Sname: krbtgt/JOSEBDA.LOCAL]
DC CL TCP TCP:[Continuation to #451]Flags=...AP..., SrcPort=Kerberos(88), DstPort=49275, PayloadLen=51, Seq=2481526844 - 2481526895, Ack=2790774692, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...., SrcPort=49275, DstPort=Kerberos(88), PayloadLen=0, Seq=2790774692, Ack=2481526895, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...F, SrcPort=49275, DstPort=Kerberos(88), PayloadLen=0, Seq=2790774692, Ack=2481526895, Win=513 (scale factor 0x8) = 131328
7.6. CL requests a Kerberos service authorization ticket to present to DC.josebda.local for the cifs service
CL DC TCP TCP:Flags=......S., SrcPort=49276, DstPort=Kerberos(88), PayloadLen=0, Seq=1217473064, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49276, PayloadLen=0, Seq=51552186, Ack=1217473065, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49275, PayloadLen=0, Seq=2481526895, Ack=2790774693, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49275, PayloadLen=0, Seq=2481526895, Ack=2790774693, Win=0 (scale factor 0x8) = 0
CL DC TCP TCP:Flags=...A...., SrcPort=49276, DstPort=Kerberos(88), PayloadLen=0, Seq=1217473065, Ack=51552187, Win=513 (scale factor 0x8) = 131328
CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: cifs/DC.josebda.local
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49276, PayloadLen=0, Seq=51552187, Ack=1217474637, Win=513 (scale factor 0x8) = 131328
DC CL KerberosV5 KerberosV5:TGS Response Cname: Administrator
DC CL TCP TCP:[Continuation to #462]Flags=...AP..., SrcPort=Kerberos(88), DstPort=49276, PayloadLen=118, Seq=51553647 - 51553765, Ack=1217474637, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...., SrcPort=49276, DstPort=Kerberos(88), PayloadLen=0, Seq=1217474637, Ack=51553765, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...F, SrcPort=49276, DstPort=Kerberos(88), PayloadLen=0, Seq=1217474637, Ack=51553765, Win=513 (scale factor 0x8) = 131328
7.7. CL asks DC for another Kerberos ticket
CL DC TCP TCP:Flags=......S., SrcPort=49277, DstPort=Kerberos(88), PayloadLen=0, Seq=2381120000, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49276, PayloadLen=0, Seq=51553765, Ack=1217474638, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49276, PayloadLen=0, Seq=51553765, Ack=1217474638, Win=0 (scale factor 0x8) = 0
DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49277, PayloadLen=0, Seq=1880462364, Ack=2381120001, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL DC TCP TCP:Flags=...A...., SrcPort=49277, DstPort=Kerberos(88), PayloadLen=0, Seq=2381120001, Ack=1880462365, Win=513 (scale factor 0x8) = 131328
CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: krbtgt/JOSEBDA.LOCAL
DC CL KerberosV5 KerberosV5:TGS Response Cname: Administrator
CL DC TCP TCP:Flags=...A...F, SrcPort=49277, DstPort=Kerberos(88), PayloadLen=0, Seq=2381121446, Ack=1880463823, Win=507 (scale factor 0x8) = 129792
7.8. SMB session with DC is set up (while the last ACKs for the DC are still coming)
CL DC SMB2 SMB2:C  SESSION SETUP (0x1), Mid = 1
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49277, PayloadLen=0, Seq=1880463823, Ack=2381121447, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49274, PayloadLen=0, Seq=806692849, Ack=1348430973, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49277, PayloadLen=0, Seq=1880463823, Ack=2381121447, Win=0 (scale factor 0x8) = 0
DC CL SMB2 SMB2:R  SESSION SETUP (0x1) ,SessionFlags=0x0, Mid = 1
7.9. CL connects to tree \\dc.josebda.local\IPC$, asks DFS for a referral for “josebda.local”, then “\josebda.local\ns1”
CL DC SMB2 SMB2:C  TREE CONNECT (0x3), Path=\\DC.josebda.local\IPC$, Mid = 2
DC CL SMB2 SMB2:R  TREE CONNECT (0x3), TID=0x1, Mid = 2
CL DC DFS DFS:Get DFS Referral Request, FileName: josebda.local, MaxReferralLevel: 3
DC CL DFS DFS:Get DFS Referral Response, NumberOfReferrals: 1 VersionNumber: 3
CL DC DFS DFS:Get DFS Referral Request, FileName: \josebda.local\ns1, MaxReferralLevel: 4
DC CL DFS DFS:Get DFS Referral Response, NumberOfReferrals: 1 VersionNumber: 4
7.11. CL now knows that it needs to talk to “ns.josebda.local”.  Queries DNS to find it’s “10.1.1.2”, then ARP
CL DC DNS DNS:QueryId = 0xA941, QUERY (Standard query), Query  for NS.josebda.local of type Host Addr on class Internet
DC CL DNS DNS:QueryId = 0xA941, QUERY (Standard query), Response - Success, 10.1.1.2
CL NS ARP ARP:Request, 10.1.1.4 asks for 10.1.1.2
NS CL ARP ARP:Response, 10.1.1.2 at 00-15-5D-6C-0D-04
7.12. CL negotiates a TCP session with NS on port 445 (SMB)
CL NS TCP TCP:Flags=......S., SrcPort=49278, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1616429650, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
NS CL TCP TCP:Flags=...A..S., SrcPort=Microsoft-DS(445), DstPort=49278, PayloadLen=0, Seq=802553199, Ack=1616429651, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL NS TCP TCP:Flags=...A...., SrcPort=49278, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1616429651, Ack=802553200, Win=513 (scale factor 0x8) = 131328
7.13. CL negotiates an SMB session with NS (selects SMB2 dialect)
CL NS SMB SMB:C; Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002
NS CL SMB2 SMB2:R  NEGOTIATE (0x0), GUID={9832F94A-1CD3-61B4-40A3-F01305CCDB7E}, Mid = 0
7.14. CL requests a Kerberos service authorization ticket to present to NS.josebda.local for the cifs service
CL DC TCP TCP:Flags=......S., SrcPort=49279, DstPort=Kerberos(88), PayloadLen=0, Seq=2584167390, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49279, PayloadLen=0, Seq=2711096963, Ack=2584167391, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL DC TCP TCP:Flags=...A...., SrcPort=49279, DstPort=Kerberos(88), PayloadLen=0, Seq=2584167391, Ack=2711096964, Win=513 (scale factor 0x8) = 131328
CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: cifs/NS.josebda.local
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49279, PayloadLen=0, Seq=2711096964, Ack=2584168963, Win=513 (scale factor 0x8) = 131328
DC CL KerberosV5 KerberosV5:TGS Response Cname: Administrator
DC CL TCP TCP:[Continuation to #499]Flags=...AP..., SrcPort=Kerberos(88), DstPort=49279, PayloadLen=118, Seq=2711098424 - 2711098542, Ack=2584168963, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...., SrcPort=49279, DstPort=Kerberos(88), PayloadLen=0, Seq=2584168963, Ack=2711098542, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...F, SrcPort=49279, DstPort=Kerberos(88), PayloadLen=0, Seq=2584168963, Ack=2711098542, Win=513 (scale factor 0x8) = 131328
7.15. SMB session with NS is set up (while the last ACKs for the DC are still coming)
CL NS SMB2 SMB2:C  SESSION SETUP (0x1), Mid = 1
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49279, PayloadLen=0, Seq=2711098542, Ack=2584168964, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49279, PayloadLen=0, Seq=2711098542, Ack=2584168964, Win=0 (scale factor 0x8) = 0
NS CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49278, PayloadLen=0, Seq=802553440, Ack=1616431432, Win=513 (scale factor 0x8) = 131328
NS CL SMB2 SMB2:R  SESSION SETUP (0x1) ,SessionFlags=0x0, Mid = 1
7.16. CL connects to tree \\ns\NS1, opens and queries information for josebda.local\ns1 and josebda.local\ns1\folder1. Error 599 on the last response indicates we need a referral
CL NS SMB2 SMB2:C  TREE CONNECT (0x3), Path=\\NS\NS1, Mid = 2
NS CL SMB2 SMB2:R  TREE CONNECT (0x3), TID=0x1, Mid = 2
CL NS SMB2 SMB2:C  CREATE (0x5), Name=josebda.local\ns1@#510, Context=DHnQ, Context=MxAc, Context=QFid, Mid = 3
NS CL SMB2 SMB2:R  CREATE (0x5), Context=MxAc, Context=QFid, FID=0xFFFFFFFF00000001, Mid = 3
CL NS SMB2 SMB2:C  QUERY INFORMATION (0x10), FID=0xFFFFFFFF00000001, InformationClass=Query FS Volume Info, FID=0xFFFFFFFF00000001, Mid = 4
NS CL SMB2 SMB2:R  QUERY INFORMATION (0x10), Mid = 4
CL NS SMB2 SMB2:C  CLOSE (0x6), FID=0xFFFFFFFF00000001, Mid = 6
NS CL SMB2 SMB2:R  CLOSE (0x6), Mid = 6
CL NS SMB2 SMB2:C  CREATE (0x5), Name=josebda.local\ns1\folder1@#516, Context=DHnQ, Context=MxAc, Context=QFid, Mid = 7
NS CL SMB2 SMB2:R , Mid = 7 - NT Status: System - Error, Code = (599) STATUS_PATH_NOT_COVERED
7.17. CL connects to tree \\ns\IPC$, asks DFS for a referral for “\NS\ns1\folder1”  (note via ARP that NS talks to the DC)
CL NS SMB2 SMB2:C  TREE CONNECT (0x3), Path=\\NS\IPC$, Mid = 8
NS CL SMB2 SMB2:R  TREE CONNECT (0x3), TID=0x5, Mid = 8
CL NS DFS DFS:Get DFS Referral Request, FileName: \NS\ns1\folder1, MaxReferralLevel: 4
NS DC ARP ARP:Request, 10.1.1.2 asks for 10.1.1.1
DC NS ARP ARP:Request, 10.1.1.1 asks for 10.1.1.2
CL DC TCP TCP:Flags=...A...., SrcPort=49274, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1348431413, Ack=806693705, Win=509 (scale factor 0x8) = 130304
NS CL DFS DFS:Get DFS Referral Response, NumberOfReferrals: 1 VersionNumber: 4
7.18. CL now knows that it needs to talk to “fs.josebda.local”.  Queries DNS to find it’s “10.1.1.3”, then ARP
CL DC DNS DNS:QueryId = 0x9848, QUERY (Standard query), Query  for FS.josebda.local of type Host Addr on class Internet
DC CL DNS DNS:QueryId = 0x9848, QUERY (Standard query), Response - Success, 10.1.1.3
CL FS ARP ARP:Request, 10.1.1.4 asks for 10.1.1.3
FS CL ARP ARP:Response, 10.1.1.3 at 00-15-5D-6C-0D-05
7.19. CL negotiates a TCP session with FS on port 445 (SMB). Note the ARP back from FS, since it’s the first time it talks to CL
CL FS TCP TCP:Flags=......S., SrcPort=49280, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=3441020583, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
FS CL ARP ARP:Request, 10.1.1.3 asks for 10.1.1.4
CL FS ARP ARP:Response, 10.1.1.4 at 00-15-5D-6C-0D-03
FS CL TCP TCP:Flags=...A..S., SrcPort=Microsoft-DS(445), DstPort=49280, PayloadLen=0, Seq=109428157, Ack=3441020584, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL FS TCP TCP:Flags=...A...., SrcPort=49280, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=3441020584, Ack=109428158, Win=513 (scale factor 0x8) = 131328
7.20. CL negotiates an SMB session with FS (selects SMB2 dialect)
CL FS SMB SMB:C; Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups 3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002
FS CL SMB2 SMB2:R  NEGOTIATE (0x0), GUID={8E4F0109-0E04-FD9C-434A-05881428984C}, Mid = 0
7.21. CL requests a Kerberos service authorization ticket to present to FS.josebda.local for the cifs service
CL DC TCP TCP:Flags=......S., SrcPort=49281, DstPort=Kerberos(88), PayloadLen=0, Seq=4155214818, Ack=0, Win=8192 ( Negotiating scale factor 0x8 ) = 8192
DC CL TCP TCP:Flags=...A..S., SrcPort=Kerberos(88), DstPort=49281, PayloadLen=0, Seq=938378401, Ack=4155214819, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152
CL DC TCP TCP:Flags=...A...., SrcPort=49281, DstPort=Kerberos(88), PayloadLen=0, Seq=4155214819, Ack=938378402, Win=513 (scale factor 0x8) = 131328
CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: cifs/FS.josebda.local
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49281, PayloadLen=0, Seq=938378402, Ack=4155216391, Win=513 (scale factor 0x8) = 131328
DC CL KerberosV5 KerberosV5:TGS Response Cname: Administrator
DC CL TCP TCP:[Continuation to #543]Flags=...AP..., SrcPort=Kerberos(88), DstPort=49281, PayloadLen=118, Seq=938379862 - 938379980, Ack=4155216391, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...., SrcPort=49281, DstPort=Kerberos(88), PayloadLen=0, Seq=4155216391, Ack=938379980, Win=513 (scale factor 0x8) = 131328
CL DC TCP TCP:Flags=...A...F, SrcPort=49281, DstPort=Kerberos(88), PayloadLen=0, Seq=4155216391, Ack=938379980, Win=513 (scale factor 0x8) = 131328
7.22. SMB session with FS is set up (while the last ACKs for the DC are still coming)
CL FS SMB2 SMB2:C  SESSION SETUP (0x1), Mid = 1
DC CL TCP TCP:Flags=...A...., SrcPort=Kerberos(88), DstPort=49281, PayloadLen=0, Seq=938379980, Ack=4155216392, Win=513 (scale factor 0x8) = 131328
DC CL TCP TCP:Flags=...A.R.., SrcPort=Kerberos(88), DstPort=49281, PayloadLen=0, Seq=938379980, Ack=4155216392, Win=0 (scale factor 0x8) = 0
FS CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49280, PayloadLen=0, Seq=109428398, Ack=3441022365, Win=513 (scale factor 0x8) = 131328
FS CL SMB2 SMB2:R  SESSION SETUP (0x1) ,SessionFlags=0x0, Mid = 1
7.23. CL connects to tree \\fs.josebda.local\Share1, opens the folder and file, queries information (note that SMB2 CREATE is also used as “OPEN”)
CL FS SMB2 SMB2:C  TREE CONNECT (0x3), Path=\\FS.josebda.local\Share1, Mid = 2
FS CL SMB2 SMB2:R  TREE CONNECT (0x3), TID=0x1, Mid = 2
CL FS SMB2 SMB2:C  CREATE (0x5), Context=DHnQ, Context=MxAc, Context=QFid, Mid = 3
FS CL SMB2 SMB2:R  CREATE (0x5), Context=MxAc, Context=QFid, FID=0xFFFFFFFF00000001, Mid = 3
CL FS SMB2 SMB2:C  CREATE (0x5), Context=DHnQ, Context=MxAc, Context=QFid, Mid = 4
FS CL SMB2 SMB2:R  CREATE (0x5), Context=MxAc, Context=QFid, FID=0xFFFFFFFF00000005, Mid = 4
CL FS SMB2 SMB2:C  CLOSE (0x6), FID=0xFFFFFFFF00000001, Mid = 7
FS CL SMB2 SMB2:R  CLOSE (0x6), Mid = 7
CL FS SMB2 SMB2:C  QUERY INFORMATION (0x10), FID=0xFFFFFFFF00000005, InformationClass=Query FS Volume Info, FID=0xFFFFFFFF00000005, Mid = 8
FS CL SMB2 SMB2:R  QUERY INFORMATION (0x10), Mid = 8
CL FS SMB2 SMB2:C  QUERY INFORMATION (0x10), FID=0xFFFFFFFF00000005, InformationClass=Query FS Full Size Info, FID=0xFFFFFFFF00000005, Mid = 10
FS CL SMB2 SMB2:R  QUERY INFORMATION (0x10), Mid = 10
7.24. CL disconnects from trees, logs off SMB2 and closes TCP sessions with DC, NS, FS
CL NS TCP TCP:Flags=...A...., SrcPort=49278, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1616432609, Ack=802554785, Win=513 (scale factor 0x8) = 131328
CL FS TCP TCP:Flags=...A...., SrcPort=49280, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=3441023554, Ack=109430126, Win=511 (scale factor 0x8) = 130816
CL DC SMB2 SMB2:C  TREE DISCONNECT (0x4), TID=0x1, Mid = 5
DC CL SMB2 SMB2:R  TREE DISCONNECT (0x4), Mid = 5
CL DC SMB2 SMB2:C  LOGOFF (0x2), Mid = 6
DC CL SMB2 SMB2:R  LOGOFF (0x2), Mid = 6
CL NS SMB2 SMB2:C  TREE DISCONNECT (0x4), TID=0x5, Mid = 10
CL DC TCP TCP:Flags=...A...F, SrcPort=49274, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1348431557, Ack=806693849, Win=508 (scale factor 0x8) = 130048
NS CL SMB2 SMB2:R  TREE DISCONNECT (0x4), Mid = 10
DC CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49274, PayloadLen=0, Seq=806693849, Ack=1348431558, Win=511 (scale factor 0x8) = 130816
CL NS SMB2 SMB2:C  TREE DISCONNECT (0x4), TID=0x1, Mid = 11
CL DC TCP TCP:[Segment Lost]Flags=...A.R.., SrcPort=49274, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1348431558, Ack=806693849, Win=0 (scale factor 0x8) = 0
NS CL SMB2 SMB2:R  TREE DISCONNECT (0x4), Mid = 11
CL NS SMB2 SMB2:C  LOGOFF (0x2), Mid = 12
NS CL SMB2 SMB2:R  LOGOFF (0x2), Mid = 12
CL FS SMB2 SMB2:C  TREE DISCONNECT (0x4), TID=0x1, Mid = 11
CL NS TCP TCP:Flags=...A...F, SrcPort=49278, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1616432825, Ack=802555001, Win=512 (scale factor 0x8) = 131072
NS CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49278, PayloadLen=0, Seq=802555001, Ack=1616432826, Win=507 (scale factor 0x8) = 129792
FS CL SMB2 SMB2:R  TREE DISCONNECT (0x4), Mid = 11
CL NS TCP TCP:[Segment Lost]Flags=...A.R.., SrcPort=49278, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=1616432826, Ack=802555001, Win=0 (scale factor 0x8) = 0
NS CL TCP TCP:Flags=...A.R.., SrcPort=Microsoft-DS(445), DstPort=49278, PayloadLen=0, Seq=802555001, Ack=1616432826, Win=0
CL FS SMB2 SMB2:C  LOGOFF (0x2), Mid = 12
FS CL SMB2 SMB2:R  LOGOFF (0x2), Mid = 12
CL FS TCP TCP:Flags=...A...F, SrcPort=49280, DstPort=Microsoft-DS(445), PayloadLen=0, Seq=3441023698, Ack=109430270, Win=511 (scale factor 0x8) = 130816
FS CL TCP TCP:Flags=...A...., SrcPort=Microsoft-DS(445), DstPort=49280, PayloadLen=0, Seq=109430270, Ack=3441023699, Win=508 (scale factor 0x8) = 130048
FS CL TCP TCP:Flags=...A.R.., SrcPort=Microsoft-DS(445), DstPort=49280, PayloadLen=0, Seq=109430270, Ack=3441023699, Win=0 (scale factor 0x8) = 0

Last, here is a sample NetMon screenshot. I'm using this to highlight compound SMB2 requests. What you see above in step 7.23 as a simple CREATE (or OPEN) for the folder is actually a CREATE and a couple of QUERY DIRECTORY requests. The frame details show the compound response, which shows that we actually enumerated the entire folder (with just 1 file) with a single request:

[Screenshot: DFSNM3]
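
The hop sequence in trace 7 (DC, then NS, then FS, each tree connect preceded by a Kerberos TGS request for that server's cifs service) can be pulled out of the summary lines mechanically. The Python below is an added example, not part of the original post: it parses summary lines excerpted from trace 7 and reports the tree-connect hops, the DFS referral requests, and any TREE CONNECT with no earlier cifs ticket request in the capture. The function names and the matching of servers by short host name are assumptions of this example.

```python
import re

# Summary lines excerpted from trace 7 on this page (From, To, Protocol, Details).
TRACE = r"""
CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: cifs/DC.josebda.local
CL DC SMB2 SMB2:C  TREE CONNECT (0x3), Path=\\DC.josebda.local\IPC$, Mid = 2
CL DC DFS DFS:Get DFS Referral Request, FileName: josebda.local, MaxReferralLevel: 3
CL DC DFS DFS:Get DFS Referral Request, FileName: \josebda.local\ns1, MaxReferralLevel: 4
CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: cifs/NS.josebda.local
CL NS SMB2 SMB2:C  TREE CONNECT (0x3), Path=\\NS\NS1, Mid = 2
NS CL SMB2 SMB2:R , Mid = 7 - NT Status: System - Error, Code = (599) STATUS_PATH_NOT_COVERED
CL NS SMB2 SMB2:C  TREE CONNECT (0x3), Path=\\NS\IPC$, Mid = 8
CL NS DFS DFS:Get DFS Referral Request, FileName: \NS\ns1\folder1, MaxReferralLevel: 4
CL DC KerberosV5 KerberosV5:TGS Request Realm: JOSEBDA.LOCAL Sname: cifs/FS.josebda.local
CL FS SMB2 SMB2:C  TREE CONNECT (0x3), Path=\\FS.josebda.local\Share1, Mid = 2
""".strip().splitlines()

# One pattern per event of interest; the first match on a line wins.
PATTERNS = [
    ("ticket", re.compile(r"TGS Request .*Sname: cifs/(?P<v>\S+)")),
    ("tree", re.compile(r"TREE CONNECT \(0x3\), Path=(?P<v>\\\\[^,]+)")),
    ("referral", re.compile(r"Get DFS Referral Request, FileName: (?P<v>[^,]+)")),
    ("not_covered", re.compile(r"(?P<v>STATUS_PATH_NOT_COVERED)")),
]

def parse(lines):
    """Turn 'From To Protocol Details' summary lines into event dicts."""
    events = []
    for line in lines:
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue  # blank or truncated line
        src, dst, _proto, details = parts
        for kind, rx in PATTERNS:
            m = rx.search(details)
            if m:
                events.append({"kind": kind, "src": src, "dst": dst,
                               "value": m.group("v").strip()})
                break
    return events

def short_host(name):
    """'\\\\FS.josebda.local\\Share1' or 'FS.josebda.local' -> 'FS'.
    Assumption: short names are unique within the capture."""
    return name.lstrip("\\").split("\\")[0].split(".")[0].upper()

def audit(events):
    """Return (ordered server hops, tree connects with no earlier cifs ticket)."""
    ticketed, hops, unticketed = set(), [], []
    for ev in events:
        if ev["kind"] == "ticket":
            ticketed.add(short_host(ev["value"]))
        elif ev["kind"] == "tree":
            host = short_host(ev["value"])
            if not hops or hops[-1] != host:
                hops.append(host)
            if host not in ticketed:
                unticketed.append(ev["value"])
    return hops, unticketed

def referrals(events):
    """List (server asked, path) for each DFS referral request."""
    return [(ev["dst"], ev["value"]) for ev in events if ev["kind"] == "referral"]

if __name__ == "__main__":
    evs = parse(TRACE)
    hops, unticketed = audit(evs)
    print("hops:", " -> ".join(hops))
    print("referrals:", referrals(evs))
    print("tree connects without a cifs ticket request:", unticketed)
```

A tree connect reported without a ticket request is a prompt to inspect that SESSION SETUP frame, not proof of anything by itself: the client caches service tickets, so a later capture may simply not contain the TGS exchange.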

8 – Conclusion

I hope this blog post helped you understand the behavior of DFS-N clients and encouraged you to try running Network Monitor and capturing some traces yourself.

For additional information on how DFS-N works, check these two links:
http://technet.microsoft.com/en-us/library/cc782417.aspx
http://www.snia.org/events/storage-developer2008/presentations/wednesday/DanLovingerImplementingDFSN-SDC08-v2.pdf
