2.1 Transport

The DFS root target MUST reside on a server that is accessible through SMB (as specified in [MS-SMB]) or SMB2 (as specified in [MS-SMB2]). A link target can reside on a server that is accessible through any resource access protocol for which appropriate client-side software exists.

The DFS: Namespace Management Protocol uses RPC over SMB, as specified in [MS-RPCE].

This protocol uses a well-known endpoint, \\PIPE\NETDFS, for RPC over SMB. The RPC interface uses transport-level authentication, as specified in [MS-RPCE]. DFS is not directly involved in authentication; however, the DFS service MUST verify whether the user has administrator privileges to the namespace. The authenticated RPC interface allows RPC to negotiate the use of authentication and the authentication level on behalf of the client and server, as specified in [MS-RPCE] section 3.3.1.5.2. The server MUST find the security context indicated by the auth_context_id in the sec_trailer of the request, and it MUST ask the security provider that created the security context to retrieve the client identity.

This protocol MUST use the universally unique identifier (UUID) 4FC742E0-4A10-11CF-8273-00AA004AE673. The RPC version number is 3.0.

This protocol allows any user to establish a connection to a DFS server. It uses the underlying RPC protocol to retrieve the identity of the caller that made the request, as specified in [MS-RPCE] section 3.3.3.4.3. The RPC server SHOULD use this identity to verify method-specific access.