I have searched the Internet for answers to this intermittent problem without success. Hoping somehow posting here will get the attention of someone at Microsoft with deep DFS-N knowledge.
I have observed intermittent "Access Denied" errors when a client attempts to connect to a recently changed DFS-N target folder path. The DFS-N target "\\serv1.domain.com\share" is disabled and a new target is created/enabled "\\serv2.domain.com\share"). The target Referral cache duration is set to the default 1800 seconds. Time has passed after the target is updated for all Domain Controllers to replicate and client's cache to update (more than an hour).
The solution so far is
- restart the client
- on a client with RSAT DFS Management Tools installed, in an elevated command window:
DFSUTIL /PKTFLUSH
DFS-N.jpg
In the screenshot attached, you can see the failure when DIR command for a FQDN path is used, then success when DIR command is used with a NetBIOS shortname path. This is an illustration only, the FQDN or shortname will both fail, one or the other will fail; it is an intermittent problem which seems resolved by a restart or DFSUTIL /PKTFLUSH, but is really only fixed until a new Target is modified in the DFS Namespace.
If the DFS-N client is a user PC, the restart is not too disruptive, only a single user is impacted. If there are many users experiencing the problem, then the Service Desk gets many calls and many users are impacted by a restart. Since RSAT is not typically installed on PCs, there is no good work-around to a restart.
If the DFS-N client is a server, then a restart is very difficult to schedule. RSAT can be installed, but this requires notification of server owner, possible change management approvals.
And then if we just ignore the root-cause, always restarting or PKTFLUSH, then in the future whenever we update DFS-N target paths we have this issue again and again. I am looking for a permanent solution to the root-cause and understand why the DFS-N client cache is not always updated every 30 minutes.
Note: I am not using DFS-R (replication).
I am an experienced senior enterprise systems administrator. I have used Distributed File System Namespace (DFS-N) Target Folders many years on Windows Server 2003, 2008, 2012 with Windows 7 clients. I am at a new employer for several years and now we have a requirement to use DFS-N. All of the systems are Windows Server 2016, 2019 and Windows 10 22H2. <Begin Rant> So I do appreciate in advance do not patronize me with "restart" "run chkdsk" "run sfc /scannow" "run antivirus" or other noob answers. <End Rant>
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 11%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETC%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 68%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELT%3C/text%3E%3C/svg%3E)