The best way I have found to see what is happening with the DFS referrals is
to use a packet capture tool like Wireshark (http://www.wireshark.org/).
Install Wireshark onto a client machine, make sure you clear your DFS
referral cache with "dfsutil /pktflush", start the capture, browse to the DFS
path, and stop the capture after a couple of seconds. Then look for the line
"Trans2 Response, GET_DFS_REFERRAL" in the top pane on the right and click on
it. Scroll to the bottom of the middle pane and click on the line "Unknown
Data:" (unfortunately Wireshark does not seem to be able to decode the DFS
referral like it can with other protocols). Clicking on "Unknown Data:" will
highlight a section of the raw data in the bottom pane. Look at the ASCII
half of the highlighted data on the right. I think it is in unicode, so it
appears as though it has spaces between the letters, but if you ignore the
spaces, it will show something like:
\ServerB\DFS\test
\ServerB\DFS\test
\ServerB.domain.local\DFStest
\ServerA.domain.local\DFStest
In my example above, I have a domain root DFS with 2 root targets
\\ServerA\DFS and \\ServerB\DFS. I have within that a DFS Link (Folder)
called "test" (full path \\domain.local\DFS\test) that has 2 targets
\\ServerA.domain.local\DFStest and \\ServerB.domain.local\DFStest. Since the
client is in SiteB (same site as ServerB) it should get a referral for
ServerB first, and ServerA as a secondary alternate.
This example is showing the DFS path twice for some reason, and then each of
the referrals for the targets in the DFS Link (Folder)
\\domain.local\DFS\test. ServerB is listed first, and ServerA as an alternate.
Note that the DFS path is listed as \ServerB\DFS\test instead of
\\domain.local\DFS\test. This is because I had earlier requested a DFS
referral for the path \\domain.local\DFS and got the response \ServerB\DFS.
Now that I am trying to get to \\domain.local\DFS\test, my actual DFS
referral request is sent as \ServerB\DFS\test and I get the response above.
Also note that even though the path I am browsing to starts with a double
backslash "\\" it seems that the underlying Windows only uses a leading
single backslash "\".
Have you checked that the client is detecting that it is in the right site?
Do a gpresult and look for the "Site Name:" in the top section of the
response.
Post by EdwardQI should have stated that.. I am using the FQDN. \\mahar.local\mytest
I have set the "NTDS Settings" nodes to Default Query Policy and have a
gobal catalog at the branch.
Its still using the Main Branch target at the remote branch. How do I see
how the setting are for the referance from the branch location?