question

WalterWodzien-2600 avatar image
0 Votes"
WalterWodzien-2600 asked SunnyQi-MSFT commented

access DFS root from workgroup client

are there any tricks to access domain DFS root from a workgroup computer (ie use case being AAD joined machine talking to domain DFS), using \\domain\dfsroot path? the issue is with dfsroot component (i can trick the DNS resolution but not sure how to get the client to "resolve" dfsroot)

windows-server
· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi,

Just checking in to see if the information provided was helpful.

If yes, you may accept useful reply as answer, if not, welcome to feedback.

Best Regards,
Sunny

0 Votes 0 ·
LeonLaude avatar image
0 Votes"
LeonLaude answered

Hi @WalterWodzien-2600,

In order to access a DFS namespace your server will have to be either part of the domain or in a domain that has a trust relationship with the domain the DFS namespace is in.

Here's a similar thread:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/c3214a4c-8088-446c-ba4d-643d5baf87cc/how-to-access-dfs-namespace-from-a-standalone-windows-2003-server?forum=winservergen


(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)


Best regards,
Leon

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

SunnyQi-MSFT avatar image
0 Votes"
SunnyQi-MSFT answered

Hi,

Thanks for posting in Q&A platform.

I have tested in my lab and workgroup client can access the DFS Root successfully.

As a workaround, you can access DFS Root from non-domain joined computer via the following detailed steps.

From target server side:

A. Enable guest account in the control panel – user accounts. Please do not setup a guest password.


B. Locate to the registry [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA], please configure the value of restrictanonymous is 0 and forceguest is 1, and then reboot the server.

94343-image.png

C. Open Local Group Policy Editor and locate to the following policies:

Computer Configuration->Windows Settings->Security Settings->Local Policies->User Right Assignment->Access this computer from the network, please ensure Everyone group was listed here

94335-image.png

Computer Configuration->Windows Settings->Security Settings->Local Policies->User Right Assignment->Deny access to this computer from the network, please ensure “Guests ” and “Anonymous Logon” group were not listed here

94351-image.png

Computer Configuration->Windows Settings->Security Settings->Local Policies->Security Options->Network access: Let Everyone permissions apply to anonymous users->Enable

94337-image.png

D. Configure the NTFS permission and share permission in the properties of shared folder on target server for Everyone group:

94249-image.png 94308-image.png 94391-image.png

From the non-domain joined computer side, add the DNS suffix for this client with the specific domain name.

94299-image.png

And now we can access the DFS root from the non-domain joined computer:

94269-image.png

And here is a similar thread discussed before, you could also try the method in this thread:

Access to DFS Namespace Target from Non-Domain Member Client Computer

Best Regards,
Sunny


If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


image.png (64.2 KiB)
image.png (170.2 KiB)
image.png (167.4 KiB)
image.png (151.7 KiB)
image.png (16.2 KiB)
image.png (19.8 KiB)
image.png (30.2 KiB)
image.png (106.2 KiB)
image.png (56.9 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

WalterWodzien-2600 avatar image
0 Votes"
WalterWodzien-2600 answered SunnyQi-MSFT commented

@SunnyQi-MSFT , thank you kindly for your extended response. However, how does a Windows computer in a workgroup get to "resolve" the dfsroot part of the namespace (ie \\domain\dfsroot\folder1)?

· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Thanks for your update. It depends on how was DNS configured on workgroup client side. The DNS server on my workgroup client was configured as domain DNS server (DNS server which hosts the zone sunny.com).

0 Votes 0 ·