How to Properly Share Windows Symbolic Links as Network Shares (SMB/CIFS)


2 views

Sharing symbolic links (symlinks) as network shares in Windows presents unique technical challenges that differ from regular folder sharing. The fundamental issue stems from how Windows Server handles redirections across different security contexts.

// Example of creating a problematic symlink share
mklink /D C:\Shares\NetworkLink \\remote\path
net share NetworkLink=C:\Shares\NetworkLink /GRANT:Everyone,FULL

When attempting to access \\server\symlink_test, Windows Server performs these operations:

  1. Resolves the local path via SMB service
  2. Follows the symbolic link to the remote target
  3. Attempts to access the remote path using SYSTEM account credentials
  4. Fails with "Device not ready" due to permission constraints

Solution 1: Junction Points for Local Paths

For paths on the same volume:

// Create junction point
mklink /J D:\Shares\Engineering D:\NewLocation\Engineering
net share Engineering=D:\Shares\Engineering

Solution 2: DFS Namespace Integration

For distributed file systems:

// Configure DFS namespace
dfsutil root adddom \\domain.com\namespace \\fs1\Shares
dfsutil link add \\domain.com\namespace\Engineering \\abc\def\Engineering

Solution 3: Virtual File Server with Redirects

Using Server 2016+ with these PowerShell commands:

# Create virtual file server
New-SmbShare -Name "Engineering" -Path "D:\Shares\Engineering" 
Set-SmbPathAcl -ShareName "Engineering" -FullAccess "DOMAIN\Users"

# Configure reparse point
New-Item -ItemType SymbolicLink -Path "D:\Shares\Engineering" -Target "\\abc\def"

Essential GPO/registry modifications:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
"SymlinkLocalToLocalEvaluation"=dword:00000001
"SymlinkLocalToRemoteEvaluation"=dword:00000001
"SymlinkRemoteToLocalEvaluation"=dword:00000001
"SymlinkRemoteToRemoteEvaluation"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"EnableLinkedConnections"=dword:00000001

When benchmarking different approaches:

Method Latency Throughput Compatibility
Direct Symlink High Low Limited
DFS Medium High Excellent
Server 2016+ Low High Good

For "Device not ready" errors, verify:

  • SYSTEM account has access to target share
  • DFS-R service is running (if applicable)
  • No group policy conflicts (check with gpresult /h report.html)
  • SMB1 is disabled on all systems

Many Windows administrators face this scenario: You've created a directory symbolic link (symlink) pointing to a network location, shared it via SMB, but clients receive "Device not ready" errors when accessing it. Let's break down why this happens and how to work around it.

Windows Server has fundamental restrictions when sharing symlinks:

  • The SMB server component doesn't properly resolve symlinks that point to remote locations
  • Even with proper permissions, the share infrastructure treats such symlinks differently
  • The error occurs at the SMB protocol level before filesystem permissions are checked

Based on real-world testing across Windows Server 2008 R2 through 2019, here are verified approaches:

Option 1: Mount Points Instead of Symlinks

For local-to-local redirection, mount points work where symlinks fail:

# Create mount point
mkdir D:\Shares\Shared\Engineering
mountvol D:\Shares\Shared\Engineering \\?\Volume{guid-from-diskpart}

Option 2: DFS Namespace Integration

Since you're already using DFS, leverage its namespace features:

# On DFS server:
dfsutil link add \\domain\sys\Engineering \\abc\def\Engineering

Option 3: Junction Points for Local Paths

When redirecting within the same server:

mklink /J D:\Shares\Shared\Engineering E:\NewStorage\Engineering

To diagnose why your specific configuration fails:

  1. Check server-side event logs (Event ID 2017 in Microsoft-Windows-SMBServer/Operational)
  2. Test with Process Monitor running to see where the resolution fails
  3. Verify the Computer Configuration > Administrative Templates > System > Filesystem > "Selectively allow the evaluation of a symbolic link" GPO setting

For large-scale migrations, consider:

  • Server-side symbolic links with robocopy mirroring
  • DFS Replication groups for seamless cutover
  • Storage Migration Service for Windows Server 2016+ environments

Here's a robust PowerShell alternative to your batch approach:

# Migrate-Folder.ps1
param(
    [string]$SourcePath,
    [string]$TargetUNC,
    [string]$ShareName
)

try {
    # Robocopy phase
    $null = robocopy $SourcePath $TargetUNC /MIR /ZB /R:1 /W:1 /LOG:C:\logs\$ShareName-migration.log
    
    # Backup original
    Rename-Item -Path $SourcePath -NewName "$($SourcePath)_old"
    
    # Create reparse point
    $null = cmd /c mklink /D $SourcePath $TargetUNC
    
    # Reapply original permissions
    icacls $SourcePath /reset /T /C
    
    Write-Host "Migration completed for $ShareName"
} catch {
    Write-Error "Migration failed: $_"
    # Add rollback logic here
}

For your specific case with DFS already in place:

  1. Create DFS links pointing to your new storage targets
  2. Update client drive mappings to use the DFS paths directly
  3. Decommission the old shares after confirming client transitions

This approach provides better long-term manageability than symlink workarounds.