How to Setup BranchCache


Quick and Easy BranchCache Setup.


 This article provides instructions on how to implement BranchCache.


  • Three office locations:  
    • Primary office in Atlanta (ATL).   
    • Branch offices in Chicago (CHI) and Washington D.C (DCA).
  • CHI and ATL host local file servers (i.e., hosted cache mode).
  • DCA is the only office without a dedicated file server (i.e., distributed cache mode).
  • All clients use Windows Enterprise.

Implement BranchCache:

  • Install the BranchCache Role and Feature.
  • BranchCace SSL Certificates.  
  • BranchCache Group policy.

Step 1.  Add Roles and Features.

Run the Add Roles and Features Wizard on each file server.  Install the (a) BranchCache for Network Files Role; and (b)the BranchCache Feature.
Install-WindowsFeature BranchCache -IncludeManagementTools Enable-BCHostedServer -RegisterSCP

Step 2.  Adjust Caching.

BranchCache stores files in two directories:  (a) HashCache and (b) DataCache.
File servers store file hashes in the HashCache directory.  Remote Hosted Cache servers, as well as Distributed Cache clients, use files hashes for content tracking and updates.

The DataCache directory stores content derived from the hash.  This directory contains cached remote content (i.e., files) that are served to local clients.  Both directories are stored on the system drive -not good!

Adjust the Cache Location:

netsh branchcache set publicationcache directory=D:\BranchCache\ netsh branchcache set localcache directory=D:\LocalCache\

The default HashCache size is a measly 1% of the system disk.  The Data Cache is slightly improved with 5% of total disk.  Now consider that most system drives hold less that than 100GB.  5GB does not provide enough storage to make BrachCache worthwhile.  Let's make BrachCache useful:

Adjust the Cache Size:

Netsh branchcache set publicationcachesize size=5 percent=TRUE Netsh branchcache set localcachesize size=5 percent=TRUE
Additional caching attributes will be configured via Group Policy (Step 4).

Step 3. BranchCache SSL

BranchCache SSL certificates support Windows 7 clients.  It's not necessary for organizations with only Windows 8 or Windows 10 clients.  Of course, the file server will probably require certificates for other services -just not BranchCache.
Any trusted SSL certificate will work with BranchCache.  We simply need to associate the server certificate with BranchCache:  
  1. Add a server certificate in the personal certificate directory for each  BranchCache hosted cache server (e.g., ATL and CHI).
  2. Bind the SSL certificate hash (i.e., thumbprint) to the hosted cache server.  Use the following command: NETSH HTTP ADD SSLCERT IPPORT= CERTHASH=xxxxxxxxxxx APPID={d673f5ee-a714-454d-8de2-492e4c1bd8f8}
    N.B.,  CERTHASH is the certificate's thumbprint.  Further certificate information found here.

Step 4.  Group Policy

Use Group Policies to adjust caching attributes and client settings.

Policies for the File Servers:  

Table 1.  BranchCache Policy for File Servers.

Turn on BranchCache
  Administrative Templates/
Hash Publication for BranchCache
Administrative Templates/  Network/
Value 2
(Hash publication for all shared folders).
MinContentLength Registry Key
Windows Settings/

Default caching 64KB. 
New caching 32K.
Set as low as 4KB. 

N.B., Low values may impact performance.

Policies for Windows clients:

Table 2.  BranchCache policies for Win 8 and Win 10:
Turn on BranchCache
 Administrative Templates/
Configure BranchCache for network files
Computer Configuration/
 Administrative Templates/
Enable Automatic Hosted Cache Discovery by Service Connection Point
Computer Configuration/
 Administrative Templates/
Set BranchCache Distributed Cache mode
Computer Configuration/
 Administrative Templates/
Note:  BranchCache for network files uses round trip latency.  Value 10 = 10ms.  Hosted Cache mode is for location with dedicated file servers.  Distributed Caching is for locations without dedicated file servers.

BranchCache Firewall Policies:

     BranchCache requires inbound and outbound client firewall rules.
Table 3.  BranchCache Inbound Firewall Group Policies
BranchCache Content Retrieval (HTTP-In)
Computer Configuration/
   Windows  Settings/
    Security Settings/
     Windows Firewall with
      Advanced Security/
       Inbound Rules
a. Right-click Inbound Rules. 

b. Left-click New Rule.    

c. Add predefined BranchCache rules.
BranchCache Hosted Cache Server (HTTP-In)
BranchCache Peer Discovery (WSD-In)
BranchCache Content Retrieval (HTTP-Out)
Computer Configuration/
   Windows  Settings/
    Security Settings/
     Windows Firewall with
      Advanced Security/
       Outbound Rules
a. Right-click Inbound Rules.
b. Left-click New Rule.

c. Add predefined BranchCache rules.
BranchCache Hosted Cache Clietnt (HTTP-Out)
BranchCache Hosted Cache Server (HTTP-Out)
BranchCache Peer Discovery (WSD-Out)

Optional:  BranchCache for WSUS and IIS Servers

BranchCache also accelerates content for web servers and BITS application servers.  Simply install the BranchCache feature and ensure the service is running.  No other configuration steps are necessary.  


User PowerShell and Performance monitor to ensure BranchCache works:
That's It!


Check DFSR for Backlogs


Determine if file share replication is up-to-date between shares.


DFS replication propagation reports show usually high replication times (e.g., 11 days instead of 11 seconds).  Users complain about missing data.


Use DFS diagnostic commands to check for backlogs.  Large backlogs indicate replication problems (e.g., insufficient staging size, failed pre-seeding, etc.).


C:\dfsrdiag backlog /rgname:"contoso\data\content" /rfname:Namespace-Folder /sendingmember:server1-hostname /receivingmember:server2-hostname

No Backlog - member 


DFS Namespace problems at branch offices.

Symptoms:  Some Offline Files are inaccessible from the DFS namespace.  Users may get the following errors when working on the files server from branch offices:

          “locked for editing by another user” 

Other users may get a "sync status" error, or "offline files unavailable", while connected to the LAN from the branch office.

Users may experience missing files or directories.  Workstation system error log may indicate:  

     EVENT ID:  1004
       Path \\file path transitioned to slow link with latency = 74 and bandwidth = 10580536

The problem is most like caused because of high latency between the main office and the branch office when DFS Namespace is enabled.

Windows Offline files measures for latency and sets the default threshold at 80ms for Windows 7.   When the latency from the branch office passed the Offline threshold the DFS namespace 
directory automatically transitions  to offline mode.
The Offline Files treats DFS namespace and DFS network shares separately.  A namespace can be offline while it's child directories remain online; or vice-verse.

Even worse, if a client attempts to access the target Offline, and the target is unavailable, the Windows client interprets the entire namespace as unavailable; and will attempt to open a user’s locally cached files (if they exist).  If they don't exist the user will get network unavailable or permission errors.

Here is a good explanation:

The files never properly transitioned to an online state.  Disabling the Offline Mode was the only short-term solution that seemed to correct the DFS namespace problem.  This is not practical long-term because staff may want to use the Offline File Sync.  BranchCache also has a dependency on the Offline Files service.

To resolve the cached DFS namespace must be manually deleted from the cache directory before the DFS root and the Offlies Files can run simultaneously.  There may be an easier way but these are the steps I took:
1.  Disabled Offlie Files.

2.  Installed the Windows Resource Tool, SubinACL, to allow me to take ownership of the Offline cache directories.

     SubinACL is located at

SubinACL doesn't have to be used but all files are owned by the System; manually changing ownership and permissions would take forever.

3.  From the command line:

C:\Program Files (x86)\Windows Resource Kits\tools>subinacl.exe /subdirectories c:\windows\CSC\*.* /\username

4. Manually Deleted the namespace directory from:  C:\Windows\CSC\v2.0.6\
    There may also be a directory for the local namespace file server that should be deleted as well.
After ownership has been applied the security for the user must be changed to full or modify.  Be sure to apply  the change to all child directories or the files cannot be deleted.
Things should be back to normal after a restart.
I was surprised we hadn't run into this issue earlier.  For whatever reason, latency did seem higher than usual when the problem started.  To correct the problem the Offline latency threshold limits in either the local or group policy must be set.

Local Computer Policy > Administrative Templates > Network > Offline Files > Configure slow-link mode
Because this issue can impact any staff, at branch offices, or on VPNs, I recommend this GPO when DFS namespaces are used in correlation with branch offices.  My understanding this latency group policy setting is independent from latency settings for BranchCache in Group Policy. 

Last updated  July 16th, 2013 by Steven Jordan