Microsoft KB Archive/312862

= Recovering missing FRS objects and FRS attributes in Active Directory =

Article ID: 312862

Article Last Modified on 8/8/2007


APPLIES TO


 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server




This article was previously published under Q312862



SUMMARY
File Replication service (FRS) is a multi-threaded, multi-master replication engine that replaces the LMREPL service in Microsoft Windows NT 3. and in Microsoft Windows NT 4.0. Windows 2000-based and Windows Server 2003-based domain controllers and servers use FRS to replicate system policy and logon scripts for clients that run Windows Server 2003 and earlier. You can also use FRS to replicate files and folders between Windows 2000-based and Windows Server 2003-based servers that host the same fault-tolerant Distributed File System (DFS) root or child replicas.

This article describes:
 * How the deletion of FRS objects and FRS attributes occurs.
 * How to detect missing Server-Reference attributes and member objects in SYSVOL replica sets.
 * How to repair missing attributes by using null Server-Reference attributes as an example.
 * How to repair missing objects by using missing member objects as an example.
 * How to repair missing connection objects by using existing connection objects as an example.



MORE INFORMATION
To function correctly, FRS relies on essential containers, objects, and attributes that are stored in Active Directory and that are replicated among domain controllers in a given domain. Critical objects include FRS member and subscriber objects. Required attributes (by schema class definition) and optional attributes include the Schedule attribute, the FRS-File-Filter attribute, the FRS-Folder-Filter attribute, and the FRS database location. Schema definitions define the containers or the location in which FRS objects reside. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

296183 FRS: Overview of Active Directory objects that are used by FRS

FRS supports two replica set types: DFS and SYSVOL. Dcpromo.exe indirectly creates containers, objects, and attributes for SYSVOL replica sets. The DFS snap-in (Dfsgui.msc) creates objects when you enable replication between two or more targets in a DFS Root or a DFS Link, or when you add new members to an existing FRS replica set.

The Deletion or Removal of FRS Objects and FRS Attributes
FRS objects and attributes are removed from Active Directory when you gracefully remove servers from the replica set.

For example:
 * SYSVOL: When you use Dcpromo.exe to demote a server to a member server.
 * Replicated DFS Roots, DFS Links and DFS connections: When you use Dfsgui.msc to remove the DFS Link or the DFS Root or some of the connections.

It is possible for an administrator to delete objects or containers without understanding their importance, which can have a significant negative impact on FRS.

In general, never manually delete FRS member or FRS subscriber objects and their parent containers from Active Directory unless you are reinstalling the operating system to which these objects refer.

For example:
 * In Active Directory Sites and Services, do not delete an NTDS Settings object on a domain controller (regardless of whether it is orphaned or offline). If you make the deletion, the Server-Reference attributes on the FRS member object become null; null Server-Reference attributes halt inbound and outbound replication of SYSVOL on the domain controller. This type of deletion is a common scenario.
 * Do not delete Machine Account objects for member servers or domain controllers in FRS replica sets or in their child objects.
 * Do not delete one or more member objects of a replica set.
 * Do not delete the SYSVOL NtFrsReplica container that contains the member objects for each of the domain controllers in the domain.

Detecting Null Server-Reference Attributes
When FRS replicates the contents of the SYSVOL folder, FRS uses connection objects that are located in the configuration partition of Active Directory. You can manually create these connection objects; however, KCC automatically generates the connection objects by default. An NTDS Settings object is one of two critical objects that distinguish domain controllers from other computer accounts in Active Directory. Among other things, the NTDS Settings object is the parent container for inbound connections from other domain controllers in the domain and in the forest.

The distinguished name (DN) path of the Server-Reference attribute on FRS member objects becomes null (empty) if you delete NTDS Settings objects from the Configuration partition in Active Directory. This behavior is detected or recorded by the following tools or logs:

 * The output of the ntfrsutl ds command:

<pre class="fixed_text">
MEMBER: ARRENC1
   DN   : cn=DC1,cn=domain system volume (sysvol share),cn=file replication service...
   Guid : c8b10337-4e63-402c-b4a3c1f387284b7d
   Server Ref     : (null)
   Computer Ref   : cn=DC1,ou=domain controllers,dc=a,dc=com
   Cracked Domain : a.com
   Cracked Name   : 00000002 A\DC1$
   Cracked Domain : a.com
   Cracked Name   : fffffff4 S-1-5-21-1908895637-3267214997-978106868-1105
   Computer's DNS : DC1.a.com
   WARN - DC1 lacks a settings reference
</pre>

 * Event 13562 in the FRS event log on computers that are running Service Pack 2 (SP2) or later:

<pre class="fixed_text">
Event Type: Warning
Event Source: NtFrs
Event Category: None
Event ID: 13562
Date:
Time:
User: N/A
Computer:
Description:
Following is the summary of warnings and errors encountered by File Replication service while polling the Domain Controller dc1.a.com for FRS replica set configuration information.

The nTFRSMember object cn=dc1,cn=domain system volume (sysvol share),cn=file replication service,cn=system,dc=a,dc=com has a invalid value for the attribute ServerReference.
</pre>

 * Errors in the FRS debug logs:

<pre class="fixed_text">
NtFrs_000X.log: :DS: WARN - Member (cn=DC1,cn=domain system volume (sysvol share),cn=file replication service,cn=system,dc=a,dc=com) of sysvol replica set lacks server reference; skipping
</pre>

 * The output of the ntfrsutl ds command parsed with the PERL script TOPCHK (which is available from Microsoft Product Support Services):

<pre class="fixed_text">
S E R V E R S M I S S I N G I N B O U N D C O N N E C T I O N S

The following FRS Member servers have outbound replication partners but no inbound connection objects. There could be several reasons for this:

1. There are no connection objects under the NTDS Settings object for this server. This is an error.
2. The ServerReference Attribute for this server is null. This is an error.
3. This server could be in a different domain so there will be no FRS member object for it.
4. The FRS member object may be missing. This is an error.

DEFAULT-FIRST-SITE-NAME\DC1
</pre>



Repairing the Null Server-Reference Attributes
You can use LDP.exe or ADSIedit.msc to repair missing Server-Reference attributes. These tools repair the attribute by resetting the value in the configuration naming context or partition to the distinguished name (DN) of the server's NTDS Settings object. To repair null Server-Reference attributes:

<ol>
<li>Use one of the following methods to locate the DN path of the NTDS Settings object for the computer that has the missing (null) Server-Reference attribute: <ul>
<li>In LDP or ADSIedit, copy the DN path of the NTDS Settings object from the Configuration container in the root domain of the forest to Clipboard.

-or-</li>
<li>From the domain partition of Active Directory, copy the value of the Server-Reference attribute from a healthy domain controller to Clipboard. This domain controller needs to be in the same Active Directory domain and site as the broken computer; otherwise, you have to edit the DN path.</li></ul> </li>
<li>Locate the member object that has the null Server-Reference attribute: <ol style="list-style-type: lower-alpha;">
<li>Start ADSIedit. In the Domain partition of Active Directory, locate the member object (nTFRSMember) that lacks the settings reference. The DN path is:

<pre class="fixed_text">
DN Path                                        ObjectClass
DC=A,DC=COM                                    Root Domain NC
 CN=SYSTEM,                                    Container
  CN=File Replication Service                  nTFRSSettings
   CN=Domain System Volume (SYSVOL share)      nTFRSReplicaSet
    CN=DC1                                     nTFRSMember
    CN=DC2                                     nTFRSMember
</pre>
</li>
<li>Right-click the member object that has the null Server-Reference attribute, and then click Properties.</li></ol> </li>
<li>Edit the value for the Server-Reference attribute: <ol style="list-style-type: lower-alpha;">
<li>Configure the Attributes tab in ADSIedit: <ul>
<li>Select which properties to view: Set this to OPTIONAL.</li>
<li>Select a property to view: Click the Server-Reference property.</li></ul> </li>
<li>Under Edit Attribute, paste the DN path of the NTDS Settings object from Clipboard. The DN path for an NTDS Settings object should have the following format:

CN=NTDS Settings, CN= ,CN=, CN=Sites, CN=Configuration, DC= ,DC=COM

where  is the name of the domain controller with the null Server-Reference attribute and where   is the name of the Active Directory site where that server's NTDS Settings object lives.</li>
<li>Click SET, and then confirm the value that is written to Active Directory.</li></ol> </li>
<li>Wait or force FRS to poll Active Directory:

FRS polls Active Directory at regular intervals to discover configuration changes. You can use either of the following methods to have polling occur: <ol style="list-style-type: lower-alpha;">
<li>Use the net stop ntfrs command to stop FRS, and then use the net start ntfrs command to restart FRS.

-or-</li>
<li>Use the ntfrsutl poll /now command line to force FRS to poll: <ol>
<li>Wait until the short or long polling interval expires. This is a five minute default on domain controllers.</li>
<li>FRS registers the change during its next DS polling cycle. Monitor the FRS event log for replication by using the output from the ntfrsutl sets command.</li></ol> </li></ol> </li></ol>
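
The detection and repair steps above can be run against saved ntfrsutl ds output. The following Python script is an added example, not part of the original article and not the TOPCHK script. It assumes the record layout shown in the excerpt above (a MEMBER: header followed by "label : value" lines); the sample text and all function names are constructed for illustration. It lists members whose Server Ref is (null) and, following the second method in step 1, derives a candidate value from a healthy member.

```python
import re

# Constructed sample, modelled on the ntfrsutl ds excerpt quoted in this article.
SAMPLE_DS_OUTPUT = """
MEMBER: DC1
   DN   : cn=dc1,cn=domain system volume (sysvol share),cn=file replication service,cn=system,dc=a,dc=com
   Server Ref     : (null)
   Computer Ref   : cn=dc1,ou=domain controllers,dc=a,dc=com
   Computer's DNS : DC1.a.com
   WARN - DC1 lacks a settings reference
MEMBER: DC2
   DN   : cn=dc2,cn=domain system volume (sysvol share),cn=file replication service,cn=system,dc=a,dc=com
   Server Ref     : cn=ntds settings,cn=dc2,cn=servers,cn=default-first-site-name,cn=sites,cn=configuration,dc=a,dc=com
   Computer Ref   : cn=dc2,ou=domain controllers,dc=a,dc=com
   Computer's DNS : DC2.a.com
"""

# Assumption: record headers are upper-case words directly followed by a colon
# ("MEMBER:"), while fields have a space before the colon ("Server Ref : ...").
HEADER = re.compile(r"^([A-Z]+(?: [A-Z]+)*):\s*(.*)$")
FIELD = re.compile(r"^([^:]+?)\s*:\s*(.*)$")
NTDS_REF = re.compile(r"^(cn=ntds settings,\s*cn=)[^,]+(,.+)$", re.IGNORECASE)
FIRST_CN = re.compile(r"^cn=([^,]+),", re.IGNORECASE)


def parse_members(text):
    """Return one dict per MEMBER: record, mapping field label to value."""
    members, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            current = None                    # any other record type ends the member
            if header.group(1) == "MEMBER":
                current = {"name": header.group(2)}
                members.append(current)
        elif current is not None:
            field = FIELD.match(line)
            if field:                         # lines without a colon (WARN ...) are skipped
                current[field.group(1)] = field.group(2)
    return members


def report_null_server_refs(text):
    """List members whose Server Ref is null, each with a candidate repair value."""
    members = parse_members(text)
    healthy = [m["Server Ref"] for m in members
               if NTDS_REF.match(m.get("Server Ref", ""))]
    report = []
    for m in members:
        ref = m.get("Server Ref", "").strip()
        if ref and ref != "(null)":
            continue
        # Candidate = a healthy member's value with this server's CN swapped in.
        # The host name is taken from Computer Ref (the computer account DN).
        # Only correct when both servers are in the same site; otherwise the
        # site component must be edited by hand, as the article notes.
        candidate = None
        host = FIRST_CN.match(m.get("Computer Ref", ""))
        if healthy and host:
            candidate = NTDS_REF.sub(
                lambda mo: mo.group(1) + host.group(1) + mo.group(2), healthy[0])
        report.append({"member": m["name"], "dn": m.get("DN"), "candidate": candidate})
    return report


if __name__ == "__main__":
    for entry in report_null_server_refs(SAMPLE_DS_OUTPUT):
        print(entry["member"], "->", entry["candidate"])
```

Confirm the candidate against the NTDS Settings object in the Configuration partition before you set it with ADSIedit or LDP.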

Fixing or Modifying Other Attributes:

You can use the same techniques that are described in the "Repairing the Null Server-Reference Attributes" section with any configuration objects or attributes that are used by FRS.

When you modify or repair a particular attribute, Microsoft recommends that the attributes you paste into LDP or ADSIedit during the LDAP modification procedure come from a healthy domain controller or member server.

Recovering from Deleted FRS Objects
Bulk deletions of FRS member or subscriber objects are rare; however, to recover when a bulk deletion occurs, you need to use an authoritative restore in the appropriate container. To avoid the damage that bulk deletions cause, you need to protect critical objects by having the appropriate permissions, by training administrators in the domain, and by making regular system state backups. Consider the following action plan if a restore is required:
 * 1) Create a system state backup so that you can return to the current state if necessary.
 * 2) Restore objects as deep in the Active Directory tree as possible.
 * 3) Test bulk restores in test domains that mirror your production domain.
 * 4) Test bulk restores on test production domain controllers on a private network before you introduce them back on the corporate network.

You can use LDP and ADSIedit to recover individual objects by using the same procedure that is described in the "Repairing the Null Server-Reference Attributes" section; however, in this scenario, the procedure occurs on a larger scale.

Detecting Missing FRS Member Objects
You can detect missing FRS member objects with the following tools: <ol> <li>Use the ntfrsutl sets command-line output, and then parse it with the PERL script TOPCHK:

<pre class="fixed_text">
S E R V E R S M I S S I N G I N B O U N D C O N N E C T I O N S

The following FRS member servers have outbound replication partners but no inbound connection objects. There could be several reasons for this:

1. There are no connection objects under the NTDS Settings object for this server. This is an error.
2. The ServerReference Attribute for this server is null. This is an error.
3. This server could be in a different domain so there will be no FRS member object for it.
4. The FRS member object may be missing. This is an error.

DEFAULT-FIRST-SITE-NAME\DC1
</pre>

</li> <li> The output of the ntfrsutl sets command: NOTE: There are no outbound connections in the following output.

<pre class="fixed_text">
  Servers referenced from cxtions (From List)

DEFAULT-FIRST-SITE-NAME\DC1     2       0
DEFAULT-FIRST-SITE-NAME\DC2     2       3
DEFAULT-FIRST-SITE-NAME\DC3     3       3
DEFAULT-FIRST-SITE-NAME\DC4     1       3
DEFAULT-FIRST-SITE-NAME\DC5     1       3
</pre>

</li></ol>

Recovering Deleted FRS Member Objects
All objects in Active Directory contain required attributes such as objectclass, ObjectCategory, CN, and so forth. Class definitions in the schema may define additional required attributes as well as optional attributes. Required attributes and optional attributes for FRS member objects include Server-Reference and Frs-Computer-Reference.

In the following procedure, you are using ADSIedit to re-create a deleted member object for the domain controller \\DC1 in the SYSVOL replica set of the A.COM domain where  is the name of the domain controller and   is the domain name.

NOTE: ADSIedit is the preferred tool for creating missing objects and attributes because it has a drop-down list of attributes and objects that you can use to help avoid syntax errors.

To recover a deleted FRS member object: <ol> <li>Start ADSIedit. Connect to the domain partition on a domain controller that is a member of the domain that is hosting the missing FRS member object.</li> <li> Review the required attributes and the optional attributes for a healthy member object in the same replica set.

For a SYSVOL replica set in the A.COM domain, the DN path is:

<pre class="fixed_text">
DN Path                                        ObjectClass
DC=A,DC=COM                                    Root Domain NC
 CN=SYSTEM,                                    Container
  CN=File Replication Service                  nTFRSSettings
   CN=Domain System Volume (SYSVOL share)      nTFRSReplicaSet
</pre>

NOTE: LDP is the preferred tool in this step because you can look at all of the attributes in a single screen. ADSIedit works better for small attribute sets. </li> <li>In ADSIedit, in the console tree, right-click the name of the FRS replica set to which you want to add the missing member, \\DC1, click New, and then click Object:

(CN=Domain System Volume (SYSVOL share),CN=File Replication Service...)

</li>
<li>In the Create Object Wizard, click nTFRSMember, and then click Next.</li>
<li>Type the host name of the computer (DC1 in this example) in the Value box, and then click Next.</li>
<li>Click More Attributes, and then click BOTH in the Select which properties to view list.</li>
<li>Under Edit Attribute, configure the following attributes. Click SET after each entry: <ul>
<li>Frs-Computer-Reference: <ul>
<li>Expected Value: DN path of computer account in domain NC</li>
<li>Example: CN=DC1,OU=Domain Controllers,DC=a,DC=com</li></ul> </li>
<li>InstanceType: <ul>
<li>Expected Value: 4 for SYSVOL, 2 for DFS replica sets</li>
<li>Example: 4</li></ul> </li>
<li>Server-Reference: <ul>
<li>Expected Value: DN path of NTDS Settings object from Configuration partition</li>
<li>Example: CN=NTDS Settings,CN=DC1,CN=Servers,CN=USA-CORP,CN=Sites,CN=Configuration,DC=a,DC=com</li></ul> </li></ul> </li>
<li>Update the FrsMemberReference attribute on the NtFrsSubscriber object: <ol style="list-style-type: lower-alpha;">
<li>In ADSIedit, in the console tree, navigate to the NtFrsSubscriber object for the same replica set that you used in step 2:

CN=NTFRS Subscriptions,CN=ARRENC1,OU=Domain Controllers,DC=a,DC=com

</li>
<li>Right-click NtFrsSubscriber, and then click Properties. You can view the properties in the detail pane:

CN=Domain System Volume (SYSVOL share),CN=NTFRS Subscriptions

</li>
<li>On the Attributes tab, set Select which properties to view to OPTIONAL.</li></ol> </li>
<li>Under Edit Attribute, configure the following attributes. Click SET after each entry: <ul>
<li>FrsMemberReference: <ul>
<li>Expected Value: The DN path of the FRS member object for the matching replica set, which is SYSVOL in this example.</li>
<li>Example: CN=DC1,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=a,DC=com</li>
<li>Result: Populates the fRSMemberReferenceBL attribute on the member object in:

CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=a,DC=com

</li></ul> </li></ul> </li></ol>
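
A pre-flight check for the values entered in the procedure above, written in Python as an added example that is not part of the original article. It covers SYSVOL member objects only, uses the example DNs from the steps above as test data, and its function names are illustrative.

```python
import re


def split_dn(dn):
    """Split a DN into lower-cased (type, value) pairs.

    A backslash-escaped comma is treated as part of the value, not a separator.
    """
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs


def domain_of(dn):
    """Return the DC= components of a DN as a dotted domain name."""
    return ".".join(value for kind, value in split_dn(dn) if kind == "dc")


def check_sysvol_member(member_dn, computer_ref, server_ref, subscriber_member_ref):
    """Cross-check the attribute values planned for a re-created SYSVOL member.

    Returns a list of problems; an empty list means the values agree.
    """
    errors = []
    member = split_dn(member_dn)
    computer = split_dn(computer_ref)
    server = split_dn(server_ref)
    host = member[0][1]  # for SYSVOL the member CN is the host name

    if len(member) < 2 or member[1] != ("cn", "domain system volume (sysvol share)"):
        errors.append("member object is not directly under the SYSVOL replica set")
    if computer[0] != ("cn", host):
        errors.append("Frs-Computer-Reference names a different computer")
    if domain_of(computer_ref) != domain_of(member_dn):
        errors.append("Frs-Computer-Reference is in a different domain")
    if server[0] != ("cn", "ntds settings"):
        errors.append("Server-Reference is not an NTDS Settings object")
    elif len(server) < 2 or server[1] != ("cn", host):
        errors.append("Server-Reference belongs to a different server")
    # The DC= parts of Server-Reference are not compared with the member's
    # domain: the Configuration partition is named after the forest root.
    if ("cn", "sites") not in server or ("cn", "configuration") not in server:
        errors.append("Server-Reference is not in the Configuration partition")
    if split_dn(subscriber_member_ref) != member:
        errors.append("FrsMemberReference does not point at the member object")
    return errors


# Values taken from the examples in the procedure above.
GOOD_PLAN = dict(
    member_dn="CN=DC1,CN=Domain System Volume (SYSVOL share),"
              "CN=File Replication Service,CN=System,DC=a,DC=com",
    computer_ref="CN=DC1,OU=Domain Controllers,DC=a,DC=com",
    server_ref="CN=NTDS Settings,CN=DC1,CN=Servers,CN=USA-CORP,"
               "CN=Sites,CN=Configuration,DC=a,DC=com",
    subscriber_member_ref="CN=DC1,CN=Domain System Volume (SYSVOL share),"
                          "CN=File Replication Service,CN=System,DC=a,DC=com",
)

# Constructed mistake: Server-Reference pasted from DC2 without editing.
BAD_PLAN = dict(GOOD_PLAN, server_ref="CN=NTDS Settings,CN=DC2,CN=Servers,"
                "CN=USA-CORP,CN=Sites,CN=Configuration,DC=a,DC=com")

if __name__ == "__main__":
    print(check_sysvol_member(**GOOD_PLAN))
    print(check_sysvol_member(**BAD_PLAN))
```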

Recovering deleted FRS subscriber objects
When FRS subscriber objects are missing, FRS can't perform replication for the replica set. You will see evidence of this in the following places: <ul> <li>The NtFrs_*.log report contains the message:

<FrsDsDoesUserWantReplication: 1992: 2817: S4: 11:50:24> :DS: does not have a valid subscriber object

</li> <li>When you run the Ntfrsutl ds command, the following message appears at the end of the text output:

<pre class="fixed_text">
SUBSCRIPTION: NTFRS SUBSCRIPTIONS
   DN   : cn=ntfrs subscriptions,cn=win2k-pdc,ou=domain controllers,dc=crbc-win2k,dc=d...
   Guid : 5c44b60b-8f01-48c6-8604c630a695dcdd
   Working       : f:\winnt\ntfrs
   Actual Working: f:\winnt\ntfrs
WIN2K-PDC IS NOT A MEMBER OF ANY SET!
</pre>

This message may look different for DFS replica sets.</li></ul>

Collect the following information: <ul> <li>Where is the DFS volume/replica set on the hard disk?</li> <li>Where is the staging area for this replica set?</li> <li>Where is the member object for this member? For SYSVOL, the name of the object is:

CN= ,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,dc=

For DFS volumes, the name of the object is:

CN= ,CN= ,CN= ,CN=DFS Volumes,CN=File Replication Service,CN=System,DC=

Locate this object in Active Directory Users and Computers. (Turn on Advanced Features in the View menu to see the System container.) Put the distinguished name (DN) that you get in a text file.</li>
<li>What is the GUID of the domain root object? To get the objectGUID of the domain root object, follow these steps: <ol>
<li>From a command prompt, type LDP.EXE.</li>
<li>Click Connection\Connect, and then enter the name of a domain controller in your domain.</li>
<li>Click Connection\Bind. You only need to read from Active Directory, so any valid credentials work. If you are logged on with a domain account, leave all text fields blank.</li>
<li>Click View\Tree. Make sure that the text field is empty, and then press ENTER.</li>
<li>On the right side of the LDP window, you see the attributes of the domain root object. Locate the objectGUID attribute, and then copy the GUID that is the attribute's value to a text file.</li></ol> </li></ul>

To resolve the problem of missing FRS subscriber objects, follow these steps.

Warning: If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.

<ol>
<li>Stop the NTFRS service on the computer where the object is missing.</li>
<li>Run the ADSIedit.msc tool. (This tool comes with the Windows Support Tools.) Locate the empty CN=NTFRS Subscriptions object under the computer account.</li>
<li>Go to step 4 to repair DFS objects. For SYSVOL objects, follow these steps: <ol style="list-style-type: lower-alpha;">
<li>Right-click the subscription object, and then click New\Object.</li>
<li>Click nTFRSSubscriber object. For the name, type CN = Domain System Volume (SYSVOL share).</li>
<li>For the attribute values that are required for the object, type the following, where you use the actual paths of the directories on your computer:

<pre class="fixed_text">
fRSStagingPath = F:\WINNT\SYSVOL\staging\domain
fRSRootPath = F:\WINNT\SYSVOL\domain
fRSMemberReference = CN=computer name,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,dc=your domain name
</pre>
</li></ol> </li>
<li>If no DFS objects need repair, go to step 5. To repair DFS objects, follow these steps: <ol style="list-style-type: lower-alpha;">
<li>If the object "CN=DFS Volumes" is missing, create two nTFRSSubscriptions objects. To create the first object, right-click the subscription object, and then click New\Object. Click the nTFRSSubscriptions object. For the name, type CN = DFS Volumes. Click OK.</li>
<li>If the nTFRSSubscriptions object with the GUID-name (the GUID is the objectGUID of the domain root object) is missing, create that object.</li>
<li>Create the last nTFRSSubscriptions object. Switch to the ADSIEdit snap-in, and then locate the CN=DFS Volumes that you created in step 4a.</li>
<li>Right-click the object, and then click New\Object - Select nTFRSSubscriptions. For a name, type CN =. Press ENTER.</li>
<li>Click the nTFRSSubscriptions object that you created in 4d. Right-click the new subscription object, and click New\Object - Attribute values for the object.</li>
<li>Click the nTFRSSubscriber object. For the name, type CN =. Enter the following Attribute values for the object, where you use the actual paths of the directories on your computer:

<pre class="fixed_text">
fRSStagingPath = D:\DFS-Volumes\App-Install
fRSRootPath = D:\FRS-Staging
fRSMemberReference = CN=Server name,CN=DFS volume name,CN=DFS volume name,CN=DFS Volumes,CN=File Replication Service,CN=System,DC=your domain
</pre>
</li></ol> </li>
<li>Restart the NTFRS service. Check that FRS replication is working.</li></ol>

Recovering Deleted DFS Connection Objects
<ol> <li>Use Adsiedit.msc (which ships with the Windows 2000 and Windows Server 2003 Support Tools) to locate the server that is missing the inbound connection. To do so: <ol style="list-style-type: lower-alpha;"> <li>Start Adsiedit.msc.</li> <li>Locate the following object:

cn=DFS Volumes,cn=File Replication Service, cn= ,dc=

</li> <li>Under this object, there is an entry for each DFS volume (and a second level, also). These DFS volume entries list an nTFRSMember object for each DFS member server. The name of the nTFRSMember object is a GUID, so you must view each object to determine which server it corresponds to. Right-click each nTFRSMember object, click Properties, and then click frsComputerReference.</li> <li>Record the mapping. To do so, copy and paste the Path string at the top of the dialog box, and then copy and paste the data from the Value(s) box to the same text file.</li></ol> </li> <li>Right-click the member object, click New, click Object, and then click nTDSConnection.</li> <li>Click Next, and then type the required attributes.</li> <li>For the cn value, use the name of the source server (this is just a suggestion), and then click Next.</li> <li>In the Value: field for the Options attribute, type 0, and then click Next.</li> <li> In the Value: box for the fromServer attribute, type the DN path of the NTFRS member computer (objectclass=nTFRSMember) from which this connection object will replicate changes. Or from the Windows clipboard, copy the DN path of the NTFRS member computer from which this connection object will replicate changes, paste that DN path into the Value: box for the fromServer attribute, and then click Next.

For example, you may have three domain controllers, \\DC1, \\DC2 and \\DC3 in the CORP.COM domain. All three domain controllers participate in the \\CORP.COM\DFSFT\APPS domain DFS link with the following topology: <ul> <li>\\DC1 replicates inbound changes from \\DC2</li> <li>\\DC2 replicates inbound changes from \\DC1</li> <li>\\DC3 replicates inbound changes from \\DC2</li></ul>

NOTE: The following table lists the DN path strings, followed by a corresponding list of ObjectClass values. The paths and ObjectClass values that have the same number correspond. Also note that the DN path strings are truncated with ellipses ("...") for formatting and readability.

<pre class="fixed_text">
DN Path Strings
---
1. CN=dfsft,CN=DFS Volumes,CN=File Replication Service,CN=System,DC=corp,DC=com
2.  CN=apps,CN=dfsft,CN=DFS Volumes,CN=File Replication Service,CN=System,DC=corp,DC=com
3.    CN={06f7572e-4e49-4a6e-9ce5-d3b229b591c5},CN=dfsft|apps,CN=dfsft,CN=DFS Volumes,CN=File Repl...
4.      {6ea1e456-273f-4039-970e-cd3d508fb44d},CN={06f7572e-4e49-4a6e-...},CN=dfsft|apps...
5.    CN={6ea1e456-273f-4039-970e-cd3d508fb44d},CN=dfsft|apps,CN=dfsft,CN=DFS Volumes,CN=File Repl...
6.      CN={06f7572e-4e49-4a6e-9ce5-d3b229b591c5},CN={6ea1e456-273f-4039-...},CN=dfsft|apps
7.    CN={399216f5-7b3d-4608-a579-06a012d17d23},CN=dfsft|apps,CN=dfsft,CN=DFS Volumes,CN=File Repl...
8.      CN={6a09e707-cd7f-43ce-8477-e1b2e09700b1},CN={399216f5-7b3d-4608-a579-...},CN=dfsft|apps
</pre>

<pre class="fixed_text">
ObjectClass
---
1. NTFRS Settings (DFSFT is domain DFS)
2. nTFRSReplicaSet
3. NTFRSMember (for \\DC1)
4. nTDSConnection (inbound from \\DC2)
5. NTFRSMember (for \\DC2)
6. nTDSConnection (inbound from \\DC1)
7. NTFRSMember (for \\DC3)
8. nTDSConnection (inbound from \\DC2)
</pre>

To create a second inbound connection so that \\DC3 (destination) replicates changes from \\DC1 (source), copy the full DN path of the NTFRSmember object for \\DC1

CN={06f7572e-4e49-4a6e-9ce5-d3b229b591c5},CN=dfsft|apps,CN=dfsft,CN=DFS Volumes,CN=...

into the clipboard, and then paste it into the Value: box for the fromServer attribute. </li>
<li>In the Value: box for the enabledConnection attribute, type TRUE, and then click Next.</li>
<li>Click Finish.</li></ol>

FRS picks up the connection the next time it reads its configuration from the Active Directory.

Keywords: kbinfo KB312862


© Microsoft Corporation. All rights reserved.