Microsoft KB Archive/279156

From BetaArchive Wiki

Article ID: 279156

Article Last Modified on 10/29/2007



APPLIES TO

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server



This article was previously published under Q279156

SYMPTOMS

This article describes some of the effects that occur when you set a file system policy on a disk drive or folder that has been replicated by the File Replication service (FRS). The following list describes some of the effects:

  • The revision number for the policy constantly increases. In extreme situations, the number of revisions can display hundreds or even thousands of changes.
  • FRS-replicated content is replicated excessively with no apparent change to the group policy or the files that are being replicated. In the case of System Volume (SYSVOL), an excessive number of full synchronizations of policy content occur for no apparent reason.
  • The number of files in the staging folder constantly increases, and then empties when the replication schedule opens and the replication process can occur.
  • The number of files in the staging folder constantly increases, but never empties if changes to downstream partners cannot be replicated either because of network connectivity issues or other issues.
  • The network traffic between the replication partners consumes excessive network bandwidth and FRS is selected as the source.


MORE INFORMATION

FRS is a multi-threaded, multi-master replication engine that replaces the LMRepl service in Microsoft Windows NT version 3.x and 4.0. Windows 2000-based domain controllers and servers use FRS to replicate system policy and logon scripts for Windows 2000-based and downlevel client computers that reside in SYSVOL.

FRS can also replicate content between Windows 2000-based servers that host the same fault-tolerant Distributed File System (DFS) roots or child node replicas. FRS replicates the files because of version changes or changes to permissions on files and replicated folders.

Group Policy includes an option to apply permissions to folders for users and groups selected by the administrator. To locate this setting, click Computer Configuration, click Windows Settings, click Security Settings, and then click the File System section of the policy tree. This setting provides a convenient method to apply a uniform set of permissions to a group of computers.

When you define a file system policy on SYSVOL or on FRS-replicated DFS folders explicitly, or implicitly on parent folders including the root of the drive (where inherited permissions are transferred to), FRS replicates all files in the replica set to all members of the replica set.

Windows 2000-based domain controllers apply the policy when they are restarted, during policy updates, and then at regular intervals. The policy is updated every five minutes. If no change is pending, the policy is not applied. The policy is enforced every 16 hours regardless of whether there has been a change to the policy or not. Windows 2000-based clients apply the policy every one to two hours (90 minutes, give or take 30 minutes). Administrator and program-generated changes, such as those made by a Microsoft Systems Management Server-based client that runs on a Windows 2000-based domain controller, can generate additional updates to the policy.

More computers in a replica set that apply a file system policy, combined with more frequent updates to policy, can produce more changes replicated by FRS.

To avoid the preceding symptoms, administrators must not apply a file system policy to FRS-replicated folders, particularly to those located on domain controllers, and for FRS replica sets that contain a large number of files or replica members.

To determine if there is excessive FRS replication traffic in your environment, use either of the following methods to answer the following questions:

  • Who: The name of the domain controller(s) originating the changes
  • When: What time, interval and frequency are changes taking place to files
  • Why: What type of change is being applied to files, resulting in their replication

Method 1: Search the FRS debug logs for excessive replication

  1. In Windows NT, at a command prompt, type:

    cd /d %systemroot%\debug

  2. From the %SystemRoot%\Debug folder, at a command prompt, type:

    findstr /i "contentcmd:" ntfrs_00??.log

    NOTE: Set the width of the command prompt window size to whatever is required to accommodate the output. Start with approximately 110 characters.

    The "ContentCmd:" string displays the reason that FRS replicated a file. (The addition of the ":" character is critical for the ContentCmd: string.)
  3. Examine the "findstr" output for strings that contain "Security" or "Close Security". "Security" means that the file has been replicated because of a change in permissions and "Close Security" means that the close flag has been set in the NTFS file system journal record. Under some conditions, FRS processes a journal record before it has the entry with the close flag set. The following output is an example of the output of the findstr command that displays inbound and outbound replication as being initiated because of permission changes:

    d:\>findstr /i "contentcmd:" ntfrs_00??.log
    
    ---------- D:\Winnt\Debug\NTFRS_0001.log
    <ChgOrdUpdateIDTableRecord:     1292:  8138: S4: 10:27:58> ContentCmd: 00000800, Flags [Security ]
    <ChgOrdUpdateIDTableRecord:     1292:  8138: S4: 10:27:58> ContentCmd: 00000800, Flags [Security ]
    <ChgOrdAccept:                  1376:   943: S4: 10:27:58> ContentCmd: 80000800, Flags [Close Security ]
    <ChgOrdDispatch:                1376:  6439: S4: 10:27:58> ContentCmd: 80000800, Flags [Close Security ]
    <ChgOrdAccept:                  1376:   943: S4: 10:27:58> ContentCmd: 80000800, Flags [Close Security ]
    <ChgOrdDispatch:                1376:  6439: S4: 10:27:59> ContentCmd: 80000800, Flags [Close Security ]
    <ChgOrdAccept:                  1376:   943: S4: 10:27:59> ContentCmd: 80000800, Flags [Close Security ]
    <ChgOrdDispatch:                1376:  6439: S4: 10:27:59> ContentCmd: 80000800, Flags [Close Security ]
    <ChgOrdAccept:                  1376:   943: S4: 10:27:59> ContentCmd: 80000800, Flags [Close Security ]
    <ChgOrdUpdateIDTableRecord:     1292:  8138: S4: 10:27:59> ContentCmd: 00000800, Flags [Security ]
    <ChgOrdUpdateIDTableRecord:     1292:  8138: S4: 10:27:59> ContentCmd: 00000800, Flags [Security ]
    <ChgOrdUpdateIDTableRecord:     1292:  8138: S4: 10:27:59> ContentCmd: 00000800, Flags [Security ]
    <ChgOrdAccept:                  1376:   943: S4: 10:27:59> ContentCmd: 80000800, Flags [Close Security ]

    To increase the log endurance for FRS, increase the number of log messages to 20,000 (you do not have to enter a comma in the registry entry) and the number of log files to between 20 and 50. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

    221111 Description of FRS Entries in the Registry

  4. Locate the Group Policy that is hosting the file system policy. Use the Group Policy snap-in to remove the file system policy from its host policy. Examine the buildup of files in the staging folder for any changes. If the Group Policy you want cannot be located, consider disabling all Group Policy settings, except for default domain and default domain controllers policies. After you disable all Group Policy settings, search for file system policy definitions for the domain controllers organizational unit and its parents.
  5. Note that the output from debug logs described in step 3 is identical to the "fingerprint" left by antivirus programs that perform virus scans against FRS-replicated content. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

    284947 Antivirus Problems May Modify Security Descriptors Causing Excessive Replication of FRS Data in SYSVOL and DFS

Method 2: Export the FRS OUTBOUND log with NTFRSUTL.EXE

Tables in the Jet database maintained by FRS record outstanding change orders being sent to, or received from, replication partners. The inbound log tracks changes received from upstream partners, while the outbound log records changed files destined for downstream partners. Detail in the outbound log is typically the most interesting when tracking excessive replication problems, so consider the following action plan:

  1. Install NTFRSUTL.EXE from the Windows 2000 Resource Kit.
  2. Run "ntfrsutl outlog" and pipe the output to a file.

    On a computer suspected of excessive replication, or with a large backlog in the outbound log, redirect the output of the outbound log to a file with NTFRSUTL.EXE:

    NTFRSUTL OUTLOG [COMPUTERNAME] >OUTLOG.TXT

  3. Search OUTLOG.TXT for the string "ContentCmd".

    findstr /i "contentcmd" OUTLOG.TXT

  4. Examine the findstr output.

    Examine the "findstr" output for strings that contain "Security" or "Close Security". "Security" means that the file has been replicated because of a change in permissions. "Close Security" means that the close flag has been set in the NTFS file system journal record. Under some conditions, FRS processes a journal record before it has the entry with the close flag set. The following output is an example of outbound replication being initiated because of permission changes:

    ContentCmd                   : 00008800 Flags [Info Security ]
    ContentCmd                   : 00008800 Flags [Info Security ]
    ContentCmd                   : 00008800 Flags [Info Security ]
    ContentCmd                   : 00008800 Flags [Info Security ]
    ContentCmd                   : 00008800 Flags [Info Security ]
    ContentCmd                   : 00008800 Flags [Info Security ]

    If the majority of change reasons is "Security", look for File System Policy or antivirus scans as described in item 4 and item 5 of Method 1.
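
The triage in Methods 1 and 2 can be scripted offline once the findstr or ntfrsutl output is saved to a file. The following Python is an added example, not part of the original article or of any Microsoft tool; it tallies the "why" (reason flags) and "when" (permission-driven changes per minute) from both output forms, and its function names and result keys are illustrative choices.

```python
import re
from collections import Counter

# Handles both forms shown in the article:
#   debug log: <Func:  tid:  line: S4: hh:mm:ss> ContentCmd: 80000800, Flags [Close Security ]
#   outlog   : ContentCmd                   : 00008800 Flags [Info Security ]
LINE_RE = re.compile(
    r"(?:<(?P<func>\w+):[^>]*?(?P<time>\d\d:\d\d:\d\d)>\s+)?"
    r"ContentCmd\s*:\s*(?P<cmd>[0-9A-Fa-f]{8}),?\s+Flags\s+\[(?P<flags>[^\]]*)\]"
)

def parse(lines):
    """Yield one record per ContentCmd line; all other lines are skipped."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield {"func": m["func"], "time": m["time"],
                   "cmd": int(m["cmd"], 16),
                   "flags": frozenset(m["flags"].split())}

def summarize(lines):
    """Report the reason mix and the per-minute rate of permission changes."""
    records = list(parse(lines))
    security = [r for r in records if "Security" in r["flags"]]
    # "Close" marks the journal close record rather than a separate reason,
    # so it is dropped when grouping reasons.
    reasons = Counter(" ".join(sorted(r["flags"] - {"Close"})) for r in records)
    per_minute = Counter(r["time"][:5] for r in security if r["time"])
    share = len(security) / len(records) if records else 0.0
    return {"total": len(records), "security": len(security),
            "security_share": share, "majority_security": share > 0.5,
            "reasons": dict(reasons), "per_minute": dict(per_minute)}

# Sample input: lines copied from the article's example output, header included.
SAMPLE = r"""
---------- D:\Winnt\Debug\NTFRS_0001.log
<ChgOrdUpdateIDTableRecord:     1292:  8138: S4: 10:27:58> ContentCmd: 00000800, Flags [Security ]
<ChgOrdAccept:                  1376:   943: S4: 10:27:58> ContentCmd: 80000800, Flags [Close Security ]
<ChgOrdDispatch:                1376:  6439: S4: 10:27:58> ContentCmd: 80000800, Flags [Close Security ]
<ChgOrdDispatch:                1376:  6439: S4: 10:27:59> ContentCmd: 80000800, Flags [Close Security ]
ContentCmd                   : 00008800 Flags [Info Security ]
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A high security share with a steady per-minute count that tracks the policy refresh interval points at file system policy or antivirus scanning rather than real content changes.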

Method 3: Search Gpttmpl.inf for file system policy

  1. In Windows 2000, at a command prompt, use the find command to search all Gpttmpl.inf files in the SYSVOL tree for the string "[File Security]". For example, type the following command:

    for /f "delims=" %a in ('dir /b /s drive\path\gpttmpl.inf') do @find "[File Security]" "%a"

    NOTE: The Find.exe tool is located in the %SystemRoot%\System32 folder in Windows 2000.
  2. Examine the output from the find command to locate the Gpttmpl.inf file that contains the "File Security" string. Locate the [File Security] section of the source (the Gpttmpl.inf file) for disk drive letters, environmental variables, or folders that contain FRS-replicated content. Environmental variables, such as System_drive, may be needed if SYSVOL or DFS-replicated disk drives are located on the system drive. The following data is an example of a file system policy:

    [File Security]
    "<SystemDrive>",2,"D:AR(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;BO)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)"
  3. Use the Group Policy snap-in to remove the file system policy from its host Group Policy. Examine the buildup of files in the staging folder for any changes.
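
Finding the string is only half of Method 3; the entry matters when its path is an FRS-replicated folder or a parent of one, because inherited permissions flow down from parent folders and drive roots. The following Python is an added example, not part of the original article: it reads the [File Security] section and classifies each entry against replica roots that you supply. The replica root path, the variable expansion map and the function names are assumptions for illustration.

```python
import csv
import ntpath

def file_security_entries(inf_text):
    """Yield (path, mode, sddl) rows from the [File Security] section."""
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[file security]"
        elif in_section and line and not line.startswith(";"):
            row = next(csv.reader([line], skipinitialspace=True))
            if len(row) == 3:
                yield tuple(row)

def _norm(path, variables):
    # Expand the caller-supplied variables, then normalise for comparison.
    for name, value in variables.items():
        path = path.replace(name, value)
    return ntpath.normcase(ntpath.normpath(path)).rstrip("\\")

def findings(inf_text, replicated_roots, variables):
    """Return (policy_path, mode, root, kind) for entries touching FRS content.

    kind is "explicit" when the policy path is the replicated root or inside
    it, and "inherited" when it is a parent folder, including a drive root."""
    out = []
    for path, mode, _sddl in file_security_entries(inf_text):
        p = _norm(path, variables)
        for root in replicated_roots:
            r = _norm(root, variables)
            if p == r or p.startswith(r + "\\"):
                out.append((path, mode, root, "explicit"))
            elif r.startswith(p + "\\"):
                out.append((path, mode, root, "inherited"))
    return out

# Constructed sample: the first [File Security] row is the article's example;
# the [Version] lines, the D:\Scratch row and the paths below are made up.
SAMPLE_INF = r'''
[Version]
signature="$CHICAGO$"
[File Security]
"<SystemDrive>",2,"D:AR(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;BO)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)"
"D:\Scratch",2,"D:AR(A;OICI;FA;;;BA)"
'''
ROOTS = [r"C:\Winnt\SYSVOL"]        # assumed replica root on this server
VARS = {"<SystemDrive>": "C:"}      # assumed expansion of the variable

if __name__ == "__main__":
    for finding in findings(SAMPLE_INF, ROOTS, VARS):
        print(finding)
```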


