The File Replication Service has detected that the replica root path has changed from "e:\winnt\sysvol\domain" to "e:\winnt\sysvol\domain". If this is an intentional move then a file with the name NTFRS_CMD_FILE_MOVE_ROOT needs to be created under the new root path. This was detected for the following replica set: "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" Changing the replica root path is a two step process which is triggered by the creation of the NTFRS_CMD_FILE_MOVE_ROOT file.  At the first poll which will occur in 5 minutes this computer will be deleted from the replica set.  At the poll following the deletion this computer will be re-added to the replica set with the new root path. This re-addition will trigger a full tree sync for the replica set. At the end of the sync all the files will be at the new location. The files may or may not be deleted from the old location depending on whether they are needed or not.
Concepts to understand:
What is the role of File Replication Service?
What is a replica set?
In our case this issue occurred when we virtualized one of the two Windows 2003 domain controllers with VMWare converter tool. It was solved by creating the NTFRS_CMD_FILE_MOVE_ROOT file on the virtualized server and restarting the NTFRS service.
I had this event when I converted my server to VMWare ESXi (backup physical server & restored as VM). As it was the master DC and it didn't replicate to the secondary DC that I have added both running Windows Server 2008 R2.
I had to do an authoritative restore as described in ME290762.
Please verify that all File Replication services on ALL Domain Controllers are stopped before this process: open CMD (Run as Administrator) and type: net stop ntfrs for each DC:
To fix the above issue do the following:
1. Click Start, and then click Run.
2. In the Open box, type cmd and then press ENTER.
3. In the Command box, type net stop ntfrs (as mentioned above)
4. Click Start, and then click Run.
5. In the Open box, type regedit and then press ENTER.
6. Locate the following subkey in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
7. In the right pane, double click BurFlags.
8. In the Edit DWORD Value dialog box, type D4 and then click OK.
Quit Registry Editor, and then switch to the Command box.
9. In the Command box, type net start ntfrs
10. Quit the Command box.
This should fix the replica issue. If you have other DCs you should start the file replication service:
net start ntfrs
Also you may use Nonauthoritative restore for the other DCs.
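The BurFlags steps in the comment above, scripted in PowerShell as an added example (not the commenter's or Microsoft's code). The `-OtherDomainControllers` and `-Mode` parameters are hypothetical names introduced here, and the D2 value for a nonauthoritative restore is Microsoft's documented BurFlags value rather than something stated on this page.

```powershell
# Added example, not from the original page. Run elevated on the DC being restored.
param(
    # Hypothetical parameter: other DCs on which ntfrs must already be stopped.
    [string[]]$OtherDomainControllers = @(),
    # D4 is the value from the steps above; D2 (nonauthoritative) is not on the page.
    [ValidateSet('Authoritative', 'NonAuthoritative')]
    [string]$Mode = 'Authoritative'
)

$ErrorActionPreference = 'Stop'
$burFlags = @{ Authoritative = 0xD4; NonAuthoritative = 0xD2 }[$Mode]

# Refuse to continue while FRS is still running on any other DC.
# Get-Service -ComputerName exists in Windows PowerShell 5.1, not in PowerShell 7.
foreach ($dc in $OtherDomainControllers) {
    $status = (Get-Service -Name ntfrs -ComputerName $dc).Status
    if ($status -ne 'Stopped') {
        throw "ntfrs is $status on $dc; run 'net stop ntfrs' there first."
    }
}

Stop-Service -Name ntfrs -Force

# The key name contains "/", which the HKLM: registry provider treats as a path
# separator, so open the key through the .NET registry API instead.
$keyPath = 'System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($keyPath, $true)
if ($null -eq $key) { throw "Registry key not found: HKLM\$keyPath" }
try {
    $previous = $key.GetValue('BurFlags')
    $key.SetValue('BurFlags', $burFlags, [Microsoft.Win32.RegistryValueKind]::DWord)
    Write-Output ('BurFlags: 0x{0:X} -> 0x{1:X} ({2})' -f $previous, $burFlags, $Mode)
}
finally {
    $key.Close()
}

Start-Service -Name ntfrs
```

The script prints the previous BurFlags value before overwriting it, which gives a record of the change for the server's maintenance log.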
You may notice that the %SystemRoot%\Sysvol\<DomainName.com>\Policies folder and the %SystemRoot%\Sysvol\<DomainName.com>\Scripts folder are missing, or contain incomplete data. This behavior may occur if you restore the Sysvol folder, or move the Sysvol folder and then move it back to the original location. See WITP82225 and WITP82435 for details on how to solve this problem.
On a Windows 2000/2003 domain having multiple domain controllers, if one of them displays this event, you may have workstations logging on to the domain and not receiving/applying the appropriate GPOs. As ME887440 says, create a blank file named NTFRS_CMD_FILE_MOVE_ROOT in C:\winnt\sysvol\domain, and run "net stop ntfrs" and then "net start ntfrs". Allow some time (more than 10 minutes) for the system to replicate the GPOs from the primary DC. If you browse to the c:\winnt\sysvol\domain folder, you will see them being copied. The old files will be automatically copied to a subfolder called "NtFrs_PreExisting___See_EventLog". You should delete this folder ASAP after verifying that the NTFRS is working perfectly, because if this problem happens again, you will experience file name errors. See also EventID 13520 from source NtFrs.
See ME887440 for a resolution from Microsoft.
See the link to "File Replication Service Diagnostics Tool" to download FRSDiag.exe. As per Microsoft: "FRSDiag provides a graphical interface to help troubleshoot and diagnose problems with the File Replication Service (FRS). FRS is used to replicate files and folders in the SYSVOL file share on domain controllers and files in Distributed File System (DFS) targets. FRSDiag helps to gather snap-shot information about the service, perform automated tests against that data, and compile an overview of possible problems that may exist in the environment".
I also followed the directions to create the NTFRS_CMD_FILE_MOVE_ROOT file and it worked perfectly.
If the file NTFRS_CMD_FILE_MOVE_ROOT does not solve the problem and the FRS still logs the event, here is what I did to solve the problem. Copy or move the folder "domain" in “c:\winnt\sysvol\” to e.g. “c:\temp” and create a new "domain" folder. Create the file NTFRS_CMD_FILE_MOVE_ROOT in the new "domain" folder. Run “net stop ntfrs” and “net start ntfrs” and your problem should be solved.
Event ID 13552 on DFS replica members or Domain Controllers that are hosting a SYSVOL replica set occurs after you install SP3 or SP4, when there is too little space on the volume that is hosting the FRS Journal. If you are correcting this problem according to the instructions from ME819268, then a good way to make more room to your %systemdrive% is to move your Driver Cache and ServicePackFiles according to ME271484.
From a newsgroup post, this may occur when there are problems with the hard disk containing the files mentioned in the event.
From another newsgroup post: "Problem solved, I just did what the event log said to do - created a file (no extension) named NTFRS_CMD_FILE_MOVE_ROOT in c:\winnt\sysvol\domain and Windows and the FRS did the rest."
Links: File Replication Service Diagnostics Tool, EventID 13520 from source NtFrs