Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net. The EventId.Net for Splunk Add-on assumes that Splunk is collecting information from Windows servers and workstation via the Splunk Universal Forwarder.
File Replication Service has detected and suppressed an average of 15 or more file updates every hour for the last 3 hours because the updates did not change the contents of the file. The tracking records in FRS debug logs will have the filename and event time for the suppressed updates. The tracking records have the date and time followed by :T: as their prefix.
Updates that do not change the content of the file are suppressed to prevent unnecessary replication traffic. Following are common examples of updates that do not change the contents of the file.
 Overwriting a file with a copy of the same file.
 Setting the same ACLs on a file multiple times.
 Restoring an identical copy of the file over an existing one.
Suppression of updates can be disabled by running regedit.
Click on Start, Run and type regedit.
Expand HKEY_LOCAL_MACHINE, SYSTEM, CurrentControlSet, Services, NtFrs, Parameters, and create or update the value "Suppress Identical Updates To Files" to 0 (Default is 1) to force identical updates to replicate.
|English: Request a translation of the event description in plain English.|
|Concepts to understand:|
What is the role of File Replication Service?
Event 13567 in the FRS event log is generated on computers running Windows 2000 SP3 when unnecessary file change activity is detected. Unnecessary file change activity means that a file has been written by some user or application, but no change is actually made to the file. FRS detects that the file has not changed, and maintains a count of how often this happens. If the condition is detected more than 15 times per hour during a three-hour period, FRS logs the 13567 event. See the link to "Troubleshooting File Replication Service" for details.
As per ME315045, FRS event id 13567 is recorded in the File replication Service event log after you install Service Pack 3. FRS was updated in SP3 to detect and suppress duplicate updates. This conserves network bandwidth. Event 13567 is logged to inform the administrator that this suppression has occurred.
Se ME815263 for a list of antivirus, backup, and disk optimization programs that are compatible with the File Replication Service.
The hotfixes for this are included in Windows 2000 Service Pack 4.
This event may be caused by antivirus software or defrag programs marking files in the sysvol folder. I have experienced this error when using Diskeeper version 6, to stop the error add the sysvol folder to diskeepers file/folder exclusion list.
If you have a group policy applying to your DCs which sets file permissions on the sysvol folder, sysvol replication will be unpredictable and you will get this error in your logs. The group policy tries to refresh the ACLS on all the sysvol files every five minutes. The File Replication Service registers this as a change - so every DC thinks it has to replicate the full sysvol share every five minutes. See ME279156.
Possible an NTFS replication storm.
There is a hotfix from Microsoft that is related to this issue, see ME307319 and ME321557.
|Private comment: Subscribers only. See example of private comment|
|Links: ME279156, ME307319, ME315045, ME321557, ME815263, Troubleshooting File Replication Service|
|Search: Google - Bing - Microsoft - Yahoo - EventID.Net Queue (0) - More links...|
Send comments or solutions
- Notify me when updated