Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 13567 Source: Ntfrs

Source
Level
Description
File Replication Service has detected and suppressed an average of 15 or more file updates every hour for the last 3 hours because the updates did not change the contents of the file. The tracking records in FRS debug logs will have the filename and event time for the suppressed updates. The tracking records have the date and time followed by :T: as their prefix.

Updates that do not change the content of the file are suppressed to prevent unnecessary replication traffic. Following are common examples of updates that do not change the contents of the file.

[1] Overwriting a file with a copy of the same file.
[2] Setting the same ACLs on a file multiple times.
[3] Restoring an identical copy of the file over an existing one.

Suppression of updates can be disabled by running regedit.

Click on Start, Run and type regedit.

Expand HKEY_LOCAL_MACHINE, SYSTEM, CurrentControlSet, Services, NtFrs, Parameters, and create or update the value "Suppress Identical Updates To Files" to 0 (Default is 1) to force identical updates to replicate.
Comments
 
Event 13567 in the FRS event log is generated on computers running Windows 2000 SP3 when unnecessary file change activity is detected. Unnecessary file change activity means that a file has been written by some user or application, but no change is actually made to the file. FRS detects that the file has not changed, and maintains a count of how often this happens. If the condition is detected more than 15 times per hour during a three-hour period, FRS logs the 13567 event. See the link to "Troubleshooting File Replication Service" for details.
As per ME315045, FRS event id 13567 is recorded in the File replication Service event log after you install Service Pack 3. FRS was updated in SP3 to detect and suppress duplicate updates. This conserves network bandwidth. Event 13567 is logged to inform the administrator that this suppression has occurred.

Se ME815263 for a list of antivirus, backup, and disk optimization programs that are compatible with the File Replication Service.
The hotfixes for this are included in Windows 2000 Service Pack 4.
This event may be caused by antivirus software or defrag programs marking files in the sysvol folder. I have experienced this error when using Diskeeper version 6, to stop the error add the sysvol folder to diskeepers file/folder exclusion list.
If you have a group policy applying to your DCs which sets file permissions on the sysvol folder, sysvol replication will be unpredictable and you will get this error in your logs. The group policy tries to refresh the ACLS on all the sysvol files every five minutes. The File Replication Service registers this as a change - so every DC thinks it has to replicate the full sysvol share every five minutes. See ME279156.


Possible an NTFS replication storm.
There is a hotfix from Microsoft that is related to this issue, see ME307319 and ME321557.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net.

Read more...

 

Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.

Read more...