Event ID: 13568 Source: NtFrs

Description
The File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR.

Replica set name is: "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"
Replica root path is : "c:\winnt\sysvol\domain"
Replica root volume is : "\\.\C:"
A Replica set hits JRNL_WRAP_ERROR when the record that it is trying to read from the NTFS USN journal is not found. This can occur because of one of the following reasons.

[1] Volume "\\.\C:" has been formatted.
[2] The NTFS USN journal on volume "\\.\C:" has been deleted.
[3] The NTFS USN journal on volume "\\.\C:" has been truncated. Chkdsk can truncate the journal if it finds corrupt entries at the end of the journal.
[4] File Replication Service was not running on this computer for a long time.
[5] File Replication Service could not keep up with the rate of Disk IO activity on "\\.\C:".
Setting the "Enable Journal Wrap Automatic Restore" registry parameter to 1 will cause the following recovery steps to be taken to automatically recover from this error state.
[1] At the first poll, which will occur in 5 minutes, this computer will be deleted from the replica set. If you do not want to wait 5 minutes, then run "net stop ntfrs" followed by "net start ntfrs" to restart the File Replication Service.
[2] At the poll following the deletion this computer will be re-added to the replica set. The re-addition will trigger a full tree sync for the replica set.

WARNING: During the recovery process data in the replica tree may be unavailable. You should reset the registry parameter described above to 0 to prevent automatic recovery from making the data unexpectedly unavailable if this error condition occurs again.

To change this registry parameter, run regedit.

Click on Start, Run and type regedit.

Expand HKEY_LOCAL_MACHINE.
Click down the key path:
"System\CurrentControlSet\Services\NtFrs\Parameters"
Double click on the value name
"Enable Journal Wrap Automatic Restore"
and update the value.

If the value name is not present you may add it with the New->DWORD Value function under the Edit Menu item. Type the value name exactly as shown above.
Comments
 
DC3 had several warning errors: event ID 2112, MSExchangeDSAccess and event ID 13508, NtFrs... Exchange was recently installed on DC3 when the File Replication Service errors were noticed. Both errors were related to DC2 and upon examining the event logs of DC2, errors with event id 13568 were observed. Following the steps for a non-authoritative restore of the FRS Sets on DC2 removed this error. See ME290762.
In my case these changes didn't resolve the problem
1. Stop FRS.
2. Start Registry Editor (Regedt32.exe).
3. Locate and click the following key in the registry:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters
4. On the Edit menu, click Add Value, and then add the following registry value:
   Value name: Enable Journal Wrap Automatic Restore
   Data type: REG_DWORD
   Radix: Hexadecimal
   Value data: 1 (Default 0)
5. Quit Registry Editor.
6. Restart FRS.

So I did these too:
1. Stop FRS.
2. Start Registry Editor (Regedt32.exe).
3. Locate and click the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore/Process at Startup
4. On the Edit menu, click Add Value, and then add the following registry value:
   Value name: BurFlags
   Data type: REG_DWORD
   Radix: Hexadecimal
   Value data: D2
5. Quit Registry Editor.
6. Restart FRS.
I received this error and tried the Regedit recommended. It worked for me. I created the DWORD "Enable Journal Wrap Automatic Restore" key as there was none (with default value). I stopped/started NTFRS and it did not cure the issue. I changed the DWORD value to 1 and was successful after an NTFRS stop/restart.
Performing the steps below solved my problem:
1. Expand "HKLM\System\CurrentControlSet\Services\NtFrs\Parameters"
2. Change value for "Enable Journal Wrap Automatic Restore" from 0 to 1. If the DWORD Value does not exist, create a new one with the exact spelling as above, including spaces but without the quotes.
3. Stop the NTFRS Service (open a command prompt and type "net stop ntfrs")
4. Start the NTFRS Service (net start ntfrs)
5. Monitor the File Replication Service Event Logs for events:
13553 The DC is performing the recovery process
13554 The DC is ready to pull the replica from another DC.
13516 - At this point go to step 6. (the problem is resolved if you receive this event)
6. Using a command prompt type: "net share" and look for the Netlogon and Sysvol Shares to appear. The Journal Wrap error is only fixed after the Domain Controller receives the new SYSVOL replica from a peer Domain Controller. This may take a period of time depending on where your peer DC is located and on bandwidth.
7. Change value for "Enable Journal Wrap Automatic Restore" from 1 to 0.
See the link to "Troubleshooting File Replication Service" for a complete description of this event.
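
The seven-step recovery in the comment above, scripted so that the registry value is always returned to 0 afterwards, as the event text's WARNING advises. This is an added example, not code from the commenters or from Microsoft; it assumes Windows PowerShell 3.0 or later in an elevated session on the affected DC, and the timeout and poll interval are assumed values.

```powershell
# Added example: automates steps 1-7 of the comment above. Run elevated on the affected DC.
$ErrorActionPreference = 'Stop'
$ParamKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'
$ValueName  = 'Enable Journal Wrap Automatic Restore'
$FrsLog     = 'File Replication Service'
$TimeoutMin = 120   # assumption: adjust for SYSVOL size and link bandwidth
$PollSec    = 30    # assumption: how often to re-read the FRS event log

function Set-JournalWrapRestore([int]$Data) {
    # -Force creates the DWORD if it is missing or overwrites the existing one.
    New-ItemProperty -Path $ParamKey -Name $ValueName -PropertyType DWord `
        -Value $Data -Force | Out-Null
}

$start     = Get-Date
$recovered = $false
try {
    Set-JournalWrapRestore 1            # steps 1-2
    Restart-Service -Name ntfrs         # steps 3-4 (net stop ntfrs / net start ntfrs)

    # Step 5: report 13553, 13554 and 13516 as they appear after the restart.
    $seen     = @{}
    $deadline = $start.AddMinutes($TimeoutMin)
    while (-not $seen[13516] -and (Get-Date) -lt $deadline) {
        Start-Sleep -Seconds $PollSec
        $events = Get-WinEvent -FilterHashtable @{
            LogName = $FrsLog; Id = 13553, 13554, 13516, 13568; StartTime = $start
        } -ErrorAction SilentlyContinue
        foreach ($e in $events | Sort-Object TimeCreated) {
            if (-not $seen[$e.Id]) {
                $seen[$e.Id] = $true
                Write-Host ("{0:u}  event {1}" -f $e.TimeCreated, $e.Id)
            }
        }
    }

    # Step 6: only treat the DC as recovered once both shares are published again.
    $shares = Get-CimInstance -ClassName Win32_Share |
        Where-Object { $_.Name -in 'SYSVOL', 'NETLOGON' }
    $recovered = $seen[13516] -and (@($shares).Count -eq 2)
}
finally {
    # Step 7: back to 0 so a later journal wrap does not start an unattended restore.
    Set-JournalWrapRestore 0
}
if ($recovered) { Write-Host 'Event 13516 logged and SYSVOL/NETLOGON are shared.' }
else { Write-Warning "No 13516 or shares missing after $TimeoutMin minutes; review the FRS log." }
```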


ME292438 gives information on troubleshooting Journal_Wrap errors on Sysvol and DFS Replica Sets. See ME887303 for additional information on this issue.
As per Microsoft: "FRS no longer performs an automatic non-authoritative restore if a journal wrap condition is detected. Instead, it logs an event ID 13568 message in the FRS event log to remind you to perform the operation at a convenient time. A registry key has been included to configure an automatic non-authoritative restore operation if you want to do so. However, if you configure this setting, the contents of the replica tree may be made unavailable while the restore operation is taking place". See ME321557 for more details.
After speaking with MS Technical Support, I was emailed a Q article, which did fix the problem. See ME315070 ("Event 13568 Is Logged in the File Replication Service Event Log[ntrelease]").

The Q article does not appear to be available anymore so here is the content (please note that if the article is not available anymore then it probably means that it is no longer valid or was wrong!):

Event 13568 Is Logged in the File Replication Service Event Log[ntrelease]
ID: ME315070    CREATED: 18-DEC-2001   MODIFIED: 06-AUG-2002

The information in this article applies to:
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Server
-------------------------------------------------------------------------------
[...]
SYMPTOMS
========

The following event may be logged in the File Replication service (FRS) event
log after you install Windows 2000 Service Pack 3 (SP3):

   Event Type: Warning
   Event Source: NtFrs
   Event Category: None
   Event ID: 13568
   Date: 12/12/2001
   Time: 2:03:32 PM
   User: N/A
   computer: NA-DC-01
   Description:
[... event description...]

CAUSE
=====

This error message is logged because the requested data is not available due to
the following series of events:

- FRS uses the NTFS file system journal to track changes to files and to
   folders that are in a replica tree to propagate those changes to other
   members of the replica set.

- If FRS does not record the changes, the journal wraps and FRS does not know
   which change to process next. FRS may not record the changes because:
    - FRS is off for an extended period of time.
      -or-
    - The changes are occurring faster than FRS can process them.

- To recover from this error state, FRS needs to:
    - Re-initialize the content of the replicated directory.
    - Resume tracking the NTFS journal from a known good starting point.

- To re-initialize the replica tree, FRS moves all content into the
   NTFRS_Pre-Existing folder, and then FRS rejoins the replica set by sourcing
   from an upstream partner. Based on the contents of the file, one of the
   following events occurs:
    - If a file on the upstream partner is identical to the file that is in the NTFRS_Pre-Existing folder, the local copy is moved into the replica tree.
    - If the file is different, or if new files have been added to the replica set, FRS replicates the update from the upstream partner and moves it into the replica tree.
- During this procedure, the data on that particular member becomes
   unavailable.

In Service Pack 2 (SP2), this re-initialization takes place automatically, which may take the data offline at an inopportune time. In SP3, the event is logged by default and an administrator can re-initialize the replica tree at a convenient time.

RESOLUTION
==========

[...]

To modify the default behavior, make the following changes in the registry to
instruct FRS to handle the JRNL_WRAP_ERROR status automatically:
1. Stop FRS.
2. Start Registry Editor (Regedt32.exe).
3. Locate and click the following key in the registry:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters
4. On the Edit menu, click Add Value, and then add the following registry value:
   Value name: Enable Journal Wrap Automatic Restore
   Data type: REG_DWORD
   Radix: Hexadecimal
   Value data: 1 (Default 0)
5. Quit Registry Editor.
6. Restart FRS.

If these steps do not modify the default settings and the automatic
re-initialization is not turned on, you need to manually re-initialize the
replica tree. At a convenient time, make the following changes to the registry:

1. Stop FRS.
2. Start Registry Editor (Regedt32.exe).
3. Locate and click the following key in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore/Process at Startup
4. On the Edit menu, click Add Value, and then add the following registry value:
   Value name: BurFlags
   Data type: REG_DWORD
   Radix: Hexadecimal
   Value data: D2
5. Quit Registry Editor.
6. Restart FRS.

MORE INFORMATION
================
For additional information about SP3 updates to the File Replication service,
click the article number below to view the article in the Microsoft Knowledge
Base:
   ME307319 File Replication Service Improvements in Windows 2000 SP3
