T 4.68 Disruptions in an Active Directory due to unnecessary file replication

Since the introduction of the Windows 2000 Server operating system, domain controllers have used the File Replication Service (FRS) to replicate system policies and login scripts for the clients in an organisation's network.

Furthermore, FRS is also used to replicate the data of fault-tolerant shares in the Distributed File System (DFS) between servers running Windows 2000 Server and higher versions.

The FRS service monitors "File Close" events of the NTFS file system for all directories and files to be replicated via FRS so it can trigger replication at a suitable time. In this case, "File Close" events are triggered by certain file operations, such as deleting or creating files or changing file and directory permissions.

Software used for system administration, such as backup programs or virus protection programs, can trigger an unnecessary replication if it accesses files and directories monitored by the FRS service improperly. All files pending replication are collected in a folder referred to as the staging folder before replication is actually performed.

The following are possible signs of an unnecessary replication in the system environment:

Example:

One organisation uses a virus protection program that, due to errors in its implementation, triggers the "File Close" event every time a file is accessed. The organisation's computer virus protection concept specifies that the virus scanning program must be started on the servers at regular intervals to perform a full scan of all files.

The incorrect handling of the "File Close" event triggers replication for every file, and with it an unintended full synchronisation of all files and directories between the servers and domain controllers in the organisation.

The data traffic resulting from synchronisation can restrict access to the organisation's resources to such an extent that proper operation can no longer be guaranteed. This applies especially to branch offices that are connected to headquarters over links with relatively low bandwidth.
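The staging folder described above can be watched for the burst that such a full scan produces. The following PowerShell script is an added example, not part of the original catalogue entry: it samples a staging folder at intervals, flags sudden growth, and estimates how long the staged data would occupy a slow link. The staging path, the growth threshold and the link speed are assumptions that must be set for the environment.

```powershell
# Added example: sample an FRS staging folder and flag bursts of pending replication.
# All parameter values are assumptions; pass the staging folder of the replica set to check.
param(
    [Parameter(Mandatory = $true)][string]$StagingPath,
    [int]$IntervalSeconds = 60,
    [int]$Samples = 10,
    [long]$GrowthThresholdBytes = 100MB,   # assumed alert threshold per interval
    [double]$LinkKbps = 2048               # assumed branch-office link speed
)

function Get-StagingSnapshot {
    param([string]$Path)
    # -Force includes hidden files; -ErrorAction Stop fails loudly on a wrong path.
    $files = @(Get-ChildItem -LiteralPath $Path -File -Force -ErrorAction Stop)
    $bytes = ($files | Measure-Object -Property Length -Sum).Sum
    if ($null -eq $bytes) { $bytes = 0 }   # empty folder: no sum is returned
    [pscustomobject]@{
        Time  = Get-Date
        Files = $files.Count
        Bytes = [long]$bytes
    }
}

$previous = Get-StagingSnapshot -Path $StagingPath
for ($i = 1; $i -le $Samples; $i++) {
    Start-Sleep -Seconds $IntervalSeconds
    $current = Get-StagingSnapshot -Path $StagingPath
    $delta   = $current.Bytes - $previous.Bytes
    # Rough estimate: minutes needed to push the staged data once over the assumed link.
    $transferMinutes = [math]::Round(($current.Bytes * 8) / ($LinkKbps * 1000) / 60, 1)
    $status = if ($delta -ge $GrowthThresholdBytes) { 'BURST' } else { 'ok' }
    [pscustomobject]@{
        Time            = $current.Time
        Files           = $current.Files
        StagedMB        = [math]::Round($current.Bytes / 1MB, 1)
        GrowthMB        = [math]::Round($delta / 1MB, 1)
        TransferMinutes = $transferMinutes
        Status          = $status
    }
    $previous = $current
}
```

Comparing a run taken during the scheduled full virus scan with a run taken at a quiet time shows whether the scanner is what fills the staging folder.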