Group Policy Preferences items take a long time to apply because of full DFS namespace sync

Applies to: Windows 8.1 EnterpriseWindows 8.1 ProWindows 8.1

Symptoms


Consider the following scenario:
  • You have an environment that uses Group Policy Preferences items that use files, folders or shortcuts.
  • The items are accessed from Windows 8.1, Windows Server 2012 R2, Windows 7 Service Pack 1 (SP1), or Windows Server 2008 R2 SP1 through a domain-based Distributed File System (DFS) share.

In this scenario, it takes longer than expected to apply a Group Policy setting. You may also see delays when you examine the logging in the Gpsvc.log file. These delays do not occur when the file server behind the DFS namespace is used by a particular client.

Additionally, the following behavior may occur:
  • When you view the network traces of the slow transactions, you notice that a NetrDfsGetInfo or dfs_GetInfo DFS API request takes longer than expected to finish.
  • You view the processing of the request at the DFS server. Most of the time, this should be the local domain controller. You find that there is a delay in communicating with the primary domain controller (PDC) of the domain. There are two basic reasons why a delay occurs:
    • Reason 1: When the DFS volume has many links and the PDC is attached over a low-bandwidth WAN link, it can take a long time to retrieve the data that the local domain controller requests by using the LDAP protocol.

      The combined load of all domain controllers in a large domain against the PDC might become so large, the connection to the PDC fails, and the DFS API does not respond with a valid path. When this occurs, the Group Policy Preferences item is not applied after the delay. For more information, see the "More Information" section.

    • Reason 2: When the domain controller cannot reach the PDC, it spends significant time retrying a connection to it.

Cause


This problem occurs when the real location of a path in a DFS volume is being determined. The Group Policy Preferences client-side extension contacts the DFS service through a NetDfsGetInfo call. It does this because the domain controller makes sure that the NetDfsGetInfo call has the most current information on the DFS volume and queries the PDC for it. The NetDfsGetInfo call does not have prerequisites, but is considered a management API.

Resolution


To resolve this issue in Windows 8.1 and Windows Server 2012 R2, install update 2967917. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
2967917 July 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2
To resolve this issue in Windows 7 and Windows Server 2008 R2, install the hotfix that is described in the "Hotfix information" section in this article.

Hotfix information

A supported hotfix is available from Microsoft Support. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, go to the following Microsoft website: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

To apply this hotfix, you must have Service Pack 1 for Windows 7 or Windows Server 2008 R2 installed.

Restart requirement

You must restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace any previously released hotfix.

Workaround


To work around this problem, disable RootScalability mode. The DFS server then uses the PDC to synchronize. However, it will use incremental synchronization to the PDC, and this is typically much faster. To do this, run the following command:

dfsutil /root:\\domain\dfsroot /RootScalability /Enable
For more information, click the following article number to view the article in the Microsoft Knowledge Base:

305027 Summary of "piling on" scenarios in Active Directory domains

Status


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information


With this hotfix installed, Group Policy Preferences does not rely on NetDfs API any longer than is required for the DFS service to contact the PDC. Group Policy Preferences uses a different method that builds on the DFS Get Referral SMB command. Learn more about how DFS works on the Microsoft TechNet website.

If you experience this combination of GPP and DFS Service behavior, we recommend that you apply this update on all computers where users who have GPP items typically log on. This generally applies to all workstations and Remote Desktop servers.

The problem is that the user profile links are missing after the update is already addressed by an update for DFS Service:

2916267 The DFS Namespace reparse point for folder targets are missing in Windows Server 2008 R2

Note This update does not resolve the performance problem behind the PDC dependency.

A similar problem that occurs roaming profiles are used on file servers that are accessed through a DFS namespace, as described in the following  Microsoft Knowledge Base article:

2915094 Profile loading takes a long time due to full DFS namespace sync with PDC

References


Learn about the terminology that Microsoft uses to describe software updates.