All files are conflicted on all domain controllers except the PDC Emulator when a DFSR migration of the SYSVOL share reaches the Redirected state in Windows Server 2008 or in Windows Server 2008 R2

Symptoms

In Windows Server 2008 or in Windows Server 2008 R2, you perform a Distributed File System Replication (DFSR) migration of the SYSVOL share. When the migration reaches the Redirected state, you may find that all files are conflicted on all domain controllers except the PDC Emulator (PDCE). 

If you examine the DFS Replication event log on any non-PDCE, you will find the following event:



If you examine the following folder, you will find the copies of the conflicted files:

%Systemroot%\Sysvol_dfsr\Sysvol\Dfsrprivate\Conflictanddeleted
Even if there are no 4412 events or conflicts, you find that all files in the SYSVOL share are being replicated when they are outgoing from the PDCE when domain controllers enter the Redirected state.

Cause

This problem occurs because the ROBOCOPY process that is used during the SYSVOL migration from the Prepared state to the Redirected state incorrectly sets a NULL System Access Control List (SACL) that propagates to all files. This changes the SHA-1 file hash that is used by DFSR for file comparison between servers and then leads to the conflicts.

Typically, the conflict events occur when you run the DFSRMIG.EXE /SETGLOBALSTATE 2 command without first running the DFSRMIG.EXE /SETGLOBALSTATE 1 command.

However, the conflict events may occur when you use the following typical steps:

DFSRMIG.EXE /SETGLOBALSTATE 1
DFSRMIG.EXE /SETGLOBALSTATE 2

The unnecessary replication of files, without conflict events, always occurs when the migration reaches the Redirected state.

Resolution

To avoid conflict events or the unnecessary replication of files during the migration process, install an updated version of ROBOCOPY.EXE on all domain controllers. To do this, click one of the following article numbers to view the article in the Microsoft Knowledge Base:  
979808 "Robocopy /B" does not copy the security information such as ACL in Windows 7 and in Windows Server 2008 R2

973776  The security configuration information, such as the ACL, is not copied if a backup operator uses the Robocopy.exe utility together with the /B option to copy a file on a computer that is running Windows Vista or Windows Server 2008  

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information

Robocopy.exe is used by the DFSR migration process for local SYSVOL seeding on individual domain controllers during the Prepared phase and on the PDC Emulator during the Redirected phase.

References

For more information about SYSVOL Replication migration, visit the following Microsoft website: 
Properties

Article ID: 972105 - Last Review: Jan 17, 2011 - Revision: 1

Windows Server 2008 Standard, Windows Server 2008 Datacenter, Windows Server 2008 Enterprise, Windows Server 2008 R2 Standard, Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Datacenter

Feedback