On Distributed File System (DFS) replica members or on domain controllers that are hosting a SYSVOL replica set, you may find an event that is similar to the following in the File Replication service (FRS) area of Event Viewer:
Event Type: Warning Event Source: NtFrs Event Category: None Event ID: 13573 Date: date Time: time User: N/A Computer: ComputerName Description: File Replication Service has been repeatedly prevented from updating
File Name :Filename.txt File GUID : 97130a43-f134-4595-88cc6c87c3d41955
due to consistent sharing violations encountered on the file. Sharing violations occur when another user or application holds a file open, blocking FRS from updating it. Blockage caused by sharing violations can result in out-of-date replicated content. FRS will continue to retry this update, but will be blocked until the sharing violations are eliminated.
Possible reasons for a sharing violation are other sources that may have opened the file to be replicated in on the target machine. To determine the full path of the file in sharing violation open the Computer Management, Shared Folders, Open Files from compmgmt.msc for the file in question and the user that has the file opened. Search for the file listed above, Right click on the file, Select the close option to forcibly close the file. Note if multiple files with the same name are held open you may need to close all or perform more detailed steps listed in the KB article to determine file with full path that matches the GUID reported in the event.
This issue may occur for either of the following reasons:
FRS cannot install a file at the destination location because it encountered a sharing violation.
FRS cannot generate the staging file to be replicated because FRS encountered a sharing violation.
A sharing violation can occur if other sources have open handles to the file to be replicated. Typically, programs that can instigate sharing violations are:
Disk optimization tools
File system policies that repeatedly apply access control list (ACL) changes
A user profile or personal data that is constantly in use that is placed on the replica set
Any other type of data that is held open for long periods by an end user, a program, or a process
To resolve this issue, use one of the following methods.
Method 1: Use the Install Override Feature
You can use the Install Override feature in Windows Server 2003 to rename the locked file. This allows FRS to replicate the file. For additional information about how to turn on this feature and use it, click the following article number to view the article in the Microsoft Knowledge Base:
816493 How to Configure the File Replication Service to Allow Fewer Sharing Violations That Block Replication
Method 2: Identify the Locked Files and Release the Handles
If you are not using Windows Server 2003 or if you do not want to turn on the Install Override feature, the only way to prevent the issue from occurring is to release the handles of the locked files. However, because the 13573 event is only reported for the number of times per hour that is specified in the Max Sharing Violation Event setting, files in the same situation may not have been reported yet. Therefore, to release the handles of all locked files, you must first identify the complete set of open files.
To track the problem in Windows 2000, download and install the fix that is documented in the following Microsoft Knowledge Base article:
815473 File Replication Service Does Not Log Errors on Sharing Violations
With this hotfix, you can set the options to control the logging of event 13573. This hotfix does not contain the "Install Override Feature" that Windows Server 2003 has.
To identify the complete set of files in the INSTALL_RETRY state, run the ntfrsutl.exe inlog command, and then look for all file entries with a state that is marked IBCO_INSTALL_RETRY. To find out the full path of the file that is being held, follow these steps:
Find out the file GUID from either the description of the event ID or from the inlog data that is retrieved. The inlog data will look similar to the following example:
Table Type : Inbound Log Table for DOMAIN SYSTEM VOLUME (SYSVOL SHARE) (1) Flags : 010000c6 Flags [VVAct Content Retry InstallInc CmpresStage ] IFlags : 00000001 Flags [IFlagVVRetireExec ] State : 0000000d CO STATE: IBCO_INSTALL_RETRY FileGuid : 36a42f7e-b3a9-494c-ae0cef2929771d6e EventTime : Thu May 29, 2003 19:13:40 FileName : Filename.txt
Convert the file GUID to a full path by using available tools or by parsing data from the IDTable entries. You can extract this data by using the ntfrsutl idtable command.
Find the Path of a File That Is Being Held Open
To find the path of a file that is being held open, follow these steps:
Obtain FRSDiag.exe, and then run it. To obtain FRSDiag.exe, visit the following Microsoft Web site:
Type the name of the target server that contains the error, or click Browse, and then locate the server.
On the Selections menu, click Uncheck All.
Click to select the IDTable Parser check box.
A file that is named FRSDiag.txt under the %USERPROFILE%\Desktop\Logs folder is created.
Look up the file GUID and the file's date in FRSDiag.txt.
After you determine which file is being held open, you can use Process Explorer from Sysinternals to find out which process has the file locked. To download Process Explorer, visit the following Sysinternals Web site:
Start Process Explorer, and then wait until all the process information is loaded.
On the Find menu, click Find Handle or DLL.
Type the path of the file (for example, type scripts\filename.txt), and then click Search.
After the process is found, double-click it, and then verify that this is the name of the file that is being held open.
End the process if you want to.
Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
The third-party products that are discussed in this article are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.
If you determine that keeping this file open is the expected behavior for your environment, either disable logging of this event, or increase or decrease the number of reported events per hour. To do this, follow these steps to edit the designated registry subkeys.
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
Value Name: Sharing Violation Retry Count Value Type: DWORD Value Range: 1 to 2000 Default value: 10 Description: Determines the frequency of sharing violation events for each change order. For example, for a value of 10, report 1 of every 10 sharing violations that are encountered by the change order.
For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
284947 Antivirus Programs May Modify Security Descriptors and Cause Excessive Replication of FRS Data in Sysvol and DFS
279156 The Effects of Setting the File System Policy on a Disk Drive or Folder Replicated by the File Replication Service
815263 Antivirus, Backup, and Disk Optimization Programs That Are Compatible with the File Replication Service