All files are conflicted on all domain controllers except the PDC Emulator when a DFSR migration of the SYSVOL share reaches the Redirected state in Windows Server 2008 or in Windows Server 2008 R2

In Windows Server 2008 or in Windows Server 2008 R2, you perform a Distributed File System Replication (DFSR) migration of the SYSVOL share. When the migration reaches the Redirected state, you may find that all files are conflicted on all domain controllers except the PDC Emulator (PDCE). 

If you examine the DFS Replication event log on any non-PDCE, you will find the following event:

Log Name: DFS Replication
Source: DFSR
Date: <Date> <Time>
Event ID: 4412
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: <Computername>
The DFS Replication service detected that a file was changed on multiple servers. A conflict resolution algorithm was used to determine the winning file. The losing file was moved to the Conflict and Deleted folder.

Additional Information:
Original File Path: C:\Windows\SYSVOL_DFSR\domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
New Name in Conflict Folder: GptTmpl-{E452C806-948A-479B-968D-472A8A33203C}-v67.inf
Replicated Folder Root: C:\Windows\SYSVOL_DFSR\domain
File ID: {D857B689-927C-4E49-ACFA-CC62D4D39B6C}-v242
Replicated Folder Name: SYSVOL Share
Replicated Folder ID: 3944EA91-A80B-404C-A234-BC7686D9870F
Replication Group Name: Domain System Volume
Replication Group ID: C59A9389-037A-4079-BBE3-C6F6F9329877
Member ID: 76CD1228-E718-4D4D-9FAD-7E774A88FADB

If you examine the following folder, you will find the copies of the conflicted files:

Even if there are no 4412 events or conflicts, you find that all files in the SYSVOL share are being replicated when they are outgoing from the PDCE when domain controllers enter the Redirected state.
This problem occurs because the ROBOCOPY process that is used during the SYSVOL migration from the Prepared state to the Redirected state incorrectly sets a NULL System Access Control List (SACL) that propagates to all files. This changes the SHA-1 file hash that is used by DFSR for file comparison between servers and then leads to the conflicts.

Typically, the conflict events occur when you run the DFSRMIG.EXE /SETGLOBALSTATE 2 command without first running the DFSRMIG.EXE /SETGLOBALSTATE 1 command.

However, the conflict events may occur when you use the following typical steps:


The unnecessary replication of files, without conflict events, always occurs when the migration reaches the Redirected state.
To avoid conflict events or the unnecessary replication of files during the migration process, install an updated version of ROBOCOPY.EXE on all domain controllers. To do this, click one of the following article numbers to view the article in the Microsoft Knowledge Base:  
979808 "Robocopy /B" does not copy the security information such as ACL in Windows 7 and in Windows Server 2008 R2

973776 The security configuration information, such as the ACL, is not copied if a backup operator uses the Robocopy.exe utility together with the /B option to copy a file on a computer that is running Windows Vista or Windows Server 2008  
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Robocopy.exe is used by the DFSR migration process for local SYSVOL seeding on individual domain controllers during the Prepared phase and on the PDC Emulator during the Redirected phase.
For more information about SYSVOL Replication migration, visit the following Microsoft website: 

Article ID: 972105 - Last Review: 01/17/2011 20:04:00 - Revision: 5.0

Windows Server 2008 Standard, Windows Server 2008 Datacenter, Windows Server 2008 Enterprise, Windows Server 2008 R2 Standard, Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Datacenter

  • kbtshoot kbsurveynew kbprb KB972105