The DFS Namespace reparse point for folder targets are missing in Windows Server 2008 R2

Symptoms

Consider the following scenario:
  • You have a server that is running Windows Server 2008 R2.
  • You have the DFS Namespaces role service installed on the server.
  • You have more than 1,000 folders in the domain-based namespace in Windows Server 2008 mode.
  • There's a significant number of namespace servers.
  • You have turned on Root Scalability Mode. It makes the problem more likely to happen.
  • There are clients that make DFS management API calls, maybe because the DFS Management tools are used on the field DFS servers. For details see the More Information section.
In this scenario, some DFS namespace reparse points that are in the servers root share are unexpectedly deleted during a full synchronization of the large DFS volume with the Primary Domain Controller (PDC).

Cause

This problem occurs because of an issue in the paged Lightweight Directory Access Protocol (LDAP) search query. If the server namespace contains more than 1,000 folders when the paged LDAP query reads the namespace configuration from the Active Directory domain, this query fails because of network errors, slow links, or a resource shortage on the PDC. When this problem occurs, the DFSN service mistakenly deletes the links that are not returned in the successful part of the paged LDAP query.

Resolution

This update avoids the loss of the links that are lost in the update. But it does not resolve the situation when the DFS Service starts and cannot complete populating the full list of links from Active Directory on startup. See the More Information Section for more Details.

Hotfix information

A supported hotfix is available from Microsoft Support. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, go to the following Microsoft website: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

To apply this hotfix, you must have Service Pack 1 for Windows Server 2008 R2 installed.

Restart requirement

You have to restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace any previously released hotfix.

File information

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Short-Term Workaround: Reloading the DFS namespace

When this problem occurs, you may notice that the number of Namespace folders that are left in the DFS Namespace root share is a multiple 1,000. For example, when you run the dir *.* command in the root directory, the results returned will be a multiple of 1,000 + 2.

To re-trigger reading the Active Directory configuration to re-create the missing folders, run the following command:

dfsutil root ForceSync \\contoso.com\DFSRoot

Background on LDAP Server resource shortage

There are two known issues in Windows 7 where clients might trigger DFS synchronization:When such an API call is received, the DFS server synchronizes with the PDC. If Root Scalability Mode is enabled, a full sync might be done and when many DFS servers do this at the same time, you can run into the LDAP server resource issue discussed in the Cause section.

There's a managed memory pool managed by the LDAP server that can hit limits for this query scenario. An article discusses this memory pool: How LDAP Server Cookies Are Handled.

For the purposes of domain-based DFS volumes, you can calculate MaxResultSetSize as follows to have a safe upper value for the LDAP cookie memory buffer:
(400+4*(number of links))*(number of DCs)
For example, if you have 50000 links and 100 namespace Servers, you get:
(400+4*(50000))*(100) = 20040000
You would use this value for the MaxResultSetSize in the LDAP Query Policy for the PDC.
Additional file information

References

See the terminology Microsoft uses to describe software updates for more information.
คุณสมบัติ

รหัสบทความ: 2916267 - การตรวจสอบครั้งสุดท้าย: 1 ก.ค. 2016 - ฉบับแก้ไข: 1

คำติชม