JSI Tip 4517. Antivirus Problems May Modify Security Descriptors Causing Excessive Replication of FRS Data in Sysvol and DFS.
December 6, 2001
Microsoft Knowledge Base Article 284947 contains the following summary:
The File Replication service (FRS) is a multi-threaded, multi-master replication engine that replaces the Lmrepl service in the 3.x and 4.0 versions of Microsoft Windows NT. Microsoft Windows 2000-based domain controllers and servers use FRS to replicate system policy and logon scripts that reside in the System Volume (SYSVOL) for Windows 2000-based clients and earlier.
FRS can also replicate files and directories between Windows 2000-based servers that are members of the same fault-tolerant Distributed File System (DFS) root or link replicas.
FRS initiates replication on "closed" files in directory trees in which replication has been enabled. Events that can trigger replication include the creation or deletion of a file, a version change to an existing file, or the resetting of permissions on a file or directory. This article describes the symptoms that occur when some antivirus programs that are not FRS-compliant perform virus scans on directories that host FRS-replicated files. Additional symptoms include:
• | Files in SYSVOL and DFS shares are replicated excessivelywith no apparent change to the files in those replica sets. |
• | Files may replicate at off-peak hours, or at regularlyoccurring times if virus scans are scheduled to occur at specific times, orduring periods of low server utilization. |
• | The number of files in the staging directory constantlygrows, perhaps emptying sometime after the virus scan program completes, orafter the FRS schedule opens to allow replication. |
• | The number of files in the staging directory constantlygrows but never empties if changes to downstream partners cannot be replicatedeither because of network connectivity or an inability to process the number ofmodified files needing replication. |
• | Network traffic between replication partners is consumingexcessive network bandwidth and FRS is determined to be the responsibleservice. |
One program that is known to reset security descriptors during virus scan is Norton AntiVirus (NAV) versions 7.0 and 7.5. Other virus checking programs that modify security descriptors during virus scans will result in the same symptoms.
About the Author
You May Also Like