This monitor checks whether the DFS Replication service on the monitored computer encountered frequent NTFS change journal wraps.
This monitor may be triggered if the NTFS change journal has wrapped two or more times per day for the specified volume. Consider increasing the size configured for the NTFS change journal on this volume.
The NTFS change journal is required by the DFS Replication service so that it can keep track of changes occurring to the contents of the replicated folder. This helps it replicate changed files to the replication partners in that replication group.
The service may register this event if it detects that the NTFS change journal has wrapped on the specified volume. A journal wrap may occur for any of the following reasons:
The change journal on the specified volume has been truncated. Chkdsk may truncate the change journal if it finds corrupt entries at the end of the journal. The chkdsk operation may have been triggered if the volume was not cleanly dismounted or if the computer shut down abruptly in the recent past.
The DFS Replication service was not running on this computer for an extended period of time.
The DFS Replication service could not keep up with the rate of file changes on the volume.
No user action is required.
The DFS Replication service will automatically initiate a journal wrap recovery process.
If you see this event being registered frequently, perform the following actions:
Ensure that the DFS Replication service is not stopped for extended periods on replication group members.
If the rate of change to replicated files is very high on the affected volume, you may need to increase the size configured for the change journal. Increasing the USN journal size, and thus the number of changes that it can hold before the journal "wraps", decreases the possibility that USN journal wraps will occur.
To modify the USN change journal size
The USN journal size can be changed by setting the registry key: HKLM\System\CCS\Services\NTFRS\Parameters\"Ntfs Journal size in MB" (REG_DWORD)
Valid settings range from 8 to 128 megabytes (MB) with a default of 32 MB. This setting applies to all volumes that are hosting a DFSR replicated folder.
After changing the registry setting, stop and then restart the DFS Replication service. To do so from the Operations console, click the Stop DFS Replication Service task, and then click the Start DFS Replication Service task.
Decreases to the USN journal size can only be made by reformatting all volumes that contain DFS replicated content.
As a guideline, Microsoft recommends configuring 128 MB of journal per 100,000 files replicated on that volume.
| Target | Microsoft.Windows.DfsReplication.Volume | ||
| Parent Monitor | System.Health.ConfigurationState | ||
| Category | StateCollection | ||
| Enabled | True | ||
| Alert Generate | True | ||
| Alert Severity | Warning | ||
| Alert Priority | Normal | ||
| Alert Auto Resolve | True | ||
| Monitor Type | Microsoft.Windows.RepeatedEventLogSingleEventLog2StateMonitorType | ||
| Remotable | True | ||
| Accessibility | Public | ||
| Alert Message |
| ||
| RunAs | Default |
Home<UnitMonitor ID="Microsoft.Windows.DfsReplication.FrequentChangeJournalWrapsMonitor" Accessibility="Public" Enabled="true" Target="Microsoft.Windows.DfsReplication.Volume" ParentMonitorID="Health!System.Health.ConfigurationState" Remotable="true" Priority="Normal" TypeID="Windows!Microsoft.Windows.RepeatedEventLogSingleEventLog2StateMonitorType" ConfirmDelivery="true">
<Category>StateCollection</Category>
<AlertSettings AlertMessage="Microsoft.Windows.DfsReplication.FrequentChangeJournalWrapsMonitor_AlertMessageResourceID">
<AlertOnState>Warning</AlertOnState>
<AutoResolve>true</AutoResolve>
<AlertPriority>Normal</AlertPriority>
<AlertSeverity>Warning</AlertSeverity>
</AlertSettings>
<OperationalStates>
<OperationalState ID="RepeatedEventRaised" MonitorTypeStateID="RepeatedEventRaised" HealthState="Warning"/>
<OperationalState ID="EventRaised" MonitorTypeStateID="EventRaised" HealthState="Success"/>
</OperationalStates>
<Configuration>
<ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>DFS Replication</LogName>
<Expression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">PublisherName</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">DFSR</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<Or>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">1004</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">1104</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">Params/Param[1]</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">$Target/Property[Type="Microsoft.Windows.DfsReplication.Volume"]/VolumeGUID$</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<Or>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">2206</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">2208</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">2002</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">2008</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">2010</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</Or>
</Expression>
</And>
</Expression>
</Or>
</Expression>
</And>
</Expression>
<RepeatedComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</RepeatedComputerName>
<RepeatedLogName>DFS Replication</RepeatedLogName>
<RepeatedExpression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">2202</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">PublisherName</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">DFSR</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">Params/Param[1]</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">$Target/Property[Type="Microsoft.Windows.DfsReplication.Volume"]/VolumeGUID$</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</And>
</RepeatedExpression>
<Consolidator>
<ConsolidationProperties>
<PropertyXPathQuery>EventDisplayNumber</PropertyXPathQuery>
<PropertyXPathQuery>PublisherName</PropertyXPathQuery>
<PropertyXPathQuery>LoggingComputer</PropertyXPathQuery>
</ConsolidationProperties>
<TimeControl>
<WithinTimeSchedule>
<Interval>86400</Interval>
</WithinTimeSchedule>
</TimeControl>
<CountingCondition>
<Count>2</Count>
<CountMode>OnNewItemTestOutputRestart_OnTimerRestart</CountMode>
</CountingCondition>
</Consolidator>
</Configuration>
</UnitMonitor>