This alert rule checks whether the list of known domain names is too big to fit in the referral buffer. If the list doesn't fit, the client computer might not be able to access domain-based DFS namespaces in other domains.
This object monitors the list of known domain names maintained by a domain controller. If the list is too big to fit in the DFS client computer's cache, the domain controller logs DfsSvc event 14536 locally and generates a Warning alert. The client computer will not be able to access domain-based DFS namespaces whose domain names were omitted from the list of trusted domains that the domain controller provided to the client computer.
The cache of known domains contains all domains in the client computer's Active Directory Domain Services (AD DS) forest and all domains trusted by the client computer's domain or forest. The DFS Namespace service populates the cache on domain controllers, starting with local domains and domains that are explicitly trusted by the domain in which the client computer's account resides.
The following factors contribute to filling the cache:
- The number of domains in the client computer's forest
- The number of domains that the client computer's domain has an explicit trust relationship with
- Domains that have long names or large Unicode characters. DFS can store up to 28,000 characters in a 56-KB cache if all characters are 2-KB Unicode characters (typical for Western character sets), or as few as 14,000 characters if all characters are 4-KB Unicode characters.
Possible resolutions include:
- The administrator of DFS Namespaces can configure DFS to use DNS names for referrals, as discussed in this article in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=171029). After DFS is configured to use DNS names for referrals, you can safely ignore this monitor.
- A member of the Domain Administrators group can create explicit trusts in AD DS for important domains, reducing the likelihood that domain-based namespaces in these domains will be inaccessible.

DfsSvc Event 14536 (http://go.microsoft.com/fwlink/?LinkId=187107)
Delegate Management Permissions for DFS Namespaces (http://go.microsoft.com/fwlink/?LinkId=186531)
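
The check below is an added example, not part of the management pack: it looks for the same event the rule matches (System log, event 14536, publisher containing DfsSvc) and gives a rough size estimate for the domain-name list from the factors listed above. It assumes the ActiveDirectory module is available, counts only the UTF-16 bytes of each DNS domain name, and ignores any per-entry overhead in the referral itself.

```powershell
# Added example (not from the management pack). Run with rights to read the
# System log on the domain controller and to query AD DS.
param(
    [string]$ComputerName = $env:COMPUTERNAME,  # domain controller to check (assumption)
    [int]$CacheBytes      = 56KB                # cache size stated in the article
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. Same criteria as the rule: System log, event ID 14536, publisher contains "DfsSvc".
$events = @()
try {
    $events = @(Get-WinEvent -ComputerName $ComputerName -ErrorAction Stop -FilterHashtable @{
        LogName = 'System'; Id = 14536
    } | Where-Object { $_.ProviderName -like '*DfsSvc*' })
}
catch {
    # "No matching events" is the healthy case; anything else is a real failure.
    if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') { throw }
}

# 2. Domains that feed the list: every domain in the forest plus every trusted domain.
$names = @((Get-ADForest).Domains) +
         @(Get-ADTrust -Filter * | ForEach-Object { $_.Target })
$names = @($names | Where-Object { $_ } | Sort-Object -Unique)

# 3. UTF-16 size of the names alone (2 bytes per character, 4 for surrogate pairs).
$nameBytes = 0
foreach ($n in $names) { $nameBytes += [Text.Encoding]::Unicode.GetByteCount($n) }

[pscustomobject]@{
    DomainController = $ComputerName
    Event14536Count  = $events.Count
    LastEvent14536   = ($events | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated
    DomainCount      = $names.Count
    NameCharacters   = ($names | Measure-Object -Property Length -Sum).Sum
    NameBytesUtf16   = $nameBytes
    PercentOfCache   = [math]::Round(100 * $nameBytes / $CacheBytes, 1)
}
```

A non-zero `Event14536Count` means the domain controller has already truncated the list at least once; a high `PercentOfCache` with no events indicates the list is approaching the limit.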
Property | Value |
---|---|
Target | Microsoft.Windows.FileServer.DFSN.10.0.RoleService |
Category | Custom |
Enabled | True |
Event_ID | 14536 |
Alert Generate | True |
Alert Severity | Warning |
Alert Priority | Normal |
Remotable | True |
Alert Message | |
Event Log | System |

ID | Module Type | TypeId | RunAs |
---|---|---|---|
DS | DataSource | Microsoft.Windows.EventProvider | Default |
Alert | WriteAction | System.Health.GenerateAlert | Default |

```xml
<Rule ID="Microsoft.Windows.FileServer.DFSN.10.0.DomainReferralOverflowAlertRule" Enabled="true" Target="Microsoft.Windows.FileServer.DFSN.10.0.RoleService" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
  <Category>Custom</Category>
  <DataSources>
    <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
      <LogName>System</LogName>
      <Expression>
        <And>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value Type="UnsignedInteger">14536</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
          <Expression>
            <RegExExpression>
              <ValueExpression>
                <XPathQuery Type="String">PublisherName</XPathQuery>
              </ValueExpression>
              <Operator>ContainsSubstring</Operator>
              <Pattern>DfsSvc</Pattern>
            </RegExExpression>
          </Expression>
        </And>
      </Expression>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
      <Priority>1</Priority>
      <Severity>1</Severity>
      <AlertName/>
      <AlertDescription/>
      <AlertOwner/>
      <AlertMessageId>$MPElement[Name="Microsoft.Windows.FileServer.DFSN.10.0.DomainReferralOverflowAlertRule.AlertMessage"]$</AlertMessageId>
      <AlertParameters>
        <AlertParameter1>$Data/EventDescription$</AlertParameter1>
      </AlertParameters>
      <Suppression>
        <SuppressionValue>$Data/EventDisplayNumber$</SuppressionValue>
        <SuppressionValue>$Data/Channel$</SuppressionValue>
        <SuppressionValue>$Data/PublisherName$</SuppressionValue>
        <SuppressionValue>$Data/LoggingComputer$</SuppressionValue>
      </Suppression>
      <Custom1/>
      <Custom2/>
      <Custom3/>
      <Custom4/>
      <Custom5/>
      <Custom6/>
      <Custom7/>
      <Custom8/>
      <Custom9/>
      <Custom10/>
    </WriteAction>
  </WriteActions>
</Rule>
```