This object monitors the removal of DFS folders (links).
This rule monitors the removal of DFS folders (links) by looking for the presence of DfsSvc event 14540, and generates an Error alert if the folder removal failed.
This can occur if DFS Namespaces fails to delete the overwritten folder when a program or script uses the NetDFSMove function with the DFS_MOVE_FLAG_REPLACE_IF_EXISTS flag to move or rename a folder and overwrite any existing folders with the same name.
To resolve this issue, manually delete the DFS folder using the DFS Management snap-in or the Dfsutil link remove command.
Note: To manage a namespace, you must be a member of the Local Administrators group on each namespace server hosting the namespace or have been delegated permissions.
DFS Namespaces Event 14540 (http://go.microsoft.com/fwlink/?LinkId=186552)
Delegate Management Permissions (http://go.microsoft.com/fwlink/?LinkId=186531)
| Target | Microsoft.Windows.FileServer.DFSN.10.0.RootTarget | ||
| Category | Custom | ||
| Enabled | True | ||
| Alert Generate | True | ||
| Alert Severity | Warning | ||
| Alert Priority | Low | ||
| Remotable | True | ||
| Alert Message |
| ||
| Event Log | System |
| ID | Module Type | TypeId | RunAs |
|---|---|---|---|
| DS | DataSource | Microsoft.Windows.EventProvider | Default |
| Alert | WriteAction | System.Health.GenerateAlert | Default |
Home
<Rule ID="Microsoft.Windows.FileServer.DFSN.10.0.RootTarget.RemoveLinkFailedAlertRule" Enabled="true" Target="Microsoft.Windows.FileServer.DFSN.10.0.RootTarget" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>Custom</Category>
<DataSources>
<DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
<ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>System</LogName>
<Expression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">14540</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<RegExExpression>
<ValueExpression>
<XPathQuery Type="String">PublisherName</XPathQuery>
</ValueExpression>
<Operator>ContainsSubstring</Operator>
<Pattern>DfsSvc</Pattern>
</RegExExpression>
</Expression>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">Params/Param[1]</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">$Target/Property[Type="DFSNLib!Microsoft.Windows.FileServer.DFSN.RootTarget"]/RootName$</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
</And>
</Expression>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
<Priority>0</Priority>
<Severity>1</Severity>
<AlertName/>
<AlertDescription/>
<AlertOwner/>
<AlertMessageId>$MPElement[Name="Microsoft.Windows.FileServer.DFSN.10.0.RootTarget.RemoveLinkFailedAlertRule.AlertMessage"]$</AlertMessageId>
<AlertParameters>
<AlertParameter1>$Data/EventDescription$</AlertParameter1>
</AlertParameters>
<Suppression>
<SuppressionValue>$Data/EventDisplayNumber$</SuppressionValue>
<SuppressionValue>$Data/Channel$</SuppressionValue>
<SuppressionValue>$Data/PublisherName$</SuppressionValue>
<SuppressionValue>$Data/LoggingComputer$</SuppressionValue>
<SuppressionValue>$Data/Params/Param[1]$</SuppressionValue>
</Suppression>
<Custom1/>
<Custom2/>
<Custom3/>
<Custom4/>
<Custom5/>
<Custom6/>
<Custom7/>
<Custom8/>
<Custom9/>
<Custom10/>
</WriteAction>
</WriteActions>
</Rule>