Home
  •  

DFS-R: NTFS Change Journal Wrap Frequency

Microsoft.Windows.FileServer.DFSR.FrequentChangeJournalWrapsMonitor (UnitMonitor)

This object monitors the NTFS change journal and creates a Warning alert if the journal wraps (overwrites old journal entries) twice in the past 24 hours on a volume hosting a replicated folder.

Knowledge Base article:

Summary

This object monitors the NTFS change journal and creates a Warning alert if the journal wraps (overwrites old journal entries) twice in the past 24 hours on a volume hosting a replicated folder.

Causes

An unhealthy state of this monitor indicates that the NTFS change journal wrapped twice in the past 24 hours on a volume hosting a replicated folder. A journal wrap occurs when the change journal cannot store all entries and must overwrite old journal entries. This can occur for the following reasons:

Resolutions

Wait for NTFS change journal recovery to complete

No action is required.

DFS Replication automatically initiates a journal recovery process.

Important Ensure that the DFS Replication service is not stopped for extended periods on replication group members.

Increase the size of the NTFS change journal

If the rate of change to replicated files is very high on the affected volume, increase the size of the change journal. Increasing the USN journal size, and thus the number of changes that it can hold before the journal "wraps," decreases the possibility that USN journal wraps will occur.

To increase the USN change journal size, contact Microsoft Customer Service and Support (http://support.microsoft.com).

Verification

This monitor automatically resets to a healthy state after recovering from the NTFS change journal recovery.

Additional

Change Journals (http://go.microsoft.com/fwlink/?LinkId=187090)

Element properties:

TargetMicrosoft.Windows.FileServer.DFSR.Volume
Parent MonitorSystem.Health.ConfigurationState
CategoryStateCollection
EnabledTrue
Alert GenerateTrue
Alert SeverityWarning
Alert PriorityNormal
Alert Auto ResolveTrue
Monitor TypeMicrosoft.Windows.RepeatedEventLogSingleEventLog2StateMonitorType
RemotableTrue
AccessibilityPublic
Alert Message
DFS-R: Frequent Change Journal Wraps on Volume Hosting a Replicated Folder
DFS Replication detected at least two journal wraps in the past 24 hours in the NTFS change journal for a volume hosting a replicated folder, and is automatically recovering. A journal wrap occurs when the change journal cannot store all entries and must overwrite old journal entries.
Additional Information:
Volume: {0}
GUID: {1}
RunAsDefault

Source Code:

<UnitMonitor ID="Microsoft.Windows.FileServer.DFSR.FrequentChangeJournalWrapsMonitor" Accessibility="Public" Enabled="true" Target="Microsoft.Windows.FileServer.DFSR.Volume" ParentMonitorID="Health!System.Health.ConfigurationState" Remotable="true" Priority="Normal" TypeID="Windows!Microsoft.Windows.RepeatedEventLogSingleEventLog2StateMonitorType" ConfirmDelivery="true">

  <Category>StateCollection</Category>

  <AlertSettings AlertMessage="Microsoft.Windows.FileServer.DFSR.FrequentChangeJournalWrapsMonitor_AlertMessageResourceID">

    <AlertOnState>Warning</AlertOnState>

    <AutoResolve>true</AutoResolve>

    <AlertPriority>Normal</AlertPriority>

    <AlertSeverity>Warning</AlertSeverity>

    <AlertParameters>

      <AlertParameter1>$Data/Context/Params/Param[2]$</AlertParameter1>

      <AlertParameter2>$Data/Context/Params/Param[1]$</AlertParameter2>

    </AlertParameters>

  </AlertSettings>

  <OperationalStates>

    <OperationalState ID="RepeatedEventRaised" MonitorTypeStateID="RepeatedEventRaised" HealthState="Warning"/>

    <OperationalState ID="EventRaised" MonitorTypeStateID="EventRaised" HealthState="Success"/>

  </OperationalStates>

  <Configuration>

    <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>

    <LogName>DFS Replication</LogName>

    <Expression>

      <And>

        <Expression>

          <SimpleExpression>

            <ValueExpression>

              <XPathQuery Type="String">PublisherName</XPathQuery>

            </ValueExpression>

            <Operator>Equal</Operator>

            <ValueExpression>

              <Value Type="String">DFSR</Value>

            </ValueExpression>

          </SimpleExpression>

        </Expression>

        <Expression>

          <Or>

            <Expression>

              <SimpleExpression>

                <ValueExpression>

                  <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>

                </ValueExpression>

                <Operator>Equal</Operator>

                <ValueExpression>

                  <Value Type="UnsignedInteger">1004</Value>

                </ValueExpression>

              </SimpleExpression>

            </Expression>

            <Expression>

              <SimpleExpression>

                <ValueExpression>

                  <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>

                </ValueExpression>

                <Operator>Equal</Operator>

                <ValueExpression>

                  <Value Type="UnsignedInteger">1104</Value>

                </ValueExpression>

              </SimpleExpression>

            </Expression>

            <Expression>

              <And>

                <Expression>

                  <SimpleExpression>

                    <ValueExpression>

                      <XPathQuery Type="String">Params/Param[1]</XPathQuery>

                    </ValueExpression>

                    <Operator>Equal</Operator>

                    <ValueExpression>

                      <Value Type="String">$Target/Property[Type="Microsoft.Windows.FileServer.DFSR.Volume"]/VolumeGUID$</Value>

                    </ValueExpression>

                  </SimpleExpression>

                </Expression>

                <Expression>

                  <Or>

                    <Expression>

                      <SimpleExpression>

                        <ValueExpression>

                          <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>

                        </ValueExpression>

                        <Operator>Equal</Operator>

                        <ValueExpression>

                          <Value Type="UnsignedInteger">2206</Value>

                        </ValueExpression>

                      </SimpleExpression>

                    </Expression>

                    <Expression>

                      <SimpleExpression>

                        <ValueExpression>

                          <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>

                        </ValueExpression>

                        <Operator>Equal</Operator>

                        <ValueExpression>

                          <Value Type="UnsignedInteger">2208</Value>

                        </ValueExpression>

                      </SimpleExpression>

                    </Expression>

                    <Expression>

                      <SimpleExpression>

                        <ValueExpression>

                          <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>

                        </ValueExpression>

                        <Operator>Equal</Operator>

                        <ValueExpression>

                          <Value Type="UnsignedInteger">2002</Value>

                        </ValueExpression>

                      </SimpleExpression>

                    </Expression>

                    <Expression>

                      <SimpleExpression>

                        <ValueExpression>

                          <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>

                        </ValueExpression>

                        <Operator>Equal</Operator>

                        <ValueExpression>

                          <Value Type="UnsignedInteger">2008</Value>

                        </ValueExpression>

                      </SimpleExpression>

                    </Expression>

                    <Expression>

                      <SimpleExpression>

                        <ValueExpression>

                          <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>

                        </ValueExpression>

                        <Operator>Equal</Operator>

                        <ValueExpression>

                          <Value Type="UnsignedInteger">2010</Value>

                        </ValueExpression>

                      </SimpleExpression>

                    </Expression>

                  </Or>

                </Expression>

              </And>

            </Expression>

            <Expression>

              <And>

                <Expression>

                  <SimpleExpression>

                    <ValueExpression>

                      <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>

                    </ValueExpression>

                    <Operator>Equal</Operator>

                    <ValueExpression>

                      <Value Type="UnsignedInteger">9111</Value>

                    </ValueExpression>

                  </SimpleExpression>

                </Expression>

                <Expression>

                  <RegExExpression>

                    <ValueExpression>

                      <XPathQuery Type="String">Params/Param[2]</XPathQuery>

                    </ValueExpression>

                    <Operator>ContainsSubstring</Operator>

                    <Pattern>$Target/Property[Type="System!System.Entity"]/DisplayName$</Pattern>

                  </RegExExpression>

                </Expression>

              </And>

            </Expression>

          </Or>

        </Expression>

      </And>

    </Expression>

    <RepeatedComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</RepeatedComputerName>

    <RepeatedLogName>DFS Replication</RepeatedLogName>

    <RepeatedExpression>

      <And>

        <Expression>

          <SimpleExpression>

            <ValueExpression>

              <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>

            </ValueExpression>

            <Operator>Equal</Operator>

            <ValueExpression>

              <Value Type="UnsignedInteger">2202</Value>

            </ValueExpression>

          </SimpleExpression>

        </Expression>

        <Expression>

          <SimpleExpression>

            <ValueExpression>

              <XPathQuery Type="String">PublisherName</XPathQuery>

            </ValueExpression>

            <Operator>Equal</Operator>

            <ValueExpression>

              <Value Type="String">DFSR</Value>

            </ValueExpression>

          </SimpleExpression>

        </Expression>

        <Expression>

          <SimpleExpression>

            <ValueExpression>

              <XPathQuery Type="String">Params/Param[1]</XPathQuery>

            </ValueExpression>

            <Operator>Equal</Operator>

            <ValueExpression>

              <Value Type="String">$Target/Property[Type="Microsoft.Windows.FileServer.DFSR.Volume"]/VolumeGUID$</Value>

            </ValueExpression>

          </SimpleExpression>

        </Expression>

      </And>

    </RepeatedExpression>

    <Consolidator>

      <ConsolidationProperties>

        <PropertyXPathQuery>EventDisplayNumber</PropertyXPathQuery>

        <PropertyXPathQuery>PublisherName</PropertyXPathQuery>

        <PropertyXPathQuery>LoggingComputer</PropertyXPathQuery>

      </ConsolidationProperties>

      <TimeControl>

        <WithinTimeSchedule>

          <Interval>86400</Interval>

        </WithinTimeSchedule>

      </TimeControl>

      <CountingCondition>

        <Count>2</Count>

        <CountMode>OnNewItemTestOutputRestart_OnTimerRestart</CountMode>

      </CountingCondition>

    </Consolidator>

  </Configuration>

</UnitMonitor>