none
DFSN-Server ID 516 Flooding Event Log

    Question

  • Good Day,

     Since setting up a Server 2012 server as a DFS root the Administrative Events log is getting flooded with DFSN-Server ID 516 warning events. We have multiple name spaces and we get a message for each every 15 minutes, so for our 6 name spaces that is over 500 messages a day.

    DFSN service has started performing complete refresh of metadata for namespace <DFS-Root>. This task can take time if the namespace has large number of folders and may delay namespace administration operations.

    Although I found one solution on the Russian Technet forum DFSN-Server EventID 516 this disables the entire DFSN-Server Admin log, so if there are any problems with the refresh they will not appear.

    The main cause of the problem appears to be that the 516 Events have a Warning level 3 for something that should be Information level 4. There is no reason for a warning to be issued for what is a regular update process.

    Thanks,

    James

    Tuesday, December 11, 2012 1:13 AM

All replies

  • Hi James,

    As you said, event 516 is newly added in Windows Server 2012 to show the full sync is started. From the following sentence we may not able to disable it:

    DFS Namespace Scalability Considerations

    http://blogs.technet.com/b/filecab/archive/2012/08/26/dfs-namespace-scalability-considerations.aspx

    How do I confirm server is sized for Full sync? The best way to confirm that your namespace server is properly resourced is to kick off the Full sync manually using the command "dfsutil root forcesync \\RootServer1.Contoso.com\PublicDocs" and monitoring the DFS performance counters (see discussion about performance counter specifics a little further down in this blog post), and Resource Monitor to monitor disk, CPU and network usage. Note that this command works only on stand-alone namespaces and Windows Server 2008 mode domain-based namespaces. Notice also that I am forcing a Full sync not on the namespace, but on the desired namespace root server. Since there can be multiple root servers for a namespace, you have to specify the specific root server that you want to fully synchronize.

    In Windows Server 2012, the DFSN service now logs events to the ‘Applications and Services Logs\Microsoft\Windows\DFSN-Server\Admin’ event channel both at the time a Full sync is initiated (Event ID: 516), and at the time the Full sync is completed (Event ID: 517).

    Thursday, December 13, 2012 12:56 AM
    Moderator
  • Hi Shaon,

     Thanks for your reply. I just did some more investigation and found that the two Server 2012 domain controllers that are getting flooded by the 516 events are not even DFS Namespace servers for the namespace mentioned in the event. They are newly added domain controllers and the only DFS namespace they have is SYSVOL.

    It appears they are getting these DFSN service has started performing complete refresh of metadata for namespace <name>  events for namespaces they don't even host.

    Thanks, James

    Thursday, December 13, 2012 1:31 AM
  • Hi James,

    SYSVOL folder will be replicated between domain controllers by design (for syncing AD). So as we discussed earlier it is by design that the event 517 is added in Windows 2012.


    TechNet Subscriber Support in forum |If you have any feedback on our support, please contact tnmff@microsoft.com.

    Monday, December 17, 2012 7:17 AM
    Moderator
  • Hi Shaon,

     I agree and understand that SYSVOL is replicated between domain controllers. What I don't understand is why I am receiving event log entries for other name spaces that are not hosted by that server.

    Thanks,
    James

    Tuesday, December 18, 2012 1:56 AM
  • Hi James,

    Do you have anything new regarding these logged events?

    I experience the same issue on two WS2012 domain controllers. The administrative event log is full of DFSN-Server 516 events, which make it very difficult to read: real problems are lost in the middle of the flood.

    A little difference though: in my case, these DCs are namespace servers (two namespaces hosting 10 and 3 folders). DFS works fine and replication occurs normally.

    It would be great if we could disable logging for these events, or make them informative (like event 517).

    Sunday, February 3, 2013 11:50 AM
  • Hi Marin,

     No actual fix, but a workaround. I followed the suggestion on the Russian Technet site and expanded out the logging to DFSN-Server Admin and disabled that log. This means that no logging at all is recorded for DFS so if there is an actual problem it won't appear in event log, but at least you can see if there are any other problems as it is not flooded.

    Why an informational alert is listed as a warning still eludes me, especially as it is attached to an automatic/scheduled process rather than a manual one.

    Regards, James


    • Edited by RuddJ Sunday, February 3, 2013 12:32 PM additional info
    Sunday, February 3, 2013 12:30 PM
  • Hi all

    I have 3 2012 DFS servers and everithing is working fine. But they're all flooded with the same message.

    It's very frustrating.

    I would consider this a BUG from MS.

    Hopefully this will get sorted out with some update!

    Thursday, July 18, 2013 9:58 AM
  • Create a new custom view that suppresses this one event, and use that instead of Administrative Events.

    1. Right click the Administrative Events view, and choose Copy Custom View...
    2. In the Copy Custom View dialog, give your copy a name such as "Admin View".
    3. Right click your "Admin View", and choose Properties.
    4. In the "Admin View" dialog, choose [Edit Filter...]
    5. In the Custom View Properties dialog, choose the XML tab.
    6. Check [X] Edit query manually, and choose [Yes] to confirm the warning dialog /!\ "If you choose to manually edit the query, you will no longer be able to modify the query using the controls on the Filter tab".
    7. Scroll to the bottom of the XML window, and above closing </Query> tag, paste the following:

        <Suppress Path="Microsoft-Windows-DFSN-Server/Admin">*[System[(EventID=516)]]</Suppress>

      Choose [OK]. Choose [Yes] to confirm the dialog (X) "The filter or custom view you are creating references more than 10 event logs"; then choose [OK] out of the Admin View Properties dialog.

    Now you have a custom "Admin View" that no longer shows this (non) event that you don't care to see. And you can start suppressing other events this same way. For instance, if you're using DFSR and using Windows Backup, you might not want to see the warning that replication is paused during backup.

    • Proposed as answer by Tino Schwarze Friday, October 28, 2016 6:29 PM
    Saturday, December 28, 2013 9:41 PM
  • same issue here on 2012R2 DC hosting a few DFS namespaces, I am getting a flood of 516 events in administrative logs, all the more since DC was recently upgraded from 2008R2 and I keep restarting it still frequently reloading drivers, updating, fixing minor issues on the go ... very annoying ... but I don't want to disable DFS reporting all together as I might miss something important related to it in future.

    What bothers me is that those events mention only "started a complete refresh", but they never mention so far completing one ... weird...

    Thank you Microsoft (sarcasm).

    Thursday, May 22, 2014 8:08 PM
  • What bothers me is that those events mention only "started a complete refresh", but they never mention so far completing one ... weird...

    Thank you Microsoft (sarcasm).

    If you look directly at the log, you'll see this message is quickly followed by ID 517 which states it has completed the refresh.  Event 517 is an informational event, so it won't display in the default "Administrative Events" filter.

    My suggestion to MicrosoftChange the severity on ID 516 to Informational.  I don't believe anyone would consider this routine refresh a warning-level concern!!


    Friday, June 27, 2014 12:43 AM
  • Seems to me that Microsoft have totally messed up what used to be an invaluable tool for tracking down problems. When I look at the logs these days, I find myself ignoring most of the content, which is surely not a good sign. How hard can it be to fix these 'benign events' or misrepresented ones...
    Friday, July 25, 2014 9:18 AM
  • What bothers me is that those events mention only "started a complete refresh", but they never mention so far completing one ... weird...

    Thank you Microsoft (sarcasm).

    If you look directly at the log, you'll see this message is quickly followed by ID 517 which states it has completed the refresh.  Event 517 is an informational event, so it won't display in the default "Administrative Events" filter.

    My suggestion to MicrosoftChange the severity on ID 516 to Informational.  I don't believe anyone would consider this routine refresh a warning-level concern!!


    yes, you are right. sorry for super late reply, but I was swamped in company move and server upgrades, new installations, new IP phone system, new IP cams, site-to-site VPN, new faster firewall for new faster Internet link, NAT config changes ... man ... a bit too much for a single person to manage sometimes ...

    anyways, I didn't see the 517 events in "Custom Views - Administrative Events" that's why I was alerted with a flood of 516 (there is 1 every 12 minutes), can't understand why MS would drop one informational event (categorized wrongly as warning) and not add the other one stating it was completed right after (because it's still informational only) ... I finally found the following 517's when I went to the tree of Apps and Services Logs - MS - Win - DFSN-Server - Admin ... it's kinda buried down there ...

    very annoying it still is in end of October, especially then I am troubleshooting a non-replication conditions without any errors between two DFS servers (also DC roles installed) running 2012R2. Ended up removing DFS from secondary DC (VM actually) and building a new DFS dedicated VM with fixed sized disks on Hyper-V 2012 R2 server, hoping it resolves the issue when replication would just stop without error creating a huge file count (and content!) mismatch over time... a flood of meaningless events in administrative logs in not helping with troubleshooting ...


    • Edited by Kuba_L Tuesday, October 28, 2014 7:11 PM
    Tuesday, October 28, 2014 7:10 PM
  • Just wanted to say thanks for verifying this as yet another false positive.

    Thursday, January 8, 2015 3:35 AM
  • Wow. Thank you for this workaround, while it doesn't resolve the issue it sure makes it a lot easier to quickly review the logs for problems. Thanks again.
    Thursday, April 9, 2015 4:05 PM
  • Wow. Thank you for this workaround, while it doesn't resolve the issue it sure makes it a lot easier to quickly review the logs for problems. Thanks again.
    Which workaround are you thanking someone for? Consider proposing that as an answer, or giving it a vote, or both.
    Thursday, April 9, 2015 7:20 PM
  • Create a new custom view that suppresses this one event, and use that instead of Administrative Events.

    1. Right click the Administrative Events view, and choose Copy Custom View...
    2. In the Copy Custom View dialog, give your copy a name such as "Admin View".
    3. Right click your "Admin View", and choose Properties.
    4. In the "Admin View" dialog, choose [Edit Filter...]
    5. In the Custom View Properties dialog, choose the XML tab.
    6. Check [X] Edit query manually, and choose [Yes] to confirm the warning dialog /!\ "If you choose to manually edit the query, you will no longer be able to modify the query using the controls on the Filter tab".
    7. Scroll to the bottom of the XML window, and above closing </Query> tag, paste the following:

        <Suppress Path="Microsoft-Windows-DFSN-Server/Admin">*[System[(EventID=516)]]</Suppress>

      Choose [OK]. Choose [Yes] to confirm the dialog (X) "The filter or custom view you are creating references more than 10 event logs"; then choose [OK] out of the Admin View Properties dialog.

    Now you have a custom "Admin View" that no longer shows this (non) event that you don't care to see. And you can start suppressing other events this same way. For instance, if you're using DFSR and using Windows Backup, you might not want to see the warning that replication is paused during backup.


    This is great information to know even if it isn't a fix.  Thanks for the how-to!
    Tuesday, September 1, 2015 2:48 PM
  • I finally found the following 517's when I went to the tree of Apps and Services Logs - MS - Win - DFSN-Server - Admin ... it's kinda buried down there ...

    Thanks for that
    Wednesday, September 30, 2015 2:23 PM
  • It is nice to know no fix for this and it is 2018...
    Thursday, March 1, 2018 1:16 AM