DFS file share access freeze

asked 2018-08-03 00:27:55 +0000

Totally new. I got one wired issue in our domain with multi site. Users got issues accessing the \\corpdata share intermittently. its freeze and noticed hapanning everywhere at the same time too.

So just install Wireshark on my laptop and start the capture and noticed having issue around 11.55 -12.05PM I have the capture saved. but try to identify with my limited knowledge but still couldn't figure this out.

ip.addr== and ip.addr== and smb2

Can someone help me or direct me. happy to share the capture. and want to know how to save only that period.


answered 2018-08-05 17:55:26 +0000

Unfortunately the screenshot shows only one side of the communication (client to server).

I understand from your question that the "freezes" affect every client at the same time. Unfortunately your screenshot only shows traffic from the server to the client. Since the timestamps in the screenshot don't match your question we hardly give any comment. You have tagged the question DFS, but didn't give further information in the question. We get back DFS later.

Only one server affected?

You didn't mentioned it, but I assume that no other servers in that network segment are affected. If the freezes affect other servers as well I suggest to check the network topology (flapping interfaces, problems in the spanning tree, routing, maybe a load balancer ...).

Catastrophic events mentioned in the event logs?

Assuming that the symptoms only occur on one server I suggest to take a look at the server itself. Start by examining the event logs. Application and system event logs are the first, but take your time to browse through the other event logs as well.

  • Do you see anything indicating hardware problems? Disk and controller errors are logged to the system event log.
  • Do you experience blue screens? If yes you would find the files C:\Windows\Memory.dmp and more files in C:\Windows\Minidump. Fix all hardware- and driver problems before spending too much time on other topics.

Check the network configuration

My next recommendation is a look at the network interface:

  • Do you have a flapping network interface? Double check with the log file / console of the servers access switch.
  • If the server uses multiple network interfaces: Does the teaming configuration for the server match the configuration for the switch?

Basic checks

Next take a look at the server itself:

  • Do you have problems with "flapping devices" on the server? Say, an external device (thumb drive, tape etc.) is reported as plugged in and removed? If yes, the server might be busy handling these events and cannot respond to the clients.
  • Do you have a run-away process that is hogging the CPU?

Steady network?

If you want to continue troubleshooting from the network side I suggest to take a trace file from the server side. I would recommend to use a SPAN port to capture the traffic. Do not install Wireshark on the server. Take a look at the network capture playbook for detailed instructions:

DFS The question is tagged "DFS". Unfortunately we don't get any details.

DFS clients will query the server if a share is mounted through DFS. If yes, the client will ask for the servers that host this share. The client might switch to another, better suited server to share the load.

The client can also switch to another DFS server later. The user wouldn't notice anything. Again, time outs can occur if the connection another server fails. The client side trace should show the failed connection attempts. This should not ... (more)

HI Eddi,

I'm happy share the both client and server trace files. But is that possible to send to you only?


you can PM me on Twitter: PcapReader

Hi Eddi,

Send the link via twitter. We have two DFS servers and five more sites users are connecting. Generally users are complaining about network slowness and freeze for 2-5mints.

All users are connect using single drive letter W: \\corpdata

SCSfs01 and scsfs02 are the two dfs servers.

Noticed lot of sharing violation on Recruitment target folder.

DFS server in resource forest \ and users/computers are in account forest \

Pls help to solve these issues.


Sorry, I had my Twitter account locked down too tight. The message didn't go through. Can you send me your mail address? Cheers

I just send u'r message with my email and link

answered 2018-08-07 19:21:32 +0000

(New answer for clarity and readability)

I just looked through the trace files.

We can see a lot of Windows systems (both servers and clients) using outdated SMB configurations:

  • Clients (and at least a few servers) still support SMB v1
  • In the client network segment and in the server network segment we see frequent Master Browser Elections

The browser elections indicate a problem with at least one system. Could be a host based firewall / iptables configuration blocking incoming UDP 138, could be a faulty SMB implementation in a very old box.

Please get rid of SMB v1.

Or at least configure one stable system as master browser.

Hi Eddi,

Thank you so much for your time and help. I'll work towards your recommendation.

also i'll post few Event errors that both DFS servers to non responsive state for 5 sites users.

Description: The DFS Replication service has been repeatedly prevented from replicating a file due to consistent sharing violations encountered on the file. The service failed to stage a file for replication due to a sharing violation.

Additional Information: File Path: E:\CorpData\Recruitment\Recruitment Team\1. Volume Recruitment Campaigns\7. xxx\3. Candidate Folders*xxx, Monxxe\xxxx, Monxxxe - Ref Check 2.pdf.dcsfp3g.partial* Replicated Folder Root: E:\CorpData\Recruitment

I thought of set the DFS replication schedule to 6pm to 6.00Am.


Asked: 2018-08-03 00:27:55 +0000

Seen: 1,532 times

Last updated: Aug 07 '18