12 May, 2012

The Story of DFSR Data Deletion - "Where"

DFSR, or Distributed File System Replication, is a technology used to replicate data between servers. Introduced in Windows Server 2003 R2, it has improved enormously since its inception. Before DFSR came into existence, FRS (File Replication Service) was used for the same job.

As stated above, DFSR is used to replicate "data"... data of any kind... and data is one of the most crucial resources of any organization. Hence it is quite important to have proper backups of the data, so that in case the data is "deleted" we can restore it from the backup.

So do you mean to say that every time my data is deleted, I as an administrator should keep on restoring it? Someone deletes the data, I restore the data, someone deletes the data, I restore the data... and the story goes on and on... Don't you think that at some point I as an administrator have to stop and think... "WHY DID THE DATA GET DELETED"?

The answer to "WHY THE DATA GOT DELETED" has two parts

1. From WHERE the data got deleted - Finding the name of the server
2. WHO deleted the data - Finding the name of the user (process) who deleted the data

So let's start off on our journey to find and nab the culprit!!!!

LAB

1. Windows 2008 R2 Domain Controller : Win2k8R2-DC
2. Windows 2008 R2 Member Server : Win2k8R2-CA

Both the servers are hosting data which is getting replicated using DFSR




The data is stored at E:\PDFs\My Data

Server Win2k8R2-DC hosting the data


The same data (replicated using DFSR) hosted on the server Win2k8R2-CA


And here is the proof showing that the data is getting replicated using DFSR

The Replicated Folder (RF) containing the data "My Data" : PDFs
The Replication Group (RG) containing this ReplicatedFolder (RF) : PDFs




Now let the fun begin....

I am deleting (Yes Deliberately :)) the data "My Data" from a Server


Data is deleted...


And so it is gone from the other server as well...


Before we move ahead, we need to know some of the important terms w.r.t DFSR

1. Replicated Folder (RF): The actual folder containing the data that we replicate (like C:\UserData). The Replicated Folder lives on the file system of each member.

2. Replication Group (RG): The group that contains the Replicated Folder(s). We can give the RG any logical name; it need not be the same as that of the RF. It is not stored on the file system, it is stored in AD. Remember, it is just a logical name given to one or more RFs that we want to replicate between a set of members. We can have multiple RFs in one RG...

To start off, we need to run the following command (on either member, since both host the RF):

wmic /namespace:\\root\microsoftdfs path DfsrReplicatedFolderInfo get ReplicatedFolderGuid,ReplicatedFolderName,ReplicationGroupName > ReplicatedFolder.txt

Lets dissect the above command and see what exactly it does....

WMIC
Windows Management Instrumentation Command-line (WMIC), which uses the power of Windows Management Instrumentation (WMI) to enable systems management from the command line
WMIC extends WMI for operation from several command-line interfaces and through batch scripts
Until the introduction of WMIC, you couldn't easily access the WMI repository or the WMI namespace from a command prompt

Namespace
In the above command, we use WMIC to connect to the WMI namespace "\\root\microsoftdfs", which is where the DFSR provider exposes its classes

Path
This provides the name of the class in the namespace. Every namespace in WMI consists of classes

DfsrReplicatedFolderInfo
This is a class that provides statistical and operational information for each replicated folder hosted on the local computer
WMI namespaces contain classes
WMI classes are used to obtain a variety of operating system and hardware data
So the above command uses WMIC to connect to the WMI namespace "\\root\microsoftdfs" and, within it, to the class "DfsrReplicatedFolderInfo"

Get
To get the following Information from the above Class

ReplicatedFolderGuid
By now, I hope we know what is a Replicated Folder. Now we need to get the GUID of the Replicated Folder (The folder which in our case got deleted)

ReplicatedFolderName
Name of the Replicated Folder which got deleted

ReplicationGroupName
Name of the Replication Group which was hosting the Replicated Folder



The Output...

The output shows the GUIDs of the Replicated Folders, Name of the Replicated Folders and the Name of the Replication Group


Another Command...

wmic /namespace:\\root\microsoftdfs path DfsrIdRecordInfo WHERE (filename='File Name' and replicatedfolderguid='<RF GUID>') get filename,flags,updatetime,GVsn > FileStatus.txt

Lets dissect the above command and see what exactly it does....


WMIC, Namespace and Path
Same as in the first command: WMIC connects to the WMI namespace "\\root\microsoftdfs" and "path" names the class we query

DfsrIdRecordInfo
This is the class the second command queries (note: not DfsrReplicatedFolderInfo this time). It provides access to the ID Table records. The ID Table has a record for each file and folder known to DFSR, and it also keeps records of deleted content (tombstones). That is exactly why a file or folder that is no longer on disk can still be looked up here

Where
In programming languages, this is a clause used to narrow down a search. For non-programmers, think of it as a filter

filename='<File Name>'
Name of the File or the Folder which got Deleted

Replicatedfolderguid='<RF GUID>'
The GUID of the Replicated Folder which had the Deleted File or the Folder. This is required as the RF serves as a container in DFSR which specifies which folder is getting Replicated

Get
To get the following Information from the above Class

Filename
This will give us the name of the File/Folder which got Deleted

Flags
Flags show us the state of the File/Folder
Flag value of 4 indicates that the file/folder has been deleted

Updatetime
When the file/folder was deleted, since the deletion was the last update made to that file/folder

GVsn
Global Version Sequence Number (GVsn)

It identifies one specific version of one specific resource (file or folder)

It is a pair consisting of two parts
- Machine identifier: the GUID of the DFSR database on the member where the change was made
- Version Sequence Number (VSN): a counter that increases with every update made on that member

The machine identifier stays the same for a given member; it is the VSN that changes with every update
So no two updates ever get the same GVsn. And because the GVsn replicates together with the change, every member that holds the record of the deleted item holds the same GVsn, carrying the GUID of the member where the deletion originated. That is what lets us answer "where" from any member of the RG


In this command, we need 2 Inputs
- ReplicatedFolder GUID
- FileName

ReplicatedFolder GUID - This is obtained by running the 1st command
FileName - Name of the File/Folder which got Deleted




Here is the Output...

File/Folder Name (Deleted) - My Data
Flags - 4 (which means this particular file/folder has been deleted)
GVsn - the GUID of the DFSR database on the server where the last change (the deletion) happened, together with the VSN
Update Time - when the last update (the deletion) happened on the file/folder



Now we have, in the form of the GVsn, the database GUID of the server where the deletion happened
To convert this GUID into the name of the server, we can use a switch of dfsrdiag named "guid2name"

The command requires 2 inputs

- The GUID to resolve (the database GUID obtained from the GVsn)
- The name of the RG





And here we are....



And.... The crime happened on the Server : Win2k8R2-DC
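As an added example (it is not one of the post's own commands), here is the whole of the procedure above as one PowerShell script: it queries the same two WMI classes, DfsrReplicatedFolderInfo and DfsrIdRecordInfo, keeps only tombstone records (Flags 4), splits the GVsn into its database GUID and VSN, and then resolves that GUID to a member name by asking each replication partner for its DfsrVolumeInfo.DatabaseGuid over remote WMI, which is a WMI-only stand-in for the dfsrdiag guid2name step. The member list, the parameter names and the assumed "{guid}-v<n>" layout of the GVsn string are assumptions made for this example.

```powershell
# Added example, not from the original post: the three manual steps above
# (list RFs -> look up the tombstone -> resolve the GVsn GUID to a member)
# done with PowerShell WMI calls against the same classes.
# Assumptions (also stated in the lead-in):
#   - run elevated on a DFSR member (Win2k8R2-CA in the lab);
#   - $Members is the list of replication partners, supplied by the operator;
#   - GVsn strings look like "{<database GUID>}-v<VSN>"; the regex is lenient.
param(
    [string]$FileName = 'My Data',                          # deleted file/folder name
    [string[]]$Members = @('Win2k8R2-DC', 'Win2k8R2-CA')    # assumed partner list
)

$ns = 'root\microsoftdfs'
$safeName = $FileName -replace "'", "''"                   # escape quotes for WQL

# Step 1: replicated folders hosted on this member (the first WMIC command)
$rfs = Get-WmiObject -Namespace $ns -Class DfsrReplicatedFolderInfo

foreach ($rf in $rfs) {
    # Step 2: ID Table records with that name in this RF (the second WMIC command)
    $wql = "SELECT FileName, FullPathName, Flags, UpdateTime, GVsn FROM DfsrIdRecordInfo " +
           "WHERE FileName = '$safeName' AND ReplicatedFolderGuid = '$($rf.ReplicatedFolderGuid)'"
    foreach ($rec in @(Get-WmiObject -Namespace $ns -Query $wql)) {
        # Flags 4 = deleted (tombstone), as the post states; skip live records
        if (($rec.Flags -band 4) -eq 0) { continue }

        # Step 3a: split the GVsn into originating database GUID and VSN
        $gvsnPattern = '([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}).*?(\d+)$'
        if (-not ($rec.GVsn -match $gvsnPattern)) {
            Write-Warning "unrecognised GVsn format: $($rec.GVsn)"
            continue
        }
        $dbGuid = $Matches[1]
        $vsn    = $Matches[2]

        # Step 3b: resolve the database GUID to a member. Each member exposes the
        # GUID of its DFSR volume database through DfsrVolumeInfo, so we ask every
        # partner over remote WMI (admin rights and WMI/DCOM access are required).
        $origin = 'unknown'
        foreach ($m in $Members) {
            try {
                $vols = Get-WmiObject -Namespace $ns -Class DfsrVolumeInfo -ComputerName $m -ErrorAction Stop
                $hit  = $vols | Where-Object { "$($_.DatabaseGuid)".Trim('{}') -ieq $dbGuid }
                if ($hit) { $origin = $m; break }
            } catch {
                Write-Warning "cannot query $m over WMI: $_"
            }
        }

        # One result object per tombstone; DeletedOn answers the "where" question
        New-Object PSObject -Property @{
            ReplicationGroup = $rf.ReplicationGroupName
            ReplicatedFolder = $rf.ReplicatedFolderName
            FileName         = $rec.FileName
            FullPath         = $rec.FullPathName
            DeletedAt        = $(if ($rec.UpdateTime) { $rec.ConvertToDateTime($rec.UpdateTime) })
            DatabaseGuid     = $dbGuid
            Vsn              = $vsn
            DeletedOn        = $origin
        }
    }
}
```

Run it on either member: because the GVsn of the deletion replicates with the tombstone, both members report the same originating database GUID, so the script does not care where you start. If a partner cannot be reached over WMI the script warns and reports "unknown" rather than guessing, and you can fall back to dfsrdiag guid2name for that GUID as shown in the post.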



A summary of the commands Used.....



Now, Lets explore the same using another Method

Here we need to run only 1 command to get the same details... Yes, you heard it right.... Only 1 Command

wmic /namespace:\\root\microsoftdfs /output:Test.htm path dfsridrecordinfo where filename="<File Name>" get /format:hform.xsl & Test.htm

Dissection begins...

WMIC, Namespace and Path
Same as in the previous commands: WMIC connects to the WMI namespace "\\root\microsoftdfs" and "path" names the class we query

Output:Test.htm
In this command, we want the output written to a web page instead of the command prompt

DfsrIdRecordInfo
This class provides access to the ID Table records. The ID Table has a record for each file and folder known to DFSR, and in addition it keeps records of deleted content
WMI namespaces contain classes
WMI classes are used to obtain a variety of operating system and hardware data
So the above command uses WMIC to connect to the WMI namespace "\\root\microsoftdfs" and, within it, to the class "DfsrIdRecordInfo". Note that this time there is no ReplicatedFolderGuid filter, so the query returns the matching record from every RF hosted on the server, which is why the first command is not needed

Where
In programming languages, this is a clause used to narrow down a search. For non-programmers, think of it as a filter

filename='<File Name>'
Name of the File or the Folder which got Deleted

Get
To get the following Information from the above Class

Format:hform.xsl
The format in which we want the output. hform.xsl is one of the XSL stylesheets that ship with WMIC; it renders each record as an HTML form-style table. Note that WMIC looks for the stylesheet in the current directory and in %SystemRoot%\System32\wbem, while on Windows Server 2008 R2 the file ships in the locale subfolder %SystemRoot%\System32\wbem\en-US, so either give the full path to the stylesheet or copy it into a location WMIC searches

Test.htm
Name of the web page which will display the output; the "& Test.htm" at the end of the command simply opens that page once WMIC has written it




:(


One more command my dear friends....




Let's run the command again...


Wow... Finally the Results...


The dissection begins...

FileName - The File/Folder which got Deleted


Flags - 4 (Which means the File/Folder has been Deleted)


FullPathName - Location of the File/Folder on the File System


GVsn - GVsn of the File/Folder



Let's run the dfsrdiag guid2name command to convert the database GUID from the GVsn into the server's name



And here we are... And.... The crime happened on the Server : Win2k8R2-DC