Active Directory and Morphed Folders

I recently came across a cool tool from Microsoft called Microsoft IT Environment Health Scanner which runs more than 100 checks to help you assess the overall health of your Active Directory and network infrastructure, including the configuration of Active Directory Domain Services, DHCP, DNS, Exchange Server, network adapters, and domain controllers. If the tool detects problems, it links to Microsoft Knowledge Base articles and other Web content for resolution information. I got the tool, installed it and ran it against a client’s network, and it exposed some issues in the Active Directory and network environment that could create problems during server deployments, infrastructure upgrades and migrations.

A good example of what the tool found is the exposure of what is called “Morphed Folders” in the domain controllers. Microsoft describes morphed folders as “…folders and files that have replicated to other servers and are exact copies of one another. When the File Replication Service (FRS) cannot determine which of two folders is most recent, it creates a duplicate folder. These folders are named FolderName_NTFRS_GUIDname, where FolderName is the name of the original folder and GUIDname represents a unique GUID for the morphed folder.”

When you use the Distributed File System (DFS) snap-in to create a domain DFS root or link, the DFS service creates an empty directory tree that mirrors the DFS root and link names and hierarchy on each DFS root target server. If you enable File Replication service (FRS) replication at the DFS root, FRS replicates the directory created by DFS to all other root target computers that participate in the FRS replica set. The code in DFS to create this directory is executed on each DFS root target.

DFS polls Active Directory for configuration changes once every hour and recreates these link directories. To do so, the code first deletes any existing file or folder with the associated name, and then creates a new one. When File Replication Service (FRS) finds the newly created folder, it replicates the folder to the other targets. In certain situations, it finds a preexisting folder with the same name on the target, created there by that target’s own copy of DFS. To handle this directory name conflict, FRS appends a suffix in the form “NTFRS_xxxxxxxx” to the end of one of the directories, and then finishes the replication action. The problem is analogous to an administrator creating identically named directories on each member of the FRS replica set, where each directory has a unique file ID. This morphing of directories can become a maintenance problem for the network administrator.

For example, morphed folders can cause the following problems in an Active Directory environment:

  • When you try to remove folders, you receive a message that states that the folders cannot be accessed. You cannot remove the folders.
  • You may find folders that have morphed. In this situation, the original folder’s properties dialog box no longer has a Security tab. When you try to modify the discretionary access control list (DACL) for the original folder or try to take ownership of the original folder, you may receive the following error message: “Access Denied”

To resolve this problem, Microsoft recommends using one of the following methods, depending on the situation that you want to correct.

Method 1: Use the Fsutil command so that you can remove the folders

If you cannot remove folders and you find morphed directories, use the Fsutil command to remove the reparse point that is associated with the folders. The Fsutil command is included in Windows Server 2003. The syntax of the Fsutil command to remove the reparse point is as follows:

fsutil reparsepoint delete FolderPath

For example, to remove the reparse point that is associated with a folder named MyShare, use the following command:

fsutil reparsepoint delete C:\MyShare

After you remove the reparse point, you can remove the folders.

Note You may have to restart the DFS service for this method to work. Or, you may have to restart the DFS server. This method also resolves issues in which DFS roots were incorrectly removed and have invalid junction point (reparse point) folders that previously held link information.

Method 2: Restore the missing Security tab

If the Security tab is not present, follow these steps:

  1. Click Start, click Run, type Dfsgui.msc, and then click OK.
  2. Click the DFS target link to the shared resource that contains the morphed folder.
  3. On the Action menu, click Stop Replication.
  4. Right-click the DFS target link to the shared resource that contains the morphed folder, and then click Delete Link.
  5. When you are prompted to confirm the removal of the DFS target link, click Yes.
  6. Restart all the DFS servers that host the DFS target link that you removed. The changes replicate to all the DFS servers.
  7. Log on to the computer that contains the morphed folder. Then, determine whether the original folder or the morphed folder is most recent.
  8. If the morphed folder is most recent, rename the morphed folder to the original folder name and remove the original folder. If the original folder is most recent, remove the morphed folder and keep the original folder.

You can now create a new DFS target link to the shared resource that contains this folder.
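Steps 7 and 8 leave the administrator to find the morphed folders and decide which copy to keep. The following is an added example, not code from the article or from Microsoft, that does that triage on a DFS root target: it scans one directory level for the FolderName_NTFRS_GUIDname pattern described above, pairs each morphed copy with its original, and reports which of the two was modified most recently. Two assumptions are made: the suffix after _NTFRS_ is treated as a run of hexadecimal digits (the article only calls it “GUIDname”), and the directory’s own modification time is used as the recency signal, which the article does not specify. The sample tree is constructed in a temporary directory so the script runs offline; point `triage()` at the real root target path instead.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# FRS names a morphed copy FolderName_NTFRS_<suffix>. The exact suffix format is
# an assumption here (hexadecimal digits); the article only says "GUIDname".
MORPHED_RE = re.compile(r"^(?P<original>.+)_NTFRS_(?P<suffix>[0-9A-Fa-f]+)$")


def find_morphed_folders(root):
    """Scan one directory level and pair each morphed folder with its original.

    Returns a dict: original folder name -> sorted list of morphed folder names.
    A morphed folder is reported even when its original no longer exists.
    """
    root = Path(root)
    names = {p.name for p in root.iterdir() if p.is_dir()}
    pairs = {}
    for name in sorted(names):
        m = MORPHED_RE.match(name)
        if m:
            pairs.setdefault(m.group("original"), []).append(name)
    return pairs


def most_recent(root, original, morphed):
    """Return the name of whichever folder was modified most recently.

    Uses the directory mtime as the recency signal (an assumption made for this
    example). Falls back to the morphed copy when the original is missing.
    """
    root = Path(root)
    orig_path = root / original
    morph_path = root / morphed
    if not orig_path.exists():
        return morphed
    if orig_path.stat().st_mtime >= morph_path.stat().st_mtime:
        return original
    return morphed


def triage(root):
    """Build a list of (original, morphed, keep) tuples for the administrator."""
    report = []
    for original, copies in find_morphed_folders(root).items():
        for morphed in copies:
            report.append((original, morphed, most_recent(root, original, morphed)))
    return report


def build_sample_tree():
    """Construct a sample DFS-style root with one morphed folder (constructed data)."""
    root = Path(tempfile.mkdtemp(prefix="dfsroot_"))
    (root / "MyShare").mkdir()
    (root / "MyShare_NTFRS_0a1b2c3d").mkdir()
    (root / "Projects").mkdir()  # healthy folder with no morphed twin
    # Make the original look one hour older than its morphed copy.
    old = time.time() - 3600
    os.utime(root / "MyShare", (old, old))
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for original, morphed, keep in triage(sample):
        print(f"{original!r} has morphed copy {morphed!r}; most recent: {keep!r}")
```

Run it on each root target after Step 6, before renaming or removing anything, so the rename in Step 8 is done against a recorded list rather than from memory. If you go with Method 1 instead, `fsutil reparsepoint query <path>` shows whether a reparse point actually exists on a folder before you delete it.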

To read more about morphed folders and Active Directory, search for KB 259033.