Channel: File Services and Storage forum
Viewing all 13565 articles

DFSR Propagation Tests Fail

I run propagation tests/reports from each DFSR server once a week to ensure the health of our DFSR environment. Recently the propagation reports keep coming back with errors, and it's the same error and server causing them on every report. That server name is FILE1. All propagation tests are initiated from FILE1, but they aren't all tests of FILE1. If the propagation test is for FILE1, I don't get any errors. If the report is for another server, it always comes back with the error below.

Error: Member File1.domain.local : Cannot read values from WMI provider on the member. WMI query Select * from DfsrIdRecordInfo where ReplicatedFolderGuid = "05662022-3646-4AB5-A15D-C1A26A027C69" AND Fid = 562949953427650 failed. Not found (Error code 0x80041002) 


Server 2008R2 DFSR failing to replicate in one direction

Hello,

I am attempting to configure two servers (both Server 2008R2) to use DFSR to synchronize the contents of a shared folder. I have configured the replication group, and files from SiteA have been staged to SiteB. I can create a file on the SiteA server, and it is immediately replicated to SiteB. When I attempt to perform the same test on SiteB (creating a local file), that file is NOT replicated to SiteA. 

I started inspecting the DFSR debug logs (on Site B), and I see errors indicating access denied:

20130624 09:04:32.411 1880 MEET  1424 Meet::Install -> WAIT Error processing update. updateName:0263_001.pdf uid:{5D84515E-4D98-46B9-8406-C26ACDDDAD87}-v1276734 gvsn:{5D84515E-4D98-46B9-8406-C26ACDDDAD87}-v1276734 connId:{E2584300-3F22-4A37-B0C0-B0C6A5ACB4AE} csName:Users csId:{7AE4B920-9643-4418-B33D-1D453C391D5A} code:5 Error:
+[Error:9027(0x2343) Meet::InstallStep meet.cpp:1862 1880 C A failure was reported by the remote partner]
+[Error:9027(0x2343) Meet::Download meet.cpp:2281 1880 C A failure was reported by the remote partner]
+[Error:9027(0x2343) InConnection::RdcGet inconnection.cpp:3046 1880 C A failure was reported by the remote partner]
+[Error:9027(0x2343) DownstreamTransport::RdcGet downstreamtransport.cpp:5346 1880 C A failure was reported by the remote partner]
+[Error:9027(0x2343) RpcFinalizeContext downstreamtransport.cpp:1117 1880 C A failure was reported by the remote partner]
+[Error:9027(0x2343) DownstreamTransport::RdcGet downstreamtransport.cpp:5269 1880 C A failure was reported by the remote partner]
+[Error:5(0x5) DownstreamTransport::RdcGet downstreamtransport.cpp:5269 1880 W Access is denied.]

RDC is enabled on both ends, all DCs pass replication tests, the environment (including AD) is otherwise healthy. 

These same two file servers in SiteA and SiteB also host other replication groups. These other replication groups are performing normally, with bidirectional synchronization occurring. I started thinking that perhaps something was configured incorrectly with the SiteB server being added into the replication group, so I removed the SiteB server from the RG and then re-added it after ensuring it fell off of DFSR's radar and deleting the data in SiteB. This gave me the same result. 

Any ideas?

ABE won't work Server 2008 R2

In my work we have a Server 2008 R2 functional with Active Directory and DNS service.
We are having some problems with the visibility of folders on the network. We gave permission to users for specific folders and they're working, but they can see all the shared folders, even if they don't have access and permissions to that folder. ABE is enabled on all folders, we gave user rights and permission. ABE won't work at all.

We made a new folder named "TEST" and we gave permissions only to the user "administrator" of the server, any other user doesn't have access to it and... ALL USERS STILL SEE THE FOLDER.

We just did about everything but ABE won't do the work, leaving all files and folders visible on the network.
Is there any solution to this?? Or is it a bug??

How to modify NTFS permissions on 230 million+ files

I need to modify NTFS permissions on a filer share (root directory) which contains more than 230 million files. I tried multiple options using "icacls" but no use, after some time the permission window gets hung. Is there any alternate way to solve this issue via PS scripts or some tools? Your reply is highly appreciated.

Structure of share: \\filer\Rootfolder\subfolders+files -- the share is currently in use and can't "unshare" from the storage side, and of course there's no guarantee that it works.

EFS not decrypting file (access is not issue)

A few months back I encrypted a text file. I tested it then, no problems. Now when I attempt to decrypt the file nothing seems to happen. I can encrypt/decrypt all I want, no trouble there. However, whenever I open it the file remains hashed. I can open it 'encrypted' and the hash is the same as when it's 'decrypted' (or at least Windows tells me it decrypted it). Certificate is fine, the user account is correct (and obviously working since I can still technically access the file, just not what was written in it), and as far as I can tell everything lines up.

Any ideas?

2008R2 BranchCache file/content server - how to set file system location & size of generated hashes?

Hi - It looks to me like the PublicationCache location, configurable via "netsh branchcache set publicationcache directory=<directory>", is where hashes generated for files within a BranchCache-enabled share end up.  I can set this via command line on my Content/File Server.  (If it is possible to set this location per-file share, I would be interested in knowing how to do that.)

But it does not appear that I can set the "publicationcachesize" unless I "enable BranchCache" on the server.  But according to this article, "BranchCache feature" is not required for "Content server (file server using the SMB protocol)".  I do have the needed "BranchCache for network files" Role Service installed, proper GPO setup to enable Hash Publication for BranchCache for shared folders where BranchCache is enabled, and "Enable BranchCache" checked on a test file share.  But when I attempt a "netsh branchcache set publicationcachesize" command, it tells me "This command can only be executed when BranchCache is installed."

So, is the article I'm reading mistaken about the need for BranchCache to be "enabled" on the Content Server?  Or am I misunderstanding the relationship between hash code storage location & the publication cache, or something else?

Thanks!

Moving SAN data - MSCS disks went down

Hi
Last week we moved data from an HP EVA SAN to an HP 3PAR SAN and we ran into a little problem... or not so very small, actually.

The problem we had was with a SQL MS-cluster when we were preparing for the move. According to the HP white paper you can use this procedure and nothing will happen. This was what we did:

  1. In an MS-DOS window, run the diskpart.exe command or click on the PowerShell button and then, at the PowerShell prompt, run the diskpart.exe command.
  2. At the DISKPART prompt, type: SAN policy=onlineall and then press Enter.
  3. Verify that the SAN policy is set to onlineall, type SAN, and then press Enter.
  4. Exit the diskpart.exe application, type exit, and then press Enter.

Now the HP 3PAR LUNs will not be marked offline following an HP 3PAR array firmware upgrade.

On Windows Server 2012, the new SAN policy setting is applied on the fly and a reboot is not necessary.

On Windows Server 2008, the new SAN policy setting will take effect only after the server is rebooted.

Taken from:
http://bizsupport2.austin.hp.com/bc/docs/support/SupportManual/c03290621/c03290621.pdf

Now, what happened was that we lost the disks for the cluster and one database became corrupted.
So, was this caused by what we did or just a coincidence of something else?

This is a Windows 2008 x64 cluster with SQL 2008 R2.
HP EVA 6400 to HP 3PAR.

Cheers!

access permission

We have a Windows 2008 server that we primarily use as a file server in a workgroup setting. We have the following network share: “J:\saved_forms”. We have about 100 users (e.g., User1-User100).

We would like only the administrator and User1 to be able to delete files from this particular folder.  All other users can read, modify and create files.  What is the best way to set this up using permissions? 

Thanks so much,

File Server Resource Manager 2012 - Fails to generate storage report - Event ID: 8242 and 602

Installed the File Server Resource Manager role on a new 2012 file server. When I attempt to run a dup report on the local volume, I receive an error message: "the report generation task failed with the following errors: Error generating report job with task name".

Event ID 8242 and 602 are logged in the event viewer.

Log Name:      Application
Source:        SRMSVC
Date:          6/24/2013 11:11:03 AM
Event ID:      8242
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      xxxxxxxxxxxxxxxxx
Description:
Reporting or classification consumer '' has failed.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="SRMSVC" />
    <EventID Qualifiers="32772">8242</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-06-24T16:11:03.000000000Z" />
    <EventRecordID>1276</EventRecordID>
    <Channel>Application</Channel>
    <Computer>xxxxxxxxxx</Computer>
    <Security />
  </System>
  <EventData>
    <Data>
    </Data>
    <Data>

Error-specific details:
   Error: (0x80131501) Unknown error</Data>
    <Binary>2D20436F64653A20434E534D4D4F444330303030303234332D2043616C6C3A20434E534D4D4F444330303030303231322D205049443A202030303030333036302D205449443A202030303030333734382D20434D443A2020433A5C57696E646F77735C73797374656D33325C73726D686F73742E657865202D20557365723A204E616D653A204E5420415554484F524954595C53595354454D2C205349443A532D312D352D313820</Binary>
  </EventData>
</Event>

Log Name:      Application
Source:        SRMREPORTS
Date:          6/24/2013 11:11:03 AM
Event ID:      602
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      xxxxxxxxxxxxxxxxxxxx
Description:
Error generating report job with the task name ''.

Context:
 - Exception encountered = System error.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="SRMREPORTS" />
    <EventID Qualifiers="0">602</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-06-24T16:11:03.000000000Z" />
    <EventRecordID>1277</EventRecordID>
    <Channel>Application</Channel>
    <Computer>xxxxxx</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Error generating report job with the task name ''.

Context:
 - Exception encountered = System error.
</Data>
  </EventData>
</Event>

When I click on schedule a new report task, I get an error "Class not registered".


nada

How to handle morphed folders?

Hey everyone;

I was having issues with one of our DCs not getting a replica of the SYSVOL folder. I still don't think it replicates correctly even though I tried the burflags solution, etc. Anyways, I think when doing a D4 solution it made these _NTFRS folders on all my DCs. I think they are the current ones being replicated now.

How can I remove these and use the original folder structure???  Please, and thanks in advance!!

Windows Server 2008 R2: Files in Shared folder being locked by system process

Hello,

I'm running into an issue with a Windows 2008 R2 (with SP1) server sharing a folder.

Recently, I've started having problems with some of the files in one of the fileshares getting locked. I was able to determine using Process Monitor that the locking process is the system process (ID: 4).

I can try to end the handle using process monitor, but I get an error that the handle is invalid. I've verified in the File and Storage manager that none of the files are open by users. I've even manually closed all the sessions on the folder and unshared it, but the locks stay in place.

I've disabled the antivirus (ESET) on the server, but the issue remains. The only way to get the files to unlock is to reboot the server. I've even tried unsharing the shared folder, I am able to unshare it, but the lock stays in place.

The issue seems to start at some point after the file is created, as I can often get a copy of the file from a prior volume shadow copy.

Any help or suggestions on the issue are appreciated!

Thanks

Unable to modify disk quota after initial creation

Operating system:  Server 2012

Server:  Stand-alone

After I've created an initial quota to report on volume percentage usage, I'm not able to modify the settings. When I click "OK" to save my modification, I'm prompted with this error from File Server Resource Manager:

"An unexpected error has occurred.  Please check application event log for more information.

Details:

Value does not fall within the expected range."

From Event Viewer (isn't very helpful?):

"An unexpected error occurred in the File Server Resource Manager MMC snap-in
   at Microsoft.Storage.SrmMmc.QuotaSettingsPage.SaveChanges(IFsrmQuota quota)
   at Microsoft.Storage.SrmMmc.PropertySheet.OnOkButtonClicked(Object sender, EventArgs eventArgs)
Value does not fall within the expected range.
   at Microsoft.Storage.IFsrmQuota.set_QuotaFlags(Int32 QuotaFlags)
   at Microsoft.Storage.SrmMmc.QuotaSettingsPage.SaveChanges(IFsrmQuota quota)"

Does anyone know if there's a limit on the quota, or has anyone run into this before?

Thanks!

Quota management snap-in in FSRM failed to open in Windows 2008 R2 file server

Hi There,

I have a file server running on Windows 2008 R2. I have to define a quota in one of the folders.

But when I try to open the Quota Management snap-in I get an error message asking me to check the Application event logs. I found in the logs the error that is given below:

Log Name:      Application
Source:        FSRM
Date:          6/24/2013 9:59:12 AM
Event ID:      0
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      Pelis009.latam.americas.gcn.local
Description:
An unexpected error occurred in the File Server Resource Manager MMC snap-in
   at Microsoft.Storage.SrmMmc.QuotaDataCache.Enumerate(RemoteManager remoteManager, SrmDataCacheEnumEventHandler EventHandler, Int32 BatchSize)
   at Microsoft.Storage.SrmMmc.QuotasDisplayArea.EnumerateItemsIntoListView()
   at Microsoft.Storage.SrmMmc.DisplayArea.SafeEnumerateItemsIntoListView()
Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
   at Microsoft.Storage.IFsrmQuotaManager.EnumQuotas(String Path, _FsrmEnumOptions options)
   at Microsoft.Storage.SrmMmc.QuotaDataCache.Enumerate(RemoteManager remoteManager, SrmDataCacheEnumEventHandler EventHandler, Int32 BatchSize)

I don't want to reinstall FSRM or recreate quota.xml,  quota.md, and databasefilescreen files, as it will delete all the quotas that were defined previously.

Is there any way to fix this issue? Thanks in advance for your help.

Large file server/windows share not showing recent changes for some users/computers.

Hi, we have an ongoing issue where some of our computers are not seeing recently created files on our main file server, and it can take up to an hour for them to appear, while other computers are able to see the files in real time.

Bit of background:

  • Clients are all Windows 7 64bit (~60-70 users)
  • Server is 2008 R2 64bit, VM/4GB RAM and is only set up as a file server, drive mounted from an EMC SAN.
  • The share is big, it’s our 8TB projects files with 400GB free.

We have a 3rd party support company who is responsible for this server. 

I have just done a quick test and it seems to be limited to the same computers each time and it can be reproduced.

Has anybody got any ideas what could be causing this or anything we should try?

Cheers

Aaron

How to find when file was set to read-only on Server 2003?

Hi,

I have enabled directory/file auditing on a Windows 2003 server.  There is a Microsoft Access database that repeatedly gets set to read-only which keeps users from being able to access it.

I've gone through several articles such as this:
http://support.microsoft.com/kb/300549

but none of them go into details about what to look for when diving into the event log.  I've pulled thousands of lines relating to access of this file, but they all look the same.

I even just cleared the event log, set the file to read-only, then cleared the flag, and exported the event log. There are still hundreds of events that are of type 560. I've searched through and I can't determine any difference between them.

Can someone tell me what specifically to look for in the event log when a file is set to read-only?

Thank you!

--Kent


DFSR backlog spikes

I set up a DFS system for my company about five years ago, and until recently it’s been working flawlessly and without any issues. We have one domain with four sites, and in each site there are two file storage servers. We have about 2TB of data that is stored on each server (all servers have the same data), and a hub and spoke configuration where our central site is the first to receive and the first to send out changes to data. Server A in the central site is the hub for 1TB of the data and Server B in the central site is the hub for the remaining 1TB (approximately). There are about 3 million files total in the replicated folders. We have 20Mbit (up and down) fiber connections running between each of the sites.

About a month ago I got a complaint about missing files on a server which appeared to be due to slow replication. I checked the backlogs on the folder and discovered that it had 1.4 million files backlogged and waiting to replicate. This, on a folder that only contains about 300,000 files. I monitored its progress and after about 24 hours the log was empty and I didn’t think anything more of it. The next morning I decided to check it again, and at some point overnight it jumped to 600,000 files. Checked it 15 MINUTES later and it was up to 1.2 million!

For troubleshooting I have file auditing turned on on all the file servers. I went through the security logs and, using a few of the files from the backlog report, searched to see who or what was changing the files. There is no mention of any of the files being changed in any way on any of the servers. Also, we don’t have AV running on any of the servers and our backup uses a simple copy procedure that doesn’t set the archive bit or change the date last accessed. I’m at a loss as to why these files keep replicating when it appears that they haven’t changed.

To top this all off, this morning I checked the backlogs and noticed a folder trying to replicate in an area that I’m very familiar with as it’s dedicated to the IT department. The folder was deleted YEARS ago, and that deletion had successfully replicated to all servers as I’ve been in the parent directory on all eight servers within the last couple of months. This latest development is what caused me to submit this question to the forum.

So has anyone seen anything like this? How do I troubleshoot this further? All this seemingly erroneous replication is causing a lot more file collisions and we’re starting to lose work on a regular basis.

File Secure Delete for server

I have a network that consists of a Windows 2008 R2 server with Windows 7 clients. Is there a utility so that when a user deletes a file from a network share it becomes securely deleted?

BSOD due to access violation in dfsc

Our new (not yet production) file server (W2k12) crashed last night due to an access violation in dfsc.sys. Afaik it happened the first time, but I am not totally sure. I also was unable to find out whether this is a common problem with a known fix. Windbg output is:

MODULE_NAME: dfsc

FAULTING_MODULE: fffff80363a82000 nt

DEBUG_FLR_IMAGE_TIMESTAMP:  5010aaed

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%08lx verweist auf Speicher 0x%08lx. Der Vorgang %s konnte nicht im Speicher durchgeführt werden.

FAULTING_IP: 
nt!RtlRemoveUnicodePrefix+7d
fffff803`63e5e6fd 483919          cmp     qword ptr [rcx],rbx

CONTEXT:  fffff88008692870 -- (.cxr 0xfffff88008692870)
rax=0000000000000000 rbx=fffff8a068545920 rcx=0000000000000008
rdx=fffff8a068545920 rsi=0000000000000801 rdi=0000000000000802
rip=fffff80363e5e6fd rsp=fffff88008693270 rbp=fffffa804478eec0
 r8=fffff8a068545920  r9=0000000000000053 r10=0000000000000005
r11=fffff8a05f0fc5f0 r12=fffffa804478ee58 r13=0000000000400000
r14=0000000000000000 r15=fffff88001c19110
iopl=0         nv up ei ng nz ac po cy
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010297
nt!RtlRemoveUnicodePrefix+0x7d:
fffff803`63e5e6fd 483919          cmp     qword ptr [rcx],rbx ds:002b:00000000`00000008=????????????????
Resetting default scope

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

BUGCHECK_STR:  0x3B

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from fffff88001c2be61 to fffff80363e5e6fd

STACK_TEXT:  
fffff880`08693270 fffff880`01c2be61 : fffff8a0`685458e0 fffffa80`4478ee20 fffffa80`4478eec0 fffffa80`4478ee20 : nt!RtlRemoveUnicodePrefix+0x7d
fffff880`086932a0 fffff880`01c1b604 : fffff8a0`31531340 fffffa80`4478ee20 fffffa80`4478eec0 fffffa80`4478ee20 : dfsc+0x1ae61
fffff880`086932e0 fffff880`01c29799 : 00000000`00000000 fffff880`08693380 fffff8a0`0ac77d18 00000000`00000000 : dfsc+0xa604
fffff880`08693340 fffff880`01c1d7ef : fffff880`01c19140 fffff880`08693500 00000000`ffffffff fffff8a0`31531340 : dfsc+0x18799
fffff880`086933b0 fffff880`01c1dd01 : fffff880`01c19140 fffff880`08693470 00000000`ffffffff fffff880`08693508 : dfsc+0xc7ef
fffff880`08693410 fffff880`01c1d9f9 : 00000000`00000000 fffff880`08693500 00000000`ffffffff fffff8a0`62436644 : dfsc+0xcd01
fffff880`086934a0 fffff880`01c1dd01 : fffff8a0`f93fb250 fffff880`01c19130 00000000`00000009 fffff8a0`0ac77d18 : dfsc+0xc9f9
fffff880`086934d0 fffff880`01c1ca72 : fffff8a0`f93fb250 fffff8a0`0ac77d10 00000000`00000009 fffff8a0`304b6590 : dfsc+0xcd01
fffff880`08693560 fffff880`01c20151 : 00000000`00000001 fffff880`01c19110 00000000`00000000 fffff880`01c19110 : dfsc+0xba72
fffff880`086935a0 fffff880`0205c411 : fffffa80`ac0495c0 fffff8a0`0ac77d10 00000000`00000000 fffff803`63b6c967 : dfsc+0xf151
fffff880`08693620 fffff880`0205d4b6 : fffff880`086937a0 00000000`00000000 00000000`00000000 fffff880`086936d0 : mup!MupSurrogatePurgeNegativeCacheEntry+0x4975
fffff880`08693680 fffff880`00a694ee : fffffa80`57593960 00000000`00000000 00000000`0000003e 00000000`00000270 : mup!MupSurrogateGetUncProviderDeviceObject+0x806
fffff880`08693750 fffff880`00a9335d : fffffa80`590ed2e0 fffffa80`6c4b6d10 fffffa80`446fe0f0 00000000`00000801 : fltmgr!FltReleaseContext+0x90e
fffff880`086937f0 fffff803`63eae818 : 00000000`00000000 00000000`00000005 fffffa80`575939f8 00000000`000007ff : fltmgr!FltGetRequestorProcessIdEx+0x189c1
fffff880`086938a0 fffff803`63eab8c5 : fffffa80`4acf6cd0 fffffa80`4acf6cd0 00000000`00000000 fffffa80`44700190 : nt!NtAllocateVirtualMemory+0x5c98
fffff880`08693a80 fffff803`63ebb238 : 00000000`00000000 fffff880`08693c48 00000001`00000040 fffffa80`4304b080 : nt!NtAllocateVirtualMemory+0x2d45
fffff880`08693bd0 fffff803`63eb63de : 00000000`00000000 00000000`00000000 fffff8a1`b9575e01 ffffc0f0`7729e80a : nt!ObOpenObjectByName+0x258
fffff880`08693ca0 fffff803`63ec48d9 : 000000a1`34a3e430 ffffc0f0`00100080 000000a1`34a3e438 00000000`00000000 : nt!ObCreateObject+0x6ee
fffff880`08693d40 fffff803`63adb453 : 00000000`00000340 fffff803`63efa0c6 fffff880`08693df8 00000000`00000000 : nt!NtCreateFile+0x79
fffff880`08693dd0 000007ff`345f313a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KeSaveStateForHibernate+0x2a33
000000a1`34a3e3c8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x000007ff`345f313a


FOLLOWUP_IP: 
dfsc+1ae61
fffff880`01c2be61 41bbfeff0000    mov     r11d,0FFFEh

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  dfsc+1ae61

FOLLOWUP_NAME:  MachineOwner

IMAGE_NAME:  dfsc.sys

STACK_COMMAND:  .cxr 0xfffff88008692870 ; kb

Does anyone know about this problem and its cause?

Thanks in advance,
Christoph

Server Hard Drive Errors

I'm in charge of a large number of servers, using a variety of different hard drives. Recently, several of them have been reporting hard drive related errors with event codes 11 and 55. Running CHKDSK seems to usually result in a report that the drives are fine. Are there any further diagnostics I can run on the drives to determine if they are failing or failed? Is it likely that the errors with event codes 11 and 55 are false positives? Any help would be greatly appreciated! Thanks!

Windows 2008 R2 server stops responding to SMB2 Command: NegotiateProtocol

Hi

We have a Windows 2008 R2 SP1 (6.1.7601 Service Pack 1 Build 7601) serving as file server. Clients are Windows XP and Windows 7.

The files are being served happily and all of a sudden the server stops continuing on NEW SMB2 connections.

For ex,

A. time0 : connection 1 (and all connections before it) came in and is successfully established and is being served

B. time1: I assume something happens to the internals of server

C. time1: connection 2 comes in and tcp handshake is successful.

D. time+1msec: client sends SMB2 Negotiate

E. time+200 msec: server sends an ACK

F. time+59~sec: Server sends a RST

G. Now all the new connections from same or different clients have TCP handshake go thru and a reset from the server on NegotiateRequest!!!!

H. XP clients work fine to same server means SMBv1 or server resource is not an issue

I. If a client had an ongoing connection from BEFORE B (say connection 1). It still gets served but new connections get reset.

J. The only work around is to reboot the server!! Until it happens again!!

This sounds like something on Windows 2008 R2 SMB2 stack which goes into a state where it intentionally stops taking new connection. Some kind of anti-DDOS behavior or something??

Appreciate any help

Here is D (time+1msec: client sends SMB2 Negotiate)

NetBIOS Session Service
    Message Type: Session message (0x00)
    Length: 155
SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        SMB Command: Negotiate Protocol (0x72)
        NT Status: STATUS_SUCCESS (0x00000000)
        Flags: 0x18
            0... .... = Request/Response: Message is a request to the server
            .0.. .... = Notify: Notify client only on open
            ..0. .... = Oplocks: OpLock not requested/granted
            ...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
            .... 1... = Case Sensitivity: Path names are caseless
            .... ..0. = Receive Buffer Posted: Receive buffer has not been posted
            .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
        Flags2: 0xc853
            1... .... .... .... = Unicode Strings: Strings are Unicode
            .1.. .... .... .... = Error Code Type: Error codes are NT error codes
            ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
            ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
            .... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported
            .... .0.. .... .... = Reparse Path: The request does not use a @GMT reparse path
            .... .... .1.. .... = Long Names Used: Path names in request are long file names
            .... .... ...1 .... = Security Signatures Required: Security signatures are required
            .... .... .... 0... = Compressed: Compression is not requested
            .... .... .... .0.. = Security Signatures: Security signatures are not supported
            .... .... .... ..1. = Extended Attributes: Extended attributes are supported
            .... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
        Process ID High: 0
        Signature: 0000000000000000
        Reserved: 0000
        Tree ID: 65535
        Process ID: 65279
        User ID: 0
        Multiplex ID: 0
    Negotiate Protocol Request (0x72)
        Word Count (WCT): 0
        Byte Count (BCC): 120
        Requested Dialects
            Dialect: PC NETWORK PROGRAM 1.0
                Buffer Format: Dialect (2)
                Name: PC NETWORK PROGRAM 1.0
            Dialect: LANMAN1.0
                Buffer Format: Dialect (2)
                Name: LANMAN1.0
            Dialect: Windows for Workgroups 3.1a
                Buffer Format: Dialect (2)
                Name: Windows for Workgroups 3.1a
            Dialect: LM1.2X002
                Buffer Format: Dialect (2)
                Name: LM1.2X002
            Dialect: LANMAN2.1
                Buffer Format: Dialect (2)
                Name: LANMAN2.1
            Dialect: NT LM 0.12
                Buffer Format: Dialect (2)
                Name: NT LM 0.12
            Dialect: SMB 2.002
                Buffer Format: Dialect (2)
                Name: SMB 2.002
            Dialect: SMB 2.???
                Buffer Format: Dialect (2)
                Name: SMB 2.???


Here is E (time+200 msec: server sends an ACK)

    [Time delta from previous captured frame: 0.201044000 seconds]

    Flags: 0x010 (ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set

Here is F (F. time+59~sec: Server sends a RST)

    [Time delta from previous captured frame: 59.765376000 seconds]

    Flags: 0x014 (RST, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 0... = Push: Not set
        .... .... .1.. = Reset: Set
            [Expert Info (Chat/Sequence): Connection reset (RST)]
                [Message: Connection reset (RST)]
                [Severity level: Chat]
                [Group: Sequence]
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
