Friday, June 23, 2017

Windows Server 2016 - FRS Deprecated: How to migrate SYSVOL replication from FRS to DFS replication

This blog contains a step-by-step guide: “how to migrate the SYSVOL FRS to DFS Replication (DFSR)”

Windows Server 2016 Domain Controllers: FRS Replication deprecated!

Since the introduction of Windows Server 2008, Microsoft moved away from FRS replication and introduced DFS replication for SYSVOL. With the introduction of Windows Server 2016 the old FRS SYSVOL replication is deprecated. For now (23-06-2017) this means the FRS feature is still there, but you will receive warnings while promoting a Windows 2016 DC and still using FRS. The FRS-feature will be removed in nearby future of new Windows 2016 releases. So migrate your SYSVOL FRS replication to DFSR before introducing new Windows 2016 Domain Controllers to your domain.

Customers don’t know they still using FRS SYSVOL replication after Windows 2008 or higher migration

As a consultant I see a lot of customers, which are running Windows 2008 or higher domains/forest functional levels and unconsciously still using the old FRS-replication technique. The FRS-replication is still in place because their domain/forest had a functional level of Windows 2003 R2 or lower in the past. The customer migrated away from Windows 2003 R2 to a domain/forest functional level of Windows 2008 or higher and didn’t migrate to DFSR. When the domain/forest functional level is raised to Windows 2008 or higher the SYSVOL replication doesn’t automatically upgrades to DFSR. You need to do this manually!

This is also the case when you install a brand new domain with Windows 2012 R2 DC’s and configure the forest/domain functional level to Windows 2003 R2 or lower. In a domain with functional level of Windows 2003 R2 you can introduce Windows 2003 R2 Domain Controllers and since they don’t have DFSR technology the Windows 2008 or higher DC’s fall back to FRS to communicate with the 2003 R2 DC’s in your domain.

Check if you still using FRS replication

Check if you are still using FRS as follows:
  1. On your Domain Controller the “File Replication Service” is present and is running. Startup type: Automatic.
  2. In the Application log events appear in the “File Replication Service” log. Which contains information about FRS replication and the message “The File Replication Service is no longer preventing the computer PBO-DC01 from becoming a domain controller….” is registered after a domain controller reboot.
Example: Visual: The migration process with dfsrmig

The DFSRMIG process has three states:

Preparations

WARNING: Execute the DFS migration on the Domain Controller which has the PDC-emulator role.

INFO: Read the following technet blog for more detailed information about the FRS to DFSR migration: http://blogs.technet.com/b/filecab/archive/2008/02/08/sysvol-migration-series-part-1-introduction-to-the-sysvol-migration-process.aspx

  1. Create a backup of your domain (systemstate)
  2. Make sure you know the Active Directory Restore Mode password. If you are not 100% sure, reset the ADRM password to something you know. You will need this password if you want to restore your Active Directory backup.
  3. Ensure that the domain and forest level is at least Windows 2008 (you can use AD Trusts cpl)
  4. Check your Domain Controllers with DCDIAG and ensure there are no issues
  5. Check Active Directory replication: repadmin /showrepl . You need to ensure that AD replication is OK.
  6. Check if SYSVOL is shared/ready on every domain controller: net share
  7. Check every Domain Controller if SYSVOL is ready:  HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\Sysvol [SysvolReady] = 1
  8. Check the current DFSR status and ensure you are not half way a DFSR migration already. Dfsrmig /getMigrationState
  9. Check if the DFS Service is installed on every domain controller:

Phase 1: Migrated to “PREPARED” state

If you have ensured done the preparation and you can fallback to a backup. Your good to go and start the FRS to DFSR migration as follows.

INFO: The prepared state is a state where the DFSR Replication will be introduced parallel of the FRS Replication. When in DFSMig state “PREPARED”, the FRS Replication is leading.


WARNING: The SYSVOL to SYSVOL_DFSR copy is done once, so changes to SYSVOL are not replicated to SYSVOL_DFSR!


=============================================
DFSR has successfully migrated the Domain Controller PBO-DC-01 to the 'PREPARED' state.

TO CONTINUE MIGRATION: If you choose to continue the migration process and proceed to the 'REDIRECTED' state, please note that any changes made henceforth to the SYSVOL share located at C:\Windows\SYSVOL (which is under NTFRS replication) will not be updated in the SYSVOL_DFSR folder located at C:\Windows\SYSVOL_DFSR (which is under DFSR replication). To avoid this possibility of data loss, please make sure no file system changes on the SYSVOL share occur while DCs are migrating from 'PREPARED' to 'REDIRECTED' state.

TO ROLLBACK MIGRATION: If you choose to rollback the migration process and return to the 'START' state, please note that DFSR will no longer be replicating the SYSVOL_DFSR folder and all DFSR information will be removed from the Active Directory.

Additional Information:
Sysvol NTFRS folder: C:\Windows\SYSVOL
Sysvol DFSR folder: C:\Windows\SYSVOL_DFSR
Domain Controller: PBO-DC-01

=============================================
  1. Execute command dfsrmig /setGlobalState 1
  2. Check the progress with command: dfsrmig /getMigrationState
Output – not completed:

Output – Completed:

Phase 2: Migrate to “REDIRECTED” state

INFO: In a redirected state the DFSR will become primary. In this state you still have the opportunity to rollback to FRS replication.

WARNING: There could be data loss when rolling back to FRS replication:

=============================================
DFSR has successfully migrated the Domain Controller PBO-DC-01 to the 'REDIRECTED' state. DFSR is now replicating the SYSVOL_DFSR folder located at C:\Windows\SYSVOL_DFSR.

TO CONTINUE MIGRATION: If you choose to continue the migration process and proceed to the 'ELIMINATED' state, please note that it will not be possible to revert the migration process. Once migration reaches the 'ELIMINATED' state, the SYSVOL folder located at C:\Windows\SYSVOL will be deleted and NTFRS will no longer replicate it. All the NTFRS related information in the Active Directory will be deleted. After that, DFSR will be solely responsible for the SYSVOL share replication process on the Domain Controller PBO-DC-01.

TO ROLLBACK MIGRATION: If you choose to rollback the migration process to the 'PREPARED' state, any changes made after moving to the 'REDIRECTED' state to the SYSVOL_DFSR folder located at C:\Windows\SYSVOL_DFSR (which is currently under DFSR replication) will not be updated in the SYSVOL share located at C:\Windows\SYSVOL (which is under NTFRS replication). To avoid this possibility of data loss post rollback, please make sure that no file system changes on the SYSVOL share  occur while DCs are migrating from 'REDIRECTED' to 'PREPARED' state.


After rollback, NTFRS will replicate the SYSVOL share located at C:\Windows\SYSVOL and DFSR will continue replicating the SYSVOL_DFSR folder located at C:\Windows\SYSVOL_DFSR. However, NTFRS will still primarily be responsible for the SYSVOL share replication process on the Domain Controller PBO-DC-01.

Additional Information:
Sysvol NTFRS folder: C:\Windows\SYSVOL
Sysvol DFSR folder: C:\Windows\SYSVOL_DFSR

Domain Controller: PBO-DC-01

 =============================================
  1. Check if SYSVOL folder is still shared: net share
  2. Check if SysvolReady has value 1
  3. Check if the AD replication is still OK: repadmin /showrepl or repadmin /replsum
  4. Execute the following command to get to the REDIRECTED state: dfsrmig /setGlobalState 2
  5. Check the progress with command dfsrmig /getMigrationState
Output – not completed:
Output – Completed:

Phase 3: Migrate to “ELIMINATED” state

WARNING: There is no rollback possibility to FRS when migrated to the ELIMINATED state.
  1. Check if SYSVOL folder is still shared: net share
  2. Check if SysvolReady has value 1
  3. Check if the AD replication is still OK: repadmin /showrepl or repadmin /replsum
  4. Execute the following command to get to the ELIMINATED state: dfsrmig /setGlobalState 3
  5. Check the progress with command dfsrmig /getMigrationState
Output – Not completed:

Output – Completed:


When done, the following events are in the event viewer:

11 comments:

  1. Thank you!!
    I've had problems with netologon replication with win2008 and win2016 DC.
    I checked so many things.
    The migration from FRS to DFS solved the problems....and the system is prepared for future :-)
    Many thanks.

    ReplyDelete
  2. Thanks Patrick! Very clear procedure which helped us out :-)

    ReplyDelete
  3. Thank you very much for this.
    We had a client who had 2 domain controllers. We were replicating the PDC only to the DR site, due to lack of Veeam licenses, and when we performed a test at the DR site, the DC took very long to apply settings and once logged in AD users and computers, Domains and Trusts, Sites and services management consoles all failed to load. in event viewer all services had started properly but on the DR site we noted no sysvol and netlogon volumes. repladm and dcdiag all showed everything was o.k. Read this article and to my surprise we found that the replication was still using FRS. We decided to migrate to DFS-R to be future ready and it resolved our problem and use a supported replication mechanism. Once we replicated the DC VM again to the DR, it started up properly.

    Thank you once Again.

    ReplyDelete
  4. Thanks! Verry clear description and procedure. Succesfully migrated to DFS.

    ReplyDelete
  5. Thank you! This was very helpful and answered all of my questions.

    ReplyDelete
  6. Great guide, thanks for putting this up. Successfully migrated here.

    ReplyDelete
  7. This comment has been removed by a blog administrator.

    ReplyDelete
  8. Thanks Patrick. Great a guide.

    ReplyDelete
  9. Dear all,
    After setting "dfsrmig /setGlobalState 1" I'm facing following issue:

    C:\Users\>Dfsrmig /getmigrationstate

    The following domain controllers have not reached Global state ('Prepared'):

    Domain Controller (Local Migration State) - DC Type
    ===================================================

    DC01 ('Start') - Primary DC
    DC02 ('Start') - Writable DC
    DC03 ('Start') - Writable DC


    Migration has not yet reached a consistent state on all domain controllers.
    State information might be stale due to Active Directory Domain Services latency
    .

    C:\Users\>Dfsrmig /getmigrationstate

    The following domain controllers have not reached Global state ('Prepared'):

    Domain Controller (Local Migration State) - DC Type
    ===================================================

    DC01 ('Waiting For Initial Sync') - Primary DC
    DC02 ('Waiting For Initial Sync') - Writable DC
    DC03 ('Waiting For Initial Sync') - Writable DC

    Migration has not yet reached a consistent state on all domain controllers.
    State information might be stale due to Active Directory Domain Services latency

    Plz help me to solve this issue

    ReplyDelete
  10. Thanks Patrick. Very clear and helpful guide !

    ReplyDelete
  11. Hey Patrick...any idea why after completing this procedure my DC's not only did not automatically disable FRS, but even after I disable FRS manually on all of my DC's, something is setting them all back to automatically start? Of course, none of them start but nonetheless, the errors in the Event logs are annoying. GetGlobaState shows Eliminated. Any thoughts...anyone? Thanks!

    ReplyDelete