Migrating the File Replication Service (FRS) to Distributed File System Replication (DFSR) for SYSVOL Replication

I have recently been working on a project to move an organisation from their no longer supported 2008R2 domain controller to 2019. Originally I had difficulty promoting my 2019 server to a DC. Originally I thought this was because the domain and forest functional levels were still on 2003.

Raising them both to 2008R2, I received the following error.

Why do we see this?

In June 2017 Microsoft released an update to Server 2016 RSI announcing that FRS – RS3 will no longer be supported; see this article.

SYSVOL

The SYSVOL folder on domain controllers is used to replicate logon scripts. FRS is now a redundant technology, so it stands to reason that on our new 2019 domain controller we need to move our domain to DFS.

How do we do this?

In order to achieve this we need to use the DFSRMIG tool to migrate the domain from File Replication Service (FRS) to DFS.

Now there are 3 types of migration we can do.

  • Quick Migration (where you don’t know if your domain controllers are healthy, and you want a rollback option)
  • Express Migration (where you are sure that your domain controllers are healthy, and you want a rollback option)
  • Hyper Migration (where you want to migrate with the minimum steps and are confident of domain controller health)



Disclaimer: Doing this wrong could seriously harm your domain. If it is not something you have done before, or SYSVOL is not something you have a strong understanding of, I seriously suggest reading up on Microsoft's guide. This article is more for notes for me to refer to, so follow at your own risk.

When I have done this before, I tend to follow a guide for a Quick Migration, as it gives me an option to roll back.

SOURCE: https://techcommunity.microsoft.com/t5/storage-at-microsoft/streamlined-migration-of-frs-to-dfsr-sysvol/ba-p/425405

Quick Migration

In this case, the health of AD and SYSVOL on all domain controllers is not known. For instance, you are not using System Center Operations Manager to monitor your domain controllers for AD replication, SYSVOL availability, and free disk space.

The goal of the Quick Migration scenario is to test the conditions of the domain controllers, then migrate SYSVOL to DFSR, with the ability to roll back during the process.

1. Ensure free disk space – The DFSR migration process copies the contents of SYSVOL to a parallel folder called SYSVOL_DFSR, and then shares out that copy during the Redirection phase. This means that on the volume where your SYSVOL exists on domain controllers – typically the C: drive – you need at least as much free space as the size of the current SYSVOL folder, plus a 10% fudge factor. For instance, if your current SYSVOL folder is 2GB (an unusually large SYSVOL), you should ensure that at least 2.2 GB disk space is free on the same volume. Most SYSVOL are only a few hundred MB or less.

An easy way to determine the free disk space on a bunch of remote DCs is with Psinfo.exe -d. Look here for more info. The WMI Win32_LogicalDisk class is also a possibility, such as through Windows PowerShell:

Get-WmiObject -Class win32_logicaldisk -ComputerName srv01,srv02,srv03 | FT systemname,deviceid,freespace -auto

You can get fancier here, first looking on each computer to decide which volume hosts SYSVOL and comparing sizes and such, but this is the quick migration guide!

Note: you can greatly decrease the size of your SYSVOL by preventing legacy ADM replication using KB813338. A hundred group policies with 50 registry settings apiece is unlikely to exceed 5MB total when creating group policies using Windows Vista or later. The ADMX central store and alternatives are available for servicing.

2. Ensure correct security policy – You must ensure that the built-in Administrators group has the “Manage Auditing and Security Log” user right on all your domain controllers. This is on by default, so if it’s not set, someone yanked it. Microsoft does not support removing that, no matter what you may have read elsewhere. To validate, examine the group policy applied to your domain controllers by using Gpresult.exe. For more info, examine KB2567421.

3. Ensure AD replication is working – The DFSR migration depends entirely on each domain controller receiving and sending state changes via AD replication. There are many ways to examine AD health, but the easiest is probably the Active Directory Replication Status Tool. Install the utility and scan your domain for errors; if there are problems, fix them and then continue. Don’t attempt a DFSR migration unless all your domain controllers are replicating AD correctly.

Ideally, when you set “Errors Only” mode on, it looks like this:


4. Ensure SYSVOL is shared – DFSR migration naturally depends on SYSVOL itself; it must already be shared and the DC must be advertising and available, or migration at each stage will never complete. The simplest way to check all your domain controllers is with the Dcdiag.exe command using two specific tests:

Dcdiag /e /test:sysvolcheck /test:advertising

Don’t attempt a DFSR migration unless all your domain controllers are passing the connectivity, SYSVOL, and advertising tests with no errors.

They should look like this:


5. Migrate to Prepared State – Now you will migrate to the Prepared state, where both FRS and DFSR are replicating their own individual copies of SYSVOL, but the FRS copy mounts the SYSVOL and Netlogon shares. On the PDC Emulator domain controller, run (as an elevated domain admin):

Dfsrmig /setglobalstate 1

Now you wait for this AD value on the PDCE to converge on all domain controllers, then for DFSR to switch to Prepared state on each domain controller and update AD, and finally for that value to replicate back to the PDCE. Use the following command to see progress:

Dfsrmig /getmigrationstate

When all DCs are ready, the output will look like this:


As I mentioned in the advice section, you can speed this processing up with faster AD replication and DFSR polling.

6. Migrate to Redirected State – Now you will migrate to the Redirected state, where both FRS and DFSR are replicating their own individual copies of SYSVOL, but the DFSR copy mounts the SYSVOL and Netlogon shares. On the PDC Emulator domain controller, run (as an elevated domain admin):

Dfsrmig /setglobalstate 2

Now you wait for this AD value on the PDCE to converge on all domain controllers, then for DFSR to switch to Redirected state on each domain controller and update AD, and finally for that value to replicate back to the PDCE. Use the following command to see progress:

Dfsrmig /getmigrationstate

When all DCs are ready, the output will look like this:


7. Migrate to Eliminated State – Finally, you will migrate to the Eliminated state, where DFSR is replicating SYSVOL and FRS is removed. Unlike the Prepared and Redirected states, there is no way to go backwards from this step – once executed, FRS is permanently stopped and cannot be configured again. On the PDC Emulator domain controller, run (as an elevated domain admin):

Dfsrmig /setglobalstate 3

Now you wait for this AD value on the PDCE to converge on all domain controllers, then for DFSR to switch to Eliminated state on each domain controller and update AD, and finally for that value to replicate back to the PDCE. Use the following command to see progress:

Dfsrmig /getmigrationstate

When all DCs are ready, the output will look like this:



Your migration is complete.
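
A pre-flight gate for steps 1 and 4, to run before Dfsrmig /setglobalstate 1. This is an added example, not part of the original article or Microsoft's guide: the function name and the srv01-srv03 host names are placeholders, and it assumes Windows PowerShell 5.1 on an admin host that has Dcdiag.exe and WMI and SMB access to each DC. It finds the volume that actually hosts SYSVOL, compares its free space against the current SYSVOL size plus 10%, and runs the two Dcdiag tests per DC.

```powershell
# Added example (not from the article): pre-flight gate for steps 1 and 4.
function Test-SysvolMigrationReadiness {
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [double]$Margin = 1.10   # SYSVOL size plus the 10% margin from step 1
    )
    foreach ($dc in $ComputerName) {
        $r = [pscustomobject]@{
            DC = $dc; SysvolPath = $null; SysvolMB = $null; FreeMB = $null
            SpaceOk = $false; DcdiagOk = $false; Error = $null
        }
        try {
            # Step 1: the local path behind the SYSVOL share shows which volume hosts it.
            $share = Get-WmiObject -Class Win32_Share -ComputerName $dc `
                -Filter "Name='SYSVOL'" -ErrorAction Stop
            if (-not $share) { throw 'SYSVOL share not found' }
            $drive = $share.Path.Substring(0, 2)    # e.g. "C:"
            $disk = Get-WmiObject -Class Win32_LogicalDisk -ComputerName $dc `
                -Filter "DeviceID='$drive'" -ErrorAction Stop

            # Size of the current SYSVOL content, read through the share.
            [long]$bytes = (Get-ChildItem -Path "\\$dc\SYSVOL" -Recurse -Force -ErrorAction Stop |
                Where-Object { -not $_.PSIsContainer } |
                Measure-Object -Property Length -Sum).Sum

            $r.SysvolPath = $share.Path
            $r.SysvolMB = [math]::Round($bytes / 1MB, 1)
            $r.FreeMB = [math]::Round($disk.FreeSpace / 1MB, 1)
            $r.SpaceOk = $disk.FreeSpace -ge ($bytes * $Margin)

            # Step 4: the same two Dcdiag tests, run against this DC only.
            # Assumption: English output, where results read "passed test X" / "failed test X".
            $diag = & dcdiag.exe "/s:$dc" /test:sysvolcheck /test:advertising 2>&1 | Out-String
            $r.DcdiagOk = ($diag -match 'passed test') -and ($diag -notmatch 'failed test')
        }
        catch {
            # An unreachable DC or a missing share is reported, not skipped.
            $r.Error = $_.Exception.Message
        }
        $r
    }
}

# Placeholder DC names, as in the article's own Get-WmiObject example.
Test-SysvolMigrationReadiness -ComputerName srv01, srv02, srv03 |
    Format-Table DC, SysvolMB, FreeMB, SpaceOk, DcdiagOk, Error -AutoSize
```

Any DC with SpaceOk or DcdiagOk set to False, or with a value in Error, should be fixed before the global state is changed.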

