Active Directory: migrate FRS to DFSR


Active Directory is one of the most critical roles in every infrastructure, and each Domain Controller is treated like a diamond: no one may touch it, no updates, no changes, nothing at all. This is a bad habit, because all DCs must be kept aligned for security, which means installing updates and doing everything possible to ensure protection and compliance.

By the way, I’m sure that the majority of administrators have missed a message in the Event Viewer similar to the one in figure 1.

The message detail is:

The specified domain %1 is still using the File Replication Service (FRS) to replicate the SYSVOL share. FRS is deprecated.
The server being promoted does not support FRS and cannot be promoted as a replica into the specified domain.
You MUST migrate the specified domain to use DFS Replication using the DFSRMIG command before continuing.
For more information, see https://go.microsoft.com/fwlink/?linkid=849270.

Starting with Windows Server version 1709, a server can no longer be added as an Active Directory Domain Controller to an existing domain that is still using File Replication Service (FRS) for replication of the SYSVOL share.

File Replication Service came into the picture with Windows Server 2000. Microsoft used FRS to replicate SYSVOL between its domain controller members. Later on, with Windows Server 2008, Microsoft introduced Distributed File System Replication (DFSR), which is able to replicate SYSVOL.

For example, a Windows Server 2008 R2 domain controller with a Windows Server 2003 forest and domain functional level may still be using FRS as the default SYSVOL replication method. In this environment, if you upgrade your domain controllers to Windows Server 2016, you will run into issues with FRS.

So, if your infrastructure was built before Windows Server 2008, you are still using FRS even if the Domain Controllers are based on Windows Server 2016. This means that you must migrate SYSVOL replication from FRS to DFSR, even if the schema was raised to Windows Server 2016.

Migration

To achieve this goal, you must migrate the replication engine. These operations can be done from one of your DCs. Be careful before starting any of these tasks, because a wrong move can be dangerous for your AD.

Open a command prompt and make sure all Domain Controllers are replicated with the command repadmin /syncall /force /aped

If everything is ok, the migration can start. There are three steps to follow very carefully, moving the domain through these global states:

  • 0 – Start State
  • 1 – Prepared State
  • 2 – Redirected State
  • 3 – Eliminated State

The first step is the Prepared State, set with the command dfsrmig /SetGlobalState 1

In the Event Viewer you can see a new event with a message saying that the migration has started – figure 3.

Figure 3 – Event ID 8000

The first thing you might want to do is check which SYSVOL replication is used in your environment. To do this, from the prompt use the command dfsrmig /GetGlobalState.

If everything works fine, you can check the migration status with the command dfsrmig /GetMigrationState

Do not run the next command until all DCs are prepared. When everything is ok, you can run the second phase (Redirect) with the command dfsrmig /SetGlobalState 2

A new event will be shown in the Event Viewer – figure 6.

Figure 6 – Event ID 8017

This command will also create a new folder on each Domain Controller, called SYSVOL_DFSR, as shown in figure 7.

Figure 7 – New DFSR Folder

Once again, run the command dfsrmig /GetMigrationState to check the status and, again, do not run anything until the task is finished.

If you want to force the procedure, run repadmin /syncall /AdeP to manually invoke replication to each Domain Controller. Check the status again with the command dfsrmig /GetMigrationState

The last phase is Eliminate, which consists of deleting the old SYSVOL folder on each Domain Controller. The command is dfsrmig /SetGlobalState 3.

If you want to force the replication, the command is always the same: repadmin /syncall /AdeP. After a few minutes, run the command dfsrmig /GetMigrationState again.

If everything is ok, check the Event Viewer to find a new event saying that the migration has completed – figure 12.

Figure 12 – Event ID 8019

Open the services.msc console to check that the File Replication Service is disabled on each Domain Controller – figure 13.

Figure 13 – FRS Disabled

To close the circle, check that the SYSVOL folder was removed from each Domain Controller.
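
The rule "do not run the next command until all DCs are prepared" can be checked by script instead of by eye. The PowerShell below is an added example, not part of the original article: the function name Test-DfsrMigrationConsistent is hypothetical, the sample output is constructed, and the English wording of the dfsrmig /GetMigrationState output is an assumption to verify on your own DCs.

```powershell
# Added example: decide whether it is safe to run the next dfsrmig /SetGlobalState.
# Assumption: dfsrmig /GetMigrationState prints English text in the form of the sample below.
function Test-DfsrMigrationConsistent {
    param(
        [string[]]$Output,
        [Parameter(Mandatory)][ValidateSet('Prepared','Redirected','Eliminated')][string]$ExpectedState
    )
    $text = $Output -join "`n"
    # Lagging DCs are assumed to be listed as: DC02 ('Start') - Writable DC
    $lagging = foreach ($line in $Output) {
        if ($line -match "^\s*(?<dc>\S+)\s+\('(?<state>[^']+)'\)\s+-\s+") {
            [pscustomobject]@{ DomainController = $Matches.dc; LocalState = $Matches.state }
        }
    }
    # Both must hold: the global state is the expected one, and every DC has reached it.
    $stateOk    = $text -match "Global state \('$ExpectedState'\)"
    $consistent = $text -match 'Migration has reached a consistent state'
    [pscustomobject]@{
        ExpectedState = $ExpectedState
        Ready         = [bool]($stateOk -and $consistent -and -not $lagging)
        Lagging       = @($lagging)
    }
}

# Constructed sample output (not captured from a real domain).
$sample = @'
The following Domain Controllers are not in sync with Global state ('Prepared'):

Domain Controller (Local Migration State) - DC Type
===================================================

DC02 ('Start') - Writable DC

Migration has not yet reached a consistent state on all Domain Controllers.
State information might be stale due to AD latency.
'@ -split "`r?`n"

$result = Test-DfsrMigrationConsistent -Output $sample -ExpectedState Prepared
if (-not $result.Ready) {
    Write-Warning "Do not run dfsrmig /SetGlobalState 2 yet; lagging: $($result.Lagging.DomainController -join ', ')"
}
# On a Domain Controller, pass the live output instead of the sample:
#   Test-DfsrMigrationConsistent -Output (dfsrmig /GetMigrationState) -ExpectedState Prepared
```

The same check applies before moving from Redirected to Eliminated by passing -ExpectedState Redirected.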

Summary

This is the procedure to migrate your Active Directory infrastructure from legacy FRS to DFSR. Remember that each phase can take up to 1 hour, depending on the number of DCs, the topology and the replication time.