Friday Mailbag: Best practices for DFS-R on Domain Controllers


Greg Jaworski here again… After a lengthy conversation with one of our readers about migrating SYSVOL to DFS-R, and some confusion around the various KBs, I decided it was worth blogging some best practices and Frequently Asked Questions around SYSVOL and DFS-R.

1. If you have not yet migrated to DFS-R, make sure you have the latest version of robocopy. This applies to Windows Server 2008 R2 RTM and SP1; if you are running Windows Server 2012, robocopy is already up to date. The hotfix keeps all of your files from ending up conflicted, which would force us to replicate everything. If you missed or forgot this hotfix you won't lose data; you will essentially just have the files twice, which causes extra replication and storage use. This hotfix requires a reboot because it updates ntfs.sys: http://support.microsoft.com/kb/2639043.

2. Update to the latest DFS-R binaries. You can do this prior to the migration, since DFS-R will already be running on the DC. This is also a good time to check the status of the service and confirm that it wasn't removed or stopped as part of a server hardening procedure. The list of latest binaries is at http://support.microsoft.com/kb/968429.

a. Install http://support.microsoft.com/kb/2780453 and enable content freshness protection on Windows Server 2008 R2 DCs. Also see http://blogs.technet.com/b/askds/archive/2009/11/18/implementing-content-freshness-protection-in-dfsr.aspx.

b. On Windows Server 2008 R2, install http://support.microsoft.com/kb/2663685 and then enable DFS-R autorecovery as outlined in http://support.microsoft.com/kb/2846759. For Windows Server 2012 you just need to enable autorecovery. It is the usual double negative, so the value should be changed from 1 to 0. Restart the DFS-R service for the change to take effect. There is conflicting information between these two KB articles; however, after further review we recommend that autorecovery be enabled for Domain Controllers. For file server workloads we recommend that it be disabled.

3. Start the SYSVOL migration and be patient. DFS-R only polls AD once every 60 minutes, and that plus replication means it will take some time for DCs to complete each step. We have lots of great blogs and documentation on that procedure, so I won't repeat that here. Please see the references section below for those.
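
A read-only pre-flight check for steps 1 and 2, added here as an example (it is not from the original post or from any Microsoft tool). The function name `Test-DfsrSysvolReadiness` and the OK/CHECK/FAIL labels are assumptions made for illustration; the KB numbers are the ones cited above, and the content freshness window is read from the `DfsrMachineConfig` WMI class.

```powershell
# Added example: read-only readiness check, run locally on each DC before migration.
# Test-DfsrSysvolReadiness and the status labels are illustrative names.
function Test-DfsrSysvolReadiness {
    $rows = @()
    function New-Row($check, $status, $detail) {
        New-Object PSObject -Property @{ Check = $check; Status = $status; Detail = $detail }
    }

    # Step 2: hardening baselines sometimes stop or disable DFSR; it must be running.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='DFSR'"
    if (-not $svc) {
        $rows += New-Row 'DFSR service' 'FAIL' 'service not found'
    } elseif ($svc.State -ne 'Running' -or $svc.StartMode -ne 'Auto') {
        $rows += New-Row 'DFSR service' 'FAIL' "State=$($svc.State) StartMode=$($svc.StartMode)"
    } else {
        $rows += New-Row 'DFSR service' 'OK' 'Running, automatic start'
    }

    # Steps 1, 2a, 2b: hotfixes named in the post; only relevant on 2008 R2 (6.1).
    $os = Get-WmiObject -Class Win32_OperatingSystem
    if ($os.Version -like '6.1.*') {
        foreach ($kb in 'KB2639043', 'KB2780453', 'KB2663685') {
            # A missing ID may mean a newer update superseded it; verify manually.
            if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) {
                $rows += New-Row $kb 'OK' 'installed'
            } else {
                $rows += New-Row $kb 'CHECK' 'not listed; compare binaries with KB 968429'
            }
        }
    } else {
        $rows += New-Row 'Hotfixes' 'SKIP' "OS version $($os.Version) is not 2008 R2"
    }

    # Step 2a: report the configured content freshness window without changing it.
    $cfg = Get-WmiObject -Namespace 'root\MicrosoftDFS' -Class DfsrMachineConfig -ErrorAction SilentlyContinue
    if ($cfg) {
        $rows += New-Row 'Content freshness' 'INFO' "MaxOfflineTimeInDays=$($cfg.MaxOfflineTimeInDays)"
    } else {
        $rows += New-Row 'Content freshness' 'FAIL' 'DfsrMachineConfig not readable'
    }

    $rows | Select-Object Check, Status, Detail
}

Test-DfsrSysvolReadiness | Format-Table -AutoSize
```

The autorecovery setting from step 2b is not checked here because the post does not name the registry value; take it from KB 2846759.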

References:

968429 List of currently available hotfixes for Distributed File System (DFS) technologies in Windows Server 2008 and in Windows Server 2008 R2

http://support.microsoft.com/kb/968429/EN-US

2639043 A robocopy command updates DACLs incorrectly in Windows 7 or in Windows Server 2008 R2

http://support.microsoft.com/kb/2639043/EN-US

2780453 Event ID 4114 and Event ID 4008 are logged in the DFS Replication log in Windows Server 2008 R2

http://support.microsoft.com/kb/2780453/EN-US

2846759 DFSR Event ID 2213 is logged on Windows Server 2008 R2 and Windows Server 2012

http://support.microsoft.com/kb/2846759/EN-US

Implementing Content Freshness protection in DFSR

http://blogs.technet.com/b/askds/archive/2009/11/18/implementing-content-freshness-protection-in-dfsr.aspx

SYSVOL Replication Migration Guide: FRS to DFS Replication

http://technet.microsoft.com/en-us/library/dd640019(v=WS.10).aspx

DFSR SYSVOL Migration FAQ: Useful trivia that may save your follicles

http://blogs.technet.com/b/askds/archive/2009/01/05/dfsr-sysvol-migration-faq-useful-trivia-that-may-save-your-follicles.aspx

Until next time….

Greg “Good Cop” Jaworski