The previous article in this series explained how to migrate replication of the SYSVOL share to the ‘REDIRECTED’ state. In this article, we examine how to complete migration of all domain controllers to the ‘ELIMINATED’ state.
Before we begin …
Remember that the migration process to the ‘ELIMINATED’ state cannot be reverted under any circumstances. Therefore, ensure that SYSVOL replication using the DFS Replication service is healthy, before committing entirely to finalizing the migration process.
Before migrating to the ‘ELIMINATED’ state, a couple of precautions are advised.
a) All domain controllers are in ‘REDIRECTED’ state: The most important precaution is to ensure that all domain controllers have successfully migrated to the ‘REDIRECTED’ state before changing the global migration state to the ‘ELIMINATED’ state. As mentioned in the previous article, the command line switch ‘GetMigrationState’ can be used to ensure that all domain controllers have reached the ‘REDIRECTED’ state.
b) Verify that the SYSVOL share is still being shared out: by all domain controllers and that the SYSVOL share path points to the path that is being replicated by the DFS Replication service (the ‘SYSVOL_DFSR’ folder location). This can be done by typing ‘net share’ on the domain controller. The SYSVOL share is listed if it is being shared out by that domain controller.
Migrating to ‘ELIMINATED’ state
Let’s look at how to migrate SYSVOL replication on the domain to the ‘ELIMINATED’ state. Please follow the below mentioned steps and pay special attention to any caution or warnings that are mentioned below.
ü STEP 1: Check health of Active Directory Replication.
Since the migration directive is set on the Primary Domain Controller and needs to be replicated to the Active Directory on each of the replica domain controllers in the domain, it is necessary to ensure that Active Directory replication is working fine. This can be done using the ‘RepAdmin /ReplSum’ command. This step assumes importance in case of remote domain controllers, since those domain controllers will participate in SYSVOL migration only after noticing the migration directive, which in turn is dependent on Active Directory replication between the two sites.
ü STEP 2: Set the migration directive.
On the Primary Domain Controller, run the dfsrmig.exe tool and set the migration global state to ‘ELIMINATED’ state (State 3). Issue the command ‘dfsrmig /setGlobalState 3’ on the Primary Domain Controller to commence migration to the ‘ELIMINATED’ state.
ü STEP 3: Monitor to ensure that all domain controllers have reached the ‘ELIMINATED’ state successfully.
Use the ‘dfsrmig /getMigrationState’ command to ensure that all domain controllers have successfully migrated to the ‘ELIMINATED’ state. Ensure that the output for this command mentions that all domain controllers have reached the ‘ELIMINATED’ state.
When the DFS Replication service on each domain controller reaches the ‘ELIMINATED’ state, Information event 8019 will be registered in the event log.
What happens under the hood?
When the DFS Replication service notices the migration directive that has been set in Active Directory instructing it to migrate to the global migration state ‘ELIMINATED’, it performs the following sequence of operations on each domain controller:
a) The migration local state is set to 7 (’ELIMINATING’).
b) The DFS Replication service now performs the following set of actions on every domain controller:
· The dependency between the NTDS service and the FRS service is now removed.
· If the FRS service is running on the domain controller, it is then stopped. It deletes the Active Directory configuration settings required for the FRS service to replicate the SYSVOL share between domain controllers. Thus, all global settings of the FRS service that pertain to the SYSVOL content set are deleted.
· The ‘SYSVOL’ folder which was being replicated by the FRS service is now deleted. Note that if you have Windows Explorer or the command shell open on the domain controller and if the current directory corresponds to the ‘SYSVOL’ folder location, the DFS Replication service will be unable to delete this folder owing to sharing violations.
· If the FRS service is replicating any other content sets (apart from SYSVOL) on the domain controller, it is then started up again.
c) The migration local state is set to 3 (’ELIMINATED’). From this point onwards, the SYSVOL share advertised by the domain controller is the one that is replicated using the DFS Replication service. The FRS service no longer replicates any copy of the ‘SYSVOL’ folder on the domain controller.
During this migration process, the local migration state on the domain controller will cycle through the intermediate state of ‘ELIMINATING’ (State 7). All domain controllers undergo this procedure until they reach the ‘ELIMINATED’ migration state.
Can this migration step be rolled back?
No! At this point, the use of FRS on the domain controller for SYSVOL replication purposes has been eliminated.
Monitoring things closely
SYSVOL migration is designed to automatically recognize the migration directive and take steps on each domain controller to comply with that directive. Therefore, for the most part, the ‘/getMigrationState’ command should be sufficient to monitor the progress of migration to the ‘ELIMINATED’ state.
However, it is also possible for an administrator to monitor the domain controller closely and ensure that the tasks performed by the DFS Replication service while migrating to the ‘ELIMINATED’ state have been completed successfully. There are also some troubleshooting steps that can be performed to speed up Active Directory replication and Active Directory poll induced delays in the migration process.
a) Verify the current local state on each domain controller. Navigate through the registry to the location ‘HKLM\System\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating SysVols’ and check to see the value of the registry key ‘LocalState’. Ensure this registry key is set to 3 once the domain controller has migrated to the ‘ELIMINATED’ state.
b) Ensure that SYSVOL share replication has indeed been redirected. In order to ensure that the DFS Replication service is replicating the SYSVOL share that is shared out on the domain, check to see the values of the ‘SysVol’ and ‘SysvolReady’ registry keys mentioned above. Ensure that the ‘SysVol’ registry key is pointing to the ‘SYSVOL_DFSR’ folder location. Once the migration to the ‘ELIMINATED’ state is complete, ensure that the old copy of the ‘SYSVOL’ folder that was being replicated by FRS is deleted.
c) Force Active Directory replication on a domain controller. In order to force Active Directory replication, issue the command ‘repadmin /syncall /AeD’ on the domain controller.
d) Force the DFS Replication service to poll Active Directory. In order to force an Active Directory poll, issue the command ‘dfsrdiag PollAd’ on the domain controller. To force an Active Directory poll on another domain controller issue the command ‘dfsrdiag PollAd /Member:DC_NAME’.
e) If you find that migration is taking a long time to reach the ‘ELIMINATED’ state on a particular domain controller, the following set of monitoring steps may be taken:
· Issue the ‘dfsrmig /getGlobalState’ command to find the global migration state and ensure that it is indeed set to ‘ELIMINATED’. If this command is issued on the domain controller that is taking a long time to migrate, the administrator can figure out whether Active Directory replication has completed replication of the migration directive to that domain controller.
· Check to see the local migration state. The local state could take any of the values below during this migration step:
· Local state 2 (‘REDIRECTED’ state)
· Local state 7 (intermediate ‘ELIMINATING’ state)
· Local state 3 (‘ELIMINATED’ state). This usually signifies that the domain controller has completed migration to the ‘ELIMINATED’ state.
· Note that there are valid reasons for delay. Ensure that you are cognizant of these and have given enough time for these latencies to ‘play out’.
– The migration directive relies on Active Directory replication to be ‘visible’ on each individual domain controller. Therefore, the speed with which each domain controller notices and acts upon the migration directive is dependent on Active Directory replication latencies.
– During this migration process, the DFS Replication service needs to delete the corresponding FRS settings in Active Directory. Since read-only domain controllers cannot modify objects in Active Directory they rely on the Primary Domain Controller doing so on their behalf. Therefore, it is not uncommon to find that a read-only domain controller takes a longer time at the intermediate local state 7 (‘ELIMINATING’), while it waits for the Primary Domain Controller to delete its FRS settings.
· Check to see the Eventlog for any events (Warning or Error) which the DFS Replication service logs during the SYSVOL migration process. These events will tell you more about what operations have completed and whether the service is stuck for any particular reason.
Now that we’ve completed migration of the domain to the ‘ELIMINATED’ state, it is time to take stock of things. In the ‘ELIMINATED’ state:
a) Only DFSR is replicating the SYSVOL share on the domain.
b) The SYSVOL share that is advertised by the domain controller corresponds to the ‘SYSVOL_DFSR’ folder that is replicated by the DFS Replication service. Therefore, the main replication engine on the domain in the ‘ELIMINATED’ state is DFSR.
c) New domain controllers that are promoted after reaching the ‘ELIMINATED’ state will default to using the DFS Replication service for replicating the contents of the SYSVOL share.
d) It is not possible to rollback from the ‘ELIMINATED’ state.
The author would like to thank Wakkas Rafiq, Jatin Shah, Christophe Robert on the DFS Replication Service product team for their help with these articles and indeed for building this feature in Windows Server 2008.
More articles on SYSVOL Migration Series:
1: SYSVOL Migration Series: Part 1 – Introduction to the SYSVOL migration process
2: SYSVOL Migration Series: Part 2 – Dfsrmig.exe: The SYSVOL migration tool
3: SYSVOL Migration Series: Part 3 – Migrating to the ‘PREPARED’ State
4: SYSVOL Migration Series: Part 4 – Migrating to the ‘REDIRECTED’ state