qUICKLY Explained: Migrate Your SYSVOL Replication from FRS to DFSR

Hello there, long time since I updated my blog, you can blame all my customers that have been asking for Upgrade and all the things related to it, hehe, no please don’t. Today, I’d like to quickly explain a proper step by step process to migrate your domain SYSVOL from File Replication Service (FRS) to Distributed File System Replication (DFSR). To learn about the benefits and advantages of using DFSR, please see https://technet.microsoft.com/en-us/library/cc794837(WS.10).aspx

There are different stages of SYSVOL migration and each stage has a purpose, the whole idea behind these stages is to create a roadmap where you can decide to move forward or to return back to FRS if something unforeseeable happens. We all know how important SYSVOL is, that is, it contains your entire domain Policies (GPTs) as well as Scripts. Not going into detail of SYSVOL, let’s just look at these stages, also called Stable States, and look at what happens at each state. Remember the last stage is where you cannot reverse from.

There are 4 Stable States of SYSVOL migration to DFSR, though there are total of 9 but we will focus on these Stable States and understand each one separately. I will list the commands as well as the process that happens when you run these commands. We will also see how to check if domain controllers have successfully arrived at a particular state. Also, we will look at Active Directory objects i.e. changes in Active Directory, some DFS parameters, as well as file system changes related to SYSVOL. The 4 Stable States are (drum roll please)….

  1. State 0: Start
  2. State 1: Prepared
  3. State 2: Redirected
  4. State 3: Eliminated

Commands we will use are:

  1. DFSRMIG.EXE (tool to migrate my domain SYSVOL to DFSR)
  2. Repadmin (look at object/attribute changes as well as synchronizing these changes to all domain controllers in my domain)
  3. DFSRDIAG (tool to poll these changes from Active Directory, otherswise by default DFS changes are polled once an hour – and this being qUICKLY blog, you get the idea)

So, first, what are the requirements before we take our first step to this beautiful replication engine, well, the requirements are:

  1. Your Active Directory must be in a healthy state i.e. no issues regarding Active Directory replication between all domain controllers
  2. Your SYSVOL must be healthy as well i.e. no Journal Wraps on any domain controllers and healthy replication of SYSVOL
  3. Your Domain Functional Level (DFL) must be set to Windows Server 2008 or higher i.e. no Windows Server 2003 or older domain controllers
  4. It is preferred to do the migration on PDC Emulator as it is the authority on SYSVOL, though any domain controller in your domain could be used which will attempt to contact PDCe every time and replication will take care of all the steps.
  5. Each domain in your environment would need the same steps to migrate to DFSR. SYSVOL is domain based and hence all the above requirements apply to each domain that you plan to migrate to DFSR

Right then, let’s look at the 4 Stable States in a bit more detail, quickly:

State 0: START

  • The value of CN=msDFSR-Flags,CN=DFSR-GlobalSettings,CN=SYSTEM,DC=DomainName is 0
  • Instruct all domain controllers to create necessary DFSR objects, in registry, in Active Directory under SYSTEM container

State 1: PREPARED

  • Set the value of CN= msDFSR-Flags,CN=DFSR-GlobalSettings,CN=SYSTEM,DC=DomainName to 16
  • Instruct all domain controllers to copy the current SYSVOL location to another folder called SYSVOL_DFSR in the same parent folder

State 2: REDIRECTED

  • Set the value of CN= msDFSR-Flags,CN=DFSR-GlobalSettings,CN=SYSTEM,DC=DomainName to 32
  • Instruct all domain controllers to change the share SYSVOL to point to this new folder SYSVOL_DFSR. Take another copy of SYSVOL before sharing this folder (just in case, there was a modification in SYSVOL between Step 1 and Step 2)

State 3: ELIMINATED (irreversible step aka no going back)

  • Set the value of CN= msDFSR-Flags,CN=DFSR-GlobalSettings,CN=SYSTEM,DC=DomainName to 48
  • Instruct all domain controllers to delete SYSVOL folder, stop FRS service and use DFSR to replicate the share SYSVOL which is now pointing to SYSVOL_DFSR.

As I mentioned above in State 3 that it is irreversible meaning no going back, however if you were at State 2, you could initiate command to State 1 or State 0 and the appropriate steps would be taken by every domain controller to undo what was done as part of this migration process.

Before I can say ‘we are done’, let me share some more details and the commands for each step, as well as how to speed things up (not necessarily recommended, but if you know what you are doing, then you create your own recommendations J), why you ask, well since we are making changes to DFSR in the database, the content is polled once an hour by the service but we can manually poll these updates from AD. For migration of your SYSVOL replication to DFSR, below is all you need !!!

Requirements:

First, let’s make sure our DFL is atleast Windows Server 2008.

  1. Open DSA.MSC and check it manually by right clicking on the Active Directory Users and Computers and selecting Raise Domain Functional Level
  2. Invoke Active Directory Module for Windows PowerShell as an administrator, and run Get-ADDomain, check the Domain Mode

Now, we can migrate (assuming AD and SYSVOL replication is healthy already). My environment is a single domain forest called Contoso.com with two domain controllers ContosoDC1 and ContosoDC2.

State 0: START

1.       Open a Command Prompt as an Administrator and type the command ‘dfsrmig /CreateGlobalObjects’

            

2.       Notice the creation of DFSR-GlobalSettings container in System container

3.       We can now poll AD for the changes we just made on both ContosoDC1 and ContosoDC2

4.       Check the migration state of all domain controllers by ‘dfsrmig /GetMigrationState’

 

State 1: PREPARED

5.       Moving to the next state, by typing ‘dfsrmig /SetGlobalState 1’

6.       To speed things up, we can replicate just the object where these changes are being made by using the command ‘repadmin /replsingleobj * contosodc1 “CN=DFSR-GlobalSettings,CN=System,DC=Contoso,DC=Com”

7.       Let’s verify the value for msDFSR-Flags, 16 is Prepared

8.       We can again, poll AD for the changes we just made on both ContosoDC1 and ContosoDC2

9.       Let’s replicate inbound from our domain controller ContosoDC1

10.   Check the migration state of all domain controllers by ‘dfsrmig /GetMigrationState’

11.   Notice the copy of SYSVOL folder into SYSVOL_DFSR in C:\Windows or wherever the SYSVOL is placed.

12.   Check that the current shared folder still points to C:\Windows\SYSVOL\Sysvol

State 2: REDIRECTED

13.   Move to Redirected state by typing ‘dfsrmig /SetGlobalState 2’

14.   This time the share SYSVOL is pointing to the copied one i.e. C:\Windows\SYSVOL_DFSR\Sysvol

  

State 3: ELIMINATED (irreversible step aka no going back)

15.   Finally, we can get to Eliminated state by typing ‘dfsrmig /SetGlobalState 3’. Notice the message.

16.   Note that the previous SYSVOL is deleted.

Welcome to wonderful world of DFSR J