Many networks are still running Windows Server 2003 or 2008 machines as Microsoft Active Directory (AD) domain controllers (DCs). Windows Server 2003 systems used FRS for replicating the SYSVOL folder between DCs. Only later did Microsoft change from FRS to DFSR with Windows Server 2008. But many admins just kept using FRS because at that time there was no real pressure to rush and change to DFSR.
With newer releases of Windows Server, such as 2016 or 2019, the possibility of using FRS for replicating SYSVOL between DCs disappeared. In fact, if you try to add a Windows Server 2016 or 2019 system as an additional DC, you'll get an error message saying that the specified domain is still using FRS to replicate the SYSVOL share. You can't do that.
I assume you have a mixed environment of legacy Windows Server 2003, 2003 R2, and 2008/2008 R2 servers, and you want to migrate them to Server 2019 (or 2016).
FRS to DFSR migration checklist
Windows Server 2003 or 2003 R2: You must set the domain and forest function level to Windows Server 2008 or later, so if you're still running some legacy Windows Server 2003 or 2003 R2 systems, you should decommission those first.
dcpromo: You should execute the dcpromo command on Windows Server 2003 from a command prompt window with elevated privileges of a domain admin account.
Raise the domain functional level: Run the domain.msc snap-in.
Then right-click on Active Directory Domains and Trusts and select Raise Forest Functional Level.
Move Flexible Single-Master Operations (FSMO) roles to the 2008 Server DC: You might already have done this when adding additional DCs, but make sure this is the case. You should also make sure you've transferred all FSMO roles to one of your Windows Server 2008 or 2008 R2 systems; otherwise, you'll receive prompts to do so, and you won't be able to decommission your old 2003 servers.
dfsrmig: One of the first tools you should be familiar with is the dfsrmig command. It calls the dfsrmig.exe utility, and you can find all syntax and parameters on Microsoft's website here.
The dfsrmig command migrates SYSVOL replication from FRS to DFSR. But dfsrmig can also give you an overview of your architecture's overall state before you actually start migrating.
To verify your DCs are using FRS and not DFSR, you can use this command:
Note that you must be logged in as Domain Admin or Enterprise Admin.
You should run another command, which is:
This command verifies that no other admins before you have tried to run the migration. You might be in a situation where you join a company after the previous admins left, and you have no idea what they did, so you need to run this to clear any doubts.
If you want to avoid using the command line while discovering your environment, Microsoft released a tool called FRSDiag, and you can download it here. The latest 1.7 release of this tool came out at the end of October 2019.
FRSDiag helps to get snapshot information about the service, do some automated tests, and show an overview of possible errors that may exist in the environment.
Make sure AD replication works: Another tool from Microsoft is the Active Directory Replication Status Tool. You can download it from Microsoft here. After the installation, you can scan your domain for errors. If you see any errors, you can fix them and continue. You should not attempt migration if you have any errors.
Up-to-date systems only: You should make sure you've installed all updates and security fixes—highly recommended.
Make sure replication for all of your DCs is in good shape and in a healthy state. You can open a command prompt as Administrator and run this command:
dcdiag /e /c /q
It gives you a summary of potential errors on your directory configuration for the entire environment.
Another command can tell you whether SYSVOL is advertised among all DCs without any problems:
dcdiag /e /test:sysvolcheck /test:advertising
If you have errors or the sync has not completed for any reason, you should initiate a full sync and wait. You'll force the replication to run immediately instead of waiting for your DC scheduler's next run.
Run this command:
repadmin /syncall /AdeP
Is the service running: One issue you might have is quite simple to fix. You should check whether you have the DFSR service running. Go to Server Manager > Configuration > Services and check that the DFSR service is started. Check all of your DCs!
If you can, create a system state backup on all of your DCs. You can use third-party software or the built-in Microsoft backup tool.
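The read-only checks from this checklist, collected into one PowerShell pre-flight script (an added example, not part of the original article). It assumes Windows PowerShell 5.1 run elevated as a Domain Admin on a DC, English-language dcdiag output, and dfsrmig's /GetGlobalState and /GetMigrationState queries; the variable names are illustrative.

```powershell
# Added example: read-only pre-migration checks. Run elevated on a DC as Domain Admin.
# Assumptions: Windows PowerShell 5.1, English dcdiag output, dcdiag/dfsrmig on PATH.
$failures = New-Object System.Collections.Generic.List[string]

# 1. The DFSR service must be running on every DC in the current domain.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
foreach ($dc in $domain.DomainControllers) {
    try {
        # -ComputerName exists in Windows PowerShell 5.1 (removed in PowerShell 7).
        $svc = Get-Service -Name DFSR -ComputerName $dc.Name -ErrorAction Stop
        if ($svc.Status -ne 'Running') {
            $failures.Add("DFSR service is $($svc.Status) on $($dc.Name)")
        }
    } catch {
        $failures.Add("Cannot query DFSR service on $($dc.Name): $($_.Exception.Message)")
    }
}

# 2. dcdiag /q prints errors only, so any output means something needs fixing.
$quiet = @(dcdiag /e /c /q) | Where-Object { $_ -and $_.Trim() }
if ($quiet) {
    $failures.Add("dcdiag /e /c /q reported $(@($quiet).Count) line(s) of errors")
    $quiet | ForEach-Object { Write-Warning $_ }
}

# 3. SYSVOL must be shared and advertised by every DC.
$sysvol = @(dcdiag /e /test:sysvolcheck /test:advertising)
$sysvol | Where-Object { $_ -match 'failed test' } | ForEach-Object {
    $failures.Add("dcdiag: $($_.Trim(' .'))")
}

# 4. Show the current migration state for review; these two queries change nothing.
Write-Output '--- dfsrmig /GetGlobalState ---'
dfsrmig /GetGlobalState
Write-Output '--- dfsrmig /GetMigrationState ---'
dfsrmig /GetMigrationState

# Verdict: stop here if anything failed, as the checklist advises.
if ($failures.Count -gt 0) {
    Write-Warning "Do not start the migration; $($failures.Count) check(s) failed:"
    $failures | ForEach-Object { Write-Warning "  $_" }
    exit 1
}
Write-Output 'All checks passed. Take a system state backup of every DC before migrating.'
```

Save it as a .ps1 file rather than pasting it into a console, because the final `exit 1` ends the calling session when run interactively.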
Final words
Make sure you don't see any errors to avoid troubleshooting afterward. You should attempt to migrate without diagnostics only if you're absolutely sure your AD environment is 100% healthy and has no issues.