Always Upgrading Blog

A blog (mostly) about Enterprise IT upgrades.

Ad Replication - FRS to DFSR Migration

Migration Complete

I’m sure with Microsoft announcing the End of Life of Server 2008R2 on January 14th 2020 many people are looking around and still seeing it all over the enterprise. You may still be running domain controllers on 2008R2 which are using FRS for AD replication and are looking to move these to 2019 or similar and finding that it’s unsupported until you’ve migrated your AD replication from FRS to DFSR.

If this is your situation, this guide should help you get them migrated over to DFSR. The method below provides for some rollback options if required, please see the full migration guide from Microsoft for more information. I’d recommend at least scanning through this document before you proceed with the steps below.

Existing domain functional level

To migrate to DFSR replication, all of your existing domain controllers must be running at least Windows Server 2008 and your domain functional level must be at least Windows Server 2008. If you haven’t done this yet, you must before you start the migration.

Check your existing Active Directory replication health

Before you begin attempting to migrate replication to DFSR, you’re going to want to make sure your existing FRS replication is healthy. Make sure you have no tombstoned domain controllers or domain controllers that are having replication issues with the existing FRS setup. This will save you a lot of headaches along the way.

Microsoft’s AD Replication Status Tool is your friend here. You want to see a nice empty white box when you click the Errors Only button (shown below). If you do see any errors you need to fix all of these or perform a metadata cleanup for domain controllers that no longer exist before starting your migration.

Replication Status

You’ll also need to ensure that SYSVOL is correctly shared on your existing domain controllers, this can be done using the following command:

dcdiag /e /test:sysvolcheck /test:advertising

dcdiag 1 dcdiag 2

Since the migration process is going to copy your existing SYSVOL folder (e.g. C:\Windows\SYSVOL will be copied to C:\Windows\SYSVOL_DFSR) to allow side by side replication until you’re ready to shut off FRS, you’re going to need to ensure that you have enough free space. So if your existing SYSVOL folder is 800MB, ensure you have at least 800MB free on the same drive of each domain controller.

Beginning the migration to DFSR

Now that everything should be in good shape, you’re going to start the migration process. You’ll want to run the commands from the domain controller which holds the PDC Emulator role for your domain. You can find this by running detdom query fsmo on any computer with the AD management tools installed.

Netdom Query FSMO

On the domain controller with the PDC Emulator roll, open an elevated cmd prompt and run the command dfsrmig /setglobalstate 1. This is going to migrate you to the Prepared State. At this stage, your SYSVOL folder will be cloned on all domain controllers (to SYSVOL_DFSR) and both FRS and DFSR will replicate their respective copies, though the original FRS folder will still be shared as SYSVOL on each domain controller. You can monitor the progress of each of your domain controllers by running the command dfsrmig /getmigrationstate. Depending on replication times, you’ll start to see each of the domain controllers move to the Prepared State (each will disappear from the list as they do).

Global State 1-1 Global State 1-2 Global State 1-3

Once all domain controllers have migrated successfully to the Prepared State, your output will look like below:

All servers prepared

You’re now ready to move to the Redirected State with the following command dfsrmig /setglobalstate 2. This is going to stop sharing the original FRS SYSVOL folder and start sharing the new DFSR SYSVOL_DFSR folder (as SYSVOL). At this point, DFSR is handling your AD replication between the domain controllers (FRS will still replicate in the background to allow rollback).

Global State 2-1

Once all domain controllers reach the Redirected State (as shown below), you should start testing things. Make some changes in AD and ensure they’re reflected on a number of other domain controllers. Now would also be a good time to use the AD Replication Status Tool again to check for any issues.

All servers redirected

If you are happy that all of your domain controllers are replicating without issues, you can now move to the Eliminated State with the following command dfsrmig /setglobalstate 3. This is going to delete the original FRS SYSVOL folder and remove FRS from all domain controllers.

Global State 3-1 Global State 3-2 All servers eliminated

At this point, your migration from FRS to DFSR AD replication is now complete!