Category Archives: Active Directory

Migrating from NTFRS to DFSR replication of Sysvol

DFSR replication of sysvol is much more reliable, and NTFRS is being deprecated after Windows Server 2016.

This is how to migrate to DFSR. The information here is gleaned from:

https://blogs.technet.microsoft.com/filecab/2014/06/25/streamlined-migration-of-frs-to-dfsr-sysvol/

and the long version:

https://technet.microsoft.com/en-us/library/dd640019%28v=WS.10%29.aspx?f=255&MSPPError=-2147217396

Check the forest functional level using domain.msc and raise it if it is below 2008.

Force a replication with:

Repadmin /syncall /force /APed

This is optional, but it will speed things up, and you can use this replication to check for errors.

Check the event log for errors, especially the File Replication Service logs.

Repadmin /replsummary

Check that replication is working.

Dcdiag /e /test:sysvolcheck /test:advertising

Fix any errors.

Next, the migration:

dfsrmig /setglobalstate 1

Run

dfsrmig /getmigrationstate

Do not proceed further until it tells you that “All domain controllers have migrated successfully to the Global state.”

dfsrmig /setglobalstate 2

Again check it with

dfsrmig /getmigrationstate

And make sure all DCs have migrated.

Finally

dfsrmig /setglobalstate 3

And it is finished when

dfsrmig /getmigrationstate

tells you that all DCs have migrated successfully.

You can apparently go straight to state 3, but it doesn’t take long to go the full route, so it is better to take a little time.
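The procedure above as a single gated script: an added example, not code from the original post or from Microsoft. It assumes it is run elevated on a domain controller, that the tools produce English output worded like the message quoted above, and that the state names are Prepared, Redirected and Eliminated; `$PollSeconds`, `$MaxPolls` and `Wait-DfsrMigrationState` are illustrative names.

```powershell
# Added example (not from the original post). Run elevated on a domain controller.
# Assumptions: English-language tool output; message wording as quoted in the post;
# $PollSeconds and $MaxPolls are illustrative values.
param(
    [int]$PollSeconds = 60,
    [int]$MaxPolls    = 120
)
$ErrorActionPreference = 'Stop'

# Names dfsrmig uses for global states 1-3.
$StateNames = @{ 1 = 'Prepared'; 2 = 'Redirected'; 3 = 'Eliminated' }

function Wait-DfsrMigrationState {
    param([int]$State)
    $name = $StateNames[$State]
    for ($i = 1; $i -le $MaxPolls; $i++) {
        $output = & dfsrmig.exe /getmigrationstate | Out-String
        # Proceed only when every DC reports the state we just set.
        if ($output -match "migrated successfully to (the )?Global state.*$name") {
            Write-Host "All DCs reached state $State ($name)."
            return
        }
        Write-Host "Waiting for state $State ($name), poll $i of $MaxPolls"
        Start-Sleep -Seconds $PollSeconds
    }
    # Fail closed: never move to the next state on a timeout.
    throw "Timed out waiting for state $State ($name). Last output:`n$output"
}

# Pre-flight: stop before changing anything if SYSVOL or advertising checks fail.
$diag = & dcdiag.exe /e /test:sysvolcheck /test:advertising
if ($diag -match 'failed test') {
    $diag | Write-Host
    throw 'dcdiag reported failures; fix them before migrating.'
}

foreach ($state in 1, 2, 3) {
    & dfsrmig.exe /setglobalstate $state
    if ($LASTEXITCODE -ne 0) { throw "dfsrmig /setglobalstate $state failed." }
    Wait-DfsrMigrationState -State $state
}
```

If the wait times out, the script stops at the current state, so the cause can be investigated in the event logs before any further change is made.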

 

Moving FSMO Roles with PowerShell

Another article about a command whose syntax I can never remember when I need it.

The information here is from: https://social.technet.microsoft.com/wiki/contents/articles/6736.move-transfering-or-seizing-fsmo-roles-with-ad-powershell-command-to-another-domain-controller.aspx

To transfer all roles use:

Move-ADDirectoryServerOperationMasterRole -Identity "Target-DC" -OperationMasterRole SchemaMaster,RIDMaster,InfrastructureMaster,DomainNamingMaster,PDCEmulator

To seize the roles append -Force.

You can also substitute numbers for the role names, making a more manageable command (this one includes -Force, so it seizes):

Move-ADDirectoryServerOperationMasterRole -Identity "Target-DC" -OperationMasterRole 0,1,2,3,4 -Force

Much easier than trying to remember which bit of the GUI does which role.

Older servers use ntdsutil.exe:

https://support.microsoft.com/en-gb/help/255504/using-ntdsutil.exe-to-transfer-or-seize-fsmo-roles-to-a-domain-controller