Knowledgebase: In-place Upgrading Domain Controllers to Windows Server 2019 while still using NTFRS breaks SYSVOL Replication and DSLocator


In a domain that is configured to use the File Replication Service, the SYSVOL folder is not shared after you in-place upgrade a Windows Server 2019-based Domain Controller from an earlier version of Windows. Until this directory is shared, Domain Controllers do not respond to DCLOCATOR requests for LDAP, Kerberos, and other Domain Controller workloads.

   

The situation

In a domain that uses the legacy File Replication Service (NTFRS) for the Active Directory System Volume (SYSVOL), you in-place upgrade a Domain Controller to Windows Server 2019.

    

The issue

When you try to migrate the domain to Distributed File System (DFS) Replication, the following issues occur:

  • All Windows Server 2019-based Domain Controllers in the domain stop sharing the SYSVOL folder and stop responding to DCLOCATOR requests.
  • All Windows Server 2019-based Domain Controllers in the domain have the following event log errors:
    • Event ID 8013 with source DFS Replication
    • Event ID 8028 with source DFS Replication
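
These symptoms can be checked on every Domain Controller in one pass. The PowerShell below is an added example, not part of the original article or the Microsoft KB; it assumes the ActiveDirectory RSAT module, remote CIM and event log access to each DC, and a seven-day event window chosen for illustration.

```powershell
# Added example: report missing SYSVOL/NETLOGON shares and DFSR events 8013/8028 per DC.
Import-Module ActiveDirectory

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $name = $dc.HostName

    # SYSVOL and NETLOGON are ordinary SMB shares, so Win32_Share lists them remotely.
    # An unreachable DC also yields an empty list here; confirm connectivity before
    # treating "not shared" as the upgrade issue.
    $shares = @(Get-CimInstance -ClassName Win32_Share -ComputerName $name -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -in 'SYSVOL', 'NETLOGON' } |
        Select-Object -ExpandProperty Name)

    # Event IDs 8013 and 8028 in the DFS Replication log (7-day window is an assumption).
    $events = @(Get-WinEvent -ComputerName $name -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'DFS Replication'
        Id        = 8013, 8028
        StartTime = (Get-Date).AddDays(-7)
    })

    [pscustomobject]@{
        DomainController = $name
        OperatingSystem  = $dc.OperatingSystem
        SysvolShared     = $shares -contains 'SYSVOL'
        NetlogonShared   = $shares -contains 'NETLOGON'
        Events8013_8028  = $events.Count
    }
}

$report | Sort-Object SysvolShared | Format-Table -AutoSize

# DCs matching the pattern in this article: Windows Server 2019 with SYSVOL not shared.
$report | Where-Object { $_.OperatingSystem -like '*2019*' -and -not $_.SysvolShared }
```

The same report can be re-run for the "Verify that SYSVOL is shared" steps in the workarounds further down.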

When you run dfsrmig.exe /GetMigrationState, this command generates the following output for all Windows Server 2019 Domain Controllers:

    The following domain controllers have not reached Global state (‘Prepared’):
    Domain Controller (Local Migration State) – DC Type
    ===================================================
    <Computer name> (‘Start’) – Writable DC
    Migration has not yet reached a consistent state on all domain controllers.
    State information might be stale due to Active Directory Domain Services latency.

    

The cause

The File Replication Service (FRS) was deprecated in Windows Server 2008 R2 and is included in later operating system releases for backwards compatibility only.

Starting in Windows Server 2019, promoting new Domain Controllers requires DFS Replication (DFSR) to replicate the contents of the SYSVOL share. If you try to promote a Windows Server 2019-based computer in a domain that is still using FRS for SYSVOL replication, the following error occurs:

Verification of prerequisites for Domain Controller promotion failed. The specified domain domain.tld is still using the File Replication Service (FRS) to replicate the SYSVOL share. FRS is deprecated. The server being promoted does not support FRS and cannot be promoted as a replica into the specified domain. You MUST migrate the specified domain to use DFS Replication using the DFSRMIG command before continuing. For more information, see https://go.microsoft.com/fwlink/?linkid=849270

However, in-place upgrading a Windows Server 2012 R2 or Windows Server 2016-based Domain Controller to Windows Server 2019 does not enforce this block.

When you then run dfsrmig.exe /SetGlobalState to migrate SYSVOL replication to DFSR, all upgraded Windows Server 2019 Domain Controllers are stuck in the Start phase and cannot complete the transition to the Prepared or later phases. Therefore, the SYSVOL and NETLOGON folders for the Domain Controllers are no longer shared, and the Domain Controllers stop responding to location questions from clients in the domain.

   

The solution

There are several workarounds for this issue, depending on which migration global state you specified earlier.

Issue occurs in the Preparing or Redirecting phase

  1. If you have already run dfsrmig.exe /SetGlobalState 1 or dfsrmig.exe /SetGlobalState 2 previously, run the following command as a Domain Admin:
             
    dfsrmig.exe /SetGlobalState 0
             
  2. Wait for Active Directory replication to propagate throughout the domain, and for the state of Windows Server 2019 Domain Controllers to revert to the Start phase.
  3. Verify that SYSVOL is shared on those Domain Controllers and that SYSVOL is replicating as usual again by using NTFRS.
  4. Make sure that at least one Windows Server 2008 R2, Windows Server 2012 R2, or Windows Server 2016-based Domain Controller exists in that domain. Verify all Active Directory partitions and the files in the SYSVOL are fully sourced from one or more source Domain Controllers and that they are replicating Active Directory as usual before you demote all of your Windows Server 2019 Domain Controllers in the next step. For more information, see Troubleshooting Active Directory Replication Problems.
  5. Demote all Windows Server 2019-based Domain Controllers to member servers. 
    This is a temporary step.
  6. Migrate SYSVOL to DFSR normally on the remaining Windows Server 2008 R2, Windows Server 2012 R2, and Windows Server 2016 Domain Controllers.
  7. Re-promote the Windows Server 2019-based member servers to Domain Controllers.
              

Issue occurs in the Eliminating phase

The FRS elimination phase cannot be rolled back by using dfsrmig.exe. If you have already specified FRS elimination, you can use either of the following workarounds.

Option 1

If you still have one or more Windows Server 2008 R2, Windows Server 2012 R2, or Windows Server 2016-based Domain Controllers in that domain, verify all Active Directory partitions and the files in the SYSVOL are fully sourced from one or more source Domain Controllers and that they are replicating Active Directory as usual before you demote all of your Windows Server 2019 Domain Controllers in the next step. For more information, see Troubleshooting Active Directory Replication Problems.

  1. Demote all Windows Server 2019-based Domain Controllers. 
    This is a temporary step.
  2. Migrate SYSVOL to DFSR as usual on the remaining Windows Server 2008 R2, Windows Server 2012 R2, and Windows Server 2016 Domain Controllers.
  3. Re-promote the Windows Server 2019-based member servers to Domain Controllers.

Option 2

If all Domain Controllers in the domain are running Windows Server 2019, perform these steps:

  1. Open AdsiEdit (AdsiEdit.msc)
  2. In the AdsiEdit tool, change the following distinguished name value and attribute on the PDC Emulator:
              
    CN=DFSR-GlobalSettings,CN=System,DC=domain,DC=tld
    msDFSR-Flags = 0

            
  3. Wait for Active Directory replication to propagate throughout the domain.
  4. On all Windows Server 2019 DCs, change the DWORD type registry value Local State to 0:

    Registry Setting: Local State
    Registry Path:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating SysVols
    Registry Value: 0
    Data Type: REG_DWORD
               

  5. On all Windows Server 2019 Domain Controllers, restart the following services by running the following lines of Windows PowerShell:

    Restart-Service NetLogon
    Restart-Service DFSR

  6. Verify that SYSVOL is shared on those Domain Controllers and that SYSVOL is replicating as usual again by using FRS.
  7. Promote one or more Windows Server 2008 R2, Windows Server 2012 R2, or Windows Server 2016-based Domain Controllers in that domain. Verify all Active Directory partitions and the files in the SYSVOL are fully sourced from one or more source Domain Controllers and that they are replicating Active Directory as usual before you demote all of your Windows Server 2019 Domain Controllers in the next step. For more information, see Troubleshooting Active Directory Replication Problems.
  8. Demote all Windows Server 2019-based Domain Controllers to member servers.
    This is a temporary step.
  9. Migrate SYSVOL to DFSR as usual on the remaining Windows Server 2008 R2, Windows Server 2012 R2, and Windows Server 2016-based Domain Controllers.
  10. Re-promote the Windows Server 2019-based member servers to Domain Controllers.
  11. Optional: Demote the Windows Server 2008 R2, Windows Server 2012 R2, or Windows Server 2016-based Domain Controllers that you added in step 7.
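
Steps 2 through 6 of Option 2 can be scripted instead of using AdsiEdit and the registry editor. The PowerShell below is an added example, not part of the original article or the Microsoft KB; it assumes the ActiveDirectory RSAT module, Domain Admin rights, and PowerShell remoting to each Windows Server 2019 DC, and it builds the distinguished name from the current domain rather than the DC=domain,DC=tld placeholder.

```powershell
# Added example: Option 2, steps 2 to 6, with a per-DC replication check before step 4.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dn     = "CN=DFSR-GlobalSettings,CN=System,$($domain.DistinguishedName)"

# Step 2: set msDFSR-Flags to 0 on the PDC Emulator.
Set-ADObject -Identity $dn -Server $domain.PDCEmulator -Replace @{ 'msDFSR-Flags' = 0 }

# Steps 3 to 6 for each Windows Server 2019 DC. Re-run until no DC reports a warning.
$dcs = Get-ADDomainController -Filter * | Where-Object { $_.OperatingSystem -like '*2019*' }
foreach ($dc in $dcs) {
    # Step 3: read this DC's own copy of the object to confirm the change has replicated.
    $flags = (Get-ADObject -Identity $dn -Server $dc.HostName -Properties 'msDFSR-Flags').'msDFSR-Flags'
    if ($flags -ne 0) {
        Write-Warning "$($dc.HostName): msDFSR-Flags is not 0 yet, waiting for replication"
        continue
    }

    Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        # Step 4: set the REG_DWORD value 'Local State' to 0.
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating SysVols'
        Set-ItemProperty -Path $key -Name 'Local State' -Value 0 -Type DWord

        # Step 5: restart the services named in the article.
        Restart-Service NetLogon
        Restart-Service DFSR

        # Step 6: list the SYSVOL and NETLOGON shares; a missing row means not shared.
        Get-SmbShare | Where-Object { $_.Name -in 'SYSVOL', 'NETLOGON' } |
            Select-Object Name, Path
    }
}
```

The shares may take a short while to reappear after the service restarts, so repeat the step 6 check before moving on to step 7.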

     

Concluding

NTFRS is an old technology, but many organizations still seem to cling to it. It’s not hard to migrate, but it just needs to be done. We’ve been putting this task on the agendas of Active Directory admins for a while now, but regret seeing that this slight code defect means admins who haven’t performed this action yet may now start experiencing trouble.

Troubleshooting NTFRS without burflags? Wow.

Further reading

4493934 SYSVOL DFSR Migration fails after you in-place upgrade a Domain Controller to Windows Server 2019 
SYSVOL Replication Migration Guide: FRS to DFS Replication
SYSVOL Replication Migration Guide: FRS to DFS Replication (downloadable)
Streamlined Migration of FRS to DFSR SYSVOL

One Response to Knowledgebase: In-place Upgrading Domain Controllers to Windows Server 2019 while still using NTFRS breaks SYSVOL Replication and DSLocator

  1.  

    only way out is to install a 2016 dc since forest is too new for 08 and 12
