Win Server 2008 Directory Services, SYSVOL DFS Replication Page 2

The 9 DFS-R States

• START (stable state 0) designates the initial point of the migration. At this stage, it is critical to make sure that both Active Directory and FRS-based SYSVOL replication function properly. To test the former, use the RepAdmin command line utility (with /showrepl /all or /replsum switches). To verify status of the latter, take advantage of such utilities as FRSDiag, Sonar, or Ultrasound, which is available from the Microsoft Download Center. Make sure that the DFS Replication service is running and configured with Automatic startup on each domain controller. Confirm that the domain operates on the Windows Server 2008 functional level (which implies that all domain controllers are running Windows Server 2008). Verify that all domain controllers function properly and are accessible, paying particular attention to the PDC Emulator (as a matter of fact, you might want to consider running the migration directly from its console). Avoid adding new domain controllers or introducing changes to SYSVOL for the duration of the migration. If you decide to install a Read Only Domain Controller after the domain reaches the PREPARED state, you will need to manually create its DFS-R specific Active Directory settings by executing DFSRMig /CreateGlobalObjects command.
  

  Read More About Windows Server 2008

  Finally, make sure that every volume containing SYSVOL folder on each domain controller has a sufficient amount of disk space (at a minimum, it should be capable of holding its copy). Once you have confirmed that all prerequistes are satisfied, enter the PREPARING transitional state by executing DFSRMig /SetGlobalState 1 command while logged on with an account that is a member of the Domain Admin (or Enterprise Admin) group. Note that although it is possible to perform the migration by specifying the final value of 3, representing the ELIMINATED state, such approach is not recommended since it does not provide rollback capabilities).

• PREPARING (transitional state 4) starts with creation of the DFS-R Global Settings object CN=DFSR-GlobalSettings (and its child objects) under the System container of the default naming context in Active Directory (the change takes place on the PDC Emulator and propagates afterwards via standard AD replication to other domain controllers). Its msDFSR-Flags attribute is used throughout the migration to serve as an indication of the current global status (its value is derived from the msDFSR-Flags attribute of the CN=dfsr-LocalSettings child object of each domain controller computer account (which also gets created when the PREPARING state starts and is updated throughout the migration to reflect status of individual domain controllers). Other settings (under CN=DFSR-GlobalSettings) are used to designate replication content and topology of SYSVOL_DFSR among all domain controllers. Note that PDC Emulator is also responsible for all necessary objects specific to all Read Only Domain Controllers residing in the same the domain (since such changes can not be applied directly to Active Directory database hosted on each RODC). DFS-R service also creates SYSVOL_DFSR folder on the same volume as the SYSVOL and duplicates the content (leveraging robocopy utility) of its domain subfolder (including permissions and junction points). This is intended to minimize time and bandwidth required to complete initial DFS-R based replication with other domain controllers (which takes place in the REDIRECTING state). The current state of migration gets registered using the Local State entry of REG_DWORD datatype under HKLMSystemCurrentControlSetServicesDFSRParametersSysVolsMigrating SysVols registry key.
• WAITING FOR INITIAL SYNC (transitional state 5) follows automatically the PREPARING state. It is designed to complete configuration of the SYSVOL_DFSR, including its synchronization with another writable domain controller and setup of the corresponding Jet database. Effectively, once this step successfully completes, there are two separate replication mechanisms, with the FRS handling the original SYSVOL and DFS-R synchronizing its SYSVOL_DFSR-based duplicate. During its execution, the value of Local State registry entry on each domain controller changes from 4 to 5.
• PREPARED (stable state 1) is characterized by existence of two independently replicated instances of SYSVOL, with FRS as the primary replication engine, handling the content available via the SYSVOL share and DFS-R managing its non-shared duplicate residing in the SYSVOL_DFSR folder. In order to confirm whether this stage has been reached (which coincides with the event id 8014 registered in the local DFS Replication Event Log), examine output of the DFSRMig /GetMigrationState command, which queries migration state information from all domain controllers and displays the outcome, identifying any that have not reached the migration state set on the PDC Emulator. Remember that such discrepancies should be remediated before you proceed further. Note also that it is possible to manually expedite migration process. This can be done by forcing AD replication (to propagate changes to the global msDFSR-Flags attribute) with repadmin utility (by leveraging its replicate or SyncAll switches). It is also possible to force DFS Replication service to discover the newly applied global migration settings by executing DFSRDiag PollAD with Member attribute pointing to the PDC Emulator. Once you confirm that the PREPARED state is consistent across the domain, you are ready to proceed to the next step by launching the DFSRMig /SetGlobalState 2 command.
• REDIRECTING (transitional state 6) starts by synchronizing content of the SYSVOL and its DFS-R equivalent SYSVOL_DFSR on the PDC Emulator (which subsequently replicates to other domain controllers). This is done to account for any changes that might have taken place (typically introduced via Group Policy modifications) since the PREPARED state has been reached. Next, the SysvolReady entry under HKLMSystemCurrentControlSetServicesNetlogonParameters registry key is set to 0 (translating into boolean FALSE), which effectively prevents the SYSVOL from being shared. This action is followed by changing the value of SYSVOL share Path parameter to SYSVOL_DFSRsysvol. Finally, SysvolReady gets set back to 1 (corresponding to the boolean TRUE), which reinstates the SYSVOL share (but associated with the new file system location). In addition, the Active Directory Domain Services service is added to the list of dependencies of the DSF Replication service (along with the File Replication service).
• REDIRECTED (stable state 2) is somewhat similar to PREPARED, since both SYSVOL replication mechanisms are still active, with DFS-R handling replication of the SYSVOL_DFSR folder and FRS being responsible for SYSVOL. However, the SYSVOL share no longer points to the legacy location but instead provides access to the SYSVOL_DFSRsysvol folder. As the implication of this arrangement, any direct changes to the original SYSVOL folder should be avoided, since they will be lost once you perform remaining migration steps (note, however, that this concern does not apply to modifications applied via Group Policy Management Console, which properly points to the new shared location). As before, you can confirm the status of transition by reviewing output generated by the DFSRMig /GetMigrationState command (successful outcome is also be reflected by an event ID 8017 recorded in the DFS Replication event log on each of domain controllers and the value of Local State registry entry referenced by us earlier). For more in-depth troubleshooting, use DFSRMig_xxx.Log.gz files residing in the Debug subfolder under Windows folder (where xxx is sequentially assigned integer value). This verification is critical, since the next step is non-reversible (the only way to return your domain from the ELIMINATED to START state is the full domain restore). Once you are ready, execute the DFSRMig /SetGlobalState 3 command.
• ELIMINATING (transitional state 7) eliminates dependency of the Active Directory Domain Services service on the File Replication Service, stops it temporarily and removes all Active Directory-resident settings pertinent to its SYSVOL replication characteristics. These changes are relayed to other domain controllers via standard AD replication. It also deletes content of the SYSVOL folder. Once these changes are completed, the FRS service is restarted again to accommodate scenarios where other content is replicated using this mechanism.
• ELIMINATED (stable state 3) constitutes the final state of migration. As before, its status can be verified by running the DFSRMig /GetMigrationState command or checking the value of Local State registry entry on individual domain controllers (as well as the presence of the event 8019 in the DFS Replication event log). In addition, the SysVol registry entry (under HKLMSystemCurrentControlSetServicesNetlogonParameters key) should point out the SYSVOL_DFSR folder (and the value of SysvolReady entry in the same location should be set to 1).
• UNDO REDIRECTING (transitional state 8) facilitates reverting from the REDIRECTED to PREPARED state. To invoke it, execute DFSRMig /SetGlobalState 1. As part of the transition, the SYSVOL_DFSR folder is first synchronized with its SYSVOL counterpart (leveraging robocopy utility) to account for any changes to its content that might have taken place while in REDIRECTED state (typically introduced via Group Policy modifications). This synchronization takes place on the PDC Emulator and is subsequently replicated via FRS-driven replication.
• UNDO PREPARING (transitional state 9) permits you to return to the START state from PREPARED state (with FRS mechanism handling SYSVOL replication and the SYSVOL_DFSR folder removed). To invoke it, use DFSRMig /SetGlobalState 0 command. Note that, similarly to the PREPARING transitional state, PDC Emulator will be responsible for deleting all DFS-R Active Directory objects specific to Read Only Domain Controllers.

This concludes our overview of characteristics of DFS-R SYSVOL replication available in Windows Server 2008 functional level domains and an outline of the steps involved in transitioning to it from FRS mechanism employed in earlier implementations of Active Directory. Our next article will focus on new Group Policy features.