FRS-to-DFSr migration when sysvol/netlogon are not shared or replicated

MistreJ 1 Reputation point
2022-09-27T16:24:39.267+00:00

I have a unique situation (to me) with which I could use some assistance.

I have a server environment with 4 domain controllers, general details below:
DC01 = 2008 R2
DC02 = 2012
DC03 = 2016 Std.
DC04 = 2016 Std.

I am trying to add some new 2019 domain controllers but cannot due to the FRS warning during DCPROMO.
The older DCs will be decommissioned and removed after the new ones are in place, and the domain functional level will be raised.

Relevant information:

  • DC02 is the primary FSMO holder and where the source SYSVOL and NETLOGON shares reside. SysvolReady parameter is set to (1).
  • Domain is at 2008 R2 functional level.
  • Replication is being done by FRS.
  • All other domain controllers (DC01, DC03, DC04) do not have SYSVOL or NETLOGON shares present at all. SysvolReady parameter is set to (0). <------I suspect this is the issue but wanted to confirm.

Work Done so far:
I have run replication tests which return no errors, but are only showing results for the DC I run it on.
I also ran the FRSDIAG tool and the primary DC passes, but states it cannot communicate with the other DCs.
I have confirmed all 4 DCs can see each other on the domain and there are no issues in ADUC or Sites and Services or Domains and Trusts.
I have confirmed the SysvolReady registry values on each server located at 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' are in varied states (see above).

My question is, in the current state, would it still be OK and relatively trouble-free to convert the domain to DFSR?
Would that, in turn, help to create and sync the SYSVOL and NETLOGON shares across all DCs once converted?
Should I be changing the SysvolReady registry entries and validating SYSVOL and NETLOGON are visible/replicated across all DCs prior to attempting conversion to DFSR?

Any help/guidance would be appreciated and thanks in advance.


1 answer

  1. Anonymous
    2022-09-27T16:41:52.587+00:00

    All other domain controllers (DC01, DC03, DC04) do not have SYSVOL or NETLOGON shares present at all

    How long has this been happening? If greater than tombstone lifetime then you'll need to remove from network and seize roles to a healthy one (if needed)
    https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/transfer-or-seize-fsmo-roles-in-ad-ds

    then perform cleanup to remove them.
    https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup
    https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-manually-removing-a-domain-controller-server/ba-p/280564

    then when domain health has been confirmed you can proceed.

    The two prerequisites to introducing the first 2019 or 2022 domain controller are that domain functional level needs to be 2008 or higher and older sysvol FRS replication needs to have been migrated to DFSR
    https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Streamlined-Migration-of-FRS-to-DFSR-SYSVOL/ba-p/425405

    I'd use dcdiag / repadmin tools to verify health correcting all errors found before starting any operations. Then stand up the new 2019 or 2022, patch it fully, license it, join existing domain, add active directory domain services, promote it also making it a GC (recommended), transfer FSMO roles over (optional), transfer pdc emulator role (optional), use dcdiag / repadmin tools to again verify health, when all is good you can decommission / demote old one.

    --please don't forget to upvote and Accept as answer if the reply is helpful--
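
The per-DC state described in the question (SysvolReady value, presence of the SYSVOL and NETLOGON shares, replication service state) can be collected in one read-only pass before any migration step. This is an added example, not part of the original thread; it assumes Windows PowerShell 3.0 or later (not PowerShell 7), domain admin rights, and WMI reachable on each DC, and it uses the DC names from the question.

```powershell
# Added example (not from the thread). Read-only: nothing is changed on the DCs.
# Assumptions: Windows PowerShell 3.0+, domain admin rights, WMI/DCOM reachable.
# DC names are the ones listed in the question.
$dcs  = 'DC01', 'DC02', 'DC03', 'DC04'
$HKLM = [uint32]2147483650   # HKEY_LOCAL_MACHINE constant used by StdRegProv
$key  = 'SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

$report = foreach ($dc in $dcs) {
    try {
        # SysvolReady: 1 = Netlogon shares SYSVOL/NETLOGON, 0 = it does not
        $reg   = [wmiclass]"\\$dc\root\default:StdRegProv"
        $ready = $reg.GetDWORDValue($HKLM, $key, 'SysvolReady').uValue

        # Shares actually published by the DC
        $shares = @(Get-WmiObject -Class Win32_Share -ComputerName $dc -ErrorAction Stop |
                    Select-Object -ExpandProperty Name)

        # State of the two possible SYSVOL replication engines
        $svc = @{}
        Get-WmiObject -Class Win32_Service -ComputerName $dc -ErrorAction Stop `
            -Filter "Name='NtFrs' OR Name='DFSR'" |
            ForEach-Object { $svc[$_.Name] = $_.State }

        [pscustomobject]@{
            DC = $dc; SysvolReady = $ready
            SYSVOL   = $shares -contains 'SYSVOL'
            NETLOGON = $shares -contains 'NETLOGON'
            NtFrs = $svc['NtFrs']; DFSR = $svc['DFSR']; Error = $null
        }
    }
    catch {
        # An unreachable DC is itself a finding, so record it instead of stopping
        [pscustomobject]@{
            DC = $dc; SysvolReady = $null; SYSVOL = $null; NETLOGON = $null
            NtFrs = $null; DFSR = $null; Error = $_.Exception.Message
        }
    }
}

$report | Format-Table -AutoSize

# DCs that are unreachable or not advertising SYSVOL/NETLOGON
$report |
    Where-Object { $_.Error -or $_.SysvolReady -ne 1 -or -not $_.SYSVOL -or -not $_.NETLOGON } |
    Select-Object -ExpandProperty DC
```

Saving the table output before and after each change gives a record to compare against the dcdiag / repadmin results mentioned in the answer.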

