DFSR status shows as ('Start') - Read-Only DC

Yankee30 206 Reputation points
2021-02-10T16:51:26.277+00:00

I just ran a DFSR migration state check in my domain. The domain controllers are a mix of Windows Server 2008 R2 Standard and Windows Server 2008 Standard. I'm not sure if this was an in-place upgrade previously or an FRS to DFSR migration. I see the message below, which says the Global State is "Eliminated", which means we're on DFSR, but for one RODC-DC01 it's at "Start". I'm not sure how long it has been stuck there.

So basically we need to introduce a 2019 DC and replace all 2008 DCs in this domain. As a prerequisite I checked whether we're on DFSR or FRS, which led me to run the command below. Please help with how we should proceed.

How do we fix this error before proceeding?

```
C:\> dfsrmig /getmigrationstate
The following Domain Controllers are not in sync with Global state ('Eliminated'
):

Domain Controller (Local Migration State) - DC Type

DC01 ('Start') - Read-Only DC
Migration has not yet reached a consistent state on all Domain Controllers.
State information might be stale due to AD latency.
```


Accepted answer
  1. Dave Patrick 426.3K Reputation points MVP
    2021-02-10T19:01:02.65+00:00

    The simplest solution is to demote, reboot, then promo it again.

    --please don't forget to Accept as answer if the reply is helpful--


3 additional answers

  1. Dave Patrick 426.3K Reputation points MVP
    2021-02-10T19:15:34.713+00:00

    It is imperative that domain health is 100% before making any changes such as adding new domain controllers, so yes, fix the problematic one as a first step.

    The two prerequisites to introducing the first 2019 domain controller are that the domain functional level needs to be 2008 or higher and the older SYSVOL FRS replication needs to have been migrated to DFSR.
    https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Streamlined-Migration-of-FRS-to-DFSR-SYSVOL/ba-p/425405

    I'd use dcdiag / repadmin tools to verify health correcting all errors found before starting any operations. Then stand up the new 2019, patch it fully, license it, join existing domain, add active directory domain services, promote it also making it a GC (recommended), transfer FSMO roles over (optional), transfer pdc emulator role (optional), use dcdiag / repadmin tools to again verify health, when all is good you can decommission / demote old one.

    --please don't forget to Accept as answer if the reply is helpful--
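
The pre-change check discussed above can be scripted so that a lagging DC blocks the next step. This is an added example, not part of the thread: the function name `Get-DfsrMigLaggingDc` is hypothetical, and `$sample` is constructed from the output quoted in the question.

```powershell
# Added example: parse `dfsrmig /getmigrationstate` output and gate on it.
# $sample is constructed from the question; on a real DC use instead:
#   $sample = (dfsrmig /getmigrationstate) -join "`n"
$sample = @"
The following Domain Controllers are not in sync with Global state ('Eliminated'
):

Domain Controller (Local Migration State) - DC Type

DC01 ('Start') - Read-Only DC
Migration has not yet reached a consistent state on all Domain Controllers.
State information might be stale due to AD latency.
"@

function Get-DfsrMigLaggingDc {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Text)

    # The console wraps long lines, so "('Eliminated'" and ")" may sit on
    # different lines; collapse whitespace before looking for the global state.
    $flat = $Text -replace '\s+', ' '
    if (-not ($flat -match "Global state \('(\w+)'\s*\)")) {
        # Unparseable output (tool error, DC unreachable) must not read as healthy.
        throw 'Global state not found; treat the check as failed.'
    }
    $globalState = $Matches[1]

    # Rows look like: NAME ('LocalState') - DC Type. The column header line
    # does not match because its second token is not a quoted state.
    foreach ($line in ($Text -split '\r?\n')) {
        if ($line -match "^\s*(\S+)\s+\('(\w+)'\)\s+-\s+(.+)") {
            [pscustomobject]@{
                DomainController = $Matches[1]
                LocalState       = $Matches[2]
                GlobalState      = $globalState
                DcType           = $Matches[3].Trim()
            }
        }
    }
}

$lagging = @(Get-DfsrMigLaggingDc -Text $sample)
$lagging | Format-Table -AutoSize
if ($lagging.Count -gt 0 -or $sample -match 'not yet reached a consistent state') {
    Write-Warning 'SYSVOL migration is not consistent; fix these DCs before promoting a new one.'
}
```

Against the sample it reports DC01 with local state Start against global state Eliminated and emits the warning.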


  2. Dave Patrick 426.3K Reputation points MVP
    2021-02-10T19:36:47.17+00:00

    > So shall I demote the problematic Win2008 RODC and directly bring in the new RODC as Win2019 with same name and IP or should that be initially Win2008?

    It doesn't matter. What does matter is that health has been confirmed 100% before making any changes. The simplest solution to reuse names / addresses is to move roles off, decommission, then build new one with correct name / address, promo, move on to next one. This is a 10,000 foot view of steps. Follow the detailed steps I outlined above.

    --please don't forget to Accept as answer if the reply is helpful--


  3. Dave Patrick 426.3K Reputation points MVP
    2021-02-10T22:46:42.247+00:00

    > is there some amount of wait that I shall do in between

    It really should not be necessary assuming the demotion goes cleanly. You can check it and do manual cleanup if necessary.

    https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup
    https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-manually-removing-a-domain-controller-server/ba-p/280564

    --please don't forget to Accept as answer if the reply is helpful--