SYSVOL DFSR migration fails after you in-place upgrade a domain controller to Windows Server 2019
This article provides a solution to an issue where SYSVOL DFSR migration fails after you in-place upgrade a domain controller to Windows Server 2019.
Applies to: Windows Server 2019
Original KB number: 4493934
Summary
In a domain that is configured to use the File Replication Service, the SYSVOL folder is not shared after you in-place upgrade a Windows Server 2019-based domain controller from an earlier version of Windows. Until this directory is shared, the domain controller does not respond to DCLOCATOR requests for LDAP, Kerberos, and other DC workloads.
Symptoms
In a domain that uses the legacy File Replication Service for SYSVOL, you in-place upgrade a domain controller to Windows Server 2019.
When you try to migrate the domain to Distributed File System (DFS) Replication, the following issues occur:
All Windows Server 2019-based domain controllers in the domain stop sharing the SYSVOL folder and stop responding to DCLOCATOR requests.
All Windows Server 2019-based domain controllers in the domain have the following event log errors:
Log Name: DFS Replication
Source: DFSR
Date: <time>
Event ID: 8013
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: <fqdn>
Description:
DFSR was unable to copy the contents of the SYSVOL share located at C:\Windows\SYSVOL\domain to the SYSVOL_DFSR folder located at C:\Windows\SYSVOL_DFSR\domain. This could be due to lack of availability of disk space or due to sharing violations.Additional Information:
Sysvol NTFRS folder: C:\Windows\SYSVOL\domain
Sysvol DFSR folder: C:\Windows\SYSVOL_DFSR\domain
Error: 367 (The process creation has been blocked.)Log Name: DFS Replication
Source: DFSR
Date: <DateTime>
Event ID: 8028
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: <fqdn>
Description:
DFSR Migration was unable to transition to the 'PREPARED' state for Domain Controller <computer name>. DFSR will retry the next time it polls the Active Directory. To force an immediate retry, execute the command 'dfsrdiag /pollad'.
Additional Information:
Domain Controller: <computer name>
Error: 367 (The process creation has been blocked.)
The DFSRMIG.EXE /GetMigrationState
command generates the following output for all Windows Server 2019 domain controllers:
Dfsrmig /getmigrationstate
The following domain controllers have not reached Global state ('Prepared'):Domain Controller (Local Migration State) - DC Type ===================================================
<Computer name>('Start') - Writable DCMigration has not yet reached a consistent state on all domain controllers.
State information might be stale due to Active Directory Domain Services latency.
Note
The global state can be Prepared, Redirected, or Eliminated, depending on which global state you set previously.
Cause
The File Replication Service (FRS) was deprecated in Windows Server 2008 R2 and is included in later operating system releases for backwards compatibility only. Starting in Windows Server 2019, promoting new domain controllers requires the DFS Replication (DFSR) to replicate the contents in the SYSVOL share. If you try to promote a Windows Server 2019-based computer in a domain that still using FRS for SYSVOL replication, the following error occurs:
Verification of prerequisites for Domain Controller promotion failed. The specified domain
contoso.com
is still using the File Replication Service (FRS) to replicate the SYSVOL share. FRS is deprecated. The server being promoted does not support FRS and cannot be promoted as a replica into the specified domain. You MUST migrate the specified domain to use DFS Replication using the DFSRMIG command before continuing. For more information, seehttps://go.microsoft.com/fwlink/?linkid=849270
Because of a code defect, in-place upgrading a Windows Server 2012 R2 or Windows Server 2016 domain controller to Windows Server 2019 does not enforce this block. When you then run DFSRMIG.EXE /SetGlobalState
to migrate to DFSR, all upgraded Windows Server 2019 domain controllers are stuck in the Start phase and cannot complete the transition to the Prepared or later phases. Therefore, the SYSVOL and NETLOGON folders for the domain controllers are no longer shared, and the domain controllers stop responding to location questions from clients in the domain.
Workaround
There are several workarounds for this issue, depending on which migration global state you specified earlier.
Issue occurs in the Preparing or Redirecting phase
If you have already run
DFRSMIG /SetGlobalState 1
orDFRSMIG /SetGlobalState 2
previously, run the following command as a Domain Admin:DFRSMIG /SetGlobalState 0
Wait for Active Directory replication to propagate throughout the domain, and for the state of Windows Server 2019 domain controllers to revert to the Start phase.
Verify that SYSVOL is shared on those domain controllers and that SYSVOL is replicating as usual again by using FRS.
Make sure that at least one Windows Server 2008 R2, Windows Server 2012 R2, or Windows Server 2016 domain controller exists in that domain. Verify all Active Directory partitions and the files in the SYSVOL are fully sourced from one or more source domain controllers and that they are replicating Active Directory as usual before you demote all of your Windows Server 2019 domain controllers in the next step. For more information, see Troubleshooting Active Directory Replication Problems.
Demote all Windows Server 2019-based domain controllers to member servers. This is a temporary step.
Migrate SYSVOL to DFSR normally on the remaining Windows Server 2008 R2, Windows Server 2012 R2, and Windows Server 2016 domain controllers.
Promote the Windows Server 2019-based member servers to domain controllers.
Issue occurs in the Eliminating phase
The FRS elimination phase cannot be rolled back by using DFSRMIG. If have already specified FRS elimination, you can use either of the following workarounds.
Option 1
You still have one or more Windows Server 2008 R2, Windows Server 2012 R2, or Windows Server 2016 domain controllers in that domain. Verify all Active Directory partitions and the files in the SYSVOL are fully sourced from one or more source domain controllers and that they are replicating Active Directory as usual before you demote all of your Windows Server 2019 domain controllers in the next step. For more information, see Troubleshooting Active Directory Replication Problems.
- Demote all Windows Server 2019-based domain controllers. This is a temporary step.
- Migrate SYSVOL to DFSR as usual on the remaining Windows Server 2008 R2, Windows Server 2012 R2, and Windows Server 2016 domain controllers.
- Promote the Windows Server 2019-based member servers to domain controllers.
Option 2
All domain controllers in the domain are running Windows Server 2019.
Note
- Step 6 of this workaround requires the promotion of at least one Windows Server 2008 R2, Windows Server 2012 R2, or Windows Server 2016 DC.
- Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
In the ADSIEDIT.MSC tool, change the following distinguished name value and attribute on the PDC Emulator:
CN=DFSR-GlobalSettings,CN=System,DC=<domain>,DC=<TLD> msDFSR-Flags = 0Wait for Active Directory replication to propagate throughout the domain.
On all Windows Server 2019 domain controllers, change the DWORD type registry value Local State to 0:
- Registry setting: Local State
- Registry path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating SysVols
- Registry value: 0
- Data type: REG_DWORD
On all Windows Server 2019 domain controllers, restart the following services by running the following commands:
net stop netlogon & net start netlogon net stop DFSR & net start DFSR
Verify that SYSVOL has shared on those domain controllers and that SYSVOL is replicating as usual again by using FRS.
Promote one or more Windows Server 2008 R2, Windows Server 2012 R2, or Windows Server 2016 domain controllers in that domain. Verify all Active Directory partitions and the files in the SYSVOL are fully sourced from one or more source domain controllers and that they are replicating Active Directory as usual before you demote all of your Windows Server 2019 domain controllers in the next step. For more information, see Troubleshooting Active Directory Replication Problems.
Demote all Windows Server 2019-based domain controllers to member servers. This is a temporary step.
Migrate SYSVOL to DFSR as usual on the remaining Windows Server 2008 R2, Windows Server 2012 R2, and Windows Server 2016 domain controllers.
Promote the Windows Server 2019-based member servers to domain controllers.
Optional: Demote the Windows Server 2008 R2, Windows Server 2012 R2, or Windows Server 2016 DC that you added in step 6.
References
For more information about how to migrate FRS to DFSR for SYSVOL, see the following articles: