SYSVOL Migration Series: Part 4 – Migrating to the ‘REDIRECTED’ state

SYSVOL Migration Series: Part 4 – Migrating to the ‘REDIRECTED’ state

  • Comments 3
  • Likes

The previous article in this series explained how to migrate replication of the SYSVOL share to the ‘PREPARED’ state. In this article, we examine how to migrate all domain controllers to the ‘REDIRECTED’ state.

 

Before we begin …

Before migrating to the ‘REDIRECTED’ state, a couple of precautions are advised.

a)       All domain controllers are in ‘PREPARED’ state: The most important precaution is to ensure that all domain controllers have successfully migrated to the ‘PREPARED’ state before changing the global migration state to the ‘REDIRECTED’ state. Depending upon Active Directory replication latencies and the amount of data present in the ‘SYSVOL’ share, it might take a while before all domain controllers in the domain successfully migrate to the ‘PREPARED’ state. As mentioned in the previous article, the dfsrmig.exe command line switch ‘GetMigrationState’ can be used to ensure that all domain controllers have reached the ‘PREPARED’ state. 

b)       Verify that the SYSVOL share is still being shared out: by all domain controllers. This can be done by typing ‘net share’ on the domain controller. The SYSVOL share is listed if it is being shared out by that domain controller. Verify that the SYSVOL share path is still pointing to the same location as before starting the entire SYSVOL migration process. This is because in the ‘PREPARED’ state, the ‘SYSVOL’ folder that FRS is replicating is still the one shared out on the domain controller. Please see the ‘Taking Stock’ section of the previous article for a quick recap.

 

Figure 1: The 'SysvolReady' registry key.

 

Migrating to ‘REDIRECTED’ state

Let’s look at how to migrate SYSVOL replication on the domain to the ‘REDIRECTED’ state. Please follow the below mentioned steps and pay special attention to any caution or warnings that are mentioned below.

ü  STEP 1: Check health of Active Directory Replication.

Since the migration directive is set on the Primary Domain Controller and needs to be replicated to the Active Directory on each of the replica domain controllers in the domain, it is necessary to ensure that Active Directory replication is working fine. This can be done using the ‘RepAdmin /ReplSum’ command. This step assumes importance in case of remote domain controllers, since those domain controllers will participate in SYSVOL migration only after noticing the migration directive, which in turn is dependent on Active Directory replication between the two sites.

 

ü  STEP 2: Set the migration directive.

On the Primary Domain Controller, run the dfsrmig.exe tool and set the migration global state to ‘REDIRECTED’ state (State 2). It is recommended not to directly set the migration state to 3 (‘ELIMINATED’) but to rather proceed through each of the migration states individually. This enables the possibility of rolling back migration in case things are not working as expected.  Issue the command ‘dfsrmig /setGlobalState 2’ on the Primary Domain Controller to commence migration to the ‘REDIRECTED’ state.

 

ü  STEP 3: Monitor to ensure that all domain controllers have reached the ‘REDIRECTED’ state successfully.

Use the ‘dfsrmig /getMigrationState’ command line switch to ensure that all domain controllers have successfully migrated to the ‘REDIRECTED’ state. Ensure that the output for this command mentions that all domain controllers have reached the ‘REDIRECTED’ state before the domain is migrated to the ‘ELIMINATED’ state.

When the DFS Replication service on each domain controller reaches the ‘REDIRECTED’ state, Information event 8017 will be registered in its event log.

 

What happens under the hood?

When the DFS Replication service notices the migration directive that has been set in Active Directory instructing it to migrate to the global migration state ‘REDIRECTED’, it performs the following sequence of operations on each domain controller:

a)       The migration local state is set to 6 (‘REDIRECTING’). 

b)       Since the domain controller can be in the ‘PREPARED’ state for a while before migrating to the ‘REDIRECTED’ state, the ‘SYSVOL’ and ‘SYSVOL_DFSR’ folders can get out of sync. This is because any group policy changes that are made on the domain after migrating to the ‘PREPARED’ state will be made only on the SYSVOL share. Remember that in the ‘PREPARED’ state, the ‘SYSVOL’ folder that is being replicated by FRS is the one that is shared out by the domain controller. Therefore, any group policy changes are made only in the ‘SYSVOL’ folder and the ‘SYSVOL_DFSR’ folder is not in sync with it. In other words, the DFS Replication service ‘will not see’ such changes.

Therefore, the DFS Replication service updates the ‘SYSVOL_DFSR’ folder with the contents of the ‘SYSVOL’ folder before starting the migration to the ‘REDIRECTED’ state. Note that this happens only on the Primary Domain Controller, since these changes will then be replicated out to all other replica domain controllers by the DFS Replication service.

c)       The DFS Replication service now performs the following set of actions on every domain controller:

·         It sets the ‘SysvolReady’ registry key to ‘FALSE’ (0). This causes the Netlogon service to stop sharing out SYSVOL on that domain controller.

·         It then updates the SYSVOL share path (‘SysVol’ registry key) to point to the new ‘SYSVOL_DFSR’ folder that is being replicated by the DFS Replication service. This is the operation that causes the redirection of SYSVOL replication from FRS to the DFS Replication service.

·         Thereafter, it sets the ‘SysvolReady’ registry key back to ‘TRUE’ (1). This causes the Netlogon service to resume sharing out SYSVOL on the domain controller. 

d)       A dependency is added such that the NTDS service depends on the DFS Replication service. This ensures that after reboots of the domain controller, the DFS Replication service too is started along with Directory Services.

e)       The migration local state is set to 2 (’REDIRECTED’). From this point onwards, the SYSVOL share advertised by the domain controller is the one that is replicated using the DFS Replication service.


During this migration process, the local migration state on the domain controller will cycle through the intermediate state of ‘REDIRECTING’ (State 6). All domain controllers undergo this procedure until they reach the ‘REDIRECTED’ migration state. Thereafter, the administrator is ready to proceed with migrating to the ‘ELIMINATED’ state.

 

Can this migration step be rolled back?

Yes, absolutely! In order to rollback this migration step, an administrator can run the dfsrmig.exe tool and set the global migration state back to 0 (‘START’ state) or 1 (‘PREPARED’ state). This command will cause the DFS Replication service to cycle through the reverse set of steps that were taken during migration. The intermediate states 8 (‘UNDO REDIRECTING’) and 9 (‘UNDO PREPARING’) will be encountered during this roll back process.



Note that if the domain controllers are in ‘REDIRECTED’ state for an extended period of time, and if any group policy changes are made on the domain in that time period, those changes are reflected only in the ‘SYSVOL_DFSR’ folder. Thus, the older SYSVOL folder which is being replicated by FRS will not be in sync with these changes. If the admin decides to roll back migration to the ‘PREPARED’ state, the DFS Replication service syncs the ‘SYSVOL’ folder with the contents of the ‘SYSVOL_DFSR’ folder on the Primary Domain Controller during the rollback process. FRS then replicates these updates to the other replica domain controllers.

 

Monitoring things closely

SYSVOL migration is designed to automatically recognize the migration directive and take steps on each domain controller to comply with that directive. Therefore, for the most part, the ‘/getMigrationState’ command should be sufficient to monitor the progress of migration to the ‘REDIRECTED’ state.

However, it is also possible for an administrator to monitor the domain controller closely and ensure that the tasks performed by the DFS Replication service while migrating to the ‘REDIRECTED’ state have been completed successfully. There are also some troubleshooting steps that can be performed to speed up Active Directory replication and Active Directory poll induced delays in the migration process.

a)       Verify the current local state on each domain controller. Navigate through the registry to the location ‘HKLM\System\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating SysVols’ and check to see the value of the registry key ‘LocalState’. Ensure this registry key is set to 2 once the domain controller has migrated to the ‘REDIRECTED’ state.

b)       Ensure that SYSVOL share replication has indeed been redirected. In order to ensure that the DFS Replication service is replicating the SYSVOL share that is shared out on the domain, check to see the value of the ‘SysVol’ and ‘SysvolReady’ registry keys mentioned above. Ensure that the ‘SysVol’ registry key is pointing to the location of the ‘SYSVOL_DFSR’ folder. 

c)        Force Active Directory replication on a domain controller. In order to force Active Directory replication, issue the command ‘repadmin /syncall /AeD on the domain controller. 

d)       Force the DFS Replication service to poll Active Directory. In order to force an Active Directory poll, issue the command ‘dfsrdiag PollAd’ on the domain controller. To force an Active Directory poll on another domain controller issue the command ‘dfsrdiag PollAd /Member:DC_NAME’.

e)       If you find that migration is taking a long time to reach the ‘PREPARED’ state on a particular domain controller, the following set of monitoring steps may be taken:

·         Issue the ‘dfsrmig /getGlobalState’ command to find the global migration state and ensure that it is indeed set to ‘REDIRECTED’. If this command is issued on the domain controller that is taking a long time to migrate, the administrator can figure out whether Active Directory replication has completed replication of the migration directive to that domain controller.

·         Check to see the local migration state. The local state could take any of the values below during this migration step:

·         Local state 1 (‘PREPARED’ state)

·         Local state 6 (intermediate ‘REDIRECTING’ state)

·         Local state 2 (‘REDIRECTED’ state). This usually signifies that the domain controller has completed migration to the ‘REDIRECTED’ state.

·         Note that there are valid reasons for delay. Ensure that you are cognizant of these and have given enough time for these latencies to ‘play out’.

-          The migration directive relies on Active Directory replication to be ‘visible’ on each individual domain controller. Therefore, the speed with which each domain controller notices and acts upon the migration directive is dependent on Active Directory replication latencies.

·         Check to see the Eventlog for any events (Warning or Error) which the DFS Replication service logs during the SYSVOL migration process. These events will tell you more about what operations have completed and whether the service is stuck for any particular reason.

 


Taking stock

Now that we’ve completed migration of the domain to the ‘REDIRECTED’ state, it is time to take stock of things. In the ‘REDIRECTED’ state:

a)       Both FRS and DFSR are replicating their own copies of the contents of the SYSVOL folder. FRS is replicating the ‘SYSVOL’ folder while DFSR is replicating the ‘SYSVOL_DFSR’ folder.

b)       The SYSVOL share that is advertised by the domain controller is now the ‘SYSVOL_DFSR’ folder that is replicated by the DFS Replication service. Therefore, the main replication engine on the domain in the ‘REDIRECTED’ state is DFSR.

c)       It is recommended to wait until all domain controllers have reached the ‘REDIRECTED’ state before proceeding with migration to the ‘ELIMINATED’ state.

d)       If things are not going as per expectation, it is possible to rollback from the ‘REDIRECTED’ state to the ‘PREPARED’ state or the ‘START’ state by setting the global migration state appropriately using the dfsrmig.exe tool.

In the next blog post in this series, we’ll complete the migration process to the ‘ELIMINATED’ state and eliminate the use of FRS for SYSVOL replication on the domain.

 

 

More articles on SYSVOL Migration Series:

1: SYSVOL Migration Series: Part 1 – Introduction to the SYSVOL migration process 
2: SYSVOL Migration Series: Part 2 – Dfsrmig.exe: The SYSVOL migration tool
3: SYSVOL Migration Series: Part 3 – Migrating to the 'PREPARED' state
5: SYSVOL Migration Series: Part 5 – Migrating to the ‘ELIMINATED’ state

 

-------

Mahesh Unnikrishnan

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment