SYSVOL DFSR Migration fails after you in-place upgrade a domain controller to Windows Server 2019

Applies to: Windows Server 2019, all versions

Summary


In a domain that is configured to use the File Replication Service, the SYSVOL folder is not shared after you in-place upgrade a Windows Server 2019-based domain controller from an earlier version of Windows. Until this directory is shared, DCs does not respond to DCLOCATOR requests for LDAP, Kerberos, and other DC workloads.

Symptoms


In a domain that uses the legacy File Replication Service for SYSVOL, you in-place upgrade a domain controller (DC) to Windows Server 2019.

When you try to migrate the domain to Distributed File System (DFS) Replication, the following issues occur:

  • All Windows Server 2019-based DCs in the domain stop sharing the SYSVOL folder and stop responding to DCLOCATOR requests.
  • All Windows Server 2019-based DCs in the domain have the following event log errors:

The DFSRMIG.EXE /GetMigrationState command generates the following output for all Windows Server 2019 DCs:

Dfsrmig /getmigrationstateThe following domain controllers have not reached Global state ('Prepared'):Domain Controller (Local Migration State) - DC Type===================================================<Computer name> ('Start') - Writable DCMigration has not yet reached a consistent state on all domain controllers.State information might be stale due to Active Directory Domain Services latency.

Note The global state can be Prepared, Redirected, or Eliminated, depending on which global state you set previously.

Cause


The File Replication Service (FRS) was deprecated in Windows Server 2008 R2 and is included in later operating system releases for backwards compatibility only. Starting in Windows Server 2019, promoting new DCs requires the DFS Replication (DFSR) to replicate the contents in the SYSVOL share. If you try to promote a Windows Server 2019-based computer in a domain that still using FRS for SYSVOL replication, the following error occurs:

Because of a code defect, in-place upgrading a Windows Server 2012 R2 or Windows Server 2016 domain controller to Windows Server 2019 does not enforce this block. When you then run DFSRMIG.EXE /SetGlobalState to migrate to DFSR, all upgraded Windows Server 2019 DCs are stuck in the Start phase and cannot complete the transition to the Prepared or later phases. Therefore, the SYSVOL and NETLOGON folders for the DCs are no longer shared, and the DCs stop responding to location questions from clients in the domain.

Resolution


There are several workarounds for this issue, depending on which migration global state you specified earlier.

Issue occurs in the Preparing or Redirecting phase

  1. If you have already runDFRSMIG /SetGlobalState 1 or DFRSMIG /SetGlobalState 2 previously, run the following command as a Domain Admin:
    DFRSMIG /SetGlobalState 0
  2. Wait for Active Directory replication to propagate throughout the domain, and for the state of Windows Server 2019 DCs to revert to the Start phase.
  3. Verify that SYSVOL is shared on those DCs and that SYSVOL is replicating as usual again by using FRS.
  4. Make sure that at least one Windows Server 2008 R2, Windows Server 2012 R2, or Windows Server 2016 DC exists in that domain. Verify all Active Directory partitions and the files in the SYSVOL are fully sourced from one or more source DCs and that they are replicating Active Directory as usual before you demote all of your Windows Server 2019 DCs in the next step. For more information, see Troubleshooting Active Directory Replication Problems.
  5. Demote all Windows Server 2019-based DCs to member servers.  This is a temporary step.
  6. Migrate SYSVOL to DFSR normally on the remaining Windows Server 2008 R2, Windows Server 2012 R2, and Windows Server 2016 DCs.
  7. Promote the Windows Server 2019-based member servers to DCs.


Issue occurs in the Eliminating phase

The FRS elimination phase cannot be rolled back by using DFSRMIG. If have already specified FRS elimination, you can use either of the following workarounds.

Option 1

You still have one or more Windows Server 2008 R2, Windows Server 2012 R2, or Windows Server 2016 DCs in that domain. Verify all Active Directory partitions and the files in the SYSVOL are fully sourced from one or more source DCs and that they are replicating Active Directory as usual before you demote all of your Windows Server 2019 DCs in the next step. For more information, see Troubleshooting Active Directory Replication Problems.

  1. Demote all Windows Server 2019-based DCs.  This is a temporary step.
  2. Migrate SYSVOL to DFSR as usual on the remaining Windows Server 2008 R2, Windows Server 2012 R2, and Windows Server 2016 DCs.
  3. Promote the Windows Server 2019-based member servers to DCs.

Option 2

All DCs in the domain are running Windows Server 2019.

Note Step 6 of this workaround requires the promotion of at least one Windows Server 2008 R2, Windows Server 2012 R2, or Windows Server 2016 DC.

  1. In the ADSIEDIT.MSC tool, change the following distinguished name value and attribute on the PDC Emulator:
    CN=DFSR-GlobalSettings,CN=System,DC=<domain>,DC=<TLD>msDFSR-Flags = 0
  2. Wait for Active Directory replication to propagate throughout the domain.
  3. On all Windows Server 2019 DCs, change the DWORD type registry value Local State to 0:
    Registry Setting: Local StateRegistry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DFSR\Parameters\SysVols\Migrating SysVols Registry Value: 0 Data Type: REG_DWORD 
  4. On all Windows Server 2019 DCs, restart the following services by running the following commands:
    net stop netlogon & net start netlogonnet stop DFSR & net start DFSR
  5. Verify that SYSVOL has shared on those DCs and that SYSVOL is replicating as usual again by using FRS.
  6. Promote one or more Windows Server 2008 R2, Windows Server 2012 R2, or Windows Server 2016 DCs in that domain.  Verify all Active Directory partitions and the files in the SYSVOL are fully sourced from one or more source DCs and that they are replicating Active Directory as usual before you demote all of your Windows Server 2019 DCs in the next step. For more information, see  Troubleshooting Active Directory Replication Problems.
  7. Demote all Windows Server 2019-based DCs to member servers. This is a temporary step.
  8. Migrate SYSVOL to DFSR as usual on the remaining Windows Server 2008 R2, Windows Server 2012 R2, and Windows Server 2016 DCs.
  9. Promote the Windows Server 2019-based member servers to DCs.
  10. Optional: Demote the Windows Server 2008 R2, Windows Server 2012 R2, or Windows Server 2016 DC that you added in step 6.