The term Active Directory is most commonly equated with the NTDS.DIT database and its characteristics; however, its functionality is affected in a profound manner by content of the SYSVOL folder, residing by default, directly under the Windows directory (although its placement is customizable) and providing file system storage required to implement a wide range of Group Policies.
Although both NTDS.DIT and SYSVOL get created as a direct result of domain controller promotion and their coherence is necessary to keep directory services fully operational, they are subject to different rules and processes. One of more prominent examples of this dissonance is the use of two distinct replication engines to synchronize their respective contents across distributed set of domain controllers. In particular, since the introduction of Active Directory with the release of Windows 2000 Server product line, SYSVOL relied on File Replication Service (FRS) to accomplish this goal (physically separate and conceptually different from NTDS.DIT replication). Although the same technology still remains available in Windows Server 2008 environment, once you switch to Windows Server 2008 domain functional level, you have an option to take advantage of considerably more robust, efficient, and scalable mechanism based on the Distributed File System Replication (DFS-R).
The purpose of this article is to describe its advantages over FRS and describe migration path between them.
In principle, both File Replication Service and Distributed File System-based replication rely on the NTFS constructs (such as Update Sequence Number journal and internal jet database) to keep track of changes to the file system. The latter (which was introduced in Windows Server 2003 R2) offers a number of significant benefits over its predecessor. More specifically, it minimizes network usage by employing block-level (rather than file-level) replication, which means that partial changes to large files do not trigger their full transfer, as well as the Remote Differential Compression (RDC) algorithm, which can also be adjusted to arbitrary threshold or disabled altogether in environments with sufficient network bandwidth. It also has self-healing capabilities, handling more gracefully journal wrap conditions and database corruption. The efficiency and reliability of DFS-R has been further improved in Windows Server 2008, bringing such features as support for RPC asynchronous pipes (boosting the volume of replication requests that can be serviced simultaneously and mitigating blocking behavior that might surface if one of the replication partners is slower or overloaded) and the ability to take advantage of unbuffered I/O, allowing for higher number of concurrent downloads. In addition, the new version of DFS-R is RODC (Read Only Domain Controller) aware, automatically rolling back any changes applied to local replica of SYSVOL (such functionality is missing from FRS maintained volumes, which increases chances for administrative error). Finally, for larger environments, it eliminates the recommended limit on 1200 domain controllers per domain, stipulated in the Windows Server 2003 Active Directory Branch Office Guide.
Another significant factor to note when contemplating DFS-R deployment concerns the method of transitioning from FRS. The process of migrating SYSVOL replication mechanism to DFS-R has been designed in the manner minimizing the impact on Active Directory availability as well as allowing for gradual, controlled, easy-to-track, and reversible (with the notable exception of the final stage) transition. From the administrative standpoint, the process is managed using a built-in DFS-R specific utility DFSRMig.exe (residing in the %SystemRoot%system32 folder), which triggers each individual migration step (by setting a global migration state, represented internally by a group of designated Active Directory objects and their attributes), automatically carried out across all domain controllers in the same domain. These steps are referred to (using DFS-R nomenclature) as transition states (total of 5), with each starting and ending in a clearly defined set of conditions labeled as stable states (total of 4). Each state gets associated with a unique integer value between 0 to 9, with the stable states occupying lower part of this range.
The 9 DFS-R States
START(stable state 0) designates the initial point of the migration. At this stage, it is critical to make sure that both Active Directory and FRS-basedSYSVOLreplication function properly. To test the former, use theRepAdmincommand line utility (with/showrepl /allor/replsumswitches). To verify status of the latter, take advantage of such utilities as FRSDiag, Sonar, or Ultrasound, which is available from the Microsoft Download Center. Make sure that the DFS Replication service is running and configured with Automatic startup on each domain controller. Confirm that the domain operates on the Windows Server 2008 functional level (which implies that all domain controllers are running Windows Server 2008). Verify that all domain controllers function properly and are accessible, paying particular attention to the PDC Emulator (as a matter of fact, you might want to consider running the migration directly from its console). Avoid adding new domain controllers or introducing changes toSYSVOLfor the duration of the migration. If you decide to install a Read Only Domain Controller after the domain reaches thePREPAREDstate, you will need to manually create its DFS-R specific Active Directory settings by executingDFSRMig /CreateGlobalObjectscommand.
Finally, make sure that every volume containing SYSVOL folder on each domain controller has a sufficient amount of disk space (at a minimum, it should be capable of holding its copy). Once you have confirmed that all prerequistes are satisfied, enter the PREPARING transitional state by executing DFSRMig /SetGlobalState 1 command while logged on with an account that is a member of the Domain Admin (or Enterprise Admin) group. Note that although it is possible to perform the migration by specifying the final value of 3, representing the ELIMINATED state, such approach is not recommended since it does not provide rollback capabilities).
PREPARING (transitional state 4) starts with creation of the DFS-R Global Settings object CN=DFSR-GlobalSettings (and its child objects) under the System container of the default naming context in Active Directory (the change takes place on the PDC Emulator and propagates afterwards via standard AD replication to other domain controllers). Its msDFSR-Flags attribute is used throughout the migration to serve as an indication of the current global status (its value is derived from the msDFSR-Flags attribute of the CN=dfsr-LocalSettings child object of each domain controller computer account (which also gets created when the PREPARING state starts and is updated throughout the migration to reflect status of individual domain controllers). Other settings (under CN=DFSR-GlobalSettings) are used to designate replication content and topology of SYSVOL_DFSR among all domain controllers. Note that PDC Emulator is also responsible for all necessary objects specific to all Read Only Domain Controllers residing in the same the domain (since such changes can not be applied directly to Active Directory database hosted on each RODC). DFS-R service also creates SYSVOL_DFSR folder on the same volume as the SYSVOL and duplicates the content (leveraging robocopy utility) of its domain subfolder (including permissions and junction points). This is intended to minimize time and bandwidth required to complete initial DFS-R based replication with other domain controllers (which takes place in the REDIRECTING state). The current state of migration gets registered using the Local State entry of REG_DWORD datatype under HKLMSystemCurrentControlSetServicesDFSRParametersSysVolsMigrating SysVols registry key. WAITING FOR INITIAL SYNC (transitional state 5) follows automatically the PREPARING state. It is designed to complete configuration of the SYSVOL_DFSR, including its synchronization with another writable domain controller and setup of the corresponding Jet database. Effectively, once this step successfully completes, there are two separate replication mechanisms, with the FRS handling the original SYSVOL and DFS-R synchronizing its SYSVOL_DFSR-based duplicate. During its execution, the value of Local State registry entry on each domain controller changes from 4 to 5. PREPARED (stable state 1) is characterized by existence of two independently replicated instances of SYSVOL, with FRS as the primary replication engine, handling the content available via the SYSVOL share and DFS-R managing its non-shared duplicate residing in the SYSVOL_DFSR folder. In order to confirm whether this stage has been reached (which coincides with the event id 8014 registered in the local DFS Replication Event Log), examine output of the DFSRMig /GetMigrationState command, which queries migration state information from all domain controllers and displays the outcome, identifying any that have not reached the migration state set on the PDC Emulator. Remember that such discrepancies should be remediated before you proceed further. Note also that it is possible to manually expedite migration process. This can be done by forcing AD replication (to propagate changes to the global msDFSR-Flags attribute) with repadmin utility (by leveraging its replicate or SyncAll switches). It is also possible to force DFS Replication service to discover the newly applied global migration settings by executing DFSRDiag PollAD with Member attribute pointing to the PDC Emulator. Once you confirm that the PREPARED state is consistent across the domain, you are ready to proceed to the next step by launching the DFSRMig /SetGlobalState 2 command.REDIRECTING (transitional state 6) starts by synchronizing content of the SYSVOL and its DFS-R equivalent SYSVOL_DFSR on the PDC Emulator (which subsequently replicates to other domain controllers). This is done to account for any changes that might have taken place (typically introduced via Group Policy modifications) since the PREPARED state has been reached. Next, the SysvolReady entry under HKLMSystemCurrentControlSetServicesNetlogonParameters registry key is set to 0 (translating into boolean FALSE), which effectively prevents the SYSVOL from being shared. This action is followed by changing the value of SYSVOL share Path parameter to SYSVOL_DFSRsysvol. Finally, SysvolReady gets set back to 1 (corresponding to the boolean TRUE), which reinstates the SYSVOL share (but associated with the new file system location). In addition, the Active Directory Domain Services service is added to the list of dependencies of the DSF Replication service (along with the File Replication service). REDIRECTED (stable state 2) is somewhat similar to PREPARED, since both SYSVOL replication mechanisms are still active, with DFS-R handling replication of the SYSVOL_DFSR folder and FRS being responsible for SYSVOL. However, the SYSVOL share no longer points to the legacy location but instead provides access to the SYSVOL_DFSRsysvol folder. As the implication of this arrangement, any direct changes to the original SYSVOL folder should be avoided, since they will be lost once you perform remaining migration steps (note, however, that this concern does not apply to modifications applied via Group Policy Management Console, which properly points to the new shared location). As before, you can confirm the status of transition by reviewing output generated by the DFSRMig /GetMigrationState command (successful outcome is also be reflected by an event ID 8017 recorded in the DFS Replication event log on each of domain controllers and the value of Local State registry entry referenced by us earlier). For more in-depth troubleshooting, use DFSRMig_xxx.Log.gz files residing in the Debug subfolder under Windows folder (where xxx is sequentially assigned integer value). This verification is critical, since the next step is non-reversible (the only way to return your domain from the ELIMINATED to START state is the full domain restore). Once you are ready, execute the DFSRMig /SetGlobalState 3 command. ELIMINATING (transitional state 7) eliminates dependency of the Active Directory Domain Services service on the File Replication Service, stops it temporarily and removes all Active Directory-resident settings pertinent to its SYSVOL replication characteristics. These changes are relayed to other domain controllers via standard AD replication. It also deletes content of the SYSVOL folder. Once these changes are completed, the FRS service is restarted again to accommodate scenarios where other content is replicated using this mechanism. ELIMINATED (stable state 3) constitutes the final state of migration. As before, its status can be verified by running the DFSRMig /GetMigrationState command or checking the value of Local State registry entry on individual domain controllers (as well as the presence of the event 8019 in the DFS Replication event log). In addition, the SysVol registry entry (under HKLMSystemCurrentControlSetServicesNetlogonParameters key) should point out the SYSVOL_DFSR folder (and the value of SysvolReady entry in the same location should be set to 1).
UNDO REDIRECTING (transitional state 8) facilitates reverting from the REDIRECTED to PREPARED state. To invoke it, execute DFSRMig /SetGlobalState 1. As part of the transition, the SYSVOL_DFSR folder is first synchronized with its SYSVOL counterpart (leveraging robocopy utility) to account for any changes to its content that might have taken place while in REDIRECTED state (typically introduced via Group Policy modifications). This synchronization takes place on the PDC Emulator and is subsequently replicated via FRS-driven replication. UNDO PREPARING (transitional state 9) permits you to return to the START state from PREPARED state (with FRS mechanism handling SYSVOL replication and the SYSVOL_DFSR folder removed). To invoke it, use DFSRMig /SetGlobalState 0 command. Note that, similarly to the PREPARING transitional state, PDC Emulator will be responsible for deleting all DFS-R Active Directory objects specific to Read Only Domain Controllers.This concludes our overview of characteristics of DFS-R SYSVOL replication available in Windows Server 2008 functional level domains and an outline of the steps involved in transitioning to it from FRS mechanism employed in earlier implementations of Active Directory. Our next article will focus on new Group Policy features. UNDO REDIRECTING (transitional state 8) facilitates reverting from the REDIRECTED to PREPARED state. To invoke it, execute DFSRMig /SetGlobalState 1. As part of the transition, the SYSVOL_DFSR folder is first synchronized with its SYSVOL counterpart (leveraging robocopy utility) to account for any changes to its content that might have taken place while in REDIRECTED state (typically introduced via Group Policy modifications). This synchronization takes place on the PDC Emulator and is subsequently replicated via FRS-driven replication. UNDO PREPARING (transitional state 9) permits you to return to the START state from PREPARED state (with FRS mechanism handling SYSVOL replication and the SYSVOL_DFSR folder removed). To invoke it, use DFSRMig /SetGlobalState 0 command. Note that, similarly to the PREPARING transitional state, PDC Emulator will be responsible for deleting all DFS-R Active Directory objects specific to Read Only Domain Controllers.This concludes our overview of characteristics of DFS-R SYSVOL replication available in Windows Server 2008 functional level domains and an outline of the steps involved in transitioning to it from FRS mechanism employed in earlier implementations of Active Directory. Our next article will focus on new Group Policy features. Filed under: Windows 2008
