Group Policies settings and templates, scripts, and other objects that the AD or GPO administrator placed in the SYSVOL folder on any Active Directory domain controller are stored in the SYSVOL folder on any Active Directory domain controller. Each domain controller also has its own copy of GPOs, which is synchronised with the domain’s other domain controllers over time. Replication is used to synchronise the contents of the SYSVOL directory between DCs, and it is delivered via the NtFRS (File Replication Service) or DFS-R services, rather than through AD. Replication is multi-master, which means that any domain controller can be the source of change. If multiple controllers have been changed, the most recent change will take precedence.
FRS technology was used to duplicate the SYSVOL folder in the domain in Windows Server 2003 (and earlier), however in Windows Server 2008 R2, this replication method was deprecated, and Microsoft now recommends DFS replication because FRS is not a reliable file replication technology.
Furthermore, you cannot add a new DC to the domain that the FRS service uses for SYSVOL replication with Windows Server 2016:
Windows Server 1709 cannot be added as an Active Directory domain controller (DC) to an existing domain that still uses File Replication Service (FRS) for SYSVOL share replication.
If you add a new DC with Windows Server 2008/2012 R2 to an Active Directory domain based on Windows Server 2003, Group Policy replication is still handled by the File Replication Service (NtFRS).
In line with this article, you can switch to the SYSVOL catalog’s DFS replication mechanism.
The AD for Windows PowerShell module will be used:
import-module activedirectory
First you need to check what type of replication is used in your domain. Check the current status with the command:
dfsrmig /getglobalstate“DFSR migration has not yet been initialised,” if this command returns. Please set global state to desired value to begin migration,” which indicates that the FRS to DFS migration has not yet been completed. Otherwise, the notice “The current domain functional level is not Windows Server 2008 or above” would show. Only Windows Server 2008 or higher level domains are supported by DFSRMig.” This means you must first upgrade the functional level of your AD domain to Windows Server 2008 or higher.
After you update the domain functional level, force a full replication of Active Directory partitions on each domain controllers using the Repadmin tool.
Repadmin /syncall /force /Aped
Check the replication and sysvol directory status:
repadmin /showrepl
Dcdiag /e /test:sysvolcheck /test:advertising
The migration process of replicating SYSVOL to DFS consists of 4 stages:
- State 0: Start
- State 1: Prepared
- State 2: Redirected
- State 3: Eliminated
Now let’s move on to the first phase of migration (global state: Prepared). Run the command:
dfsrmig /setGlobalState 1And check the status of the domain controllers. All DC must be in Prepared state:
dfsrmig /getmigrationstate
After that, we proceed to the second phase—Redirected.
dfsrmig /setGlobalState 2Similarly, make sure that all DCs are in the Redirected state with the command:
dfsrmig /getmigrationstateNow go to the third phase—Eliminated (Warning. This state can not be canceled!).
dfsrmig /setGlobalState 3Check the status with the command:
dfsrmig /getmigrationstatWait until you see the following text in the results:
All Domain Controllers have successfully migrated to the ‘Eliminated’ state.
On all Domain Controllers, migration has reached a consistent state.
As a result, the SYSVOL directory will be migrated to the SYSVOL_DFSR folder. Now for replication SYSVOL used the DFS service.
Check replication status with the dcdiag.
Dcdiag /e /test:sysvolcheck