Raising the Domain Functional Level
A domain’s functional level is a setting that both restricts the operating systems that are supported as domain controllers in a domain and enables additional functionality in Active Directory. A domain with a Windows Server 2008 R2 domain controller can be at one of four functional levels: Windows 2000 Native, Windows Server 2003 Native, Windows Server 2008, and Windows Server 2008 R2.
At Windows 2000 Native domain functional level, domain controllers can be running Windows 2000 Server or Windows Server 2003. At Windows Server 2003 Native domain functional level, domain controllers can be running Windows Server 2003. At Windows Server 2008 domain functional level, all domain controllers must be running Windows Server 2008 or Windows Server 2008 R2. And at Windows Server 2008 R2 domain functional level, all domain controllers must be running Windows Server 2008 R2.
As you raise functional levels, new capabilities of Active Directory are enabled. At Windows Server 2008 domain functional level, for example, you can use DFS-R to replicate SYSVOL. Simply upgrading all domain controllers to Windows Server 2008 is not enough: You must specifically raise the domain functional level. You do this by using Active Directory Domains And Trusts.
To raise the domain functional level:
- Run the Active Directory Domains And Trusts snap-in.
- Right-click the domain and choose Raise Domain Functional Level.
- Select Windows Server 2008, or the desired functional level, and then click Raise.
After you’ve set the domain functional level to Windows Server 2008, you cannot add domain controllers running previous versions of Windows Server. The functional level is associated only with domain controller operating systems; member servers and workstations can be running Windows Server 2003, Windows 2000 Server, Windows Vista, Windows XP, or Windows 2000 Workstation.
Understanding Migration Stages
Because SYSVOL is critical to the health and functionality of your domain, Windows does not provide a mechanism with which to convert replication of SYSVOL from FRS to DFS-R instantly. In fact, migration to DFS-R involves creating a parallel SYSVOL structure. When the parallel structure is successfully in place, clients are redirected to the new structure as the domain’s system volume. When the operation has proven successful, you can eliminate FRS.
Migration to DFS-R thus consists of four stages or states:
- 0 (start) The default state of a domain controller. Only FRS is used to replicate SYSVOL.
- 1 (prepared) A copy of SYSVOL is created in a folder called SYSVOL_DFSR and is added to a replication set. DFS-R begins to replicate the contents of the SYSVOL_DFSR folders on all domain controllers. However, FRS continues to replicate the original SYSVOL folders and clients continue to use SYSVOL.
- 2 (redirected) The SYSVOL share, which originally refers to SYSVOL\domain\sysvol, is changed to refer to SYSVOL_DFSR\domain\sysvol. Clients now use the SYSVOL_DFSR folder to obtain logon scripts and Group Policy templates.
- 3 (eliminated) Replication of the old SYSVOL folder by FRS is stopped. The original SYSVOL folder is not deleted, however, so if you want to remove it entirely, you must do so manually.
You move your domain controllers through these stages by using the Dfsrmig.exe command. You use the following three options with Dfsrmig.exe:
- setglobalstate The setglobalstate option configures the current global DFSR migration state, which applies to all domain controllers. The state is specified by the state parameter, which is 0–3. Each domain controller is notified of the new DFSR migration state and migrates to that state automatically.
- getglobalstate The getglobalstate option reports the current global DFSR migration state.
- getmigrationstate The getmigrationstate option reports the current migration state of each domain controller. Because it might take time for domain controllers to be notified of the new global DFSR migration state, and because it might take even more time for a DC to make the changes required by that state, DCs are not synchronized with the global state instantly. The getmigrationstate option allows you to monitor the progress of DCs toward the current global DFSR migration state.
If there is a problem moving from one state to the next higher state, you can revert to previous states by using the setglobalstate option. However, after you have used the setglobalstate option to specify state 3 (eliminated), you cannot revert to earlier states.
Migrating SYSVOL Replication to DFS-R
To migrate SYSVOL replication from FRS to DFS-R, perform the following steps:
- Open the Active Directory Domains And Trusts snap-in.
- Right-click the domain and choose Raise Domain Functional Level.
- If the Current Domain Functional Level box does not indicate Windows Server 2008 or Windows Server 2008 R2, choose either Windows Server 2008 or Windows Server 2008 R2 from the Select An Available Domain Functional Level list.
- Click Raise. Click OK twice in response to the dialog boxes that appear.
- Open an elevated Command Prompt.
- Type dfsrmig /setglobalstate 1.
- Type dfsrmig /getmigrationstate to query the progress of DCs toward the Prepared global state. Repeat this step until the state has been attained by all DCs.
This can take 15 minutes to an hour or longer.
- Type dfsrmig /setglobalstate 2.
- Type dfsrmig /getmigrationstate to query the progress of DCs toward the Redirected global state. Repeat this step until the state has been attained by all DCs.
This can take 15 minutes to an hour or longer.
- Type dfsrmig /setglobalstate 3.
After you begin migration from state 2 (redirected) to state 3 (eliminated), any changes made to the SYSVOL folder must be replicated manually to the SYSVOL_DFSR folder.
- Type dfsrmig /getmigrationstate to query the progress of DCs toward the Eliminated global state. Repeat this step until the state has been attained by all DCs.
This can take 15 minutes to an hour or longer.
For more information about the Dfsrmig.exe command, type dfsrmig.exe /? .
Practice Configuring DFS Replication of SYSVOL
In this practice, you experience SYSVOL replication and migrate the replication mechanism from FRS to DFS-R. You then verify that SYSVOL is being replicated by DFS-R.
Other practices in the training kit require Windows Server 2008 R2 forest functional level. To perform the exercises in this practice, you need a domain running at Windows Server 2003 domain functional level, so you must create a new forest running at Windows Server 2003 forest functional level consisting of one domain at Windows Server 2003 domain functional level and two domain controllers. To prepare for this practice, perform the following tasks:
- Install a server running Windows Server 2008 R2 full installation. The server must be named SERVER01. Its configuration should be as follows:
- Computer Name: SERVER01
- Workgroup membership: WORKGROUP
- IPv4 address: 10.0.0.11
- Subnet Mask: 255.255.255.0
- Default Gateway: 10.0.0.1
- DNS Server: 10.0.0.11
- Promote SERVER01 as a domain controller in a new forest named contoso.com. Select Windows Server 2003 forest and domain functional levels. Allow the Active Directory Domain Services Installation Wizard to install DNS on the domain controller.
- Install a second server running Windows Server 2008 R2 full installation. The server must be named SERVER02. Its configuration should be as follows:
- Computer Name: SERVER02
- Workgroup membership: WORKGROUP
- IPv4 address: 10.0.0.12
- Subnet Mask: 255.255.255.0
- Default Gateway: 10.0.0.1
- DNS Server: 10.0.0.11
- Promote SERVER02 as an additional domain controller in the contoso.com domain. Do not make it a GC or DNS server.
EXERCISE 1 Experience SYSVOL Replication
In this exercise, you experience SYSVOL replication by adding a logon script to the NETLOGON share and observing its replication to another domain controller.
- Log on to SERVER01 as Administrator.
- Open %SystemRoot%\Sysvol\Domain\Scripts.
- Create a new text file called Sample Logon Script.
- Log on to SERVER02 as Administrator.
- Open %SystemRoot%\Sysvol\Domain\Scripts.
- Confirm that the text file replicated to the SERVER02 Scripts folder.
EXERCISE 2 Prepare to Migrate to DFS-R
Before you can migrate replication of SYSVOL to DFS-R, the domain must contain only Windows Server 2008 R2 domain controllers, and the domain functional level must be raised to Windows Server 2008 or higher. In this exercise, you confirm the fact that DFS-R migration is not supported in other domain functional levels. You also install the DFS administrative tools.
- On SERVER01, open the Active Directory Domains And Trusts snap-in.
- Right-click the contoso.com domain and choose Raise Domain Functional Level.
- Confirm that the Current Domain Functional Level is Windows Server 2003.
- Cancel out of the dialog box without raising the functional level.
- Open a command prompt.
- Type dfsrmig /getglobalstate and press Enter.
A message informs you that Dfsrmig.exe is supported only on domains at the Windows Server 2008 functional level or higher.
- Open the Active Directory Domains And Trusts snap-in.
- Right-click the contoso.com domain and choose Raise Domain Functional Level.
- Confirm that the Select An Available Domain Functional Level list indicates Windows Server 2008.
- Click Raise. Click OK to confirm your change.
A message informs you that the functional level was raised successfully.
- Click OK.
- At the command prompt, type dfsrmig /getglobalstate and press Enter.
A message informs you that DFSR migration has not yet initialized.
EXERCISE 3 Migrate Replication of SYSVOL to DFS-R
In this exercise, you migrate SYSVOL replication from FRS to DFS-R.
- On SERVER01, open Command Prompt.
- Type dfsrmig /setglobalstate 0 and press Enter.
The following message appears:
Current DFSR global state: 'Start' New DFSR global state: 'Start' Invalid state change requested.The default global state is already 0, ‘Start,’ so your command is not valid. However, this does serve to initialize DFSR migration.
- Type dfsrmig /getglobalstate and press Enter.
The following message appears:
Current DFSR global state: 'Start' Succeeded. - Type dfsrmig /getmigrationstate and press Enter.
The following message appears:
All Domain Controllers have migrated successfully to Global state ('Start'). Migration has reached a consistent state on all Domain Controllers. Succeeded. - Type dfsrmig /setglobalstate 1 and press Enter.
The following message appears:
Current DFSR global state: 'Start' New DFSR global state: 'Prepared' Migration will proceed to 'Prepared' state. DFSR service will copy the contents of SYSVOL to SYSVOL_DFSR folder. If any DC is unable to start migration then try manual polling. OR Run with option /CreateGlobalObjects. Migration can start anytime between 15 min to 1 hour. Succeeded. - Type dfsrmig /getmigrationstate and press Enter.
A message appears that reflects the migration state of each domain controller. Migration can take up to 15 minutes. Repeat this step until you receive the following message that indicates migration has progressed to the ‘Prepared’ state and is successful:
All Domain Controllers have migrated successfully to Global state ('Prepared'). Migration has reached a consistent state on all Domain Controllers. Succeeded.When you receive the message just shown, continue to step 7.
During migration to the ‘Prepared’ state, you might see one of these messages:
The following Domain Controllers are not in sync with Global state ('Prepared'): Domain Controller (Local Migration State) - DC Type =================================================== SERVER01 ('Start') - Primary DC SERVER02 ('Start') - Writable DC Migration has not yet reached a consistent state on all Domain Controllers. State information might be stale due to AD latency.or
The following Domain Controllers are not in sync with Global state ('Prepared'): Domain Controller (Local Migration State) - DC Type =================================================== SERVER01 ('Start') - Primary DC SERVER02 ('Waiting For Initial Sync') - Writable DC Migration has not yet reached a consistent state on all Domain Controllers. State information might be stale due to AD latency.or
The following Domain Controllers are not in sync with Global state ('Prepared'): Domain Controller (Local Migration State) - DC Type =================================================== SERVER02 ('Waiting For Initial Sync') - Writable DC Migration has not yet reached a consistent state on all Domain Controllers. State information might be stale due to AD latency. - Open the Event Viewer console from the Administrative Tools program group.
- Expand Applications And Services Logs and select DFS Replication.
- Locate the event with event ID 8014 and open its properties.
You should see the details shown in Figure 1.
Figure 1. DFS-R event indicating successful migration to the ‘Prepared’ state
Type dfsrmig /setglobalstate 2 and press Enter.
The following message appears:
Current DFSR global state: 'Prepared' New DFSR global state: 'Redirected' Migration will proceed to 'Redirected' state. The SYSVOL share will be changed to SYSVOL_DFSR folder, which is replicated using DFSR. Succeeded. - Type dfsrmig /getmigrationstate and press Enter.
A message appears that reflects the migration state of each domain controller. Migration can take up to 15 minutes. Repeat this step until you receive the following message that indicates migration has progressed to the ‘Prepared’ state and is successful:
All Domain Controllers have migrated successfully to Global state ('Redirected'). Migration has reached a consistent state on all Domain Controllers. Succeeded.When you receive the message just shown, continue to step 12.
During migration, you might receive messages like the following:
The following Domain Controllers are not in sync with Global state ('Redirected'): Domain Controller (Local Migration State) - DC Type =================================================== SERVER02 ('Prepared') - Writable DC Migration has not yet reached a consistent state on all Domain Controllers. State information might be stale due to AD latency. - Type net share and press Enter.
- Confirm that the NETLOGON share refers to the %SystemRoot%\SYSVOL_DFSR\Sysvol \contoso.com\Scripts folder.
- Confirm that the SYSVOL share refers to the %SystemRoot%\SYSVOL_DFSR\Sysvol folder.
- In Windows Explorer, open the %SystemRoot%\SYSVOL_DFSR\Sysvol\contoso.com \Scripts folder.
- Confirm that the Sample Logon Script file was migrated to the new Scripts folder.
- Create a new text file named Sample Logon Script DFSR.
- On SERVER02, confirm that the file replicated to the %SystemRoot%\SYSVOL_DFSR \Sysvol\contoso.com\Scripts folder.
