By Ted Dasher Jr, Senior Solution Architect

I have been working on various networking and security projects lately that involve Active Directory (AD) and have noticed that our clients are still running domains built on old versions of Windows Server. Here are a few things I have learned along the way about AD replication and some of the efficiencies gained when upgrading to a “more recent” version.

If your domain was first built on Windows Server 2003 or earlier, there is a good chance that SYSVOL is still being replicated with an old and inefficient method known as the File Replication Service (FRS) rather than the more modern Distributed File System Replication (DFSR). Domains created at the Windows Server 2008 functional level or later use DFSR from the start; domains that were created on 2003 or earlier and upgraded in place keep FRS until someone deliberately migrates them. Running an old version of software is not by itself a reason to move to a new one, but in this case there are many reasons to research the new method and upgrade if the improvements warrant the change.

Why is DFSR better than FRS?

Both methods replicate the SYSVOL folder between domain controllers, but they do so very differently. For starters, FRS can only replicate whole files, while DFSR uses remote differential compression (RDC) to replicate only the changed blocks of a file. This greatly reduces the amount of data that must move between domain controllers and can significantly reduce WAN capacity requirements for larger, multi-site environments. As you might guess from the name, DFSR is the replication engine of the Microsoft Distributed File System, which has many other uses beyond SYSVOL.

Beyond efficiency, you might consider these several reasons for moving to DFSR:

  1.       FRS is in maintenance mode at Microsoft, with no new features being added
  2.       If you use read-only domain controllers (RODCs) in remote offices, there are cases where FRS does not fully replicate to them
  3.       There are very few options for monitoring or instrumenting FRS replication
  4.       For more reasons, see this informative article on Technet, written back in 2010:   https://blogs.technet.microsoft.com/askds/2010/04/22/the-case-for-migrating-sysvol-to-dfsr/

Support for FRS in Windows Server is probably going away… soon…

The original plan was for Windows Server 2016 to drop FRS support entirely. Microsoft reversed that plan late in the release cycle, which is a good indication that many customers have not yet made the change to DFSR. It would be a big surprise for that reprieve to carry over into the next Windows Server release (2016 R2, or whatever it ends up being called), since it has been more than a decade since the FRS code was last changed.

Where are you running today? Hint: ‘Eliminated’ is better than ‘Start’

It is very easy to determine which replication method is currently being used in your domain. From an elevated PowerShell or command prompt on a domain controller (dfsrmig.exe is the SYSVOL migration tool that ships on Windows Server 2008 and later domain controllers), run the following command:

dfsrmig /getmigrationstate

If you are using FRS, then your result will look like this:

[Screenshot: dfsrmig /getmigrationstate output for a domain still in the ‘Start’ (FRS) state]

The line reading “All Domain Controllers have migrated successfully” is misleading. The ‘Start’ state means the domain is still using FRS: the migration has not started, let alone completed, whatever the word “successfully” in the response implies.

If you are using DFSR, your result will look like the following screen capture, which shows a domain that has completely migrated to DFSR. Any state other than these two (‘Prepared’, ‘Redirected’, or one of the transitional states dfsrmig reports while domain controllers are still catching up) means a migration was started and has not been carried through to the end. As before, the terminology is a bit odd: ‘Eliminated’ does not usually sound like a desired state for anything. In this case, however, it is exactly where you want to be, because it means FRS has been completely eliminated from your AD replication process.

[Screenshot: dfsrmig /getmigrationstate output for a domain in the ‘Eliminated’ (DFSR) state]

We’re still using FRS. What are our options?

Microsoft’s guide for migrating SYSVOL replication from FRS to DFSR can be found at the following link: https://www.microsoft.com/en-us/download/details.aspx?id=4843

The guide is 52 pages long and fully explains what is required to accomplish this task. If your internal IT staff does not have the needed training or experience, or simply does not have the time to devote to it, then we would be glad to help. If you do choose to do this on your own, do not be alarmed if the first of the three migration stages (Start to Prepared, Prepared to Redirected, Redirected to Eliminated) takes a long time. In the Prepared stage every domain controller builds a DFSR copy of SYSVOL and performs its initial synchronization, and depending on the size of SYSVOL, the number of domain controllers and the AD replication latency between sites, this stage can take hours or even days to complete. Two more things are worth knowing before you start: the domain functional level must be Windows Server 2008 or higher, and while the first two stages can be rolled back with dfsrmig, the final ‘Eliminated’ stage cannot.
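The state check from the previous section and the staged migration just described, as one added PowerShell example (my own, not code from the original post or from Microsoft’s guide): it parses dfsrmig /getmigrationstate into an object so that ‘Start’ reads as what it is, verifies the functional-level prerequisite, and advances the global state one step at a time, waiting until every domain controller reports the new state before returning. It assumes an elevated PowerShell session on a writable domain controller (ideally the PDC emulator), the ActiveDirectory RSAT module, and dfsrmig’s English output wording; the function names are this example’s own.

```powershell
# Added example, not from the original post or Microsoft's migration guide.
# Assumes: elevated PowerShell on a writable DC (dfsrmig.exe ships on DCs;
# ideally the PDC emulator), the ActiveDirectory module, and dfsrmig's English
# output text. Function names are this example's own.
#Requires -RunAsAdministrator
Import-Module ActiveDirectory

# dfsrmig's global states in order; /setglobalstate takes the number.
$DfsrMigStates = @{ 0 = 'Start'; 1 = 'Prepared'; 2 = 'Redirected'; 3 = 'Eliminated' }

function Get-SysvolMigrationState {
    # Parses "dfsrmig /getmigrationstate". 'Start' means FRS is still in use,
    # whatever the "migrated successfully" wording suggests; only 'Eliminated'
    # means FRS is gone. Consistent is false while any DC lags the global state.
    $text = (& dfsrmig.exe /getmigrationstate 2>&1) | Out-String
    if (-not ($text -match "Current DFSR global state:\s*'(\w+)'")) {
        throw "Could not parse dfsrmig output:`n$text"
    }
    $state = $Matches[1]
    [pscustomobject]@{
        GlobalState = $state
        Consistent  = [bool]($text -match 'has reached a consistent state')
        UsesFrs     = ($state -ne 'Eliminated')
        RawOutput   = $text
    }
}

function Test-SysvolMigrationPrereqs {
    # DFSR-replicated SYSVOL requires domain functional level Windows Server 2008+.
    $domain = Get-ADDomain
    $mode   = "$($domain.DomainMode)"      # e.g. Windows2003Domain, Windows2008R2Domain
    [pscustomobject]@{
        Domain      = $domain.DNSRoot
        DomainMode  = $mode
        LevelOk     = ($mode -notmatch '2000|2003')
        PdcEmulator = $domain.PDCEmulator
        DCCount     = @(Get-ADDomainController -Filter *).Count
    }
}

function Step-SysvolMigration {
    # Moves the global state forward by exactly one step (1 Prepared,
    # 2 Redirected, 3 Eliminated) and polls until every DC reports it.
    # Prompts before changing anything (-WhatIf dry-runs, -Confirm:$false skips).
    # Steps 1 and 2 can be undone with a lower /setglobalstate; step 3 cannot.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][ValidateRange(1, 3)][int]$TargetState,
        [int]$TimeoutMinutes = 120,
        [int]$PollSeconds    = 60
    )
    $before = Get-SysvolMigrationState
    if (-not $before.Consistent) {
        throw "Domain is not consistent at '$($before.GlobalState)'; fix AD/DFSR replication first."
    }
    $current = ($DfsrMigStates.GetEnumerator() | Where-Object Value -eq $before.GlobalState).Key
    if ($TargetState -ne ($current + 1)) {
        throw "Current state is '$($before.GlobalState)' ($current); the only valid next step is $($current + 1)."
    }
    $targetName = $DfsrMigStates[$TargetState]
    if ($TargetState -eq 3) { Write-Warning "'Eliminated' cannot be rolled back; FRS is removed for good." }
    if (-not $PSCmdlet.ShouldProcess("SYSVOL in $((Get-ADDomain).DNSRoot)", "dfsrmig /setglobalstate $TargetState ($targetName)")) {
        return $before
    }
    & dfsrmig.exe /setglobalstate $TargetState | Out-Null
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds $PollSeconds
        $now = Get-SysvolMigrationState
        Write-Verbose "$(Get-Date -Format u): global state '$($now.GlobalState)', consistent=$($now.Consistent)"
    } until (($now.GlobalState -eq $targetName -and $now.Consistent) -or (Get-Date) -gt $deadline)
    if (-not ($now.GlobalState -eq $targetName -and $now.Consistent)) {
        throw "Timed out waiting for '$targetName'. Check AD replication (repadmin /replsummary) and the DFS Replication event log, then re-run Get-SysvolMigrationState; lagging DCs are listed in its RawOutput."
    }
    $now
}

# Usage: read-only checks first, then one step at a time, dry run before each.
Test-SysvolMigrationPrereqs
Get-SysvolMigrationState | Select-Object GlobalState, Consistent, UsesFrs
# Step-SysvolMigration -TargetState 1 -WhatIf
# Step-SysvolMigration -TargetState 1 -Verbose   # Start -> Prepared: initial DFSR sync, often hours
# Step-SysvolMigration -TargetState 2 -Verbose   # Prepared -> Redirected
# Step-SysvolMigration -TargetState 3 -Verbose   # Redirected -> Eliminated, not reversible
```

The step function deliberately refuses to skip states or to proceed while dfsrmig reports any domain controller out of sync with the global state; pushing the next state onto a domain whose DCs have not all caught up is how partial migrations end up stuck in ‘Prepared’ or ‘Redirected’. Run the read-only functions from any writable DC, but run the state changes on the PDC emulator as Microsoft’s guide recommends.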

After you have completed the migration, you will enjoy faster and more reliable replication, reduced bandwidth usage between sites, and more options for instrumenting this critical part of your Active Directory infrastructure to keep tabs on its health.