Moving a client from Server 2008 to Server 2019 Domain Controller. Which means adding the 2019 server to the domain as a domain controller, promoting it, etc. But the first step is to do DFSRMig – migrate from FRS to DFSR for Active Directory.
DFSRMig – Run this on the old DC
1# To see what state DFS is in
2# Start the migration to DFSR with
DFSRMig /SetGlobalState 1
3# To check on the migration progress
DFSRMig /GetMigrationState – This will take some time: Run this command until it is in a consistent state.
4# Next step is to Redirect
DFSRMig /SetGlobalState 2
5# When that process is complete (check using /GetMigrationState), move to 3
DFSRMig /SetGlobalState 3
The idea is to get to “Eliminated” state – so you can promote the 2019 server to a DC. Well, I found out that when you get it to “Eliminating” – just after running Set Global State 3 – you can go ahead and promote. However… the old DC might get stuck in eliminating.
Now, the interwebs have plenty of suggestions and those should work in most cases – not mine, but most. I was completely baffled… but was restarting the service and looking at event logs… and seeing “access denied” messages. Which was totally weird. I eventually put 7 and 10 together and got 42…
I opened ADSIEdit (as admin) and went to Domain Controllers, expanded those…
And clicked on the Domain Controller names that was there and went to security… at first, nothing looked off… but eventually, I saw that somebody(!!) had set a Deny on the EVERYONE group so that nobody could delete anything under there – including the NTFSR (NTFRS?) folders! So, of course, it couldn’t eliminate it – access was, in fact, denied. I removed the deny from a couple ‘delete’ permissions and stopped the DFSR service and started it again – Boom! Eliminated!