Our environment has several domain controllers, including one that is in a vendor's managed cloud. We just recently removed the last 2008 server and have now updated our domain and forest levels to 2012 R2. One of the first things I want to do is move from FRS to DFS. I'm following the blog post at (blogs.technet.microsoft.com/filecab/2008/02/08/sysvol-migration-series-part-1-introduction-to-the-sysvol-migration-process/) for this. I've gotten to the point of running 'dfsrmig /getmigrationstate' repeatedly to make sure all DCs are showing as 'Prepared'. It's been at least 5 hours and all but one of our DCs are done.
As I'm sure you've guessed, it's the one in our vendor's managed cloud. Per their requirements, it has to be behind their firewall and we have to specifically request ports to be opened on an as-needed basis. I've looked through all of the TechNet articles and am fairly sure that we have all of them open between this remote server and two of our DCs (including the PDC).
For reference, here are the ports that are opened:
- TCP: 25, 42, 53, 88, 135, 137, 139, 389, 445, 464, 636, 3268, 3269, 5722, 9389, 1024-5000, 49152-65535
- UDP: 53, 67, 88, 123, 137, 138, 389, 445, 464, 2535, 1024-5000, 49152-65535
I've gone onto the offending server and confirmed the following:
- C:\windows\sysvol_DFSR exists and is populated
- I can ping both DCs from this server without issue
- DFSRDiag /pollad to either of the DCs comes back as 'Operation Succeeded'
- Sites and Services has replication links created between the two DCs and the problem server
- repadmin /showrepl shows successful for all queries
- DFSDiag /testdcs is successful on the two DCs it can reach, errors out on the others
- Running repadmin /syncall /AeD fails for the DCs it can't see. Succeeds for most of the tests...
- PDC response for 'syncall' is "(network error): -2146893041 (0x8009030f): The message or signature supplied for verification has been altered."
- Other DC response for 'syncing partition' is "(network error): -2146893041 (0x8009030f): The message or signature supplied for verification has been altered."
For all intents and purposes, I believe that the replication has taken place, but the server can't report it back to the rest of the domain.
When I go to ADSIEdit per this solution (social.technet.microsoft.com/Forums/windows/en-US/7730f4e2-c5f2-4c21-bcde-c30c5d25ef9a/migrating-sysvol-to-dfsr-one-server-stuck-when-using-getmigrationstate-but-it-looks-ok-locally?forum=winserverDS) on the PDC, I do not see any folders under 'OU=Domain Controllers\CN=OtherDC'. However, when I look on the problem DC, I do see the folders that should be there.
I've also checked in the DFS Management console, but this problem server doesn't show up in there as part of the replication.
I did just run 'DFSRMig /getglobalstate' and it shows 'Current DFSR global state: 'Prepared''.
My question(s) are: What could be blocking the remote server from reporting its DFSR status to the PDC? Since I can see it replicated and the globalstate is 'Prepared', can I go ahead and move forward with the migration?
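An added diagnostic script for the situation described above (not from the post or from Microsoft's tooling): it spot-checks the listed TCP ports toward each DC, asks each DC's own copy of AD whether the DFSR-LocalSettings object that dfsrmig creates under every DC computer account is present (the same thing the ADSIEdit check looks at, so the PDC-vs-remote-DC discrepancy becomes visible side by side), and summarises 'dfsrmig /getmigrationstate'. The DC names are placeholders, the sampled dynamic RPC ports are an assumption, and the success phrase matched in dfsrmig's output is assumed wording.

```powershell
# Added diagnostic helper; not part of the original post. DC names are placeholders.
Import-Module ActiveDirectory

$Dcs       = @('pdc.example.local', 'dc2.example.local', 'remotedc.example.local')  # placeholders
$TcpPorts  = 25, 42, 53, 88, 135, 137, 139, 389, 445, 464, 636, 3268, 3269, 5722, 9389
$RpcSample = 49152, 49200, 65535   # spot-check of the dynamic RPC range (assumption)

# 1. TCP reachability from this host to each DC for the TCP ports listed in the post.
function Test-DcTcpPorts {
    param([string[]]$Computers, [int[]]$Ports)
    foreach ($c in $Computers) {
        foreach ($p in $Ports) {
            $open = Test-NetConnection -ComputerName $c -Port $p -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{ Computer = $c; Port = $p; Open = $open }
        }
    }
}

# 2. Which DC computer accounts carry a DFSR-LocalSettings child object, as seen
#    by each DC's own directory copy (-Server). A DC missing from the PDC's view
#    but present in its own view is the symptom the post describes.
function Get-DfsrLocalSettingsView {
    param([string[]]$Servers)
    $dcOu = (Get-ADDomain).DomainControllersContainer
    foreach ($s in $Servers) {
        $found = Get-ADObject -Server $s -SearchBase $dcOu -LDAPFilter '(cn=DFSR-LocalSettings)' -ErrorAction SilentlyContinue |
                 ForEach-Object { ($_.DistinguishedName -split ',')[1] -replace '^CN=' }   # parent = DC account
        [pscustomobject]@{ AskedServer = $s; DcsWithLocalSettings = ($found -join ', ') }
    }
}

# 3. dfsrmig's own view; it lists any DC still behind the global state.
function Get-DfsrMigrationState {
    $out = & dfsrmig.exe /getmigrationstate 2>&1
    # 'migrated successfully' is the assumed wording of dfsrmig's all-done message
    [pscustomobject]@{ AllAtGlobalState = [bool]($out -match 'migrated successfully'); Output = ($out -join "`n") }
}

Test-DcTcpPorts -Computers $Dcs -Ports ($TcpPorts + $RpcSample) | Where-Object { -not $_.Open } | Format-Table -AutoSize
Get-DfsrLocalSettingsView -Servers $Dcs | Format-Table -AutoSize
Get-DfsrMigrationState
```

Run it from a domain-joined admin host with RSAT; an empty first table means every sampled port answered, and a DC that appears in its own DfsrLocalSettings view but not in the PDC's view points at the object not having replicated rather than at the local migration step.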