DFS Namespace Issues – Migrating from FRS to DFSR Following AD Upgrade

I recently assisted a friend who had an issue with DFS Namespaces following an Active Directory Upgrade from 2008R2 to 2012R2.  They were faced with not being able to access the NameSpace following the demotion of the last 2008R2 controller and promotion of the final 2012R2 controller.

Upon opening the DFS NameSpace management console, the following error was displayed when selecting the required NameSpace – “The namespace cannot be queried. Element not found.”

After looking in the FRS (File Replication Service) and DFSR (Distributed File System Replication) event logs, I came to realise that the forest was using FRS for replication! This isn’t supported after 2008R2.  Ideally, you would have completed the migration from FRS to DFSR before upgrading the domain controllers.

Note: Always make sure you have a backup, snapshot or other reliable rollback method in place before doing anything in your live environment. This worked for me; it doesn’t guarantee it will work for you!

With FRS being the likely cause, I needed to confirm this.  I ran the following command to confirm the status –

Dfsrmig /getglobalstate

It returned the following result confirming that FRS was still in fact being used.

Current DFSR global state: 'Start'
Succeeded.

Before being able to look at the DFS NameSpace issue, this needed addressing.  Luckily you can still remediate this after upgrading the domain controllers. I would still advise confirming all the prerequisites are in place BEFORE upgrading!

Now onto the migration from FRS to DFSR.

Firstly, run the following command to move the state to the second of the four states. The four states are Start, Prepared, Redirected and Eliminated.

Dfsrmig /setglobalstate 1

You will then want to run a directory sync to speed things up, especially if you have a large replication interval!

Run the following RepAdmin command to get things moving.

Repadmin /syncall /AdeP

You can then monitor the progress by running –

Dfsrmig /getmigrationstate

You will then see any remaining domain controllers that have yet to synchronize the new state. Eventually you will see that all domain controllers have migrated to the second state: Prepared.

Now it is time to move to the Redirected state. It is the same process as the previous step, but this time specifying ‘setglobalstate 2’.

Dfsrmig /setglobalstate 2
Repadmin /syncall /AdeP
Dfsrmig /getmigrationstate

Again, run RepAdmin to get replication moving and monitor using the ‘getmigrationstate’ command. As in the previous step, you will eventually see that all domain controllers have migrated to the third state: Redirected.

Last one! Same as before, but this time you want to use ‘setglobalstate 3’ –

Dfsrmig /setglobalstate 3
Repadmin /syncall /AdeP
Dfsrmig /getmigrationstate

Once complete, you will get confirmation that you have reached the final state: Eliminated.

You will now be able to run the ‘net share’ command to see that the SYSVOL share has been moved to ‘C:\Windows\SYSVOL_DFSR\sysvol’ and that the FRS Windows service is stopped and set to disabled.

[Screenshot: output of the ‘net share’ command]

[Screenshot: File Replication Service (FRS) service properties]

This should now give you a correctly functioning directory again! You will want to now check the Directory Services, File Replication and DFSR Logs in Windows Event Viewer to ensure you have no further errors.
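The whole migration above can be scripted so that no state change is made until every domain controller has caught up with the previous one. This is an added example, not part of the original post; the output strings it matches, the polling values and the function name are assumptions.

```powershell
# Added example, not from the original post: advance dfsrmig one state at a
# time and wait until every DC reports the new state before moving on.
# ASSUMPTIONS: "Succeeded." (as in the post's output) and the "consistent
# state" line match what your build prints; the polling values are made up.
$States      = @{ 1 = 'Prepared'; 2 = 'Redirected'; 3 = 'Eliminated' }
$Consistent  = 'has reached a consistent state on all Domain Controllers'
$PollSeconds = 60    # hypothetical polling interval
$MaxPolls    = 120   # hypothetical limit before giving up

function Wait-DfsrMigrationState {
    param([int]$State)
    for ($i = 1; $i -le $MaxPolls; $i++) {
        & repadmin /syncall /AdeP | Out-Null      # same sync as in the post
        $out = (& dfsrmig /getmigrationstate) -join "`n"
        if ($out -like "*$Consistent*" -and $out -like "*'$($States[$State])'*") {
            return $true
        }
        Write-Host "[$i/$MaxPolls] waiting for '$($States[$State])' on all DCs"
        Start-Sleep -Seconds $PollSeconds
    }
    return $false
}

foreach ($state in 1..3) {
    # Eliminated cannot be rolled back, so ask before the last step.
    if ($state -eq 3 -and (Read-Host 'Type YES to move to Eliminated') -ne 'YES') { break }
    $set = (& dfsrmig /setglobalstate $state) -join "`n"
    if ($set -notlike '*Succeeded.*') { throw "setglobalstate $state failed:`n$set" }
    if (-not (Wait-DfsrMigrationState -State $state)) {
        throw "DCs did not converge on '$($States[$state])'; not advancing"
    }
}

# Checks from the post: SYSVOL shared from SYSVOL_DFSR, FRS stopped and disabled.
$sysvol = Get-SmbShare -Name SYSVOL
$frs    = Get-CimInstance Win32_Service -Filter "Name='NtFrs'"
[pscustomobject]@{
    SysvolPath   = $sysvol.Path
    SysvolOnDfsr = $sysvol.Path -like '*\SYSVOL_DFSR\sysvol*'
    FrsState     = $frs.State
    FrsStartMode = $frs.StartMode
    FrsRetired   = ($frs.State -eq 'Stopped' -and $frs.StartMode -eq 'Disabled')
}
```

Run it from an elevated PowerShell session on a domain controller; the final object reports on the local DC only, so repeat the two checks on each DC.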

Now onto repairing the NameSpace. I read a few different blogs and guides for this; some included deleting the NameSpace via ADSI Edit, others didn’t.

I found I didn’t need to delete anything, bonus.

To get the NameSpace accessible again, I found that right clicking the NameSpace and removing it, followed by recreating it using the ‘New NameSpace Wizard’, did the trick.

[Screenshot: DFS Management console, namespace right-click menu including ‘Remove Namespace from Display’]

[Screenshot: New Namespace Wizard, ‘You have successfully completed the New Namespace Wizard’]

[Screenshot: DFS Management console showing the recreated namespace with Folder 1, Folder 2 and Folder 3]

Upon recreating it, all of the folders reappeared and were accessible again with no additional configuration required. (these screenshots are of my lab, not the live environment as it was not appropriate)

Thanks for reading!

VM and vSAN Encryption

In this day and age, securing data is a must. In this post I’d like to show you two options for protecting your data: vSAN Encryption and VM Encryption.

To achieve either of these you need to have connected a Key Management Server (or Cluster) to your vCenter server. Check out my previous post on how to do that – Deploying and Connecting a Key Management Server to vCenter.

Let’s talk through VM Encryption first.

VM Encryption is achieved using storage policies. By default, after configuring a KMS server, the ‘VM Encryption’ policy is available for use. Alternatively, you can create your own custom VM Encryption storage policy to include additional host based services such as caching and Storage I/O.

For a new VM, select the ‘Encrypt this virtual machine’ option on the ‘Select Storage’ section of the New Virtual Machine wizard. Then select the default encryption policy, or a custom one if you have one.

Then when customising your hardware you will see the following notification –

Once deployed, you will see confirmation of the virtual machine’s encryption status on the VM’s summary tab.

Encryption 
Encrypted with standard key provider

For an existing VM, it’s a slightly different approach.

Firstly, power off the VM. Edit the VM’s settings and on the VM Options tab, expand the Encryption option and select your desired VM Encryption policy like so –

Below the policy you will see the option to select which disks you want to encrypt. In this test VM’s case, there is only one disk, disk 0.  You can choose to only encrypt the VM and not the disks if you have a use case to do so. Disks you choose not to encrypt will have the datastore default policy applied to them.

Alternatively, you can take a different route by editing the storage policy of a powered off VM to achieve the same result. Here you can also choose to ‘Configure per disk’. This is a useful option if you only have select hard disks you need to encrypt.

The VM will then reconfigure. This may take some time depending on the size of the disks, so make sure you factor this into your downtime window!

If you check out the performance backend monitor you will notice an increase in throughput and I/O while this is happening.

Data is copied one disk at a time from the unencrypted disk to a new encrypted disk. Once done, the new encrypted disk is attached and the old unencrypted disk is deleted. You will need enough disk space on the datastore to allow the duplication of the largest disk attached to the VM.

Once the task is complete, you will notice you have an updated encryption status.
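The two preconditions described above for an existing VM (powered off, and enough datastore space to duplicate the largest disk) can be checked before the change window. This is an added example, not part of the original post; it assumes VMware PowerCLI with an existing Connect-VIServer session, and the function name and the VM name 'test-vm-01' are hypothetical.

```powershell
# Added example, not from the original post. Requires VMware PowerCLI and an
# existing Connect-VIServer session. 'test-vm-01' is a hypothetical VM name.
function Test-VMEncryptionReadiness {
    param([Parameter(Mandatory)][string]$VMName)

    $vm    = Get-VM -Name $VMName -ErrorAction Stop
    $disks = Get-HardDisk -VM $vm

    # Disk paths look like "[datastore] folder/disk.vmdk"; group by datastore
    # so each datastore is compared against the largest disk it holds.
    $groups = $disks | Group-Object { $_.Filename -replace '^\[(.+?)\].*$', '$1' }

    foreach ($group in $groups) {
        $ds      = Get-Datastore -Name $group.Name | Select-Object -First 1
        # Provisioned capacity is used as a conservative size for the copy.
        $largest = ($group.Group | Measure-Object -Property CapacityGB -Maximum).Maximum
        [pscustomobject]@{
            VM               = $vm.Name
            PoweredOff       = $vm.PowerState -eq 'PoweredOff'
            # A key ID on the VM config means it is already encrypted.
            AlreadyEncrypted = $null -ne $vm.ExtensionData.Config.KeyId
            Datastore        = $ds.Name
            LargestDiskGB    = [math]::Round($largest, 1)
            FreeSpaceGB      = [math]::Round($ds.FreeSpaceGB, 1)
            EnoughSpace      = $ds.FreeSpaceGB -gt $largest
        }
    }
}

Test-VMEncryptionReadiness -VMName 'test-vm-01' | Format-Table -AutoSize
```

Proceed only when PoweredOff and EnoughSpace are both True for every row.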

Now the flip side, un-encrypting a VM.  

This is a reverse of the process. Power off the VM, change the storage policy to a non-encryption policy and power back on when complete.

Now on to vSAN Encryption.

To enable encryption for an entire vSAN cluster, it’s just a few clicks, but there are a few things to be aware of.

  1. Make sure you have adequate free space within the vSAN cluster to allow for the rolling reformatting of the disk groups.
  2. There will be increased IO during this operation, so make sure you choose an appropriate maintenance window to avoid unwanted impact on your workloads.

To enable this feature, select the cluster you wish to enable encryption on and browse to the ‘Configure > vSAN > Services’ option.

Click to enable ‘Data-At-Rest Encryption’.

You have the option to check the ‘Wipe residual data’ option if you have a need to. Bear in mind, wiping the storage can take a significant amount of time, so only use this option if you need to wipe existing data.

The final option is ‘Allow Reduced Redundancy’.  This option will allow vSAN to run your workload at a reduced redundancy level during the encryption process.  Make sure you understand the risks before using this option.

Hit apply and the cluster will begin reconfiguring.

[Screenshot: task list (Task Name, Target, Status) for the cluster reconfiguration, showing disk group removal, disk format conversion, host key configuration and vSAN configuration update tasks with status Completed]

Once it has cycled through each host in the cluster you will be able to see that the encryption status is now ‘Enabled’

Thanks for reading!

VMWorld 2020 Registration is open!

This year, although we have lost the ability to travel and connect with people in person at this event, it has presented an opportunity to attend from the comfort of the home or office for many who have been unable to attend in person in previous years for a variety of reasons.

Don’t waste the opportunity! Head over to the website to register for this year’s VMWorld 2020! – https://www.vmworld.com/en/index.html. This year’s event is being held from 29th September to 1st October inclusive.

There are 2 pass options, and one of them is free! Why wouldn’t you attend?

Let me know in the comments if you’re attending!