Upgrading your domain and forest functional levels is a simple task once the new domain controllers are in place and the old ones are decommissioned. But what about the features that take advantage of the upgraded functional levels? There are two important things to do as a domain is upgraded to the 2008 and 2008 R2 functional levels: migrate SYSVOL to DFS replication and enable the AD Recycle Bin.
Although these features have been available for a long time, it’s good to revisit items like these occasionally. Although many domains are using them, there are plenty of environments that have yet to take advantage.
SYSVOL DFS Replication
The Windows Server 2008 domain functional level introduces the ability to use DFS for replicating SYSVOL content among domain controllers. Prior to server 2008, SYSVOL was replicated using FRS - File Replication Service. For domains set up in Windows Server 2008 and later, SYSVOL replication is done using DFS-R - Distributed File System replication. What about domains that started at the Server 2003 or earlier level and are then upgraded to 2008 or later? For these domains, FRS will continue to be used for SYSVOL replication until it is manually migrated to DFS by an administrator. Note that the SYSVOL replicated folder contains both the NETLOGON and SYSVOL shares that are present on each DC.
Migrating to DFS replication has a few key advantages:
- Windows Server 2019 does not support FRS replication for SYSVOL. Before introducing a Windows Server 2019 domain controller, SYSVOL must be migrated to DFS.
- FRS is a legacy technology that was officially deprecated in Server 2008 R2, which was released 9 years ago in 2009. As such, no improvements or bug fixes have been released in nearly 10 years.
- DFS has significant improvements over FRS, including better monitoring capabilities, decreased bandwidth usage, and better scalability.
Many guides have been written covering how to migrate to DFS replication for the SYSVOL folder, including the official guide in the documentation and a blog post by the storage team at Microsoft. You can refer to those for the step-by-step process. However, the high level steps are:
- Ensure replication is healthy throughout the domain. The migration to DFS uses standard AD replication to communicate the changes to all DCs. Unhealthy replication can hinder the ability to successfully migrate.
- Ensure you have an up-to-date system state backup of a healthy DC. This will be used in the unlikely event of a significant issue during the migration.
- Ensure the domain functional level is Windows Server 2008 or higher.
- Use the dfsrmig.exe tool to perform the migration, pausing at each stage to ensure the change has replicated to all DCs.
Once the migration is complete, no other actions are immediately necessary. However, you may want to take advantage of DFS's monitoring capabilities going forward.
Active Directory Recycle Bin
Once the forest functional level reaches Windows Server 2008 R2 or later, the Active Directory Recycle Bin becomes available. The AD Recycle Bin provides a way to restore deleted AD objects, like users and groups, in their entirety. This can be done through simple PowerShell commands or through the AD Admin Center in Server 2012 and later. Keep in mind that the recycle bin is a forest-wide configuration. It is enabled on the root domain of the forest and effects any child domains that exist.
Without the AD Recycle Bin, there are two ways to recover deleted objects. The first is reanimating them out of the tombstoned state using ldp.exe or adrestore.exe. Doing this retains the object's name and SID but no other attributes. For example, user passwords, group memberships, and Exchange attributes are lost when taking this approach. Alternatively, objects can be recovered by restoring a system state backup of a domain controller and recovering the deleted objects with an authoritative restore. Although this does retain all of the object's attributes, it is a very time consuming process that is prone to errors.
The AD Recycle Bin solves these challenges by making it quick and easy to restore objects and by keeping all of their attributes during the restoration process. The only drawback to the AD Recycle Bin is it can increase the size of your Active Directory database. Each deleted object is maintained for the duration of the Deleted Object Lifetime plus the Tombstone Lifetime. Whereas without the recycle bin, objects are purged after just the Tombstone Lifetime. In an environment with extremely heavy turnover of objects, this overhead should be taken into consideration. However, this shouldn't be an issue for most environments.
Enabling the recycle bin is easy, but it can't be disabled once it's turned on. Ensure that a good system state backup of a domain controller has been taken recently in case the change needs to be undone. To enable the feature run these PowerShell commands, replacing root_domain_name with the DNS name of the root domain in the forest.
Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target root_domain_name
Additionally, you can use the Active Directory Admin Center in Server 2012 or later to enable the recycle bin without using PowerShell:
Restoring a deleted user named JohnDoe is as easy as this PowerShell command:
Get-ADObject -Filter 'samaccountname -eq "JohnDoe"' -IncludeDeletedObjects | Restore-ADObject
For more examples on restoring objects and using the recycle bin, see this blog post from the directory services team.
Although both of these features – DFS-R SYSVOL replication and the AD Recycle Bin – are optional, all modern domains should take advantage of both of them. Since they don't provide a huge benefit in day to day operations, they're easy to overlook. However as soon as a user is accidentally deleted and must be restored, you will be grateful for the AD Recycle Bin. And if you plan on moving to Windows Server 2019, the switch to DFS replication for the SYSVOL folder is mandatory.