While writing a Nagios plugin on Active Directory health, dcdiag /e /c got the good idea to give this alert:
Starting test: VerifyEnterpriseReferences The following problems were found while verifying various important DN references. Note, that these problems can be reported because of latency in replication. So follow up to resolve the following problems, only if the same problem is reported on all DCs for a given domain or if the problem persists after replication has had reasonable time to replicate changes. [1] Problem: Missing Expected Value Base Object: CN=myDC,OU=Domain Controllers,DC=mydomain,DC=net Base Object Description: "DC Account Object" Value Object Attribute Name: msDFSR-ComputerReferenceBL Value Object Description: "SYSVOL FRS Member Object" Recommended Action: See Knowledge Base Article: Q312862
Article Q312862 is not really helpful, but the underlying problem is true.
Since Windows 2008, AD replication is meant through DFS-R and not FRS anymore. But it implies to have only DC > Windows Server 2003.
So if your DC are updated enough, you can use dfsrmig to migrate, which main commands are:
Check global state:
PS C:usersmchateauDesktop> dfsrmig /GetGlobalState Current DFSR global state: 'Start' Succeeded.
Values can be:
0 'Start' 1 'Prepared' 2 'Redirected' 3 'Eliminated'
==>if you are already in DFS-R, state is Eliminated.
Check migration state:
PS C:usersmchateauDesktop> dfsrmig /GetMigrationState
All domain controllers have migrated successfully to the Global state ('Start').
Migration has reached a consistent state on all domain controllers.
Succeeded.
Go from start to Prepared:
PS C:usersmchateauDesktop> dfsrmig /SetGlobalState 1 Current DFSR global state: 'Start' New DFSR global state: 'Prepared' Migration will proceed to 'Prepared' state. DFSR service will copy the contents of SYSVOL to SYSVOL_DFSR folder. If any domain controller is unable to start migration, try manual polling. Or run with option /CreateGlobalObjects. Migration can start anytime between 15 minutes to 1 hour. Succeeded.
Check state (in progress):
PS C:usersmchateauDesktop> dfsrmig /GetMigrationState
The following domain controllers have not reached Global state ('Prepared'):
Domain Controller (Local Migration State) - DC Type
===================================================
myDC01 ('Start') - Writable DC
myDC02 ('Start') - Writable DC
myDC03 ('Start') - Primary DC
myDC04 ('Start') - Writable DC
Migration has not yet reached a consistent state on all domain controllers.
State information might be stale due to Active Directory Domain Services latency.
PS C:usersmchateauDesktop>
You just have to go through the last two steps, turn by turn:
dfsrmig /SetGlobalState 2 dfsrmig /SetGlobalState 3
In the end:
PS C:usersmchateauDesktop> dfsrmig /GetMigrationState
All domain controllers have migrated successfully to the Global state ('Eliminated').
Migration has reached a consistent state on all domain controllers.
Succeeded.
Thank you for this!