Migrating DFS from 2000 Mode to 2008 made like a piece of cake


This article guides you through migrating your DFS namespace mode from 2000 to 2008. At the same time, we'll migrate the DFS namespace servers from 2008 to 2016 while keeping the folder targets and replication groups intact, without any change.

This is a summary of Microsoft's procedure together with my lab migration configuration, step by step. I hope you find it useful and share it with others.


The Windows Server 2008 mode for domain-based namespaces includes support for access-based enumeration and increased scalability.

To migrate a domain-based namespace from Windows 2000 Server mode to Windows Server 2008 mode, you must export the namespace to a file, delete the namespace, recreate it in Windows Server 2008 mode, and then import the namespace settings. To do so, use the following procedure.


After raising the domain and forest functional levels to 2008, you need to restart the DFS services on the FSMO DC.


To migrate a domain-based namespace to Windows Server 2008 mode

Open a Command Prompt window and type the following command to export the namespace to a file, where \\domain\namespace is the name of the appropriate domain and namespace and path\filename is the path and file name of the export file:

On the source DC/DFS Server

Dfsutil root export \\domain\namespace C:\filename.xml



Write down the path (\\server\share) for each namespace server. You must manually add namespace servers to the recreated namespace because Dfsutil cannot import namespace servers.



In DFS Management, right-click the namespace and then click Delete, or type the following command at a command prompt, where \\domain\namespace is the name of the appropriate domain and namespace:

Dfsutil root remove \\domain\namespace


Let’s go refresh the console and see if it’s deleted there



Next remove



I will remove the rest of the namespaces


All have been removed. Now let's remove the namespaces from the display and observe what happens to the replication groups.



The replication groups were not affected.


In DFS Management, recreate the namespace with the same name, but use the Windows Server 2008 mode, or type the following command at a command prompt, where \\server\namespace is the name of the appropriate server and share for the namespace root:

Dfsutil root adddom \\server\namespace v2

I will use the UI instead of the command


Although we raised the forest and domain functional levels, the 2008 mode option is still greyed out. Let's try restarting the DFS services on the FSMO server.



After restarting the services on the FSMO server, we are able to see the “Enable Windows Server 2008 Mode” option.



Next, I will copy all the xml files to the new server and import them there

My new server is 2016


To import the namespace from the export file, type the following command at a command prompt, where \\domain\namespace is the name of the appropriate domain and namespace and path\filename is the path and file name of the file to import:

Dfsutil root import merge path\filename.xml \\domain\namespace


After the Import



I will continue to import the rest of the namespaces

First we need to create them with their matching namespaces from the GUI



Now I will import and merge the xml file



After adding the NEW folder, which already has a replication group from the previous mode, the replication group didn't show up at first.


But after navigating to NewFolder, clicking the Replication tab and then clicking “Navigate to the replication group”, the replication group appeared underneath Replication.


What has changed?

The only noticeable change is the namespace servers. Everything else is unchanged: the folder targets are still the same and replication is identical to the previous settings.

See this screenshot


Let’s check the access to the new namespace


Finally, let's import the last namespace and its configuration (PublicFolder)



Let's check the result in the GUI


Notice the replication group for the PF didn't appear, so let's do as explained before to show the replication group

Here we go


Right after this process finishes, the command produces a report with the time, the import status and other related settings such as site cost, timeout, etc.



To minimize the time that is required to import a large namespace, run the Dfsutil root import command locally on a namespace server.

Add any remaining namespace servers to the recreated namespace by right-clicking the namespace in DFS Management and then clicking Add Namespace Server, or by typing the following command at a command prompt, where \\server\share is the name of the appropriate server and share for the namespace root:

Dfsutil target add \\server\share


You can add namespace servers before importing the namespace, but doing so causes the namespace servers to incrementally download the metadata for the namespace instead of immediately downloading the entire namespace after being added as a namespace server.

From <https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753875(v=ws.11)>
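
A pre-flight check for the export and "write down the namespace servers" steps, to run before Dfsutil root remove. This is an added PowerShell example, not part of the original article or of Microsoft's procedure; the Root, Target and Link element names and the Server and Folder attributes are assumptions about the layout of the export file, and the namespace and file paths are the article's placeholders.

```powershell
# Added example, not from the original article. Run BEFORE "Dfsutil root remove".
param(
    [string]$Namespace  = '\\domain\namespace',   # placeholder from the article
    [string]$ExportFile = 'C:\filename.xml'       # placeholder from the article
)

# Export the namespace with the same command the article uses.
& dfsutil.exe root export $Namespace $ExportFile
if ($LASTEXITCODE -ne 0) { throw "dfsutil export failed (exit code $LASTEXITCODE)" }

# Load the export. Assumed layout: a <Root> element whose direct <Target>
# children are the namespace servers and whose <Link> children are the folders.
$doc = New-Object System.Xml.XmlDocument
$doc.Load($ExportFile)
$rootTargets = $doc.SelectNodes('/Root/Target')
$links       = $doc.SelectNodes('/Root/Link')

# Refuse to continue if the file does not contain what the import will need.
if ($rootTargets.Count -eq 0) {
    throw "No namespace servers found in $ExportFile; do not delete the namespace yet."
}

# Record every namespace server as \\server\share, because the import
# does not restore namespace servers.
$serverPaths = foreach ($t in $rootTargets) {
    '\\{0}\{1}' -f $t.GetAttribute('Server'), $t.GetAttribute('Folder')
}
$serverPaths | Set-Content -Path "$ExportFile.namespace-servers.txt"

"Namespace servers : $($serverPaths -join ', ')"
"Folders exported  : $($links.Count)"

# Commands to run after the namespace has been recreated and imported.
$serverPaths | ForEach-Object { "dfsutil target add $_" }
```

The script stops at the export; deleting, recreating and importing the namespace remain manual steps, so the recorded server list can be reviewed first.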

If you run into any other issues or are struggling, check out this link; it might be of use


Create a 10-year Certificate Template for Skype for Business, Exchange Server, etc.

Having a certificate template that lasts for years has become more of a need these days, because of the amount of time it takes to renew certificates on the servers that depend on them.

Some servers renew their certificates automatically through GPO auto-enrollment. However, when this doesn't work, or if you don't like dealing with GPO and its headaches, the best way to solve this is to create a template that lasts for some time and leaves you in peace.

Note that having a long-term certificate (10 years, for example) is not good practice, since encryption algorithms change over time and security issues come up every now and then. If you decide to follow this article and create a 10-year template for your servers, you will need to keep an eye on the latest news about certificates, encryption and signature algorithms so that your certificates are not exploitable.

To begin, I will tell a short story about a company that suffered production disasters because of this seemingly tiny problem.

A company called AP had deployed Lync 2013 (now Skype for Business) and decided to use the default CA template (Web Server), which lasts for 2 years by default.

This company called me when their Lync servers were all down and PSTN calls were not going through. The first thing that came to my mind was to check the services, and as soon as I saw that the services were not able to run, I checked the event log's Lync tab.

The errors were mostly referring to an expired certificate. Upon renewing the certificates for all servers, everything went back to normal, but that meant a long downtime and delayed the company's productivity.

This is where the idea of creating a long-lived template that lasts for 10 years came from. Achieving this on Exchange is done through the following steps:

On the CA server, find and open the Certification Authority MMC

Right-click Certificate Templates and click Manage


In the Certificate Templates console, right-click Web Server and click Duplicate Template


Select Windows Server 2003 Enterprise



Enable “Allow private key to be exported”



Select Enroll for Authenticated Users


Back in the Certification Authority console, right-click Certificate Templates, click New -> Certificate Template to Issue, and add the certificate template you created to the list.


Web Server V2 is on top


Let’s check it on Certserv IIS


The certificate is generated for 5 years. The reason is that the Certification Authority server's own certificate is limited to 5 years.

So the CA certificate's validity must be longer than the validity of the certificate the client requests.


Extending the validity period of the Certification Authority's issuing certificate

To change the validity period for the root CA you can configure a CAPolicy.inf. To create a CAPolicy.inf file that changes the lifetime of the certificate to 30 years, you would type the following into a text file and save it with the name CAPolicy.inf in the C:\Windows directory:


Signature= "$Windows NT$"




From <http://blogs.technet.com/b/xdot509/archive/2013/06/06/operating-a-windows-pki-renewing-ca-certificates.aspx>

After this you will need to renew the CA certificate from the CA console: right-click your certification authority and choose All Tasks -> Renew CA Certificate


When you click Renew CA Certificate, you will get the following prompt asking you to stop the CA in order to renew its certificate. Click Yes


Once you click Yes, the service stops and a window asks whether you would like to generate a new public and private key pair. It's up to you whether to use a new key pair or not, but if you choose Yes, the clients using the old certificate might be affected and you might need to install the new CA certificate on all clients using GPO.

Click Ok


After clicking OK you will see that the new CA certificate has been generated, and you can then issue client certificates.


To allow the CA to issue certificates with a lifetime longer than the default (2 years), you must run the following commands from a command prompt on the CA server.


Run the certutil commands below to change the maximum lifetime of certificates issued by the CA, then restart the CA service

certutil -setreg ca\validityperiodunits 30
certutil -setreg ca\validityperiod years
net stop certsvc
net start certsvc

Now when you generate a new certificate for your Exchange server or any other application, choose the new template, which is valid for 30 years.
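
The 5-year result seen earlier comes from three limits applying at once: the template's validity, the CA registry values changed with certutil -setreg, and the CA certificate's own expiry. The following added PowerShell example (not part of the original article) reads the last two on the CA server and reports which limit caps a certificate issued now; the 10-year template validity and the temporary file name are assumptions.

```powershell
# Added example, not from the original article. Run elevated on the CA server.
param([int]$TemplateYears = 10)   # assumed validity configured on the duplicated template

function Add-Period([datetime]$From, [string]$Period, [int]$Units) {
    # ValidityPeriod in the CA registry is a unit name; ValidityPeriodUnits is the count.
    switch ($Period) {
        'Years'  { return $From.AddYears($Units) }
        'Months' { return $From.AddMonths($Units) }
        'Weeks'  { return $From.AddDays(7 * $Units) }
        'Days'   { return $From.AddDays($Units) }
        'Hours'  { return $From.AddHours($Units) }
        default  { throw "Unexpected ValidityPeriod value '$Period'" }
    }
}

# CA-wide cap: the values that "certutil -setreg ca\validityperiod..." changes.
$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $base).Active
$cfg    = Get-ItemProperty -Path "$base\$caName"

# The CA's own certificate: "certutil -ca.cert" writes it to a file.
$caCertFile = Join-Path $env:TEMP 'ca-cert-check.cer'   # assumed scratch file name
& certutil.exe -f -ca.cert $caCertFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -ca.cert failed (exit code $LASTEXITCODE)" }
$caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $caCertFile

# Turn each limit into the latest expiry date it allows, earliest first.
$now = Get-Date
$limits = @(
    [pscustomobject]@{ Limit = "Template validity ($TemplateYears years)"
                       NotAfter = $now.AddYears($TemplateYears) }
    [pscustomobject]@{ Limit = "CA registry ($($cfg.ValidityPeriodUnits) $($cfg.ValidityPeriod))"
                       NotAfter = Add-Period $now $cfg.ValidityPeriod $cfg.ValidityPeriodUnits }
    [pscustomobject]@{ Limit = 'CA certificate expiry'
                       NotAfter = $caCert.NotAfter }
) | Sort-Object NotAfter

$limits | Format-Table -AutoSize
"A certificate issued now would expire on $($limits[0].NotAfter.ToString('yyyy-MM-dd')), capped by: $($limits[0].Limit)"
```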