• Status: Solved
  • Priority: Medium
  • Security: Public

Active Directory Error Event ID 1311

Here is my Domain Setup.
1 Forest - Abacus-Corp
2 Domains - Abacus-corp and Abacus-winhost

I have 7 DC's total.  2 DC's (ad1 and ad2) in Abacus-corp are located together and hold all the roles and I have 3 off site DC's and I want them to only replicate to those 2 (ad1/ad2).  Basically a hub and spoke model for topology.

I then want the 2 DC's in winhost to replicate to only ad1/2 as well, but I am getting this error in one of my offsite DC's.

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          2/10/2009 2:31:24 PM
Event ID:      1311
Task Category: Knowledge Consistency Checker
Level:         Error
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      AD5.abacus-corp.com
Description:
The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition. 
 
Directory partition:
CN=Configuration,DC=abacus-corp,DC=com 
 
There is insufficient site connectivity information for the KCC to create a spanning tree replication topology. Or, one or more directory servers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible directory servers. 
 
User Action 
Perform one of the following actions: 
- Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option. 
- Add a Connection object to a directory service that contains the directory partition in this site from a directory service that contains the same directory partition in another site. 
 
If neither of the tasks correct this condition, see previous events logged by the KCC that identify the inaccessible directory servers.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS KCC" />
    <EventID Qualifiers="49152">1311</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>1</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2009-02-10T20:31:24.372Z" />
    <EventRecordID>126381</EventRecordID>
    <Correlation />
    <Execution ProcessID="564" ThreadID="1576" />
    <Channel>Directory Service</Channel>
    <Computer>AD5.abacus-corp.com</Computer>
    <Security UserID="S-1-5-7" />
  </System>
  <EventData>
    <Data>CN=Configuration,DC=abacus-corp,DC=com</Data>
  </EventData>
</Event>


0
LrdKanien
Asked:
 
Mike Kline Commented:
How do you have your site links set up right now?

Have you looked at this article?

http://technet.microsoft.com/en-us/library/cc740252.aspx
Event ID 1311: Replication configuration does not reflect the physical network

Thanks
Mike
0
 
LrdKanien (Author) Commented:
Every site was in the default site link.  How should I configure it to achieve this?
0
 
Mike Kline Commented:
So right now you have all the sites in Sites and Services and the domain controllers in the sites, but all just using the default site link?
0
 
LrdKanien (Author) Commented:
Yes, currently I'm at the point where I have everything subnetted out and assigned to sites, but I do not have separate site links.  I am experimenting with that now.  My assumption is that I have to create a site link for every remote DC and map that site link from the remote site to the hub.  
0
 
Mike Kline Commented:
Your assumption is right; if you have your site design drawn out, it makes it easy.
So for example you would have a site link between remotesite and hub/main site.
0
 
LrdKanien (Author) Commented:
What about the option in AD Sites & Services > Inter-Site Transports > IP > Properties > Bridge all site links?

I don't want my office in PHX contacting my office in KC.  I want them contacting my HUB and my HUB contacting them, but not them contacting each other.
0
 
Mike Kline Commented:
If you have the site links between PHX-Hub and then KC-Hub, then that is how they will replicate.
PHX replicates with Hub, and Hub replicates with KC. Now, let's say Hub drops dead. PHX will create a connection with KC; that is what happens if Bridge all site links is enabled (if your network is fully routed).
It is generally recommended to keep it on.
http://technet.microsoft.com/en-us/library/cc778718.aspx
 
0
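The per-site link layout discussed above, as an added example that is not part of the thread: it creates one site link per remote site to the hub, flags any link (such as the default one) that still joins spokes directly, and reads the "Bridge all site links" state. It assumes the ActiveDirectory PowerShell module is available; the site names `Hub`, `PHX` and `KC` are placeholders taken from the discussion.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT).
# 'Hub', 'PHX' and 'KC' stand in for the real site names (assumption).
Import-Module ActiveDirectory

$hub    = 'Hub'
$spokes = 'PHX', 'KC'

# One site link per spoke, each containing only that spoke and the hub.
foreach ($spoke in $spokes) {
    $name = "$spoke-$hub"
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$name'")) {
        New-ADReplicationSiteLink -Name $name -SitesIncluded $spoke, $hub `
            -InterSiteTransportProtocol IP -Cost 100 -ReplicationFrequencyInMinutes 15
    }
}

# Report every site link that still puts two or more spokes in the same link.
# With all sites in the default link, that link is reported here.
foreach ($link in Get-ADReplicationSiteLink -Filter *) {
    # SitesIncluded holds site DNs; keep only the leading CN value.
    $sites = $link.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }
    $spokesInLink = @($sites | Where-Object { $_ -in $spokes })
    if ($spokesInLink.Count -gt 1) {
        Write-Warning "$($link.Name) joins spokes directly: $($spokesInLink -join ', ')"
    }
}

# "Bridge all site links" is stored on the IP transport object:
# bit 0x2 set in 'options' means bridging is turned OFF.
$configNC = (Get-ADRootDSE).configurationNamingContext
$ip = Get-ADObject "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC" -Properties options
$bridged = -not ([int]$ip.options -band 2)
"Bridge all site links enabled: $bridged"
```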
 
LrdKanien (Author) Commented:
HUB don't go down. :)

As a last response can you give me some commands to check replication between HUB and a Site?  I made a change and did a repadmin /syncall and went to a site and it didn't replicate for 10 minutes or so.
0
 
Mike Kline Commented:
I like the confidence in the hub.
repadmin /showreps from the DC will show you status.
repadmin /showrepl is another command that will help you.
http://technet.microsoft.com/en-us/library/cc736355.aspx
dcdiag is another great tool.
Thanks
Mike
0
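A way to turn the `repadmin /showrepl` check into a repeatable report, as an added example that is not part of the thread: it lists failing replication links, flags links that run between two non-hub sites, and pulls the two events quoted on this page (1311 and 5719) from each DC. The hub site name `Hub` and the 24-hour window are assumptions, and the DC names reported by repadmin are assumed to resolve as host names.

```powershell
# Added example, not from the thread. Run where repadmin is available (a DC or a
# workstation with RSAT) under an account that can read the DCs' event logs.
$hubSite = 'Hub'                         # assumption: name of the hub site
$since   = (Get-Date).AddHours(-24)      # assumption: look-back window

# Inbound replication links of every DC, parsed from repadmin's CSV output.
$links = repadmin /showrepl * /csv | ConvertFrom-Csv

# 1. Links with recorded failures.
$links | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Format-Table 'Destination DSA', 'Source DSA', 'Naming Context',
        'Number of Failures', 'Last Failure Status', 'Last Success Time' -AutoSize

# 2. Inter-site links where neither end is in the hub site (spoke to spoke).
$links | Where-Object {
        $_.'Source DSA Site' -ne $hubSite -and
        $_.'Destination DSA Site' -ne $hubSite -and
        $_.'Source DSA Site' -ne $_.'Destination DSA Site'
    } |
    Format-Table 'Source DSA Site', 'Source DSA',
        'Destination DSA Site', 'Destination DSA' -AutoSize

# 3. The two events from this page: KCC 1311 and NETLOGON 5719.
$watch = @(
    @{ LogName = 'Directory Service'; Id = 1311 },
    @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5719 }
)
$dcs = $links.'Destination DSA' | Where-Object { $_ } | Sort-Object -Unique
$events = foreach ($dc in $dcs) {
    foreach ($w in $watch) {
        $filter = $w.Clone()
        $filter.StartTime = $since
        # Get-WinEvent raises an error when nothing matches; suppress it.
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
            Select-Object MachineName, TimeCreated, Id,
                @{ n = 'Detail'; e = { $_.Properties[0].Value } }   # partition DN or domain name
    }
}
$events | Sort-Object TimeCreated | Format-Table -AutoSize
```

Between sites, replication runs on the site link's interval rather than by change notification, so a change can legitimately take that long to appear at a remote site.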
 
LrdKanien (Author) Commented:
Mike - The site link configuration cleaned up the 1311 KCC errors.  I would open another question, but you seem to have a solid understanding of my setup and AD so I'm going to attach the last event I have a problem with.  

Thanks!
Log Name:      System
Source:        NETLOGON
Date:          2/10/2009 6:02:45 PM
Event ID:      5719
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      AD5.abacus-corp.com
Description:
This computer was not able to set up a secure session with a domain controller in domain ABACUS-WINHOST due to the following: 
There are currently no logon servers available to service the logon request. 
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.  
 
ADDITIONAL INFO 
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="NETLOGON" />
    <EventID Qualifiers="0">5719</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2009-02-11T00:02:45.000Z" />
    <EventRecordID>25744</EventRecordID>
    <Channel>System</Channel>
    <Computer>AD5.abacus-corp.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>ABACUS-WINHOST</Data>
    <Data>%%1311</Data>
    <Binary>5E0000C0</Binary>
  </EventData>
</Event>


0
 
LrdKanien (Author) Commented:
Thanks for everything.
0
 
Mike Kline Commented:
0
 
LrdKanien (Author) Commented:
Yes.  I do not want this remote DC talking to a DC in another Domain even though it is in the same Forest.  It is not fully "routed" between the two.  The only parts that are fully routed are between the remote offices and the hub.
0
 
LrdKanien (Author) Commented:
Mike - can I stop netlogon on the remote DC from contacting the DC in the other domain in the forest?
Log Name:      System
Source:        NETLOGON
Date:          2/11/2009 1:20:07 PM
Event ID:      5719
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      AD5.abacus-corp.com
Description:
This computer was not able to set up a secure session with a domain controller in domain ABACUS-WINHOST due to the following: 
There are currently no logon servers available to service the logon request. 
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.  
 
ADDITIONAL INFO 
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="NETLOGON" />
    <EventID Qualifiers="0">5719</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2009-02-11T19:20:07.000Z" />
    <EventRecordID>28473</EventRecordID>
    <Channel>System</Channel>
    <Computer>AD5.abacus-corp.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data>ABACUS-WINHOST</Data>
    <Data>%%1311</Data>
    <Binary>5E0000C0</Binary>
  </EventData>
</Event>


0
