Solved

KCC Not Creating New Active Directory Domain Services Connection

Posted on 2011-03-08
5
2,819 Views
Last Modified: 2012-05-11
Hi, I have a situation with three domain controllers that I'm perplexed about.

Firstly, we have two sites.  We'll call the domain controllers North1, North2, and South1.  North1 and South1 run Server 2003, North2 runs Server 2008 R2.

North1 and South1 are the DCs for two different sites.  North1 is old, so we're replacing it.  I installed North2 and promoted it to a domain controller a couple weeks ago, and everything has been going well.  As it stands now, there are AD links between South1 and North1, and North1 and North2, but not North2 and South1.  To test if KCC would do its thing, I shut down North1 over the weekend.  I waited a couple hours and checked on it, and no links were created, and I was presented with several repeating Event log messages.  

About 1 hour after shutting it down,  Igot event ID 1404, "This directory service is now the intersite topology generator and has assumed responsibility for generating and maintaining intersite replication topologies for this site."

30 minutes after that, event ID 1308 came up, saying basically that it could not contact North1, and that it was going to create a temporary connection that would be removed once North1 was back up.  

From there, it repeated event IDs 1566, 1311, and 1865 over and over for a couple hours until I powered North1 on again.  

1566: All directory servers in the following site that can replicate the directory partition over this transport are currently unavailable.

1865: The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.

1311: There is insufficient site connectivity information for the KCC to create a spanning tree replication topology. Or, one or more directory servers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible directory servers.
User Action
Perform one of the following actions:
- Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.
- Add a Connection object to a directory service that contains the directory partition in this site from a directory service that contains the same directory partition in another site.
If neither of the tasks correct this condition, see previous events logged by the KCC that identify the inaccessible directory servers.

DCDIAG checks out okay (at least right now, I didn't test much while North1 was down).  I've been reading up on using repadmin to troubleshoot, and from what I can see all replication is fine, it's just when I took North1 down, it couldn't do what it needed to do, and I'm not really understanding from the errors what might be preventing it from working.  

Additionally, the inter-site transports are set up under IP.  There are two (I don't know why, someone else set this up long before I was involved).  One looks like the default one, one looks user created.  The default one has a cost of 100 and replicates every 180 minutes, the user created one has a cost of 200 and replicates every 60 minutes (I assume that one isn't being used).  Don't know if this could effect things at all, but thought I'd mention it.
0
Comment
Question by:netperf
  • 4
5 Comments
 
LVL 11

Expert Comment

by:Tasmant
ID: 35070995
when you bring North1 down, the KCC (on North2 i assume) informs you that is now responsible for the intersite topology generator and that some temporary new links (with South1) were created while North1 (elected as bridgehead server for almost all NCs i assume) was down.
so for me seems good.
you can check that each site has the properly subnet configured, and you can delete all ntds connections and force the KCC to create them using the:
repadmin /kcc
0
 

Author Comment

by:netperf
ID: 35118068
I have the DC North1 down again (almost for 24 hours now, will be keeping it off for the weekend).  I haven't looked at it much yet, but replication definitely isn't occurring (I modified the login script on North2 4 hours ago, and it hasn't changed on South1 yet).  I'll be looking into it and have more information in a little while.
0
 

Author Comment

by:netperf
ID: 35118148
Not sure what information I can post that would be helpful.  I ran repadmin /kcc and that didn't seem to change anything, is it safe to delete the ntds stuff in ADS&S and run it?  All I got for output when I ran it without changing anything was:

Repadmin: running command /kcc against full DC localhost
North
Current Site Options: (none)
Consistency check on localhost successful.

Open in new window


DCDIAG fails on replications and kcc tests (which isn't surprising).  

REPADMIN /showreps gives errors like:

DSA object GUID: fcb888b3-df20-4a64-97b9-2b6945231fed
Last attempt @ 2011-03-12 16:56:57 failed, result 1722 (0x6ba):
    The RPC server is unavailable.
19 consecutive failure(s).
Last success @ 2011-03-11 22:13:06.

Open in new window


Any idea what I should do from here?  I'm a little hesitant to start mucking around in AD S&S too much, but if someone can tell me exactly what they think I should do I'd be willing to give it a try.  Thanks!
0
 

Accepted Solution

by:
netperf earned 0 total points
ID: 35138159
I believe I figured out my problem.  North1 was configured as the Bridgehead Server.  Once I removed that, and made North2 a Bridgehead Server in Sites & Services, I forced it to check topology again and it built the links that I was hoping to see.  
0
 

Author Closing Comment

by:netperf
ID: 35174514
Figured out my issue myself.
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

Introduction You may have a need to setup a group of users to allow local administrative access on workstations.  In a domain environment this can easily be achieved with Restricted Groups and Group Policies. This article will demonstrate how to…
Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now