[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now


KCC Not Creating New Active Directory Domain Services Connection

Posted on 2011-03-08
Medium Priority
Last Modified: 2012-05-11
Hi, I have a situation with three domain controllers that I'm perplexed about.

Firstly, we have two sites.  We'll call the domain controllers North1, North2, and South1.  North1 and South1 run Server 2003, North2 runs Server 2008 R2.

North1 and South1 are the DCs for two different sites.  North1 is old, so we're replacing it.  I installed North2 and promoted it to a domain controller a couple weeks ago, and everything has been going well.  As it stands now, there are AD links between South1 and North1, and North1 and North2, but not North2 and South1.  To test if KCC would do its thing, I shut down North1 over the weekend.  I waited a couple hours and checked on it, and no links were created, and I was presented with several repeating Event log messages.  

About 1 hour after shutting it down,  Igot event ID 1404, "This directory service is now the intersite topology generator and has assumed responsibility for generating and maintaining intersite replication topologies for this site."

30 minutes after that, event ID 1308 came up, saying basically that it could not contact North1, and that it was going to create a temporary connection that would be removed once North1 was back up.  

From there, it repeated event IDs 1566, 1311, and 1865 over and over for a couple hours until I powered North1 on again.  

1566: All directory servers in the following site that can replicate the directory partition over this transport are currently unavailable.

1865: The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.

1311: There is insufficient site connectivity information for the KCC to create a spanning tree replication topology. Or, one or more directory servers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible directory servers.
User Action
Perform one of the following actions:
- Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.
- Add a Connection object to a directory service that contains the directory partition in this site from a directory service that contains the same directory partition in another site.
If neither of the tasks correct this condition, see previous events logged by the KCC that identify the inaccessible directory servers.

DCDIAG checks out okay (at least right now, I didn't test much while North1 was down).  I've been reading up on using repadmin to troubleshoot, and from what I can see all replication is fine, it's just when I took North1 down, it couldn't do what it needed to do, and I'm not really understanding from the errors what might be preventing it from working.  

Additionally, the inter-site transports are set up under IP.  There are two (I don't know why, someone else set this up long before I was involved).  One looks like the default one, one looks user created.  The default one has a cost of 100 and replicates every 180 minutes, the user created one has a cost of 200 and replicates every 60 minutes (I assume that one isn't being used).  Don't know if this could effect things at all, but thought I'd mention it.
Question by:netperf
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
LVL 11

Expert Comment

ID: 35070995
when you bring North1 down, the KCC (on North2 i assume) informs you that is now responsible for the intersite topology generator and that some temporary new links (with South1) were created while North1 (elected as bridgehead server for almost all NCs i assume) was down.
so for me seems good.
you can check that each site has the properly subnet configured, and you can delete all ntds connections and force the KCC to create them using the:
repadmin /kcc

Author Comment

ID: 35118068
I have the DC North1 down again (almost for 24 hours now, will be keeping it off for the weekend).  I haven't looked at it much yet, but replication definitely isn't occurring (I modified the login script on North2 4 hours ago, and it hasn't changed on South1 yet).  I'll be looking into it and have more information in a little while.

Author Comment

ID: 35118148
Not sure what information I can post that would be helpful.  I ran repadmin /kcc and that didn't seem to change anything, is it safe to delete the ntds stuff in ADS&S and run it?  All I got for output when I ran it without changing anything was:

Repadmin: running command /kcc against full DC localhost
Current Site Options: (none)
Consistency check on localhost successful.

Open in new window

DCDIAG fails on replications and kcc tests (which isn't surprising).  

REPADMIN /showreps gives errors like:

DSA object GUID: fcb888b3-df20-4a64-97b9-2b6945231fed
Last attempt @ 2011-03-12 16:56:57 failed, result 1722 (0x6ba):
    The RPC server is unavailable.
19 consecutive failure(s).
Last success @ 2011-03-11 22:13:06.

Open in new window

Any idea what I should do from here?  I'm a little hesitant to start mucking around in AD S&S too much, but if someone can tell me exactly what they think I should do I'd be willing to give it a try.  Thanks!

Accepted Solution

netperf earned 0 total points
ID: 35138159
I believe I figured out my problem.  North1 was configured as the Bridgehead Server.  Once I removed that, and made North2 a Bridgehead Server in Sites & Services, I forced it to check topology again and it built the links that I was hoping to see.  

Author Closing Comment

ID: 35174514
Figured out my issue myself.

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Suggested Courses

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question