Solved

KCC Replication

Posted on 2011-09-08
Last Modified: 2012-05-12
Is there a way to force KCC to recreate the "automatically generated" connection between domain controllers at different sites?

I know it can be done manually but am hoping to force the system to do it.
0
Question by:EKITA
11 Comments
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 200 total points
You can run repadmin /kcc: http://technet.microsoft.com/en-us/library/cc742173(WS.10).aspx

The KCC runs every 15 minutes by default.

Thanks

Mike
0
 
LVL 7

Expert Comment

by:BobintheNoc
If you break the availability of all existing manually configured replication connections, KCC will auto kick in and generate new connections.  By breaking, I mean disrupting that particular connection's ability to function.  The resulting KCC automatics will only build working connections, so it's not the best.  For example, if for a site you have a DC2 connecting ONLY to DC1, and DC1 is the only connector to your other sites, KCC will kick in once it realizes it cannot reach DC1.  The resulting automatic will only be to DC2, leaving DC1 out of the loop.

To cause the connection to fail, you'd have to do something drastic, like power down the DC that's manually configured, or disable its NIC, etc.  Not very elegant.

Alternatively, when you CHANGE a replication schedule value, such as increasing or decreasing the interval, this will trigger KCC to re-examine/execute.  This may not create the AUTO connections though, if the manually configured entries are there.
0
 
LVL 57

Expert Comment

by:Mike Kline
Generally the KCC does a good job and you should not need manual connections.  Good blog by Mark with more info here:

http://blogs.technet.com/b/markmoro/archive/2011/08/05/you-are-not-smarter-than-the-kcc.aspx

Thanks

Mike
0
 

Author Comment

by:EKITA
mkline71,

I followed the steps outlined in the blog; however, when I run repadmin /kcc, it deletes the newly created connection.
0
 
LVL 24

Expert Comment

by:Sandeshdubey
It may delete the unwanted connection. Along with repadmin /kcc, also run repadmin /syncall /AdeP on all the DCs and wait for some interval for the replication to take place.
0

 
LVL 7

Expert Comment

by:BobintheNoc
Kind of thinking that if you remove all existing connections and trigger the KCC with repadmin, it'll create all the auto connections?
0
 

Author Comment

by:EKITA
I’m upping the points on this one.

Here is the complete picture:

We have two sites. SiteA and SiteB.
SiteA has two DCs and SiteB has one. All DCs are GCs

One of the DCs at SiteA was demoted and re-promoted back to a DC without enough time allotted for AD to replicate to all DCs across sites.

The fallout is that the newly promoted DC at SiteA is not replicating to the DC at SiteB. However, the DC at SiteB is replicating successfully both ways to the other DC at SiteA.

I get the following errors:
The following error occurred during the attempt to synchronize the naming context domainname.local from domain controller “new promoted DC at Site A” to “DC at Site B”. The naming context is in the process of being removed or is not replicated from the specified server. The operation will not continue.

 I also see event 1272 on the new DC.
0
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 300 total points
As you have mentioned, in Site A one of the DCs was demoted. Was the demotion graceful? If not, was it removed forcefully, and if it was removed forcefully, have you run metadata cleanup to remove the instances from the AD database and DNS? It seems that the DC is not promoted properly.

However, can you post the dcdiag /q and repadmin /replsum output of the DCs in SiteA and SiteB? This will give a clear picture.
0
 

Author Comment

by:EKITA
DC1 - Rebuilt DC at SITE A
----------------------------
DCDIAG:

         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have             Replicating Directory Changes In Filtered Set
         access rights for the naming context:         DC=ForestDnsZones,DC=domainname,DC=com
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have             Replicating Directory Changes In Filtered Set
         access rights for the naming context:         DC=DomainDnsZones,DC=domainname,DC=com
         ......................... DC1 failed test NCSecDesc

REPLSUM:

Replication Summary Start Time: 2011-09-16 12:35:00
Beginning data collection for replication summary, this may take awhile:

Source DSA          largest delta    fails/total %%   error

 DC1                      40m:52s    0 /   5    0  
 DC2                      46m:28s    0 /  10    0  
 DC3                      40m:52s    0 /   5    0  
 
Destination DSA     largest delta    fails/total %%   error

 DC1                      46m:28s    0 /   5    0  
 DC2                      40m:52s    0 /  10    0
 DC3                      40m:08s    0 /   5    0  
-----------------------------------------------------------------------------------------------------------------------------------
DC2 - Other DC at SITE A

DCDIAG

         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have             Replicating Directory Changes In Filtered Set
         access rights for the naming context:         DC=ForestDnsZones,DC=domainname,DC=com
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have             Replicating Directory Changes In Filtered Set
         access rights for the naming context:         DC=DomainDnsZones,DC=domainname,DC=com
         ......................... DC2 failed test NCSecDesc
             
REPLSUM:

Replication Summary Start Time: 2011-09-16 12:46:03

Beginning data collection for replication summary, this may take awhile:

Source DSA          largest delta    fails/total %%   error
 DC1                      51m:55s    0 /   5    0  
 DC2                      57m:31s    0 /  10    0  
 DC3                      51m:55s    0 /   5    0  

Destination DSA     largest delta    fails/total %%   error
 DC1                      57m:31s    0 /   5    0  
 DC2                      51m:55s    0 /  10    0
 DC3                      51m:11s    0 /   5    0  
             

DC3 - Remote DC at SITE B
-----------------------------------------------------------------------------------------------------------------------------------
DCDIAG

         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have             Replicating Directory Changes In Filtered Set
         access rights for the naming context:         DC=ForestDnsZones,DC=domainname,DC=com
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have             Replicating Directory Changes In Filtered Set
         access rights for the naming context:         DC=DomainDnsZones,DC=domainname,DC=com
         ......................... DC3 failed test NCSecDesc
             
REPLSUM:
Replication Summary Start Time: 2011-09-16 17:52:24
Beginning data collection for replication summary, this may take awhile:

Source DSA          largest delta    fails/total %%   error

 DC1                      58m:16s    0 /   5    0  
 DC2                      57m:31s    0 /  10    0  
 DC3                      58m:16s    0 /   5    0  

Destination DSA     largest delta    fails/total %%   error

 DC1                      03m:53s    0 /   5    0  
 DC2                      58m:19s    0 /  10    0  
 DC3                      57m:35s    0 /   5    0





             

0
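As an added example (not part of the thread and not a Microsoft tool), this Python script parses saved repadmin /replsum output in the column layout posted above and flags rows with failed links or a largest delta above a threshold. The 60-minute default threshold, the function names, and the handling of h and d delta fields are assumptions.

```python
import re

# Constructed input: the REPLSUM tables in the shape posted for DC1 above.
SAMPLE = """\
Source DSA          largest delta    fails/total %%   error
 DC1                      40m:52s    0 /   5    0
 DC2                      46m:28s    0 /  10    0
 DC3                      40m:52s    0 /   5    0
Destination DSA     largest delta    fails/total %%   error
 DC1                      46m:28s    0 /   5    0
 DC2                      40m:52s    0 /  10    0
 DC3                      40m:08s    0 /   5    0
"""

# Data rows are indented: name, largest delta, fails / total, percent, error text.
ROW = re.compile(r"^\s+(\S+)\s+(\S+)\s+(\d+)\s*/\s*(\d+)\s+(\d+)\s*(.*)$")
UNIT = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def delta_seconds(text):
    """'40m:52s' -> 2452. Returns None when no <number><unit> field is found."""
    fields = re.findall(r"(\d+)([dhms])", text)
    return sum(int(n) * UNIT[u] for n, u in fields) if fields else None

def parse_replsum(text):
    """Return one dict per table row; 'role' is 'Source' or 'Destination'."""
    rows, role = [], None
    for line in text.splitlines():
        if re.match(r"(Source|Destination) DSA\b", line):
            role = line.split()[0]
            continue
        m = ROW.match(line)
        if role and m:
            dsa, delta, fails, total, _pct, err = m.groups()
            rows.append({"role": role, "dsa": dsa, "delta_s": delta_seconds(delta),
                         "fails": int(fails), "total": int(total), "error": err.strip()})
    return rows

def findings(rows, max_delta_s=3600):
    """Flag failed links and stale or unreadable deltas (threshold is an assumption)."""
    out = []
    for r in rows:
        if r["fails"]:
            out.append((r["role"], r["dsa"], "%d of %d links failing" % (r["fails"], r["total"])))
        if r["delta_s"] is None or r["delta_s"] > max_delta_s:
            out.append((r["role"], r["dsa"], "largest delta over threshold or unreadable"))
    return out

if __name__ == "__main__":
    print(findings(parse_replsum(SAMPLE)) or "no failing or stale links in this summary")
```

The summary only covers replication links that exist, so it is worth reading the total column for each DC next to its fails column.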
 
LVL 24

Expert Comment

by:Sandeshdubey
All three DCs are in sync; the dcdiag and repadmin output shows no issues with any of the DCs.
It seems that the KCC has removed the unwanted connection and the required site connection is established.

0
 

Author Comment

by:EKITA
I manually recreated the connection between DC1 & DC3. However, when I right-click and select "replicate now", I get this error: "The following error occurred during the attempt to synchronize naming context domainname.com from Domain Controller DC1 to Domain Controller DC3: The naming context is in the process of being removed or is not replicated from the specified server." This operation will not continue.
0
