Do subdomains need to contact each other, and why?
Posted on 2012-08-23
Need help with the following:
We have several subdomains in my company's network, each in a remote location, each over an IPsec VPN. Let's call my remote sites 1 and 2 and my central site HQ.
Everything is Windows 2008 R2. Everything works fine (so far) except for an error I see in Event Viewer. The KCC tries to map the Active Directory topology, and it seems the domain controller in site 1 tries to connect to the DC in site 2, and it fails. Now, both of those sites are remote sites. Actually, I DON'T want those 2 sites to be able to access each other.
I could fix this via firewalling and just let the DC-related traffic through, but do I really need this?
I did remove the replication object between the DCs in sites 1 and 2; however, I get the following errors:
1925 (The attempt to establish a replication link for the following writable directory partition failed. )
1865 (The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site. )
1311 (There is insufficient site connectivity information for the KCC to create a spanning tree replication topology. Or, one or more directory servers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible directory servers. )
So, can anyone suggest what I should do? Do I need to fix this and let the sites communicate, or can I simply bypass this somehow? What would be the effect?
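The post above describes removing a connection object by hand and then seeing KCC events 1925, 1865 and 1311. As an added example (not from the poster or any answer on the page), the following PowerShell script inspects the inputs the KCC actually works from: whether automatic site-link bridging is on, which IP site links exist and which sites they join, and which connection objects currently exist between DCs. It uses only `Get-ADObject` from the Windows Server 2008 R2 ActiveDirectory module and `repadmin`, which ships with the OS; the site names HQ, Site1 and Site2 and the assumption that it runs on a domain controller as a domain admin are illustrative. The commented-out `Set-ADObject` line shows the hub-and-spoke setting (bridging disabled, so the KCC only builds connections along explicit site links); it is left commented so the script is read-only by default.

```powershell
# Added example, not part of the original post. Shows the site-link topology
# and connection objects the KCC uses, so 1311/1865/1925 can be traced to a
# missing link rather than fixed by deleting connection objects by hand.
# Assumptions: run on a DC as a domain admin; site names HQ/Site1/Site2 are
# illustrative; only cmdlets present in the 2008 R2 ActiveDirectory module.
Import-Module ActiveDirectory

$configNC    = (Get-ADRootDSE).configurationNamingContext
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"

# 1. Automatic site-link bridging. Bit 0x2 of 'options' on the IP transport
#    (BRIDGES_REQUIRED) being clear means "Bridge all site links" is ON: every
#    site is treated as transitively reachable, so a DC in Site1 may be given
#    a connection straight to Site2 even with no Site1-Site2 site link.
$transport       = Get-ADObject -Identity $ipTransport -Properties options
$optionsValue    = [int]($transport.options | Select-Object -First 1)
$bridgesRequired = ($optionsValue -band 2) -ne 0
"Bridge all site links enabled: $(-not $bridgesRequired)"

# 2. Every IP site link, with cost, interval and the sites it joins.
#    For hub-and-spoke you want HQ-Site1 and HQ-Site2 and nothing joining
#    Site1 to Site2 directly; a site in no link at all is what 1311 complains about.
Get-ADObject -SearchBase $ipTransport -LDAPFilter '(objectClass=siteLink)' `
             -Properties siteList, cost, replInterval |
  ForEach-Object {
    $sites = ($_.siteList | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', '
    '{0}: cost={1} interval={2}min sites=[{3}]' -f $_.Name, $_.cost, $_.replInterval, $sites
  }

# 3. Connection objects the KCC (or an admin) has created. Each one lives under
#    CN=NTDS Settings,CN=<server>,... and points at its source via fromServer,
#    so "source -> destination" below is the inbound replication partner list.
Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter '(objectClass=nTDSConnection)' `
             -Properties fromServer |
  ForEach-Object {
    $to   = ($_.DistinguishedName -split ',')[2] -replace '^CN='
    $from = ($_.fromServer          -split ',')[1] -replace '^CN='
    "$from -> $to (connection object: $($_.Name))"
  }

# 4. Hub-and-spoke: make the KCC build connections only along explicit site
#    links by setting BRIDGES_REQUIRED (turns "Bridge all site links" off).
#    Left commented out so this script stays read-only.
# Set-ADObject -Identity $ipTransport -Replace @{ options = ($optionsValue -bor 2) }

# 5. Let the KCC recompute instead of deleting connection objects manually,
#    then show only the replication links that are currently failing.
repadmin /kcc
repadmin /showrepl /errorsonly
```

Run the read-only part first: if step 2 shows Site1 and Site2 both linked only to HQ and step 1 shows bridging on, a Site1 -> Site2 connection in step 3 is the KCC exploiting transitive reachability, and the place to change that is the site-link configuration, not the connection object. A connection object you delete by hand is simply recreated on the next KCC pass (every 15 minutes by default), which is why the errors in the post return.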