[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now


Do subdomains need to contact each other, and why?

Posted on 2012-08-23
Medium Priority
Last Modified: 2012-08-24
Hello everyone,

need help with the following:

We have several subdomains in my company's network, each in a remote location, each over IPsec vpn. Let's call my remote sites 1 and 2 and my central site HQ.

Everything is windows 2008 R2. Everything works fine (so far) except an error I see on event viewer. KCC tries to map the active directory topology, and it seems the domain controller from site 1 tries to connect to the DC in site 2, and it fails. Now, both of those sites are remote sites. Actually I DON'T want those 2 sites to be able to access each other.
I could fix this via firewalling and just letting the DC related traffic through, but do I really need this?

I did remove replication object between DCs in sites 1 and 2, however I get the following errors:

1925 (The attempt to establish a replication link for the following writable directory partition failed. )


1865 (The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site. )


1311 (There is insufficient site connectivity information for the KCC to create a spanning tree replication topology. Or, one or more directory servers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible directory servers. )

So, can anyone suggest what I should do? Do I need to fix this and let the sites communicate, or can I simply bypass this somehow? What would be the effect?
Question by:Dimitris Ioakimoglou
  • 4
  • 3

Accepted Solution

TI2Heaven earned 1500 total points
ID: 38324202
I am not sure but you probably are working with one realm (name in Kerberos for domain), and multiple sites. If you don’t want any replication at all you need 3 realms each in a different forest (name for Kerberos scope of trust relations).
But you probably don’t want that because users of any site will not be able to use resources of other site.
If users off site1 and site2 only use resources of HQ you will probably want to make site1 and site2 realms children of HQ realm (the root realm).

Author Comment

by:Dimitris Ioakimoglou
ID: 38324250
I'll search for a how-to and I'll get back to you on whether it solves my problem :)

Expert Comment

ID: 38324271
OK. But please if you get stuck make another question so I may receive more points. This is a huge issue.
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Author Comment

by:Dimitris Ioakimoglou
ID: 38327563
Hm. Wouldn't a windows subdomain be considered a different realm in Kerberos terms? I think it would (from what I've been reading but I might be wrong of course), therefore I already use 3 distinct realms - since HQ is the parent windows domain and 1 and 2 are subdomains.

for example:


are those not distinct realms?

Expert Comment

ID: 38328617
You can map any number of DNS domains with just one realm (kerberos domain).
And you can map any number of realms with just one DNS domain.
The only restriction is that any Windows instance can only be member of one realm.
That is why I introduce you the term realm, to make a distinction between both terms.
The way a windows instance became a member of a realm is by asking the active directory. (The User Interface to make the request is in the system properties).
Told you is a huge issue ;-) !!!

Author Closing Comment

by:Dimitris Ioakimoglou
ID: 38328828
Ok, points for you then. Looks like I can fix it your way.

Expert Comment

ID: 38329597
I really appreciated your points and I don’t want you walk that long way by your own.
Let us help you in the design of the realms. Make an open question with your scenery.
I think you only need one realm but I can’t tell until you explain why replication is an issue.
For your answer I guess you are going to make 3 realms in 3 different forest; don’t do it until you have this open question answered.

Featured Post

Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
High user turnover can cause old/redundant user data to consume valuable space. UserResourceCleanup was developed to address this by automatically deleting user folders when the user account is deleted.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Suggested Courses

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question