KCC errors

I have a remote site named 200_Seattle.
There are two DCs in this site.

I have a Datacenter site, with all root DCs, named 500_HQ.

There is a site link named 200 - 500 SiteLink.
In the site link, both the 200_Seattle and 500_HQ sites are in the link.

We have over 200-300 sites.
Each site has its name and the associated subnet.

Then that site has a site link paired with the Datacenter site only.

Hub and spoke.

However, when I check KCC it looks like it is replicating with spoke DCs, not the root.

And what's even more bizarre is that one of the remote DCs has over 200-300 automatically generated KCC replication partners, which gives tons of SCOM alerts as there are too many, and the other DC in the site keeps giving the below KCC error. I am confused as to why its replication partners are those in other cities instead of the root HQ datacenter site.

How can I control this? Or do I need to?

And how do I fix the below error?

The domain is a mixture of Win 2003 and Win 2008 servers.

The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.

Directory partition:

There is insufficient site connectivity information in Active Directory Sites and Services for the KCC to create a spanning tree replication topology. Or, one or more domain controllers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible domain controllers.

User Action

Use Active Directory Sites and Services to perform one of the following actions:

- Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.

- Add a Connection object to a domain controller that contains the directory partition in this site from a domain controller that contains the same directory partition in another site.
Sandeshdubey (Senior Server Engineer) commented:
If your network isn't fully routed, then first disable Bridge All Site Links (BASL), as this may be causing unwanted connections.

If manual connections are created in AD Sites and Services for replication, then delete the same and let the KCC do the job.

As you have a hub-and-spoke topology, where remote sites can only directly communicate with the hub (such as the datacenter), then you should:
• Disable bridging
• Create specific IP connectors for each site to connect from the remote site to the hub.
• Add the two sites in each specific connector.

Assuming that the DNS role is configured on the server, each DC / DNS server points to its private IP address as primary DNS server and other internal/remote DNS servers (datacenter) as secondary DNS in the TCP/IP properties.

Best practices for DNS client settings on DC and domain members.

Ensure required ports are open for AD communication: http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx

Hope this helps.
What is the cost setting between 200 - 500 SiteLink 200-300? What is the connection object created in the remote site? Have you bridged your site links?
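The three things the replies above ask about (whether Bridge All Site Links is off, what each site link contains, and which DCs the KCC has actually paired) can be read straight out of the Configuration partition. The script below is an added example, not code from any poster in this thread; it assumes the hub site is 500_HQ (the name from the question, adjustable via -HubSite) and that it runs under an account that can read the Configuration partition. It uses only ADSI, so it works against Windows Server 2003/2008 DCs without the ActiveDirectory module.

```powershell
# Added audit example (not from the thread): inventory the site-link and
# connection-object topology the KCC is working from and flag anything that
# contradicts a hub-and-spoke design.
param([string]$HubSite = '500_HQ')   # hub site name from the question; assumption

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = [string]$rootDse.configurationNamingContext
$ipPath   = "LDAP://CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"

# --- 1. Bridge All Site Links --------------------------------------------
# On the IP transport object, options bit 0x2 (BRIDGES_REQUIRED) set means
# "Bridge all site links" is DISABLED; a missing value means it is enabled.
$ipTransport = [ADSI]$ipPath
$opts = 0
if ($ipTransport.options.Count -gt 0) { $opts = [int]$ipTransport.options[0] }
"Bridge All Site Links disabled: $((($opts -band 0x2) -ne 0))"

# Helper: return the value of the RDN at a given position in a DN.
function Get-RdnValue([string]$Dn, [int]$Index) {
    return (($Dn -split ',')[$Index] -replace '^CN=', '')
}

# --- 2. Site links: each should be exactly hub + one spoke ----------------
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.PageSize   = 1000
$searcher.SearchRoot = [ADSI]$ipPath
$searcher.Filter     = '(objectClass=siteLink)'
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('name', 'cost', 'replInterval', 'siteList'))
foreach ($r in $searcher.FindAll()) {
    $name  = $r.Properties['name'][0]
    $sites = @($r.Properties['sitelist'] | ForEach-Object { Get-RdnValue $_ 0 })
    $verdict = if ($sites -notcontains $HubSite) { 'HUB MISSING' }
               elseif ($sites.Count -ne 2)       { "$($sites.Count) SITES (expected 2)" }
               else                              { 'ok' }
    '{0,-28} cost={1,-4} interval={2,-4} {3,-22} sites: {4}' -f $name,
        $r.Properties['cost'][0], $r.Properties['replinterval'][0], $verdict, ($sites -join ', ')
}

# --- 3. Connection objects: spoke-to-spoke partners -----------------------
# DN shape of an nTDSConnection:
#   CN=<name>,CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
# fromServer is the source DC's NTDS Settings DN, so its site is RDN index 3.
$searcher.SearchRoot = [ADSI]"LDAP://CN=Sites,$configNC"
$searcher.Filter     = '(objectClass=nTDSConnection)'
$searcher.PropertiesToLoad.Clear()
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'fromServer', 'options'))
$total = 0; $spokeToSpoke = 0; $manual = 0
foreach ($r in $searcher.FindAll()) {
    $total++
    $dn       = [string]$r.Properties['distinguishedname'][0]
    $from     = [string]$r.Properties['fromserver'][0]
    $toSite   = Get-RdnValue $dn 4
    $toDc     = Get-RdnValue $dn 2
    $fromSite = Get-RdnValue $from 3
    $fromDc   = Get-RdnValue $from 1
    # options bit 0x1 (IS_GENERATED) marks a KCC-created connection; anything
    # else was created by hand and the KCC will never remove it on its own.
    $generated = ($r.Properties['options'].Count -gt 0) -and
                 ((([int]$r.Properties['options'][0]) -band 0x1) -ne 0)
    if (-not $generated) { $manual++ }
    if ($toSite -ne $fromSite -and $toSite -ne $HubSite -and $fromSite -ne $HubSite) {
        $spokeToSpoke++
        "SPOKE-TO-SPOKE: $fromDc ($fromSite) -> $toDc ($toSite)  generated=$generated"
    }
}
"Connection objects: $total total, $manual manual, $spokeToSpoke spoke-to-spoke"
```

A site link reported as "HUB MISSING" or containing more than two sites, combined with Bridge All Site Links still enabled, is exactly the condition under which the KCC will route spoke-to-spoke; the manual count matters because those connections survive any number of KCC reruns until someone deletes them.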
Indyrb (Author) commented:
There is NOT a site bridge for any sites, only site links.
There are hundreds of subnets and sites for the subnets.
The site link for each site is cost 45, replication interval 15.
There are hundreds of domain controllers, and a mixture of Win2003 and Win2008.

What should be my next steps? What does a site bridge do? What are the pros and cons of a site bridge?

It's also important to note that I believe your article was followed:


There is a GPO excluding all the generic SRV records on DNS.

The other weird thing is all remote DCs' DNSSearchOrder is that of the HQ-Datacenter DNS, and not itself. Not sure why this is, and if there is a legitimate reason for all DCs to point to and

Reason I ask is I read these in a few places. Need clarification on next steps please.

In addition to the reasons already given for restricting how domain controllers register their SRV records, when Active Directory-integrated DNS zones are used in large deployments, the storage limitations of attributes will come into play. DNS registrations are stored in multivalued attributes. Active Directory has a limitation for nonlinked, multivalued attributes such that approximately 1,200 values can be saved per object. This limit is different from the limit for linked multivalued attributes, such as groups, that can hold many more values. For small deployments, the Net Logon configuration is optional and optimizes service location. For deployments with more than 1,200 domain controllers, this configuration is mandatory because of the storage limitation for nonlinked, multivalued attributes.
If, for example, more than 1,200 domain controllers try to register services for the same domain, this limitation will be reached. If Net Logon is configured correctly (so that branch office domain controllers will register entries only on a per-site level, but not on the domain level), this limitation will be moved from a per-domain level to a per-site level, and thus allows thousands of domain controllers to register services.

To avoid the situation where clients in one branch contact a domain controller in another branch, the Net Logon service on all branch office domain controllers must be configured to publish only site-specific Locator records and not generic domain controller Locator records. With this configuration, only the data center domain controllers publish generic Locator records, in addition to their site-specific records. If this configuration change is made, branch clients that cannot find a domain controller in their own site will find generic domain controller Locator records for only data center domain controllers. To limit the domain controllers that are found by preventing the registration of generic SRV records, you have to configure Net Logon with the policies discussed in the next section.
Group Policy Setting for the Domain Controllers
To prevent Net Logon on a domain controller from attempting dynamic updates of certain DNS records, use the Group Policy snap-in to edit the Default Domain Controllers Policy:
Computer Configuration/Administrative Templates/System/NetLogon/DC Locator DNS Record
DC Locator DNS records not registered by the DCs/VALUE: ENABLED/Mnemonics: LdapIpAddress Ldap Gc GcIPAddress Kdc Dc DcByGuid Rfc1510Kdc Rfc1510Kpwd Rfc1510UdpKdc Rfc1510UdpKpwd GenericGc
In the Group Policy snap-in, the configuration is as follows:
• Group Policy object: Default Domain Controllers Policy
• Group Policy snap-in path: Computer Configuration/Administrative Templates/System/NetLogon/DC Locator DNS Record
• Policy setting to edit: DC Locator DNS records not registered by the DCs
• Mnemonics to select: LdapIpAddress Ldap Gc GcIPAddress Kdc Dc DcByGuid Rfc1510Kdc Rfc1510Kpwd Rfc1510UdpKdc Rfc1510UdpKpwd GenericGc
In this value, specify the list of mnemonics corresponding to the DNS records that should not be registered by this domain controller. Table 4.1 shows all available mnemonics:

Table 4.1   Mnemonics Available for Customized DNS Configuration

Mnemonic            Type    DNS Record
Dc                  SRV     _ldap._tcp.dc._msdcs.<DnsDomainName>
DcAtSite            SRV     _ldap._tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName>
DcByGuid            SRV     _ldap._tcp.<DomainGuid>.domains._msdcs.<DnsForestName>
Pdc                 SRV     _ldap._tcp.pdc._msdcs.<DnsDomainName>
Gc                  SRV     _ldap._tcp.gc._msdcs.<DnsForestName>
GcAtSite            SRV     _ldap._tcp.<SiteName>._sites.gc._msdcs.<DnsForestName>
GenericGc           SRV     _gc._tcp.<DnsForestName>
GenericGcAtSite     SRV     _gc._tcp.<SiteName>._sites.<DnsForestName>
GcIpAddress         A       _gc._msdcs.<DnsForestName>
DsaCname            CNAME   <DsaGuid>._msdcs.<DnsForestName>
Kdc                 SRV     _kerberos._tcp.dc._msdcs.<DnsDomainName>
KdcAtSite           SRV     _kerberos._tcp.dc._msdcs.<SiteName>._sites.<DnsDomainName>
Ldap                SRV     _ldap._tcp.<DnsDomainName>
LdapAtSite          SRV     _ldap._tcp.<SiteName>._sites.<DnsDomainName>
LdapIpAddress       A       <DnsDomainName>
Rfc1510Kdc          SRV     _kerberos._tcp.<DnsDomainName>
Rfc1510KdcAtSite    SRV     _kerberos._tcp.<SiteName>._sites.<DnsDomainName>
Rfc1510UdpKdc       SRV     _kerberos._udp.<DnsDomainName>
Rfc1510Kpwd         SRV     _kpasswd._tcp.<DnsDomainName>
Rfc1510UdpKpwd      SRV     _kpasswd._udp.<DnsDomainName>

The recommended configuration in a branch office deployment is as follows:
• For all branch office domain controllers, add all mnemonic entries that do not have "AtSite" as part of the mnemonic, except do not add DsaCname.
• For data center domain controllers, do not edit the policy setting. Allow the domain controllers to register all records.
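The quoted guide says what the policy should contain; what it does not show is how to verify, on a given DC, which records that DC will actually stop registering. The script below is an added example, not part of the thread or of the Microsoft guide quoted above. It reads the effective DnsAvoidRegisterRecords value (the registry value behind the "DC Locator DNS records not registered by the DCs" setting), maps every mnemonic to the concrete DNS name using the guide's Table 4.1 exactly as printed, and diffs the value against the branch-office recommendation (every mnemonic without "AtSite", except DsaCname). Assumptions: the two registry paths are the Netlogon policy key and the Netlogon service parameters key, and domain, forest and site names are taken from the local DC's RootDSE, so it is meant to run on a DC.

```powershell
# Added example (not from the thread or the quoted guide): compare a DC's
# effective DnsAvoidRegisterRecords setting with the branch-office profile and
# show the concrete DNS records affected.

# Table 4.1 from the quoted guide, copied verbatim, placeholders kept as tokens.
$Mnemonics = @{
    'Dc'               = '_ldap._tcp.dc._msdcs.<DnsDomainName>'
    'DcAtSite'         = '_ldap._tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName>'
    'DcByGuid'         = '_ldap._tcp.<DomainGuid>.domains._msdcs.<DnsForestName>'
    'Pdc'              = '_ldap._tcp.pdc._msdcs.<DnsDomainName>'
    'Gc'               = '_ldap._tcp.gc._msdcs.<DnsForestName>'
    'GcAtSite'         = '_ldap._tcp.<SiteName>._sites.gc._msdcs.<DnsForestName>'
    'GenericGc'        = '_gc._tcp.<DnsForestName>'
    'GenericGcAtSite'  = '_gc._tcp.<SiteName>._sites.<DnsForestName>'
    'GcIpAddress'      = '_gc._msdcs.<DnsForestName>'
    'DsaCname'         = '<DsaGuid>._msdcs.<DnsForestName>'
    'Kdc'              = '_kerberos._tcp.dc._msdcs.<DnsDomainName>'
    'KdcAtSite'        = '_kerberos._tcp.dc._msdcs.<SiteName>._sites.<DnsDomainName>'
    'Ldap'             = '_ldap._tcp.<DnsDomainName>'
    'LdapAtSite'       = '_ldap._tcp.<SiteName>._sites.<DnsDomainName>'
    'LdapIpAddress'    = '<DnsDomainName>'
    'Rfc1510Kdc'       = '_kerberos._tcp.<DnsDomainName>'
    'Rfc1510KdcAtSite' = '_kerberos._tcp.<SiteName>._sites.<DnsDomainName>'
    'Rfc1510UdpKdc'    = '_kerberos._udp.<DnsDomainName>'
    'Rfc1510Kpwd'      = '_kpasswd._tcp.<DnsDomainName>'
    'Rfc1510UdpKpwd'   = '_kpasswd._udp.<DnsDomainName>'
}

# Branch-office recommendation from the guide: all non-AtSite mnemonics except DsaCname.
$BranchOfficeAvoid = @($Mnemonics.Keys | Where-Object { $_ -notmatch 'AtSite$' -and $_ -ne 'DsaCname' } | Sort-Object)

function Get-EffectiveAvoidList {
    # Policy key overrides the service key (assumed paths). The GPO writes a
    # space-separated REG_SZ; a hand-set value is usually REG_MULTI_SZ, so
    # both shapes are normalised to an array of mnemonics.
    $paths = 'HKLM:\SOFTWARE\Policies\Microsoft\Netlogon\Parameters',
             'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name DnsAvoidRegisterRecords -ErrorAction SilentlyContinue).DnsAvoidRegisterRecords
        if ($v) { return @(((@($v) -join ' ') -split '\s+') | Where-Object { $_ }) }
    }
    return @()
}

function Expand-Record([string]$Template, [string]$Domain, [string]$Forest, [string]$Site) {
    # Substitute the three name placeholders; <DomainGuid>/<DsaGuid> stay literal.
    return ($Template -replace '<DnsDomainName>', $Domain -replace '<DnsForestName>', $Forest -replace '<SiteName>', $Site)
}

function Get-DnsNameFromNc([string]$NamingContext) {
    # DC=corp,DC=example,DC=com -> corp.example.com
    return (($NamingContext -replace ',?DC=', '.').TrimStart('.'))
}

$rootDse = [ADSI]'LDAP://RootDSE'
$domain  = Get-DnsNameFromNc ([string]$rootDse.defaultNamingContext)
$forest  = Get-DnsNameFromNc ([string]$rootDse.rootDomainNamingContext)
# serverName is CN=<server>,CN=Servers,CN=<site>,CN=Sites,... so the site is RDN index 2
$site    = (([string]$rootDse.serverName -split ',')[2] -replace '^CN=', '')

$avoid = Get-EffectiveAvoidList
"DC site: $site   domain: $domain   forest: $forest"
if ($avoid.Count -eq 0) {
    'DnsAvoidRegisterRecords not set: this DC registers every record (data center profile).'
} else {
    "DnsAvoidRegisterRecords: $($avoid -join ' ')"
}

$missing    = @($BranchOfficeAvoid | Where-Object { $avoid -notcontains $_ })
$unexpected = @($avoid | Where-Object { $BranchOfficeAvoid -notcontains $_ })
if ($avoid.Count -gt 0 -and $missing.Count -gt 0) { "Branch profile is missing: $($missing -join ' ')" }
if ($unexpected.Count -gt 0) { "NOT in the branch recommendation (site-local lookups would break): $($unexpected -join ' ')" }

'' ; 'Record-by-record view for this DC:'
foreach ($m in ($Mnemonics.Keys | Sort-Object)) {
    $state = if ($avoid -contains $m) { 'SUPPRESSED' } else { 'registered' }
    '{0,-10} {1,-17} {2}' -f $state, $m, (Expand-Record $Mnemonics[$m] $domain $forest $site)
}
```

Run on a branch DC, the "SUPPRESSED" rows should be exactly the generic records and the "registered" rows the site-specific ones; run on a data center DC, nothing should be suppressed. The second check in the output is the important one: a value that also names an AtSite mnemonic leaves the DC with no record in its own site, which is the failure mode the question about pointing DCs at themselves for DNS is worried about.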


Jaihunt commented:
DNS configuration is fine as long as the primary DNS is reachable.

Check the network delay between the sites; if there is network delay or any unreachable DC, you will face replication issues.

Run DCdiag /v on the problematic DC and check for the error details.

Check the below links


Indyrb (Author) commented:
Thanks for the reply...

In Sites and Services, in Sites - Inter-Site Transports - IP,
Bridge all site links was already cleared or disabled.

So like I mentioned, I have several hundred sites.
Each site is linked with the Data-Center site.
Cost 45, replication interval 15.

When looking in Sites and Services - Sites - Site Name - Servers - DC - NTDS Settings,
it has servers that are not Datacenter DCs... and some sites don't even have the Datacenter DCs in them. Like weird random partners. Like one in Michigan has a partner in New York and one in San Francisco, and the Datacenter is in Atlanta.

So my question:
When you set up site links, is it supposed to only sync with the DCs at the Datacenter in my case, and would /kcc only automatically generate partners to the datacenter? I am confused a little, since some don't have the Datacenter in their NTDS settings, and some sites have all the partners. Hundreds of them...

Looking further into one of the sites,
I saw HQ-Datacenter had all the sites in its site link.
I removed all sites except that of HQ-Datacenter.
Running repadmin /kcc *

Will this fix the issues?
Will partners only be the actual site and the datacenter in KCC, or is it still randomly generated and could replicate with other sites? Is this okay?

If you run repadmin /kcc, does it remove all previous connections and recreate new connections? How can you remove all connections from every site, then run repadmin /kcc if needed?

You said DNS configuration is fine. Do you mean that all DCs point to the Datacenter DNS, and only that DNS server? What are the pros and cons of this?
How do I check for network delay?

I am also needing confirmation on the proper GPO and if SRV records should or should not get generated. Like I said, hundreds of ADS/DNS servers all across North America at remote branches. Not 100% sure how they are connected... VPN, etc.

You mentioned that all DNS servers should point to themselves, then secondary DNS would go to the Datacenter DCs.
What are some of the benefits of this, and what are the cons? Also, if it points to itself and the GPO is applied to keep certain SRV records from registering, would this cause a problem?

I just want to make sure all DCs, DNS, sites, links, ADS are set up properly.
I really appreciate your time, suggestions, and willingness to help.
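Two of the questions above (how to check network delay, and what the current replication partners and failures look like after a KCC rerun) can be answered from one DC with the tools Jaihunt points at. The script below is an added example, not code from any poster. It parses repadmin /showrepl * /csv to list every inbound partner per DC with its failure count and last success, then measures ICMP round-trip to each distinct source DC. Assumptions: repadmin is present (it is on any 2003/2008 DC), the CSV column names are the ones the 2008-era repadmin emits (Destination DSA, Source DSA, Source DSA Site, Naming Context, Number of Failures, Last Success Time, Last Failure Status), ICMP is permitted between sites, and PowerShell 2.0 is installed for ConvertFrom-Csv and Test-Connection. The 150 ms threshold is an arbitrary starting point.

```powershell
# Added example (not from the thread): summarise replication partners and
# failures from repadmin, then measure latency to each source DC.
param([int]$MaxRttMs = 150, [int]$PingCount = 4)   # thresholds are assumptions

$rows = repadmin /showrepl * /csv | ConvertFrom-Csv
if (-not $rows) { throw 'repadmin returned no rows; run as a domain admin on a DC.' }

# Per-destination summary: how many inbound partners, how many are failing,
# and which sites they come from (a spoke should only list the hub site).
$rows | Group-Object 'Destination DSA' | Sort-Object Count -Descending | ForEach-Object {
    $failing = @($_.Group | Where-Object { [int]$_.'Number of Failures' -gt 0 })
    $sites   = @($_.Group | Select-Object -ExpandProperty 'Source DSA Site' -Unique)
    '{0,-20} partners={1,-4} failing={2,-4} source sites={3}' -f $_.Name, $_.Count, $failing.Count, ($sites -join ', ')
}

# Detail for failing links, oldest success first; these are the "inaccessible
# domain controllers" the KCC event text refers to.
'' ; 'Failing inbound replication links:'
$rows | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Sort-Object 'Last Success Time' |
    ForEach-Object {
        '{0} <- {1} [{2}] failures={3} last success={4} status={5}' -f $_.'Destination DSA',
            $_.'Source DSA', $_.'Naming Context', $_.'Number of Failures',
            $_.'Last Success Time', $_.'Last Failure Status'
    }

# Latency to each distinct source DC. repadmin prints DSA names as plain host
# names, which resolve through this DC's own DNS client settings, so a lookup
# failure here points straight at the DNS configuration discussed in the thread.
'' ; "Round-trip time to each source DC (flagging anything over $MaxRttMs ms):"
$rows | Select-Object -ExpandProperty 'Source DSA' -Unique | Sort-Object | ForEach-Object {
    $replies = @(Test-Connection -ComputerName $_ -Count $PingCount -ErrorAction SilentlyContinue)
    if ($replies.Count -eq 0) {
        '{0,-20} UNREACHABLE (name resolution failed or ICMP blocked)' -f $_
    } else {
        $avg  = ($replies | Measure-Object -Property ResponseTime -Average).Average
        $flag = if ($avg -gt $MaxRttMs) { 'SLOW' } else { 'ok' }
        '{0,-20} avg={1,6:N0} ms  lost={2}/{3}  {4}' -f $_, $avg, ($PingCount - $replies.Count), $PingCount, $flag
    }
}
```

On the repadmin /kcc question: rerunning the KCC on a DC recomputes that DC's inbound connections and adds or deletes only connection objects it generated itself (the ones with the IS_GENERATED option bit set); connections created by hand in Sites and Services are left alone until someone deletes them, so a partner list that refuses to shrink after repadmin /kcc * usually means manual connection objects are still present.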
Indyrb (Author) commented:
Awarding points, still researching the issue -- thanks for your help, EE Experts.