Indyrb
asked on
KCC errors
I have a remote site named 200_Seattle
There are two DCs in this site.
I have a Datacenter Site with all root Dcs named 500_HQ
There is a sitelink named 200 - 500 SiteLink
In the Sitelink both the 200_Seattle and 500_Hq sites are in the link
We have over 200-300 sites
Each site has its name and the associated subnet
Then that site has a sitelink paired with the Datacenter Site only
Hub and Spoke.
However, when I check the KCC it looks like it is replicating with spoke DCs, not the root.
And what's even more bizarre is that one of the remote DCs has over 200-300 automatically generated KCC replication partners, which gives tons of SCOM alerts as there are too many, and the other DC in the site keeps giving the below KCC error. I am confused as to why its replication partners are those in other cities instead of the ROOT_HQ_datacenter site.
How can I control this? Or do I need to?
And how do I fix the below error?
The domain is a mixture of Win 2003 and Win 2008 servers.
The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
Directory partition:
CN=Configuration,DC=domain,DC=com
There is insufficient site connectivity information in Active Directory Sites and Services for the KCC to create a spanning tree replication topology. Or, one or more domain controllers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible domain controllers.
User Action
Use Active Directory Sites and Services to perform one of the following actions:
- Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.
- Add a Connection object to a domain controller that contains the directory partition in this site from a domain controller that contains the same directory partition in another site.
What is the cost setting on the 200 - 500 SiteLink? What is the connection object created in the remote site? Have you bridged your site links?
ASKER
There is NOT a site bridge for any sites, only site links.
There are hundreds of subnets and sites for the subnets.
The site link for each site is Cost 45, Replication Interval 15.
There are hundreds of domain controllers, and a mixture of Win2003 and Win2008.
What should be my next steps? What does a site bridge do? What are the pros and cons of a site bridge?
It's also important to note that I believe your article was followed:
http://jaihunt.wordpress.com/tag/srv-records/
There is a GPO excluding all the generic SRV records in DNS.
The other weird thing is that all remote DCs' DNSSearchOrder is that of the HQ-Datacenter DNS, and not itself. Not sure why this is, and if there is a legitimate reason for all DCs to point to 192.168.1.10 and 192.168.1.15.
Reason I ask is that I read these in a few places. Need clarification on next steps please.
In addition to the reasons already given for restricting how domain controllers register their SRV records, when Active Directory-integrated DNS zones are used in large deployments, the storage limitations of attributes will come into play. DNS registrations are stored in multivalued attributes. Active Directory has a limitation for nonlinked, multivalued attributes such that approximately 1,200 values can be saved per object. This limit is different from the limit for linked multivalued attributes, such as groups, that can hold many more values. For small deployments, the Net Logon configuration is optional and optimizes service location. For deployments with more than 1,200 domain controllers, this configuration is mandatory because of the storage limitation for nonlinked, multivalued attributes.
If, for example, more than 1,200 domain controllers try to register services for the same domain, this limitation will be reached. If Net Logon is configured correctly (so that branch office domain controllers will register entries only on a per-site level, but not on the domain level), this limitation will be moved from a per-domain level to a per-site level, and thus allows thousands of domain controllers to register services.
To avoid the situation where clients in one branch contact a domain controller in another branch, the Net Logon service on all branch office domain controllers must be configured to publish only site-specific Locator records and not generic domain controller Locator records. With this configuration, only the data center domain controllers publish generic Locator records, in addition to their site-specific records. If this configuration change is made, branch clients that cannot find a domain controller in their own site will find generic domain controller Locator records for only data center domain controllers. To limit the domain controllers that are found by preventing the registration of generic SRV records, you have to configure Net Logon with the policies discussed in the next section.
Group Policy Setting for the Domain Controllers
To prevent Net Logon on a domain controller from attempting dynamic updates of certain DNS records, use the Group Policy snap-in to edit the Default Domain Controllers Policy:
Computer Configuration/Administrative Templates/System/NetLogon/DC Locator DNS Record
DC Locator DNS records not registered by the DCs / VALUE: ENABLED / Mnemonics: LdapIpAddress Ldap Gc GcIPAddress Kdc Dc DcByGuid Rfc1510Kdc Rfc1510Kpwd Rfc1510UdpKdc Rfc1510UdpKpwd GenericGc
In the Group Policy snap-in, the configuration is as follows:
• Group Policy object: Default Domain Controllers Policy
• Group Policy snap-in path: Computer Configuration/Administrative Templates/System/NetLogon/DC Locator DNS Record
• Policy setting to edit: DC Locator DNS records not registered by the DCs
• VALUE: ENABLED
• Mnemonics to select: LdapIpAddress Ldap Gc GcIPAddress Kdc Dc DcByGuid Rfc1510Kdc Rfc1510Kpwd Rfc1510UdpKdc Rfc1510UdpKpwd GenericGc
In this value, specify the list of mnemonics corresponding to the DNS records that should not be registered by this domain controller. Table 4.1 shows all available mnemonics:
Table 4.1 Mnemonics Available for Customized DNS Configuration
Mnemonic           Type   DNS Record
Dc                 SRV    _ldap._tcp.dc._msdcs.<DnsDomainName>
DcAtSite           SRV    _ldap._tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName>
DcByGuid           SRV    _ldap._tcp.<DomainGuid>.domains._msdcs.<DnsForestName>
Pdc                SRV    _ldap._tcp.pdc._msdcs.<DnsDomainName>
Gc                 SRV    _ldap._tcp.gc._msdcs.<DnsForestName>
GcAtSite           SRV    _ldap._tcp.<SiteName>._sites.gc._msdcs.<DnsForestName>
GenericGc          SRV    _gc._tcp.<DnsForestName>
GenericGcAtSite    SRV    _gc._tcp.<SiteName>._sites.<DnsForestName>
GcIpAddress        A      _gc._msdcs.<DnsForestName>
DsaCname           CNAME  <DsaGuid>._msdcs.<DnsForestName>
Kdc                SRV    _kerberos._tcp.dc._msdcs.<DnsDomainName>
KdcAtSite          SRV    _kerberos._tcp.dc._msdcs.<SiteName>._sites.<DnsDomainName>
Ldap               SRV    _ldap._tcp.<DnsDomainName>
LdapAtSite         SRV    _ldap._tcp.<SiteName>._sites.<DnsDomainName>
LdapIpAddress      A      <DnsDomainName>
Rfc1510Kdc         SRV    _kerberos._tcp.<DnsDomainName>
Rfc1510KdcAtSite   SRV    _kerberos._tcp.<SiteName>._sites.<DnsDomainName>
Rfc1510UdpKdc      SRV    _kerberos._udp.<DnsDomainName>
Rfc1510Kpwd        SRV    _kpasswd._tcp.<DnsDomainName>
Rfc1510UdpKpwd     SRV    _kpasswd._udp.<DnsDomainName>
The recommended configuration in a branch office deployment is as follows:
• For all branch office domain controllers, add all mnemonic entries that do not have “AtSite” as part of the mnemonic, except do not add DsaCname.
• For data center domain controllers, do not edit the policy setting. Allow the domain controllers to register all records.
http://jaihunt.wordpress.com/tag/srv-records/
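As an added example (not from the post or the quoted article), the mnemonic table and the branch-office rule above modeled in Python: it derives the exclusion list from the rule ("everything without AtSite, except DsaCname"), compares it with the GPO value literally quoted in the post, and expands the records a branch DC versus a data-center DC ends up registering. Site and domain names are constructed from the post; <DsaGuid> and <DomainGuid> are placeholders.

```python
# Added example: models Table 4.1 and the branch-office rule quoted above.
# Mnemonic -> (record type, DNS name template), transcribed from the table
# as printed on the page; site/domain/forest values are filled in at call time.
MNEMONICS = {
    "Dc":               ("SRV",   "_ldap._tcp.dc._msdcs.{domain}"),
    "DcAtSite":         ("SRV",   "_ldap._tcp.{site}._sites.dc._msdcs.{domain}"),
    "DcByGuid":         ("SRV",   "_ldap._tcp.{domain_guid}.domains._msdcs.{forest}"),
    "Pdc":              ("SRV",   "_ldap._tcp.pdc._msdcs.{domain}"),
    "Gc":               ("SRV",   "_ldap._tcp.gc._msdcs.{forest}"),
    "GcAtSite":         ("SRV",   "_ldap._tcp.{site}._sites.gc._msdcs.{forest}"),
    "GenericGc":        ("SRV",   "_gc._tcp.{forest}"),
    "GenericGcAtSite":  ("SRV",   "_gc._tcp.{site}._sites.{forest}"),
    "GcIpAddress":      ("A",     "_gc._msdcs.{forest}"),
    "DsaCname":         ("CNAME", "{dsa_guid}._msdcs.{forest}"),
    "Kdc":              ("SRV",   "_kerberos._tcp.dc._msdcs.{domain}"),
    "KdcAtSite":        ("SRV",   "_kerberos._tcp.dc._msdcs.{site}._sites.{domain}"),
    "Ldap":             ("SRV",   "_ldap._tcp.{domain}"),
    "LdapAtSite":       ("SRV",   "_ldap._tcp.{site}._sites.{domain}"),
    "LdapIpAddress":    ("A",     "{domain}"),
    "Rfc1510Kdc":       ("SRV",   "_kerberos._tcp.{domain}"),
    "Rfc1510KdcAtSite": ("SRV",   "_kerberos._tcp.{site}._sites.{domain}"),
    "Rfc1510UdpKdc":    ("SRV",   "_kerberos._udp.{domain}"),
    "Rfc1510Kpwd":      ("SRV",   "_kpasswd._tcp.{domain}"),
    "Rfc1510UdpKpwd":   ("SRV",   "_kpasswd._udp.{domain}"),
}

# The GPO value exactly as listed in the quoted text (12 mnemonics).
PAGE_GPO_VALUE = ("LdapIpAddress Ldap Gc GcIPAddress Kdc Dc DcByGuid Rfc1510Kdc "
                  "Rfc1510Kpwd Rfc1510UdpKdc Rfc1510UdpKpwd GenericGc").split()


def branch_office_exclusions():
    """Mnemonics a branch-office DC should not register, per the quoted rule:
    every mnemonic without "AtSite" in its name, except DsaCname."""
    return sorted(m for m in MNEMONICS if "AtSite" not in m and m != "DsaCname")


def missing_from_page_value():
    """Mnemonics the rule selects but the page's literal GPO value omits.
    Names are compared case-insensitively because the text spells GcIPAddress."""
    listed = {m.lower() for m in PAGE_GPO_VALUE}
    return sorted(m for m in branch_office_exclusions() if m.lower() not in listed)


def registered_records(excluded, site, domain, forest,
                       dsa_guid="<DsaGuid>", domain_guid="<DomainGuid>"):
    """DNS names a DC in `site` still registers after suppressing `excluded`."""
    skip = {m.lower() for m in excluded}
    return {tmpl.format(site=site, domain=domain, forest=forest,
                        dsa_guid=dsa_guid, domain_guid=domain_guid)
            for m, (_, tmpl) in MNEMONICS.items() if m.lower() not in skip}


if __name__ == "__main__":
    # Constructed names modeled on the post: a branch site and the hub site.
    branch = registered_records(branch_office_exclusions(), "200_Seattle", "domain.com", "domain.com")
    hq = registered_records([], "500_HQ", "domain.com", "domain.com")
    print("branch DC registers only:", sorted(branch))
    print("HQ DC registers", len(hq), "records")
    print("rule selects but page value omits:", missing_from_page_value())
```

Running it shows that the rule as worded selects one more mnemonic (Pdc) than the value list quoted in the post, which is worth reconciling before the policy is applied to hundreds of DCs.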
ASKER
Thanks for the Reply...
In Sites and Services, under Sites - Inter-Site Transports - IP,
the bridge-all-site-links option was already cleared or disabled.
So like I mentioned I have Several Hundred sites.
Each site is linked with the Data-Center site.
Cost 45 Replication Interval 15
When looking in Sites and Services - Sites - Site Name - Server - DC - NTDS Settings
it has servers that are not Datacenter DCs, and some sites don't even have the Datacenter DCs in them. Like weird random partners. Like one in Michigan has a partner in New York and one in San Francisco, and the Datacenter is in Atlanta.
So my question.
When you set up site links, is it supposed to only sync with the DCs at the Datacenter in my case, and /kcc would only automatically generate partners to the Datacenter? I am a little confused, since some don't have the Datacenter in their NTDS settings, and some sites have all the partners. Hundreds of them...
Looking further into one of the sites.
I saw HQ - Datacenter, had all the sites in its site-link.
I removed all sites, except that of HQ-Datacenter.
Running repadmin /kcc *
Will this fix the issues?
Will partners only be the actual site and the Datacenter in KCC, or is it still randomly generated and could replicate with other sites? Is this okay?
If you run repadmin /kcc, does it remove all previous connections and recreate new connections? How can you remove all connections from every site, then run repadmin /kcc if needed?
Jaihunt,
You said the DNS configuration is fine. Do you mean that all DCs point to the Datacenter DNS, and only that DNS server? What are the pros and cons of this?
How do I check for network delay?
I also need confirmation on the proper GPO and whether SRV records should or should not get generated. Like I said, hundreds of ADS/DNS servers all across North America at remote branches. Not 100% sure how they are connected... VPN, etc.
Sandeshdubey
You mentioned that all DNS servers should point to themselves, and then secondary DNS would go to the Datacenter DCs.
What are some of the benefits of this, and what are the cons? Also, if it points to itself and the GPO is applied to keep certain SRV records from registering, would this cause a problem?
I just want to make sure all DCs, DNS, sites, links, and ADS are set up properly.
I really appreciate your time, suggestions, and willingness to help.
ASKER
Awarding points, still researching the issue -- thanks for your help EE Experts.