Avatar of Indyrb
IndyrbFlag for United States of America asked on

KCC errors

I have a remote site named 200_Seattle
There are two DCs in this site.

I have a Datacenter Site with all root Dcs named 500_HQ

There is a sitelink named 200 - 500 SiteLink
In the Sitelink both the 200_Seattle and 500_Hq sites are in the link

We have over 200-300 sites
Each site has its name and the associated subnet

Then that site has a sitelink paired with the Datacenter Site only

Hub and Spoke.

However when I check KCC it looks like it is replicating with spoke Dcs not the Root.

And whaqts even more bizare. Is one of the Remote Dcs has over 200-300 Automatically generated KCC replication partners. Which gives tons of SCOM alerts as there are too many. and the other DC in the Site Keeps given the below KCC error. I am confused as why its replication partners are those in other cities instead of the ROOT _ HQ _ datacenter Site.

How can I control this? or do I need to?

And how do I fix the below error

Domain is mixture of win 2003 and win 2008 servers.

The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.

Directory partition:

There is insufficient site connectivity information in Active Directory Sites and Services for the KCC to create a spanning tree replication topology. Or, one or more domain controllers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible domain controllers.

User Action

Use Active Directory Sites and Services to perform one of the following actions:

- Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.

- Add a Connection object to a domain controller that contains the directory partition in this site from a domain controller that contains the same directory partition in another site.
Active DirectoryWindows Server 2008Windows Server 2003Microsoft Server OSDNS

Avatar of undefined
Last Comment

8/22/2022 - Mon

What is the cost setting between 200 - 500 SiteLink 200-300.? What is the connection object created in the remote site. have you bridged your site links ?

There is NOT a site-bridge for any sites. only site-links.....
There are hundreds of subnets and sites for the subnets.
The site Link for each site is Cost 45 Replication Interval 15
There are hundreds of Domain controllers, and a mixture of win2003 and win2008

What should be my next steps. What does a site-bridge do? why are the pros and cons of a site bridge?

Its also important to note that I believe your artice was followed:


There is a GPO excluding all the generic srv records on dns.

The other weird thing is all remote DCs  DNSSearchOrder is that of the HQ-Datacenter DNS, and not itself. Not sure why this is, and if there is a legitiment reason for all dcs to point to and

Reason I ask, is I read these a few places. Need clarification on next steps please

In addition to the reasons already given for restricting how domain controllers register their SRV records, when Active Directory-integrated DNS zones are used in large deployments, the storage limitations of attributes will come into play. DNS registrations are stored in multivalued attributes. Active Directory has a limitation for nonlinked, multivalued attributes such that approximately 1,200 values can be saved per object. This limit is different from the limit for linked multivalued attributes, such as groups, that can hold many more values. For small deployments, the Net Logon configuration is optional and optimizes service location. For deployments with more than 1,200 domain controllers, this configuration is mandatory because of the storage limitation for nonlinked, multivalued attributes
If, for example, more than 1,200 domain controllers try to register services for the same domain, this limitation will be reached. If Net Logon is configured correctly (so that branch office domain controllers will register entries only on a per-site level, but not on the domain level), this limitation will be moved from a per-domain level to a per-site level, and thus allows thousands of domain controllers to register services.

To avoid the situation where clients in one branch contact a domain controller in another branch, the Net Logon service on all branch office domain controllers must be configured to publish only site-specific Locator records and not generic domain controller Locator records. With this configuration, only the data center domain controllers publish generic Locator records, in addition to their site-specific records. If this configuration change is made, branch clients that cannot find a domain controller in their own site will find generic domain controller Locator records for only data center domain controllers. To limit the domain controllers that are found by preventing the registration of generic SRV records, you have to configure Net Logon with the  policies discussed in the next section.
Group Policy Setting for the Domain Controllers
To prevent Net Logon on a domain controller from attempting dynamic updates of certain DNS records, use the Group Policy snap-in to edit the Default Domain Controllers Policy:
Computer Configuration/Administrative Templates/System/NetLogon/DC Locator DNS Record
DC Locator DNS records not registered by the DCs/VALUE: ENABLED/Mnemonics: LdapIpAddress Ldap Gc GcIPAddress Kdc Dc DcByGuid Rfc1510Kdc Rfc1510Kpwd Rfc1510UdpKdc Rfc1510UdpKpwd GenericGc
In the Group Policy snap-in, the configuration is as follows:
•      Group Policy object: Default Domain Controllers Policy
•      Group Policy snap-in path: Computer Configuration/Administrative Templates/System/NetLogon/DC Locator DNS Record
•      Policy setting to edit: DC Locator DNS records not registered by the DCs
•      Mnemonics to select: LdapIpAddress Ldap Gc GcIPAddress Kdc Dc DcByGuid Rfc1510Kdc Rfc1510Kpwd Rfc1510UdpKdc Rfc1510UdpKpwd GenericGc
In this value, specify the list of mnemonics corresponding to the DNS records that should not be registered by this domain controller. Table 4.1 shows all available mnemonics:
Table 4.1   Mnemonics Available for Customized DNS Configuration
Mnemonic      Type      DNS Record
Dc      SRV      _ldap._tcp.dc._msdcs.<DnsDomainName>
DcAtSite      SRV      _ldap._tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName>
DcByGuid      SRV      _ldap._tcp.<DomainGuid>.domains._msdcs.<DnsForestName>
Pdc      SRV      _ldap._tcp.pdc._msdcs.<DnsDomainName>
Gc      SRV      _ldap._tcp.gc._msdcs.<DnsForestName>
GcAtSite      SRV      _ldap._tcp.<SiteName>._sites.gc._msdcs.<DnsForestName>
GenericGc      SRV      _gc._tcp.<DnsForestName>
GenericGcAtSite      SRV      _gc._tcp.<SiteName>._sites.<DnsForestName>
GcIpAddress      A      _gc._msdcs.<DnsForestName>
DsaCname      CNAME      <DsaGuid>._msdcs.<DnsForestName>
Kdc      SRV      _kerberos._tcp.dc._msdcs.<DnsDomainName>
KdcAtSite      SRV      _kerberos._tcp.dc._msdcs.<SiteName>._sites.<DnsDomainName>
Ldap      SRV      _ldap._tcp.<DnsDomainName>
LdapAtSite      SRV      _ldap._tcp.<SiteName>._sites.<DnsDomainName>
LdapIpAddress      A      <DnsDomainName>
Rfc1510Kdc      SRV      _kerberos._tcp.<DnsDomainName>
Rfc1510KdcAtSite      SRV      _kerberos._tcp.<SiteName>._sites.<DnsDomainName>
Rfc1510UdpKdc      SRV      _kerberos._udp.<DnsDomainName>
Rfc1510Kpwd      SRV      _kpasswd._tcp.<DnsDomainName>
Rfc1510UdpKpwd      SRV      _kpasswd._udp.<DnsDomainName>

The recommended configuration in a branch office deployment is as follows:
•      For all branch office domain controllers, add all mnemonic entries that do not have “AtSite” as part of the mnemonic, except do not add DsaCname.
•      For data center domain controllers, do not edit the policy setting. Allow the domain controllers to register all records.


Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
Log in to continue reading
Log In
Sign up - Free for 7 days
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.

Thanks for the Reply...

In sites and services in Sites - Inter-Site-Transport - IP
The bridge all sites was already cleared or disabled.

So like I mentioned I have Several Hundred sites.
Each site is linked with the Data-Center site.
Cost 45 Replication Interval 15

When looking in Sites and Services - Sites - Site Name - Server - DC - NTDS Settings
it has servers that are not Datacenter DCS... and some sites don't even have the Data Center DCS in them. Like weird random partners. Like one in Michigan has a partner in New York and One in San fransico and DataCenter is in Atlanta.

So my question.
When you setup Site links - Is it suppose to only sync with the DCs at the Datacenter in my case, and /kcc would only automatically generate partners to the datacenter.... I am confused alittle, since some don't have the Datacenter in its ntds settings, and some sites have all the partners. Hundreds of them...

Looking further into one of the sites.
I saw HQ - Datacenter, had all the sites in its site-link.
I removed all sites, except that of HQ-Datacenter.
Running repadmin /kcc *

Will this fix the issues?
will partners only be the actual site and the datacenter in KCC or is it still random generated and could replicate with other sites. Is this Okay?

If you run repadmin /kcc does it remove all previous connections and recreate new connections?  how can you remove all connections from every site, then run repadmin /kcc if needed?

you said DNS configuration is fine, Do yuou mean that all DCs point to the Datacenter DNS, and only that DNS server?  What are the pros and cons of this?
How Do I check for network delay.

I am also needing confirmation on proper GPO and if SRV records should or should not get generated? Like I said hundreds of ADS/DNS servers all across North America at remote branches. Not 100% sure how they are connected.. vpn, etc.

You mention that All DNS servers should point to theirselves, then secondary DNS would go to the Datacenter DCs.
What are some of the benefits of this, and what are the Cons. Also if it points to itself and the GPO is applied to keep certain srv records from registering, would this cause a problem?

I just want to make sure all DCS, DNS, Sites, Links, ADS, is setup properly..
I really appreciate your time, suggestions, and willingness to help.
I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck

Awarding points, still reasearching issue -- thanks for your help EE Experts.