How to create an automatic connection for an existing DC in AD Sites and Services?

Hi All,

How can I create / recreate the automatic connection of an existing DC from one site to another?

Because before I decommission one of my DCs in the HQ office, I need to allow the connection to reach my newly built DC between the Data Centre and the new HQ DC.

Senior IT System Engineer, IT Professional, asked:

Senior IT System Engineer, IT Professional (Author), commented:
Because when I turn off one of my domain controllers in my HQ office, any changes are not replicated to the Data Centre domain controllers.

Any idea would be greatly appreciated.
Will Szymkowski, Senior Solution Architect, commented:
This is actually quite easy.

- Open Sites and Services
- Expand the Site
- Expand the Servers folder
- Expand the Server you want to make the automatic connections to
- Right-click NTDS Settings (under the Server object)
- Select All Tasks, Check Replication Topology

The KCC (Knowledge Consistency Checker) will then calculate the appropriate connections to make based on the network latency and geo location.

After this process is completed you will see the connection to the DC and they will be Automatic.

Note: if you already have manual connections to this DC you need to remove them first. If you do not, the KCC will ignore these connections and new ones will not be made.
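The check described above, as an added example that is not part of the thread: a PowerShell script that lists the connection objects under every DC in one site, flags the ones that were created manually (the KCC marks its own connections with bit 0x1, NTDSCONN_OPT_IS_GENERATED, in the nTDSConnection `options` attribute), and then runs the command-line equivalent of "Check Replication Topology". It assumes the RSAT ActiveDirectory module and repadmin.exe are installed, and the site name HQ is a placeholder for your own site.

```powershell
# Added example, not code from the thread. Assumes RSAT ActiveDirectory module
# and repadmin.exe are available; 'HQ' is a placeholder site name.
Import-Module ActiveDirectory

$siteName = 'HQ'   # placeholder: replace with your own site name
$configNC = (Get-ADRootDSE).configurationNamingContext
$siteDN   = "CN=$siteName,CN=Sites,$configNC"

# Bit 0x1 of the nTDSConnection 'options' attribute (NTDSCONN_OPT_IS_GENERATED)
# is set on connections the KCC generated itself; anything without it is manual.
$NTDSCONN_OPT_IS_GENERATED = 0x1

$connections = Get-ADObject -SearchBase $siteDN -LDAPFilter '(objectClass=nTDSConnection)' `
    -Properties options, fromServer |
  ForEach-Object {
    # A connection object lives under CN=NTDS Settings,CN=<server>,CN=Servers,...
    # so the third RDN of its DN names the inbound (destination) server; the
    # 'fromServer' attribute is the DN of the partner's NTDS Settings object.
    $toServer   = ($_.DistinguishedName -split ',')[2] -replace '^CN='
    $fromServer = ($_.fromServer -split ',')[1] -replace '^CN='
    [pscustomobject]@{
        Name      = $_.Name
        To        = $toServer
        From      = $fromServer
        Automatic = (([int]$_.options -band $NTDSCONN_OPT_IS_GENERATED) -ne 0)
    }
  }

$connections | Format-Table -AutoSize

# The KCC leaves manual connections alone, so report them instead of deleting
# them; they have to be removed by hand before the KCC will build replacements.
$manual = $connections | Where-Object { -not $_.Automatic }
if ($manual) {
    Write-Warning "Manual connection objects in site $siteName; the KCC will not replace these:"
    $manual | Format-Table -AutoSize
}

# Command-line equivalent of right-click NTDS Settings > All Tasks > Check
# Replication Topology: run the KCC on every DC in the site, then list each DC's
# inbound partners so the newly generated connections can be verified.
repadmin /kcc "site:$siteName"
repadmin /showrepl "site:$siteName"
```

Run it as a user who can read the Configuration partition; only the `repadmin /kcc` step changes anything, and it only asks the KCC to recompute, which is the same operation the GUI menu item triggers.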

Amit, IT Architect, commented:
No action required, AD will recreate it automatically.

Senior IT System Engineer, IT Professional (Author), commented:
Ok so in my case here,

If I delete all the manual connections in all of my Data Centre domain controllers AND headquarters office domain controllers, how can they know that they must be connected automatically to the HQ domain controllers and not to any other AD sites?

And if the connection is not automatically created, do I just create them manually to prevent AD synchronisation issues?
Will Szymkowski, Senior Solution Architect, commented:
When you promote a new DC into the environment it will automatically create the required connections it needs based on where it resides in Sites and Services and also if the physical network path is in place to make the connection.

> If I delete all the manual connections in all of my Data Centre domain controllers AND headquarters office domain controllers, how can they know that they must be connected automatically to the HQ domain controllers and not to any other AD sites?

All your connections should be set as Automatic. Manual connections should only ever be used when you do not want the KCC to make the connections for you, (which is a completely dumb idea). The KCC checks its connections on a timed interval every 15 minutes.

More Detail on KCC

The KCC (automatic connections) is the best practice because if your DC is offline or is not reachable due to network connectivity the KCC will automatically re-calculate its connections that are made and create new connections to ensure all DC's that ARE ONLINE get the updates accordingly.

Also another best practice for KCC is to have all of the Sites in the same Default Site Link. This allows the KCC to make redundant connections to all replication partners; in the event of a network issue to a DC, it will automatically re-create new connections.

If you want to isolate specific DC's from getting automatic connections made to it then you need to create additional Site Links (still taking advantage of the KCC). When you use different Site Links this allows you to control hub sites.

Site Links should also be created when you have remote sites that do not have connectivity directly to another AD Site. If this is the case and you put all of your Sites in the same Default Site Link you will receive warning events on your DC's stating that the KCC cannot make a connection.

One last point that I will mention is that when you create manual connections these connections are static and will not fail over or change in the event there is no network connectivity or the DC is simply powered off.

This is the same outcome when you specify a "preferred bridgehead server": it will not automatically fail over in the event the DC is unreachable.

Also Amit's comment
> No action required, AD will recreate it automatically.
is false, as you can see: if you have manually created connections the KCC will ignore them and not re-create them.


Senior IT System Engineer, IT Professional (Author), commented:
So if I delete those connections from all domain controllers between the Data Centre AD site and the Headquarters Office AD site, can the connections be recreated automatically?

I'm worried about the AD replication between those two AD sites if somehow the automatic connection is not created.
Will Szymkowski, Senior Solution Architect, commented:
All you need to do to force the KCC to auto create those connections is follow the steps in my first post. Also you just need to make sure that you have network connectivity to these sites and you'll be fine.

Then in the future if/when you demote a DC the KCC will re-establish new connections automatically. If there are manual connections the KCC will ignore them and you have to manually remove them.

Senior IT System Engineer, IT Professional (Author), commented:
OK, one more last question: will the connection be made automatically for the domain controllers in the different AD site?

Or do I have to manually create the connection for the domain controller in the different AD site?
Because when I do the steps that you mentioned above, it doesn't automatically create anything to the new domain controller in the HQ office AD site.
Will Szymkowski, Senior Solution Architect, commented:
If you have proper networking in place the connections will be created automatically. You also need to make sure that your DC's are part of the correct Site as well.

Depending on what your time interval is set to for replication will also determine how fast these connections will be made. You need to check your ISTG settings and also ensure that you do not have any time replication restrictions.

Take a look at my HowTo Part 1 regarding AD Sites and Services. I will be publishing part 2 shortly. Part 1 should provide enough information to get you going.

AD Sites and Services Part1

Also see if you have disabled the KCC within your Sites as well.

If you did have the KCC disabled you should revert this change as it is always important to have KCC enabled at all times.

Senior IT System Engineer, IT Professional (Author), commented:
Will, somehow the last part of the Microsoft KB article 242780 is not clear:

To determine if these values are set correctly, you can use Active Directory Replication Monitor (also included with the Support Tools installation) to generate a report on the site configuration.

What's the RepAdmin.exe command parameter to show those KCC settings?
Will Szymkowski, Senior Solution Architect, commented:
For example, you can use the following command to recalculate the connections for a specific site.
repadmin /kcc site:HQ


Senior IT System Engineer, IT Professional (Author), commented:
Will, does that command have the same effect as right-clicking NTDS Settings and then selecting "Check Replication Topology" from the AD Sites and Services GUI?

I'm trying to avoid unwanted outage to my domain and Exchange Server email flow as well.
Will Szymkowski, Senior Solution Architect, commented:
Checking the Topology will not cause an outage to your Exchange or AD. Yes it is basically the same command but using the cmd line.

Senior IT System Engineer, IT Professional (Author), commented:
OK, do I need to transfer the ISTG role to another domain controller before demoting it?
Will Szymkowski, Senior Solution Architect, commented:
No, as long as you have not configured a preferred bridgehead server this will automatically be reassigned to another DC by the KCC.

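The two checks Will points at in the posts above (whether the KCC has been disabled within a site, as described in KB 242780, and which DC currently holds the ISTG role), as an added example that is not part of the thread: the KCC flags live in the `options` attribute of each site's NTDS Site Settings object (0x1 disables intra-site topology generation, 0x10 disables the inter-site generator, i.e. the ISTG), and the `interSiteTopologyGenerator` attribute of the same object names the current ISTG. It assumes the RSAT ActiveDirectory module; the `Enable-SiteKcc` function is my own helper, not a Microsoft cmdlet.

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Flag values for the nTDSSiteSettings 'options' attribute (KB 242780 / MS-ADTS).
$NTDSSETTINGS_OPT_IS_AUTO_TOPOLOGY_DISABLED            = 0x01  # intra-site KCC off
$NTDSSETTINGS_OPT_IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED = 0x10  # inter-site KCC (ISTG) off

$configNC = (Get-ADRootDSE).configurationNamingContext

function Get-SiteKccReport {
    # One row per site: KCC flags and the DC currently recorded as ISTG.
    Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter '(objectClass=site)' |
      ForEach-Object {
        $settings = Get-ADObject "CN=NTDS Site Settings,$($_.DistinguishedName)" `
            -Properties options, interSiteTopologyGenerator
        $opts = [int]$settings.options
        # interSiteTopologyGenerator is the DN of the ISTG's NTDS Settings object,
        # CN=NTDS Settings,CN=<server>,...; a site with no DCs has none recorded.
        $istg = if ($settings.interSiteTopologyGenerator) {
            ($settings.interSiteTopologyGenerator -split ',')[1] -replace '^CN='
        } else { '(none recorded)' }
        [pscustomobject]@{
            Site                 = $_.Name
            IntraSiteKccDisabled = (($opts -band $NTDSSETTINGS_OPT_IS_AUTO_TOPOLOGY_DISABLED) -ne 0)
            InterSiteKccDisabled = (($opts -band $NTDSSETTINGS_OPT_IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED) -ne 0)
            ISTG                 = $istg
        }
      }
}

function Enable-SiteKcc {
    # Hypothetical helper: clear both disable bits on one site so the KCC can
    # recalculate connections again. Supports -WhatIf so the change can be previewed.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SiteName)

    $dn      = "CN=NTDS Site Settings,CN=$SiteName,CN=Sites,$configNC"
    $current = [int](Get-ADObject $dn -Properties options).options
    $mask    = $NTDSSETTINGS_OPT_IS_AUTO_TOPOLOGY_DISABLED -bor `
               $NTDSSETTINGS_OPT_IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED
    $updated = $current -band (-bnot $mask)

    if ($updated -eq $current) {
        Write-Verbose "KCC already enabled in site $SiteName (options=$current)"
        return
    }
    if ($PSCmdlet.ShouldProcess($dn, "set options $current -> $updated")) {
        Set-ADObject $dn -Replace @{ options = $updated }
    }
}

$report = Get-SiteKccReport
$report | Format-Table -AutoSize

# Preview the fix for every site where either generator is switched off.
foreach ($row in $report | Where-Object { $_.IntraSiteKccDisabled -or $_.InterSiteKccDisabled }) {
    Enable-SiteKcc -SiteName $row.Site -WhatIf
}
```

Drop `-WhatIf` once the preview looks right; after re-enabling, `repadmin /kcc site:<name>` (as in Will's earlier post) makes the KCC recompute immediately instead of waiting for its 15-minute interval. The ISTG column is informational: when the ISTG is demoted the remaining DCs elect a new one on their own, which is why no transfer step is needed.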
Senior IT System Engineer, IT Professional (Author), commented:
Thanks !