Windows 2016 RODC in DMZ KCC Errors

We have a WIndows 2016 server core RODC in our DMZ. The RODC restricted on which DC is can replicate with. REplication is working between the R/W DC and RODC. The event logs on the DC are flood with KCC errors. Some of which are for Site the RODC does not have access to. We have manual connection define but is there any way to stop these warning message like

Event ID 2847 or 2904
LVL 20
compdigit44Asked:
Who is Participating?
 
MaheshConnect With a Mentor ArchitectCommented:
so, all internal dcs are in same location?
if not, being single ad site, user can authenticate to any dc out of six or even with rodc
to stream line , if dcs are separated by wan links, create new ad sites and site links and latch there subnets as well
after that untick site link bridging and add only required sites to site link
OR
U can set new site and site link only for dmz along with disabling site link bridging
OR
manually create connection objects between dcs with required once only and ignore automatically created connection objects
0
 
MaheshArchitectCommented:
you need to ensure that AD ports are opened as appropriate from writable dc to rodc and vice versa
u can use portquerygui tool for same
0
 
Shaun VermaakTechnical Specialist/DeveloperCommented:
Run this command and post out.txt
repadmin /showrepl * > out.txt

Open in new window

0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
compdigit44Author Commented:
repadmin shows that replication is 100% successfull for the DC's the RODC is allowed to replicate with in the firewall. But see errors for other DC which is it blocked from replicating with: "KCC Could not add this replica Link..." I know KCC wants to create links automatically but in our situation with firewall restrictions this will not work. How can we stop KCC from trying to add this links and flooding the event logs
0
 
MaheshArchitectCommented:
this needs to be controlled on site link level
untick bridge all site links in ip site link properties
then ensure that correct sites are added in every site link
this will ensure that replication is happening between only those sites and no unnecessary connection object will be created
0
 
compdigit44Author Commented:
Just to cofirm I only have the default site link. I should create another one correct
0
 
MaheshArchitectCommented:
Correct
in that case tick / untick setting won,t help

do you have all DC's in same location?

if not ideally you need to setup sites and site links and then only scenario would work
0
 
compdigit44Author Commented:
Here is my setup
6 DC's internal
2 RODC DMZ that can only talk to two internal DC
1 DC at remote vendor site that can only talk to two DC

Also my subnet contacts a broad IP range that covers all IP in our organization both internal and external. I know a subnet is assigned to a site but it the broad IP range is assigned to the internal site would the DMZ range which is cover by this IP range get mixed up into the internal site as well
0
 
MaheshArchitectCommented:
or one more way u can open ports between rodc and all other 6 dcs bi-directionally
0
 
compdigit44Author Commented:
is there value is change to a hub spoke replication setup???
0
 
MaheshArchitectCommented:
you are talking about which value?

site link cost or what?

no need to change it
0
 
compdigit44Author Commented:
in regards to value I am referring to better / more efficient replication
0
 
MaheshArchitectCommented:
nothing has changed since 2008 server from network port stand point
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.