compdigit44
asked on
Windows 2016 RODC in DMZ KCC Errors
We have a Windows 2016 Server Core RODC in our DMZ. The RODC is restricted on which DCs it can replicate with. Replication is working between the R/W DC and the RODC. The event logs on the DC are flooded with KCC errors, some of which are for sites the RODC does not have access to. We have manual connections defined, but is there any way to stop these warning messages, like
Event ID 2847 or 2904
Run this command and post out.txt
repadmin /showrepl * > out.txt
ASKER
repadmin shows that replication is 100% successful for the DCs the RODC is allowed to replicate with in the firewall. But I see errors for the other DCs which it is blocked from replicating with: "KCC Could not add this replica Link..." I know KCC wants to create links automatically, but in our situation with firewall restrictions this will not work. How can we stop KCC from trying to add these links and flooding the event logs?
This needs to be controlled at the site link level.
Untick "Bridge all site links" in the IP site link properties,
then ensure that the correct sites are added in every site link.
This will ensure that replication is happening only between those sites and no unnecessary connection object will be created.
ASKER
Just to confirm, I only have the default site link. I should create another one, correct?
Correct
In that case the tick / untick setting won't help.
Do you have all DCs in the same location?
If not, ideally you need to set up sites and site links, and only then would this scenario work.
ASKER
Here is my setup
6 DCs internal
2 RODCs in the DMZ that can only talk to two internal DCs
1 DC at a remote vendor site that can only talk to two DCs
Also, my subnet contains a broad IP range that covers all IPs in our organization, both internal and external. I know a subnet is assigned to a site, but if the broad IP range is assigned to the internal site, would the DMZ range, which is covered by this IP range, get mixed up into the internal site as well?
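The reply above says to untick "Bridge all site links" and to put only the right sites in each site link, and the asker's layout (6 internal DCs, 2 RODCs in a DMZ that reach only two internal DCs, 1 vendor DC, one broad subnet) is a hub-and-spoke topology. The following is an added example, not code from this thread or from any of the posters, showing how that topology is built and checked with the ActiveDirectory PowerShell module. The site names (Internal, DMZ, VendorSite), DC names (DC01, DC02, RODC01, RODC02, VENDORDC01) and subnet ranges are constructed placeholders.

```powershell
# Added example (not from the thread): build the hub-and-spoke site topology the
# replies describe, then verify what the KCC will see. Requires the ActiveDirectory
# module (RSAT) and Enterprise Admin rights. All names and ranges are placeholders.
Import-Module ActiveDirectory

$configNC    = (Get-ADRootDSE).configurationNamingContext
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"

# --- 1. Sites and subnets: one hub plus one spoke per firewall-isolated location ---
# AD maps a host to the site of the MOST SPECIFIC matching subnet, so a /24 assigned
# to DMZ wins over the broad /8 assigned to Internal; the ranges can overlap safely.
$sites = @{
    'Internal'   = @('10.0.0.0/8')      # broad internal range (placeholder)
    'DMZ'        = @('10.200.0.0/24')   # DMZ range carved out of the broad range
    'VendorSite' = @('192.0.2.0/24')    # remote vendor range (placeholder)
}
foreach ($siteName in $sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$siteName'")) {
        New-ADReplicationSite -Name $siteName
    }
    foreach ($cidr in $sites[$siteName]) {
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
            New-ADReplicationSubnet -Name $cidr -Site $siteName
        }
    }
}

# --- 2. Site links: each spoke is linked ONLY to the hub; no DMZ<->Vendor link exists --
$links = @(
    @{ Name = 'Internal-DMZ';    Sites = @('Internal', 'DMZ') },
    @{ Name = 'Internal-Vendor'; Sites = @('Internal', 'VendorSite') }
)
foreach ($l in $links) {
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$($l.Name)'")) {
        New-ADReplicationSiteLink -Name $l.Name -SitesIncluded $l.Sites -Cost 100 `
            -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
    }
}
# Spoke sites must not also sit in DEFAULTIPSITELINK, or the KCC treats them as adjacent.
$default = Get-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK'
$stale   = @('DMZ', 'VendorSite') | Where-Object { $default.SitesIncluded -match "^CN=$_," }
if ($stale) {
    Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{ Remove = $stale }
}

# --- 3. Untick "Bridge all site links" (bit 0x2 of 'options' on the IP transport) ----
# With bridging on, the KCC assumes DMZ can reach VendorSite through Internal and tries
# to create connection objects the firewall blocks; this is the source of the warnings.
$opt = (Get-ADObject -Identity $ipTransport -Properties options).options
if (-not $opt) { $opt = 0 }
if (-not ($opt -band 2)) {
    Set-ADObject -Identity $ipTransport -Replace @{ options = ($opt -bor 2) }
}

# --- 4. DC objects never move automatically; put each DC in its site --------------
Move-ADDirectoryServer -Identity 'RODC01'     -Site 'DMZ'
Move-ADDirectoryServer -Identity 'RODC02'     -Site 'DMZ'
Move-ADDirectoryServer -Identity 'VENDORDC01' -Site 'VendorSite'

# --- 5. Only DC01/DC02 are reachable through the firewall, so make them the
#        preferred bridgeheads for Internal; otherwise the ISTG may pick any of the 6.
foreach ($dc in 'DC01', 'DC02') {
    $server = "CN=$dc,CN=Servers,CN=Internal,CN=Sites,$configNC"
    $cur = (Get-ADObject -Identity $server -Properties bridgeheadTransportList).bridgeheadTransportList
    if ($cur -notcontains $ipTransport) {
        Set-ADObject -Identity $server -Add @{ bridgeheadTransportList = $ipTransport }
    }
}

# --- 6. Verify: every link should list exactly the sites you intend, bridging off ----
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } }
"Bridge all site links disabled: $(((Get-ADObject -Identity $ipTransport -Properties options).options -band 2) -ne 0)"

# Recent occurrences of the two KCC warnings named in the question (local DC's log).
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2847, 2904 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } }

# Force the ISTG in each site to recompute the topology, then re-check with the same
# command used earlier in the thread:   repadmin /kcc RODC01   and   repadmin /showrepl *
```

After step 3 the KCC stops assuming transitive reachability, so it only builds connections along the two explicit links; with steps 1, 4 and 5 the RODCs are actually in the DMZ site and their inbound partners are restricted to the two DCs the firewall allows, which is what makes the 2847/2904 warnings for unreachable sites go away rather than just be hidden.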
ASKER CERTIFIED SOLUTION
Or, one more way: you can open ports between the RODC and all other 6 DCs bi-directionally.
ASKER
Is there value in changing to a hub-and-spoke replication setup?
you are talking about which value?
site link cost or what?
no need to change it
ASKER
In regard to value, I am referring to better / more efficient replication.
Nothing has changed since Server 2008 from a network port standpoint.
You can use the PortQryUI tool for the same.