A.D. Design help


Chris Hall

Good morning,

I had posted previously on 1/8/04, but it seems I lost the person who was
helping me. I'm getting error messages in Directory Service in the Event
Viewer on the LEXINGTON server. The source is NTDS KCC. And here are the
errors:

Event Type: Error
Event Source: NTDS KCC
Event Category: (1)
Event ID: 1311
Date: 1/14/2004
Time: 11:50:03 AM
User: N/A
Computer: LEXINGTON
Description:
The Directory Service consistency checker has determined that either (a)
there is not enough physical connectivity published via the Active Directory
Sites and Services Manager to create a spanning tree connecting all the
sites containing the Partition
CN=Configuration,DC=securityfederalbank,DC=com, or (b) replication cannot be
performed with one or more critical servers in order for changes to
propagate across all sites (most often due to the servers being
unreachable).

For (a), please use the Active Directory Sites and Services Manager to do
one of the following:
1. Publish sufficient site connectivity information such that the system can
infer a route by which this Partition can reach this site. This option is
preferred.
2. Add an ntdsConnection object to a Domain Controller that contains the
Partition CN=Configuration,DC=securityfederalbank,DC=com in this site from a
Domain Controller that contains the same Partition in another site.

For (b), please see previous events logged by the NTDS KCC source that
identify the servers that could not be contacted.


Event Type: Warning
Event Source: NTDS KCC
Event Category: (1)
Event ID: 1566
Date: 1/14/2004
Time: 11:50:03 AM
User: N/A
Computer: LEXINGTON
Description:
All servers in site
CN=Operations,CN=Sites,CN=Configuration,DC=securityfederalbank,DC=com that
can replicate partition CN=Configuration,DC=securityfederalbank,DC=com over
transport CN=IP,CN=Inter-Site
Transports,CN=Sites,CN=Configuration,DC=securityfederalbank,DC=com are
currently unavailable.

We have two servers in two sites located in two physical locations. Pretty
simple setup. Here's how I have it set up in AD Sites & Services:

SITES: Operations, Lexington
SERVERS: SYSTEMS_SERVER (in Operations site), LEXINGTON
SUBNETS: 100.200.102.0 (Operations), 100.200.132.0 (Lexington)
SITE LINKS: Inter-Site Transport (IP) set up to link Operations to Lexington
BRIDGEHEAD Server: SYSTEMS_SERVER

FSMO: SYSTEMS_SERVER
GC Server: both set as GC

DNS: Both have SYSTEMS_SERVER set as the primary DNS server in the TCP/IP
properties. Both have DNS set up with Active Directory Integrated zones, with
the appropriate reverse lookup zones and RRs.

I'm not sure where else to look. Suggestions?
 

David Brandt [MSFT]

Don't know what info you might have gotten earlier, so sorry if offering
something that you already have, but verify the 102 and 132 subnets are
associated with the appropriate site and that your site links are ok.
The following articles should help, especially the second one.

214745 Troubleshooting Event ID 1311: Knowledge Consistency Checker
http://support.microsoft.com/?id=214745

307593 How to Troubleshoot Event ID 1311 Messages on a Windows 2000 Domain
http://support.microsoft.com/?id=307593

--
David Brandt
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
 

Chris Hall

David,

Thanks for the quick reply! I have looked at the first article, but will
review the second and will post the results. I have verified the subnets are
associated with the appropriate sites, but will double-check. Since I only
have the two sites, I would only need one site link, correct? I checked the
site link in the AD Site & Serv. snap-in and both sites (Operations and
Lexington) are in the site link. The cost is set to 100 and replicates every
180 minutes (the default).
 

David Brandt [MSFT]

If both sites are in that site link, it should be OK. Hopefully the second
article will be helpful as it goes into more detail on troubleshooting.

--
David Brandt
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
 

Chris Hall

Question, probably no-brainer, but don't want to take anything for granted:

The DEFAULT-FIRST-SITE is still in sites & services, since I'm not using
that, should I remove it? Will that harm anything? It shows up in the AD
REPLMON utility, when I generate a report.
 

Chris Hall

Okay, looking at the second article you recommended, I typed repadmin
/showism and got the following:


==== TRANSPORT CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=securityfederalbank,DC=com CONNECTIVITY INFORMATION FOR 3 SITES: ====

0, 1, 2
1. ( 0) CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=securityfederalbank,DC=com
0:0:0, -1:0:0, -1:0:0

2. All DCs in site CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=securityfederalbank,DC=com (with trans & hosting NC) are bridgehead candidates.
( 1) CN=Lexington,CN=Sites,CN=Configuration,DC=securityfederalbank,DC=com
-1:0:0, 0:0:0, 100:180:0

3. All DCs in site CN=Lexington,CN=Sites,CN=Configuration,DC=securityfederalbank,DC=com (with trans & hosting NC) are bridgehead candidates.
( 2) CN=Operations,CN=Sites,CN=Configuration,DC=securityfederalbank,DC=com
-1:0:0, 100:180:0, 0:0:0

Shouldn't number 2 (numbered for convenience) say something like All DCs in
site CN=Operations, CN=Sites, blah, blah, blah, instead of:
Default-First-Site-Name, blah, blah, blah?
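
Added example (not part of the original thread and not Microsoft's code): a small Python parser for the `repadmin /showism` output pasted above, reporting which sites have no path to any other site. It assumes each `( n) <site DN>` line opens a site block, that an "All DCs in site ..." line belongs to the block above it, and that each triple reads cost:interval:options with a cost of -1 meaning no path; the 100:180 entries match the site link cost and interval quoted earlier in the thread.

```python
import re

# Constructed sample: the thread's `repadmin /showism` output with wrapped
# lines rejoined and the poster's 1./2./3. labels dropped.
SAMPLE = """\
==== TRANSPORT CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=securityfederalbank,DC=com CONNECTIVITY INFORMATION FOR 3 SITES: ====
0, 1, 2
( 0) CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=securityfederalbank,DC=com
0:0:0, -1:0:0, -1:0:0
All DCs in site CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=securityfederalbank,DC=com (with trans & hosting NC) are bridgehead candidates.
( 1) CN=Lexington,CN=Sites,CN=Configuration,DC=securityfederalbank,DC=com
-1:0:0, 0:0:0, 100:180:0
All DCs in site CN=Lexington,CN=Sites,CN=Configuration,DC=securityfederalbank,DC=com (with trans & hosting NC) are bridgehead candidates.
( 2) CN=Operations,CN=Sites,CN=Configuration,DC=securityfederalbank,DC=com
-1:0:0, 100:180:0, 0:0:0
"""

SITE = re.compile(r"^\(\s*(\d+)\)\s*CN=([^,]+),")
ROW = re.compile(r"^-?\d+:\d+:\d+(,\s*-?\d+:\d+:\d+)*$")
ANY_DC = re.compile(r"^All DCs in site CN=([^,]+),")

def parse_showism(text):
    """Return (site name by index, cost row by index, sites with an 'All DCs' line)."""
    names, rows, any_dc, current = {}, {}, set(), None
    for line in (l.strip() for l in text.splitlines()):
        if m := SITE.match(line):
            current = int(m.group(1))
            names[current] = m.group(2)
        elif ROW.match(line) and current is not None:
            # Assumed triple layout cost:interval:options; keep only the cost.
            rows[current] = [int(t.split(":")[0]) for t in line.split(",")]
        elif m := ANY_DC.match(line):
            any_dc.add(m.group(1))
    return names, rows, any_dc

def isolated_sites(names, rows):
    """Sites whose row has a negative cost to every other site (assumes -1 = no path)."""
    return sorted(names[i] for i, row in rows.items()
                  if all(c < 0 for j, c in enumerate(row) if j != i))

if __name__ == "__main__":
    names, rows, any_dc = parse_showism(SAMPLE)
    print("isolated:", isolated_sites(names, rows))
    print("no 'All DCs' line:", sorted(set(names.values()) - any_dc))
```

On this input the only isolated site is Default-First-Site-Name, and Operations is the only site without an "All DCs" line in the pasted text.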
 

David Brandt [MSFT]

There is no problem with deleting the default first site as it is just
another site like any other you've created. Most people just rename it to
whatever they want and then create new ones as needed, but since it's empty,
I'd go ahead and delete it, and then see if your repadmin results don't
clear up.

--
David Brandt
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
 

Chris Hall

David,

I'm still getting the same errors...DNS errors, File Replication errors,
etc...I'm going to move the FSMO roles to the other server and rename the
first server. Presently, the server name is SYSTEMS_SERVER, which is not RFC
compliant...I think that would fix the DNS errors, which may solve the other
problems. I'll post the results.
 

Chris Hall

I tried to transfer roles to the other server but got this message:

The transfer of the operations master role cannot be performed because: The
requested FSMO operation failed. The current FSMO holder could not be
contacted.

Not sure where to turn at this point. Suggestions?
 
