RE: NTDS KCC Event ID: 1311

I'm not sure if you are doing anything wrong but on a different approach, KCC
events are usually cause by network connectivity issues. AD is quite good at
establish intersite links to communicate with each other. Unless there is
site link problem or necessary ports being blocked, there usually aren't much
KCC errors. What type of setup do you have between the two sites? Here is
an article for reference on port requirement if you have a firewall setup in
each site.

http://technet.microsoft.com/en-us/library/Bb727063.aspx

Both pepadmin and replmon tool can help you further diagnose connectivity
issues between domain controllers.

As for logon being slow, check if you have the correct subnet assigned to
each site in your domain by checking Site and Services\Subnet. Users should
always use the domain controller local to their network. Slowlogons can
happen if they are trying to authenticate to the domain controller at the
remote site.



"Anderson" wrote:

Hi All,

I have recently added a 2nd site to our network, with a DC in each location.
The setup seemed to be correct, but users were taking a long time to login.

After a reboot of one of our DCs, I have now started to receive the
following error in the Event Log every 15 minutes.

"""
Type: Warning
Source: NTDS KCC
Category: Knowledge Consistency
Event ID: 1311
User: NT AUTHORITY\ANONYMOUS LOGON
Description:
The Knowledge Consistency Checker (KCC) has detected problems with the
following directory partition.

Directory partition:
CN=Configuration,DC=APAC,DC=local

There is insufficient site connectivity information in Active Directory
Sites and Services for the KCC to create a spanning tree replication
topology. Or, one or more domain controllers with this directory partition
are unable to replicate the directory partition information. This is
probably due to inaccessible domain controllers.

User Action
Use Active Directory Sites and Services to perform one of the following
actions:
- Publish sufficient site connectivity information so that the KCC can
determine a route by which this directory partition can reach this site.
This is the preferred option.
- Add a Connection object to a domain controller that contains the directory
partition in this site from a domain controller that contains the same
directory partition in another site.

If neither of the Active Directory Sites and Services tasks correct this
condition, see previous events logged by the KCC that identify the
inaccessible domain controllers.
"""



Along with the following warning:



"""
Type: Warning
Source: NTDS KCC
Category: Knowledge Consistency
Event ID: 1865
User: NT AUTHORITY\ANONYMOUS LOGON
Description:
The Knowledge Consistency Checker (KCC) was unable to form a complete
spanning tree network topology. As a result, the following list of sites
cannot be reached from the local site.

Sites:
CN=BNEHQ,CN=Sites,CN=Configuration,DC=APAC,DC=local
"""




I have been following the instructions here:

http://technet2.microsoft.com/WindowsServer/en/library/fa4c9981-5749-4e5a-a216-38f9faed53441033.mspx

I get down to this part, searching in Ldap.

"""
8. On the Browse menu, click Search.

9. In Base dn, type:

CN=Sites,CN=Configuration,DC=Forest_Root_Domain

10. In Filter, type:

(CN=NTDS Site Settings)

11. For Scope, click Subtree.

12. Click Options, and in the Attributes box, scroll to the end of the
list, type:

;interSiteTopologyGenerator

and then click OK.

13. In the Search dialog box, click Run.
"""



The page tells me to "Review the interSiteTopologyGenerator entries in the
output, and make a note of the domain controller names"

But, instead of getting a list of DC names, I get:

"""
***Searching...
ldap_search_s(ld, "CN=Sites,CN=Configuration,DC=APAC", 2, "(CN=NTDS Site
Settings)", attrList, 0, &msg)
Error: Search: Referral. <10>
Server error: 0000202B: RefErr: DSID-031006E0, data 0, 1 access points
ref 1: 'walltech'

Result <10>: 0000202B: RefErr: DSID-031006E0, data 0, 1 access points
ref 1: 'APAC'

Matched DNs:
Getting 0 entries:
"""


What have I done wrong?







.

Relevant Pages

  • Re: server 2003 [error_netname_deleted]
    ... Domain Controller Diagnosis ... Starting test: Connectivity ... can replicate the directory partition over this ...
    (microsoft.public.windows.server.active_directory)
  • Re: active directory replication
    ... Domain Controller Diagnosis ... Starting test: Connectivity ... replicas and are not verifiably latent, or dc's no longer replicating this ... can replicate the directory partition over this ...
    (microsoft.public.windows.server.active_directory)
  • RE: DC Kerberos Errors
    ... Source: NTDS KCC ... Directory partition: ... There is insufficient site connectivity information in Active Directory ... Add a Connection object to a domain controller that contains the directory ...
    (microsoft.public.windows.server.active_directory)
  • Re: Replication errors - NTDS KCC
    ... EventID 1925 is connectivity related problems: ... Attempt to establish a replication link failed due to ... following directory partition. ... Add a Connection object to a domain controller that contains the ...
    (microsoft.public.windows.server.active_directory)
  • Re: active directory windows cannot set the the password for user...
    ... Also have a look at your Active directory sites and services configuration. ... The machine I'm using is a domain controller and I'm logged in as the domain ... The Knowledge Consistency Checker (KCC) has detected problems with the ... following directory partition. ...
    (microsoft.public.windows.server.active_directory)
Loading