Event Error –>
The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
Directory partition:
CN=Configuration,DC=cry,DC=in
There is insufficient site connectivity information for the KCC to create a spanning tree replication topology. Or, one or more directory servers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible directory servers.
User Action
Perform one of the following actions:
– Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.
– Add a Connection object to a directory service that contains the directory partition in this site from a directory service that contains the same directory partition in another site.
If neither of the tasks correct this condition, see previous events logged by the KCC that identify the inaccessible directory servers.
_____________________________________________________________________________________________
Solutions –>
Run CMD :–> “repadmin /showrepl” and check result If The destination server is currently rejecting replication requests then follow below steps
Step :–> 1
Run CMDS
- repadmin /options <DC NAME> +DISABLE_OUTBOUND_REPL
- repadmin /options <DC NAME> -DISABLE_OUTBOUND_REPL
- repadmin /options <DC NAME> +DISABLE_INBOUND_REPL
- repadmin /options <DC NAME> -DISABLE_INBOUND_REPL
There is the output of repadmin / options command
C:\Documents and Settings\Administrator>repadmin /options DC1 +DISABLE_OUTBOUND
_REPL
Current options: IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL
New options : IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL
C:\Documents and Settings\Administrator>repadmin /options DC1 -DISABLE_OUTBOUND_REPL
Current options: IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL
New options : IS_GC DISABLE_INBOUND_REPL
C:\Documents and Settings\Administrator>repadmin /options DC1 +DISABLE_INBOUND_REPL
Current options: IS_GC DISABLE_INBOUND_REPL
New options : IS_GC DISABLE_INBOUND_REPL
C:\Documents and Settings\Administrator>repadmin /options DC1 -DISABLE_INBOUND_REPL
Current options: IS_GC DISABLE_INBOUND_REPL
New options : IS_GC
Step :–> 2
1) Identify the ISTG covering each site by running this command:
“repadmin /istg”
The output will list all sites in the forest and the ISTG for each site:
repadmin running command /istg against server localhost
Gathering topology from site Default-First-Site-Name (DC1.contoso.com):
Site ISTG
================== =================
SiteX DC1X
SiteY DC1Y
NOTE: Determine from the output if the DC logging these events (DC1X) is the ISTG or not.
2) If the DC logging the events is the ISTG any one of the DCs in the same site as this ISTG could have connectivity issues to the site identified in the 1566 event. You can identify which DC(s) are failing to replicate from the site identified in the 1566 event by running this command which targets all DCs in the site that the ISTG logging the errors resides in. For example, DC1X is logging the events and it is the ISTG for siteX. To identify which DCs in siteX are failing to replicate from siteY run this command:
repadmin /failcache site:siteX >siteX-failcache.txt
The failcache output shows two DCs in siteX:
repadmin running command /failcache against server DC1X._msdcs.contoso.com
==== KCC CONNECTION FAILURES =========================== (none)
==== KCC LINK FAILURES =============================== SiteY\DC1Y
DC object GUID: 7c2eb482-ad81-4ba7-891e-9b77814f7473
No Failures.
repadmin running command /failcache against server DC2X._msdcs.contoso.com
==== KCC CONNECTION FAILURES =========================== (none)
==== KCC LINK FAILURES =============================== SiteY\DC1Y
DC object GUID: 7c2eb482-ad81-4ba7-891e-9b77814f7473
46 consecutive failures since 2008-08-12 22:14:39.
SiteZ\DC1Z DC object GUID: fh3h8bde-a928-466a-97b0-39a507acbe54
No Failures.
The output above identifies the Destination DC as (DC2X) in siteX that is failing to inbound replicate from siteY. In some cases the DC name is not resolved and shows as a GUID (s9hr423d-a477-4285-adc5-2644b5a170f0._msdcs.contoso.com). If the DC name is not resolved determine the hostname of the Destination DC by pinging the fully qualified CNAME:
ping s9hr423d-a477-4285-adc5-2644b5a170f0._msdcs.contoso.com
NOTE: DC2X may or may not be logging Error events in its Directory Services event log like the DC1X the ISTG is.
3) Logon to the Destination DC identified in the previous step and determine if RPC connectivity from the Destination DC to the Source DC (DC1Y) is working.
repadmin /bind DC1Y.contoso.com
- If “repadmin /bind DC1Y” from the Destination DC succeeds:
Run “repadmin /showrepl <Destination DC>” and examine the output to determine if Active Directory Replication is blocked. The reason for replication failure should be identified in the output. Take the appropriate corrective action to get replication working.
- If “repadmin /bind DC1Y” from the Destination DC fails:
Verify firewall rules are not interfering with connectivity between the Destination DC and the Source DC. If the port blockage between the Destination DC and the Source DC cannot be resolved, configure the other DCs in the site where the errors are logged to be Preferred Bridgeheads and force KCC to build new connection objects with the Preferred Bridgeheads only.
NOTE: Running “repadmin /bind DC1Y” from the ISTG logging the KCC errors may reveal no connectivity issues to DC1Y in the remote site. As noted earlier, the ISTG is responsible for maintaining inter-site connectivity and may not be the DC having the problem. For this reason the command must be run from the Destination DC that repadmin /failcache identified as failing to inbound replicate
A successful bind looks similar to this:
C:\>repadmin /bind DC1Y
Bind to DC1Y succeeded.
NTDSAPI V1 BindState, printing extended members.
bindAddr: DC1Y
Extensions supported (cb=48):
BASE : Yes
ASYNCREPL : Yes
REMOVEAPI : Yes
MOVEREQ_V2 : Yes
GETCHG_COMPRESS : Yes
DCINFO_V1 : Yes
RESTORE_USN_OPTIMIZATION : Yes
KCC_EXECUTE : Yes
ADDENTRY_V2 : Yes
LINKED_VALUE_REPLICATION : Yes
DCINFO_V2 : Yes
INSTANCE_TYPE_NOT_REQ_ON_MOD : Yes
CRYPTO_BIND : Yes
GET_REPL_INFO : Yes
STRONG_ENCRYPTION : Yes
DCINFO_VFFFFFFFF : Yes
TRANSITIVE_MEMBERSHIP : Yes
ADD_SID_HISTORY : Yes
POST_BETA3 : Yes
GET_MEMBERSHIPS2 : Yes
GETCHGREQ_V6 (WHISTLER PREVIEW) : Yes
NONDOMAIN_NCS : Yes
GETCHGREQ_V8 (WHISTLER BETA 1) : Yes
GETCHGREPLY_V5 (WHISTLER BETA 2) : Yes
GETCHGREPLY_V6 (WHISTLER BETA 2) : Yes
ADDENTRYREPLY_V3 (WHISTLER BETA 3): Yes
GETCHGREPLY_V7 (WHISTLER BETA 3) : Yes
VERIFY_OBJECT (WHISTLER BETA 3) : Yes
XPRESS_COMPRESSION : Yes
DRS_EXT_ADAM : No
Site GUID: stn45bf5-f33f-4d53-9b1b-e7a0371f9a3d
Repl epoch: 0
Forest GUID: idk4734-eeca-11d2-a5d8-00805f9f21f5
Security information on the binding is as follows:
SPN Requested: LDAP/DC1Y
Authn Service: 9
Authn Level: 6
Authz Service: 0
With Warm Regards
Kiran Sawant
Read Full Post »