Active Directory Replication Failure (KCC errors 1865, 1311, 1566)


  • Active Directory Replication Failure (KCC errors 1865, 1311, 1566)

    First, I hope that my post is in the correct forum and that I am not posting a duplicate thread. If I am, please forgive me.

    I have a network with 2 sites connected via an IPsec VPN. There is a DC at each site. I will call SITE-A the authoritative or original site, and SITE-B the second site (which has ONLY a SharePoint server).

    Site-A is healthy as far as I can tell.
    Site-B suffered the loss of 2 RAID member disks and had to be restored from a backup. The backup was almost a week old and was an Acronis True Image image. After restoration it appears that Active Directory has stopped replicating.

    I noticed this when a user was added at Site-A and appears in DSA at Site-B but cannot authenticate to the SharePoint portal.

    The following events appear on Site-B (with corresponding events on Site-A):

    Code:
    Event Type:    Warning
    Event Source:    NTDS KCC
    Event Category:    Knowledge Consistency Checker 
    Event ID:    1865
    Date:        12/3/2009
    Time:        1:10:20 PM
    User:        NT AUTHORITY\ANONYMOUS LOGON
    Computer:    SHAREPOINT
    Description:
    The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site. 
     
    Sites: 
    CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Metalico,DC=local 
     
    
    
    Event Type:    Error
    Event Source:    NTDS KCC
    Event Category:    Knowledge Consistency Checker 
    Event ID:    1311
    Date:        12/3/2009
    Time:        1:10:20 PM
    User:        NT AUTHORITY\ANONYMOUS LOGON
    Computer:    SHAREPOINT
    Description:
    The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition. 
     
    Directory partition:
    CN=Configuration,DC=Metalico,DC=local 
     
    There is insufficient site connectivity information in Active Directory Sites and Services for the KCC to create a spanning tree replication topology. Or, one or more domain controllers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible domain controllers. 
     
    User Action 
    Use Active Directory Sites and Services to perform one of the following actions: 
    - Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option. 
    - Add a Connection object to a domain controller that contains the directory partition in this site from a domain controller that contains the same directory partition in another site. 
     
    If neither of the Active Directory Sites and Services tasks correct this condition, see previous events logged by the KCC that identify the inaccessible domain controllers.
    
    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    
    
    
    Event Type:    Warning
    Event Source:    NTDS KCC
    Event Category:    Knowledge Consistency Checker 
    Event ID:    1566
    Date:        12/3/2009
    Time:        1:10:20 PM
    User:        NT AUTHORITY\ANONYMOUS LOGON
    Computer:    SHAREPOINT
    Description:
    All domain controllers in the following site that can replicate the directory partition over this transport are currently unavailable. 
     
    Site:
    CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Metalico,DC=local 
    Directory partition:
    CN=Configuration,DC=Metalico,DC=local 
    Transport:
    CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=Metalico,DC=local
    
    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    I have attached the output of DCDIAG for both sites.

  • #2
    Re: Active Directory Replication Failure (KCC errors 1865, 1311, 1566)

    Don't worry, this happens to someone every week. Google USN Rollback.

    Lesson learned: don't restore images of a DC.



    • #3
      Re: Active Directory Replication Failure (KCC errors 1865, 1311, 1566)

      In the future how should this type of situation be handled?
      I am assuming that an "image" backup is not sufficient.
      Should I just use ntbackup to back up system state?
      Could I then restore the image and then restore AD through the ntbackup?

      If I follow the directions I found after googling "USN rollback", could this potentially harm my "functioning" server? Or will it just reload from the "good" ADC?

      Does anything have to be done on the Server at Site-A?

      And finally, can you please shoot me?



      • #4
        Re: Active Directory Replication Failure (KCC errors 1865, 1311, 1566)

        Your guess is correct. Take a system state backup daily. If you need to restore a DC from image, do it while it's isolated from other DCs, restore the system state, then connect it to the production network.

        Microsoft released patches long ago to keep USN rollbacks from corrupting functional DCs. You'll just need to demote, metadata cleanup and promote the bad DC.

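Why the image restore in this thread stops replication while the isolated system-state restore described in #4 does not, as a toy model added here (it is not code from any poster or from Microsoft). The `DC` class, its fields and the object names are constructed for illustration; the model covers only SITE-A pulling from the restored SITE-B, and assumes that a supported restore issues a new database ID (invocation ID) while an image restore keeps the old one.

```python
import copy
import uuid


class DC:  # toy domain controller: one database instance plus a USN counter
    def __init__(self):
        self.invocation_id = uuid.uuid4().hex  # identifies this database instance
        self.usn = 0        # highest committed local USN
        self.objects = {}   # object name -> (originating ID, originating USN)
        self.utd = {}       # up-to-dateness vector: ID -> highest USN received

    def create(self, obj):
        self.usn += 1
        self.objects[obj] = (self.invocation_id, self.usn)

    def pull_from(self, source):
        """Inbound replication: take only changes above what we already hold."""
        wanted = {o: (i, u) for o, (i, u) in source.objects.items()
                  if i != self.invocation_id and u > self.utd.get(i, 0)}
        self.objects.update(wanted)
        for inv, usn in wanted.values():
            self.utd[inv] = max(self.utd.get(inv, 0), usn)

    def restore(self, image, reset_invocation_id):
        """Roll back to `image`; a supported restore also issues a new ID."""
        self.usn, self.objects, self.utd = copy.deepcopy(image)
        if reset_invocation_id:
            self.invocation_id = uuid.uuid4().hex


def rollback_detected(partner, source):
    """True if the partner has received a higher USN than the source now holds."""
    return partner.utd.get(source.invocation_id, 0) > source.usn


def run_scenario(reset_invocation_id):
    site_a, site_b = DC(), DC()
    site_b.create("doc1")
    image = copy.deepcopy((site_b.usn, site_b.objects, site_b.utd))  # old backup
    site_b.create("doc2")
    site_b.create("doc3")
    site_a.pull_from(site_b)    # SITE-A has now received SITE-B's USNs 1 to 3
    site_b.restore(image, reset_invocation_id)
    site_b.create("new-doc")    # reuses USN 2, which SITE-A already holds
    site_a.pull_from(site_b)
    return "new-doc" in site_a.objects, rollback_detected(site_a, site_b)


if __name__ == "__main__":
    print(run_scenario(False), run_scenario(True))  # (False, True) (True, False)
```

With the old ID kept, the change made after the restore never reaches the partner and the partner's recorded USN exceeds the source's; with a new ID the change replicates normally.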


        • #5
          Re: Active Directory Replication Failure (KCC errors 1865, 1311, 1566)

          A few things you can make sure of before promoting the DC back in Site B:

          1. Check for any reported events for Directory Services, or FRS (Sysvol/Netlogon Shares).
          2. No stale entries should be left in Active Directory, i.e. after metadata cleanup, all the entries should be erased for Site B's DC.
          3. All the FSMO Roles are up and running on DC in Site A.
          4. Take a System state backup of DC in Site A.
          5. Now go ahead and promote the server as a DC.

          Note: You'll need to use the Force Removal Switch to remove Active Directory from Problem DC.

          Feel free to reply back if you have any queries.
          Best Regards,
          Pledge Technologies



          • #6
            Re: Active Directory Replication Failure (KCC errors 1865, 1311, 1566)

            If I demote my server at Site-B (which is a SharePoint server), can I keep it as a member server and still expect SharePoint to function properly?
