An Active Directory Domain Services error has occurred, Event ID 1164

    Question

  • Hi, I am having an error on my AD. Currently I have 9 AD servers, 4 of them RODCs spread across different regions.

    ++++++++++++++++++++++++++++++++++++

    This is the event that happens on my DC Servers:

    ++++++++++++++++++++++++++++++++++++

    Internal error: An Active Directory Domain Services error has occurred.
    Additional Data
    Error value (decimal): 6
    Error value (hex): 6
    Internal ID: 124044b

    This is Part of DCDIAG result:

    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
       Home Server = SERVER-000002
       * Identified AD Forest.
       Done gathering initial info.
    Doing initial required tests
       Testing server: Default-First-Site-Name\SERVER-000002
          Starting test: Connectivity ......................... SERVER-000002 passed test Connectivity
    Doing primary tests
       Testing server: Default-First-Site-Name\SERVER-000002
          Starting test: Advertising ......................... SERVER-000002 passed test Advertising
          Starting test: FrsEvent ......................... SERVER-000002 passed test FrsEvent
          Starting test: DFSREvent.........................SERVER-000002 passed test DFSREvent
          Starting test: SysVolCheck ......................... SERVER-000002 passed test SysVolCheck
          Starting test: KccEvent
             An error event occurred.  EventID: 0xC0000490
                Time Generated: 04/25/2018   10:01:36
                Event String: Internal error: An Active Directory Domain Services error has occurred.

    ++++++++++++++++++++++++++++++++++++++++

    This is the event that happens on my RODC Servers:

    ++++++++++++++++++++++++++++++++++++++

    Event Viewer Error:

    The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
    Directory partition:CN=Configuration,DC=MYDC,DC=SERVER,DC=com
     
    There is insufficient site connectivity information for the KCC to create a spanning tree replication topology. Or, one or more directory servers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible directory servers.
     
    User Action
    Perform one of the following actions:
    - Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.
    - Add a Connection object to a directory service that contains the directory partition in this site from a directory service that contains the same directory partition in another site.
     
    If neither of the tasks correct this condition, see previous events logged by the KCC that identify the inaccessible directory servers.

    Event Viewer log (additional):

    This event documents additional REPAIR PROCEDURES to resolve the NTDS KCC Event 1311 on a read-only Active Directory Domain Controller.

    This causes several of my users' computers to have problems with the domain (lose domain).

    Kindly help with my problem,

    Regards

    Hesiro


    • Edited by Hesiro Wednesday, April 25, 2018 6:46 AM
    Wednesday, April 25, 2018 4:32 AM

All replies

  • Hi,

    What is your AD site topology (hub and spoke? full mesh?)

    Did you create a dedicated AD site for your RODC?

    Did you create a site link between your RODC site and the hub site?

    Best Regards,


    Wednesday, April 25, 2018 6:42 AM
  • Hi Dokoh, thank you

    My AD site topology uses mesh. Yes, I created a dedicated AD site for each RODC, and yes, I created a site link between the RODC site and the hub site.

    help me please

    Regards

    Hesiro

    Wednesday, April 25, 2018 7:11 AM
  • OK, so to sum up:

    Topology:

    One main AD site named "Main" with 5 read/write DCs (let's name them DC01, DC02, DC03, DC04 and DC05), and 4 branch sites with one RODC in each.

    RODC01 is located in a site named BranchSite01, RODC02 is located in a site named BranchSite02, RODC03 is located in a site named BranchSite03 and RODC04 in a site named BranchSite04

    You have 4 site links:

    • Main-BranchSite01 --> which includes AD site Main and BranchSite01
    • Main-BranchSite02 --> which includes AD site Main and BranchSite02
    • Main-BranchSite03 --> which includes AD site Main and BranchSite03
    • Main-BranchSite04 --> which includes AD site Main and BranchSite04

    Am I right?

    Make sure that you don't have a site link which includes all AD sites (because in your output I saw that you have "Default-First-Site-Name").

    Best Regards,

    Wednesday, April 25, 2018 7:35 AM
  • Hi Dokoh,

    Actually, I am new to playing with AD.

    Topology:

    One main AD site named "Default-First-Site-Name" with 4 read/write DCs, 1 branch with a read/write DC, and 4 branch sites with one RODC in each.

    RODC01 is located in a site named BranchSite01, RODC02 is located in a site named BranchSite02, RODC03 is located in a site named BranchSite03 and RODC04 in a site named BranchSite04

    I have 1 site link:

    • Defaultipsitelink --> which includes AD site main and BranchSite01, BranchSite02, BranchSite03, BranchSite04, BranchSite05

    Regarding your question "Make sure that you don't have a site link which include all AD site (Because in your output I saw that you have "Default-First-Site-Name")": yes, you're right, but lately this configuration has run normally without errors on the KCC test. I also attach a snapshot of my AD structure.

    Best Regards,

    Hesiro,
    Wednesday, April 25, 2018 8:49 AM
  • OK,

    So normally the recommendation (I've seen it in Microsoft AD RaaS) is to have only 2 sites in one site link. So in your case I think you should have:

    • A site link with "Default-First-Site-Name" and Branch (The site with the other read/write DC)
    • A site link with "Default-First-Site-Name" and "BranchSite01"
    • A site link with "Default-First-Site-Name" and "BranchSite02"
    • A site link with "Default-First-Site-Name" and "BranchSite03"
    • A site link with "Default-First-Site-Name" and "BranchSite04"

    Note: you can use the defaultipsitelink for one of these site links, but make sure that you will have 2 sites in this site link.

    Because you are new to AD topology, what did you declare regarding the AD subnet configuration?

    Best Regards,

    Wednesday, April 25, 2018 9:03 AM
  • Hi, Dokoh

    So the recommendation is to create 5 site links to solve my case?

    Can you explain your question regarding AD subnet configuration? As far as I know, each of my RODCs and DCs uses a different subnet, with each subnet assigned to each branch site RODC and main site DC.

    Regards

    Hesiro

    Wednesday, April 25, 2018 10:59 AM
  • Hello,

    Yes, like that the KCC will be able to identify a clear path to create the replication topology.

    Regarding the AD subnet configuration, what I mean is that you have to create a subnet for each AD site in order for the logon traffic to be limited to the site where you have a DC.

    Best Regards,

    Wednesday, April 25, 2018 11:03 AM
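The two recommendations above (two sites per site link, and a subnet for every AD site) can be audited before touching production. This is an added example, not code from the thread; it assumes the ActiveDirectory RSAT module and read access to the Configuration partition. The hub and BranchSite01–04 names come from the thread, while "Branch" is a placeholder for the site holding the other read/write DC.

```powershell
# Added example (not from the thread): audit site links and subnets against the advice above.
Import-Module ActiveDirectory

$hubSite     = 'Default-First-Site-Name'                      # hub site named in the thread
$branchSites = 'Branch', 'BranchSite01', 'BranchSite02', 'BranchSite03', 'BranchSite04'  # "Branch" is a placeholder

# Turn a site DN ("CN=BranchSite01,CN=Sites,CN=Configuration,...") into its plain name.
function Get-SiteNameFromDN ([string]$dn) { ($dn -split ',')[0] -replace '^CN=' }

# 1. Site links spanning more than two sites leave the KCC without a clear spanning-tree path.
Get-ADReplicationSiteLink -Filter * -Properties SitesIncluded, Cost, ReplicationFrequencyInMinutes |
    ForEach-Object {
        $sites  = @($_.SitesIncluded | ForEach-Object { Get-SiteNameFromDN $_ })
        $status = if ($sites.Count -gt 2) { 'REVIEW: more than 2 sites' } else { 'ok' }
        $fields = @($_.Name, $_.Cost, $_.ReplicationFrequencyInMinutes, ($sites -join ', '), $status)
        '{0,-25} cost={1,-4} freq={2,-4} [{3}] {4}' -f $fields
    }

# 2. Every site needs at least one subnet, otherwise clients are not matched to a local DC.
$subnets      = Get-ADReplicationSubnet -Filter * -Properties Site
$coveredSites = @($subnets | Where-Object Site | ForEach-Object { Get-SiteNameFromDN $_.Site } | Sort-Object -Unique)
Get-ADReplicationSite -Filter * | Where-Object { $coveredSites -notcontains $_.Name } |
    ForEach-Object { "REVIEW: site $($_.Name) has no subnet assigned" }
$subnets | Where-Object { -not $_.Site } |
    ForEach-Object { "REVIEW: subnet $($_.Name) is not assigned to any site" }

# 3. Dry run (-WhatIf) of the per-branch links suggested above; run for real only inside the
#    maintenance window, after the existing multi-site link has been reviewed.
foreach ($branch in $branchSites) {
    New-ADReplicationSiteLink -Name "$hubSite-$branch" -SitesIncluded $hubSite, $branch `
        -InterSiteTransportProtocol IP -Cost 100 -ReplicationFrequencyInMinutes 15 -WhatIf
}
```

Keep the existing multi-site link in place until the new links exist, so the KCC always has at least one route while the change is made.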
  • Hi Dokoh,

    OK, I'll try that.

    Considering this is a production environment, I have to set up a maintenance schedule for my AD case.

    Do you have any suggestions for me before I do this?

    And if something bad happens after I change the configuration, can I just revert it by creating 1 site link for all (just like the old one)?

    Regards

    Hesiro


    • Edited by Hesiro Thursday, April 26, 2018 2:45 AM typo
    Thursday, April 26, 2018 2:44 AM
  • Hi Hesiro,

    Yes, if something bad happens you can revert easily by adding all your AD sites to one site link.

    My last suggestion: on the sites where you have an RODC, do you allow computer account passwords to be cached on the RODC?

    Best Regards,

    Thursday, April 26, 2018 6:24 AM
  • Hi Dokoh,

    I have tried the recommendation, but with no luck.

    Before I changed the site link, all my DCs were able to replicate, except to the RODCs. After I changed the site link using this config:

    • A site link with "Default-First-Site-Name" and Branch (The site with the other read/write DC)
    • A site link with "Default-First-Site-Name" and "BranchSite01"
    • A site link with "Default-First-Site-Name" and "BranchSite02"
    • A site link with "Default-First-Site-Name" and "BranchSite03"
    • A site link with "Default-First-Site-Name" and "BranchSite04"

    all my DCs and RODCs were unable to replicate. So I reverted to the old config.

    Any suggestions?

    Regards

    Hesiro

    Monday, April 30, 2018 2:50 AM
  • Hi,

    Even in the same site you had replication issues?

    You can revert, and I think you should check if every port needed for AD DS is open; below are links with all the ports needed:

    https://blogs.msmvps.com/acefekay/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple/

    https://support.microsoft.com/en-us/help/832017/service-overview-and-network-port-requirements-for-windows

    Best Regards,

    Monday, April 30, 2018 6:50 AM
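A quick way to act on the port advice above, from a machine in a branch (RODC) site towards a hub DC. This is an added example, not from the thread; it assumes Test-NetConnection (Windows PowerShell 4 or later) and uses the dcdiag home server name from the first post as the target. Test-NetConnection only probes TCP, so the UDP ports (53, 88, 123, 389) and the RPC dynamic range negotiated after the port 135 endpoint-mapper call still need a firewall-rule review.

```powershell
# Added example (not from the thread): check that the well-known AD DS TCP ports are reachable
# on a hub DC. Target name is taken from the dcdiag output; replace with your own DC.
$hubDC = 'SERVER-000002'

# Well-known TCP ports used by AD DS replication and logon (UDP and RPC dynamic ports not covered).
$adPorts = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL / DFSR)'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog over SSL'
}

$results = foreach ($port in $adPorts.Keys) {
    $probe = Test-NetConnection -ComputerName $hubDC -Port $port -WarningAction SilentlyContinue
    [pscustomobject]@{ Port = $port; Service = $adPorts[$port]; Reachable = $probe.TcpTestSucceeded }
}

$results | Format-Table -AutoSize
$results | Where-Object { -not $_.Reachable } |
    ForEach-Object { "REVIEW: TCP $($_.Port) ($($_.Service)) is blocked between this site and $hubDC" }
```

Run it from the RODC itself (and in the reverse direction from a hub DC towards the RODC), since site-to-site replication needs the path open both ways.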
  • Still no update?

    Best Regards,

    Thursday, May 17, 2018 4:36 PM