KCC could not add this REPLICA LINK due to error.

  • Question

  • Dear Team

    A few hours ago I created a new AD site in the USA using a VPN and installed a new AD. The installation completed without any error.

    I simply created the site and subnet and pushed that DC to the new site called USA-AWS. When I check replication using repadmin /showrepl I'm getting the error mentioned below. But when I create objects they are getting reflected in all sites.

    Any suggestions?

    Source: USA-GVA\USADC01
    ******* 2 CONSECUTIVE FAILURES since 2011-06-17 15:09:04
    Last error: 1722 (0x6ba):
                The RPC server is unavailable.

    Naming Context: CN=Configuration,DC=ramzon,DC=net
    Source: USA-GVA\USADC01
    ******* WARNING: KCC could not add this REPLICA LINK due to error.

    Naming Context: DC=ramzon,DC=net
    Source: USA-GVA\USADC01
    ******* WARNING: KCC could not add this REPLICA LINK due to error.


    Regards Suman B. Singh
    Friday, June 17, 2011 2:09 PM

All replies

  • >> new AD Site in USA using VPN

    Do you have a dedicated VPN between these 2 sites?

    >> pushed that DC to new Site called

    What do you mean by "push that DC"?

    Did you wait enough time for the replication? Can you access this DC?


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX

    Blogs - http://blogs.sivarajan.com/
    Articles - http://www.sivarajan.com/publications.html
    Twitter: @santhosh_sivara - http://twitter.com/santhosh_sivara
    This posting is provided AS IS with no warranties,and confers no rights.
    Friday, June 17, 2011 2:25 PM
  • Hi Santhosh

    I created a site-to-site VPN from Amazon to one of our sites, where I used a Juniper firewall, then routed traffic to the USA using another Windows RAS server. Some sort of dedicated.

    "Pushed that DC" means I created the site and subnet and moved the new DC into its Servers folder/container.

    All my objects were reflecting after 2-3 hours. Do you think this is the expected time to complete all replication? In fact latency is really high from the Amazon cloud (USA), approx. 500+ ms. Sometimes it reaches 600+.

    Any suggestions?


    Regards Suman B. Singh
    Friday, June 17, 2011 2:31 PM
  • Hello Suman,

    Did you create site links? If so, which site(s) are you linking USA-AWS to? Also, if you run dcdiag on the new AD server, do you get any errors or a message about still initializing?


    Isaac Oben MCITP:EA, MCSE,MCC View my MCP Certifications
    Friday, June 17, 2011 2:39 PM
  • Yes

    It's to Switzerland, where all 5 FSMO roles are kept.


    Regards Suman B. Singh
    Friday, June 17, 2011 2:48 PM
  • Hi Isaac

    Here is the dcdiag report:


    Directory Server Diagnosis

    Performing initial setup:
       Trying to find home server...
       Home Server = usadc01
       * Identified AD Forest.
       Done gathering initial info.

    Doing initial required tests

       Testing server: USA-GVA\usadc01
          Starting test: Connectivity
             ......................... usadc01 passed test Connectivity

    Doing primary tests

       Testing server: USA-GVA\usadc01
          Starting test: Advertising
             Warning: DsGetDcName returned information for \\eu-gva-dc1.ramzon.net,
             when we were trying to reach usadc01.
             SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
             ......................... usadc01 failed test Advertising
          Starting test: FrsEvent
             There are warning or error events within the last 24 hours after the
             SYSVOL has been shared.  Failing SYSVOL replication problems may cause
             Group Policy problems.
             ......................... usadc01 passed test FrsEvent
          Starting test: DFSREvent
             ......................... usadc01 passed test DFSREvent
          Starting test: SysVolCheck
             ......................... usadc01 passed test SysVolCheck
          Starting test: KccEvent
             ......................... usadc01 passed test KccEvent
          Starting test: KnowsOfRoleHolders
             ......................... usadc01 passed test KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... usadc01 passed test MachineAccount
          Starting test: NCSecDesc
             Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
                Replicating Directory Changes In Filtered Set
             access rights for the naming context:
             DC=ForestDnsZones,DC=ramzon,DC=net
             Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
                Replicating Directory Changes In Filtered Set
             access rights for the naming context:
             DC=DomainDnsZones,DC=ramzon,DC=net
             ......................... usadc01 failed test NCSecDesc
          Starting test: NetLogons
             Unable to connect to the NETLOGON share! (\\usadc01\netlogon)
             [usadc01] An net use or LsaPolicy operation failed with error 67,
             The network name cannot be found..
             ......................... usadc01 failed test NetLogons
          Starting test: ObjectsReplicated
             ......................... usadc01 passed test ObjectsReplicated
          Starting test: Replications
             ......................... usadc01 passed test Replications
          Starting test: RidManager
             ......................... usadc01 passed test RidManager
          Starting test: Services
             ......................... usadc01 passed test Services
          Starting test: SystemLog
             A warning event occurred.  EventID: 0x000003F6
                Time Generated: 06/17/2011   15:15:21
                Event String:
                Name resolution for the name ramzon.net timed out after none of the configured DNS servers responded.
             ......................... usadc01 passed test SystemLog
          Starting test: VerifyReferences
             ......................... usadc01 passed test VerifyReferences

       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test
             CrossRefValidation

       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test
             CrossRefValidation

       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation

       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation

       Running partition tests on : ramzon
          Starting test: CheckSDRefDom
             ......................... ramzon passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ramzon passed test CrossRefValidation

       Running enterprise tests on : ramzon.net
          Starting test: LocatorCheck
             ......................... ramzon.net passed test LocatorCheck
          Starting test: Intersite
             ......................... ramzon.net passed test Intersite


    Regards Suman B. Singh
    Friday, June 17, 2011 3:02 PM
  •    Testing server: USA-GVA\usadc01
          Starting test: Advertising
             Warning: DsGetDcName returned information for \\eu-gva-dc1.ramzon.net,
             when we were trying to reach usadc01.
             SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
             ......................... usadc01 failed test Advertising

          Starting test: NetLogons
             Unable to connect to the NETLOGON share! (\\usadc01\netlogon)
             [usadc01] An net use or LsaPolicy operation failed with error 67,
             The network name cannot be found..
             ......................... usadc01 failed test NetLogons

    If you look at the error above, you can see that the Netlogon share is not accessible. This might be because the Netlogon share is missing, is not present in the location, or access permission is missing. For a DC to advertise itself as a DC and to be able to serve client requests, it has to have the SYSVOL and NETLOGON folders shared with read access for all domain users in the domain. Unless the US DC shares a working Netlogon/Sysvol, it will not work properly.

    Perform a non-authoritative restore of SYSVOL using another DC. Don't worry, the article below works for Windows 2008 R2.

    http://support.microsoft.com/kb/840674

    http://msdn.microsoft.com/en-us/library/cc507518%28v=vs.85%29.aspx

    Make sure you have proper connectivity between both AD sites and that all the AD ports are opened on the firewall. Verify network connectivity using ping or telnet, and for ports use the portquery tool.

    To remove the error below, you can run Adprep /rodcprep, or you can ignore it, since it is due to that command not having been run to prepare for adding an RODC to the environment.

    Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have Replicating Directory Changes In Filtered Set access rights for the naming context:

    DC=ForestDnsZones,DC=ramzon,DC=net

    Regards


    Awinish Vishwakarma| CHECK MY BLOG

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Saturday, June 18, 2011 7:24 AM
  • Hi Awinish

    Actually I was creating the site in the Amazon cloud, so the required inbound ports were not opened. I simply opened all ports (which is not recommended) and all those errors went away.

    Can you help me find all the required ports for replication and authentication over VPN (intersite replication)?

    Thanks for everyone's efforts. I didn't check the required ports...


    Regards Suman B. Singh
    Saturday, June 18, 2011 7:38 AM
  • Refer to the article below.

    Active Directory and Active Directory Domain Services Port Requirements

    http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx

    Take a look. Ned says it can be restricted, but prior to production you want to test in a lab first; more below.

    http://support.microsoft.com/kb/224196

    http://blogs.technet.com/b/askds/archive/2007/08/24/dynamic-client-ports-in-windows-server-2008-and-windows-vista-or-how-i-learned-to-stop-worrying-and-love-the-iana.aspx

    Regards


    Awinish Vishwakarma| CHECK MY BLOG

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Saturday, June 18, 2011 7:47 AM
  • Hey, I know this is insanely late, but any chance you could list the ports that ended up being required? Running into this same issue now.
    Tuesday, December 4, 2018 4:02 PM
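An added check, not from anyone in this thread, that probes the ports from the TechNet port-requirements article and the NETLOGON/SYSVOL shares that dcdiag reported as unreachable, so the new site can be verified without opening everything. The function name, the pinned-port parameter and the choice of ports to probe are this example's own assumptions; the DC name is the one from the dcdiag output above.

```powershell
# Added example (not from the thread): probe the AD DS ports from a host in the new site
# towards the DC it must replicate with, and test the NETLOGON/SYSVOL shares that the
# dcdiag NetLogons/Advertising failures point at. Port list follows the TechNet
# "Port Requirements" article linked above; Test-NetConnection needs Windows 8 / Server 2012+.
function Test-AdSiteConnectivity {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [int]$PinnedReplicationPort = 0   # set if NTDS replication was pinned per KB 224196
    )
    # Fixed TCP ports. UDP 53/88/123/389 are needed too, but Test-NetConnection is TCP-only.
    $ports = [ordered]@{
        'DNS'                          = 53
        'Kerberos'                     = 88
        'RPC endpoint mapper'          = 135
        'LDAP'                         = 389
        'SMB (SYSVOL, NETLOGON, DFSR)' = 445
        'Kerberos password change'     = 464
        'LDAPS'                        = 636
        'Global Catalog'               = 3268
        'Global Catalog over SSL'      = 3269
    }
    if ($PinnedReplicationPort -gt 0) { $ports['NTDS replication (pinned)'] = $PinnedReplicationPort }

    $report = @()
    foreach ($name in $ports.Keys) {
        $tcp = Test-NetConnection -ComputerName $DomainController -Port $ports[$name] -WarningAction SilentlyContinue
        $report += [pscustomobject]@{ Check = $name; Port = $ports[$name]; Ok = $tcp.TcpTestSucceeded }
    }
    # Error 67 / "Unable to connect to the NETLOGON share" in the thread: the DC must expose both shares.
    foreach ($share in 'NETLOGON', 'SYSVOL') {
        $report += [pscustomobject]@{ Check = "\\$DomainController\$share"; Port = 445; Ok = (Test-Path "\\$DomainController\$share") }
    }
    if ($PinnedReplicationPort -eq 0) {
        # Replication RPC lands on a dynamic port after the endpoint-mapper call, so a clean
        # result on 135 is not enough: the dynamic range must be allowed across the VPN, or
        # replication pinned to one port with the DWORD "TCP/IP Port" under
        # HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters (KB 224196 above).
        Write-Warning 'Dynamic RPC range not probed: allow TCP 49152-65535 (Server 2008+) or pin the replication port.'
    }
    return $report
}

# Usage: run from a host in the USA-AWS site against the Swiss DC named in the dcdiag output.
Test-AdSiteConnectivity -DomainController 'eu-gva-dc1.ramzon.net' | Format-Table -AutoSize
```

Any row with Ok = False is a port or share to fix on the VPN or firewall before re-running repadmin /showrepl; a closed 135 explains the 1722 "RPC server is unavailable" in the original post by itself.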