AD Replication Issues - Event ID's 1865, 1311, 1566

    Question

  • I have a small domain: joneswaldo.com 

    I have 3 domain controllers in main office: JWPDC, JWCMS, JWISP

    I have 4 domain controllers offsite connected over IPSEC VPN tunnels back to main office: JWSTG, JWPC, JWCM, and JWUC

    One of my domain controllers offsite, JWCM, is having AD replication issues, and I cannot browse to any other domain controller from JWCM with UNC; when I do, I get "Logon Failure: the target account name is incorrect." If I stop the Kerberos Key Distribution Center service, set it to manual, and reboot the server, I can browse the other DCs. HELP!

    Directory Service Logs:


    EVENT 1865:

    The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site. 

    Sites: 
    CN=StGeorge,CN=Sites,CN=Configuration,DC=joneswaldo,DC=com 
    CN=ParkCity,CN=Sites,CN=Configuration,DC=joneswaldo,DC=com 
    CN=SaltLakeCity,CN=Sites,CN=Configuration,DC=joneswaldo,DC=com 
    CN=UtahCounty,CN=Sites,CN=Configuration,DC=joneswaldo,DC=com 

    EVENT 1311:

    The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition. 

    Directory partition:
    CN=Configuration,DC=joneswaldo,DC=com 

    There is insufficient site connectivity information in Active Directory Sites and Services for the KCC to create a spanning tree replication topology. Or, one or more domain controllers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible domain controllers. 

    User Action 
    Use Active Directory Sites and Services to perform one of the following actions: 
    - Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option. 
    - Add a Connection object to a domain controller that contains the directory partition in this site from a domain controller that contains the same directory partition in another site. 

    If neither of the Active Directory Sites and Services tasks correct this condition, see previous events logged by the KCC that identify the inaccessible domain controllers.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    EVENT 1566:

    All domain controllers in the following site that can replicate the directory partition over this transport are currently unavailable. 

    Site:
    CN=UtahCounty,CN=Sites,CN=Configuration,DC=joneswaldo,DC=com 
    Directory partition:
    CN=Configuration,DC=joneswaldo,DC=com 
    Transport:
    CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=joneswaldo,DC=com

    FRS logs:

    EVENT 13508:  

    The File Replication Service is having trouble enabling replication from JWPDC to JWCM for c:\windows\sysvol\domain using the DNS name jwpdc.joneswaldo.com. FRS will keep retrying. 
     Following are some of the reasons you would see this warning. 

     [1] FRS can not correctly resolve the DNS name jwpdc.joneswaldo.com from this computer. 
     [2] FRS is not running on jwpdc.joneswaldo.com. 
     [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers. 

    This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

    Friday, May 04, 2012 10:32 PM

Answers

All replies

  • It seems to be a DNS name resolution issue, or the necessary ports are not fully opened between locations, or a network connectivity issue. PortQry is a free tool from MS which can be downloaded and installed to verify whether the necessary ports are opened or not.

    Also, disable the local Windows Firewall service; by default it is enabled in Vista/Windows 2008 and above. Check the network connectivity and latency.
    Disable Windows Firewall: http://technet.microsoft.com/en-us/library/cc766337(WS.10).aspx

    Active Directory and Active Directory Domain Services Port Requirements.
    http://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx

    Ensure the following DNS settings on the DCs:
    1. Each DC / DNS server points to its private IP address as primary DNS server and other remote/local DNS servers as secondary in TCP/IP properties.
    2. Each DC has just one IP address and a single network adapter is enabled.
    3. Contact your ISP and get valid DNS IPs from them and add them to the forwarders. Do not set a public DNS server in the TCP/IP settings of a DC.
    4. Once you are done, run "ipconfig /flushdns & ipconfig /registerdns", then restart the DNS and NETLOGON services on each DC.
    Do not put private DNS IP addresses in the forwarder list.
    5. Assign a static IP address to the DC if its IP address is assigned by a DHCP server; that is strongly not recommended.

    Troubleshooting Event ID 1311: Knowledge Consistency Checker:

    http://support.microsoft.com/kb/214745

    Event ID 1566 — Network Name Resource Availability:

    http://technet.microsoft.com/en-us/library/dd353930(WS.10).aspx

    Event ID 1865 — KCC Replication Path Computation:

    http://technet.microsoft.com/en-us/library/cc756648(WS.10).aspx

    Can you post the following to further help us diagnose this?

    •Unedited ipconfig /all from each DC
    •A PortQry result- (just post any "FILTERED" or "NOT LISTENING" in the results)
    •Dcdiag /q and repadmin /replsum output

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Saturday, May 05, 2012 1:36 AM
  • If you are getting "target principal name incorrect" while accessing the UNC path, this indicates that the secure channel between the DCs is broken.

    Refer to the links below to fix the same; also, as mentioned above, ensure the required ports are open and DNS is set correctly on the DCs.
    http://sandeshdubey.wordpress.com/2011/10/02/secure-channel-between-the-dcs-broken/
    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/e9c162cb-1e26-43e0-80df-73c491c22aac/

    Hope this helps

    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Saturday, May 05, 2012 1:38 AM
  • It looks like there is a connectivity issue or ports are being filtered on the firewall. How often do you see this error? Is your KCC allowed to generate connection objects, and is the "bridge all site links" option disabled (it is enabled by default)? How is the topology configured? I am assuming all the DCs are also DNS and GC servers and that they point to local DNS servers only. You can reset the secure channel password using the netdom utility, but make sure the account you are going to use to reset the secure channel is a domain admin or above and has a static (non-expiring) password.

    netdom resetpwd /server:server2 /userd:mydomain\administrator /passwordd:*

    http://support.microsoft.com/kb/260575

    Active Directory Sites and Services

    http://technet.microsoft.com/en-us/library/cc730868.aspx

    http://technet.microsoft.com/en-us/library/cc755294.aspx

    Troubleshooting KCC event log errors: http://blogs.technet.com/b/askds/archive/2008/10/31/troubleshooting-kcc-event-log-errors.aspx

    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/b038758c-466a-40f4-9823-9dc224a9c3d5

    Also, check the status of the sysvol on the problem DC and try to rectify it first.


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Saturday, May 05, 2012 10:02 AM
    Moderator
  • Hello, 

    Hope you are facing a similar kind of issue. See the old thread below for more info.

    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/930b65ac-2f6b-42c0-9bdf-9221d159fcc9


    Regards, Ravikumar P

    Saturday, May 05, 2012 10:36 AM
  • Hello,

    If all of the above doesn't help, please upload the following files:

    ipconfig /all >c:\ipconfig.txt [from each DC/DNS Server]
    dcdiag /v /c /d /e /s:dcname >c:\dcdiag.txt
    repadmin /showrepl dc* /verbose /all /intersite >c:\repl.txt  ["dc*" is a placeholder for the starting name of the DCs if they all begin the same (if more than one DC exists)]
    dnslint /ad /s "DCipaddress" (http://support.microsoft.com/kb/321045)

    As the output will become large, DON'T post it into the thread; please use Windows SkyDrive (skydrive.live.com) [with open access!] and add the link to it here. Also, the /e in dcdiag scans the complete forest, so better run it on COB.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Saturday, May 05, 2012 1:20 PM
  • Hello,

    To start, check connectivity and that needed ports for AD replication are opened.

    Needed ports for AD replication: http://social.technet.microsoft.com/wiki/contents/articles/584.active-directory-replication-over-firewalls.aspx

    You can use PortQryUI or PortQry V2 for checking. Please check that the needed ports are opened in both directions.

    If all is okay then it should be a DNS resolution problem.

    For that, you can proceed like that:

    • Make sure that each DC has one IP address in use and one NIC enabled (disable all the other ones).
    • Choose a healthy DC / DNS server
    • Make each DC point to this DC as primary DNS server

    Once done, run ipconfig /registerdns and restart netlogon on each DC you have. That will update the DNS records of all DCs on the chosen one, and then this DC / DNS server will replicate its updated DNS zones to each DC / DNS server in your AD domain (I suppose here that your domain DNS zones are AD-integrated). After that, use nslookup to check that all is okay with DNS resolution.

    If all is okay, then you make each DC / DNS server point to its private IP address as primary and the other DC / DNS servers as secondary (that depends on how you want your IP configuration).

    If the problem persists then upload files already suggested by Meinolf.


    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

    Saturday, May 05, 2012 2:05 PM
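    As an added example (not code from the thread or from any of the posters), the following PowerShell script automates the two checks the first and last replies ask for: the DNS-client settings on each DC (one IP, own address as primary DNS, no public DNS server) and the fixed TCP ports AD replication needs between sites. It assumes PowerShell 4 or later with WinRM access to every DC, the DC names are the ones listed in the question, and the port list is the well-known set of fixed AD ports (the dynamic RPC range is not enumerated).

```powershell
# Added diagnostic script (not from the thread). Assumes PowerShell 4+ on a
# member server or DC in the domain, run as a user who can query each DC, and
# that all DCs run DNS. The DC names below are the ones the question lists.
$DomainControllers = 'JWPDC','JWCMS','JWISP','JWSTG','JWPC','JWCM','JWUC'
$DnsSuffix = 'joneswaldo.com'
# Fixed TCP ports AD replication and authentication need between DCs (the
# dynamic RPC ports above 49152 are not enumerated here).
$AdPorts = 53, 88, 135, 389, 445, 464, 636, 3268, 3269

function Test-DcDnsClientConfig {
    # Flags the misconfigurations the replies call out: several IPv4 addresses
    # on one DC, a public DNS server in the client list, or a DC that does not
    # list its own address as primary DNS server.
    param([string]$Dc)
    $r = Invoke-Command -ComputerName $Dc -ScriptBlock {
        $ips = Get-NetIPAddress -AddressFamily IPv4 |
               Where-Object { $_.InterfaceAlias -notmatch 'Loopback' } |
               Select-Object -ExpandProperty IPAddress
        $dns = Get-DnsClientServerAddress -AddressFamily IPv4 |
               Where-Object { $_.ServerAddresses } |
               Select-Object -ExpandProperty ServerAddresses
        [pscustomobject]@{ IPs = @($ips); DnsServers = @($dns) }
    }
    $private = '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.)'
    [pscustomobject]@{
        DC            = $Dc
        MultipleIPs   = $r.IPs.Count -gt 1
        PrimaryIsSelf = $r.DnsServers.Count -gt 0 -and $r.IPs -contains $r.DnsServers[0]
        PublicDns     = @($r.DnsServers | Where-Object { $_ -notmatch $private })
    }
}

function Test-DcPorts {
    # Checks the fixed AD ports from this host to one DC, the same check the
    # replies ask the poster to do with PortQry; a filtered port reports $false.
    param([string]$Dc)
    foreach ($p in $AdPorts) {
        $open = Test-NetConnection -ComputerName "$Dc.$DnsSuffix" -Port $p `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ DC = $Dc; Port = $p; Open = $open }
    }
}

foreach ($dc in $DomainControllers) {
    Test-DcDnsClientConfig -Dc $dc | Format-List
    Test-DcPorts -Dc $dc | Where-Object { -not $_.Open } | Format-Table -AutoSize
}
# The "target account name is incorrect" error in the question usually means a
# broken secure channel; on the affected DC run: nltest /sc_query:joneswaldo.com
```

    Run it from the main office and again from the affected site, since the replies stress that the ports must be open in both directions.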
  • Hi,

    I also have a similar scenario, where one of my ADDITIONAL DOMAIN CONTROLLERS became unresponsive from yesterday.

    After restarting, I am able to connect to the server and log in successfully, but I am getting 1311, 1566 and 1865 errors continuously.

    Instead, when I use the repadmin /showrepl command, it doesn't give any error (replication is successful).

    Please help!

    ============================================================

    Somdeep


    Somdeep Singh Yadav,MCTS

    Tuesday, July 10, 2012 11:31 AM
  • If you are facing a similar issue, refer to the earlier provided recommendations. If the information provided above doesn't help you, then post the issue you are facing as a new thread with details of the environment & problem.


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.


    Tuesday, July 10, 2012 11:33 AM
    Moderator