7,023 questions
All DC's do not necessarily create kcc links to all other DC's in other sites.
-
--please don't forget to upvote and Accept as answer if the reply is helpful--
Domain Controller replication errors and rogue connections
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(288, 70%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EWR%3C/text%3E%3C/svg%3E)
Wojciech Rozanski
75
Reputation points
Hello,
We have recently recovered a domain from a major diaster, and I'm performing some troubleshooting on the domain controllers. I've encountered some errors I'm not certain how to deal with.
Different tests (repadmin, dcdiag) show some errors. What is at this moment the most intriguing, is are the NTDS settings in the AD Sites and Services. We have a site, let's call it SiteZ, with one DC inside it. SiteZ is included in only one IP Site Link. The second site in that link is what we can call SiteAzure. When I look at the NTDS settings of the DC in SiteZ, I see connections not only to SiteAzure, but also <automatically generated> connections to 5 other sites. Sites that SiteZ is not linked to. And there are some mysteries:
- why are those connections <automatically generated> when there is no site link in place?
- can those link be safely deleted?
I also noticed that some connections appear to be "missing". For example, if I have SiteA with one DC, which is linked to SiteAzure which has 2 DCs, I would assume that there would be two connections - one for each server in SiteAzure. Instead, I have one connection to a DC in SiteAzure, and one connection to a DC in another site, not linked to SiteA. Some pretty weird stuff is going on and I'm trying to figure out how to clean this up...
I tried running repadmin /kcc but it did not make any changes.
Any help is greatly appreciated.
Kind regards,
Wojciech
Windows for business Windows Client for IT Pros Directory services Active Directory
4 answers
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous2023-03-13T15:29:06.66+00:00 -
Wojciech Rozanski 75 Reputation points
2023-03-13T17:06:56.7866667+00:00 And another question.
I see frequent 1865 events:
The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.
Sites:
CN=SiteX,CN=Sites,CN=Configuration,DC=xxx,DC=xxx,DC=com
The thing is, the DC where those events appear is not in link with that site. The topology is:
SiteAzure <----link----> SiteB
SiteB <----link----> SiteX
Interestingly enough, when I run repadmin /showrepl on a DC in SiteAzure, all looks ok and I do not see any reference to SiteX. But if on the same DC I perform a repadmin /replsummary I get this error:
Experienced the following operational errors trying to retrieve replication information:
58 - DC.from.siteX
Is this normal?
Best regards,
Wojciech
-
Anonymous
2023-03-13T17:16:47.74+00:00 We have recently recovered a domain from a major diaster
Any details here?
-
Wojciech Rozanski 75 Reputation points
2023-03-13T17:24:15.6+00:00 Ransomware attack. Domain was restored from backup.
-
Anonymous
2023-03-13T17:31:56.04+00:00 Domain was restored from backup.
domain or domain controller?
-
Wojciech Rozanski 75 Reputation points
2023-03-13T17:45:19.93+00:00 From what I was told it was an authoritative domain restore. Unfortunately I wasn't involved, I'm just doing cleanup.
Sign in to comment -
-
Anonymous
2023-03-13T18:01:57.1466667+00:00 Ok, well it still is unclear what was done, but this one could help.
if it was a single domain controller in a domain that was restored then this is not a recommended method. Better option is to seize roles to a healthy one (if necessary)
then perform cleanup to remove remnants
Clean up Active Directory Domain Controller server metadata
Step-By-Step: Manually Removing A Domain Controller Server
then stand up a new one for replacement.
-
--please don't forget to
upvoteandAccept as answerif the reply is helpful---
Wojciech Rozanski 75 Reputation points
2023-03-13T18:37:34.8+00:00 It was sadly not just one DC that crashed. Which is why a decision was made to restore to an earlier point in time, from before the ransomware attack.
From what I can tell it was done ok, there are no orphaned DCs, DNS is clean etc.
We are currently struggling with the replication not working 100% properly. That's why I'm browsing through the events and I need to know if the error I pasted earlier about KCC is something to worry about, and if yes if it's easily fixable.
The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.
It is worth mentioning that indeed the communication between those sites (more precisely between DCs in them) is blocked on the firewall, but from what I understand this should not be a problem as long as there is another site link created, in which this communication is allowed. Personally I'd prefer all DCs to be able to talk to each other with a mesh-like topology but I need to work with what I have.
-
Anonymous
2023-03-13T18:52:35.6666667+00:00 Ok, well restoring multiple domain controllers can create a hodgepodge of active directory issues and is not a recommended method. Changing the current to mesh opens up another can of issues, but I'll let you ferret out that one. I'd suggest closing this thread here by marking answer and open a case here with product support.
https://support.serviceshub.microsoft.com/supportforbusiness
-
--please don't forget to
upvoteandAccept as answerif the reply is helpful-- -
Anonymous
2023-03-13T21:17:10.11+00:00 Please don't forget to close up the thread here by marking answer.
Sign in to comment -