"Mark, I've Made A Huge Mistake..."

Problems and sometimes solutions from a premier field engineer

You Are Not Smarter Than The KCC

You Are Not Smarter Than The KCC

  • Comments 19
  • Likes

I had this discussion with a fellow PFE David Gregory , who use to be out of Chicago but now has moved to a better place (read Southern California), at a Polo Loco in Compton, CA. The same one 2Pac rapped about, you know the one I'm talking about. This is what us PFEs do sometimes, eat at fast food places (In-N-Out) and discuss odd technology issues. The topic came up was how often do we see customers that have manually configure connections objects for their DCs? The answer was way too much. If you have properly defined your AD sites and site costing, you shouldn't have to create manual connection objects. Most of the time you just end up making more of a problem for yourself by defining this. Let the KCC automatically create and remove connection objects as it needs to. A manual created connection object is not managed by the KCC at all. If you really want to know how the KCC does decide what to connect I highly recommend you read this, http://technet.microsoft.com/en-us/library/cc755994(WS.10).aspx.

(This is what it should look like if you would just stop monkeying with it)

 

Ok so what does it look like if "someone" actually made a manual connection object?

 

(It's horrible looking)

 

Ok so the next thing we discussed was how do help customers fix this is the best way possible. The easiest way is pretty straight forward, right click the connection object, delete. Seems pretty simple. But there is a better way to do this. And this is what David and I talked about. What if that manual connection object was correct? The KCC will then see that it needs a connection and re-make one. So what. The problem is that when a new connection object is made a VVJoin has to be done http://technet.microsoft.com/en-us/library/cc758169(WS.10).aspx. This can be a semi-painful process. If you have to do it thats fine but why do it if you dont have to do it? So the solution you really want to do is make that manual connection object to be managed by the KCC.

To do this follow these steps

1.) Open ADSIEdit and go to the Configuration partition.

2.) Drill down to Sites, the site where the manual connection object is, Servers, the server where the manual connection object is created, NTDS Settings

3.) Right click on the manual connection object and go to properites

4.) Go to the Options attribute and change it from 0 to 1

5.) Either wait 15 minutes (that's how often the KCC runs) or run repadmin /kcc to manually kick it off

 

Just like that it will be managed by the KCC. If that is the best connection object it will continue to use it with no VVJoin, if not it will tear it down and then make the best connection object.

 

UPDATE: Fellow PFE Tom Moser blogs.technet.com/b/tommos let me know that if you have an RODC manual connection object the options attribute will need to be changed from decmial value 64 to 65. It will then show up as IS_GENERATED | RODC_TOPOLOGY 

 

Mark "Insert Your Favorite 2 Pac Lyric" Morowczynski 

Comments
  • Nice blog Mark.  

  • Thanks Santhosh

  • Thanks for sharing

  • Nice tip! Thank You Mark :)

  • No problem Mr. X. Keep posting in the forums. I wish I had more time to.

  • Yes, it's a Great tip to fix certain Replication issues. THANKS a LOT Mark.

  • Tremendous, but is this not an incorrect generalisation as some organisations use manual connections because they don’t have a fully routable network.

  • How are your sites set up? What are you making a manual connection to?

  • Mark,

    I have a client forcing a hub and spoke replication with MANY manually created connection objects. At the center of this hub and spoke is a server that was probably upgraded from 2000 to 2003 (the windir is WINNT) and reporting many kerberose errors. This was the FSMO master until recently when it was moved to a new 2003 dc, but while all the other dcs say "yep, the fmso master is moved to this new server", they all get their time (I cycled the service) from the old FSMO master.

    What say you about all these shenanigans?

  • Michael,

    Lot going on there. Sounds to me like manual COs are not the biggest concern. What types of kerberos errors? I'm also confused you say that all servers see the new FSMO role master but are still getting time from the old one?

  • Mark,

    Well, all the fsmo roles were moved from server 02 to 02A . Looking at the fsmo role report (aduc/addt) at each domain controller, they all report that server 02A is now the fsmo master. I restart the time service on each of the domain controllers and they all want to sync on 02, even server 02A (the pdc emul) will sync to 02. They should all sync to 02A the new PDC emulator and server 02A will get time from clock until you configure it for external ntp source. There will also be a warning in system event log about configuring the server to external time.

    Hope that resolves confusion with that.

    What is the best method for deleting the manual connection object and then forcing the KCC to generate a new connection object. I've had the most luck doing it at the server console I am modifying sites and services for. For example, if i were to destroy the manual connection objects on server 4, I would RDP onto server 4 and do this work. What's your technique?

  • Kerberos error ID 3, error code 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN, error text: "File:9 Line:b22 Error Data is in record data."

    This link says I can ignore, but I'm not certain I like that answer

    social.technet.microsoft.com/.../dd811c65-fe12-4113-868f-60bbc1cde995

  • Michael,

    If you follow this post, if you flip them from Manual to managed by the KCC, the KCC will then delete them if they are not necessary. However if you do want to delete them your method is fine. The KCC runs every 15 minutes or you can force it by running repadmin /kcc. The time issue you state is correct if the time source is set to NT5DS for domain hierarchy these may not be configured this way. I'm not familiar with that kerberos error.  You may want to open a case.

  • Thanks Mark. There are a lot if issues at play. The big plan is to move to fresh 2012 dcs and stop mucking with the settings so much.

    As they upgrade the DCs to 2012, (because thats the big plan here), should we make the first new 2012 the FSMO master?

  • That's how I like to do it but you don't have to.

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment