You Are Not Smarter Than The KCC

re: You Are Not Smarter Than The KCC

Server Engineer — Sun, 06 Jan 2013 11:18:19 GMT

Excellent Post!.. Title is catchy.. ;)

Mohan R

Server Engineer

re: You Are Not Smarter Than The KCC

Mark Morowczynski [MSFT] — Wed, 28 Nov 2012 14:55:34 GMT

@Megoon

This would be expected behavior as the KCC will remove any of your converted manual site links that are not needed. If they are needed it will continue to use them.

re: You Are Not Smarter Than The KCC

megoon — Wed, 28 Nov 2012 11:43:58 GMT

@megoon

without running repadmin /kcc the connection had been changed to <automatically created>.

re: You Are Not Smarter Than The KCC

megoon — Wed, 28 Nov 2012 11:40:36 GMT

For one site where the dc a w2k3 this works. For the other site with the dc w2k8r2 the manually created connection disappears after running repadmin /kcc. Any idea? Thanks!

re: You Are Not Smarter Than The KCC

Mark Morowczynski [MSFT] — Mon, 29 Oct 2012 14:25:21 GMT

That's how I like to do it but you don't have to.

re: You Are Not Smarter Than The KCC

MichaelHynek — Mon, 29 Oct 2012 14:17:20 GMT

Thanks Mark. There are a lot if issues at play. The big plan is to move to fresh 2012 dcs and stop mucking with the settings so much.

As they upgrade the DCs to 2012, (because thats the big plan here), should we make the first new 2012 the FSMO master?

re: You Are Not Smarter Than The KCC

Mark Morowczynski [MSFT] — Mon, 29 Oct 2012 14:03:57 GMT

Michael,

If you follow this post, if you flip them from Manual to managed by the KCC, the KCC will then delete them if they are not necessary. However if you do want to delete them your method is fine. The KCC runs every 15 minutes or you can force it by running repadmin /kcc. The time issue you state is correct if the time source is set to NT5DS for domain hierarchy these may not be configured this way. I'm not familiar with that kerberos error. You may want to open a case.

re: You Are Not Smarter Than The KCC

MichaelHynek — Mon, 29 Oct 2012 13:15:44 GMT

Kerberos error ID 3, error code 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN, error text: "File:9 Line:b22 Error Data is in record data."

This link says I can ignore, but I'm not certain I like that answer

social.technet.microsoft.com/.../dd811c65-fe12-4113-868f-60bbc1cde995

re: You Are Not Smarter Than The KCC

MichaelHynek — Mon, 29 Oct 2012 13:04:50 GMT

Mark,

Well, all the fsmo roles were moved from server 02 to 02A . Looking at the fsmo role report (aduc/addt) at each domain controller, they all report that server 02A is now the fsmo master. I restart the time service on each of the domain controllers and they all want to sync on 02, even server 02A (the pdc emul) will sync to 02. They should all sync to 02A the new PDC emulator and server 02A will get time from clock until you configure it for external ntp source. There will also be a warning in system event log about configuring the server to external time.

Hope that resolves confusion with that.

What is the best method for deleting the manual connection object and then forcing the KCC to generate a new connection object. I've had the most luck doing it at the server console I am modifying sites and services for. For example, if i were to destroy the manual connection objects on server 4, I would RDP onto server 4 and do this work. What's your technique?

re: You Are Not Smarter Than The KCC

Mark Morowczynski [MSFT] — Fri, 26 Oct 2012 20:04:16 GMT

Michael,

Lot going on there. Sounds to me like manual COs are not the biggest concern. What types of kerberos errors? I'm also confused you say that all servers see the new FSMO role master but are still getting time from the old one?