"The ISTG and the KCC are not the same thing" And there you go again - getting all technical and stuff on us ....
Gee, does that KCC/ISTG difference REALLY matter? :o)

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, August 08, 2005 9:18 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Branch Office Question

As always, I'm late to this thread so I'll chime in with one (hopefully) worthwhile clarification.

The ISTG and the KCC are not the same thing, though the ISTG is considered a sub-component of the KCC. Disabling the KCC is a quite different thing from merely disabling the ISTG.

May I inquire as to the OS version here? I don't believe it's been mentioned as yet (apologies if I missed it).

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Sunday, August 07, 2005 9:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Branch Office Question

Yeah. Stop trying to disable the KCC already. The KCC is your friend. :)

You do, however, want to disable 'bridge all site links' (located under the properties of "Intersite Transports -> IP"). You need to do this because the network is not fully routable due to your VPN tunnels. With BASL enabled, all site links are treated as transitive, meaning any DC can potentially replicate with any other DC. Since that's not true in your environment you need to disable BASL.

...After reading your response more thoroughly, you mention that you have no "custom site links". I assume that means you only have the DEFAULTIPSITELINK with all sites in it. If true, you need to stop that practice, too, as you're effectively creating a full mesh topology. Since your network isn't a full mesh, that won't work. You need to create individual site links between each site to form the proper topology. Don't disable BASL until you've done this.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, August 07, 2005 4:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Branch Office Question

Noah,

Just my curiosity - what is the reason for disabling (or, wanting to disable) the KCC? It's not a recommended practice unless you have a very large number of links / sites / replication objects (and the number changes to a significantly larger number in Win2k3 Functional), or the topology is such that the KCC and the ISTG is not able to do its job of creating a proper spanning tree - neither of which are very likely. Companies with 200k plus users and 150 sites don't normally run into this problem.

The normal remedy is to take a look at everything else and eliminate *IT* (meaning everything else) as a potential reason for why the KCC/ISTG isn't working to expectations. Then when everything else has been eliminated, reviewing what the impact will be of killing off the KCC.

Specifically, the first realization of killing the KCC - all of the replication objects between servers - will have to be manually maintained. The ISTG will no longer do it. In all but the smallest shops, this would likely take most of the time of one very adept admin.

So - think carefully on this move. As I said - it's not recommended.

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Sunday, August 07, 2005 4:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Branch Office Question

Thanks, Jorge.

So the KCC is on at all sites. In my situation, I want to disable the KCC. A few questions:

- Is the command to do so:
  repadmin /siteoptions branch1dc.company.com /site:branch1 +IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED
- Do I have to run this against each DC?
- I believe I only want to disable the INTER_SITE, not the INTRA_SITE, right?
- Do I then need to manually create the connection objects or can I just leave the auto generated ones in place?
- Does all this change if the VPN topology allows for a fully routed network?

Thanks.

-- nme

P.S. I checked the questions you asked. DCs and GCs are correct; no custom site links or connections; site membership is correct.

> -----Original Message-----
> From: Almeida Pinto, Jorge de [mailto:[EMAIL PROTECTED]
> Sent: Saturday, August 06, 2005 11:59 AM
> To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Branch Office Question
>
> I expected that.. in a few words hub-and-spoke topology in a non fully
> routed network. For this to work you need a site for each location and
> a site link between each spoke (the branches) and the hub and auto site
> link bridging is off
>
> The other thing I can think of:
> * Is each DC/GC in the correct site?
> * Do you have custom site link bridges?
> * Do you have custom connections (auto connections are visible as
>   automatic connections and custom connections are visible as GUIDs)
> * Check the site membership of the site links. Is it correct
> * Other site links connecting the branches somehow
> * etc
>
> By the way. To see if the KCC/ISTG for a site has been disabled open
> up the properties of the NTDS Site Settings object of each site. If
> you see yellow exclamation marks at the bottom with text explaining
> it, the KCC is disabled.
> If you don't see anything it is enabled
>
> You can also check it with:
> repadmin /siteoptions <DC> /site:<SITE>
>
> Default-First-Site-Name
> Current Site Options: (none)
> -> means the KCC is not disabled
>
> Default-First-Site-Name
> Current Site Options: IS_AUTO_TOPOLOGY_DISABLED IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED
> -> means the KCC is disabled for intrasite and intersite
>
> Cheers
> #JORGE#
>
> ________________________________
>
> From: Noah Eiger [mailto:[EMAIL PROTECTED]
> Sent: Sat 8/6/2005 6:38 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Branch Office Question
>
> Thanks, Jorge.
>
> The topology is as follows:
> - Each office connects to the hub via a point-to-point VPN.
>   That is, there is no bridging at the hub -- this is a bandwidth
>   consideration.
> - As for AD: we have three sites Hub, B1, B2, and B3.
> - Each has a single DC that is also a GC.
> - There are three IP site links: Hub-B1, Hub-B2, and Hub-B3.
>
> I am not sure, but at one point there may have been a single site link
> containing all sites. If there was, it is gone now.
>
> The ISTG created a "web" topology. However, we were getting
> replication errors. I manually deleted the connection objects that
> connected the hubs to each other. Those connection objects have not
> regenerated. There are no manually created connections. Finally, I
> recall that there is a setting (reg edit?) that tells the ISTG to _not_
> automatically create connections. To my knowledge, this setting is not
> enabled.
>
> Anything else I should check?
>
> -- nme
>
> ________________________________
>
> From: Almeida Pinto, Jorge de [mailto:[EMAIL PROTECTED]
> Sent: Friday, August 05, 2005 6:36 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Branch Office Question
>
> May look like a silly question but can you point out (just to be sure)
> how your site and replication topology looks like? How many sites and
> how many site links do you have and how are those connected?
> I assume one domain and each DC = GC...
>
> #JORGE#
>
> ________________________________
>
> From: [EMAIL PROTECTED] on behalf of Noah Eiger
> Sent: Sat 8/6/2005 3:22 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Branch Office Question
>
> Hi Jorge:
>
> Thanks for the suggestion. That checkbox was indeed checked. I have
> unchecked it and waited longer than a day. Replication seems to have
> worked and the box is unchecked at all branch sites. The errors persist
> at all branch sites.
>
> Any further thoughts?
>
> -- nme
>
> > -----Original Message-----
> > From: Almeida Pinto, Jorge de [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, August 04, 2005 10:21 AM
> > To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Branch Office Question
> >
> > so, your network is not fully routed? is auto site link
> > bridging enabled or disabled. If it is enabled, disable it!
> >
> > To do so:
> > * start sites and services
> > * goto to Inter site transports
> > * right click IP and uncheck "bridge all site links"
> >
> > wait until this has replicated to the other DCs
> >
> > Cheers
> > #JORGE#
> >
> > ________________________________
> >
> > From: [EMAIL PROTECTED] on behalf of Noah Eiger
> > Sent: Thu 8/4/2005 6:41 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] Branch Office Question
> >
> > Hi -
> >
> > Ok. Finally, one of my questions is ON topic ;-)
> >
> > I have three branch office sites that connect to a single
> > hub. VPN connectivity, Site links, and connection objects
> > only allows each branch to see the hub. Replication is
> > working smoothly and consistently. Yet, I am still seeing
> > repeated errors in the Event Viewers of the branches
> > complaining that they cannot see one another.
> >
> > The options offered in the errors all seem to point to trying
> > to get the branches to see one another (e.g., "publish
> > sufficient site connectivity information...").
> > I want to tell it not to look for the other branches at all.
> >
> > Specifically, I see:
> >
> > Event Type: Warning
> > Event Source: NTDS KCC
> > Event Category: (1)
> > Event ID: 1566
> > Date: 7/29/2005
> > Time: 11:45:08 AM
> > User: N/A
> > Computer: BRANCHDC1
> >
> > Event Type: Error
> > Event Source: NTDS KCC
> > Event Category: (1)
> > Event ID: 1311
> > Date: 7/29/2005
> > Time: 11:45:08 AM
> > User: N/A
> > Computer: BRANCHDC1
> >
> > Thanks.
> >
> > -- nme
> >
> > List info : http://www.activedir.org/List.aspx
> > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
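
The effect of "bridge all site links" and of a single all-sites link, as David Adner describes them in this thread, shown as an added Python sketch that is not part of the original messages. It is a simplified model, not the KCC's actual algorithm; the site names and DEFAULTIPSITELINK come from the thread, while the function names and the ROUTABLE set (each branch reaches only the hub) are assumptions made for illustration.

```python
from itertools import combinations

def allowed_pairs(site_links, bridge_all_site_links):
    """Site pairs the configured topology permits as replication partners.

    Simplified model (an assumption, not the KCC's algorithm): sites sharing a
    site link may pair up; with BASL on, links are transitive, so any two sites
    joined by a chain of links may pair up as well.
    """
    pairs = set()
    for members in site_links.values():
        pairs |= {frozenset(p) for p in combinations(sorted(members), 2)}
    if not bridge_all_site_links:
        return pairs
    # Union-find over sites: every site link merges its members into one group.
    parent = {s: s for members in site_links.values() for s in members}
    def find(s):
        while parent[s] != s:
            s = parent[s]
        return s
    for members in site_links.values():
        first, *rest = sorted(members)
        for other in rest:
            parent[find(other)] = find(first)
    return {frozenset(p) for p in combinations(sorted(parent), 2)
            if find(p[0]) == find(p[1])}

def unroutable_pairs(site_links, bridge_all_site_links, routable):
    """Pairs the topology permits but the network cannot actually carry."""
    bad = allowed_pairs(site_links, bridge_all_site_links) - routable
    return sorted(tuple(sorted(p)) for p in bad)

# Constructed inputs modelled on the thread: point-to-point VPNs, branch to hub only.
BRANCHES = ("B1", "B2", "B3")
ROUTABLE = {frozenset(("Hub", b)) for b in BRANCHES}
PER_SPOKE_LINKS = {f"Hub-{b}": {"Hub", b} for b in BRANCHES}
SINGLE_LINK = {"DEFAULTIPSITELINK": {"Hub", *BRANCHES}}

if __name__ == "__main__":
    for name, links in (("per-spoke links", PER_SPOKE_LINKS),
                        ("single link", SINGLE_LINK)):
        for basl in (True, False):
            print(f"{name}, BASL={basl}: {unroutable_pairs(links, basl, ROUTABLE)}")
```

Only per-spoke site links with BASL off leave no branch-to-branch pair in the model; a single all-sites link permits the full mesh whether BASL is on or off.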