Greetings,

Have a network that even after 3 calls to PSS in 1 week is still not having
KCC working properly.  Replication has been forced to "work" so the network
could be upgraded to R2.  But to me and a couple of others KCC is just not
working properly.  I could use your help in resolving this puzzle.

Summary:

4 sites with 1 DC at each site.  Each DC is running Windows 2000 Server Std
SP4 with all updates available as of August 6th.  All firewalls have been
replaced with 3 PIX 506E and 1 ASA 5510.  There are VPN connections between
all site combinations and the network is fully meshed and fully routed.
Originally each DC pointed to itself for primary DNS and the Forest Root
PDCE for secondary.  The Forest Root PDCE pointed only to itself.

I was brought in to put in a new R2 DC and Exchange 2003 Std server.  While
cleaning up the Exchange system I looked at all the event logs on all the
DCs.  There were numerous KCC errors in the Directory Services event log.

Initial Troubleshooting:

From any DC I could ping any other DC by IP, NetBIOS name, FQDN and DSA
Address.  Verified that subnets had been defined in S&S for each site and
that each Site was assigned to the correct subnet and that the correct DC
was in each site.

The sites are LR, LV1, LV2 and LV3.  Here are the original links:

LR -> LV2
LV1 -> LR
LV3 -> LR
LV2 -> LR, LV1, LV3

Nothing I could do would get KCC to generate the other links.  The errors
were all 1311s and 1566s.

PSS Call #1:

PSS1 changed all the DCs to point to the LR DC (Forest Root PDCE) only for
DNS.  He then deleted all site links on all 4 DCs and reran "check site
topology".  This just recreated the original site links.  PSS1 then found
that not all the DSA Addresses existed in DNS on each DC.  So PSS1 went on
the usual trip to get each DC to reregister in DNS.  He couldn't get the DCs
at LV1 or LV3 to register themselves so he manually created all the missing
entries on all 4 DCs.  PSS1 said we were good to go because having each
Windows 2000 DC point to itself had created DNS Islands and it would take
a while for KCC to recalculate and regenerate.

Now ever since he manually created the entries I get 1226 errors from NTDS
Replication.  Also only the original site links still existed.

R2 Prep:

I checked all 4 DCs and was getting 1264s but still only the original site
links existed.  I then ran adprep /forestprep and /domainprep from the 1st
R2 CD on the LR DC.  After the domain prep ran I started getting error 1265
from NTDS KCC "access denied" and replication stopped.

PSS Call #2:

PSS2 found, after 2.5 hours that Authenticated Users and Everyone were
missing from the Default DC Policy in Access this computer from the network.
When they were added the access denied errors stopped.

R2 DC DCPROMO:

When I went to run dcpromo on the new R2 server I got "a full replication
cycle has not completed" even though 48 hours had passed since the adprep
and 36 hours since PSS call #2.  When I checked the event logs were clean
but replmon was still reporting the access denied errors when trying to
replicate.

PSS Call #3:

PSS3 had me use KB 244474 to enable Kerberos authentication over TCP and
reboot each DC.  Still had the access denied errors only in replmon.

PSS3 had me then add the ENTERPRISE DOMAIN CONTROLLERS to the Default DC
Policy in Access this computer from the network on each DC and reboot each
DC.  Still had the access denied errors only in replmon.

PSS3 then had me do a secedit /refreshpolicy machine_policy and user_policy
on each DC.  We got the required 1704 but replmon still reported access
denied and the original site links still existed.

PSS3 said all the DNS settings on all the DCs were totally wrong.  PSS3 said
since we had less than 5 sites, 5 DCs and since there was only 1 DC at each
site that each site should have a link to the other 3 DCs and that each DC
should point to the LR DC as primary, itself as secondary, and the other two
DCs as 3rd and 4th.  PSS3 then went and deleted from all 4 DCs all the site
links that had been created.  PSS3 then used replmon to replicate and check
replication topology and still got access denied.

After 206 minutes on the phone PSS3 went and manually created all the
missing site links on all 4 DCs.  Replmon then ran with no errors.  PSS3 had
me then run adprep from the 2nd R2 CD.  Replmon was used to force
replication and the new R2 server was then successfully dcpromoed.

WHEW!!!

So I have 5 questions:

1.  Why does every PSS person handle DNS server settings differently?
 
2.  Why did the 1st PSS person think that sites were done when only 1
Site/DC had the other 3 DCs as replication links and the other 3 only
pointed to the PDC emulator?
 
3.  Why do Replmon and the Directory Service event logs show different
results?  The PSS1 only looked in the event logs and saw no errors.  PSS3
only used Replmon and noticed all the access denied errors.
 
4.  What in the world was keeping a fully meshed IP network with VPN
connections between all sites from letting KCC develop a fully replicating
site topology?
 
5.  Why did PSS2 not put the ENTERPRISE DCs in the Default DC Policy for
access this computer from the network when PSS3 lady said they had to be
there?

Thanks for your time and patience.


Webster
I'll shut up now Laura :)

p.s. If anyone needs any of the PSS case #s I'll provide those off list.
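The check PSS1 ended up doing by hand (does every DC's DSA address, the <GUID>._msdcs.<forest> CNAME, actually resolve from every DC's own DNS servers?) can be scripted. The following is an added example, not code from the post or from PSS; it assumes the ActiveDirectory and DnsClient PowerShell modules and CIM remoting to each DC, so it is written for a later Windows Server version than the Windows 2000 DCs above, but it tests the same "DNS island" condition and also prints each DC's DNS server order so it can be compared against the primary/secondary layout PSS3 asked for.

```powershell
# Added diagnostic example (not from the original post). Assumes the
# ActiveDirectory and DnsClient modules and CIM access to every DC.
Import-Module ActiveDirectory
Import-Module DnsClient

$forest = (Get-ADForest).RootDomain
$dcs    = Get-ADDomainController -Filter *

# Every DC's DSA address: the objectGUID of its NTDS Settings object,
# published as <guid>._msdcs.<forest root>. Replication partners look this up.
$dsaRecords = foreach ($dc in $dcs) {
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID
    [pscustomobject]@{
        DC   = $dc.HostName
        Site = $dc.Site
        Name = "$($ntds.objectGUID)._msdcs.$forest"
    }
}

$results = foreach ($dc in $dcs) {
    # Read the DNS servers configured on the DC itself, in order, and query
    # those servers directly instead of the local resolver. A DC whose DNS
    # only knows about itself ("DNS island") shows up here as failed lookups.
    $servers = (Get-DnsClientServerAddress -CimSession $dc.HostName -AddressFamily IPv4 |
                Where-Object { $_.ServerAddresses }).ServerAddresses | Select-Object -Unique
    Write-Host ("{0} ({1}) DNS order: {2}" -f $dc.HostName, $dc.Site, ($servers -join ', '))

    foreach ($rec in $dsaRecords) {
        foreach ($server in $servers) {
            $target = $null
            try {
                $target = (Resolve-DnsName -Name $rec.Name -Type CNAME -Server $server -ErrorAction Stop |
                           Where-Object { $_.Type -eq 'CNAME' }).NameHost
            } catch { }   # NXDOMAIN or unreachable server: leave $target empty
            [pscustomobject]@{
                AskingDC  = $dc.HostName
                DnsServer = $server
                TargetDC  = $rec.DC
                TargetSite = $rec.Site
                Resolved  = [bool]$target
                NameHost  = $target
            }
        }
    }
}

$results | Sort-Object AskingDC, TargetDC, DnsServer | Format-Table -AutoSize

# Each False row is a DSA address missing from that DC's DNS view, the kind of
# gap PSS1 had to fill by creating the records manually.
$results | Where-Object { -not $_.Resolved } | ForEach-Object {
    Write-Warning ("{0} cannot resolve the DSA CNAME of {1} via DNS server {2}" -f
        $_.AskingDC, $_.TargetDC, $_.DnsServer)
}
```

Run it once from any domain-joined admin workstation; the warnings are what to act on, and a clean run (no warnings, every DC listing the same servers in the intended order) is a reasonable precondition before expecting KCC to build the missing site links on its own.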

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
