AD Database Replication : Event Error 1311 Source NTDS KCC

Question
-
Dear Support,
Our company has 4 sites. Each site has one or more DCs (GC). Recently I found that the DCs at each site have a problem: they can't replicate with their partners. Would you give me a solution to fix this problem?
In the event log, I find this error:
Date: 08/01/2008 Source : NTDS KCC
Time: 9:23:47 am Category:
Type: Error Event ID: 1311
User: NT AUTHORITY\ANONYMOUS LOGIN
Computer: FileServer
No information
-----------------------------------------------------------------------------------------------------------------------------------------
Date: 08/01/2008 Source : NTDS Replication
Time: 9:47:47 am Category:
Type: Error Event ID: 1988
User: NT AUTHORITY\ANONYMOUS LOGIN
Computer: FileServer
For Event ID 1988, I tried using the repadmin tool, but that also couldn't fix it:
1. repadmin /removelingeringobjects fileserver.abc.com 179af8cd-e65e-4741-8f4f-3246957f2849 CN=Configuration,DC=abc,DC=com /advisory_mode
2. repadmin /removelingeringobjects fileserver.abc.com 179af8cd-e65e-4741-8f4f-3246957f2849 CN=Configuration,DC=abc,DC=com
-------------------------------------------------------------------------------------------------------------------------------------------
August 1, 2008, 7:00 AM
Answer
-
Dear Customer,
Thanks for your post.
From your post, my understanding of this issue is: you got Event ID 1311 on your DC. If this is not correct, please feel free to let me know.
As you may know, the Knowledge Consistency Checker (KCC) constructs and maintains the Active Directory replication topology automatically. Every 15 minutes, the KCC examines the sum of all directory partition replicas that reside on domain controllers in the forest, as well as administrator-defined settings for connections, sites, and site links.
Although generation of the replication topology occurs automatically, administrative configuration errors can result in an Active Directory replication topology that is inconsistent with the physical connections that are available. In Active Directory it is possible to create objects for which there is no physical network support. For example, Active Directory Sites and Services allows you to create a site object and assign subnet addresses that do not exist. The KCC will attempt to use these objects to create connections between domain controllers, but replication cannot occur because the network does not exist to support the replication topology as it is configured.
Event ID 1311 is logged in the Directory Service log when configuration errors or unavailable domain controllers prevent replication of a directory partition between domain controllers in different sites.
Cause
===============
This problem can have the following causes:
- Site link bridging is enabled on a network that does not support physical network connectivity between two domain controllers in different sites that are connected by a site link.
- Bridge all site links is enabled in Active Directory Sites and Services, but the network does not allow network connectivity between any two domain controllers in the forest.
- One or more sites are not contained in a site link.
- Site links contain all sites, but the site links are not interconnected. This condition is known as disjointed site links.
- One or more domain controllers are offline.
- Bridgehead domain controllers are online, but errors occur when they try to replicate a required directory partition between Active Directory sites.
- Administrator-defined preferred bridgehead servers are online, but they do not host the required directory partition. The most common misconfiguration is to define non-global catalog servers as bridgehead servers.
- Preferred bridgeheads are defined correctly by the administrator, but they are currently offline.
- The bridgehead server is overloaded because the server is undersized, too many branch sites are trying to replicate changes from the same hub domain controller, or the replication schedules on site links or connection objects are too frequent.
- The Knowledge Consistency Checker (KCC) has built an alternate path around an intersite connection failure, but it continues to retry the failing connection every 15 minutes.
Solution
===============
Use the following procedures for troubleshooting event ID 1311:
1. Identify the scope of the problem.
2. Check site link bridging.
3. Determine whether the network is fully routed.
4. Verify that all sites are connected.
5. Check preferred bridgehead servers.
Identify the Scope of the Problem
--------------------------
Identify the scope of the problem by determining whether event ID 1311 is being logged on all domain controllers in the forest that hold the intersite topology generator (ISTG) role or just on site-specific domain controllers.
First, use the following procedure to locate the ISTG role holders for all sites.
Requirements
- Administrative credentials: To complete this procedure, you must be a member of the Domain Admins group in a domain in the forest.
- Tool: Ldp (Windows Support Tools)
To locate the ISTG role holders for all sites
1. Click Start, click Run, type Ldp, and then click OK.
2. On the Connection menu, click Connect.
3. In the Connect dialog box, leave the Server box empty.
4. In Port, type 389, and then click OK.
5. On the Connection menu, click Bind.
6. In the Bind dialog box, provide Enterprise Admins credentials. Click Domain if it is not already selected.
7. In Domain, type the name of the forest root domain, and then click OK.
8. On the Browse menu, click Search.
9. In Base dn, type:
CN=Sites,CN=Configuration,DC=Forest_Root_Domain
10. In Filter, type:
(CN=NTDS Site Settings)
11. For Scope, click Subtree.
12. Click Options, and in the Attributes box, scroll to the end of the list, type:
;interSiteTopologyGenerator
and then click OK.
13. In the Search dialog box, click Run.
14. Review the interSiteTopologyGenerator entries in the output, and make a note of the domain controller names.
Determine the scope of the event by checking the Directory Service event logs of all ISTG role holders in the forest, or check at least a significant number of ISTG role holders.
If event ID 1311 continues to be logged on ISTG role holders, continue with the next step.
Check Site Link Bridging
--------------------------
Use the following procedure to determine if site link bridging is enabled.
Determine if site link bridging is enabled
1. Open Active Directory Sites and Services.
2. In the console tree, double-click the Sites container, and then double-click the Inter-Site Transports container.
3. Right-click the IP container. If Bridge all site links is selected, site link bridging is enabled.
The Bridge all site links setting requires a fully routed network. If the network is not fully routed, you must create site link bridges manually.
Determine Whether the Network Is Fully Routed
--------------------------
Determine whether a fully routed network connection exists between two sites. If the network is fully routed, continue by verifying that the sites are connected.
If the network is not fully routed and site link bridging is enabled, either make the network fully routed, or disable site link bridging and then create the necessary site links and site link bridges. For information about creating site links, see Linking Sites for Replication.
Note:
Site link bridging is enabled by default. As a best practice, leave site link bridging enabled for fully routed networks.
Create a Site Link Bridge
--------------------------
If the network is not fully routed, be sure that you have created site links to connect all sites. When all site links are created, use the following procedure to create a site link bridge.
To create a site link bridge
1. Open Active Directory Sites and Services.
2. In the console tree, double-click the Sites container, and then expand the Inter-Site Transports container.
3. Right-click the IP container, and then click New Site Link Bridge.
4. In Name, type a name for the site link bridge.
5. Click two or more site links to be bridged, and then click Add.
Wait for a period of time that is twice as long as the longest replication interval in the forest. If event ID 1311 continues to be logged on ISTG role holders, continue with the next step.
Verify That All Sites Are Connected
--------------------------
If the network is fully routed, use the Repadmin command-line tool to view site links to ensure that intersite replication can occur between domain controllers in different sites.
Requirements
- Administrative credentials.
- Tool: Repadmin.exe (Windows Support Tools)
To view site links
1. At a command prompt, type the following command, and then press ENTER:
repadmin /showism "CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=Forest_Root_Domain"
2. In the output, review the information for the sites that are listed. For each site, the output of the command shows a string of three numbers separated by colons. The numbers represent <cost>:<replication interval>:<options>. Strings with a value of "-1:0:0" indicate a possible missing site link.
Check Preferred Bridgehead Servers
--------------------------
If you have designated preferred bridgehead servers, the ISTG selects bridgehead servers only from that list of servers. If no servers in the list for the site can replicate a domain directory partition that has domain controllers in other sites, the ISTG selects a bridgehead server that can replicate the domain, if one is available in the site. However, if at least one server in the list can replicate a domain but the server is unavailable, the ISTG does not select an alternate bridgehead server and replication of updates to that domain does not occur in the site. In this case, you might have domain controllers that are capable of replicating the domain, but replication does not occur because preferred bridgehead servers have been selected and none is available for the domain.
Check the list of preferred bridgehead servers in the site, and ensure that preferred bridgehead servers for the domain in question are available. Use the following procedure to check the list of preferred bridgehead servers.
To see all servers that have been selected as preferred bridgehead servers in a forest, you can use ADSI Edit to view the bridgeheadServerListBL attribute on the IP container object.
To view the list of preferred bridgehead servers
1. Click Start, click Run, type adsiedit.msc, and then click OK.
2. In the console tree, double-click Configuration Container, and then double-click CN=Configuration,DC=ForestRootDomainName, CN=Sites, and CN=Inter-Site Transports.
3. Right-click CN=IP, and then click Properties.
4. In Attributes, double-click bridgeheadServerListBL.
5. If any preferred bridgehead servers are selected in any site in the forest, the Values box displays the distinguished name for each server object that is currently selected as a preferred bridgehead server.
Verify that all domain controllers in the list are online and functioning as domain controllers.
--------------------------
To determine whether a domain controller is functioning
- To confirm that a domain controller is running Active Directory and is accessible on the network, at a command prompt type the following command, and then press ENTER:
net view \\DomainControllerName
where DomainControllerName is the network basic input/output system (NetBIOS) name of the domain controller
This command displays the Netlogon and SYSVOL shares, indicating that the server is functioning as a domain controller. If this test shows that the domain controller is not functioning on the network, determine the nature of the disconnection and whether the domain controller can be recovered.
Hope the above information helps. If anything is unclear or you have any concerns, please feel free to post back. I am glad to be of assistance.
Sincerely,
Tom Zhang
August 5, 2008, 2:06 AM, Moderator
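Added example (not part of the original answer or of Microsoft's documentation): a Python sketch that parses saved `repadmin /showism` output, lists the site pairs marked "-1:0:0", and groups the sites that can still reach each other, which exposes the disjointed site links listed under Cause. The output layout, the site names Site1 to Site4 and the sample text are constructed assumptions; adjust the regular expressions to what your repadmin version prints.

```python
import re

# Constructed sample shaped like `repadmin /showism` output (layout is an
# assumption): one "Site(n) <DN>" line per site, followed by a row of
# <cost>:<replication interval>:<options> triples, one triple per site.
SAMPLE = """\
==== TRANSPORT CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=abc,DC=com CONNECTIVITY INFORMATION FOR 4 SITES: ====
          0,         1,         2,         3
Site(0) CN=Site1,CN=Sites,CN=Configuration,DC=abc,DC=com
     0:0:0, 100:180:0, 100:180:0,    -1:0:0
Site(1) CN=Site2,CN=Sites,CN=Configuration,DC=abc,DC=com
 100:180:0,     0:0:0, 200:180:0,    -1:0:0
Site(2) CN=Site3,CN=Sites,CN=Configuration,DC=abc,DC=com
 100:180:0, 200:180:0,     0:0:0,    -1:0:0
Site(3) CN=Site4,CN=Sites,CN=Configuration,DC=abc,DC=com
    -1:0:0,    -1:0:0,    -1:0:0,     0:0:0
"""

SITE_LINE = re.compile(r"^\s*Site\((\d+)\)\s+(\S.*)$")
TRIPLE = re.compile(r"(-?\d+):(\d+):(\d+)")
NO_LINK = (-1, 0, 0)  # the "-1:0:0" value the answer says to look for


def parse_showism(text):
    """Return (site names, matrix of (cost, interval, options) triples)."""
    sites, rows = [], []
    for line in text.splitlines():
        m = SITE_LINE.match(line)
        if m:
            # Keep only the value of the first RDN, e.g. "Site1".
            sites.append(m.group(2).strip().split(",")[0].split("=", 1)[-1])
            rows.append([])
        elif rows:
            rows[-1].extend(tuple(int(x) for x in t) for t in TRIPLE.findall(line))
    for name, row in zip(sites, rows):
        if len(row) != len(sites):
            raise ValueError(f"{name}: expected {len(sites)} entries, got {len(row)}")
    return sites, rows


def missing_links(sites, rows):
    """Unordered site pairs where either direction reports -1:0:0."""
    return [(sites[i], sites[j])
            for i in range(len(sites)) for j in range(i + 1, len(sites))
            if rows[i][j] == NO_LINK or rows[j][i] == NO_LINK]


def site_groups(sites, rows):
    """Group sites that can reach each other; more than one group means
    the site links are disjointed."""
    seen, groups = set(), []
    for start in range(len(sites)):
        if start in seen:
            continue
        seen.add(start)
        stack, group = [start], []
        while stack:
            i = stack.pop()
            group.append(sites[i])
            for j in range(len(sites)):
                if j not in seen and rows[i][j] != NO_LINK and rows[j][i] != NO_LINK:
                    seen.add(j)
                    stack.append(j)
        groups.append(sorted(group))
    return groups


if __name__ == "__main__":
    names, matrix = parse_showism(SAMPLE)
    for a, b in missing_links(names, matrix):
        print(f"possible missing site link: {a} <-> {b}")
    print("reachable groups:", site_groups(names, matrix))
```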
All replies
-
August 4, 2008, 9:50 AM -
My site Infrastructure
Site 1 : DCS1 (host name)
Site 2 : DCS2 (host name)
Site 3 : DCS3 (host name)
Site 4 : DCS4 (host name)
I checked with the other replication partners; they are also present.
I used replmon, which shows that dcs1 can replicate to dcs2 and dcs3, but can't replicate to dcs4.
The replmon monitor displays a "red cross" icon: dcs1 can't replicate to dcs4.
On the other hand, I don't know why there is an orphaned domain controller; the clients sometimes can't log in to the Windows server.
Would you help me with how to do that?
August 4, 2008, 5:03 PM -
Hi MoMo_try
On 8 Oct, after first day of TechEd, we are going to host a community gathering where you can have a drink and network with your peers in the industry, please RSVP with me at hkdevcom@microsoft.com.
Event Details
Date: 8 Oct, 2008 (Wednesday)
Time: 7pm to 9pm
Venue: Cenna Bar & Lounge (23/F, 恒和鑽石大廈, 525 Hennessy Road, Causeway Bay)
Thanks and looking forward to seeing you at the event!
Cheers,
Angela Ip (MSHK)
September 25, 2008, 8:31 AM -
Looks like you copied from: http://technet.microsoft.com/en-us/library/cc740252%28WS.10%29.aspx :)
I have a question...
What if your object does not show an attribute for: "bridgeheadServerListBL" ????
I've followed these steps and this attribute does not show on that object. Ideas???
Thanks!
August 3, 2010, 6:09 PM