Thanks for the warnings. The thing that is "wrong" and will not be corrected for at least nine months is the speed and stability of the connectivity. That is, the links are slow and the routing hardware (such as it is) does not really do the job. VPNs are (I know, I know) terminated on the DCs. This is all going away within the next year. The company is moving to a new headquarters and has committed to at least medium-speed (T1 or better) connections to each branch. More robust VPNs and fully routed networks will come with the improved speed. It has been made clear to me that there is zero money until then to purchase new network hardware.
So, these changes are simply a patch job -- keeping the duct tape holding until the move. As I said, replication is working now. The only reason I even began looking into this was the ugly errors in the DS logs. Maybe there is no reason to touch it now and simply focus on the new design.

-- nme

> -----Original Message-----
> From: Almeida Pinto, Jorge de
> [mailto:[EMAIL PROTECTED]
> Sent: Sunday, August 07, 2005 3:00 PM
> To: [email protected]
> Subject: RE: [ActiveDir] Branch Office Question
>
> I did not say or write it that hard as Rick mentioned, but I
> totally agree with him. See my "Before you go on with this,
> check what is wrong, because this should work" as a summary
> of his e-mail. ;-)
>
> There must be something wrong for this not working as it should be
>
> Cheers
> #JORGE#
>
> ________________________________
>
> From: Almeida Pinto, Jorge de
> Sent: Sun 8/7/2005 11:56 PM
> To: [email protected]
> Subject: RE: [ActiveDir] Branch Office Question
>
>
> To answer your question:
> You can use each DC you want. In the end it will replicate to
> the location where it applies. You need however to do this for
> the sites you want to disable the KCC/ISTG (inter site)
>
> Before you go on with this, check what is wrong, because this
> should work. Check the event logs again and run DCDIAG again
> to see what it says now, after you disabled the auto link bridging.
>
> So if you would like, run the following commands against AD
> (just querying) and mail the output to me OFFLINE and I'll
> take a look at it to see if I can find anything strange.
> post also the output of DCDIAG for all DCs (if i remember
> correctly you do not have that many DCs, right?)
>
> ADFIND: http://www.joeware.net/win/free/tools/adfind.htm
>
> determine sites:
> adfind -config -f "(objectClass=site)" -dn
>
> determine subnets and associated subnets:
> adfind -config -f "(objectClass=subnet)" distinguishedname siteobject
>
> determine properties of the intersite transports
> adfind -config -f "(objectClass=interSiteTransport)"
>
> determine site links and associated sites:
> adfind -config -f "(objectClass=sitelink)" distinguishedname sitelist
>
> determine all Site link bridges and its properties
> adfind -config -f "(objectClass=siteLinkBridge)"
>
> determine all NTDS Site Settings objects for each site and its properties
> adfind -config -f "(objectClass=nTDSSiteSettings)"
>
> determine all NTDS Settings objects for each DC and its properties
> adfind -config -f "(objectClass=nTDSDSA)"
>
> determine all replication connections and its properties
> adfind -config -f "(objectClass=nTDSConnection)"
>
> Cheers
> #JORGE#
>
> ________________________________
>
> From: [EMAIL PROTECTED] on behalf of Noah Eiger
> Sent: Sun 8/7/2005 11:13 PM
> To: [email protected]
> Subject: RE: [ActiveDir] Branch Office Question
>
>
>
> Thanks, Jorge.
>
> So the KCC is on at all sites. In my situation, I want to
> disable the KCC. A few questions:
> - Is the command to do so:
>   repadmin /siteoptions branch1dc.company.com /site:branch1 +IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED
> - Do I have to run this against each DC?
> - I believe I only want to disable the INTER_SITE, not the
>   INTRA_SITE, right?
> - Do I then need to manually create the connection objects
>   or can I just leave the auto generated ones in place?
> - Does all this change if the VPN topology allows for a fully
>   routed network?
>
> Thanks.
>
> -- nme
>
> P.S. I checked the questions you asked. DCs and GCs are
> correct; no custom site links or connections; site membership
> is correct.
>
> > -----Original Message-----
> > From: Almeida Pinto, Jorge de
> > [mailto:[EMAIL PROTECTED]
> > Sent: Saturday, August 06, 2005 11:59 AM
> > To: [email protected]; [email protected]
> > Subject: RE: [ActiveDir] Branch Office Question
> >
> > I expected that.. in a few words hub-and-spoke topology in a non fully
> > routed network. For this to work you need a site for each location and
> > a site link between each spoke (the branches) and the hub and auto site
> > link bridging is off
> >
> > The other thing I can think of:
> > * Is each DC/GC in the correct site?
> > * Do you have custom site link bridges?
> > * Do you have custom connections (auto connections are visible as
> >   automatic connections and custom connections are visible as GUIDs)
> > * Check the site membership of the site links. Is it correct
> > * Other site links connecting the branches somehow
> > * etc
> >
> > By the way. To see if the KCC/ISTG for a site has been disabled open
> > up the properties of the NTDS Site Settings object of each site. If
> > you see yellow exclamation marks at the bottom with text explaining
> > it, the KCC is disabled. If you don't see anything it is enabled
> >
> > You can also check it with:
> > repadmin /siteoptions <DC> /site:<SITE>
> >
> > Default-First-Site-Name
> > Current Site Options: (none) -> means the KCC is not disabled
> >
> >
> > Default-First-Site-Name
> > Current Site Options: IS_AUTO_TOPOLOGY_DISABLED
> > IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED -> means the KCC is disabled for
> > intrasite and intersite
> >
> > Cheers
> > #JORGE#
> >
> > ________________________________
> >
> > From: Noah Eiger [mailto:[EMAIL PROTECTED]
> > Sent: Sat 8/6/2005 6:38 PM
> > To: [email protected]
> > Subject: RE: [ActiveDir] Branch Office Question
> >
> >
> > Thanks, Jorge.
> >
> > The topology is as follows:
> > - Each office connects to the hub via a point-to-point VPN.
> >   That is, there is no bridging at the hub -- this is a bandwidth
> >   consideration.
> > - As for AD: we have three sites Hub, B1, B2, and B3.
> > - Each has a single DC that is also a GC.
> > - There are three IP site links: Hub-B1, Hub-B2, and Hub-B3.
> > I am not sure, but at one point there may have been a single site link
> > containing all sites. If there was, it is gone now.
> > The ISTG created a "web" topology. However, we were getting
> > replication errors. I manually deleted the connection objects that
> > connected the hubs to each other. Those connection objects have not
> > regenerated. There are no manually created connections. Finally, I
> > recall that there is a setting (reg edit?) that tells the ISTG to
> > _not_ automatically create connections.
> > To my knowledge, this setting is not enabled.
> >
> > Anything else I should check?
> >
> > -- nme
> >
> >
> > ________________________________
> >
> > From: Almeida Pinto, Jorge de
> > [mailto:[EMAIL PROTECTED]
> > Sent: Friday, August 05, 2005 6:36 PM
> > To: [email protected]
> > Subject: RE: [ActiveDir] Branch Office Question
> >
> >
> > May look like a silly question but can you point out (just to be
> > sure) how your site and replication topology looks like? How many
> > sites and how many site links do you have and how are those connected?
> > I assume one domain and each DC = GC...
> >
> > #JORGE#
> >
> > ________________________________
> >
> > From: [EMAIL PROTECTED] on behalf of Noah Eiger
> > Sent: Sat 8/6/2005 3:22 AM
> > To: [email protected]
> > Subject: RE: [ActiveDir] Branch Office Question
> >
> >
> >
> > Hi Jorge:
> >
> > Thanks for the suggestion. That checkbox was indeed checked. I have
> > unchecked it and waited longer than a day. Replication seems to have
> > worked and the box is unchecked at all branch sites. The errors
> > persist at all branch sites.
> >
> > Any further thoughts?
> >
> > -- nme
> >
> > > -----Original Message-----
> > > From: Almeida Pinto, Jorge de
> > > [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, August 04, 2005 10:21 AM
> > > To: [email protected]; [email protected]
> > > Subject: RE: [ActiveDir] Branch Office Question
> > >
> > > so, your network is not fully routed? is auto site link
> > > bridging enabled or disabled. If it is enabled, disable it!
> > >
> > > To do so:
> > > * start sites and services
> > > * go to Inter site transports
> > > * right click IP and uncheck "bridge all site links"
> > >
> > > wait until this has replicated to the other DCs
> > >
> > > Cheers
> > > #JORGE#
> > >
> > > ________________________________
> > >
> > > From: [EMAIL PROTECTED] on behalf of Noah Eiger
> > > Sent: Thu 8/4/2005 6:41 PM
> > > To: [email protected]
> > > Subject: [ActiveDir] Branch Office Question
> > >
> > >
> > > Hi -
> > >
> > > Ok. Finally, one of my questions is ON topic ;-)
> > >
> > > I have three branch office sites that connect to a single
> > > hub. VPN connectivity, Site links, and connection objects
> > > only allows each branch to see the hub. Replication is
> > > working smoothly and consistently. Yet, I am still seeing
> > > repeated errors in the Event Viewers of the branches
> > > complaining that they cannot see one another.
> > >
> > > The options offered in the errors all seem to point to trying
> > > to get the branches to see one another (e.g., "publish
> > > sufficient site connectivity information..."). I want to tell
> > > it not to look for the other branches at all.
> > >
> > > Specifically, I see:
> > >
> > > Event Type: Warning
> > > Event Source: NTDS KCC
> > > Event Category: (1)
> > > Event ID: 1566
> > > Date: 7/29/2005
> > > Time: 11:45:08 AM
> > > User: N/A
> > > Computer: BRANCHDC1
> > >
> > > Event Type: Error
> > > Event Source: NTDS KCC
> > > Event Category: (1)
> > > Event ID: 1311
> > > Date: 7/29/2005
> > > Time: 11:45:08 AM
> > > User: N/A
> > > Computer: BRANCHDC1
> > >
> > > Thanks.
> > >
> > > -- nme
> > >
> > > List info : http://www.activedir.org/List.aspx
> > > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > > List archive:
> > > http://www.mail-archive.com/activedir%40mail.activedir.org/
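
Added example (not part of the original thread): a Python check of the site-link checklist discussed above, for a hub-and-spoke layout in which branches can reach only the hub. The function name, finding strings and sample data are constructed for illustration; in practice the site-link membership would come from the siteList values returned by the adfind sitelink query quoted in the thread.

```python
from itertools import combinations

def _pair(a, b):
    """Order-independent key for a pair of site names."""
    return tuple(sorted((a, b)))

def audit_hub_and_spoke(hub, sites, site_links, bridge_all_site_links):
    """Return findings for a topology where branches can reach only the hub."""
    findings = []
    direct = set()  # site pairs that share at least one site link
    for name, members in sorted(site_links.items()):
        unknown = sorted(set(members) - set(sites))
        if unknown:
            findings.append(f"{name}: unknown site(s) {', '.join(unknown)}")
        for a, b in combinations(sorted(set(members) & set(sites)), 2):
            direct.add(_pair(a, b))
            if hub not in (a, b):
                findings.append(f"{name}: puts branches {a} and {b} in one site link")
    branches = sorted(s for s in sites if s != hub)
    for b in branches:
        if _pair(hub, b) not in direct:
            findings.append(f"{b}: no site link to {hub}")
    if bridge_all_site_links:
        # Bridging makes site links transitive, so two spokes that each link
        # to the hub are treated as reachable from one another.
        for a, b in combinations(branches, 2):
            if _pair(a, b) not in direct and all(
                    _pair(hub, x) in direct for x in (a, b)):
                findings.append(f"bridging: {a} <-> {b} assumed reachable via {hub}")
    return findings

# Constructed sample data mirroring the thread: Hub, B1, B2, B3.
SITES = ["Hub", "B1", "B2", "B3"]
SPOKE_LINKS = {"Hub-B1": ["Hub", "B1"], "Hub-B2": ["Hub", "B2"],
               "Hub-B3": ["Hub", "B3"]}
ONE_BIG_LINK = {"AllSites": ["Hub", "B1", "B2", "B3"]}

if __name__ == "__main__":
    for label, links, bridged in [("spokes, bridging off", SPOKE_LINKS, False),
                                  ("spokes, bridging on", SPOKE_LINKS, True),
                                  ("single link", ONE_BIG_LINK, False)]:
        print(label, audit_hub_and_spoke("Hub", SITES, links, bridged) or "clean")
```

An empty result means every branch has exactly the hub link described in the thread and nothing in the site-link configuration implies branch-to-branch reachability.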
