Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 1311 Source: NTDSKCC

The Directory Service consistency checker has determined that there is not enough physical connectivity published via the Active Directory Sites and Services Manager to create a Spanning Tree connecting all the sites containing the Naming Context DC=mycorp,DC=com.

Please use the Active Directory Sites and Services Manager to do one of the following:
Publish sufficient site connectivity information such that the system can infer a route by which this Naming Context can reach this site. This option is preferred.

Add an ntdsConnection object to a Domain Controller that contains the Naming Context DC=mycorp,DC=com in this site from a Domain Controller that contains the same Naming Context in another site.
This event sometimes may be logged along with event id 1988 which identifies "lingering objects" on one or more DCs. In our case, replication wasn''t occurring as a result of the lingering object and after removing the lingering object (see T736571 for syntax) the replication problems were gone.
I was receiving this event followed by EventID 1312 from source NTDS KCC. The Intersite Messaging service was disabled on one of my domain controllers. Enabling and starting this service cleared up the issue.
Our environment was a mixed one, with 2k and 2k3 DCs. We installed ME913446 on the Win2k3 DCs and ME893066 on the Win2k DCs. Then, we added the following DWORD values under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP\Parameters:
Value name:  EnablePMTUBHDetect
Value:  1

Value name:  MTU
Value:  1360

After a reboot, the problem was solved.
In my case, I had to modify the ISTG (Inter-Site Topology Generator) role in Active Directory. The ISTG role was not hold by the bridge-head server. After assigning it to the bridge-head server, the problem was gone. In the Microsoft knowledgebase there is an article concerning ISTG (ME224815).
This problem can have multiple causes. See the link to "Fixing replication topology problems" for troubleshooting.

In my case, the problem was caused by hotfix ME893066. Uninstalling the hotfix fixed the problem for me.
This event sometime occurs in an environment with large number of sites and domain controllers when connectivity to one or more sites is lost. ISTG tries to reach that site through alternate routes available and creates new connections for this purpose. By design in Windows 2003, these connections should be deleted automatically when original connectivity is restored, but in Windows 2000 these links are not deleted. You have to go to NTDS Settings of all the servers in affected site and delete all connections, and initiate "Check Replication Topology". ISTG will create all the links from scratch for all of these servers and problem will disappear.
In our case, this error came up after we deleted a server from Active Directory. When you open up Active Directory Sites and Services, look for the server that may have been deleted. If it is still in the site, and you are SURE it was taken out of AD via DCPROMO, go ahead and delete it. The errors will clear up shortly thereafter.
See the link to "Upgrading Windows NT 4.0 Domains to Windows Server 2003" for information on this problem.
From a newsgroup post: "In certain rare conditions, the error will appear erroneously. This is more typical in environments with large numbers of sites, domain controllers, and domains. The steps from ME214745 will very likely resolve the issue. If all steps from the article have been exhausted but the error still appears, you can open a free MS support case to obtain the fix referenced in ME819249".

See the link to "EventID 1311 from source Active Directory" for additional information on this event.
In our case, every weekend a domain controller in a branch office had to be shut down (for maintenance on a temporary electricity generator). As soon as it went down the event logs on other DCs started filling up with these events. Once the DC was back online, everything went back to normal.
I have also found that if the time on the servers has become out of sync (by 5 minutes either way) this error will appear. I had this issue and found that my domain controllers were out of sync. Changed the times and the errors went away.
ME307593 provides an approach in troubleshooting Event ID 1311 Messages on a Windows 2000 Domain.

There is also now a hotfix available for one instance of this problem. See ME819249.
This behavior can occur if the Knowledge Consistency Checker (KCC) has determined that a site has been orphaned from the replication topology. See ME214745, ME244368 and ME271997 for troubleshooting.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to



Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.