Details
Product: Windows Operating System
Event ID: 1308
Source: NTDS KCC
Version: 5.2
Symbolic Name: DIRLOG_KCC_REPLICA_LINK_DOWN
Message: The Knowledge Consistency Checker (KCC) has detected that successive attempts to replicate with the following domain controller has consistently failed.

Attempts:%1
Domain controller:%2
Period of time (minutes):%3

The Connection object for this domain controller will be ignored, and a new temporary connection will be established to ensure that replication continues. Once replication with this domain controller resumes, the temporary connection will be removed.

Additional Data
Error value:%5 %4

Explanation

Despite several attempts, the Knowledge Consistency Checker (KCC) could not replicate with the domain controller. Therefore, the KCC has created a new temporary connection object. When the KCC can replicate with the domain controller again, the temporary connection object will be removed.

If there are other bridgeheads available, this situation is not a problem. However, if an eligible bridgehead does not exist, the whole site will be unreachable. In that case, related NTDS KCC 1311 events are logged.

User Action

This is probably a temporary situation. No user action is required.

However, if the domain controller was removed from the site topology and it will not be replaced, use ntdsutil.exe to remove references to it from the forest. This program is located in the Winnt\System32 folder.

Related:

Details
Product: Windows Operating System
Event ID: 1925
Source: NTDS KCC
Version: 5.2
Symbolic Name: DIRLOG_CHK_LINK_ADD_MASTER_FAILURE
Message: The attempt to establish a replication link for the following writable directory partition failed.

Directory partition: %1
Source domain controller: %4
Source domain controller address: %2
Intersite transport (if any): %5

This domain controller will be unable to replicate with the source domain controller until this problem is corrected.

User Action
Verify if the source domain controller is accessible or network connectivity is available.

Additional Data
Error value: %6 %3

Explanation

The Knowledge Consistency Checker (KCC) could not create a replication link between this domain controller and the remote domain controller.

Possible causes include:

  • The computer is disconnected from the network.
  • DNS could not resolve the server name.
  • The target account could not be found.
  • Access was denied.
  • A database error exists.
User Action

Verify that there is connectivity between the two domain controllers. The KCC will try to create a link automatically the next time it runs.

Related:

Details
Product: Windows Operating System
Event ID: 536
Source: Security
Version: 5.0
Symbolic Name: SE_AUDITID_NETLOGON_NOT_STARTED
Message: Logon Failure: Reason: The NetLogon component is not active User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6 Caller User Name: %7 Caller Domain: %8 Caller Logon ID: %9 Caller Process ID: %10 Transited Services: %11 Source Network Address: %12 Source Port: %13
Explanation

The logon attempt failed because the Netlogon service is not running.

  • The code in the Logon Type field specifies the logon method used. The following table explains the logon type code:

    Logon Type  Logon Title        Description
    2           Interactive        A user logged on to this computer at the console.
    3           Network            A user or computer logged on to this computer from the network.
    4           Batch              Batch logon type is used by batch servers, where processes might run on behalf of a user without the user’s direct intervention.
    5           Service            A service was started by the Service Control Manager.
    7           Unlock             This computer was unlocked.
    8           NetworkCleartext   A user logged on to a network and the user password was passed to the authentication package in its unhashed (plain text) form. It is possible that the unhashed password was passed across the network, for example, when IIS performed basic authentication.
    9           NewCredentials     A caller (process, thread, or program) cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but it uses different credentials for other network connections.
    10          RemoteInteractive  A user logged on to this computer remotely using Terminal Services or a Remote Desktop connection.
    11          CachedInteractive  A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.

  • The Authentication Package field values are specified in the following table:

    Authentication Package                            Description
    MSV1_0 and Microsoft_Authentication_Package_MV_1  Both refer to the MSV1_0 authentication package in the NTLM SSP (Security Support Provider), which supports the NTLMv2, NTLM, and LM authentication protocols and local SAM lookups.
    Kerberos                                          Refers to the Kerberos authentication package in the Kerberos SSP, which supports the Kerberos protocol.

  • The Workstation name field specifies the NetBIOS name of the remote computer that originated the logon request. If no information is displayed in this field, either a Kerberos logon attempt failed because the ticket could not be decrypted, or a non-Windows NetBIOS implementation or utility did not supply the remote computer name in the logon request.
  • The Caller fields specify the process that received the logon request.
  • The Transited Services field specifies the services or programs in order through which the user’s credentials have been authenticated by using constrained delegation.
  • The Source Network Address and Source Port fields specify the source IP address and source port number for the remote computer that sent the logon request.
User Action

No user action is required.

Related:

Details
Product: Windows Operating System
Event ID: 540
Source: Security
Version: 5.0
Symbolic Name: SE_AUDITID_NETWORK_LOGON
Message: Successful Network Logon: User Name: %1 Domain: %2 Logon ID: %3 Logon Type: %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7 Logon GUID: %8 Caller User Name: %9 Caller Domain: %10 Caller Logon ID: %11 Caller Process ID: %12 Transited Services: %13 Source Network Address: %14 Source Port: %15
Explanation

A logon session was created for the user. The message contains the Logon ID, a number that is generated when a user logs on to a computer. The Logon ID that is assigned to a logon session is unique to that logon session until the computer is restarted, at which point the Logon ID may be reused. The Logon ID can be used to correlate a logon message with other messages, such as object access messages.

This message includes the user name and the domain information of the user account that was logged on, the name of the logon process that logged the user on, the type of authentication credentials that were presented, and a logon GUID (globally unique identifier).

For logons that use Kerberos, the logon GUID can be used to associate a logon event on this computer with an account logon event on an authenticating computer, such as a domain controller.

This message also includes a logon type code. The logon type code indicates the manner in which the user logged on. The following table explains the logon type value:

Logon type  Logon title        Description
2           Interactive        A user logged on to this computer at the console.
3           Network            A user or computer logged on to this computer from the network.
4           Batch              Batch logon type is used by batch servers, where processes might run on behalf of a user without the user’s direct intervention.
5           Service            A service was started by the Service Control Manager.
7           Unlock             This workstation was unlocked.
8           NetworkCleartext   A user logged on to a network. The user’s password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).
9           NewCredentials     A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but it uses different credentials for other network connections.
10          RemoteInteractive  A user logged on to this computer remotely using Terminal Services or a Remote Desktop connection.
11          CachedInteractive  A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.
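
As an added example (not part of the event documentation above), the following Python code parses messages in the 536 and 540 templates, decodes the Logon Type code with the table given here, groups events by Logon ID as the 540 explanation suggests, and flags the two conditions a defender would want to review. Function names are my own, and the sample messages are constructed, not real log data.

```python
import re
from collections import defaultdict

LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive", 11: "CachedInteractive"}
# Template labels from the 536/540 entries, longest first so "Caller Logon ID" wins over "Logon ID".
FIELDS = sorted(["Reason", "User Name", "Domain", "Logon ID", "Logon Type", "Logon Process",
                 "Authentication Package", "Workstation Name", "Logon GUID", "Caller User Name",
                 "Caller Domain", "Caller Logon ID", "Caller Process ID", "Transited Services",
                 "Source Network Address", "Source Port"], key=len, reverse=True)
FIELD_RE = re.compile("(" + "|".join(re.escape(f) for f in FIELDS) + r"):\s*")

def parse_event(event_id, message):
    """Split a flattened 'Label: value Label: value ...' message into a dict."""
    parts = FIELD_RE.split(message)          # [header, label, value, label, value, ...]
    ev = {"EventID": event_id, "Header": parts[0].strip().rstrip(":")}
    for label, value in zip(parts[1::2], parts[2::2]):
        ev[label] = value.strip()
    if ev.get("Logon Type", "").isdigit():   # decode the code using the documented table
        ev["Logon Title"] = LOGON_TYPES.get(int(ev["Logon Type"]), "Unknown")
    return ev

def correlate_by_logon_id(events):
    """Group events by Logon ID, which is unique per session until the computer restarts."""
    sessions = defaultdict(list)
    for ev in events:
        if ev.get("Logon ID"):               # 536 has no Logon ID, only Caller Logon ID
            sessions[ev["Logon ID"]].append(ev)
    return dict(sessions)

def review_findings(events):
    """Triage: type 8 logons (password reached the package unhashed) and NetLogon-down failures."""
    findings = []
    for ev in events:
        if ev.get("Logon Title") == "NetworkCleartext":
            findings.append(("cleartext-logon", ev["User Name"], ev.get("Source Network Address")))
        if ev["EventID"] == 536:
            findings.append(("netlogon-not-active", ev["User Name"], ev.get("Workstation Name")))
    return findings

SAMPLES = [  # constructed messages in the documented template layout, not real log data
    (540, "Successful Network Logon: User Name: jdoe Domain: CORP Logon ID: (0x0,0x3E7A2) Logon Type: 3 "
          "Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: WS01 Logon GUID: - "
          "Caller User Name: - Caller Domain: - Caller Logon ID: - Source Network Address: 10.0.0.15 Source Port: 49152"),
    (540, "Successful Network Logon: User Name: svc_web Domain: CORP Logon ID: (0x0,0x4B1C0) Logon Type: 8 "
          "Logon Process: Advapi Authentication Package: MSV1_0 Workstation Name: WEB01 Logon GUID: - "
          "Caller User Name: - Caller Domain: - Caller Logon ID: - Source Network Address: 10.0.0.22 Source Port: 51000"),
    (536, "Logon Failure: Reason: The NetLogon component is not active User Name: jdoe Domain: CORP Logon Type: 3 "
          "Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: WS01 Caller User Name: - "
          "Caller Domain: - Caller Logon ID: - Source Network Address: 10.0.0.15 Source Port: 49153"),
]
PARSED = [parse_event(eid, msg) for eid, msg in SAMPLES]
```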
User Action

No user action is required.

Related:

Details
Product: Windows Operating System
Event ID: 1926
Source: NTDS KCC
Version: 5.2
Symbolic Name: DIRLOG_CHK_LINK_ADD_REPLICA_FAILURE
Message: The attempt to establish a replication link to a read-only directory partition with the following parameters failed.

Directory partition: %1
Source domain controller: %4
Source domain controller address: %2
Intersite transport (if any): %5

Additional Data
Error value: %6 %3

Explanation

The Knowledge Consistency Checker (KCC) created a connection object between two global catalogs or between a global catalog and a domain controller, but the KCC could not turn the connection object into a replica link because the remote server is not responding.

Possible causes include:

  • The computer is disconnected from the network.
  • DNS could not resolve the server name.
  • The target account could not be found.
  • Access was denied.
  • A database error exists.
User Action

Verify that there is connectivity between the two global catalogs or the global catalog and the domain controller. The KCC will try to create a link automatically the next time it runs.

Related:

Details
Product: Windows Operating System
Event ID: 5719
Source: NetLogon
Version: 5.2
Symbolic Name: NELOG_NetlogonAuthNoDomainController
Message: This computer was not able to set up a secure session with a domain controller in domain %1 due to the following: %2 This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
Explanation

The computer could not connect to the domain controller.

User Action

Do one or more of the following:

  • Review the Windows error code in the original message. This information might help you determine what caused the problem.
  • Verify that general network connectivity is available. For instance, check file shares, network printers, or availability of the Internet to verify that your computer has network connectivity.

Related:

Which ports need to be accessible on a domain controller for clients to log on?

We are currently segmenting our network. We will move the servers to a different subnet from the clients. Of course the clients still need access to the domain controller to authenticate against it.

I found various articles about the ports that need to be accessible between the domain controllers to allow replication, but none about the ports that are important for the clients. I’m pretty sure the client won’t directly access the LDAP database, for example, and I want to reduce the attack surface as much as possible.

So which ports are needed for a client to be able to work with a domain controller?