Force KCC (Knowledge Consistency Checker) to run on a domain controller

Sometimes after demoting domain controllers you may be left with inconsistent NTDS connection objects in Active Directory. In my case there was an NTDS connection object listed under one of the domain controllers at our central site which referenced a recently demoted domain controller at a remote site. I needed an NTDS connection object pointing to the newly installed DC at the remote site instead. To fix this, I simply deleted the incorrect NTDS connection object in the ‘Sites and Services’ console, from the central site domain controller, and then forced KCC to run on the same domain controller by running:

repadmin /kcc

This forces the domain controller that you run the command on to check its inbound replication topology immediately and generate any missing connections. After running this command, a new NTDS connection object was generated from the new DC at the remote site. This can be verified either by checking under the domain controller's NTDS Settings in the ‘Sites and Services’ console or by running:

repadmin /showrepl
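
The same fix-and-verify sequence can be scripted. The following is an added example, not part of the original post: it forces the KCC, then reads the CSV form of `repadmin /showrepl` to confirm that no inbound partner still points at the demoted DC and that the new one is present. `OLD-DC01` and `NEW-DC01` are placeholder names; run it on the domain controller whose connection object was deleted.

```powershell
# Added example; OLD-DC01 and NEW-DC01 are placeholder names, not from the post.
param(
    [string]$DemotedDc = 'OLD-DC01',  # placeholder: the demoted DC
    [string]$NewDc     = 'NEW-DC01'   # placeholder: its replacement
)

# Have the local KCC recalculate its inbound replication topology.
repadmin /kcc | Out-Null
if ($LASTEXITCODE -ne 0) { throw "repadmin /kcc exited with code $LASTEXITCODE" }

# /csv emits one row per inbound partner and naming context.
$rows = @(repadmin /showrepl /csv | ConvertFrom-Csv)
if ($rows.Count -eq 0) { throw 'repadmin /showrepl /csv returned no rows' }

$stale   = @($rows | Where-Object { $_.'Source DSA' -eq $DemotedDc })
$fresh   = @($rows | Where-Object { $_.'Source DSA' -eq $NewDc })
$failing = @($rows | Where-Object { [int]$_.'Number of Failures' -gt 0 })

$problems = 0
if ($stale.Count -gt 0) {
    Write-Warning "$($stale.Count) inbound link(s) still reference $DemotedDc"
    $problems++
}
if ($fresh.Count -eq 0) {
    Write-Warning "No inbound link from $NewDc yet; the KCC has not created one"
    $problems++
}
foreach ($r in $failing) {
    Write-Warning ("{0} <- {1}: {2} failure(s), last status {3}" -f `
        $r.'Naming Context', $r.'Source DSA',
        $r.'Number of Failures', $r.'Last Failure Status')
    $problems++
}

# Summary of every inbound partner for a quick visual check.
$rows | Sort-Object 'Source DSA', 'Naming Context' |
    Format-Table 'Source DSA', 'Naming Context',
                 'Number of Failures', 'Last Success Time' -AutoSize

if ($problems -gt 0) { exit 1 }
```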


Event ID 5153 Source WAS after IIS install on a Windows Server 2008 DC

I ran into this issue today while installing WSUS components on a new branch office Windows Server 2008 Domain Controller. After installing the WSUS role I spotted a warning in the event log as follows:

Event 5153 Source WAS

This error occurs when you promote a Windows 2008 Server to become a domain controller in a domain that is lower than 2008 functional level, and the server is also running IIS. Fortunately, this is documented in Microsoft KB 946139 and the fix is simple.

Copy and paste the text for the script given in the KB article into Notepad and save the file as samupgrade.js. Then, from the command line, run:

cscript samupgrade.js

The output is shown below:

Sam Upgrade Task Output

Reboot the server and you’re done.