A. The ForestDNSZones directory partition is replicated among all domain controllers (DCs) in a forest that have the DNS service installed. When you replicate ForestDNSZones, you might see an error message similar to the following (the error-message text is enclosed in quotes):
Event Source: NTDS KCC
Event Category: Knowledge Consistency Checker
Event ID: 1311
Time: 10:43:45 AM
User: NT AUTHORITY\ANONYMOUS LOGON
The Knowledge Consistency Checker (KCC) has detected problems
with the following directory partition.
There is insufficient site connectivity information in
Active Directory Sites and Services for the KCC to create
a spanning tree replication topology. Or, one or more domain
controllers with this directory partition are unable to
replicate the directory partition information. This is probably
due to inaccessible domain controllers.
Use Active Directory Sites and Services to perform one of
the following actions:
- Publish sufficient site connectivity information so that
the KCC can determine a route by which this directory partition
can reach this site. This is the preferred option.
- Add a Connection object to a domain controller that contains
the directory partition in this site from a domain controller
that contains the same directory partition in another site.
If neither of the Active Directory Sites and Services tasks
correct this condition, see previous events logged by the KCC
that identify the inaccessible domain controllers.
For more information, see Help and Support Center at
This error can occur when you have several sites that don't have a site link between them, site-link bridging is disabled (and no site-link bridge has been manually created), and some sites have a DC that runs DNS and is connected to a site that has DCs that don't run DNS. The ForestDNSZones partition, which replicates only between DCs that have DNS installed, can't replicate across the DCs that don't have DNS installed. The figure shows a scenario in which this problem will occur. The error appears on DCs in sites A and C, assuming that no DCs in site B have DNS installed, site-link bridging is disabled, and no site-link bridge was manually created.
To solve this problem, you must either create a site-link bridge between sites A and C or, if sites A and C aren't connected because of routing restrictions, install DNS on a DC in the central site (B). Using either method allows replication through the DC in site B. You don't need to configure any zones on the DC; merely having DNS installed is enough to add the DC to the ForestDNSZones partition's replication set.
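The reachability rule behind this error can be checked with a small model. The following is an added example, not part of the original answer and not Microsoft's KCC code: it is a simplified sketch that ignores link costs and schedules, and the function names and the A/B/C topology are constructed for illustration.

```python
def _components(nodes, edges):
    """Connected components of an undirected graph (union-find)."""
    parent = {n: n for n in nodes}

    def find(n):
        while parent[n] != n:
            parent[n] = parent[parent[n]]
            n = parent[n]
        return n

    for a, b in edges:
        parent[find(a)] = find(b)
    groups = {}
    for n in nodes:
        groups.setdefault(find(n), set()).add(n)
    return list(groups.values())


def replication_islands(site_links, hosting, bridge_all=False, bridges=()):
    """Group the sites that host a partition into sets that can replicate.

    site_links: {link name: set of site names}
    hosting:    sites with at least one DC holding the partition
    bridge_all: True when all site links are bridged (transitive)
    bridges:    manually created site-link bridges, each a set of link names
    More than one group returned means the topology is split (Event ID 1311).
    """
    hosting = set(hosting)
    # Site links are transitive only inside one of these groups.
    if bridge_all:
        groups = [set(site_links)]
    else:
        groups = [{name} for name in site_links] + [set(b) for b in bridges]
    edges = []
    for group in groups:
        sites = set().union(*(site_links[name] for name in group))
        link_edges = [(min(site_links[n]), s) for n in group for s in site_links[n]]
        for comp in _components(sites, link_edges):
            # Hosting sites inside one transitive component can be connected.
            reach = sorted(comp & hosting)
            edges += [(reach[0], s) for s in reach[1:]]
    return sorted(sorted(c) for c in _components(hosting, edges))


# Constructed topology matching the scenario: A -- B -- C, DNS only in A and C.
LINKS = {"A-B": {"A", "B"}, "B-C": {"B", "C"}}

if __name__ == "__main__":
    print(replication_islands(LINKS, {"A", "C"}))                       # split
    print(replication_islands(LINKS, {"A", "C"}, bridges=[{"A-B", "B-C"}]))
    print(replication_islands(LINKS, {"A", "B", "C"}))                  # DNS on B
```

A result with two groups corresponds to the failing case; either fix described above collapses it to a single group.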