Windows Server 2008 Domain Controllers Fail NcSecDesc with DCDIAG
One of my friends just introduced a Windows 2008 DC into an existing Windows 2003 domain, following all the prerequisites listed on the TechNet website (http://technet.microsoft.com/en-us/library/cc754670(WS.10).aspx), and succeeded. To make sure, he then ran dcdiag on the Windows Server 2008 domain controller and found that the Naming Context Security Descriptors (NcSecDesc) test fails. The test passes for Windows Server 2003 domain controllers in the same domain.
The error occurs when you don't run adprep /rodcprep while preparing the forest. In his case he did not run the command because he never wanted to implement an RODC in the future.
According to the KB article http://support.microsoft.com/kb/967482:
If you do not plan to add an RODC to the forest, you can disregard this error. If you plan to add an RODC to the forest, you must run adprep /rodcprep.
Conclusion: Please ignore the error if you haven't run adprep /rodcprep. See the log below:
Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn’t have Replicating Directory Changes In Filtered Set access rights for the naming context: DC=DomainDnsZones,DC=Goodies,DC=COM
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn’t have Replicating Directory Changes In Filtered Set access rights for the naming context: DC=ForestDnsZones,DC=Goodies,DC=COM
……………………. Server2k8 failed test NCSecDesc
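A triage sketch for the log above, added here as an example and not taken from the original post or from Microsoft: it parses saved dcdiag output and separates the NCSecDesc error explained by a missing adprep /rodcprep from any other missing right. The function name Get-NcSecDescFinding and the third sample line are assumptions made up for illustration.

```powershell
# Added example: triage NCSecDesc errors from saved dcdiag output.
# $sample is constructed: the first two errors mirror the log on this page,
# the third is a made-up line showing a finding that should not be ignored.
$sample = @'
Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have Replicating Directory Changes In Filtered Set access rights for the naming context: DC=DomainDnsZones,DC=Goodies,DC=COM
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have Replicating Directory Changes In Filtered Set access rights for the naming context: DC=ForestDnsZones,DC=Goodies,DC=COM
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have Replicating Directory Changes All access rights for the naming context: DC=Goodies,DC=COM
......................... Server2k8 failed test NCSecDesc
'@

function Get-NcSecDescFinding {
    param([string[]]$Line)

    # "doesn.t" tolerates both the straight and the typographic apostrophe.
    $pattern = '^\s*Error\s+(?<Trustee>.+?)\s+doesn.t have\s+(?<Right>.+?)' +
               '\s+access rights for the naming context:\s*(?<NC>.+?)\s*$'
    foreach ($l in $Line) {
        if ($l -match $pattern) {
            # The only combination the KB article says can be disregarded
            # when no RODC is planned.
            $rodcGap = ($Matches.Trustee -eq 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS') -and
                       ($Matches.Right -eq 'Replicating Directory Changes In Filtered Set')
            [pscustomobject]@{
                NamingContext = $Matches.NC
                Trustee       = $Matches.Trustee
                MissingRight  = $Matches.Right
                Verdict       = if ($rodcGap) { 'rodcprep not run' } else { 'investigate' }
            }
        }
    }
}

$findings = Get-NcSecDescFinding -Line ($sample -split "`r?`n")
$findings | Format-Table -AutoSize -Wrap

# Warn only when something other than the known rodcprep gap appears.
$other = @($findings | Where-Object Verdict -eq 'investigate')
if ($other.Count -gt 0) {
    Write-Warning "$($other.Count) NCSecDesc error(s) are not explained by a missing adprep /rodcprep."
}
```

To check a real domain controller, replace `$sample` with the text captured from `dcdiag /test:NCSecDesc`.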