DCdiag fails for NCSecDesc test on Windows 2008 Domain Controllers

Ran into this error this morning while running DCdiag on one of our Windows 2008 Domain Controllers.

Starting test: NCSecDesc
        Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
           Replicating Directory Changes In Filtered Set
        access rights for the naming context:
        DC=DomainDnsZones,DC=CONTOSO,DC=COM
        Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
           Replicating Directory Changes In Filtered Set
        access rights for the naming context:
        DC=ForestDnsZones,DC=CONTOSO,DC=COM
        ......................... Contoso-DC1 failed test NCSecDesc

After a little research (Microsoft KB 967482, "Known Issues for Installing and Removing AD DS" and Ravindra Pamidi's blog) I found that the cause of this issue is:

If you have not run adprep /rodcprep, Dcdiag.exe will return an error when it runs the NCSecDesc test. This test checks that the security descriptors on the naming context heads have appropriate permissions for replication. The error indicates that the Enterprise Domain Controllers group does not have Replicating Directory Changes In Filtered Set access rights for the DNS application directory partitions.

So here’s Microsoft’s resolution to the issue:

If you do not plan to add an RODC to the forest, you can disregard this error. If you plan to add an RODC to the forest, you must run adprep /rodcprep.
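The check dcdiag performs, and the fix Microsoft prescribes, as an added PowerShell example (this is not code from the original post or from Microsoft). It reads the security descriptor on the two NC heads named in the error over ADSI, reports whether NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS holds the "Replicating Directory Changes In Filtered Set" control access right on each, and prints the rodcprep command for the partitions that lack it. It uses only [ADSI] / System.DirectoryServices, so it works on Windows Server 2008 without the AD module (which arrived with 2008 R2). Assumptions: the Extended-Rights object is named DS-Replication-Get-Changes-In-Filtered-Set (its rightsGuid is 89e95b76-444d-4c62-991a-0facbeda640c in every forest), Enterprise Domain Controllers is the well-known SID S-1-5-9, and the adprep path refers to a mounted Windows Server 2008 DVD.

```powershell
# Added example, not from the original post: reproduce the NCSecDesc check
# for the two DNS application partitions and point at the remediation.
# Run on a domain-joined machine as a member of Enterprise Admins.

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainNc = $rootDse.defaultNamingContext.Value        # this DC's domain
$rootNc   = $rootDse.rootDomainNamingContext.Value     # forest root domain
$configNc = $rootDse.configurationNamingContext.Value

# Resolve the control access right's GUID from the Extended-Rights container
# rather than hard-coding it (assumed CN; the value is the well-known
# 89e95b76-444d-4c62-991a-0facbeda640c).
$rightObj        = [ADSI]"LDAP://CN=DS-Replication-Get-Changes-In-Filtered-Set,CN=Extended-Rights,$configNc"
$filteredSetGuid = [Guid]$rightObj.rightsGuid.Value

# Well-known SID of NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS.
$edcSid = 'S-1-5-9'

# The two partitions from the dcdiag output. ForestDnsZones hangs off the
# forest root domain, DomainDnsZones off the domain being checked.
$partitions = @(
    "DC=DomainDnsZones,$domainNc",
    "DC=ForestDnsZones,$rootNc"
)

function Test-FilteredSetRight {
    param([string]$NamingContext)

    $ncHead = [ADSI]"LDAP://$NamingContext"
    # GetAccessRules(includeExplicit, includeInherited, identity type)
    $rules = $ncHead.ObjectSecurity.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -ne $edcSid) { continue }
        if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        # Control access rights are ACEs carrying ADS_RIGHT_DS_CONTROL_ACCESS
        # (ExtendedRight) whose ObjectType names the right. An ObjectType of
        # all zeros grants every extended right, so it satisfies the check too.
        $isCtrlAccess = ($rule.ActiveDirectoryRights -band
                         [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
        if (-not $isCtrlAccess) { continue }
        if ($rule.ObjectType -eq $filteredSetGuid -or $rule.ObjectType -eq [Guid]::Empty) {
            return $true
        }
    }
    return $false
}

$missing = @()
foreach ($nc in $partitions) {
    if (Test-FilteredSetRight -NamingContext $nc) {
        Write-Host "OK       $nc"
    } else {
        Write-Host "MISSING  $nc"
        $missing += $nc
    }
}

if ($missing.Count -eq 0) {
    Write-Host "Enterprise Domain Controllers holds the right on both partitions; NCSecDesc should pass."
} else {
    Write-Host ""
    Write-Host "This is the condition dcdiag's NCSecDesc test reports. Ignore it unless you plan"
    Write-Host "to add a read-only domain controller. To clear it, as Enterprise Admins, run"
    Write-Host "rodcprep from the Windows Server 2008 media (forestprep must already be done):"
    Write-Host "    <dvd>:\sources\adprep\adprep.exe /rodcprep"
    Write-Host "then re-run just this test:   dcdiag /test:NCSecDesc"
}
```

Two practical caveats. adprep /rodcprep can be run from any computer in the forest, but it updates each application partition by contacting that partition's infrastructure master; if the role owner recorded in the partition still points at a DC that has since been demoted or removed, rodcprep fails for that partition and the NCSecDesc error stays until the role is seized on a live DC. And the right it grants is a replication-read right on the RODC filtered attribute set for writable DCs, so leaving it absent changes nothing in a forest with no RODCs, which is why Microsoft says the error can be disregarded.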

So here we are again… another warning message because I’m not using a “feature” of the product!

Additional Note:

This warning is not limited to upgraded forests: it appears on any Windows Server 2008 domain controller with Active Directory installed in Windows 2003 mode (i.e. a default Windows 2008 domain).

That could be a forest with a single Windows Server 2008 domain controller, one with only Windows Server 2008 domain controllers, or a mix of Windows Server 2008 and 2003 domain controllers. The common factor in all three cases is that adprep /rodcprep has never been run, which is exactly what the NCSecDesc test checks for.

Posted by Brian 11/07/2009 Categories: Support System Administration Windows