Ravindra Pamidi's Blog

THOUGHTS FROM A DIRECTORY SERVICES SUPPORT ENGINEER @ MS

Windows Server 2008 Domain Controllers fail NcSecDesc (Naming Context Security Descriptors) test when dcdiag is run


We are increasingly seeing customers call us about the following error, so I thought it best to blog it for the benefit of others.

Scenario:

You have at least one Windows Server 2008 domain controller deployed in a Windows Server 2003 domain. When you run dcdiag on or against a Windows Server 2008 domain controller, the Naming Context Security Descriptors (NcSecDesc) test fails. The test passes for Windows Server 2003 domain controllers in the same domain.

Starting test: NCSecDesc
        Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
           Replicating Directory Changes In Filtered Set
        access rights for the naming context:
        DC=DomainDnsZones,DC=CONTOSO,DC=COM
        Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
           Replicating Directory Changes In Filtered Set
        access rights for the naming context:
        DC=ForestDnsZones,DC=CONTOSO,DC=COM
        ......................... DC2K8001 failed test NCSecDesc

If you have not run adprep /rodcprep, dcdiag.exe returns an error when it runs the NCSecDesc test. This test checks that the security descriptors on the naming context heads have appropriate permissions for replication. The error indicates that the Enterprise Domain Controllers group does not have Replicating Directory Changes In Filtered Set access rights for the DNS application directory partitions.


If you do not plan to add an RODC to the forest, you can disregard this error. If you plan to add an RODC to the forest, you must run adprep /rodcprep.
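The NCSecDesc check can be reproduced outside dcdiag, which is useful when you want to confirm the state of each DNS application partition before and after running adprep /rodcprep. The following read-only PowerShell script is an added example, not part of the original post or of Microsoft's tooling; it assumes the ActiveDirectory module from RSAT (which provides the AD: drive) and that the forest schema already contains the "Replicating Directory Changes In Filtered Set" extended right (added by adprep /forestprep for Windows Server 2008). It looks the right's GUID up in the forest's own Extended-Rights container instead of hard-coding it, then reports whether NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS (well-known SID S-1-5-9) is granted that right on every application partition.

```powershell
# Added example (not from the original post): report whether ENTERPRISE DOMAIN CONTROLLERS
# holds "Replicating Directory Changes In Filtered Set" on each application partition,
# which is what the dcdiag NCSecDesc test verifies. Read-only; it changes no ACLs.
# Assumes the RSAT ActiveDirectory module and its AD: PSDrive.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$configNc = $rootDse.configurationNamingContext

# Resolve the extended right's GUID from the forest's Extended-Rights container.
$right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" `
    -LDAPFilter '(displayName=Replicating Directory Changes In Filtered Set)' `
    -Properties rightsGuid
if (-not $right) {
    throw 'Extended right not found: the forest schema predates Windows Server 2008 (run adprep /forestprep first).'
}
$rightGuid = [guid]$right.rightsGuid

# Well-known SID for NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS.
$edcSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-9'

# DomainDnsZones / ForestDnsZones (and any custom application partitions) live here.
$partitions = (Get-ADForest).ApplicationPartitions

foreach ($dn in $partitions) {
    $acl = Get-Acl -Path "AD:\$dn"

    # An ACE satisfies the check only if it is an Allow ACE for the extended-right
    # bit, scoped to this specific right's GUID, for the Enterprise DCs SID.
    $matching = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $_.ObjectType -eq $rightGuid -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $edcSid
    }

    [pscustomobject]@{
        NamingContext                     = $dn
        EnterpriseDCsHaveFilteredSetRight = [bool]$matching
    }
}
```

A partition that reports False here is exactly the one dcdiag lists as failing NCSecDesc; after adprep /rodcprep is run and has replicated, re-running the script should show True for every partition. Because the script only reads the ACLs it can be run from any domain-joined machine with RSAT by an ordinary authenticated user.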


More Information:

Known Issues for Installing and Removing AD DS
http://technet.microsoft.com/en-us/library/cc754463.aspx

Comments
  • Makes Perfect sense.  Many Thanks.

  • Excellent thanks, just one point needs clarifying.

    This bug is for any Windows Server 2008 domain controller whose Active Directory is installed in Windows 2003 mode, ie a default Windows 2008 domain.

    That could be a single Windows 2008 Server domain, only Windows 2008 domain or a mix of Windows 2008/2003.

    I had to read it twice as I couldn't believe something as simple and critical as DCDIAG would be delivered bugged.

  • Hi Geedoubleu

    Dcdiag bundled with Windows Server 2008 and the RSAT tools for Vista has the functionality to check the permissions on the application partitions (in this case DomainDNSZones and ForestDNSZones) for the required permissions. If these are not present, it flags them accordingly. This is by design and not a deviation from the intended behavior.

  • Thanks for this update.

    It was definitely helpful in a situation I came into.

  • Thanks for the update, it is very useful.
