We are increasingly beginning to see customers calling us regarding the following error . I thought it would be best to blog it for benefit of others.
You have a minimum on one Windows 2008 Domain Controller deployed in a Windows 2003 Domain. When you run dcdiag on or against a Windows Server 2008 domain controller, the Naming Context Security Descriptors (NcSecDesc) test fails. The test passes for Windows Server 2003 domain controllers in the same domain.
Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
......................... DC2K8001 failed test NCSecDesc
If you have not run adprep /rodcprep, dcdiag.exe returns an error when it runs the NCSecDesc test. This test checks that the security descriptors on the naming context heads have appropriate permissions for replication. The error indicates that the Enterprise Domain Controllers group does not have Replicating Directory Changes In Filtered Set access rights for the DNS application directory partitions.
If you do not plan to add an RODC to the forest, you can disregard this error. If you plan to add an RODC to the forest, you must run adprep /rodcprep.
Known Issues for Installing and Removing AD DS
Makes Perfect sense. Many Thanks.
Excellent thanks, just one point needs clarifying.
This bug is for any Windows Server 2008 domain controller whose Active Directory is installed in Windows 2003 mode, ie a default Windows 2008 domain.
That could be a single Windows 2008 Server domain, only Windows 2008 domain or a mix of Windows 2008/2003.
I had to read it twice as I couldn't believe something as simple and critical as DCDIAG would be delivered bugged.
Dcdiag bundled with Windows server 2008 and RSAT tools for Vista has the functionality to check the permissions on the Application paritions (in this case DomainDNSZones and ForestDNSZones) for required permissions. If these are not present it flags them accordingly. This is by design and not a deviation from the intended behavior.
Thanks for this update.
It was definitely helpful in a situation I came into.
Thanks for update it is very useful