Ravindra Pamidi's BlogTHOUGHTS FROM A DIRECTORY SERVICES SUPPORT ENGINEER @ MShttp://blogs.technet.com/b/ravindrapamidi/atom.aspxTelligent Evolution Platform Developer Build (Build: 5.6.50428.7875)2008-10-15T00:45:00ZKerberos fallback to NTLMhttp://blogs.technet.com/b/ravindrapamidi/archive/2009/03/19/kerberos-fallback-to-ntlm.aspx2009-03-19T13:26:00Z2009-03-19T13:26:00ZScenario: Case where NTLM is chosen instead of Kerberos as the authentication protocol and how SPNego Logging was used to trace the source of the problem.
Environment: Windows Server 2008 / IIS 7.0 / SharePoint 2007 all running on the same server.
All the App pools on IIS are running under the identity of a single service account which is part of apac.contoso.com domain where the IIS webserver is located.
FQDN of Web server: Websrv1.apac.contoso.com
The default website on...(<a href="http://blogs.technet.com/b/ravindrapamidi/archive/2009/03/19/kerberos-fallback-to-ntlm.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3215342" width="1" height="1">Ravindra Pamidihttp://blogs.technet.com/ravindrapamidi/ProfileUrlRedirect.ashxDcdiag NcSecDesc test failure on Windows 2008 Domain Controllers KB publishedhttp://blogs.technet.com/b/ravindrapamidi/archive/2009/02/04/dcdiag-ncsecdesc-test-failure-on-windows-2008-domain-controllers-kb-published.aspx2009-02-04T18:41:00Z2009-02-04T18:41:00ZWe now have a KB article 967482 published regarding the NcSecDesc error described in my earlier post.
Dcdiag fails for NCSecDesc test on Windows 2008 Domain Controllers http://support.microsoft.com/default.aspx?scid=kb;EN-US;967482...(<a href="http://blogs.technet.com/b/ravindrapamidi/archive/2009/02/04/dcdiag-ncsecdesc-test-failure-on-windows-2008-domain-controllers-kb-published.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3197024" width="1" height="1">Ravindra Pamidihttp://blogs.technet.com/ravindrapamidi/ProfileUrlRedirect.ashxWindows Server 2008 Domain Controllers fail NcSecDesc (Naming Context Security Descriptors) test when dcdiag is runhttp://blogs.technet.com/b/ravindrapamidi/archive/2008/10/15/windows-server-2008-domain-controllers-fail-ncsecdesc-naming-context-security-descriptors-test-when-running-dcdiag.aspx2008-10-15T02:45:00Z2008-10-15T02:45:00Z<SPAN style="FONT-SIZE: 8pt; FONT-FAMILY: 'Verdana','sans-serif'"><SPAN style="FONT-SIZE: 11pt"><FONT face=Calibri>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="mso-fareast-font-family: 'Times New Roman'"><FONT size=3>We are increasingly beginning to see customers calling us regarding the following error . I thought it would be best to blog it for benefit of others.</FONT></SPAN></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="mso-fareast-font-family: 'Times New Roman'"><FONT size=3></FONT></SPAN> </P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="mso-fareast-font-family: 'Times New Roman'"><FONT size=3><SPAN style="mso-fareast-font-family: 'Times New Roman'"><FONT size=3>Scenario:</FONT></SPAN></FONT></SPAN></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="mso-fareast-font-family: 'Times New Roman'"><FONT size=3><SPAN style="mso-fareast-font-family: 'Times New Roman'"><FONT size=3><?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /><o:p></o:p></FONT></SPAN> <o:p></o:p></FONT></SPAN></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="mso-fareast-font-family: 'Times New Roman'"><FONT size=3>You have a minimum on one Windows 2008 Domain Controller deployed in a Windows 2003 Domain. When you run dcdiag on or against a Windows Server 2008 domain controller, the Naming Context Security Descriptors (NcSecDesc) test fails. The test passes for Windows Server 2003 domain controllers in the same domain.<o:p></o:p></FONT></SPAN></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-FAMILY: 'Times New Roman','serif'; mso-fareast-font-family: 'Times New Roman'"><FONT size=3> <o:p></o:p></FONT></SPAN></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 8pt; FONT-FAMILY: 'Verdana','sans-serif'; mso-fareast-font-family: 'Times New Roman'"> </SPAN><SPAN style="FONT-FAMILY: 'Times New Roman','serif'; mso-fareast-font-family: 'Times New Roman'"><o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 8pt; FONT-FAMILY: 'Verdana','sans-serif'; mso-fareast-font-family: 'Times New Roman'">Starting test: NCSecDesc<o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 8pt; FONT-FAMILY: 'Verdana','sans-serif'; mso-fareast-font-family: 'Times New Roman'"> Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have<o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 8pt; FONT-FAMILY: 'Verdana','sans-serif'; mso-fareast-font-family: 'Times New Roman'"> Replicating Directory Changes In Filtered Set<o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 8pt; FONT-FAMILY: 'Verdana','sans-serif'; mso-fareast-font-family: 'Times New Roman'"> access rights for the naming context:<o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 8pt; FONT-FAMILY: 'Verdana','sans-serif'; mso-fareast-font-family: 'Times New Roman'"> DC=DomainDnsZones,DC=CONTOSO,DC=COM</SPAN></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 8pt; FONT-FAMILY: 'Verdana','sans-serif'; mso-fareast-font-family: 'Times New Roman'"> Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have<o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 8pt; FONT-FAMILY: 'Verdana','sans-serif'; mso-fareast-font-family: 'Times New Roman'"> Replicating Directory Changes In Filtered Set<o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 8pt; FONT-FAMILY: 'Verdana','sans-serif'; mso-fareast-font-family: 'Times New Roman'"> access rights for the naming context:<o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 8pt; FONT-FAMILY: 'Verdana','sans-serif'; mso-fareast-font-family: 'Times New Roman'"> DC=ForestDnsZones,DC=CONTOSO,DC=COM</SPAN></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 8pt; FONT-FAMILY: 'Verdana','sans-serif'; mso-fareast-font-family: 'Times New Roman'"> ......................... DC2K8001 failed test NCSecDesc</SPAN><SPAN style="FONT-SIZE: 8pt; FONT-FAMILY: 'Times New Roman','serif'; mso-fareast-font-family: 'Times New Roman'"><o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 8pt; FONT-FAMILY: 'Verdana','sans-serif'; mso-fareast-font-family: 'Times New Roman'"> </SPAN><SPAN style="FONT-SIZE: 8pt; FONT-FAMILY: 'Times New Roman','serif'; mso-fareast-font-family: 'Times New Roman'"><o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 8pt; FONT-FAMILY: 'Verdana','sans-serif'; mso-fareast-font-family: 'Times New Roman'"> </SPAN><SPAN style="FONT-FAMILY: 'Times New Roman','serif'; mso-fareast-font-family: 'Times New Roman'"><o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 8pt; FONT-FAMILY: 'Verdana','sans-serif'; mso-fareast-font-family: 'Times New Roman'"><o:p> </o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="mso-fareast-font-family: 'Times New Roman'"><FONT size=3>If you have not run <B>adprep /rodcprep</B>, dcdiag.exe returns an error when it runs the NCSecDesc test. This test checks that the security descriptors on the naming context heads have appropriate permissions for replication. The error indicates that the Enterprise Domain Controllers group does not have Replicating Directory Changes In Filtered Set access rights for the DNS application directory partitions. <o:p></o:p></FONT></SPAN></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-FAMILY: 'Verdana','sans-serif'; mso-fareast-font-family: 'Times New Roman'"><o:p><FONT size=3> </FONT></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-FAMILY: 'Verdana','sans-serif'; mso-fareast-font-family: 'Times New Roman'; mso-bidi-font-family: Arial"><o:p><FONT size=3></FONT></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT size=3><SPAN style="mso-fareast-font-family: 'Times New Roman'">If you do not plan to add an RODC to the forest, you can disregard this error. If you plan to add an RODC to the forest, you must run <B>adprep /rodcprep</B>.</SPAN><SPAN style="FONT-FAMILY: 'Times New Roman','serif'; mso-fareast-font-family: 'Times New Roman'"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT size=3><B><SPAN style="COLOR: black; mso-fareast-font-family: 'Times New Roman'; mso-bidi-font-family: Arial; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin"></SPAN></B></FONT> </P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT size=3><B><SPAN style="COLOR: black; mso-fareast-font-family: 'Times New Roman'; mso-bidi-font-family: Arial; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin">More Information:</SPAN></B><SPAN style="mso-fareast-font-family: 'Times New Roman'; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT size=3><B><SPAN style="COLOR: black; mso-fareast-font-family: 'Times New Roman'; mso-bidi-font-family: Arial; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin"> </SPAN></B><SPAN style="mso-fareast-font-family: 'Times New Roman'; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin"><o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT size=3><SPAN>Known Issues for Installing and Removing AD DS<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="mso-fareast-font-family: 'Times New Roman'; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin"><A href="http://technet.microsoft.com/en-us/library/cc754463.aspx" mce_href="http://technet.microsoft.com/en-us/library/cc754463.aspx"><SPAN style="COLOR: blue"><FONT size=3>http://technet.microsoft.com/en-us/library/cc754463.aspx</FONT></SPAN></A></SPAN><SPAN style="FONT-SIZE: 11pt; mso-fareast-font-family: 'Times New Roman'; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin"><o:p></o:p></SPAN></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-FAMILY: 'Times New Roman','serif'; mso-fareast-font-family: 'Times New Roman'"><FONT size=3> </FONT></SPAN></FONT></SPAN></SPAN><SPAN style="FONT-SIZE: 8pt; FONT-FAMILY: 'Verdana','sans-serif'"><o:p></P></o:p></SPAN><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3136580" width="1" height="1">Ravindra Pamidihttp://blogs.technet.com/ravindrapamidi/ProfileUrlRedirect.ashx