http://blogs.technet.com/b/ravindrapamidi/THOUGHTS FROM A DIRECTORY SERVICES SUPPORT ENGINEER @ MSen-USTelligent Evolution Platform Developer Build (Build: 5.6.50428.7875)http://blogs.technet.com/b/ravindrapamidi/archive/2009/03/19/kerberos-fallback-to-ntlm.aspxThu, 19 Mar 2009 13:26:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3215342Ravindra Pamidi3http://blogs.technet.com/b/ravindrapamidi/rsscomments.aspx?WeblogPostID=3215342http://blogs.technet.com/b/ravindrapamidi/archive/2009/03/19/kerberos-fallback-to-ntlm.aspx#commentsScenario: Case where NTLM is chosen instead of Kerberos as the authentication protocol and how SPNego Logging was used to trace the source of the problem. Environment: Windows Server 2008 / IIS 7.0 / SharePoint 2007 all running on the same server...(<a href="http://blogs.technet.com/b/ravindrapamidi/archive/2009/03/19/kerberos-fallback-to-ntlm.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3215342" width="1" height="1">Windows 2008KerberosAuthenticationNTLMhttp://blogs.technet.com/b/ravindrapamidi/archive/2009/02/04/dcdiag-ncsecdesc-test-failure-on-windows-2008-domain-controllers-kb-published.aspxWed, 04 Feb 2009 18:41:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3197024Ravindra Pamidi2http://blogs.technet.com/b/ravindrapamidi/rsscomments.aspx?WeblogPostID=3197024http://blogs.technet.com/b/ravindrapamidi/archive/2009/02/04/dcdiag-ncsecdesc-test-failure-on-windows-2008-domain-controllers-kb-published.aspx#commentsWe now have a KB article 967482 published regarding the NcSecDesc error described in my earlier post. Dcdiag fails for NCSecDesc test on Windows 2008 Domain Controllers http://support.microsoft.com/default.aspx?scid=kb;EN-US;967482...(<a href="http://blogs.technet.com/b/ravindrapamidi/archive/2009/02/04/dcdiag-ncsecdesc-test-failure-on-windows-2008-domain-controllers-kb-published.aspx">read more</a>)<img src="http://blogs.technet.com/aggbug.aspx?PostID=3197024" width="1" height="1">http://blogs.technet.com/b/ravindrapamidi/archive/2008/10/15/windows-server-2008-domain-controllers-fail-ncsecdesc-naming-context-security-descriptors-test-when-running-dcdiag.aspxWed, 15 Oct 2008 02:45:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3136580Ravindra Pamidi5http://blogs.technet.com/b/ravindrapamidi/rsscomments.aspx?WeblogPostID=3136580http://blogs.technet.com/b/ravindrapamidi/archive/2008/10/15/windows-server-2008-domain-controllers-fail-ncsecdesc-naming-context-security-descriptors-test-when-running-dcdiag.aspx#comments<SPAN style="FONT-SIZE: 8pt; FONT-FAMILY: 'Verdana','sans-serif'"><SPAN style="FONT-SIZE: 11pt"><FONT face=Calibri> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="mso-fareast-font-family: 'Times New Roman'"><FONT size=3>We are increasingly beginning to see customers&nbsp;calling&nbsp;us regarding the following&nbsp;error . I thought&nbsp;it would be best to blog it for benefit of others.</FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="mso-fareast-font-family: 'Times New Roman'"><FONT size=3></FONT></SPAN>&nbsp;</P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="mso-fareast-font-family: 'Times New Roman'"><FONT size=3><SPAN style="mso-fareast-font-family: 'Times New Roman'"><FONT size=3>Scenario:</FONT></SPAN></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="mso-fareast-font-family: 'Times New Roman'"><FONT size=3><SPAN style="mso-fareast-font-family: 'Times New Roman'"><FONT size=3><?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /><o:p></o:p></FONT></SPAN>&nbsp;<o:p></o:p></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="mso-fareast-font-family: 'Times New Roman'"><FONT size=3>You have a minimum on one Windows 2008 Domain Controller deployed in a Windows 2003 Domain. When you run dcdiag on&nbsp;or against a Windows Server 2008 domain controller, the Naming Context Security Descriptors&nbsp; (NcSecDesc) test fails. The test passes for Windows Server 2003 domain controllers in the same domain.<o:p></o:p></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-FAMILY: 'Times New Roman','serif'; mso-fareast-font-family: 'Times New Roman'"><FONT size=3>&nbsp;<o:p></o:p></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 8pt; FONT-FAMILY: 'Verdana','sans-serif'; mso-fareast-font-family: 'Times New Roman'">&nbsp;</SPAN><SPAN style="FONT-FAMILY: 'Times New Roman','serif'; mso-fareast-font-family: 'Times New Roman'"><o:p></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 8pt; FONT-FAMILY: 'Verdana','sans-serif'; mso-fareast-font-family: 'Times New Roman'">Starting test: NCSecDesc<o:p></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 8pt; FONT-FAMILY: 'Verdana','sans-serif'; mso-fareast-font-family: 'Times New Roman'">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have<o:p></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 8pt; FONT-FAMILY: 'Verdana','sans-serif'; mso-fareast-font-family: 'Times New Roman'">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Replicating Directory Changes In Filtered Set<o:p></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 8pt; FONT-FAMILY: 'Verdana','sans-serif'; mso-fareast-font-family: 'Times New Roman'">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access rights for the naming context:<o:p></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 8pt; FONT-FAMILY: 'Verdana','sans-serif'; mso-fareast-font-family: 'Times New Roman'">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; DC=DomainDnsZones,DC=CONTOSO,DC=COM</SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 8pt; FONT-FAMILY: 'Verdana','sans-serif'; mso-fareast-font-family: 'Times New Roman'">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have<o:p></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 8pt; FONT-FAMILY: 'Verdana','sans-serif'; mso-fareast-font-family: 'Times New Roman'">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Replicating Directory Changes In Filtered Set<o:p></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 8pt; FONT-FAMILY: 'Verdana','sans-serif'; mso-fareast-font-family: 'Times New Roman'">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access rights for the naming context:<o:p></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 8pt; FONT-FAMILY: 'Verdana','sans-serif'; mso-fareast-font-family: 'Times New Roman'">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; DC=ForestDnsZones,DC=CONTOSO,DC=COM</SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 8pt; FONT-FAMILY: 'Verdana','sans-serif'; mso-fareast-font-family: 'Times New Roman'">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ......................... DC2K8001 failed test NCSecDesc</SPAN><SPAN style="FONT-SIZE: 8pt; FONT-FAMILY: 'Times New Roman','serif'; mso-fareast-font-family: 'Times New Roman'"><o:p></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 8pt; FONT-FAMILY: 'Verdana','sans-serif'; mso-fareast-font-family: 'Times New Roman'">&nbsp;</SPAN><SPAN style="FONT-SIZE: 8pt; FONT-FAMILY: 'Times New Roman','serif'; mso-fareast-font-family: 'Times New Roman'"><o:p></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 8pt; FONT-FAMILY: 'Verdana','sans-serif'; mso-fareast-font-family: 'Times New Roman'">&nbsp;</SPAN><SPAN style="FONT-FAMILY: 'Times New Roman','serif'; mso-fareast-font-family: 'Times New Roman'"><o:p></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-SIZE: 8pt; FONT-FAMILY: 'Verdana','sans-serif'; mso-fareast-font-family: 'Times New Roman'"><o:p>&nbsp;</o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="mso-fareast-font-family: 'Times New Roman'"><FONT size=3>If you have not run <B>adprep /rodcprep</B>, dcdiag.exe returns an error when it runs the NCSecDesc test. This test checks that the security descriptors on the naming context heads have appropriate permissions for replication. The error indicates that the Enterprise Domain Controllers group does not have Replicating Directory Changes In Filtered Set access rights for the DNS application directory partitions. <o:p></o:p></FONT></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-FAMILY: 'Verdana','sans-serif'; mso-fareast-font-family: 'Times New Roman'"><o:p><FONT size=3>&nbsp;</FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-FAMILY: 'Verdana','sans-serif'; mso-fareast-font-family: 'Times New Roman'; mso-bidi-font-family: Arial"><o:p><FONT size=3></FONT></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT size=3><SPAN style="mso-fareast-font-family: 'Times New Roman'">If you do not plan to add an RODC to the forest, you can disregard this error. If you plan to add an RODC to the forest, you must run <B>adprep /rodcprep</B>.</SPAN><SPAN style="FONT-FAMILY: 'Times New Roman','serif'; mso-fareast-font-family: 'Times New Roman'"><o:p></o:p></SPAN></FONT></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT size=3><B><SPAN style="COLOR: black; mso-fareast-font-family: 'Times New Roman'; mso-bidi-font-family: Arial; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin"></SPAN></B></FONT>&nbsp;</P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT size=3><B><SPAN style="COLOR: black; mso-fareast-font-family: 'Times New Roman'; mso-bidi-font-family: Arial; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin">More Information:</SPAN></B><SPAN style="mso-fareast-font-family: 'Times New Roman'; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin"><o:p></o:p></SPAN></FONT></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT size=3><B><SPAN style="COLOR: black; mso-fareast-font-family: 'Times New Roman'; mso-bidi-font-family: Arial; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin">&nbsp;</SPAN></B><SPAN style="mso-fareast-font-family: 'Times New Roman'; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin"><o:p></o:p></SPAN></FONT></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT size=3><SPAN>Known Issues for Installing and Removing AD DS<o:p></o:p></SPAN></FONT></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="mso-fareast-font-family: 'Times New Roman'; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin"><A href="http://technet.microsoft.com/en-us/library/cc754463.aspx" mce_href="http://technet.microsoft.com/en-us/library/cc754463.aspx"><SPAN style="COLOR: blue"><FONT size=3>http://technet.microsoft.com/en-us/library/cc754463.aspx</FONT></SPAN></A></SPAN><SPAN style="FONT-SIZE: 11pt; mso-fareast-font-family: 'Times New Roman'; mso-ascii-font-family: Calibri; mso-ascii-theme-font: minor-latin; mso-hansi-font-family: Calibri; mso-hansi-theme-font: minor-latin"><o:p></o:p></SPAN></P> <P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><SPAN style="FONT-FAMILY: 'Times New Roman','serif'; mso-fareast-font-family: 'Times New Roman'"><FONT size=3>&nbsp;</FONT></SPAN></FONT></SPAN></SPAN><SPAN style="FONT-SIZE: 8pt; FONT-FAMILY: 'Verdana','sans-serif'"><o:p></P></o:p></SPAN><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3136580" width="1" height="1">RODCWindows 2008dcdiagNcSecDesc