Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. Dcdiag fails for NCSecDesc test on Windows 2008 Domain Controllers

Dcdiag fails for NCSecDesc test on Windows 2008 Domain Controllers

View products that this article applies to.

Source: Microsoft Support

↑ Back to the top

Rapid publishing

RAPID PUBLISHING ARTICLES PROVIDE INFORMATION DIRECTLY FROM WITHIN THE MICROSOFT SUPPORT ORGANIZATION. THE INFORMATION CONTAINED HEREIN IS CREATED IN RESPONSE TO EMERGING OR UNIQUE TOPICS, OR IS INTENDED SUPPLEMENT OTHER KNOWLEDGE BASE INFORMATION.

↑ Back to the top

Symptom



When you run DCDIAG on a Windows Server 2008 Domain Controller the process might fail the Naming Context Security Descriptors Test (NcSecDesc), and you may see a message similar to the following:





Starting test: NCSecDesc

������� Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have

���������� Replicating Directory Changes In Filtered Set

������� access rights for the naming context:

������� DC=DomainDnsZones,DC=CONTOSO,DC=COM

������� Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have

���������� Replicating Directory Changes In Filtered Set

������� access rights for the naming context:

������� DC=ForestDnsZones,DC=CONTOSO,DC=COM

������� ......................... Contoso-DC1 failed test NCSecDesc

↑ Back to the top

Cause



If you have not run adprep/rodcprep, Dcdiag.exe will return an error when it runs the NCSecDesc test. This test checks that the security descriptors on the naming context heads have appropriate permissions for replication. The error indicates that the Enterprise Domain Controllers group does not have Replicating Directory Changes In Filtered Set access rights for the DNS application directory partitions.

↑ Back to the top

Resolution



If you do not plan to add an RODC to the forest, you can disregard this error. If you plan to add an RODC to the forest, you must run adprep /rodcprep.

↑ Back to the top

More information



For more information, see the document �Known Issues for Installing and Removing AD DS� at the following Microsoft Web site: http://technet.microsoft.com/en-us/library/cc754463.aspx





↑ Back to the top

Disclaimer

MICROSOFT AND/OR ITS SUPPLIERS MAKE NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY, RELIABILITY OR ACCURACY OF THE INFORMATION CONTAINED IN THE DOCUMENTS AND RELATED GRAPHICS PUBLISHED ON THIS WEBSITE (THE �MATERIALS�) FOR ANY PURPOSE. THE MATERIALS MAY INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS AND MAY BE REVISED AT ANY TIME WITHOUT NOTICE.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MICROSOFT AND/OR ITS SUPPLIERS DISCLAIM AND EXCLUDE ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO REPRESENTATIONS, WARRANTIES, OR CONDITIONS OF TITLE, NON INFRINGEMENT, SATISFACTORY CONDITION OR QUALITY, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE MATERIALS.

↑ Back to the top

Keywords: KB967482, kbrapidpub, kbnomt

↑ Back to the top

Article Info
Article ID : 967482
Revision : 1
Created on : 2/3/2009
Published on : 2/3/2009
Exists online : False
Views : 401