

Dcdiag fails for NCSecDesc test on Windows 2008 Domain Controllers

Brief Introduction of Dcdiag in Windows Server 2008 and Windows Server 2008 R2 servers:

Dcdiag lets you test the functional state of your Domain Controllers within your domain environment for troubleshooting and health checks. Dcdiag is a command-line tool that writes the results of its tests to the command prompt. You can add parameters to the Dcdiag command line for deeper troubleshooting of domain functionality. Dcdiag is built into the above versions; in prior versions you had to install it from the Support Tools.

Common test that you might see fail in Dcdiag:

When you run dcdiag on Windows 2008 servers you might see the error below. It looks like you have major problems with your domain, but this error doesn't actually impact you in any way unless you plan to use Read-Only Domain Controllers (RODC).

Starting test: NCSecDesc


           Replicating Directory Changes In Filtered Set

        access rights for the naming context:



           Replicating Directory Changes In Filtered Set

        access rights for the naming context:


        ......................... Domain.com-DC1 failed test NCSecDesc

The error states that you have failed part of the dcdiag test, but the failed part of the test only matters for Read-Only Domain Controller (RODC) use. RODC is a new feature in Windows Server 2008 that requires Domain Schema prep using adprep or adprep32 with the /rodcprep switch.

If you haven't run /rodcprep, you will get this failed portion every time you run dcdiag. There is currently no way to bypass this part of the dcdiag test, so you can either live with the failed portion, which many admins including myself do, or run /rodcprep, which adds the appropriate security descriptors to the naming heads.

If you don't plan to use RODCs, you can safely ignore this error in your dcdiag.
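Because the test cannot be bypassed, a habit of ignoring every NCSecDesc failure can hide a different missing access right. The PowerShell below is an added example, not part of the original article or of dcdiag: it parses NCSecDesc output and reports whether the only missing right is the RODC-related one described above. The function name `Get-NCSecDescFinding`, the verdict labels and the sample text (constructed from the excerpt above) are assumptions.

```powershell
# Added example: Get-NCSecDescFinding is a hypothetical helper, not part of dcdiag.
function Get-NCSecDescFinding {
    param([string[]]$Lines)   # not Mandatory: dcdiag output contains blank lines

    $rodcRight = 'Replicating Directory Changes In Filtered Set'
    $inTest = $false; $failed = $false
    $prev = $null             # last non-blank line seen inside the test
    $missing = @()            # access rights reported as missing

    foreach ($raw in $Lines) {
        $line = "$raw".Trim()
        if ($line -match '^Starting test:\s*NCSecDesc') { $inTest = $true; $prev = $null; continue }
        if (-not $inTest -or $line -eq '') { continue }
        if ($line -match '^Starting test:') { $inTest = $false; continue }
        if ($line -match '^access rights for the naming context') {
            # The name of the right is the non-blank line just above this one
            if ($prev) { $missing += $prev }
        } elseif ($line -match '(passed|failed) test NCSecDesc$') {
            $failed = ($Matches[1] -eq 'failed'); $inTest = $false
        }
        $prev = $line
    }

    # Any missing right other than the RODC one needs a closer look
    $other = @($missing | Where-Object { $_ -ne $rodcRight })
    if (-not $failed) { $verdict = 'Passed' }
    elseif ($missing.Count -gt 0 -and $other.Count -eq 0) { $verdict = 'RodcPrepOnly' }
    else { $verdict = 'Investigate' }
    [pscustomobject]@{ Verdict = $verdict; MissingRights = $missing; Unexpected = $other }
}

# Constructed sample based on the excerpt above (naming-context lines omitted, as in the excerpt)
$sample = @'
Starting test: NCSecDesc
   Replicating Directory Changes In Filtered Set
   access rights for the naming context:

   Replicating Directory Changes In Filtered Set
   access rights for the naming context:
   ......................... Domain.com-DC1 failed test NCSecDesc
'@ -split "`r?`n"

Get-NCSecDescFinding -Lines $sample
# Live use on a domain controller: Get-NCSecDescFinding -Lines (dcdiag /test:NCSecDesc)
```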

Additional information on this error:

