Dcdiag fails for NCSecDesc test on Windows 2008 Domain Controllers

Brief introduction to Dcdiag on Windows Server 2008 and Windows Server 2008 R2:

Dcdiag lets you test the functional state of your Domain Controllers within your domain environment for troubleshooting and health-check procedures. It is a command-line tool that writes the results of its tests to the command prompt. You can add parameters (and syntax to those parameters) to the Dcdiag command line for deeper troubleshooting of domain functionality. Dcdiag is built into the above versions, unlike prior versions, where you had to install it from the Support Tools.

A common test that you might see "fail" in a Dcdiag run:

When you run dcdiag on Windows Server 2008 servers, you might see the error below. It looks as though you have major problems with your domain, but in fact this error does not impact you in any way unless you plan to use Read-Only Domain Controllers (RODCs).

Starting test: NCSecDesc
        Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
           Replicating Directory Changes In Filtered Set
        access rights for the naming context:
        DC=DomainDnsZones,DC=DOMAIN,DC=COM
        Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
           Replicating Directory Changes In Filtered Set
        access rights for the naming context:
        DC=ForestDnsZones,DC=DOMAIN,DC=COM
        ......................... Domain.com-DC1 failed test NCSecDesc

The error actually states that you have failed part of the dcdiag test, but the failed part of the test only matters for Read-Only Domain Controllers (RODCs). RODC is a new feature in Windows Server 2008 that requires a domain schema prep, done by running adprep (or adprep32) with the /rodcprep switch.

If you haven't run /rodcprep, you will get this failed portion every time you run dcdiag. There is currently no way to bypass this part of the dcdiag test, so you can either live with the failed portions of the output, which many admins, including myself, do, or run /rodcprep, which adds the appropriate security descriptors to the naming context heads.

If you don't plan on using RODCs, you can safely ignore this error in your dcdiag output.
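The check below is an added example, not part of the original article: it runs only the NCSecDesc test against one DC (or, with -UseSampleOutput, against a constructed copy of the output quoted above), pairs each missing right with its naming context, and tells the benign "no /rodcprep yet" case apart from NCSecDesc failures involving other rights. It then looks up whether any RODC already exists, because the same error stops being harmless once an RODC depends on replicating those partitions. It assumes dcdiag.exe is on the PATH and, for the RODC lookup, that the ActiveDirectory module is installed; the sample output, the DOMAIN-DC1 name and the script parameters are constructed for the example.

```powershell
# Added example (not the article's own code): classify an NCSecDesc failure.
param(
    [string]$DomainController = $env:COMPUTERNAME,
    [switch]$UseSampleOutput   # run offline against the constructed sample below
)

$RodcRight = 'Replicating Directory Changes In Filtered Set'

# Constructed sample, modelled on the dcdiag output quoted in the article.
$sampleOutput = @'
Starting test: NCSecDesc
   Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
      Replicating Directory Changes In Filtered Set
   access rights for the naming context:
   DC=DomainDnsZones,DC=DOMAIN,DC=COM
   Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
      Replicating Directory Changes In Filtered Set
   access rights for the naming context:
   DC=ForestDnsZones,DC=DOMAIN,DC=COM
   ......................... DOMAIN-DC1 failed test NCSecDesc
'@ -split "`r?`n"

if ($UseSampleOutput) {
    $lines = $sampleOutput
} else {
    # /test:NCSecDesc limits dcdiag to this one test; /s: names the DC to test.
    $lines = & dcdiag.exe /test:NCSecDesc /s:$DomainController 2>&1 | ForEach-Object { "$_" }
}

$failed = @($lines -match 'failed test NCSecDesc').Count -gt 0

# Each error spans four lines: principal, missing right, "access rights for...", naming context.
$findings = @()
for ($i = 0; $i -lt $lines.Count; $i++) {
    if ($lines[$i] -match "^\s*Error (?<principal>.+?) doesn't have\s*$" -and ($i + 3) -lt $lines.Count) {
        $findings += New-Object PSObject -Property @{
            Principal = $Matches['principal']
            Right     = $lines[$i + 1].Trim()
            NC        = $lines[$i + 3].Trim()
        }
    }
}

$otherRights = @($findings | Where-Object { $_.Right -ne $RodcRight })
$affectedNCs = @($findings | ForEach-Object { $_.NC } | Sort-Object -Unique)

if (-not $failed) {
    "NCSecDesc passed on $DomainController."
} elseif ($findings.Count -gt 0 -and $otherRights.Count -eq 0) {
    # The signature the article describes: only the RODC filtered-set right is missing,
    # which means adprep /rodcprep has not been run in this forest.
    "NCSecDesc failed only for '$RodcRight' on: $($affectedNCs -join ', ')"

    $rodcs = @()
    if (-not $UseSampleOutput -and (Get-Module -ListAvailable ActiveDirectory)) {
        Import-Module ActiveDirectory
        $rodcs = @(Get-ADDomainController -Filter { IsReadOnly -eq $true })
    }
    if ($rodcs.Count -eq 0) {
        "No RODC found in the domain: safe to ignore unless you plan to deploy RODCs (then run adprep /rodcprep first)."
    } else {
        "RODC(s) present ($(($rodcs | ForEach-Object { $_.Name }) -join ', ')): run adprep /rodcprep so they can replicate these partitions."
    }
} else {
    # Any other missing right on a naming context is not the benign RODC case and
    # needs to be investigated as a real permissions problem on the partition.
    "NCSecDesc failed for rights other than the RODC one:"
    $otherRights | Format-Table Principal, Right, NC -AutoSize
}
```

Run it as .\Check-NCSecDesc.ps1 -UseSampleOutput to see the classification of the quoted output, or .\Check-NCSecDesc.ps1 -DomainController DC1 from an elevated prompt on a machine with the RSAT AD tools to test a live DC; the script only reads dcdiag output and AD metadata and changes nothing.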

Additional information on this error:

http://support.microsoft.com/kb/967482