Dcdiag fails for NCSecDesc test on Windows 2008 Domain Controllers

Published on
19,354 Points
1 Endorsement
Last Modified:
Brief Introduction of Dcdiag in Windows Server 2008 and Windows Server 2008 R2 servers:

Dcdiag allows you to test your Domain Controllers state of functionality within your domain environment for troubleshooting and health check procedures. The Dcdiag tool is a command line tool that is run from the command line and outputs data from the Dcdiag tests to the command prompt. You can add parameters to the Dcdiag command line which allows you to add syntax to these parameters for deeper troubleshooting of domain functionality. Now Dcdiag is built-in the above versions unlike in prior versions you would have to install Dcdiag from the support tools.

Common test that you might see "Fail" in a Dcdiag:

When you run a dcdiag on Windows 2008 servers you might see the below error that seems like you have major problems with your Domain but actually this error doesn't impact you in any type of way unless you plan to use Read-Only Domain Controllers (RODC).

Starting test: NCSecDesc


           Replicating Directory Changes In Filtered Set

        access rights for the naming context:



           Replicating Directory Changes In Filtered Set

        access rights for the naming context:


        ......................... Domain.com-DC1 failed test NCSecDesc

The error actual states you have failed a part of the dcdiag test but really the failed part of the test is only for Read-Only Domain Controllers (RODC) use. RODC is a new feature in Windows 2008 Server which requires Domain Schema prep by using the adprep or adprep32 with the switch /rodcprep.

Now if you haven't run the /rodcprep you will get the failed portion of the dcdiag every time you run a dcdiag. There is not a way currently to bypass this part of the dcdiag test either so you can deal with the failed portions of the dcdiag which many Admins including myself do or you can run the /rodcprep which will add the appropriate security descriptors to the naming heads.

If you don't plan using RODCs you can safely ignore this error in your dcdiag.

Additional information on this error:


Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Join & Write a Comment

This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month