RODC errors

I am getting the following error upon running dcdiag:
 Starting test: NCSecDesc
    Error Enterprise Read Only Domain Controllers doesn't have
       Replicating Directory Changes
    access rights for the naming context:
I have run adprep /rodcprep with success.
Is there another reason why this error may continue?
habs1994Asked:
Who is Participating?
 
Darius GhassemCommented:
Are you running adprep32 /rodcprep?
0
 
habs1994Author Commented:
I ran adprep32 as the server I ran it from was 32 bit.  I also ran adprep from one of my 2008R2 domain controllers and in that case it states that that all partitions are ready for RODC.
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
Darius GhassemCommented:
Run dcdiag post results
0
 
habs1994Author Commented:
Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = HT-GBG
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: GBG\HT-GBG
      Starting test: Connectivity
         ......................... HT-GBG passed test Connectivity

Doing primary tests

   Testing server: GBG\HT-GBG
      Starting test: Advertising
         ......................... HT-GBG passed test Advertising
      Starting test: FrsEvent
         ......................... HT-GBG passed test FrsEvent
      Starting test: DFSREvent
         ......................... HT-GBG passed test DFSREvent
      Starting test: SysVolCheck
         ......................... HT-GBG passed test SysVolCheck
      Starting test: KccEvent
         ......................... HT-GBG passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... HT-GBG passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... HT-GBG passed test MachineAccount
      Starting test: NCSecDesc
         Error Enterprise Read Only Domain Controllers doesn't have
            Replicating Directory Changes
         access rights for the naming context:
         xxxxxxxxxxxxxx
         ......................... HT-GBG failed test NCSecDesc
      Starting test: NetLogons
         ......................... HT-GBG passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... HT-GBG passed test ObjectsReplicated
      Starting test: Replications
         ......................... HT-GBG passed test Replications
      Starting test: RidManager
         ......................... HT-GBG passed test RidManager
      Starting test: Services
         ......................... HT-GBG passed test Services
     
      Starting test: VerifyReferences
         ......................... HT-GBG passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
0
 
Darius GhassemCommented:
Make sure you are using elevated permissions on command prompt when running the adprep /rodcprep
0
 
habs1994Author Commented:
I have run that as administrator.  Is there more I can do?
0
 
Darius GhassemCommented:
You can right-click the command prompt then select Run as
0
 
habs1994Author Commented:
That is what I have done.  More info:  running dcdiag on my 2003R2 dcs does not return the same error although I would assume that the dcdiag run there does not include that test.
0
 
Darius GhassemCommented:
No does not include the same test.

What is your DC versions? How many do you have?
0
 
habs1994Author Commented:
I have 4 dcs running Windows Server 2003 R2 standard and 2 running 2008R2 Enterprise.  The 2 newer ones running 2008 R2 Ent. are in remote sites and have one NTDS connection back to the main site which contains 2 2003 R2 servers.  The NTDS connection is to only one of the dcs in the main site.
0
 
Darius GhassemCommented:
Alright on  the main DC at HQ you are running adprep32 /rodcprep. Does any information come back?
0
 
habs1994Author Commented:
Yes, that adprep has detected the operation has been been performed on the partitions:
DC=ForestDnsZones,DC=xx,DC=com
DC=DomainDnsZones,DC=xx,DC=com
DC=xx,DC=Com
and is skipping.  Then it reports completed without errors and that all partitions are updated.  Am I looking at a purely cosmetic error?
0
 
Darius GhassemCommented:
Yes, not really going to cause you an issue unless you want to use RODC servers
0
 
habs1994Author Commented:
My problem is that we may want to use some RODCs in the remote sites.  Not sure if we will yet but it is a possibility and seems risky with this error still showing up.  I do appreciate your input.
0
 
Darius GhassemCommented:
Will not allow you to use if this error is still present.

When you run this are you running as Enterprise Admin?
Run the below post

DCDIAG /TEST:NCSecDes
DCDIAG /TEST:NCSecDesc
0
 
habs1994Author Commented:
Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = HT-SHILLS
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: SHills\HT-SHILLS
      Starting test: Connectivity
         ......................... HT-SHILLS passed test Connectivity

Doing primary tests

   Testing server: SHills\HT-SHILLS
      Starting test: NCSecDesc
         Error Enterprise Read Only Domain Controllers doesn't have
            Replicating Directory Changes
         access rights for the naming context:
         DC=xxxxxx,DC=com
         ......................... HT-SHILLS failed test NCSecDesc


   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : xxxxxx

   Running enterprise tests on : xxxxxx.com



Would it be beneficial to pre-create an RODC account un ADUC?
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.