Windows Server DCDIAG returns

Hi,

In my Schema master today, somehow I got the following error message:

Starting test: NCSecDesc
   Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have Replicating Directory Changes In Filtered Set access rights for the naming context:
   DC=ForestDnsZones,DC=domain,DC=com
   Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have Replicating Directory Changes In Filtered Set access rights for the naming context:
   DC=DomainDnsZones,DC=domain,DC=com


Is that normal, or what do I need to do to fix it?

Note: Windows Server 2008 R2 SP1 and the DFL/FFL is still on Windows Server 2003
Asked by: Senior IT System Engineer, IT Professional

Toni Uranjek (Consultant/Trainer) commented:
If you are not planning to have an RODC in your domain, this error can be ignored. Otherwise run adprep /rodcprep.

Dcdiag fails for NCSecDesc test on Windows 2008 Domain Controllers
https://support.microsoft.com/en-us/kb/967482
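
To see which naming contexts lack the ACE that dcdiag reports, and to confirm the result after adprep /rodcprep, the ACL on each naming context head can be read directly. This is an added example, not part of the original answer; the function name Test-FilteredSetAce is hypothetical. S-1-5-9 is the well-known SID of Enterprise Domain Controllers, and the GUID is the rightsGuid of the Replicating Directory Changes In Filtered Set control access right.

```powershell
# Added example, not from the thread. Read-only: it inspects ACLs and changes nothing.
# Assumes it is run on a domain controller (or a host that can bind to every
# naming context) by an account allowed to read the security descriptors.
#   S-1-5-9                                = NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
#   89e95b76-444d-4c62-991a-0facbeda640c   = DS-Replication-Get-Changes-In-Filtered-Set
$edcSid      = 'S-1-5-9'
$filteredSet = [Guid]'89e95b76-444d-4c62-991a-0facbeda640c'
$extRight    = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Test-FilteredSetAce {
    param([Parameter(Mandatory = $true)][string]$NamingContext)

    $entry = [ADSI]"LDAP://$NamingContext"
    # Explicit and inherited ACEs, with trustees returned as SIDs so the
    # comparison does not depend on name resolution or OS language.
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($ace in $rules) {
        $isEdc     = $ace.IdentityReference.Value -eq $edcSid
        $isAllow   = $ace.AccessControlType -eq 'Allow'
        $hasExt    = [bool]($ace.ActiveDirectoryRights -band $extRight)
        # An empty ObjectType on an ExtendedRight ACE means "all extended rights".
        $rightFits = ($ace.ObjectType -eq $filteredSet) -or
                     ($ace.ObjectType -eq [Guid]::Empty)
        if ($isEdc -and $isAllow -and $hasExt -and $rightFits) { return $true }
    }
    return $false
}

# Check every naming context the forest advertises, including the
# ForestDnsZones and DomainDnsZones partitions named in the dcdiag output.
$rootDse = [ADSI]'LDAP://RootDSE'
foreach ($nc in $rootDse.namingContexts) {
    New-Object PSObject -Property @{
        NamingContext  = [string]$nc
        FilteredSetAce = Test-FilteredSetAce -NamingContext $nc
    }
}
```

A naming context that shows FilteredSetAce as False is one for which the NCSecDesc test would report the error quoted in the question.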
Senior IT System Engineer (IT Professional, author) commented:
Thanks Toni, no I do not plan for RODC.

So yes I'll ignore the issue then.

Regarding the command above, where should I run it? Is it going to cause any outage, or do I need to restart the DC server?
Toni Uranjek (Consultant/Trainer) commented:
You can run adprep /rodcprep on any computer. You have to be a member of the Enterprise Admins group.
It shouldn't prompt you for restart.
Senior IT System Engineer (IT Professional, author) commented:
OK, so in this case I assume that it will just extend or modify the AD attributes?

No outage required.
Toni Uranjek (Consultant/Trainer) commented:
Yes.
Senior IT System Engineer (IT Professional, author) commented:
Thanks Toni
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.