Jonathan Jones
asked on
Fixing Security Perms on Domain Controller
Does anyone know where I can fix the below permission issues? I changed it on the Domain Controller.
Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=prsdnj,DC=org
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=prsdnj,DC=org
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
CN=Schema,CN=Configuration,DC=prsdnj,DC=org
Error BUILTIN\Administrators doesn't have
Replicating Directory Changes
Replicating Directory Changes All
Replication Synchronization
Manage Replication Topology
access rights for the naming context:
CN=Schema,CN=Configuration,DC=prsdnj,DC=org
Error PRSDNJ\Enterprise Read-only Domain Controllers doesn't have
Replicating Directory Changes
Replicating Directory Changes All
Replicating Directory Changes In Filtered Set
access rights for the naming context:
CN=Schema,CN=Configuration,DC=prsdnj,DC=org
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
CN=Configuration,DC=prsdnj,DC=org
Error PRSDNJ\Enterprise Read-only Domain Controllers doesn't have
Replicating Directory Changes
access rights for the naming context:
CN=Configuration,DC=prsdnj,DC=org
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=prsdnj,DC=org
......................... PR-DC01 failed test NCSecDesc
I just went back and looked at some of my older scripts and it may be that you will have to resort to dsacls.exe.
Some NCs aren't accessible to PowerShell and standard tools. I just ran across a script where I used dsacls to grant access to an NC and the comments indicate it was my only option.
dsacls is old, but tried and true. Here's an article on how to use it:
dsacls.exe syntax (TechNet)
ASKER
Thanks for the info! I recently had a problem with the Schema role and had to redo a lot of the permissions. This one eludes me; can you point me in the right direction for the dsacls.exe command? I am not sure if /resetDefaultDACLS and SACL will do the trick?
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
Awesome! Thanks so much for the article and guidance, life saver!
I'm curious if this is a single DC which exhibits this or if all of your DCs have the same permissions issue? I'm also curious if you know how this happened?
If you know how this happened and don't need to keep the DC for forensics, your quickest solution is to nuke and pave it. Build a new DC to replace it.
Edit:
I covered permissions via PowerShell in this example: Delegating AD rights to Helpdesk Group, but the concept will be the same. You will need to get to the ACL on the NCs you want to edit and you will need to look at the two hashtables you create to find the right GUIDs and AD rights. There's a little alteration to do, but you can use the link as a place to start.
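Added example (not part of the original thread, and not any poster's script): a PowerShell sketch that turns the dcdiag NCSecDesc errors from the question into one record per principal, naming context and missing right, then prints a candidate dsacls grant line for each so it can be reviewed before anything is changed. The function name ConvertFrom-NCSecDesc is hypothetical, the sample text is a constructed excerpt of the output above, and the printed lines assume the dsacls /G form with the CA (control access) permission and the right's display name.

```powershell
# Constructed sample: two findings taken from the dcdiag output in the question.
$sample = @'
Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=prsdnj,DC=org
Error PRSDNJ\Enterprise Read-only Domain Controllers doesn't have
Replicating Directory Changes
Replicating Directory Changes All
Replicating Directory Changes In Filtered Set
access rights for the naming context:
CN=Schema,CN=Configuration ,DC=prsdnj ,DC=org
......................... PR-DC01 failed test NCSecDesc
'@

# Hypothetical helper: parse NCSecDesc error blocks into objects.
function ConvertFrom-NCSecDesc {
    param([string[]]$Line)
    $principal = $null; $rights = @(); $expectNc = $false
    foreach ($raw in $Line) {
        $text = $raw.Trim()
        if ($text -match '^Error (?<p>.+) doesn''t have$') {
            # Start of a new finding: remember who is missing rights.
            $principal = $Matches['p']; $rights = @(); $expectNc = $false
        } elseif ($text -eq 'access rights for the naming context:') {
            $expectNc = $true
        } elseif ($expectNc -and $principal) {
            # The line after the marker is the NC; strip stray spaces around commas.
            $nc = $text -replace '\s*,\s*', ','
            foreach ($r in $rights) {
                [pscustomobject]@{ Principal = $principal; NamingContext = $nc; Right = $r }
            }
            $principal = $null; $expectNc = $false
        } elseif ($principal -and $text) {
            # Lines between "Error ..." and the marker are the missing rights.
            $rights += $text
        }
    }
}

$findings = ConvertFrom-NCSecDesc -Line ($sample -split '\r?\n')

# Print (do not run) one grant per finding so each can be checked against the expected defaults.
$findings | ForEach-Object {
    'dsacls "{0}" /G "{1}:CA;{2}"' -f $_.NamingContext, $_.Principal, $_.Right
}
```

Running dcdiag /test:NCSecDesc again after any change shows whether the findings cleared.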