Windows Server 2008 Domain Controllers fail NcSecDesc (Naming Context Security Descriptors) test when dcdiag is run
We are increasingly seeing customers call us regarding the following error. I thought it would be best to blog it for the benefit of others.
Scenario:
You have at least one Windows Server 2008 domain controller deployed in a Windows Server 2003 domain. When you run dcdiag on or against a Windows Server 2008 domain controller, the Naming Context Security Descriptors (NCSecDesc) test fails. The same test passes for Windows Server 2003 domain controllers in the same domain.
Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=CONTOSO,DC=COM
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=CONTOSO,DC=COM
......................... DC2K8001 failed test NCSecDesc
If you have not run adprep /rodcprep, dcdiag.exe returns an error when it runs the NCSecDesc test. This test checks that the security descriptors on the naming context heads grant the permissions replication requires. The error indicates that the NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS group (well-known SID S-1-5-9) does not hold the "Replicating Directory Changes In Filtered Set" extended right on the DNS application directory partitions (DomainDnsZones and ForestDnsZones). The Windows Server 2008 version of dcdiag checks for this right because a read-only domain controller (RODC) depends on it; the Windows Server 2003 version does not, which is why only the Windows Server 2008 domain controllers report the failure.
If you do not plan to add an RODC to the forest, you can disregard this error. If you plan to add an RODC to the forest, you must run adprep /rodcprep (run it as a member of the Enterprise Admins group; it grants the missing right on the application directory partitions), after which the NCSecDesc test passes.
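The following PowerShell script is an added example, not part of the original post or of dcdiag itself. It reproduces the relevant part of the NCSecDesc check by reading the security descriptor of each DNS application partition head and looking for an Allow ACE that grants NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS (S-1-5-9) the "Replicating Directory Changes In Filtered Set" extended right, identified by the rightsGuid of the DS-Replication-Get-Changes-In-Filtered-Set control access right. The forest name contoso.com and the partition list are assumptions; adjust them for your forest (in a multi-domain forest, every domain has its own DomainDnsZones partition). It uses only System.DirectoryServices, so it runs without the ActiveDirectory module.

```powershell
# Added example (not from the original post): check the DNS application
# partition heads for the right that dcdiag's NCSecDesc test requires.
# Assumptions: forest root is contoso.com; the caller can read the
# security descriptors of the partition heads.

# rightsGuid of the "Replicating Directory Changes In Filtered Set"
# control access right (DS-Replication-Get-Changes-In-Filtered-Set).
$FilteredSetRightGuid = [Guid]'89e95b76-444d-4c62-991a-0facbeda640c'

# Well-known SID of NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS.
$EnterpriseDcSid = 'S-1-5-9'

# Partition heads to check (assumed names; adjust for your forest).
$Partitions = @(
    'DC=DomainDnsZones,DC=contoso,DC=com',
    'DC=ForestDnsZones,DC=contoso,DC=com'
)

function Test-FilteredSetRight {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)

    # Bind to the naming context head and read its DACL.
    $entry = [ADSI]"LDAP://$DistinguishedName"
    $rules = $entry.ObjectSecurity.GetAccessRules(
        $true,   # explicit ACEs
        $true,   # inherited ACEs
        [System.Security.Principal.SecurityIdentifier])

    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    # Look for an Allow ACE for S-1-5-9 that carries the ExtendedRight flag
    # and whose ObjectType is the filtered-set replication right.
    $match = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $EnterpriseDcSid -and
        (([int]($_.ActiveDirectoryRights -band $extendedRight)) -ne 0) -and
        $_.ObjectType -eq $FilteredSetRightGuid
    }
    return [bool]$match
}

foreach ($nc in $Partitions) {
    if (Test-FilteredSetRight -DistinguishedName $nc) {
        "OK       $nc"
    } else {
        "MISSING  $nc  (Enterprise Domain Controllers lacks Replicating Directory Changes In Filtered Set; run adprep /rodcprep)"
    }
}
```

A partition reported as MISSING corresponds to the dcdiag errors shown above. The fix is the one the post describes: run adprep /rodcprep (adprep.exe is under \sources\adprep on the Windows Server 2008 installation media) as an Enterprise Admin, wait for replication, and rerun dcdiag /test:NCSecDesc.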
More Information:
Known Issues for Installing and Removing AD DS
https://technet.microsoft.com/en-us/library/cc754463.aspx
Comments
Anonymous
January 01, 2003
Hi Geedoubleu, dcdiag bundled with Windows Server 2008 and the RSAT tools for Vista has the functionality to check the permissions on the application partitions (in this case DomainDNSZones and ForestDNSZones) for required permissions. If these are not present it flags them accordingly. This is by design and not a deviation from the intended behavior.
Anonymous
March 05, 2009
Makes perfect sense. Many thanks.
Anonymous
July 06, 2009
Excellent, thanks, just one point needs clarifying. This bug is for any Windows Server 2008 domain controller whose Active Directory is installed in Windows 2003 mode, i.e. a default Windows 2008 domain. That could be a single Windows 2008 Server domain, an only-Windows 2008 domain, or a mix of Windows 2008/2003. I had to read it twice as I couldn't believe something as simple and critical as DCDIAG would be delivered bugged.
Anonymous
November 02, 2009
Thanks for this update. It was definitely helpful in a situation I came into.
Anonymous
May 12, 2010
Thanks for the update, it is very useful.