DCDiag Error Enterprise Read-only Domain Controllers doesn't have Replicating Directory Changes access rights for the naming context

  • Question

  • I'm trying to clean up our domain to eliminate errors and warnings when running DCDIAG and other tools.  Following is one problem I had and the associated resolution:

    Running DCDIAG on any of our domain controllers (all are Windows Server 2008 R2) resulted in the following error:

    Starting test: NCSecDesc
       Error OURDOMAIN\Enterprise Read-only Domain Controllers doesn't have
          Replicating Directory Changes
       access rights for the naming context:
       DC=ourdomain,DC=com

    Verifying the Problem:

    Using Active Directory Users and Computers (ADUC) and navigating to \Users, verify the existence of a Security Group called "Enterprise Read-only Domain Controllers".   In our case, that group already existed.  Exit ADUC.

    Using ADSIEDIT, right-click on Naming Context "DC=ourdomain,DC=com", choose "Properties", click the "Security" tab and verify that "Enterprise Read-only Domain Controllers" shows in the "Group or user names" pane.  In our case, that group was missing.

    Resolution:

    In ADSIEDIT, click the "Add" button, type the group name "Enterprise Read-only Domain Controllers" and click "OK".  Next, highlight "Enterprise Read-only Domain Controllers" in the "Group or user names:" pane and then scroll down in the "Permissions:" pane to find "Replicating Directory Changes".  Enable (check) the box in the "Allow" column to the right of "Replicating Directory Changes" and Press "OK". 

    Exit ADSIEDIT and re-run DCDIAG.  This solved the problem in our case.


    • Edited by Ken Morley Sunday, May 19, 2013 7:13 PM
    Sunday, May 19, 2013 7:11 PM
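The same check and fix the post performs by hand in ADSIEDIT, as an added PowerShell example (this is not code from the original post). It assumes the ActiveDirectory module (RSAT) is installed, that it runs with Domain Admin rights on a domain controller, and that the group in question is the well-known "Enterprise Read-only Domain Controllers" (RID 498 in the forest root domain). "Replicating Directory Changes" in the GUI is the extended right DS-Replication-Get-Changes, GUID 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2; the script looks for an Allow ACE carrying that right on the domain naming context and adds one only if it is missing. Because holding that right on the domain NC is what lets a principal pull password hashes via replication (DCSync), the script also lists the group's members so you can confirm it contains nothing but RODC computer accounts.

```powershell
# Added example, not from the original post.
# Verify and, if needed, grant "Replicating Directory Changes" to
# Enterprise Read-only Domain Controllers on the domain naming context.
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$ncPath     = "AD:\$($domain.DistinguishedName)"      # e.g. AD:\DC=ourdomain,DC=com
$rootDomain = Get-ADDomain -Identity (Get-ADForest).RootDomain

# Well-known group: <forest root domain SID>-498
$erodcSid = New-Object System.Security.Principal.SecurityIdentifier(
    "$($rootDomain.DomainSID)-498")

# Extended right DS-Replication-Get-Changes ("Replicating Directory Changes" in the GUI)
$getChangesGuid = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'

# Step 1 (the post's ADUC check): does the group exist?
$group = Get-ADGroup -Identity $erodcSid -Server $rootDomain.PDCEmulator -ErrorAction Stop
"Found group: $($group.DistinguishedName)"

# Step 2 (the post's ADSIEDIT check): is the Allow ACE for that right present on the NC?
$acl = Get-Acl -Path $ncPath
$existing = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType -eq $getChangesGuid -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $erodcSid
}

if ($existing) {
    "ACE already present; nothing to change."
}
else {
    # Step 3 (the post's resolution): add the ACE. Inheritance None matches the
    # single checkbox the post ticks on the NC object itself.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $erodcSid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $getChangesGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $ncPath -AclObject $acl
    "Added Replicating Directory Changes for $($group.Name) on $($domain.DistinguishedName)"
}

# Security check: this right is what DCSync needs, so the group should contain
# only RODC computer accounts. Anything else here is a finding to investigate.
$rodcs   = (Get-ADDomainController -Filter { IsReadOnly -eq $true }).ComputerObjectDN
$members = Get-ADGroupMember -Identity $erodcSid -Server $rootDomain.PDCEmulator
foreach ($m in $members) {
    if ($m.objectClass -ne 'computer' -or $rodcs -notcontains $m.distinguishedName) {
        Write-Warning "Unexpected member of $($group.Name): $($m.distinguishedName)"
    }
}

# Re-run the failing test, as the post does
dcdiag /test:NCSecDesc /s:$($domain.PDCEmulator)
```

The ACE in question is normally created by `adprep /rodcprep` when a forest is prepared for read-only domain controllers, so if several partitions report the same NCSecDesc error, running rodcprep once is the cleaner fix than adding the ACE to each naming context by hand.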

All replies

  • Hi,

    Thanks for your posting.

    It seems like your issue was resolved. And thanks for your good sharing.

    Thanks.


    Vivian Wang
    TechNet Community Support

    Tuesday, May 21, 2013 7:15 AM
  • Thank you for your excellent documentation.
    Thursday, November 21, 2013 8:24 PM
  • Nice Document. Thanks for sharing.
    Thursday, December 5, 2013 11:24 AM
  • Hi,

    I have the same error

    Error OURDOMAIN\Enterprise Read-only Domain Controllers doesn't have
          Replicating Directory Changes
       access rights for the naming context:
       DC=ourdomain,DC=com

    but when I searched for the security group called "Enterprise Read-only Domain Controllers" in ADUC, it did not appear. Do I need to follow the instructions using ADSIEDIT to fix the problem?

    Tuesday, March 25, 2014 7:18 PM