DCDIAG - NCSecDesc error

    Question

  • When running: "DCDiag /test:NCSecDesc" I get the following.

    Doing primary tests

       Testing server: Domain\DC1
          Starting test: NCSecDesc
             Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
                Replicating Directory Changes In Filtered Set
             access rights for the naming context:
             DC=Domain,DC=com
             ......................... <DC1> failed test NCSecDesc


       Running partition tests on : ForestDnsZones

       Running partition tests on : DomainDnsZones

       Running partition tests on : Schema

       Running partition tests on : Configuration

       Running partition tests on : Domain

       Running enterprise tests on : Domain.com

    I recently added two Windows 2012 R2 DCs into the environment; one of those holds the FSMO roles as well as the NTP server information. Below is the ADPREP change information taken from ADSI.

    Schema Version
    69
    ForestPrep Version
    15
    RODCPrep Version
    2
    DomainPrep Version
    10

    So besides running "ADPrep /rodcprep" is there any other way to fix this issue? What am I missing?

    Note: Replication, DNS, sysvol, etc. all come back good, this is the only error. Also the "enterprise domain controllers" group has full control set for "this object only"


    Thursday, June 18, 2015 4:49 PM

Answers

  • OK I resolved it... It was a permissions issue.

    The Enterprise Domain Controllers group was set to Full Control on "dc=domain,dc=com". I removed it and gave it the following permissions to match the rest of the security settings across the board.

    Manage replication topology

    • Replicating Directory Changes
    • Replicating Directory Changes All
    • Replicating Directory Changes In Filtered Set
    • Replication Synchronization

    DCDiag came back as passed.

    Thursday, June 18, 2015 8:08 PM
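    The accepted answer fixed the NCSecDesc failure by replacing a Full Control ACE with the five replication extended rights. The following PowerShell is an added example, not part of this thread, that audits each naming-context head the DC hosts and reports, for the Enterprise Domain Controllers group (well-known SID S-1-5-9), whether each of those rights is granted explicitly or only through a Full Control ACE, so the failing NC can be compared with the ones DCDiag passes. It is read-only, assumes the ActiveDirectory RSAT module and its `AD:` drive are available, and resolves the rights' GUIDs from the forest's own Extended-Rights container rather than hard-coding them.

```powershell
# Added example (not from the thread): read-only audit of the replication extended
# rights held by Enterprise Domain Controllers (SID S-1-5-9) on every NC head.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

function Get-EdcReplicationRights {
    $rootDse = Get-ADRootDSE

    # Display names match the entries listed in the accepted answer; the GUIDs are
    # looked up live in CN=Extended-Rights so nothing has to be hard-coded.
    $rightNames = @(
        'Manage Replication Topology',
        'Replicating Directory Changes',
        'Replicating Directory Changes All',
        'Replicating Directory Changes In Filtered Set',
        'Replication Synchronization'
    )
    $extendedRightsDn = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"
    $rights = foreach ($name in $rightNames) {
        $obj = Get-ADObject -SearchBase $extendedRightsDn -LDAPFilter "(displayName=$name)" -Properties rightsGuid
        if (-not $obj) { Write-Warning "Extended right '$name' not found in $extendedRightsDn"; continue }
        [pscustomobject]@{ Name = $name; Guid = [guid]$obj.rightsGuid }
    }

    $edcSid      = 'S-1-5-9'
    $extended    = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $genericAll  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    # namingContexts lists every NC this DC hosts: domain, configuration, schema
    # and the DNS application partitions, the same set DCDiag walks.
    foreach ($dn in $rootDse.namingContexts) {
        $acl = Get-Acl -Path "AD:\$dn"

        # Allow ACEs (explicit or inherited) whose trustee is Enterprise Domain Controllers
        $edcAces = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $edcSid
        }

        # A Full Control ACE (GenericAll) implies every extended right, but DCDiag's
        # complaint in this thread went away only once the rights were granted explicitly.
        $fullControl = @($edcAces | Where-Object { $_.ActiveDirectoryRights.HasFlag($genericAll) })

        foreach ($right in $rights) {
            $explicit = @($edcAces | Where-Object {
                $_.ActiveDirectoryRights.HasFlag($extended) -and
                -not $_.ActiveDirectoryRights.HasFlag($genericAll) -and
                ($_.ObjectType -eq $right.Guid -or $_.ObjectType -eq [guid]::Empty)
            })
            [pscustomobject]@{
                NamingContext   = $dn
                Right           = $right.Name
                ExplicitGrant   = ($explicit.Count -gt 0)
                OnlyFullControl = ($explicit.Count -eq 0 -and $fullControl.Count -gt 0)
                Missing         = ($explicit.Count -eq 0 -and $fullControl.Count -eq 0)
            }
        }
    }
}

Get-EdcReplicationRights | Format-Table -AutoSize
```

    Rows with `OnlyFullControl` set on one NC while the other NC heads show `ExplicitGrant` reproduce the mismatch the answer describes; rows marked `Missing` are the ones `adprep /rodcprep` normally adds. The script deliberately changes nothing; the ACE edits themselves are done in ADSI Edit as the answer explains, so that each change is a conscious, reviewable step.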

All replies

  • https://support.microsoft.com/en-us/kb/967482

    Cause: If you have not run adprep/rodcprep, Dcdiag.exe will return an error when it runs the NCSecDesc test. This test checks that the security descriptors on the naming context heads have appropriate permissions for replication. The error indicates that the Enterprise Domain Controllers group does not have Replicating Directory Changes In Filtered Set access rights for the DNS application directory partitions.

    Resolution: If you do not plan to add an RODC to the forest, you can disregard this error. If you plan to add an RODC to the forest, you must run adprep /rodcprep.

    Thursday, June 18, 2015 5:06 PM
  • I ran the ADPrep /rodcprep command and that did not resolve the issue.
    Thursday, June 18, 2015 5:29 PM
  • Just to confirm as I had an issue with dcdiag the other day.. you are using an elevated command prompt right?
    Thursday, June 18, 2015 5:31 PM
  • Yes, and all adprep debug logs are looking good, meaning it did its stuff correctly.
    Thursday, June 18, 2015 5:34 PM


  • Applied at the root of the forest "DC=domain,DC=com"

    Thursday, June 18, 2015 5:44 PM
  • Using ADSI Edit I verified that the "Enterprise Domain Controllers" group has the "replicating directory changes in filtered set" enabled on the following. (Note: This is what was already there, aka default; no manual changes were made in regards to this.)

    CN=Schema,CN=Configuration,DC=domain,DC=com
    DC=domain,DC=com (Full control enables this setting)
    CN=Configuration,DC=domain,DC=com

    And to re-emphasize I already ran the ADPrep /rodcprep command and it did not resolve the error in DCDiag.


    I also ran net stop ntds && net start ntds issue still remains.
    Thursday, June 18, 2015 6:16 PM
  • A more detailed scan is below:

    Starting test: NCSecDesc

             * Security Permissions check for all NC's on DC DC1.
             * Security Permissions Check for

               DC=ForestDnsZones,DC=domain,DC=com
                (NDNC,Version 3)
             * Security Permissions Check for

               DC=DomainDnsZones,DC=domain,DC=com
                (NDNC,Version 3)
             * Security Permissions Check for

               CN=Schema,CN=Configuration,DC=domain,DC=com
                (Schema,Version 3)
             * Security Permissions Check for

               CN=Configuration,DC=domain,DC=com
                (Configuration,Version 3)
             * Security Permissions Check for

               DC=domain,DC=com
                (Domain,Version 3)
             Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have

                Replicating Directory Changes In Filtered Set
             access rights for the naming context:

             DC=domain,DC=com
             ......................... DC1 failed test NCSecDesc

    Thursday, June 18, 2015 6:28 PM
  • Hi,

    You will see this error message when you promote a domain controller in a domain without preparing the AD Schema for RODC (read-only domain controller) using adprep /rodcprep command. If you do not plan to add an RODC to the forest, you can safely ignore this error message. Otherwise, run adprep /rodcprep to update the AD schema.

    This is mentioned in the Microsoft site also.
    https://technet.microsoft.com/en-us/library/cc754463%28WS.10%29.aspx?f=255&MSPPError=-2147217396

    Thursday, June 18, 2015 6:40 PM
  • I stated earlier that this did not resolve the issue, thank you for your input though.
    Thursday, June 18, 2015 7:50 PM
  • Hi,

    Thanks for updating.

    Friday, June 19, 2015 3:09 AM