Friday, January 19, 2018 12:40:36 AM

NCSecDesc error in dcdiag

3 years ago
#35
Hi,
please help
I can't seem to solve this problem:
Starting test: NCSecDesc
     Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
        Replicating Directory Changes In Filtered Set
     access rights for the naming context:
     DC=mysite, DC=com
Thanks, John
0
3 years ago
#36
John,
I had a similar problem with my server. Here is what I had to do. This was a real pain and I spent several hours resolving what seemed to be a simple issue. When running dcdiag you get an error that the NCSecDesc test failed with:


Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn’t have
     Replicating Directory Changes In Filtered Set
     access rights for the naming context:
    DC=pcwizardsrus, DC=com

Normally running adprep /rodcprep at the command line would correct the issues but in this case we kept getting the same response when running adprep.


Adprep detected the operation on partition DC=ForestDnsZones,DC=pcwizardsrus,DC=com  has been performed. Skipping to next partition.

Adprep detected the operation on partition DC=DomainDnsZones,DC=pcwizardsrus,DC=com  has been performed. Skipping to next partition.

Adprep detected the operation on partition DC=pcwizardsrus,DC=com has been performed. Skipping to next partition.

Adprep completed without errors. All partitions are updated. See the ADPrep.log in directory C:\Windows\debug\adprep\logs\20130213141646 for more information.

And when we re-ran DCDiag we would still get the same error. All the online documents say this should have resolved the issue, but it had not.



The problem was not the ADPrep /rodcprep; the permissions seemed to be too "open" for the Enterprise Domain Controllers group.
The security permissions for this group were set to "full" on the main domain partition.
This set of permissions needed to be more restrictive for the group.
To fix it we needed to open ADSI Edit and reset the permissions on the domain partition.

It's the one just below Default Naming Context.
Right-click the partition and select Properties.
It looks like this: + DC=pcwizardsrus, DC=com

Then in the pop-up window select the Security tab. In the Group or user names box find the "Enterprise Domain Controllers" group and then uncheck all permissions.

Now re-add only the list below to the Allow column.


1. Manage replication topology
2. Replicating Directory Changes
3. Replicating Directory Changes All
4. Replicating Directory Changes In Filtered Set
5. Replication Synchronization



Apply the changes and rerun DCDiag to verify that the changes are working.

Hope this
0
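The steps in reply #36 are done by hand in ADSI Edit, and it is easy to miss a stray ACE or re-add the wrong right. The script below is an added, read-only audit (not from this thread and not part of dcdiag or adprep) that lists what "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS" is actually allowed on the domain naming context and compares it with the five replication rights the reply says should remain. It assumes the RSAT ActiveDirectory module is installed (for `Get-ADDomain` and the `AD:` drive); the GUIDs are the well-known rightsGuid values of those five control access rights and can be confirmed against CN=Extended-Rights,CN=Configuration in your own forest.

```powershell
# Added audit script (not from the thread). Read-only: it changes nothing.
# Assumes the RSAT ActiveDirectory module and the AD: PSDrive it provides.
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName
$principal = 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS'

# Well-known rightsGuid values of the five rights the post says to keep.
$expected = @{
    '1131f6ac-9c07-11d1-f79f-00c04fc2dcd2' = 'Manage replication topology'
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'Replicating Directory Changes In Filtered Set'
    '1131f6ab-9c07-11d1-f79f-00c04fc2dcd2' = 'Replication Synchronization'
}

$genericAll   = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Only the Allow ACEs granted to the group itself on the domain partition.
$acl  = Get-Acl -Path "AD:\$domainDN"
$aces = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $principal -and $_.AccessControlType -eq 'Allow'
}

$present = @{}
foreach ($ace in $aces) {
    $guid = $ace.ObjectType.ToString()

    # A blanket GenericAll ("Full control") is the over-broad state the post describes.
    if (($ace.ActiveDirectoryRights -band $genericAll) -eq $genericAll) {
        Write-Warning "Full control on $domainDN (inherited: $($ace.IsInherited))"
        continue
    }

    if ($expected.ContainsKey($guid)) {
        $present[$guid] = $true
    }
    elseif (($ace.ActiveDirectoryRights -band $extendedRight) -eq $extendedRight) {
        # Any other control access right is outside the expected set; report it.
        Write-Warning "Unexpected extended right $guid for $principal"
    }
}

"Rights held by $principal on $domainDN"
foreach ($guid in $expected.Keys) {
    $state = if ($present[$guid]) { 'present' } else { 'MISSING' }
    '{0,-48} {1}' -f $expected[$guid], $state
}
```

Run it before and after editing the ACL in ADSI Edit; a line marked MISSING for "Replicating Directory Changes In Filtered Set" matches the NCSecDesc failure quoted above, and a "Full control" warning is the over-permissive state the reply fixed. Then confirm with `dcdiag /test:NCSecDesc`.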