Hi, please help, I can't seem to solve this problem:
Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have Replicating Directory Changes In Filtered Set access rights for the naming context: DC=mysite, DC=com
Thanks
John
John, I had a similar problem with my server. Here is what I had to do. This was a real pain, and I spent several hours resolving what seemed to be a simple issue. When running dcdiag you get an error that the NCSecDesc test failed with:
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn’t have Replicating Directory Changes In Filtered Set access rights for the naming context: DC=pcwizardsrus, DC=com
Normally, running adprep /rodcprep at the command line would correct the issues, but in this case we kept getting the same response when running adprep:
Adprep detected the operation on partition DC=ForestDnsZones,DC=pcwizardsrus,DC=com has been performed. Skipping to next partition.
Adprep detected the operation on partition DC=DomainDnsZones,DC=pcwizardsrus,DC=com has been performed. Skipping to next partition.
Adprep detected the operation on partition DC=pcwizardsrus,DC=com has been performed. Skipping to next partition.
Adprep completed without errors. All partitions are updated. See the ADPrep.log in directory C:\Windows\debug\adprep\logs\20130213141646 for more information.
And when we re-ran DCDiag we would still get the same error. All the online documents say this should have resolved the issues, but it had not.
The problem was not the ADPrep /rodcprep; rather, the permissions seemed to be too “open” for the Enterprise Domain Controllers group. The security permissions for this group were set to “full” on the main domain partition. This set of permissions needed to be more restrictive for the group. To fix it we needed to open ADSI Edit and reset the permissions on the domain partition.
It's the one just below Default Naming Context. Right-click the partition and select Properties. It looks like this: + DC=pcwizardsrus, DC=com
Then in the pop-up window select the Security tab. In the Groups and Users box find the “Enterprise Domain Controllers” group and then uncheck all permissions.
Now re-add only the list below to the allow column.
1. Manage replication topology
2. Replicating Directory Changes
3. Replicating Directory Changes All
4. Replicating Directory Changes In Filtered Set
5. Replication Synchronization
Apply the changes and rerun DCDiag to verify that the changes are working.
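The same check can be done without clicking through ADSI Edit. The read-only PowerShell audit below is an added example, not part of the original posts: it reports which of the five rights listed above are granted to Enterprise Domain Controllers on the domain naming context and lists every other allow entry for that group. It assumes the RSAT ActiveDirectory module; the well-known SID S-1-5-9 and the control-access right GUIDs are standard Active Directory values that do not appear in the thread.

```powershell
# Added example: read-only audit, modifies nothing.
Import-Module ActiveDirectory   # also creates the AD: drive used by Get-Acl

# Control-access right GUIDs (rightsGuid) for the five rights named in the answer
$expected = [ordered]@{
    '1131f6ac-9c07-11d1-f79f-00c04fc2dcd2' = 'Manage replication topology'
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'Replicating Directory Changes In Filtered Set'
    '1131f6ab-9c07-11d1-f79f-00c04fc2dcd2' = 'Replication Synchronization'
}

$edcSid = 'S-1-5-9'                          # NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
$dn     = (Get-ADDomain).DistinguishedName   # domain naming context of the current domain
$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Allow ACEs for the group, matched by SID so a localized group name does not matter
$acl   = Get-Acl -Path "AD:\$dn"
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq $edcSid -and $_.AccessControlType -eq 'Allow' }

# GUIDs of the extended rights granted by object-specific ACEs
$granted = $rules |
    Where-Object { $_.ActiveDirectoryRights -band $extendedRight } |
    ForEach-Object { $_.ObjectType.ToString() }

# One row per expected right: Granted = False is what makes NCSecDesc complain
$expected.Keys | ForEach-Object {
    [pscustomobject]@{ Right = $expected[$_]; Granted = ($granted -contains $_) }
} | Format-Table -AutoSize

# Every other allow ACE for the group, for review. A Full Control entry like the
# one described in the answer shows up here as GenericAll with an all-zero ObjectType.
$rules | Where-Object {
    $_.ActiveDirectoryRights -ne $extendedRight -or
    -not $expected.Contains($_.ObjectType.ToString())
} | Format-Table ActiveDirectoryRights, ObjectType, IsInherited -AutoSize
```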