This was a real pain and we ended up having to call Microsoft and spend several hours resolving what seemed to be a simple issue. When running dcdiag you get an error that the NCSecDesc test failed with:
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn’t have Replicating Directory Changes In Filtered Set access rights for the naming context: DC=cosgro,DC=com
Normally, running adprep /rodcprep at the command line would correct the issue, but in this case we kept getting the same response when running adprep:
Adprep detected the operation on partition DC=ForestDnsZones,DC=cosgro,DC=com has been performed. Skipping to next partition.
==============================================================================
Adprep detected the operation on partition DC=DomainDnsZones,DC=cosgro,DC=com has been performed. Skipping to next partition.
==============================================================================
Adprep detected the operation on partition DC=cosgro,DC=com has been performed. Skipping to next partition.
==============================================================================
Adprep completed without errors. All partitions are updated. See the ADPrep.log in directory C:\Windows\debug\adprep\logs\20130213141646 for more information.
And when we re-ran DCDiag we would still get the same error. All the online documents say this should have resolved the issue, but it had not.
The problem was not adprep /rodcprep itself; the permissions were too “open” for the Enterprise Domain Controllers group. The security permissions for this group were set to “Full” on the main domain partition, and this set of permissions needed to be more restrictive for the group. To fix it we needed to open ADSI Edit and reset the permissions on the domain partition.
The picture below shows you where the domain partition resides. Right-click the partition and select Properties.
Then on the pop-up window select the Security tab. In the Groups and Users box find the “Enterprise Domain Controllers” group and then uncheck all permissions.
Now re-add only the permissions listed below in the Allow column.
- Manage replication topology
- Replicating Directory Changes
- Replicating Directory Changes All
- Replicating Directory Changes In Filtered Set
- Replication Synchronization
Apply the changes and rerun DCDiag to verify that the changes are working.
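Before and after making the change in ADSI Edit, it helps to see exactly what the group holds on the partition. The following is an added, read-only example (not part of the original post) that lists the Enterprise Domain Controllers ACEs on a naming context, flags the full-control grant the post describes, and reports which of the five replication rights are present; it assumes the RSAT ActiveDirectory module (the AD: drive) and a domain-admin session.

```powershell
# Added example, not from the original post: audit what ENTERPRISE DOMAIN CONTROLLERS
# holds on a naming context before touching it in ADSI Edit. Assumes the RSAT
# ActiveDirectory module (AD: drive) and a domain-admin session; read-only.
Import-Module ActiveDirectory

# Control-access-right GUIDs behind the five permissions the post re-adds.
$ReplicationRights = @{
    'Manage replication topology'                   = '1131f6ac-9c07-11d1-f79f-00c04fc2dcd2'
    'Replicating Directory Changes'                 = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    'Replicating Directory Changes All'             = '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
    'Replicating Directory Changes In Filtered Set' = '89e95b76-444d-4c62-991a-0facbeda640c'
    'Replication Synchronization'                   = '1131f6ab-9c07-11d1-f79f-00c04fc2dcd2'
}

function Test-EdcReplicationAcl {
    param(
        # Defaults to the domain partition; pass the configuration NC to check that too.
        [string]$NamingContext = (Get-ADDomain).DistinguishedName
    )
    $edc  = 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS'
    $acl  = Get-Acl -Path "AD:\$NamingContext"
    $aces = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $edc -and $_.AccessControlType -eq 'Allow'
    })

    # The post's root cause: an Allow ACE giving the group full control (GenericAll).
    $rights = [System.DirectoryServices.ActiveDirectoryRights]
    $hasFullControl = [bool]($aces | Where-Object {
        $_.ActiveDirectoryRights.HasFlag($rights::GenericAll)
    })

    # A right is granted by an ExtendedRight ACE whose ObjectType is its GUID (or empty = all).
    $status = foreach ($name in $ReplicationRights.Keys) {
        $guid = [guid]$ReplicationRights[$name]
        $granted = [bool]($aces | Where-Object {
            $_.ActiveDirectoryRights.HasFlag($rights::ExtendedRight) -and
            ($_.ObjectType -eq $guid -or $_.ObjectType -eq [guid]::Empty)
        })
        [pscustomobject]@{ Right = $name; Granted = $granted }
    }
    $missing = @($status | Where-Object { -not $_.Granted })

    [pscustomobject]@{
        NamingContext  = $NamingContext
        HasFullControl = $hasFullControl
        Rights         = $status
        NeedsFix       = $hasFullControl -or $missing.Count -gt 0
    }
}
```

Run `Test-EdcReplicationAcl` for the domain partition, or `Test-EdcReplicationAcl -NamingContext (Get-ADRootDSE).configurationNamingContext` for the Configuration partition; a result with `HasFullControl` true or any right not granted matches the state dcdiag complains about.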
That's it.
Enjoy Cubert 😎
Great article! Thank you!
Thank You for this article. This has cleared the error!
Verified. Works on my 2008 environment.
Well done! Worked on my 2012 R2 server.
I see the same message but on Configuration partition and I do see Enterprise domain controllers has Full control.
But how was that applied in the first place, isn't that a default setting?
Just want to make sure I don’t break something else before restricting the permissions
starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn’t have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
CN=Configuration,DC=xxxxx,DC=xx
Worked perfectly in my environment!
Thank you SO much.
Unfortunately changed nothing for me.
Eureka! Thank you so much! Worked demoting 2003 using dcpromo and the “domain controller not found” after moving FSMO to 2008 (interim server to 2016).
Thanks for this it fixed it perfectly…I owe you a drink.