I am not planning on using RODCs, and so I did not do the adprep switch for RODC prep (I figure the less you mess with the schema, the better). However, after bringing my first win2008 DC up, I noticed that DCDIAG would fail the NCSecDesc part of the win2008 dcdiag. Interestingly, this test passed when running the win2003 dcdiag. The 2008 dcdiag.exe would fail this test whether I pointed it at the new win2008 DC or my old win2003 DC. The 2003 dcdiag.exe would pass this test regardless of which server it pointed to. Odd!
Googling wasn't any help because every single post regarding the NCSecDesc error has to do with people installing Exchange 2003 in a domain/forest with win2000 DCs. No help!
Finally I dug deep into TechNet and found the following:
If you have not run adprep /rodcprep, Dcdiag.exe returns an error when it runs the NCSecDesc test. This test checks that the security descriptors on the naming context heads have appropriate permissions for replication. The error indicates that the Enterprise Domain Controllers group does not have Replicating Directory Changes In Filtered Set access rights for the DNS application directory partitions. If you do not plan to add an RODC to the forest, you can disregard this error. If you plan to add an RODC to the forest, you must run adprep /rodcprep.
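The access right named in the TechNet text can be looked for directly in a partition head's security descriptor. This is an added example, not part of the original post or of TechNet: it assumes the descriptor is available as SDDL text, and both sample strings are constructed. The GUID is the rightsGuid of the Replicating Directory Changes In Filtered Set control access right; "ED" / S-1-5-9 is Enterprise Domain Controllers.

```python
import re

# rightsGuid of "Replicating Directory Changes In Filtered Set"
FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"
# Enterprise Domain Controllers: SDDL alias "ED", well-known SID S-1-5-9
EDC = {"ED", "S-1-5-9"}
CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS, SDDL code "CR"


def _pairs(codes):
    """Split a run of two-letter SDDL codes ("CIIO", "RPLCLORC") into a set."""
    return {codes[i:i + 2] for i in range(0, len(codes), 2)}


def _has_control_access(rights):
    if rights.lower().startswith("0x"):          # rights given as a hex mask
        return bool(int(rights, 16) & CONTROL_ACCESS)
    return "CR" in _pairs(rights.upper())        # generic rights are not expanded


def edc_has_filtered_set(sddl):
    """True if the DACL allows Enterprise Domain Controllers the filtered-set
    replication right on the object itself (inherit-only ACEs are skipped)."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))*)", sddl)
    if not dacl:
        return False
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1)):
        fields = ace.split(";")
        if len(fields) < 6:
            continue
        ace_type, flags, rights, obj, _inherit_obj, trustee = fields[:6]
        if trustee.upper() not in EDC or "IO" in _pairs(flags.upper()):
            continue
        if not _has_control_access(rights):
            continue
        # An empty object GUID with CR covers every control access right.
        if obj and obj.lower() != FILTERED_SET:
            continue
        if ace_type in ("A", "OA"):
            return True
        if ace_type in ("D", "OD"):              # first matching ACE decides
            return False
    return False


# Constructed samples: a DNS partition head before and after the ACE is present.
BEFORE = "O:DAG:DAD:AI(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(A;;RPLCLORC;;;AU)"
AFTER = BEFORE + "(OA;;CR;" + FILTERED_SET + ";;ED)"
```

A `False` result for the DomainDnsZones or ForestDnsZones partition head corresponds to the condition the 2008 NCSecDesc test reports.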
Wes, I would strongly consider running the update. If done properly, schema updates are a breeze. Also, I suspect that AD-aware apps -- like DCDIAG -- are going to assume that you're RODC-aware.