NCSecDesc and DCdiag

G

Guest

I have been experiencing some very strange issues with member servers falling
off of the domain, rebooting these boxes reconnects them, during the time the
machine fall of of the domain, no domain authentication occurs for the apps,
which causes production applications to fail. In an attempt to diagnose the
issue I ran DCDiag against all of our Windows 2000 Domain controllers.
Initially I ran the tool from my XP pro SP2 wrkstn and on two of the five DCs
i recieved the following failures:

Starting test: NCSecDesc
Error XXXXX\Domain Controllers doesn't have
Replicating Directory Changes All
access rights for the naming context:
DC=XXXXXX,DC=net
......................... BRSPDC2 failed test NCSecDesc

the error is the same on both DC's. I then ran the same tool locally on the
DCs to confirm this..... of course they then passed the test!

Does anyone know why it failed from my workstation and not when it ran
locally on the server? which one is correct? why did three of the DCs pass
this test when run from the workstation? could the NCSecDesc be responsible
for my AD domain problems?
 
C

Chriss3 [MVP]

Yes it looks like you having a security issue that prevents the domain
controllers from talking to each other.

I suggest you to restore the default permission for your naming contexts,
well if you have customized permission at this level you need to re-assign
tem.

Install Windows Support Tools from your Windows Server CD. Use the dsacls
tool to restore the default permission, se syntax below:

dsacls DC=domainname,DC=com /S
dsacls CN=Configuration,DC=domainname,DC=com /S

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
 
G

Guest

Thanks Christoffer,

can you tell me the implications are of this action, will it undo any
Delegations that have been assigned to the OU hierachy? are there any other
side effects which I need to be aware of?

secondly, do you know why I am getting different results when using DCdiag
as discribed in the original posting?

Regards

Ben
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

dcdiag fails with NCSecDesc error 1
dcdiag problems 1
Failed DCDiag NCSecDesc test 1
Dcdiag failed test NCSecDesc 2
running DCDIAG prior to installing new Exchange 2003 server 6
dcdiag 2
DCDiag 1
Dcdiag Error 1

Top