NCSecDesc and DCdiag

Guest
Archived from groups: microsoft.public.win2000.active_directory

I have been experiencing some very strange issues with member servers falling
off of the domain. Rebooting these boxes reconnects them. During the time the
machines fall off of the domain, no domain authentication occurs for the apps,
which causes production applications to fail. In an attempt to diagnose the
issue I ran DCDiag against all of our Windows 2000 domain controllers.
Initially I ran the tool from my XP Pro SP2 wrkstn and on two of the five DCs
I received the following failures:

Starting test: NCSecDesc
Error XXXXX\Domain Controllers doesn't have
Replicating Directory Changes All
access rights for the naming context:
DC=XXXXXX,DC=net
......................... BRSPDC2 failed test NCSecDesc

The error is the same on both DCs. I then ran the same tool locally on the
DCs to confirm this..... of course they then passed the test!

Does anyone know why it failed from my workstation and not when it ran
locally on the server? Which one is correct? Why did three of the DCs pass
this test when run from the workstation? Could the NCSecDesc be responsible
for my AD domain problems?
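
An added example, not part of the original post: Python that parses the NCSecDesc block of dcdiag output captured from several vantage points and reports the DCs where the runs disagree, as in the workstation-versus-local case described above. The sample output is constructed from the lines in the post, with placeholder domain and group names.

```python
import re

# Constructed samples modelled on the output in the post; names are placeholders.
FROM_WORKSTATION = """\
Starting test: NCSecDesc
Error EXAMPLE\\Domain Controllers doesn't have
Replicating Directory Changes All
access rights for the naming context:
DC=example,DC=net
......................... BRSPDC2 failed test NCSecDesc
"""
FROM_DC_CONSOLE = """\
Starting test: NCSecDesc
......................... BRSPDC2 passed test NCSecDesc
"""

ERROR_RE = re.compile(
    r"Error\s+(?P<principal>.+?)\s+doesn't have\s+(?P<right>.+?)\s+"
    r"access rights for the naming context:\s+(?P<nc>\S+)", re.S)
RESULT_RE = re.compile(
    r"\.{5,}\s+(?P<dc>\S+)\s+(?P<status>passed|failed) test NCSecDesc")

def parse_ncsecdesc(text):
    """Map each DC to its NCSecDesc status and the rights reported missing."""
    events = [(m.start(), m) for rx in (ERROR_RE, RESULT_RE) for m in rx.finditer(text)]
    results, pending = {}, []
    for _, m in sorted(events, key=lambda e: e[0]):
        if m.re is ERROR_RE:
            # Collapse wrapped whitespace inside the name of the right.
            pending.append((m["principal"], " ".join(m["right"].split()), m["nc"]))
        else:
            # The summary line closes the block for one DC.
            results[m["dc"]] = {"status": m["status"], "missing": pending}
            pending = []
    return results

def disagreements(runs):
    """runs maps a vantage-point label to dcdiag text; return DCs whose status differs."""
    per_dc = {}
    for vantage, text in runs.items():
        for dc, result in parse_ncsecdesc(text).items():
            per_dc.setdefault(dc, {})[vantage] = result
    return {dc: seen for dc, seen in per_dc.items()
            if len({r["status"] for r in seen.values()}) > 1}

if __name__ == "__main__":
    runs = {"workstation": FROM_WORKSTATION, "dc-console": FROM_DC_CONSOLE}
    for dc, seen in disagreements(runs).items():
        for vantage, r in seen.items():
            print(dc, vantage, r["status"], r["missing"])
```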
 
Guest

Yes, it looks like you are having a security issue that prevents the domain
controllers from talking to each other.

I suggest you restore the default permissions for your naming contexts.
Well, if you have customized permissions at this level you need to re-assign
them.

Install Windows Support Tools from your Windows Server CD. Use the dsacls
tool to restore the default permissions, see the syntax below:

dsacls DC=domainname,DC=com /S
dsacls CN=Configuration,DC=domainname,DC=com /S

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
------------------------------------------------
http://www.chrisse.se - Active Directory Tips

"DespairUK" <DespairUK@discussions.microsoft.com> wrote in message
news:12B73FA6-2ECE-4583-B4EF-66C4ED9307B5@microsoft.com...
> I have been experiencing some very strange issues with member servers
> falling off of the domain. Rebooting these boxes reconnects them. During
> the time the machines fall off of the domain, no domain authentication
> occurs for the apps, which causes production applications to fail. In an
> attempt to diagnose the issue I ran DCDiag against all of our Windows 2000
> domain controllers. Initially I ran the tool from my XP Pro SP2 wrkstn and
> on two of the five DCs I received the following failures:
>
> Starting test: NCSecDesc
> Error XXXXX\Domain Controllers doesn't have
> Replicating Directory Changes All
> access rights for the naming context:
> DC=XXXXXX,DC=net
> ......................... BRSPDC2 failed test NCSecDesc
>
> The error is the same on both DCs. I then ran the same tool locally on
> the DCs to confirm this..... of course they then passed the test!
>
> Does anyone know why it failed from my workstation and not when it ran
> locally on the server? Which one is correct? Why did three of the DCs
> pass this test when run from the workstation? Could the NCSecDesc be
> responsible for my AD domain problems?
 
Guest

Thanks Christoffer,

Can you tell me what the implications are of this action? Will it undo any
delegations that have been assigned to the OU hierarchy? Are there any other
side effects which I need to be aware of?

Secondly, do you know why I am getting different results when using DCdiag
as described in the original posting?

Regards

Ben
