I'm trying to clean up our domain to eliminate errors and warnings when running DCDIAG and other tools. Following is one problem I had and the associated resolution:
Running DCDIAG on any of our domain controllers (all are Windows Server 2008 R2) resulted in the following error:
Starting test: NCSecDesc
Error OURDOMAIN\Enterprise Read-only Domain Controllers doesn't have
Replicating Directory Changes
access rights for the naming context:
DC=ourdomain,DC=com
Verifying the Problem:
Using Active Directory Users and Computers (ADUC) and navigating to \Users, verify the existence of a Security Group called "Enterprise Read-only Domain Controllers". In our case, that group already existed. Exit ADUC.
Using ADSIEDIT, right-click on Naming Context "DC=ourdomain,DC=com", choose "Properties", click the "Security" tab and verify that "Enterprise Read-only Domain Controllers" shows in the "Group or user names" pane. In our case, that group was missing.
Resolution:
In ADSIEDIT, click the "Add" button, type the group name "Enterprise Read-only Domain Controllers" and click "OK". Next, highlight "Enterprise Read-only Domain Controllers" in the "Group or user names:" pane and then scroll down in the "Permissions:" pane to find "Replicating Directory Changes". Enable (check) the box in the "Allow" column to the right of "Replicating Directory Changes" and press "OK".
Exit ADSIEDIT and re-run DCDIAG. This solved the problem in our case.
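As an added example (not part of the original write-up), the same verification and fix can be scripted with the RSAT ActiveDirectory PowerShell module instead of clicking through ADSIEDIT. It assumes the module is installed, that you run it as a domain administrator, and that the naming context to check is the domain DN that DCDIAG reported; the extended right's GUID is looked up from the schema rather than hard-coded.

```powershell
# Added example: check (and optionally restore) the "Replicating Directory Changes"
# extended right for Enterprise Read-only Domain Controllers on the domain naming context.
# Run as a domain admin with the RSAT ActiveDirectory module present; run with -Fix to grant it.
param([switch]$Fix)

Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName            # e.g. DC=ourdomain,DC=com
$group    = Get-ADGroup -Identity 'Enterprise Read-only Domain Controllers'
$groupSid = [System.Security.Principal.SecurityIdentifier]$group.SID

# Resolve the rightsGuid of "Replicating Directory Changes" from CN=Extended-Rights
$configNc  = (Get-ADRootDSE).ConfigurationNamingContext
$right     = Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" `
                          -LDAPFilter '(displayName=Replicating Directory Changes)' `
                          -Properties rightsGuid
$rightGuid = [Guid]$right.rightsGuid

# Read the naming context's security descriptor through the AD: PSDrive
$acl = Get-Acl -Path "AD:\$domainDn"

# Look for an Allow ACE for the group that carries exactly this extended right
$ace = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType -eq $rightGuid -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $groupSid
}

if ($ace) {
    Write-Host "OK: $($group.Name) already holds 'Replicating Directory Changes' on $domainDn"
    return
}

Write-Warning "$($group.Name) is missing 'Replicating Directory Changes' on $domainDn (matches the DCDIAG NCSecDesc error)"

if ($Fix) {
    # Same change the ADSIEDIT steps make: Allow ExtendedRight scoped to this right's GUID
    $newAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $groupSid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $rightGuid)
    $acl.AddAccessRule($newAce)
    Set-Acl -Path "AD:\$domainDn" -AclObject $acl
    Write-Host "Granted 'Replicating Directory Changes' to $($group.Name); re-run DCDIAG to confirm"
}
```

Running it without -Fix only reports, which is useful for checking every domain in a forest before changing anything; after applying the fix, DCDIAG's NCSecDesc test should pass as described above.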