Dcdiag check error: "錯誤 NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS"

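Over the past few days our company has been migrating its AD servers to Windows 2008. After the migration I ran the dcdiag command to check their health and got the following error: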
正在啟動測試: NCSecDesc
錯誤 NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS 沒有
Replicating Directory Changes In Filtered Set
命名內容的存取權限:
CN=Schema,CN=Configuration,DC=chicheng,DC=com
……………………. ADSERVER-1 未通過測試 NCSecDesc
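After checking the official documentation I learned that the cause is that the forest was never prepared for RODCs. If your domain has no read-only DC (RODC) and you do not plan to install one in the future, you can ignore this error.
The original official explanation is as follows: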
NCSecDesc in DCDIAG is to check that the security descriptors on the application directory partition heads have appropriate permissions for replication.
It is an expected issue when you promote a Windows Server 2008 domain controller in a Windows Server 2003 domain without preparing RODC (read-only domain controller) in the forest by running ‘adprep /rodcprep’. If you do not plan to add an RODC to the forest, it is safe to ignore it. Otherwise, please run “adprep /rodcprep”.
More information about Known Issues for Installing and Removing Windows Server 2008 AD DS
http://technet2.microsoft.com/windowsserver2008/en/library/6c438941-f9b5-4edb-a9ee-1781526389e51033.mspx?mfr=true
By the way, try to turn off the firewall on the DC to check whether the problem is related to the firewall or not.
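
To confirm what NCSecDesc reports without rerunning dcdiag, the script below reads the security descriptor on each naming context head and checks for the "Replicating Directory Changes In Filtered Set" grant to ENTERPRISE DOMAIN CONTROLLERS. It is an added example, not part of the original post or of Microsoft's reply; it assumes PowerShell 2.0 or later on a domain-joined machine, an account that can read the descriptors, and the function name Test-FilteredSetAce is hypothetical.

```powershell
# Added example: look for the ACE whose absence makes NCSecDesc fail.
# Assumption: run on a domain-joined host with read access to the NC heads.

# Well-known SID of NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
$EdcSid = 'S-1-5-9'
# rightsGuid of the control access right
# "Replicating Directory Changes In Filtered Set"
$FilteredSetGuid = [Guid]'89e95b76-444d-4c62-991a-0facbeda640c'

# Hypothetical helper: returns $true when the rules contain an Allow ACE
# granting the extended right to ENTERPRISE DOMAIN CONTROLLERS.
function Test-FilteredSetAce($Rules) {
    $hit = $Rules | Where-Object {
        $_.IdentityReference.Value -eq $EdcSid -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        # An empty ObjectType GUID on an ExtendedRight ACE means "all extended rights"
        ($_.ObjectType -eq $FilteredSetGuid -or $_.ObjectType -eq [Guid]::Empty)
    }
    return [bool]$hit
}

# Enumerate every naming context this DC hosts (domain, Configuration,
# Schema and any application partitions) from RootDSE.
$rootDse = [ADSI]'LDAP://RootDSE'
foreach ($nc in $rootDse.namingContexts) {
    $head = [ADSI]"LDAP://$nc"
    # Explicit and inherited ACEs, with trustees returned as SIDs
    $rules = $head.psbase.ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    New-Object PSObject -Property @{
        NamingContext     = $nc
        HasFilteredSetAce = Test-FilteredSetAce $rules
    }
}
```

A naming context listed with HasFilteredSetAce = False corresponds to the partition dcdiag names in its NCSecDesc error.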
