I'm not sure of a way to link a GPO to a SID as they're all randomly created for your domain.
Windows Server 2008 Domain Controllers fail NcSecDesc (Naming Context Security Descriptors) test when dcdiag is run - Ravindra Pamidi's Blog - Site Home - TechNet Blogs
Says if I don't plan to run RODC then disregard this message
That's correct. Server 2008 or later allows you to have Read Only Domain Controllers as an option.
By inserting your installation disc and running:
You can do this live on your FSMO role holder without restarting the server. This will then replicate out to your other DCs. When you run dcdiag that error should no longer appear.
Even without this I shouldn't be getting this error when doing a gp-update on the printserver.
May have to flatten it and build it again.
Still having problems with this. I don't really want to flatten the server and start again.
Bump. Hitting a wall with this
If everything else runs OK on the server and depending what other services you're running on it, you could run dcpromo, demote it as a DC, reboot, then re-promote it as a DC. Any bad info would be lost as it would replicate from the remaining good DCs.
If DNS etc. is correct then in theory you should be able to demote. If it isn't correct you will get errors, that's for certain.