Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have Replicating Directory Changes In Filtered Set

The other day I came across an error while troubeshooting a problem I had from a run of dcdiag:

Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
   Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=my,DC=domain
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
   Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=my,DC=domain

This indicates a permission problem with the ENTERPRISE DOMAIN CONTROLLERS security group and it's ability to replicate directorty changes in a filtered set.

 To resolve this issue we go to adsiedit on our PDC >> Action >> "Connect to..." >> "Select a type or a Distinguished Name or Naming Context" and enter (replacing the obvious):

DC=ForestDnsZones,DC=my,DC=domain

Expand the new tree node and right hand-click on "DC=ForestDnsZones,DC=my,DC=domain" >> Properties >> Security

and identify the security group "ENTERPRISE DOMAIN CONTROLLERS" and ensure that the "Replicating Directory Changes In Filtered Set" is ticked / set to allowed.

We should then do exactly the same for the "DC=DomainDnsZones,DC=my,DC=domain" partition.

Ensure dcdiag now returns OK and then....




We then proceed by going onto the DC with the permission issues and syncing the changes while specifying the source sever as our PDC:

repadmin /syncall myPDC /APed