Hi,
Open command prompt and run "net share" on each DC to confirm the SYSVOL and NETLOGON shares are available.
Run "repadmin /replsum" and "ipconfig /all" on the problem DC and post the result.
Ensure the following on each DC:
Each DC / DNS server points to its private IP address as the primary DNS server and other internal/remote DNS servers as secondary DNS in the TCP/IP properties.
Each DC has just one IP address; if multiple NICs are present, disable the unused NICs. The active NIC should be on top in the NIC bind order.
Once you are done with the above, open a command prompt and run "ipconfig /flushdns & ipconfig /registerdns", then restart the DNS server and NETLOGON service on each DC.
Dcdiag fails for the NCSecDesc test:
If you have not run adprep /rodcprep, Dcdiag.exe will return an error when it runs the NCSecDesc test. If you do not plan to add an RODC to the forest, you can disregard this error. If you plan to add an RODC to the forest, you must run adprep /rodcprep.
http://support.microsoft.com/kb/967482
Another DCDIAG error message, regarding Group Policy:
"The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description."
As per Microsoft:
"This problem occurs on new 2008 DC in to a 2003 domain because the version number of the KRBTGT account increases when you perform an authoritative restoration. The KRBTGT account is a service account that is used by the Kerberos Key Distribution Center (KDC) service."
See KB939820 for a hotfix applicable to Microsoft Windows Server 2003: http://support.microsoft.com/kb/939820
Reference: http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/3fdc100f-16cb-4d4d-b1ca-4ce00bc7bbcc/
Reference: https://social.technet.microsoft.com/Forums/lync/en-US/3a1dde0e-f49b-4909-baa3-1832ddb8f47b/windows-2008-r2-error-events-with-ldap-sysvol-and-group-policy?forum=winserverDS
Regards,
Vicky
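
The per-DC checks listed in the post above (SYSVOL/NETLOGON shares, a single IP address, own IP as primary DNS), as an added read-only example that is not part of the original post. It assumes a local, elevated PowerShell session on each DC; the function name Test-DcBaseline is hypothetical, and the WMI classes used are the standard Win32_Share and Win32_NetworkAdapterConfiguration.

```powershell
# Added example: read-only audit of the DC checks from the post. Changes nothing.
# Assumption: run locally and elevated on each DC (works with PowerShell 2.0 WMI cmdlets).

function Test-DcBaseline {
    $findings = @()

    # 1. SYSVOL and NETLOGON must both be shared (same data "net share" shows).
    $shares = @(Get-WmiObject -Class Win32_Share | ForEach-Object { $_.Name })
    foreach ($required in 'SYSVOL', 'NETLOGON') {
        if ($shares -notcontains $required) {
            $findings += "Share $required is missing"
        }
    }

    # 2. Exactly one IP-enabled NIC, carrying exactly one IPv4 address.
    $nics = @(Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
    if ($nics.Count -ne 1) {
        $findings += "Expected 1 IP-enabled NIC, found $($nics.Count)"
    }

    foreach ($nic in $nics) {
        # IPAddress also lists IPv6 entries; keep dotted-quad IPv4 only.
        $ipv4 = @($nic.IPAddress | Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' })
        if ($ipv4.Count -ne 1) {
            $findings += "$($nic.Description): $($ipv4.Count) IPv4 addresses configured"
        }

        # 3. The first DNS server in the list should be this DC's own private IP.
        $dns = @($nic.DNSServerSearchOrder | Where-Object { $_ })
        if ($dns.Count -eq 0) {
            $findings += "$($nic.Description): no DNS servers configured"
        } elseif ($ipv4 -notcontains $dns[0]) {
            $findings += "$($nic.Description): primary DNS $($dns[0]) is not this DC's own IP"
        }
    }
    return $findings
}

$result = @(Test-DcBaseline)
if ($result.Count -eq 0) { 'All baseline checks passed' } else { $result }
```

Any finding it prints corresponds to one of the items to correct before flushing and re-registering DNS and restarting the DNS and NETLOGON services.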