This was a real pain and we ended up having to call Microsoft and spend several hours to resolve what seem to be a simple issue.  When running dcdiag you get an error that the NCSecDesc test failed with:
 Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn’t have     Replicating Directory Changes In Filtered Set  access rights for the naming context:  DC=cosgro,DC=com
Normally running adprep /rodcprep at the command line would correct… Continue reading