The Active Directory® directory service was unable to correctly create the default security descriptor for a newly created application directory partition.
Active Directory was unable to correctly create the default security descriptor for the following application directory partition.
Application directory partition: %3
Error value: %1 %2
Review the access control list (ACL) on the newly created application directory partition. Ensure that the Replication Get Changes All access right is assigned to the Enterprise Domain Controllers group, and then remove that right from the Domain Controllers group for the domain.
For more information, see:
Microsoft Help and Support for Microsoft Windows Server 2008 and above
Microsoft Knowledge Base