Help me resolve the event id 4013 error
C:\Users\administrator.domen>dcdiag
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = SERVER02
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\SERVER02
Starting test: Connectivity
......................... SERVER02 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\SERVER02
Starting test: Advertising
......................... SERVER02 passed test Advertising
Starting test: FrsEvent
......................... SERVER02 passed test FrsEvent
Starting test: DFSREvent
......................... SERVER02 passed test DFSREvent
Starting test: SysVolCheck
......................... SERVER02 passed test SysVolCheck
Starting test: KccEvent
......................... SERVER02 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... SERVER02 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... SERVER02 passed test MachineAccount
Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=domen,DC=local
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=domen,DC=local
......................... SERVER02 failed test NCSecDesc
Starting test: NetLogons
......................... SERVER02 passed test NetLogons
Starting test: ObjectsReplicated
......................... SERVER02 passed test ObjectsReplicated
Starting test: Replications
......................... SERVER02 passed test Replications
Starting test: RidManager
......................... SERVER02 passed test RidManager
Starting test: Services
......................... SERVER02 passed test Services
Starting test: SystemLog
......................... SERVER02 passed test SystemLog
Starting test: VerifyReferences
......................... SERVER02 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : domen
Starting test: CheckSDRefDom
......................... domen passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... domen passed test CrossRefValidation
Running enterprise tests on : domen.local
Starting test: LocatorCheck
......................... domen.local passed test LocatorCheck
Starting test: Intersite
......................... domen.local passed test Intersite
C:\Users\administrator.domen>
mvohid, take a look at http://social.technet.microsoft.com/Forums/ru-RU/ws2008r2ru/thread/a92e30d3-cf44-4e86-b020-3899ca2880f6?prof=required&ppud=4 isn't that your case?
I mean raising the forest and domain levels to 2008
my forest level has been raised to 2008,
regarding adprep /rodcprep, would it be right if I make the main server an RODC?
here are the results of repadmin /showreps
C:\Users\administrator.domen>repadmin /showreps
Default-First-Site-Name\SERVER02
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 93def85f-04fe-4c5a-a1cb-1ee6a4412782
DSA invocationID: c5da453f-e8c3-4370-b32b-44598c5bf242
==== INBOUND NEIGHBORS ======================================
DC=domen,DC=local
Default-domen-Site-Name\SERVER05 via RPC
DSA object GUID: 885712f9-9d83-48d4-a81b-fb4d0065f012
Last attempt @ 2012-11-08 19:45:31 was successful.
CN=Configuration,DC=domen,DC=local
Default-First-Site-Name\SERVER05 via RPC
DSA object GUID: 885712f9-9d83-48d4-a81b-fb4d0065f012
Last attempt @ 2012-11-08 18:57:21 was successful.
CN=Schema,CN=Configuration,DC=domen,DC=local
Default-First-Site-Name\SERVER05 via RPC
DSA object GUID: 885712f9-9d83-48d4-a81b-fb4d0065f012
Last attempt @ 2012-11-08 18:57:21 was successful.
DC=DomainDnsZones,DC=domen,DC=local
Default-First-Site-Name\SERVER05 via RPC
DSA object GUID: 885712f9-9d83-48d4-a81b-fb4d0065f012
Last attempt @ 2012-11-08 18:57:21 was successful.
DC=ForestDnsZones,DC=domen,DC=local
Default-First-Site-Name\SERVER05 via RPC
DSA object GUID: 885712f9-9d83-48d4-a81b-fb4d0065f012
Last attempt @ 2012-11-08 18:57:21 was successful.
mvohid, not yet
Show the output of the command
netdom query fsmo
C:\Users\administrator.domen>netdom query fsmo
Schema master SERVER02.domen.local
Domain naming master SERVER02.domen.local
PDC SERVER02.domen.local
RID pool manager SERVER02.domen.local
Infrastructure master SERVER02.domen.local
The command completed successfully.
C:\Users\administrator.domen>
adprep /rodcprep
After that, run replication and see whether the NCSecDesc error appears when running dcdiag. If everything goes smoothly, reboot SERVER02. We'll see whether 4013 appears
adprep /rodcprep, if I'm not mistaken, will make my main server read-only, is that right?
No. It won't.
This command updates the security descriptors for the application directory partitions in order to grant read-only domain controllers permission to replicate updates in those partitions.
http://technet.microsoft.com/ru-ru/library/dd464018(v=ws.10).aspx
when running adprep /rodcprep an error is displayed: Adprep could not contact a replica for partition
I found the article http://support.microsoft.com/kb/949257/ru
which says:
This problem occurs if the Adprep /rodcprep command tries to contact the infrastructure master for each application partition in the forest. The command does this to set the permissions that are required for read-only domain controller (RODC) replication. The Adprep /rodcprep command fails if one of the following conditions is true:
The partition or partitions referenced in the error message no longer exist.
The infrastructure master for the referenced partition or partitions has been forcibly demoted or is offline.
the infrastructure master is the server itself, judging by the results of netdom query fsmo, so it turns out there are referenced partitions that do not exist. but which partitions? and I can't figure out how to fix it?
C:\Users\administrator.domen>netdom query fsmo
Schema master SERVER02.domen.local
Domain naming master SERVER02.domen.local
PDC SERVER02.domen.local
RID pool manager SERVER02.domen.local
Infrastructure master SERVER02.domen.local
The command completed successfully.
results of adprep /rodcprep
C:\Users\administrator.domen\adprep32 /rodcprep
Adprep connected to the domain FSMO: SERVER02.domen.local.
==============================================================================
Adprep found partition DC=DomainDnsZones,DC=domen,DC=local, and is about to upda
te the permissions.
Adprep could not contact a replica for partition DC=DomainDnsZones,DC=domen,DC=l
ocal.
Adprep encountered an LDAP error.
Error code: 0x0. Server extended error code: 0x0, Server error message: (null).
Adprep failed the operation on partition DC=DomainDnsZones,DC=domen,DC=local. Sk
ipping to next partition.
==============================================================================
==============================================================================
Adprep found partition DC=ForestDnsZones,DC=domen,DC=local, and is about to upda
te the permissions.
Adprep could not contact a replica for partition DC=ForestDnsZones,DC=domen,DC=l
ocal.
Adprep encountered an LDAP error.
Error code: 0x0. Server extended error code: 0x0, Server error message: (null).
Adprep failed the operation on partition DC=ForestDnsZones,DC=domen,DC=local. Sk
ipping to next partition.
==============================================================================
Adprep detected the operation on partition DC=domen,DC=local has been performed.
Skipping to next partition.
==============================================================================
Adprep completed with errors. Not all partitions are updated. See the ADPrep.log
in the C:\Windows\debug\adprep\logs\20121109122754 directory for more informati
on.
To successfully update all partititions, the current logged on user needs to be
a member of Enterprise Admins group. If that is not the case, please correct th
e problem, and then restart Adprep.
http://support.microsoft.com/kb/967482/en-us
so, in general, there is nothing to worry about.
To successfully update all partititions, the current logged on user needs to be
a member of Enterprise Admins group. If that is not the case, please correct th
e problem, and then restart Adprep.
show the output of
whoami /groups
The account you run it under must be a member of the "Enterprise Admins" group
I'm running it as admin.
results of whoami /groups
C:\Users\administrator.domen\adprep 2008R2>whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID
Attributes
============================================ ================ ==================
========================== =====================================================
==========
Everyone Well-known group S-1-1-0
Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544
Mandatory group, Enabled by default, Enabled group, G
roup owner
BUILTIN\Remote Desktop Users Alias S-1-5-32-555
Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545
Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554
Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4
Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11
Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15
Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0
Mandatory group, Enabled by default, Enabled group
domen\Group Policy Creator Owners Group S-1-5-21-146794427
9-327693325-4125921288-520 Mandatory group, Enabled by default, Enabled group
domen\Domain Admins Group S-1-5-21-146794427
9-327693325-4125921288-512 Mandatory group, Enabled by default, Enabled group
domen\Schema Admins Group S-1-5-21-146794427
9-327693325-4125921288-518 Mandatory group, Enabled by default, Enabled group
domen\Enterprise Admins Group S-1-5-21-146794427
9-327693325-4125921288-519 Mandatory group, Enabled by default, Enabled group
domen\Denied RODC Password Replication Group Alias S-1-5-21-146794427
9-327693325-4125921288-572 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Unknown SID type S-1-16-12288
Mandatory group, Enabled by default, Enabled group, L
ocal Group
C:\Users\
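The condition from KB 949257 quoted in the thread (an application partition whose infrastructure master is gone) can be checked read-only, as an added example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later) and a domain controller that hosts the DNS application partitions; the function name is hypothetical.

```powershell
# Added example, not from the thread. Read-only: it changes nothing in the directory.
# Assumes the ActiveDirectory module; Get-AppPartitionInfraOwner is a hypothetical name.
Import-Module ActiveDirectory

function Get-AppPartitionInfraOwner {
    param([string]$Server = $env:COMPUTERNAME)

    $rootDse = Get-ADRootDSE -Server $Server
    # crossRef objects with systemFlags bits 1 (NTDS naming context) and 4 (not
    # replicated to GCs) are application partitions such as DomainDnsZones.
    $filter = '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=5))'
    $crossRefs = Get-ADObject -Server $Server `
        -SearchBase "CN=Partitions,$($rootDse.configurationNamingContext)" `
        -LDAPFilter $filter -Properties nCName

    foreach ($cr in $crossRefs) {
        $owner  = $null
        $status = 'OK'
        try {
            # Each partition keeps its infrastructure master in fSMORoleOwner
            # on CN=Infrastructure,<partition DN>.
            $infra = Get-ADObject -Server $Server -ErrorAction Stop `
                -Identity "CN=Infrastructure,$($cr.nCName)" -Properties fSMORoleOwner
            $owner = $infra.fSMORoleOwner

            # A role owner whose NTDS Settings object was deleted appears as a
            # mangled DN containing "\0ADEL:"; otherwise confirm the object exists.
            if (-not $owner) {
                $status = 'No owner set'
            } elseif ($owner -match '\\0ADEL:') {
                $status = 'Owner deleted (stale reference)'
            } else {
                try   { $null = Get-ADObject -Server $Server -Identity $owner -ErrorAction Stop }
                catch { $status = 'Owner object not found' }
            }
        } catch {
            $status = "Infrastructure object unreadable: $($_.Exception.Message)"
        }
        New-Object PSObject -Property @{
            Partition = $cr.nCName; InfrastructureOwner = $owner; Status = $status
        }
    }
}

Get-AppPartitionInfraOwner | Format-List Partition, InfrastructureOwner, Status
```

A partition reported with a stale or missing owner matches the second condition in the KB text quoted above.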