|
Task
|
Permissions Required to Perform Task
|
|
Create a Site / Add a Site
|
CC on cn=Sites, cn=Configuration, dc=<ForestRootDomain> (to create objects of class Site)
|
|
Specify the location of a Site
|
WP on the corresponding site object, cn=<Site>, cn=Sites, cn=Configuration, dc=<forestRootDomain> to modify the Location attribute
|
|
Associate a Group Policy with a Site
|
WP on the corresponding site object, cn=<Site>, cn=Sites, cn=Configuration, dc=<forestRootDomain> to modify the GP-Link attribute
WP on the corresponding site object, cn=<Site>, cn=Sites, cn=Configuration, dc=<forestRootDomain> to modify the GP-Options attribute
|
|
Modify Site Group Policy Options
|
WP on the corresponding site object, cn=<Site>, cn=Sites, cn=Configuration, dc=<forestRootDomain> to modify the GP-Options attribute
|
|
Disable automatic topology generation for a site
|
WP on cn=NTDSSiteSettings, cn=<SiteName>, cn=Sites, cn=Configuration, dc=<ForestRootDomain>, where <SiteName> is the name of the site, to modify the options attribute
|
|
Disable automatic topology cleanup for a site
|
WP on cn=NTDSSiteSettings, cn=<SiteName>, cn=Sites, cn=Configuration, dc=<ForestRootDomain>, where <SiteName> is the name of the site, to modify the options attribute
|
|
Disable minimum hops topology for a site
|
WP on cn=NTDSSiteSettings, cn=<SiteName>, cn=Sites, cn=Configuration, dc=<ForestRootDomain>, where <SiteName> is the name of the site, to modify the options attribute
|
|
Disable automatic stale server detection for a site
|
WP on cn=NTDSSiteSettings, cn=<SiteName>, cn=Sites, cn=Configuration, dc=<ForestRootDomain>, where <SiteName> is the name of the site, to modify the options attribute
|
|
Disable automatic inter-site topology generation for a site
|
WP on cn=NTDSSiteSettings, cn=<SiteName>, cn=Sites, cn=Configuration, dc=<ForestRootDomain>, where <SiteName> is the name of the site, to modify the options attribute
|
|
Disable Inbound Replication on a DC
|
WP on the corresponding NTDS Settings object with distinguished name cn=NTDS Settings, cn=<Computer-Name>, cn=Servers, cn=<SiteName>,cn=Sites,cn=Configuration, dc=<forestRootDomain> to modify the options attribute
|
|
Disable Outbound Replication on a DC
|
WP on the corresponding NTDS Settings object with distinguished name cn=NTDS Settings, cn=<Computer-Name>, cn=Servers, cn=<SiteName>,cn=Sites,cn=Configuration, dc=<forestRootDomain> to modify the options attribute
|
|
Delete a Site
|
SD on the site object itself OR DC on cn=Sites, cn=Configuration, dc=<ForestRootDomain> (to delete objects of class Site).
Note: DC on the parent grants permission to delete all objects under the parent (or, if a class is specified, only objects of the specified class).
|
|
Create a Subnet / Add a Subnet
|
CC on cn=Subnets, cn=Sites, cn=Configuration, dc=<ForestRootDomain> (to create objects of type Subnet)
|
|
Specify the location of a Subnet
|
WP on the corresponding subnet object, cn=<Subnet>, cn=Subnets, cn=Sites, cn=Configuration, dc=<forestRootDomain> to modify the Location attribute
|
|
Associate a Subnet with a Site
|
WP on the corresponding subnet object cn=<SubnetName>, cn=Subnets, cn=Sites, cn=Configuration, dc=<ForestRootDomain> to modify the siteObject attribute
|
|
Delete a Subnet
|
DC on cn=Subnets, cn=Sites, cn=Configuration, dc=<ForestRootDomain> (to delete objects of class Subnet)
|
|
Create a Site Link
|
CC on cn=IP, cn=Inter-Site Transports, cn=Sites, cn=Configuration, dc=<ForestRootDomain> OR on cn=SMTP, cn=Inter-Site Transports, cn=Sites, cn=Configuration, dc=<ForestRootDomain> (to create objects of class siteLink)
|
|
Add/Remove sites to/from a Site Link
|
WP on cn=<siteLink>, cn=IP, cn=Inter-Site Transports, cn=Sites, cn=Configuration, dc=<ForestRootDomain> OR on cn=<siteLink>, cn=SMTP, cn=Inter-Site Transports, cn=Sites, cn=Configuration, dc=<ForestRootDomain> where <siteLink> is the site link to/from which a new site is being added/removed, to modify the site-list attribute
|
|
Modify the cost associated with a site link
|
WP on the siteLink object cn=<SiteLink>, cn=IP, cn=Inter-Site Transports, cn=Sites, cn=Configuration, dc=<ForestRootDomain> OR on the siteLink object cn=<SiteLink>, cn=SMTP, cn=Inter-Site Transports, cn=Sites, cn=Configuration, dc=<ForestRootDomain> where the <SiteLink> identifies the associated site link, to modify the cost attribute.
|
|
Modify the replication period associated with a site link / Control link availability
|
WP on the siteLink object cn=<SiteLink>, cn=IP, cn=Inter-Site Transports, cn=Sites, cn=Configuration, dc=<ForestRootDomain> where the <SiteLink> identifies the associated site link, to modify the Repl-Interval attribute
|
|
Modify the replication schedule for a site link
|
WP on the corresponding site link object cn=<siteLink>, cn=IP, cn=Inter-Site Transports, cn=Sites, cn=Configuration, dc=<ForestRootDomain> OR on cn=<siteLink>,cn=SMTP, cn=Inter-Site Transports, cn=Sites, cn=Configuration, dc=<ForestRootDomain>, to modify the schedule attribute
|
|
Delete a Site Link
|
DC on cn=IP, cn=Inter-Site Transports, cn=Sites, cn=Configuration, dc=<ForestRootDomain> OR on cn=SMTP, cn=Inter-Site Transports, cn=Sites, cn=Configuration, dc=<ForestRootDomain> (to delete objects of class siteLink)
|
|
Create a Site Link bridge (object)
|
CC on cn=IP, cn=Inter-Site Transports, cn=Sites, cn=Configuration, dc=<ForestRootDomain> OR on cn=SMTP, cn=Inter-Site Transports, cn=Sites, cn=Configuration, dc=<ForestRootDomain> (to create objects of class siteLinkBridge)
|
|
Add/Remove sites to/from a Site Link Bridge
|
WP on cn=<siteLinkBridge>, cn=IP, cn=Inter-Site Transports, cn=Sites, cn=Configuration, dc=<ForestRootDomain> OR on cn=<siteLinkBridge>, cn=SMTP, cn=Inter-Site Transports, cn=Sites, cn=Configuration, dc=<ForestRootDomain> where <siteLinkBridge> is the site link bridge to/from which a new site is being added/removed, to modify the site-link-list attribute
|
|
Create a single bridge for the entire network / Turn off the “Bridge all site links” option for IP/SMTP transport
|
WP on the corresponding (IP/SMTP) interSiteTransport object cn=IP, cn=Inter-Site Transports, cn=Sites, cn=Configuration, dc=<ForestRootDomain> OR on cn=SMTP, cn=Inter-Site Transports, cn=Sites, cn=Configuration, dc=<ForestRootDomain>, to modify the options attribute
|
|
Enable Reciprocal Replication between sites (only for IP transport links)
|
WP on cn=<SiteLink>, cn=IP, cn=Inter-Site Transports, cn=Sites, cn=Configuration, dc=<ForestRootDomain> where <SiteLink> identifies the associated site link, to modify the options attribute
|
|
Enable Change Notification between sites (only for IP transport links)
|
WP on cn=<SiteLinkName>, cn=IP, cn=Inter-Site Transports, cn=Sites, cn=Configuration, dc=<ForestRootDomain> where <SiteLinkName> identifies the associated site link, to modify the options attribute
|
|
Delete a Site Link bridge (object)
|
DC on cn=IP, cn=Inter-Site Transports, cn=Sites, cn=Configuration, dc=<ForestRootDomain> OR on cn=SMTP, cn=Inter-Site Transports, cn=Sites, cn=Configuration, dc=<ForestRootDomain> (to delete objects of class siteLinkBridge)
|
|
Create a Connection (object)
|
CC on cn=NTDSSettings, cn=<ServerName>, cn=Servers, cn=<SiteName>, cn=Sites, cn=Configuration, dc=<ForestRootDomain> where <ServerName> is the name of the DC to which the connection is inbound (to create objects of class NTDS-Connection)
|
|
Take ownership of a KCC-generated connection object
|
WP on cn=<ConnectionName>, cn=NTDSSettings, cn=<ServerName>, cn=Servers, cn=<SiteName>, cn=Sites, cn=Configuration, dc=<ForestRootDomain> where <ConnectionName> is the name of the KCC-generated connection, to modify the options attribute
|
|
Manually set a schedule for connection objects
|
WP on cn=<ConnectionName>, cn=NTDSSettings, cn=<ServerName>, cn=Servers, cn=<SiteName>, cn=Sites, cn=Configuration, dc=<ForestRootDomain> where <ConnectionName> is the name of the KCC-generated connection, to modify the options attribute
|
|
Enable/disable data compression for intersite replication
|
WP on cn=<ConnectionName>, cn=NTDSSettings, cn=<ServerName>, cn=Servers, cn=<SiteName>, cn=Sites, cn=Configuration, dc=<ForestRootDomain> where <ConnectionName> is the name of the KCC-generated connection, to modify the options attribute
|
|
Delete a Connection (object)
|
DC on cn=NTDSSettings, cn=<ServerName>, cn=Servers, cn=<SiteName>, cn=Sites, cn=Configuration, dc=<ForestRootDomain> where <ServerName> is the name of the DC to which the connection is inbound (to delete objects of class NTDS-Connection)
Note: An NTDS-Connection object created by the KCC should not be deleted. If it is, the KCC will regenerate it. Only a manually created NTDS-Connection object might be deleted.
|
|
Change the default setting for the intra-site replication schedule within a site
|
WP on cn=NTDSSiteSettings, cn=<SiteName>, cn=Sites, cn=Configuration, dc=<ForestRootDomain>, where <SiteName> is the name of the site, to modify the schedule attribute
|
|
Designate / Remove a preferred bridgehead server
|
WP on cn=<ServerName>, cn=Servers, cn=<SiteName>, cn=Sites, cn=Configuration, dc=<ForestRootDomain> where <ServerName> is the name of the server being designated as a Preferred Bridgehead server, to modify the Bridgehead-Transport-List attribute
|
|
Replace a failed Preferred Bridgehead Server
|
Do one of the following: Add new domain controllers as preferred bridgehead servers for the corresponding directory partitions, site and transport
- OR -
Remove all preferred bridgehead designations made for the corresponding site and transport (for the corresponding directory partition), in which case KCC selects new ones automatically; remove them for each domain directory partition and for each transport on a DC in each affected site
|
|
Specify a fixed-port for RPC-based replication
|
WP on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters to modify the registry entry TCP/IP Port
|
|
Adjust default size of packets that transport Active Directory replication data
|
The following registry entries (with registry path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters) are added/modified (with the REG_DWORD data type):
- For RPC replication within a site: Replicator intra site packet size (objects) & Replicator intra site packet size (bytes)
- For RPC replication between sites: Replicator inter site packet size (objects) & Replicator inter site packet size (bytes)
- For SMTP replication within a site: Replicator async inter site packet size (objects) & Replicator async inter site packet size (bytes)
Thus, delegating the operation requires the permissions needed to create and/or modify these registry keys.
|
|
Increase the level of detail logged by the KCC in the event log
|
WP on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics to modify the 1 Knowledge Consistency Checker entry
|
|
Modify the interval at which the KCC runs its first replication topology after the DC starts
|
WP on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters to modify the registry entry Repl topology update delay (secs)
|
|
Modify the interval at which the KCC checks the replication topology (after it has run the first time)
|
WP on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters to modify the registry entry Repl topology update period (secs)
|
|
Force Replication Topology Generation
|
Extended right Manage Replication Topology needed on cn=configuration, dc=<forestRootDomain>
|
|
Modify the holdback timer that determines the interval between the time a change is made and the time that the source server notifies its replication partners within a site
|
WP on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters to modify the registry entry Replicator notify pause after modify (secs)
|
|
Modify the default delay between notifications to all the replication partners of a DC
|
WP on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters to modify Replicator notify pause between DSAs (secs)
|
|
Force replication between two servers
|
Extended right Replication Synchronization needed on cn=configuration, dc=<forestRootDomain>
|
|
Force a synchronization between two servers
|
Extended right Replication Synchronization needed on cn=configuration, dc=<forestRootDomain>
|
|
Set a DC not to contact the PDC emulator if the PDC emulator role owner is not in the current site
|
WP on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters to modify the registry entry AvoidPdcOnWan
|
|
Modify the thresholds that make the KCC exclude non-responding servers when it recognizes that a DC has failed or is unresponsive
|
The following registry entries (with registry path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters) are added/modified (with the REG_DWORD data type):
- For replication between sites: IntersiteFailuresAllowed and MaxFailureTimeForIntersiteLink (secs)
- For optimizing connections within a site: NonCriticalLinkFailuresAllowed and MaxFailureTimeForNonCriticalLink
- For immediate neighbor connections within a site: CriticalLinkFailuresAllowed and MaxFailureTimeForCriticalLink
Thus, delegating the operation requires the permissions needed to create and/or modify these registry keys.
|
|
Get Replication Latency Information
|
In Windows 2000, Extended right Manage Replication Topology needed on domain NC head
In Windows Server 2003, Extended right Monitor Replication Topology or Manage Replication Topology needed on domain NC head
|
|
Get Pending operations on DC (Queue Length)
|
In Windows 2000, Extended right Manage Replication Topology needed on domain NC head
In Windows Server 2003, Extended right Monitor Replication Topology or Manage Replication Topology needed on domain NC head
|
|
Check Replication Status
|
In Windows 2000, Extended right Manage Replication Topology needed on domain NC head
In Windows Server 2003, Extended right Monitor Replication Topology or Manage Replication Topology needed on domain NC head
|
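The abbreviations CC, DC, WP and SD in the table match the SDDL access-right mnemonics (Create Child, Delete Child, Write Property, Standard Delete), so a delegation on a site, subnet or transport container can be reviewed from the object's SDDL string. The following is an added example, not part of the original table: it lists which non-default trustees hold those rights or the three extended rights named above. The sample SDDL, its SIDs, the placeholder class GUID and the choice of "default" trustees are constructed assumptions.

```python
import re

# SDDL mnemonics for the rights used in the table, with their access-mask bits.
BITS = {"CC": 0x1, "DC": 0x2, "WP": 0x20, "CR": 0x100, "SD": 0x10000}
# rightsGuid values of the extended rights the table names.
EXTENDED = {
    "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2": "Manage Replication Topology",
    "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2": "Replication Synchronization",
    "f98340fb-7c5b-4cdb-a00b-2ebdfa115a96": "Monitor Replication Topology",
}
# Assumption: these SDDL aliases (Enterprise/Domain Admins, Administrators,
# SYSTEM) are expected to hold full rights and are not reported.
DEFAULT_ADMINS = {"EA", "DA", "BA", "SY"}

def delegated_rights(sddl):
    """Return (trustee, right, scope) for allow ACEs held by other trustees."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        ace_type, _flags, rights, obj_guid, _inh_guid, trustee = ace.split(";")[:6]
        if ace_type not in ("A", "OA") or trustee in DEFAULT_ADMINS:
            continue  # deny ACEs and default administrators are skipped
        if rights.startswith("0x"):  # rights written as a hex access mask
            mask = int(rights, 16)
            held = [name for name, bit in BITS.items() if mask & bit]
        else:  # rights written as concatenated two-letter mnemonics
            pairs = re.findall("..", rights)
            held = list(BITS) if "GA" in pairs else [p for p in pairs if p in BITS]
        for right in held:
            # "any" = ACE is not limited to one class, attribute or extended right
            scope = obj_guid.lower() or "any"
            if right == "CR":
                scope = EXTENDED.get(scope, scope)
            findings.append((trustee, right, scope))
    return findings

# Constructed sample: SIDs are made up; PLACEHOLDER_CLASS stands in for a class GUID.
PLACEHOLDER_CLASS = "00000000-0000-0000-0000-000000000001"
SITE_OPS = "S-1-5-21-1111111111-2222222222-3333333333-1105"
REPL_OPS = "S-1-5-21-1111111111-2222222222-3333333333-1106"
SAMPLE_SDDL = (
    "O:EAG:EAD:(A;;RPWPCCDCLCSWRCWDWOSD;;;EA)"
    f"(OA;CI;CCDC;{PLACEHOLDER_CLASS};;{SITE_OPS})"
    f"(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;{REPL_OPS})"
    "(A;;RPLCRC;;;AU)"
)

if __name__ == "__main__":
    for row in delegated_rights(SAMPLE_SDDL):
        print(row)
```

Each reported row can be checked against the table to see which site, subnet or replication tasks the trustee is effectively able to perform.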