Task | Permissions Required to Perform Task |
---|---|
Create a Site / Add a Site | CC on cn=Sites, cn=Configuration, dc=<ForestRootDomain> (to create objects of class Site) |
Specify the location of a Site | WP on the corresponding site object, cn=<Site>, cn=Sites, cn=Configuration, dc=<forestRootDomain> to modify the Location attribute |
Associate a Group Policy with a Site | WP on the corresponding site object, cn=<Site>, cn=Sites, cn=Configuration, dc=<forestRootDomain> to modify the GP-Link attribute; WP on the corresponding site object, cn=<Site>, cn=Sites, cn=Configuration, dc=<forestRootDomain> to modify the GP-Options attribute |
Modify Site Group Policy Options | WP on the corresponding site object, cn=<Site>, cn=Sites, cn=Configuration, dc=<forestRootDomain> to modify the GP-Options attribute |
Disable automatic topology generation for a site | WP on cn=NTDSSiteSettings, cn=<SiteName>, cn=Sites, cn=Configuration, dc=<ForestRootDomain> where the <SiteName> is the name of the site, to modify the options attribute |
Disable automatic topology cleanup for a site | WP on cn=NTDSSiteSettings, cn=<SiteName>, cn=Sites, cn=Configuration, dc=<ForestRootDomain> where the <SiteName> is the name of the site, to modify the options attribute |
Disable minimum hops topology for a site | WP on cn=NTDSSiteSettings, cn=<SiteName>, cn=Sites, cn=Configuration, dc=<ForestRootDomain> where the <SiteName> is the name of the site, to modify the options attribute |
Disable automatic stale server detection for a site | WP on cn=NTDSSiteSettings, cn=<SiteName>, cn=Sites, cn=Configuration, dc=<ForestRootDomain> where the <SiteName> is the name of the site, to modify the options attribute |
Disable automatic inter-site topology generation for a site | WP on cn=NTDSSiteSettings, cn=<SiteName>, cn=Sites, cn=Configuration, dc=<ForestRootDomain> where the <SiteName> is the name of the site, to modify the options attribute |
Disable Inbound Replication on a DC | WP on the corresponding NTDS Settings object with distinguished name cn=NTDS Settings, cn=<Computer-Name>, cn=Servers, cn=<SiteName>,cn=Sites,cn=Configuration, dc=<forestRootDomain> to modify the options attribute |
Disable Outbound Replication on a DC | WP on the corresponding NTDS Settings object with distinguished name cn=NTDS Settings, cn=<Computer-Name>, cn=Servers, cn=<SiteName>,cn=Sites,cn=Configuration, dc=<forestRootDomain> to modify the options attribute |
Delete a Site | SD on the site object itself OR DC on cn=Sites, cn=Configuration, dc=<ForestRootDomain> (to delete objects of class Site). Note: DC on parent will grant permission to delete all objects under the parent (and if class is specified, then only all objects of specified class). |
Create a Subnet / Add a Subnet | CC on cn=Subnets, cn=Sites, cn=Configuration, dc=<ForestRootDomain> (to create objects of type Subnet) |
Specify the location of a Subnet | WP on the corresponding subnet object, cn=<Subnet>, cn=Subnets, cn=Sites, cn=Configuration, dc=<forestRootDomain> to modify the Location attribute |
Associate a Subnet with a Site | WP on the corresponding subnet object cn=<SubnetName>, cn=Subnets, cn=Sites, cn=Configuration, dc=<ForestRootDomain> to modify the siteObject attribute |
Delete a Subnet | DC on cn=Subnets, cn=Sites, cn=Configuration, dc=<ForestRootDomain> (to delete objects of class Subnet) |
Create a Site Link | CC on cn=IP, cn=Inter-Site Transports, cn=Sites, cn=Configuration, dc=<ForestRootDomain> OR on cn=SMTP, cn=Inter-Site Transports, cn=Sites, cn=Configuration, dc=<ForestRootDomain> (to create objects of class siteLink) |
Add/Remove sites to/from a Site Link | WP on cn=<siteLink>, cn=IP, cn=Inter-Site Transports, cn=Sites, cn=Configuration, dc=<ForestRootDomain> OR on cn=<siteLink>, cn=SMTP, cn=Inter-Site Transports, cn=Sites, cn=Configuration, dc=<ForestRootDomain> where <siteLink> is the site link to/from which a new site is being added/removed, to modify the site-list attribute |
Modify the cost associated with a site link | WP on the siteLink object cn=<SiteLink>, cn=IP, cn=Inter-Site Transports, cn=Sites, cn=Configuration, dc=<ForestRootDomain> OR on the siteLink object cn=<SiteLink>, cn=SMTP, cn=Inter-Site Transports, cn=Sites, cn=Configuration, dc=<ForestRootDomain> where the <SiteLink> identifies the associated site link, to modify the cost attribute. |
Modify the replication period associated with a site link / Control link availability | WP on the siteLink object cn=<SiteLink>, cn=IP, cn=Inter-Site Transports, cn=Sites, cn=Configuration, dc=<ForestRootDomain> where the <SiteLink> identifies the associated site link, to modify the Repl-Interval attribute |
Modify the replication schedule for a site link | WP on the corresponding site link object cn=<siteLink>, cn=IP, cn=Inter-Site Transports, cn=Sites, cn=Configuration, dc=<ForestRootDomain> OR on cn=<siteLink>,cn=SMTP, cn=Inter-Site Transports, cn=Sites, cn=Configuration, dc=<ForestRootDomain>, to modify the schedule attribute |
Delete a Site Link | DC on cn=IP, cn=Inter-Site Transports, cn=Sites, cn=Configuration, dc=<ForestRootDomain> OR on cn=SMTP, cn=Inter-Site Transports, cn=Sites, cn=Configuration, dc=<ForestRootDomain> (to delete objects of class siteLink) |
Create a Site Link bridge (object) | CC on cn=IP, cn=Inter-Site Transports, cn=Sites, cn=Configuration, dc=<ForestRootDomain> OR on cn=SMTP, cn=Inter-Site Transports, cn=Sites, cn=Configuration, dc=<ForestRootDomain> (to create objects of class siteLinkBridge) |
Add/Remove sites to/from a Site Link Bridge | WP on cn=<siteLinkBridge>, cn=IP, cn=Inter-Site Transports, cn=Sites, cn=Configuration, dc=<ForestRootDomain> OR on cn=<siteLinkBridge>, cn=SMTP, cn=Inter-Site Transports, cn=Sites, cn=Configuration, dc=<ForestRootDomain> where <siteLinkBridge> is the site link bridge to/from which a new site is being added/removed, to modify the site-link-list attribute |
Create a single bridge for the entire network / Turn off the “Bridge all site links” option for IP/SMTP transport | WP on the corresponding (IP/SMTP) interSiteTransport object cn=IP, cn=Inter-Site Transports, cn=Sites, cn=Configuration, dc=<ForestRootDomain> OR on cn=SMTP, cn=Inter-Site Transports, cn=Sites, cn=Configuration, dc=<ForestRootDomain>, to modify the options attribute |
Enable Reciprocal Replication between sites (only for IP transport links) | WP on cn=<SiteLink>, cn=IP, cn=Inter-Site Transports, cn=Sites, cn=Configuration, dc=<ForestRootDomain> where <SiteLink> identifies the associated site link, to modify the options attribute |
Enable Change Notification between sites (only for IP transport links) | WP on cn=<SiteLinkName>, cn=IP, cn=Inter-Site Transports, cn=Sites, cn=Configuration, dc=<ForestRootDomain> where the SiteLinkName identifies the associated site link, to modify the options attribute |
Delete a Site Link bridge (object) | DC on cn=IP, cn=Inter-Site Transports, cn=Sites, cn=Configuration, dc=<ForestRootDomain> OR on cn=SMTP, cn=Inter-Site Transports, cn=Sites, cn=Configuration, dc=<ForestRootDomain> (to delete objects of class siteLinkBridge) |
Create a Connection (object) | CC on cn=NTDSSettings, cn=<ServerName>, cn=Servers, cn=<SiteName>, cn=Sites, cn=Configuration, dc=<ForestRootDomain> where ServerName is the name of the DC to which the connection is inbound (to create objects of class NTDS-Connection) |
Take ownership of a KCC-generated connection object | WP on cn=<ConnectionName>, cn=NTDSSettings, cn=<ServerName>, cn=Servers, cn=<SiteName>, cn=Sites, cn=Configuration, dc=<ForestRootDomain> where <ConnectionName> is the name of the KCC-generated connection, to modify the options attribute |
Manually set a schedule for connection objects | WP on cn=<ConnectionName>, cn=NTDSSettings, cn=<ServerName>, cn=Servers, cn=<SiteName>, cn=Sites, cn=Configuration, dc=<ForestRootDomain> where <ConnectionName> is the name of the KCC-generated connection, to modify the options attribute |
Enable/disable data compression for intersite replication | WP on cn=<ConnectionName>, cn=NTDSSettings, cn=<ServerName>, cn=Servers, cn=<SiteName>, cn=Sites, cn=Configuration, dc=<ForestRootDomain> where <ConnectionName> is the name of the KCC-generated connection, to modify the options attribute |
Delete a Connection (object) | DC on cn=NTDSSettings, cn=<ServerName>, cn=Servers, cn=<SiteName>, cn=Sites, cn=Configuration, dc=<ForestRootDomain> where ServerName is the name of the DC to which the connection is inbound (to delete objects of class NTDS-Connection). Note: An NTDS-Connection object created by the KCC should not be deleted. If it is, the KCC will regenerate it. Only a manually created NTDS-Connection object might be deleted. |
Change the default setting for the intra-site replication schedule within a site | WP on cn=NTDSSiteSettings, cn=<SiteName>, cn=Sites, cn=Configuration, dc=<ForestRootDomain> where the <SiteName> is the name of the site, to modify the schedule attribute |
Designate / Remove a preferred bridgehead server | WP on cn=<ServerName>, cn=Servers, cn=<SiteName>, cn=Sites, cn=Configuration, dc=<ForestRootDomain> where ServerName is the name of the server being designated as a Preferred Bridgehead server, to modify the Bridgehead-Transport-List attribute |
Replace a failed Preferred Bridgehead Server | Do one of the following: Add new domain controllers as preferred bridgehead servers for the corresponding directory partitions, site and transport - OR - Remove all preferred bridgehead designations made for the corresponding site and transport (for the corresponding directory partition), in which case KCC selects new ones automatically; remove them for each domain directory partition and for each transport on a DC in each affected site |
Specify a fixed-port for RPC-based replication | WP on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters to modify the registry entry TCP/IP Port |
Adjust default size of packets that transport Active Directory replication data | The following registry entries (with registry path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters) are added/modified (with the REG_DWORD data type): For RPC replication within a site: Replicator intra site packet size (objects) & Replicator intra site packet size (bytes); For RPC replication between sites: Replicator inter site packet size (objects) & Replicator inter site packet size (bytes); For SMTP replication within a site: Replicator async inter site packet size (objects) & Replicator async inter site packet size (bytes). Thus, appropriate permissions required to create and/or modify these registry keys will be required to delegate the operation |
Increase the level of detail logged by the KCC in the event log | WP on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics to modify the 1 Knowledge Consistency Checker entry |
Modify the interval at which the KCC runs its first replication topology after the DC starts | WP on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters to modify the registry entry Repl topology update delay (secs) |
Modify the interval at which the KCC checks the replication topology (after it has run the first time) | WP on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters to modify the registry entry Repl topology update period (secs) |
Force Replication Topology Generation | Extended right Manage Replication Topology needed on cn=configuration, dc=<forestRootDomain> |
Modify the holdback timer that determines the interval between the time a change is made and the time that the source server notifies its replication partners within a site | WP on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters to modify the registry entry Replicator notify pause after modify (secs) |
Modify the default delay between notifications to all the replication partners of a DC | WP on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters to modify Replicator notify pause between DSAs (secs) |
Force replication between two servers | Extended right Replication Synchronization needed on cn=configuration, dc=<forestRootDomain> |
Force a synchronization between two servers | Extended right Replication Synchronization needed on cn=configuration, dc=<forestRootDomain> |
Set a DC not to contact the PDC emulator if the PDC emulator role owner is not in the current site | WP on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters to modify the registry entry AvoidPdcOnWan |
Modify the thresholds that make the KCC exclude non-responding servers when it recognizes that a DC has failed or is unresponsive | The following registry entries (with registry path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters) are added/modified (with the REG_DWORD data type): For replication between sites: IntersiteFailuresAllowed and MaxFailureTimeForIntersiteLink (secs); For optimizing connections within a site: NonCriticalLinkFailuresAllowed and MaxFailureTimeForNonCriticalLink; For immediate neighbor connections within a site: CriticalLinkFailuresAllowed and MaxFailureTimeForCriticalLink. Thus, appropriate permissions required to create and/or modify these registry keys will be required to delegate the operation |
Get Replication Latency Information | In Windows 2000, Extended right Manage Replication Topology needed on domain NC head. In Windows Server 2003, Extended right Monitor Replication Topology or Manage Replication Topology needed on domain NC head |
Get Pending operations on DC (Queue Length) | In Windows 2000, Extended right Manage Replication Topology needed on domain NC head. In Windows Server 2003, Extended right Monitor Replication Topology or Manage Replication Topology needed on domain NC head |
Check Replication Status | In Windows 2000, Extended right Manage Replication Topology needed on domain NC head. In Windows Server 2003, Extended right Monitor Replication Topology or Manage Replication Topology needed on domain NC head |
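
The CC, DC, WP and SD abbreviations in the table are the SDDL right codes that appear in an object's security descriptor, so an exported DACL can be checked for who already holds them. The following is an added example, not part of the original page: it decodes a DACL in SDDL form (letter codes or a hex mask, which goes beyond the table's notation) and lists allow ACEs granting those rights, or the replication extended rights named above, to trustees outside an expected set. The sample DACL, its SIDs, the all-zero class GUID and the expected-trustee list are assumptions.

```python
import re

# Access-mask bits behind the two-letter SDDL codes (the table uses CC, DC, WP, SD).
MASK = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
        "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
        "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000}
# Rights that allow a task from the table, plus control-access and ACL takeover.
SENSITIVE = {"CC", "DC", "WP", "SD", "CR", "WD", "WO"}
# rightsGuid values of the replication extended rights the table names.
EXTENDED = {
    "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2": "Manage Replication Topology",
    "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2": "Replication Synchronization",
    "f98340fb-7c5b-4cdb-a00b-2ebdfa115a96": "Monitor Replication Topology",
}
# Assumption: EA, DA, SYSTEM and built-in Administrators are expected holders.
EXPECTED = {"EA", "DA", "SY", "BA"}

def decode_rights(rights):
    """Turn an SDDL rights field (letter codes or hex mask) into a code set."""
    if rights.lower().startswith("0x"):
        value = int(rights, 16)
        return {code for code, bit in MASK.items() if value & bit}
    return set(re.findall(r"[A-Z]{2}", rights))

def delegated_aces(sddl):
    """List allow ACEs that give sensitive rights to unexpected trustees."""
    findings = []
    for ace in re.findall(r"\(([^()]*)\)", sddl):
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] not in ("A", "OA"):
            continue  # skip deny, audit and malformed entries
        _type, flags, rights, obj, _inherit, trustee = fields[:6]
        codes = decode_rights(rights)
        hits = SENSITIVE if "GA" in codes else codes & SENSITIVE
        if hits and trustee not in EXPECTED:
            findings.append({"trustee": trustee, "rights": sorted(hits),
                             "object": EXTENDED.get(obj.lower(), obj or "any"),
                             "inherited": "ID" in flags})
    return findings

# Constructed DACL for cn=Sites; SIDs and the all-zero class GUID are placeholders.
SAMPLE = ("O:EAG:EAD:(A;;RPWPCCDCLCSWRCWDWOSDDTCR;;;EA)(A;;RPLCLORC;;;AU)"
          "(OA;CI;CCDC;00000000-0000-0000-0000-000000000001;;S-1-5-21-1-2-3-1104)"
          "(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1105)"
          "(A;CIID;WP;;;S-1-5-21-1-2-3-1106)")

if __name__ == "__main__":
    print(*delegated_aces(SAMPLE), sep="\n")
```

An ACE whose object field is empty applies the right to every child class, attribute or extended right, which is why the third finding reports `any`.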