Implementing the Domain Configuration Operators Role

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Use the following procedure to implement the domain configuration operators role.

To implement the one required instance of the Domain Configuration Operators role

  1. Create an OU called Service Management in every domain (OU=Service Management, DC=<domain>).

  2. Create a Domain Local Group called <Domain-Name> Domain Config Ops in this domain’s Service Management OU (ou=Service Management, dc=<Domain>).

  3. Grant this group the permissions required to perform the assigned installation management tasks.

    1. Grant this group the Install Replica extended right on the following objects:

      • DC=<domain>

    2. Grant this group the DS-Replication-Get-Changes extended right on the following objects:

      • DC=<domain>

      • CN=Configuration, DC=<Forest-Root-Domain>

      • CN=Schema, CN=Configuration, DC=<Forest-Root-Domain>

    3. Grant this group the DS-Replication-Manage-Topology extended right on the following objects:

      • DC=<domain>

      • CN=Configuration, DC=<Forest-Root-Domain>

      • CN=Schema, CN=Configuration, DC=<Forest-Root-Domain>

    4. In a Windows 2000 Active Directory environment, additionally grant this group the DS-Replication-Get-Changes-All extended right on the following objects:

      • DC=<domain>

      • CN=Configuration, DC=<Forest-Root-Domain>

      • CN=Schema, CN=Configuration, DC=<Forest-Root-Domain>

    5. In a Windows 2000 Active Directory environment, additionally grant this group the DS-Replication-Monitor-Topology extended right on the following objects:

      • DC=<domain>

      • CN=Configuration, DC=<Forest-Root-Domain>

      • CN=Schema, CN=Configuration, DC=<Forest-Root-Domain>

    6. Grant this group the following permissions:

      • Read All Properties on CN=Sites, CN=Configuration, DC=<Forest-Root-Domain> (Inheritable – apply onto this object and all child objects)

      • Create All Child Objects on CN=Servers, CN=<Site>, CN=Sites, CN=Configuration, DC=<Forest-Root-Domain> (Inheritable – apply onto this object and all child objects)

      • Create Computer objects on OU=Domain Controllers,DC=<domain>

      • Full Control to “Creator Owner” on CN=Sites, CN=Configuration, DC=<Forest-Root-Domain> (Inheritable – apply onto this object and all child objects)

    7. Grant this group the “Enable computer and user accounts to be trusted for delegation” user right by modifying the default domain controller security policy for this domain.

      Note

      This is a very powerful user right and in general should be granted with care.

    8. Finally, when a member of this group needs to add a replica DC, that member must be granted Full Control on the computer object representing the server that is being promoted and must be made a member of the local Administrators group on that computer.

  4. Grant this group the permissions required to perform the assigned Operations Master role management tasks.

    1. Grant this group the Change-RID-Master extended right on cn=RID Manager$, cn=System, dc=<Domain>

    2. Grant this group the Change-PDC extended right on dc=<Domain>

    3. Grant this group the Change-Infrastructure-Master extended right on dc=<Domain>

    4. Grant this group Write-Property permissions to write the fSMORoleOwner property on cn=RID Manager$, cn=System, dc=<Domain>

    5. Grant this group Write-Property permissions to write the fSMORoleOwner property on dc=<Domain>

    6. Grant this group Write-Property permissions to write the fSMORoleOwner property on cn=Infrastructure, dc=<Domain>

  5. Grant this group the permissions required to protect and manage the Domain Controllers OU:

    • Grant the group Full Control over the Domain Controllers OU, OU=Domain Controllers, DC=<domain>

  6. Grant this group the permissions required to protect and manage content stored in the System container:

    • Grant the group Full Control over the System container, CN=System, DC=<domain> (Inheritable – apply onto this object and all child objects)

  7. Grant this group permissions required to raise the Domain Functionality level:

    • Grant this group Write-Property permissions to write the ms-DS-behavior-version property on dc=<Domain>

  8. Grant this group permissions required to restore Active Directory from backup if and when necessitated

    1. Grant this group the “Restore Files and Directories” user right by modifying the default domain controller security policy for this domain.

    2. To perform an authoritative restore, a member of this group will require the credentials of the special Administrator account available only in Directory Services Restore Mode.

      Note

      As one alternative to the above, the pre-defined Domain Admins security group (CN=Domain Admins, CN=Users, DC=<Forest-Root-Domain>) can be used to represent this role. The Enterprise Admins security group has sufficient permissions required to carry out all the responsibilities assigned to this role. As another alternative to the above, an organization could choose to delegate a customized version of this role. All the permissions required to delegate an Active Directory administrative task are specified in Appendix A: Active Directory Administrative Tasks.
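The extended-right and Write-Property grants from steps 3.1 to 3.3, step 4 and step 7 of the procedure above, expressed as an added PowerShell example. This is not code from the original page or from Microsoft; it assumes the ActiveDirectory module and the AD: drive it provides (available with RSAT on Windows Server 2008 R2 and later, not on the Windows Server 2003 systems this page targets), a domain named contoso.com, and a group named CONTOSO Domain Config Ops whose sAMAccountName is that same string (all hypothetical). Rather than hard-coding GUIDs, it resolves each control access right from CN=Extended-Rights and each attribute from the schema of the forest it runs in, and it finishes with an audit query that lists exactly which ACEs the group now holds on the domain naming context, which is the check to repeat after any later change.

```powershell
# Added example, not part of the original page: delegate the rights from steps 3.1-3.3, 4 and 7
# to the Domain Config Ops group. Assumes the ActiveDirectory module, the AD: PSDrive, and a
# group named "CONTOSO Domain Config Ops" (hypothetical). Run as a member of Domain Admins.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainNC = $rootDse.defaultNamingContext          # e.g. DC=contoso,DC=com
$configNC = $rootDse.configurationNamingContext    # CN=Configuration,DC=contoso,DC=com
$schemaNC = $rootDse.schemaNamingContext           # CN=Schema,CN=Configuration,DC=contoso,DC=com

$groupName = 'CONTOSO Domain Config Ops'           # hypothetical <Domain-Name> Domain Config Ops group
$group     = Get-ADGroup -Identity $groupName
$sid       = [System.Security.Principal.SecurityIdentifier]$group.SID

# Resolve the rightsGuid of a control access right from its schema name (e.g. DS-Replication-Get-Changes)
function Get-ExtendedRightGuid([string]$Name) {
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
        -LDAPFilter "(&(objectClass=controlAccessRight)(name=$Name))" -Properties rightsGuid
    if (-not $right) { throw "Extended right '$Name' not found under CN=Extended-Rights" }
    return [Guid]$right.rightsGuid
}

# Resolve the schemaIDGUID of an attribute from its LDAP display name (e.g. fSMORoleOwner)
function Get-AttributeGuid([string]$LdapDisplayName) {
    $attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" -Properties schemaIDGUID
    if (-not $attr) { throw "Attribute '$LdapDisplayName' not found in the schema" }
    return [Guid][byte[]]$attr.schemaIDGUID
}

# Append a single Allow ACE for the group to the DACL of the object at $Dn.
# No inheritance flags are set, so the ACE applies to that object only, as the procedure specifies.
function Grant-AdRight([string]$Dn, [System.DirectoryServices.ActiveDirectoryRights]$Rights, [Guid]$ObjectType) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow, $ObjectType)
    $acl = Get-Acl -Path "AD:\$Dn"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

$extended  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# Step 3.1: Install Replica on the domain naming context only
Grant-AdRight $domainNC $extended (Get-ExtendedRightGuid 'DS-Install-Replica')

# Steps 3.2 and 3.3: replication rights on the domain, configuration and schema naming contexts
foreach ($nc in @($domainNC, $configNC, $schemaNC)) {
    foreach ($rightName in 'DS-Replication-Get-Changes', 'DS-Replication-Manage-Topology') {
        Grant-AdRight $nc $extended (Get-ExtendedRightGuid $rightName)
    }
}

# Step 4: role-transfer extended right plus Write-Property on fSMORoleOwner, per role holder object
$fsmoAttr    = Get-AttributeGuid 'fSMORoleOwner'
$roleObjects = @{
    'Change-RID-Master'            = "CN=RID Manager`$,CN=System,$domainNC"
    'Change-PDC'                   = $domainNC
    'Change-Infrastructure-Master' = "CN=Infrastructure,$domainNC"
}
foreach ($entry in $roleObjects.GetEnumerator()) {
    Grant-AdRight $entry.Value $extended  (Get-ExtendedRightGuid $entry.Key)
    Grant-AdRight $entry.Value $writeProp $fsmoAttr
}

# Step 7: Write-Property on msDS-Behavior-Version of the domain (raise domain functional level)
Grant-AdRight $domainNC $writeProp (Get-AttributeGuid 'msDS-Behavior-Version')

# Audit: every ACE the group now holds on the domain naming context. ObjectType shows the
# right or attribute GUID; anything beyond the intended ones is a finding to investigate.
$netbiosName = (Get-ADDomain).NetBIOSName
(Get-Acl -Path "AD:\$domainNC").Access |
    Where-Object { $_.IdentityReference.Value -eq "$netbiosName\$groupName" } |
    Select-Object ActiveDirectoryRights, ObjectType, AccessControlType, InheritanceType |
    Format-Table -AutoSize
```

Steps 3.4 and 3.5 (the Windows 2000-only rights) and step 3.6 (the Sites and Servers container permissions, which do use inheritance) are deliberately left out; they follow the same pattern with the matching right names and, for step 3.6, an `ActiveDirectorySecurityInheritance` value passed to the `ActiveDirectoryAccessRule` constructor. Because DS-Replication-Get-Changes permits reading replicated directory data, the closing audit query is worth scheduling as a recurring check rather than running it only once at delegation time.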