Implementing the Replication Management Admins Role

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Use the following procedure to implement the replication management admins role.

  1. Create a Domain Local Group called <Forest-Name> Replication Management Admins in the Service Management OU (ou=Service Management, dc=<Forest Root Domain>).

  2. Grant this group the following extended rights:

    1. Grant the DS-Replication-Manage-Topology (Manage Replication Topology) extended right on CN=Configuration, DC=<Forest Root Domain>

    2. Grant the DS-Replication-Manage-Topology (Manage Replication Topology) extended right on CN=Schema, CN=Configuration, DC=<Forest Root Domain>

    3. Grant the DS-Replication-Manage-Topology (Manage Replication Topology) extended right on all domain partition heads, including the forest root domain

  3. Grant this group the following permissions on the Sites container (CN=Sites, CN=Configuration, DC=<Forest-Root-Domain>):

    • Create Site objects (non-inheritable)

    • Delete Site objects (non-inheritable)

    • Create Connection objects (inheritable)

    • Delete Connection objects (inheritable)

    • Write All Properties on this object and all child objects (inheritable)

  4. Grant this group the following permissions on the Subnets container (CN=Subnets, CN=Sites, CN=Configuration, DC=<Forest-Root-Domain>):

    • Create Subnet objects (inheritable)

    • Delete Subnet objects (inheritable)

    • Write All Properties on Subnet objects (inheritable)

  5. Grant this group the following permissions on the Inter-Site Transports container (CN=Inter-Site Transports, CN=Sites, CN=Configuration, DC=<Forest-Root-Domain>):

    • Create Site Link objects (non-inheritable)

    • Delete Site Link objects (non-inheritable)

    • Write All Properties on Site Link objects (inheritable)
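As an added example, not part of the original article, the five steps above expressed as a PowerShell script that calls the built-in dsadd.exe and dsacls.exe tools. The forest name contoso.com, its NetBIOS name CONTOSO, the group description and the list of domain partition heads are assumed placeholders; the script must run with Enterprise Admin credentials.

```powershell
# Added example: applies steps 1-5 of the procedure with dsadd.exe and dsacls.exe.
# Assumed values (replace before use): forest root domain contoso.com, NetBIOS name CONTOSO.
$forestDn  = "DC=contoso,DC=com"
$groupName = "contoso.com Replication Management Admins"   # <Forest-Name> Replication Management Admins
$group     = "CONTOSO\$groupName"                           # DOMAIN\group form expected by dsacls
$configDn  = "CN=Configuration,$forestDn"
$sitesDn   = "CN=Sites,$configDn"

# Step 1: Domain Local security group in the Service Management OU (-scope l = domain local).
dsadd group "CN=$groupName,OU=Service Management,$forestDn" -secgrp yes -scope l `
    -desc "Delegated management of replication topology (assumed description)"

# Step 2: DS-Replication-Manage-Topology extended right (CA = control access right, addressed
# by its display name) on the Configuration and Schema partition heads and on every domain
# partition head. Only the forest root domain is listed here; add each child domain's DN.
$partitionHeads = @($configDn, "CN=Schema,$configDn", $forestDn)
foreach ($dn in $partitionHeads) {
    dsacls $dn /G "${group}:CA;Manage Replication Topology"
}

# Step 3: Sites container. CC/DC = create/delete child objects of the named class.
# No /I switch: the ACE applies to this object only (non-inheritable).
dsacls $sitesDn /G "${group}:CC;site" "${group}:DC;site"
# /I:T = this object and all sub-objects (inheritable): connection objects and Write All Properties.
dsacls $sitesDn /I:T /G "${group}:CC;nTDSConnection" "${group}:DC;nTDSConnection" "${group}:WP"

# Step 4: Subnets container. Create/delete subnet objects, inheritable; then Write All
# Properties limited to subnet objects ("WP;;subnet" = no property filter, inherited object
# type subnet) with /I:S = sub-objects only.
$subnetsDn = "CN=Subnets,$sitesDn"
dsacls $subnetsDn /I:T /G "${group}:CC;subnet" "${group}:DC;subnet"
dsacls $subnetsDn /I:S /G "${group}:WP;;subnet"

# Step 5: Inter-Site Transports container. Create/delete site links on this object only;
# Write All Properties inheritable to siteLink objects.
$transportsDn = "CN=Inter-Site Transports,$sitesDn"
dsacls $transportsDn /G "${group}:CC;siteLink" "${group}:DC;siteLink"
dsacls $transportsDn /I:S /G "${group}:WP;;siteLink"

# Review the resulting ACEs on the containers before handing the group to its members.
dsacls $sitesDn
dsacls $subnetsDn
dsacls $transportsDn
```

Running dsacls with only the object DN, as at the end of the script, prints the current ACL so the granted ACEs and their inheritance flags can be checked against steps 3 to 5.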

Note

In Active Directory, the creator of an object also becomes the owner of the object. The owner of the object has the implicit permission to give away ownership and to control access to the object. Thus, a delegated administrator who can create objects can grant other users permissions on the object created and can additionally use inheritance to grant himself or herself, or another user, permissions on all child objects in the sub-tree rooted at this object. Administrators delegating responsibility should be aware of this issue. An organization could consider creating and implementing a script that runs with Enterprise Admin credentials in the Configuration partition and takes ownership of objects that were created by delegated administrators. However, the script should be careful to ensure that it only takes ownership of objects that were created by administrators and does not take ownership of objects created by the system or by Domain Controller computer accounts.