Implementing the Forest Configuration Operators Role

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Use the following procedure to implement the forest configuration operators role.

To implement the one required instance of the Forest Configuration Operators role

  1. Create a Universal Group called <Domain-Name> Domain Config Ops in this domain’s Service Management OU (ou=Service Management, dc=<Domain>).

    Note

    If Universal groups are not available, create a Global security group.

  2. Grant this group permissions required to perform assigned Installation Management tasks.

    1. Grant this group the DS-Replication-Get-Changes extended right on the following objects:

      • CN=Configuration, DC=<Forest-Root-Domain>

      • CN=Schema, CN=Configuration, DC=<Forest-Root-Domain>

    2. Grant this group the DS-Replication-Manage-Topology extended right on the following objects:

      • CN=Configuration, DC=<Forest-Root-Domain>

      • CN=Schema, CN=Configuration, DC=<Forest-Root-Domain>

    3. In a Windows 2000 Active Directory environment, additionally grant this group the DS-Replication-Get-Changes-All extended right on the following objects:

      • CN=Configuration, DC=<Forest-Root-Domain>

      • CN=Schema, CN=Configuration, DC=<Forest-Root-Domain>

    4. In a Windows 2000 Active Directory environment, additionally grant this group the DS-Replication-Monitor-Topology extended right on the following objects:

      • CN=Configuration, DC=<Forest-Root-Domain>

      • CN=Schema, CN=Configuration, DC=<Forest-Root-Domain>

    5. Grant this group the following permissions:

      • Read All Properties on CN=Sites, CN=Configuration, DC=<Forest-Root-Domain> (Inheritable – apply onto this object and all child objects)

      • Create All Child Objects on CN=Servers, CN=<Site>, CN=Sites, CN=Configuration, DC=<Forest-Root-Domain> (Inheritable – apply onto this object and all child objects)

      • Create Computer objects on OU=Domain Controllers,DC=<domain>

      • Full Control to “Creator Owner” on CN=Sites, CN=Configuration, DC=<Forest-Root-Domain> (Inheritable – apply onto this object and all child objects)

    6. Grant this group the “Enable computer and user accounts to be trusted for delegation” user right by modifying the default domain controller security policy for this domain.

      Note

      This is a very powerful user right and in general should be granted with care.

    7. Finally, when a member of this group needs to add a replica DC, that member must be granted Full Control on the computer object representing the server that is being promoted and must be made a member of the local Administrators group on that computer.

  3. Grant this group permissions required to perform assigned Operations Master Role Management tasks.

    1. Grant this group the Change-Schema-Master extended right on CN=Schema, CN=Configuration, DC=<Forest-Root-Domain>.

    2. Grant this group the Change-Domain-Master extended right on CN=Partitions, CN=Configuration, DC=<Forest-Root-Domain>.

    3. Grant this group Write-Property permission on the fSMORoleOwner property of CN=Schema, CN=Configuration, DC=<Forest-Root-Domain>.

    4. Grant this group Write-Property permission on the fSMORoleOwner property of CN=Partitions, CN=Configuration, DC=<Forest-Root-Domain>.

  4. Grant this group permissions required to protect and manage trusts for the entire forest.

    • In each domain, grant this group the following permissions:

      • Create Trusted-Domain objects on CN=System, DC=<domain>

      • Delete Trusted-Domain objects on CN=System, DC=<domain>

      • Write-Property to all attributes on Trusted-Domain objects in CN=System, DC=<domain> (Inheritable ACE, applies to Trusted-Domain objects)

      • Additionally, if members of this group will use Active Directory trust management tools, make this group a member of the BuiltIn Admins group in the domain

      Note

      All trust management tools in Active Directory require that an administrator performing trust management using these tools be a member of the BuiltIn Admins group in the domain.

  5. Grant this group permissions required to perform LDAP policy management:

    1. Grant this group Create Child permission to create Query-Policy objects in the CN=Query-Policies, CN=Directory Service, CN=Windows NT, CN=Services, CN=Configuration, DC=<Forest-Root-Domain> container.

    2. Grant this group Delete Child permission to delete Query-Policy objects in the CN=Query-Policies, CN=Directory Service, CN=Windows NT, CN=Services, CN=Configuration, DC=<Forest-Root-Domain> container.

    3. Grant this group Write All Properties permission on Query-Policy objects in the CN=Query-Policies, CN=Directory Service, CN=Windows NT, CN=Services, CN=Configuration, DC=<Forest-Root-Domain> container (inheritable permission).

    4. Advanced LDAP policy administrative tasks, such as changing the LDAP query policies associated with a specific domain controller or with all domain controllers in a specific site, might require additional permissions. To grant these permissions, refer to Appendix A: Active Directory Administrative Tasks.

      Note

      As an alternative to the above, the pre-defined Enterprise Admins security group (CN=Enterprise Admins, CN=Users, DC=<Forest-Root-Domain>) can be used to represent this role. The Domain Admins security group has sufficient permissions to carry out all the responsibilities assigned to this role, so as a further alternative it could be used to represent the role instance specific to the domain. As another alternative, an organization could choose to delegate a customized version of this role. All the permissions required to delegate an Active Directory administrative task are specified in Appendix A: Active Directory Administrative Tasks.
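The extended-right grants in steps 2.1, 2.2, 3.1 and 3.2, as an added example that is not part of the original article: it resolves each right's GUID from CN=Extended-Rights by the same cn the procedure names, adds the ACE with System.DirectoryServices, and then reads back which principals hold a given right so the result can be checked. The group name CONTOSO\Domain Config Ops and the forest root DC=contoso,DC=com are assumed placeholders.

```powershell
# Added example (not the article's own code); CONTOSO\Domain Config Ops and
# DC=contoso,DC=com are assumed placeholders for the group and forest root.
$Group      = "CONTOSO\Domain Config Ops"
$Config     = "CN=Configuration,DC=contoso,DC=com"
$Schema     = "CN=Schema,$Config"
$Partitions = "CN=Partitions,$Config"

# Resolve an extended right's GUID from CN=Extended-Rights by the cn the
# procedure uses (e.g. DS-Replication-Get-Changes); no GUID is typed by hand.
function Get-ExtendedRightGuid([string]$Cn) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Extended-Rights,$Config"
    $searcher.Filter = "(&(objectClass=controlAccessRight)(cn=$Cn))"
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "Extended right '$Cn' not found" }
    return [Guid]$result.Properties["rightsguid"][0]
}

# Add one Allow ACE for an extended right on one object (no inheritance: the
# procedure grants these rights on the partition heads themselves).
function Grant-ExtendedRight([string]$Dn, [string]$Cn) {
    $entry = [ADSI]"LDAP://$Dn"
    $sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate([System.Security.Principal.SecurityIdentifier])
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow, (Get-ExtendedRightGuid $Cn))
    $entry.ObjectSecurity.AddAccessRule($rule)
    $entry.CommitChanges()
}

# Check: list every principal allowed a given extended right on an object.
# An empty ObjectType GUID means "all extended rights" and is reported too.
function Get-ExtendedRightHolders([string]$Dn, [string]$Cn) {
    $guid = Get-ExtendedRightGuid $Cn
    $rules = ([ADSI]"LDAP://$Dn").ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($r in $rules) {
        $isExtended = ([int]$r.ActiveDirectoryRights -band 256) -ne 0   # 256 = ExtendedRight
        if ($r.AccessControlType -eq "Allow" -and $isExtended -and
            ($r.ObjectType -eq $guid -or $r.ObjectType -eq [Guid]::Empty)) { $r.IdentityReference.Value }
    }
}
foreach ($dn in $Config, $Schema) {                       # steps 2.1 and 2.2
    foreach ($right in "DS-Replication-Get-Changes", "DS-Replication-Manage-Topology") {
        Grant-ExtendedRight $dn $right
    }
}
Grant-ExtendedRight $Schema     "Change-Schema-Master"    # step 3.1
Grant-ExtendedRight $Partitions "Change-Domain-Master"    # step 3.2
Get-ExtendedRightHolders $Config "DS-Replication-Get-Changes"
```

Steps 2.3 and 2.4 (Windows 2000 forests) are the same calls with DS-Replication-Get-Changes-All and DS-Replication-Monitor-Topology; run the check on CN=Schema as well, since it is a separate partition head with its own ACL.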