Implementing the Replication Monitoring Operators Role

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Use the following procedure to implement the replication monitoring operators role.

Procedures

  1. Create a Domain Local Group called <Forest-Name> Replication Monitoring Ops in the Service Management OU (ou=Service Management, dc=<Forest Root Domain>).

  2. In a Windows 2000 Active Directory environment, grant this group the following permissions:

    1. Grant the DS-Replication-Manage-Topology (Manage Replication Topology) extended right on CN=Configuration, DC=<Forest Root Domain>

    2. Grant the DS-Replication-Manage-Topology (Manage Replication Topology) extended right on CN=Schema, CN=Configuration, DC=<Forest Root Domain>

    3. Grant the DS-Replication-Manage-Topology (Manage Replication Topology) extended right on all domain partition heads, including the forest root domain

      Note

      In Windows 2000, the Monitor Replication Topology right does not exist, so the Manage Replication Topology right must be granted to delegate the ability to monitor replication. An individual who is granted the Manage Replication Topology extended right is sufficiently privileged to perform many security-sensitive operations, including forcing topology regeneration. It is therefore recommended that an organization put in place policies that govern the specific operations that delegated administrators in the Replication Monitoring Operators role are legally authorized to carry out. Alternatively, you could implement the Replication Management Administrators role and assign responsibility for managing and monitoring replication to the same set of delegated administrators.

  3. In a Windows Server 2003 Active Directory environment, grant this group the following permissions:

    1. Grant the DS-Replication-Monitor-Topology (Monitor Replication Topology) extended right on CN=Configuration, DC=<Forest Root Domain>

    2. Grant the DS-Replication-Monitor-Topology (Monitor Replication Topology) extended right on CN=Schema, CN=Configuration, DC=<Forest Root Domain>

    3. Grant the DS-Replication-Monitor-Topology (Monitor Replication Topology) extended right on all domain partition heads, including the forest root domain
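
Step 3 scripted in PowerShell through ADSI, as an added example that is not part of the original procedure: it grants the right on the Configuration, Schema and every domain partition head, then reads each DACL back to confirm the entry. The group name is a placeholder, and the script assumes a domain-joined host and an account allowed to modify the DACL on each partition head.

```powershell
# Added example. $groupName is a placeholder for the group created in step 1.
$groupName = 'EXAMPLE\EXAMPLE Replication Monitoring Ops'

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = [string]$rootDse.configurationNamingContext
$schemaNC = [string]$rootDse.schemaNamingContext

# Read the GUID of the extended right from the forest instead of hard-coding it.
$right     = [ADSI]"LDAP://CN=DS-Replication-Monitor-Topology,CN=Extended-Rights,$configNC"
$rightGuid = [Guid][string]$right.rightsGuid

# Domain partition heads: crossRef objects flagged as NTDS domains (systemFlags bit 0x2).
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Partitions,$configNC"
$searcher.Filter = '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
[void]$searcher.PropertiesToLoad.Add('nCName')
$targets  = @($configNC, $schemaNC)
$targets += $searcher.FindAll() | ForEach-Object { [string]$_.Properties['ncname'][0] }

# Build one allow ACE: extended right, this object only, scoped to the right's GUID.
$sidType  = [System.Security.Principal.SecurityIdentifier]
$sid      = (New-Object System.Security.Principal.NTAccount($groupName)).Translate($sidType)
$extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid, $extRight, $allow, $rightGuid

foreach ($dn in $targets) {
    $entry = [ADSI]"LDAP://$dn"
    # Read and write only the DACL, leaving owner, group and SACL untouched.
    $entry.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl
    $entry.psbase.ObjectSecurity.AddAccessRule($ace)
    $entry.psbase.CommitChanges()

    # Re-bind and confirm that an explicit ACE for the group and right is present.
    $check = [ADSI]"LDAP://$dn"
    $found = $check.psbase.ObjectSecurity.GetAccessRules($true, $false, $sidType) |
        Where-Object {
            $_.IdentityReference -eq $sid -and
            $_.ObjectType -eq $rightGuid -and
            ($_.ActiveDirectoryRights -band $extRight)
        }
    '{0}: {1}' -f $dn, $(if ($found) { 'granted' } else { 'MISSING' })
}
```

For the Windows 2000 case in step 2, the same script applies with the extended-right object name changed to DS-Replication-Manage-Topology.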