Installation Management Tasks

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The following table lists the installation management tasks.

Task: Create the first domain in a new tree in a new/existing forest
Permissions required to perform task:
- User must be member of Administrators group on member server being promoted

Task: Create a child domain in an existing domain tree
Permissions required to perform task:
- User must be member of Administrators group on member server being promoted
- The crossRef object under CN=Partitions, CN=Configuration, DC=<forestRootDomain> must be pre-created
- Inheritable RP on CN=Servers, CN=<Site>, CN=Sites, CN=Configuration, DC=<forestRootDomain>
- Inheritable CC on CN=Servers, CN=<Site>, CN=Sites, CN=Configuration, DC=<forestRootDomain>
- CC on OU=Domain Controllers, DC=<domain> to create Computer objects
- Full Control on the Computer object for the server that is being promoted
- Full Control to "Creator Owner" on CN=<Site>, CN=Sites, CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Get-Changes on CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Get-Changes on CN=Schema, CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Get-Changes-All on CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Get-Changes-All on CN=Schema, CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Manage-Topology on CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Manage-Topology on CN=Schema, CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Monitor-Topology on CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Monitor-Topology on CN=Schema, CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Synchronize on CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Synchronize on CN=Schema, CN=Configuration, DC=<forestRootDomain>

Task: Create a replica (additional Domain Controller)
Permissions required to perform task:
- User must be member of Administrators group on member server being promoted
- User Right "Enable computer and user accounts to be trusted for delegation"
- Inheritable RP on CN=Servers, CN=<Site>, CN=Sites, CN=Configuration, DC=<forestRootDomain>
- Inheritable CC on CN=Servers, CN=<Site>, CN=Sites, CN=Configuration, DC=<forestRootDomain>
- CC on OU=Domain Controllers, DC=<domain> to create Computer objects
- Full Control on the Computer object for the server that is being promoted
- Full Control to "Creator Owner" on CN=<Site>, CN=Sites, CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Install-Replica on DC=<domain>
- Extended Right DS-Replication-Get-Changes on DC=<domain>
- Extended Right DS-Replication-Get-Changes on CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Get-Changes on CN=Schema, CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Get-Changes-All on DC=<domain>
- Extended Right DS-Replication-Get-Changes-All on CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Get-Changes-All on CN=Schema, CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Manage-Topology on DC=<domain>
- Extended Right DS-Replication-Manage-Topology on CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Manage-Topology on CN=Schema, CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Monitor-Topology on DC=<domain>
- Extended Right DS-Replication-Monitor-Topology on CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Monitor-Topology on CN=Schema, CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Synchronize on DC=<domain>
- Extended Right DS-Replication-Synchronize on CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Synchronize on CN=Schema, CN=Configuration, DC=<forestRootDomain>

Task: Remove a replica
Permissions required to perform task:
- User must be member of Administrators group on member server being promoted
- User must have User Right "Allow Log on Locally"
- Full Control on the NTDS-Settings object CN=NTDS Settings, CN=<Server>, CN=<Site>, CN=Sites, CN=Configuration, DC=<forestRootDomain>, where <Server> is the DC being demoted
- Full Control on the Computer object for the server that is being promoted
- Extended Right DS-Replication-Get-Changes on DC=<domain>
- Extended Right DS-Replication-Get-Changes on CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Get-Changes on CN=Schema, CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Get-Changes-All on DC=<domain>
- Extended Right DS-Replication-Get-Changes-All on CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Get-Changes-All on CN=Schema, CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Manage-Topology on DC=<domain>
- Extended Right DS-Replication-Manage-Topology on CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Manage-Topology on CN=Schema, CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Monitor-Topology on DC=<domain>
- Extended Right DS-Replication-Monitor-Topology on CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Monitor-Topology on CN=Schema, CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Synchronize on DC=<domain>
- Extended Right DS-Replication-Synchronize on CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Synchronize on CN=Schema, CN=Configuration, DC=<forestRootDomain>

Task: Demote the last Domain Controller in a child domain
Permissions required to perform task:
- User must be member of Administrators group on member server being promoted
- User must have User Right "Allow Log on Locally"
- Full Control on CN=<crossRef>, CN=Partitions, CN=Configuration, DC=<forestRootDomain>, where <crossRef> is the crossRef for this domain
- Full Control on the NTDS-Settings object CN=NTDS Settings, CN=<Server>, CN=<Site>, CN=Sites, CN=Configuration, DC=<forestRootDomain>, where <Server> is the DC being demoted
- Full Control on the Computer object for the server that is being promoted
- Extended Right DS-Replication-Get-Changes on CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Get-Changes on CN=Schema, CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Get-Changes-All on CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Get-Changes-All on CN=Schema, CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Manage-Topology on CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Manage-Topology on CN=Schema, CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Monitor-Topology on CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Monitor-Topology on CN=Schema, CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Synchronize on CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Synchronize on CN=Schema, CN=Configuration, DC=<forestRootDomain>

Task: Demote the last Domain Controller in a tree-root domain
Permissions required to perform task:
- User must be member of Administrators group on member server being promoted
- User must have User Right "Allow Log on Locally"
- Full Control on CN=<crossRef>, CN=Partitions, CN=Configuration, DC=<forestRootDomain>, where <crossRef> is the crossRef for this domain
- Full Control on the NTDS-Settings object CN=NTDS Settings, CN=<Server>, CN=<Site>, CN=Sites, CN=Configuration, DC=<forestRootDomain>, where <Server> is the DC being demoted
- Full Control on the Computer object for the server that is being promoted
- Extended Right DS-Replication-Get-Changes on CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Get-Changes on CN=Schema, CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Get-Changes-All on CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Get-Changes-All on CN=Schema, CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Manage-Topology on CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Manage-Topology on CN=Schema, CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Monitor-Topology on CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Monitor-Topology on CN=Schema, CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Synchronize on CN=Configuration, DC=<forestRootDomain>
- Extended Right DS-Replication-Synchronize on CN=Schema, CN=Configuration, DC=<forestRootDomain>

Task: Demote the last Domain Controller in a forest
Permissions required to perform task:
- User must be member of Administrators group on member server being promoted

Task: Designate a Domain Controller as a Global Catalog
Permissions required to perform task:
- WP on the corresponding NTDS Settings object with distinguished name cn=NTDS Settings, cn=<Computer-Name>, cn=Servers, cn=<SiteName>, cn=Sites, cn=Configuration, dc=<forestRootDomain> to modify the options attribute

NOTE: These permissions are sufficient to perform the task. However, they are insufficient when using the Active Directory UI tools to perform the task. The repadmin tool can be used with these permissions to perform the task.

Task: Undesignate a Domain Controller as a Global Catalog
Permissions required to perform task:
- WP on the corresponding NTDS Settings object with distinguished name cn=NTDS Settings, cn=<Computer-Name>, cn=Servers, cn=<SiteName>, cn=Sites, cn=Configuration, dc=<forestRootDomain> to modify the options attribute

NOTE: These permissions are sufficient to perform the task. However, they are insufficient when using the Active Directory UI tools to perform the task. The repadmin tool can be used with these permissions to perform the task.

Task: Raise Forest Functionality Level
Permissions required to perform task:
- WP on the object cn=Partitions, cn=Configuration, dc=<forestRootDomain> to modify the ms-DS-Behavior-Version attribute

Task: Raise Domain Functionality Level
Permissions required to perform task:
- WP on the object dc=<domain> to modify the ms-DS-Behavior-Version attribute

Task: Migrate SID-History
Permissions required to perform task:
- The extended right Migrate-SID-History is required on dc=<Domain> (root of the domain directory partition)
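The extended rights listed above (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Manage-Topology, DS-Replication-Monitor-Topology, DS-Replication-Synchronize, DS-Install-Replica and Migrate-SID-History) are exactly the grants a defender wants an inventory of, since anything holding them on the domain, configuration or schema partition can perform the promotion, demotion and migration tasks in the table. The script below is an added audit example written for this page; it is not part of the Microsoft documentation. It assumes the ActiveDirectory PowerShell module, a domain-joined host, and an account permitted to read directory ACLs. Rather than hard-coding GUIDs, it resolves each right's rightsGuid from the forest's own Extended-Rights container, then reports every principal holding one of those rights on each of the three naming contexts. The second function reads the options attribute on every NTDS Settings object and decodes the Global Catalog bit (0x1) that the "Designate/Undesignate a Domain Controller as a Global Catalog" rows refer to.

```powershell
# Added audit example (not from the Microsoft page). Assumes: ActiveDirectory module,
# domain-joined host, and read access to the directory ACLs being inspected.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainNC = $rootDse.defaultNamingContext
$configNC = $rootDse.configurationNamingContext
$schemaNC = $rootDse.schemaNamingContext

# The extended rights named in the task table; their GUIDs are looked up from the
# forest's Extended-Rights container so nothing is hard-coded.
$rightNames = 'DS-Replication-Get-Changes', 'DS-Replication-Get-Changes-All',
              'DS-Replication-Manage-Topology', 'DS-Replication-Monitor-Topology',
              'DS-Replication-Synchronize', 'DS-Install-Replica', 'Migrate-SID-History'

$rightByGuid = @{}
foreach ($name in $rightNames) {
    $er = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
                       -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$name))" `
                       -Properties rightsGuid
    if ($er) { $rightByGuid[[guid]$er.rightsGuid] = $name }
}

function Get-ExtendedRightHolders {
    # Returns one record per ACE on $DistinguishedName that grants (or denies) one of
    # the extended rights resolved above. ACEs whose ObjectType is empty (e.g. a plain
    # Full Control / GenericAll grant) are deliberately not matched here.
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        $grantsExtended = ($ace.ActiveDirectoryRights -band
                           [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
        if ($grantsExtended -and $rightByGuid.ContainsKey($ace.ObjectType)) {
            [pscustomobject]@{
                Partition = $DistinguishedName
                Principal = $ace.IdentityReference.Value
                Right     = $rightByGuid[$ace.ObjectType]
                Type      = $ace.AccessControlType   # Allow or Deny
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-GlobalCatalogFlag {
    # Reads the options attribute of every nTDSDSA (NTDS Settings) object under
    # CN=Sites. Bit 0x1 (NTDSDSA_OPT_IS_GC) is set when the DC is a Global Catalog,
    # which is the attribute the WP permission in the table controls.
    Get-ADObject -SearchBase "CN=Sites,$configNC" `
                 -LDAPFilter '(objectClass=nTDSDSA)' `
                 -Properties options |
        ForEach-Object {
            [pscustomobject]@{
                NtdsSettings    = $_.DistinguishedName
                IsGlobalCatalog = [bool]([int]$_.options -band 1)
            }
        }
}

# Usage: inventory the replication-related rights on all three partitions, then
# list which DCs currently carry the Global Catalog flag.
$report = foreach ($nc in $domainNC, $configNC, $schemaNC) {
    Get-ExtendedRightHolders -DistinguishedName $nc
}
$report | Sort-Object Partition, Right, Principal | Format-Table -AutoSize
Get-GlobalCatalogFlag | Format-Table -AutoSize
```

Review the output against the expected baseline: on most forests the only holders of DS-Replication-Get-Changes-All on dc=<domain> should be the built-in Domain Controllers, Enterprise Domain Controllers, Administrators and Enterprise Admins principals. A Full Control grant on a partition also confers every extended right without appearing in this list, so a separate pass over GenericAll ACEs is needed for a complete picture.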
