Directory Service Configuration Management Tasks
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Task | Permissions Required to Perform Task |
---|---|
Designate a DC as a Global Catalog | WP on the corresponding NTDS Settings object with distinguished name cn=NTDS Settings,cn=<Computer-Name>,cn=Servers,cn=<SiteName>,cn=Sites,cn=Configuration,dc=<forestRootDomain> to modify the options attribute |
Force the directory service to do garbage collection | Add the doGarbageCollection attribute on the rootDSE object, and set its value equal to any value. Extended Right Do-Garbage-Collection on NTDS-Settings object CN=NTDS Settings,CN=<Server>,CN=<Site>,CN=Sites,CN=Configuration,DC=<forestRootDomain> |
Specify the directory service garbage collection period | WP on the NTDS-Service object cn=Directory Service,cn=Windows NT,cn=Services,CN=Configuration,DC=<forestRootDomain> to modify the Garbage-Coll-Period attribute |
Force the directory service to recalculate the Exchange Address Book information hierarchy | Add the recalcHierarchy attribute on the rootDSE object, and set its value equal to any value. Extended Right Recalculate-Hierarchy on NTDS-Settings object CN=NTDS Settings,CN=<Server>,CN=<Site>,CN=Sites,CN=Configuration,DC=<forestRootDomain> |
Update the Schema cache on demand | Add and modify the schemaUpdateNow attribute on the rootDSE object, and set its value equal to 1. Extended Right Update-Schema-Cache on cn=Schema,cn=Configuration,dc=<ForestRootDomain> |
Force the directory service to recompute ACL inheritance on a naming context | Add the recalcHierarchy attribute on the rootDSE object and set its value equal to ‘forceupdate’. Extended Right Recalculate-Security-Inheritance on NTDS-Settings object CN=NTDS Settings,CN=<Server>,CN=<Site>,CN=Sites,CN=Configuration,DC=<forestRootDomain> |
Force the directory service to check stale phantom objects | On the rootDSE object, add the checkPhantoms attribute to the object and set its value equal to any value. Extended Right DS-Check-Stale-Phantoms on NTDS-Settings object CN=NTDS Settings,CN=<Server>,CN=<Site>,CN=Sites,CN=Configuration,DC=<forestRootDomain> |
Force the directory service to immediately refresh the group cache by contacting an available GC | On the rootDSE object, add the updateCachedMemberships attribute to the object and set its value equal to any value. Extended Right Refresh-Group-Cache on NTDS-Settings object CN=NTDS Settings,CN=<Server>,CN=<Site>,CN=Sites,CN=Configuration,DC=<forestRootDomain> |
Force the directory service to remove lingering objects from a Domain Controller | Add the removeLingeringObject attribute on the rootDSE object and set its value equal to the object to remove, in the following form: DN_OF_THE_SOURCE_NTDS_SETTINGS_OBJECT:DN_OF_THE_OBJECT_TO_REMOVE. Extended Right Manage Replication Topology on cn=configuration,dc=<forestRootDomain> |
Reanimate Tombstones | Extended Right Reanimate Tombstones on CN=Schema,CN=Configuration,DC=<forestRootDomain> |
Force the directory service to perform an online defrag on a Domain Controller | Add the doOnlineDefrag attribute on the rootDSE object and set its value equal to any value. Extended Right Do-Garbage-Collection on NTDS-Settings object CN=NTDS Settings,CN=<Server>,CN=<Site>,CN=Sites,CN=Configuration,DC=<forestRootDomain> |
Specify the default amount of time a dynamic object will exist in the directory | WP on the NTDS-Service object cn=Directory Service,cn=Windows NT,cn=Services,CN=Configuration,DC=<forestRootDomain> to modify the ms-DS-Other-Settings attribute |
Specify the minimum amount of time a dynamic object will exist in the directory | WP on the NTDS-Service object cn=Directory Service,cn=Windows NT,cn=Services,CN=Configuration,DC=<forestRootDomain> to modify the ms-DS-Other-Settings attribute |
Specify the delay between deleting a server object and it being permanently removed from the replication topology | WP on the NTDS-Service object cn=Directory Service,cn=Windows NT,cn=Services,CN=Configuration,DC=<forestRootDomain> to modify the Repl-Topology-Stay-Of-Execution attribute |
Specify the number of days before a deleted object is removed from the directory (tombstone lifetime) | WP on the NTDS-Service object cn=Directory Service,cn=Windows NT,cn=Services,CN=Configuration,DC=<forestRootDomain> to modify the Tombstone-Lifetime attribute |
Adjust ANR searching behavior | WP on the NTDS-Service object cn=Directory Service,cn=Windows NT,cn=Services,CN=Configuration,DC=<forestRootDomain> to modify the DS-Heuristics attribute |
Put the directory in the special “List Object” mode | WP on the NTDS-Service object cn=Directory Service,cn=Windows NT,cn=Services,CN=Configuration,DC=<forestRootDomain> to modify the DS-Heuristics attribute |
Restrict anonymous operations (other than rootDSE searches and binds) through LDAP | WP on the NTDS-Service object cn=Directory Service,cn=Windows NT,cn=Services,CN=Configuration,DC=<forestRootDomain> to modify the DS-Heuristics attribute |
Control the behavior of the userPassword attribute | WP on the NTDS-Service object cn=Directory Service,cn=Windows NT,cn=Services,CN=Configuration,DC=<forestRootDomain> to modify the DS-Heuristics attribute |
Specify which SPN types are mapped to “host” | WP on the NTDS-Service object cn=Directory Service,cn=Windows NT,cn=Services,CN=Configuration,DC=<forestRootDomain> to modify the SPN-mappings attribute |
Increase the level of detail logged by the KCC in the event log | Modify the 1 Knowledge Consistency Checker entry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics. Thus, permission to modify this registry key is required to delegate the operation |
Modify the level of detail logged for Security Events | Modify the 2 Security Events entry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics. Thus, permission to modify this registry key is required to delegate the operation |
Modify the level of detail logged by events related to communication between Active Directory and Exchange clients | Modify the 3 ExDS Interface Events entry and the 4 MAPI Interface Events entry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics. Thus, permission to modify this registry key is required to delegate the operation |
Modify the level of detail logged when objects marked for deletion are actually deleted | Modify the 6 Garbage Collection entry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics. Thus, permission to modify this registry key is required to delegate the operation |
Modify the level of detail logged by directory service operations | Modify the 7 Internal Configuration entry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics. Thus, permission to modify this registry key is required to delegate the operation |
Modify the level of detail logged by directory access events | Modify the 8 Directory Access entry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics. Thus, permission to modify this registry key is required to delegate the operation |
Modify the level of detail logged by internal operation of directory service code | Modify the 9 Internal Processing entry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics. Thus, permission to modify this registry key is required to delegate the operation |
Modify the level of detail logged by events related to loading and unloading the NTDS performance object and performance counters | Modify the 10 Performance Counters entry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics. Thus, permission to modify this registry key is required to delegate the operation |
Modify the level of detail logged by events related to starting and stopping the directory service | Modify the 11 Initialization/Termination entry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics. Thus, permission to modify this registry key is required to delegate the operation |
Modify the level of detail logged by directory service events | Modify the 12 Service Control entry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics. Thus, permission to modify this registry key is required to delegate the operation |
Modify the level of detail logged by the events related to address resolution and Active Directory names | Modify the 13 Name Resolution entry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics. Thus, permission to modify this registry key is required to delegate the operation |
Modify the level of detail logged by the events related to the backup of Active Directory | Modify the 14 Backup entry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics. Thus, permission to modify this registry key is required to delegate the operation |
Modify the level of detail logged by events related to LDAP | Modify the 16 LDAP Interface entry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics. Thus, permission to modify this registry key is required to delegate the operation |
Modify the level of detail logged by events related to running the Active Directory Installation wizard | Modify the 17 Setup entry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics. Thus, permission to modify this registry key is required to delegate the operation |
Modify the level of detail logged by events related to the Global Catalog | Modify the 18 Global Catalog entry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics. Thus, permission to modify this registry key is required to delegate the operation |
Modify the level of detail logged by events related to the Inter-site Messaging service | Modify the 19 Inter-site Messaging entry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics. Thus, permission to modify this registry key is required to delegate the operation |