Modify the Replication Security Level of a Configuration Set

Applies To: Windows Server 2008

You can use this procedure to modify the replication security level of a configuration set.

Membership in Administrators, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To modify the replication security level of a configuration set

  1. Open Active Directory Service Interfaces (ADSI) Edit, and then connect and bind to the configuration directory partition of an Active Directory Lightweight Directory Services (AD LDS) instance in the configuration set that you want to modify. For more information, see Manage an AD LDS Instance Using ADSI Edit.

  2. In the console tree, double-click the connection.

  3. In the console tree, right-click the configuration directory partition, and then click Properties.

  4. In Attributes, click msDS-ReplAuthenticationMode, click Edit, and then, in the Value box, set the appropriate value (2, 1, or 0, as described in the table that follows), and then click OK.

Note

If the replication security level is set to two (2), all replicating AD LDS instances must register service principal names (SPNs) in Active Directory; an instance that cannot authenticate with Kerberos stops replicating once the new value reaches it. At levels one (1) and zero (0), replication can fall back to NTLM.
The default replication security level for a new AD LDS instance is one (1), unless a local workstation user account is specified as the AD LDS service account, in which case the replication security level defaults to zero (0).
Because the configuration directory partition is replicated to every instance in the configuration set, the value you set here applies to the whole configuration set, not only to the instance you connected to.

The values for msDS-ReplAuthenticationMode and their corresponding replication security levels are described in the following table.

Replication security level: Mutual authentication required
Value: 2
Description: Kerberos authentication (using SPNs) is required. If Kerberos authentication fails, the AD LDS instances will not replicate.
Default environment: The configuration set is fully contained within an Active Directory domain, forest, or forest trust.

Replication security level: Negotiated
Value: 1
Description: Kerberos authentication (using SPNs) is attempted first. If Kerberos fails, NTLM authentication is attempted. If NTLM fails, the AD LDS instances will not replicate.
Default environment: The configuration set is fully contained within an Active Directory domain, forest, or forest trust.

Replication security level: Negotiated pass-through
Value: 0
Description: All AD LDS instances in the configuration set must use identical service account names and passwords, because replication authenticates with NTLM pass-through authentication against those matching local accounts. This is the weakest level and should be used only where no trust relationship between the computers exists.
Default environment: The configuration set includes computers that are joined to one or more workgroups or to multiple domains or forests without trust relationships.
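The same change can be scripted. The following PowerShell script is an added example, not part of the original article and not Microsoft's code: it binds to the configuration directory partition over ADSI (the same partition ADSI Edit shows in the procedure above), reports the current msDS-ReplAuthenticationMode value using the level names from the table, optionally verifies that an SPN exists before raising the level to 2, and then writes the new value. The host name adlds01.corp.example, the port 50000 and the SPN form ldap/<host>:<port> are assumptions for illustration; substitute the values of an instance in your own configuration set.

```powershell
# Added example (not from the original article): read and change the replication
# security level (msDS-ReplAuthenticationMode) of an AD LDS configuration set with
# ADSI from PowerShell instead of the ADSI Edit GUI.
# Assumed, hypothetical values: one instance of the configuration set listens on
# adlds01.corp.example:50000 and the caller is an administrator of that instance.
param(
    [string]$Server = 'adlds01.corp.example',   # assumed host of one instance in the set
    [int]$Port = 50000,                          # assumed LDAP port of that instance
    [ValidateSet(0, 1, 2)]
    [int]$NewLevel = 2,                          # 2 = mutual auth, 1 = negotiated, 0 = negotiated pass-through
    [switch]$CheckSpn,                           # verify an SPN is registered before requiring level 2
    [switch]$WhatIf                              # report the change without writing it
)

$attr  = 'msDS-ReplAuthenticationMode'
$names = @{ 0 = 'Negotiated pass-through'; 1 = 'Negotiated'; 2 = 'Mutual authentication required' }

# RootDSE of any instance in the configuration set names the configuration
# directory partition (CN=Configuration,CN={<configuration set GUID>}).
$rootDse  = [ADSI]"LDAP://${Server}:${Port}/RootDSE"
$configDn = [string]$rootDse.configurationNamingContext
if (-not $configDn) { throw "Could not read configurationNamingContext from ${Server}:${Port}" }

$config  = [ADSI]"LDAP://${Server}:${Port}/$configDn"
$current = [int]$config.Get($attr)
Write-Host ("Configuration partition: {0}" -f $configDn)
Write-Host ("Current level          : {0} ({1})" -f $current, $names[$current])

if ($current -eq $NewLevel) { Write-Host 'Already at the requested level; nothing to do.'; return }

if ($NewLevel -eq 2 -and $CheckSpn) {
    # Level 2 makes Kerberos mandatory: every replicating instance needs an SPN
    # registered in Active Directory or it stops replicating once the new value
    # reaches it. Look for an ldap/<host>:<port> SPN for this instance as a sanity
    # check (assumed SPN form; needs the ActiveDirectory module on a domain-joined host).
    Import-Module ActiveDirectory -ErrorAction Stop
    $spn   = "ldap/${Server}:${Port}"
    $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName
    if (-not $owner) {
        throw "No account holds SPN '$spn'; register SPNs for every instance before requiring mutual authentication."
    }
    Write-Host ("SPN {0} is registered on {1}" -f $spn, $owner.DistinguishedName)
}

if ($WhatIf) {
    Write-Host ("WhatIf: would set {0} from {1} to {2} ({3})" -f $attr, $current, $NewLevel, $names[$NewLevel])
    return
}

# The configuration partition replicates to every instance in the set, so this
# single write changes the security level for the whole configuration set.
$config.Put($attr, $NewLevel)
$config.SetInfo()
Write-Host ("Set {0} to {1} ({2})" -f $attr, $NewLevel, $names[$NewLevel])
```

Run it first with -WhatIf, and with -CheckSpn when moving to level 2, so that a missing SPN is caught before the new value replicates and silently stops replication on the affected instance. The ValidateSet on $NewLevel rejects anything other than the three values the table defines.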