HOW TO: Delegate the ability to manually replicate DCs (using a tool such as dssite.msc or replmon)

The question of delegating permissions to manually replicate Active Directory has cropped up in the newsgroups quite a few times. This article therefore discusses how to achieve this, and provides a little extra background, because it is not quite as simple as just "replicating Active Directory".

Directory Replication - Summarised

Without going into the ins and outs of how Active Directory replicates (the Windows 2000 Resource Kit Distributed Systems Guide covers this in substantial detail, well over 100 pages), the following is a brief description of what you need to understand in order to delegate the ability for a user to right-click on a connection object and choose Replicate Now.

Within Active Directory there are multiple directory partitions, or naming contexts, that are required to be replicated. There are enterprise partitions and domain partitions. Windows 2003 Active Directory also introduces Application partitions into this as well.

Enterprise partitions are the Schema and Configuration partitions. These are replicated forest wide; that is, all DCs in the forest hold a copy of these partitions. Domain partitions are the actual domain. These are only replicated amongst Domain Controllers in the same domain and Global Catalog servers.

Note. The Global Catalog doesn't replicate the domain partition in the same way as another Domain Controller. The Global Catalog server replicates each domain partition, but with only a subset of attributes for each object: those attributes that are flagged to be included in the Global Catalog. The Global Catalog is also read-only, which means that updates cannot be performed against any of the partial replicas that it holds.

When you select Replicate Now from the context-sensitive menu produced by a right-click on a connection object in Active Directory Sites and Services, you are generating a notification trigger outside of normal replication. Doing this triggers replication of each directory partition that the connection object is responsible for. However, you do not know which partitions that connection object is responsible for. In almost all circumstances the connection object is being used to replicate both the enterprise and domain partitions, unless of course the replication partner resides in a different domain, in which case it will only be the enterprise partitions. If the Domain Controller in question is also a Global Catalog server and the connection is with a Domain Controller from another domain, then this connection object will also likely be pulling the Global Catalog specific attributes from the domain partition of the other Domain Controller as well.

In order to therefore be able to use Replicate Now, you must have the following permissions on each directory partition:
  • Replicating Directory Changes (DS-Replication-Get-Changes)
  • Replicating Directory Changes All (DS-Replication-Get-Changes-All)
  • Replication Synchronization (DS-Replication-Synchronize)
Note. For more information on what these permissions do, please refer to the Further Reading section at the end of this article.

Delegating Replicate Now (configuring the permissions)

In order to allow a user to replicate connection objects, the following must be performed on each Directory Partition in the forest.
  • Load ADSIEdit by typing ADSIEDIT.MSC in the Run command/ dialog
  • Expand the partition in question, then right-click on the directory partition's root object and choose Properties. For example, if this were the Configuration partition, you would expand Configuration [] and right-click on CN=Configuration,DC= and choose Properties
  • In the Properties window, select the Security tab and then click Advanced
  • In the Advanced Security Settings for window, click Add... and type the name of the group that you wish to grant this delegation to into the Object Picker, and choose OK
  • In the Permission Entry for window, select This object and all child objects from the Apply onto drop-down list and then check the Allow tick box next to the following permissions:
    • Replicating Directory Changes
    • Replicating Directory Changes All
    • Replication Synchronization
  • Click OK, OK, and OK again
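The same delegation scripted in PowerShell, as an added example that is not part of the original article. It enumerates every naming context in the forest from the crossRef objects under CN=Partitions (the enterprise, domain and application partitions described above), reports which trustees already hold the three replication rights on each one, and grants those rights to a group with the "This object and all child objects" inheritance the steps above call for. It assumes the RSAT ActiveDirectory module, a session running with Enterprise Admin rights, and a group name that you supply; the three GUIDs are the documented rightsGuid values of the extended rights named above, and the function and parameter names are my own.

```powershell
# Added example (not from the article): delegate and audit the three
# replication rights on every directory partition in the forest.
# Assumes the RSAT ActiveDirectory module and Enterprise Admin rights.
Import-Module ActiveDirectory

# rightsGuid values of the extended rights the article lists.
$ReplicationRights = [ordered]@{
    'Replicating Directory Changes'     = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes
    'Replicating Directory Changes All' = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes-All
    'Replication Synchronization'       = [guid]'1131f6ab-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Synchronize
}

function Get-DirectoryPartition {
    # Every naming context in the forest, read from the crossRef objects in
    # CN=Partitions rather than from one DC's rootDSE (which lists only the
    # partitions that DC hosts). systemFlags bit 0x1 marks a real NC; dnsRoot
    # is a DNS name that resolves to DCs holding that NC, used for binding.
    $partitionsDn = "CN=Partitions,$((Get-ADRootDSE).configurationNamingContext)"
    Get-ADObject -SearchBase $partitionsDn -SearchScope OneLevel `
        -LDAPFilter '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=1))' `
        -Properties nCName, dnsRoot |
        ForEach-Object {
            [pscustomobject]@{
                DN     = $_.nCName
                Server = ($_.dnsRoot | Select-Object -First 1)
            }
        }
}

function Get-PartitionEntry([pscustomobject]$Partition) {
    # Bind through the partition's dnsRoot so the read or write reaches a DC
    # that actually holds that partition (matters for other domains in the forest).
    [System.DirectoryServices.DirectoryEntry]::new("LDAP://$($Partition.Server)/$($Partition.DN)")
}

function Get-ReplicationRightHolder {
    # Audit: who can already pull directory changes from each partition. An ACE
    # granting *all* extended rights (empty ObjectType) covers these rights too,
    # so it is reported as well.
    $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    foreach ($p in Get-DirectoryPartition) {
        $entry = Get-PartitionEntry $p
        $rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
        foreach ($rule in $rules) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if (-not $rule.ActiveDirectoryRights.HasFlag($extended)) { continue }
            $rightName = $null
            if ($rule.ObjectType -eq [guid]::Empty) {
                $rightName = 'All extended rights (includes the three replication rights)'
            } else {
                $hit = $ReplicationRights.GetEnumerator() | Where-Object { $_.Value -eq $rule.ObjectType }
                if ($hit) { $rightName = $hit.Key }
            }
            if ($rightName) {
                [pscustomobject]@{
                    Partition = $p.DN
                    Trustee   = $rule.IdentityReference.Value
                    Right     = $rightName
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
}

function Grant-ReplicateNowRight {
    # Delegation: the same three Allow ACEs the ADSIEdit steps create, applied
    # to "This object and all child objects" on every partition.
    param([Parameter(Mandatory)][string]$GroupName)
    $sid = (Get-ADGroup -Identity $GroupName).SID
    foreach ($p in Get-DirectoryPartition) {
        $entry = Get-PartitionEntry $p
        foreach ($right in $ReplicationRights.GetEnumerator()) {
            $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
                $sid,
                [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
                [System.Security.AccessControl.AccessControlType]::Allow,
                $right.Value,
                [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
            [void]$entry.ObjectSecurity.AddAccessRule($rule)
        }
        $entry.CommitChanges()
        Write-Output "Granted Replicate Now rights to $GroupName on $($p.DN)"
    }
}

# Usage (the group name is a placeholder): review first, delegate, then re-check.
Get-ReplicationRightHolder | Format-Table -AutoSize
Grant-ReplicateNowRight -GroupName 'AD Replication Operators'
Get-ReplicationRightHolder | Where-Object Trustee -like '*AD Replication Operators' | Format-Table -AutoSize
```

The audit function is worth running on its own from time to time, whether or not you ever delegate: a trustee holding Replicating Directory Changes All can read every attribute of every object in that partition, so the list of holders should be short and every entry should be explainable.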

As stated above, this must be performed for each partition in the forest for this to work without any problems. To do this, you will need to be a member of the Enterprise Admins group, or the Domain Admins group in each domain.

Further reading

ADSIEdit Overview: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/ebca3324-5427-471a-bc19-9aa1decd3d40.mspx

Replicating Directory Changes (DS-Replication-Get-Changes): http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/r_ds_replication_get_changes.asp

Replicating Directory Changes All (DS-Replication-Get-Changes-All): http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/r_ds_replication_get_changes.asp

Replication Synchronization (DS-Replication-Synchronize): http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/r_ds_replication_get_changes.asp


Document Information

Author: Paul Williams
Written: 21-11-2006
Version: 2.0
Last updated: 25-07-2007
Last updated by: Paul Williams
