How do I delegate extended rights?

Guest

Hi

I would like to delegate the right to replicate Active Directory to a group
of users. Could anyone tell me what extended rights I need to delegate and
how I should go about giving these rights, i.e. what tool to use?

I have already tried using ADSIedit to delegate the Replicating Directory
Changes extended right at the Configuration and schema level but this did not
seem to work. Is there something else I should be doing?

Thanks
 
Deji

I have gone to delegate a custom task in Active Directory Users & Computers
but the tasks to delegate do not seem to include Replicate Directory Changes,
Replication Synchronization and Manage Replication Topology. Is there
something else I should be doing?

Thanks

Ian
 
For that you need ADSIEdit.


Force replication between two servers
Extended right Replication Synchronization needed on cn=configuration,
dc=<forestRootDomain>

Force a synchronization between two servers
Extended right Replication Synchronization needed on cn=configuration,
dc=<forestRootDomain>




taken from "Best Practices for Delegating Active Directory Administration
Appendices.doc" page 24
http://www.microsoft.com/downloads/...88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto #
MVP Windows Server - Directory Services
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
 
I have already tried using ADSIEdit to delegate the Replication
Synchronization and Replicate Changes extended rights but this does not seem
to have worked. Is there anything else I should be doing?

Thanks

Ian
 
In ADSIedit I went to the properties tab of
CN=Configuration,DC=domain,DC=gov,DC=uk and then on the security tab I
allowed the Replicate Directory Changes and Replication Synchronization
permissions to the relevant group.

Thanks
 
I have delegated the extended rights using ADSI edit. When one of the users
then goes into AD Sites and Services and attempts to replicate the domain an
access denied error message pops up.

Thanks

Ian
 
I guess you are using sites and services to force replication. In that case
you need to delegate permissions on each partition as it is not possible to
choose which partition to replicate. Using REPADMIN or REPLMON it is
possible to choose a partition to replicate.

For information on how to do it step by step see:
http://www.eksternkompetanse.no/blog/PermaLink,guid,79ac9dc7-1f5f-492a-95bc-a11bbb53aae3.aspx

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto #
MVP Windows Server - Directory Services
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
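
The last reply says the rights must be present on each partition. The following PowerShell is an added example, not code from any poster in this thread: it walks every naming context listed in RootDSE and reports whether the three replication extended rights named in the thread are granted to a group. The group name `DOMAIN\ReplOperators` is a placeholder, and the check only sees ACEs that name the group itself as trustee, not rights held through nested group membership.

```powershell
# Added example: audit replication extended rights per naming context.
# Assumption: 'DOMAIN\ReplOperators' is a placeholder for the delegated group.
param([string]$Group = 'DOMAIN\ReplOperators')

# rightsGuid values of the control access rights named in the thread
$rights = [ordered]@{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ab-9c07-11d1-f79f-00c04fc2dcd2' = 'Replication Synchronization'
    '1131f6ac-9c07-11d1-f79f-00c04fc2dcd2' = 'Manage Replication Topology'
}
$extended  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$allRights = [guid]::Empty.ToString()   # ACE without an object type covers every extended right

$rootDse = [ADSI]'LDAP://RootDSE'
foreach ($nc in $rootDse.namingContexts) {
    $entry = [ADSI]"LDAP://$nc"
    # Explicit and inherited ACEs, trustees translated to DOMAIN\name
    $aces = $entry.psbase.ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object {
            $_.IdentityReference.Value -eq $Group -and
            ($_.ActiveDirectoryRights -band $extended) -eq $extended
        }
    foreach ($guid in $rights.Keys) {
        $allow = $aces | Where-Object { $_.AccessControlType -eq 'Allow' -and
            $_.ObjectType.ToString() -in @($guid, $allRights) }
        $deny  = $aces | Where-Object { $_.AccessControlType -eq 'Deny' -and
            $_.ObjectType.ToString() -in @($guid, $allRights) }
        # Simplified evaluation: any matching Deny wins over any Allow
        [pscustomobject]@{
            Partition = "$nc"
            Right     = $rights[$guid]
            Status    = if ($deny) { 'Denied' } elseif ($allow) { 'Granted' } else { 'Missing' }
        }
    }
}
```

A partition that shows `Missing` for a right is one where the group has not been delegated that right; the same output also serves as a record of where these rights have been handed out.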
 