

Active Directory: Delegate Replication Rights to Non-Admins

This wiki was written in response to a forum post in which a member needed to grant non-Domain Admins the ability to trigger replication between domain controllers in Active Directory. Below you'll find the steps that need to be taken to accomplish this. The same delegation can be applied to service accounts as well as to users.

Below is a link to the forum conversation.

Verified on the following platforms

  Windows Server 2012: No
  Windows Server 2008 R2: No
  Windows Server 2008: No
  Windows Server 2003: Yes
  Windows Server 2000: No

Task 1 of 2

  1. Create a universal security group called <Forest-Name> Replication Management Admins in an OU you've chosen to hold groups for delegated access or other security-related tasks.

  2. Open ADSI Edit and connect to the Configuration naming context as seen in the image below. Once you've selected Configuration under "Select a well known Naming Context", click OK.

  3. Expand the Configuration naming context and right-click the naming context node (CN=Configuration,DC=...) below it. See the picture below for the arrow indicating where you should right-click.

  4. Click Properties.

  5. Click the Security tab.

  6. Click the Advanced button.

  7. Click Add.

  8. Enter the name of the universal group you created in Step 1 and click OK.

  9. In the Permission Entry for Configuration box, scroll to the bottom and tick the Allow box for the Replication Synchronization permission only. Ensure that "This object and all child objects" is selected under Apply to, then click OK. Do not tick Replicating Directory Changes or Replicating Directory Changes All: those rights allow the holder to read the partition's contents from a domain controller, including password hashes, and are not needed to trigger replication.

  10. Click Apply, then OK, and then click OK once more; you should be back in ADSI Edit with no open dialog boxes.

Task 2 of 2

After you've completed steps 1-10 in Task 1, you'll need to view all the replicated partitions and repeat the same process for each one. Replication Synchronization is checked on the head of the partition being replicated, so a partition you skip is one the group cannot synchronize.

  1. Click CN=Partitions under CN=Configuration,DC=<Forest Root Domain> to view the partitions (crossRef objects) defined for the forest.

  2. Right-click each partition object and select New Connection to Naming Context.

    Note: You don't have to do this for Enterprise Configuration, because that was completed above in steps 1-10.

  3. When you have made a new connection to each partition, expand each new connection as was done in Task 1, Step 3.

  4. Once this is complete, repeat Task 1, Steps 4-10 for each directory partition.
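The two tasks above, scripted, as an added example that is not part of the original wiki. It uses .NET System.DirectoryServices through PowerShell, so it does not need the ActiveDirectory module; the forest name, OU and group name are placeholders, the script assumes PowerShell 3 or later and an account with Enterprise Admin rights, and the GUIDs are the well-known schemaIDGUIDs of the replication extended rights under CN=Extended-Rights in the Configuration partition. It finishes with an audit pass that lists who holds replication rights on each partition and flags grants that go beyond Replication Synchronization.

```powershell
# Added example (not from the original wiki): delegate Replication Synchronization
# to a universal group on every naming context, then audit the result.
# Assumed placeholders: forest corp.example, OU "Delegation Groups", Enterprise Admin session.
$ForestName = 'corp.example'
$GroupName  = "$ForestName Replication Management Admins"
$GroupOu    = 'OU=Delegation Groups,DC=corp,DC=example'

# schemaIDGUIDs of the replication extended rights (CN=Extended-Rights,CN=Configuration,...).
$ReplRights = @{
    'DS-Replication-Synchronize'     = [Guid]'1131f6ab-9c07-11d1-f79f-00c04fc2dcd2'  # "Replication Synchronization"
    'DS-Replication-Manage-Topology' = [Guid]'1131f6ac-9c07-11d1-f79f-00c04fc2dcd2'
    'DS-Replication-Get-Changes'     = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    'DS-Replication-Get-Changes-All' = [Guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
}
# Only Synchronize is delegated. The Get-Changes rights let the holder pull every
# attribute (password hashes included) from a DC, so the audit flags them.
$DangerousRights = @('DS-Replication-Get-Changes', 'DS-Replication-Get-Changes-All')

# Task 1, step 1: create (or reuse) the universal security group.
function New-ReplicationAdminGroup {
    param([string]$OuDn, [string]$Name)
    $ou       = [ADSI]"LDAP://$OuDn"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($ou, "(&(objectClass=group)(cn=$Name))")
    $found    = $searcher.FindOne()
    if ($found) { return $found.GetDirectoryEntry() }
    $group = $ou.Children.Add("CN=$Name", 'group')
    $group.Put('sAMAccountName', ($Name -replace '[^A-Za-z0-9]', ''))
    $group.Put('groupType', -2147483640)   # UNIVERSAL (0x8) | SECURITY_ENABLED (0x80000000)
    $group.SetInfo()
    return $group
}

# Task 2, step 1: every directory partition is a crossRef under CN=Partitions.
# systemFlags bit 0 (FLAG_CR_NTDS_NC) separates real partitions from external cross-refs.
function Get-ForestNamingContexts {
    $rootDse    = [ADSI]'LDAP://RootDSE'
    $partitions = [ADSI]"LDAP://CN=Partitions,$($rootDse.configurationNamingContext.Value)"
    $searcher   = New-Object System.DirectoryServices.DirectorySearcher($partitions, '(objectClass=crossRef)')
    $searcher.PropertiesToLoad.AddRange(@('cn', 'nCName', 'dnsRoot', 'systemFlags'))
    foreach ($r in $searcher.FindAll()) {
        if (($r.Properties['systemFlags'][0] -band 1) -eq 0) { continue }
        $ncName = $r.Properties['nCName'][0]
        [pscustomobject]@{
            Name   = $r.Properties['cn'][0]
            NcName = $ncName
            # Bind through the partition's own DNS name so partitions of other
            # domains are opened on a DC that hosts them rather than by referral.
            Path   = "LDAP://$($r.Properties['dnsRoot'][0])/$ncName"
        }
    }
}

# Task 1 steps 7-10 and Task 2 step 4: Allow "Replication Synchronization" on the
# partition head, applied to this object and all child objects.
function Grant-ReplicationSynchronize {
    param([string]$NcPath, [System.Security.Principal.SecurityIdentifier]$Sid)
    $nc  = [ADSI]$NcPath
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ReplRights['DS-Replication-Synchronize'],
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $nc.ObjectSecurity.AddAccessRule($ace)
    $nc.CommitChanges()
}

# Audit: every replication-related ACE on a partition, flagging those that let the
# holder read directory data (Get-Changes*, or a blanket "all extended rights" grant).
function Get-ReplicationAces {
    param([string]$NcPath)
    $nc    = [ADSI]$NcPath
    $rules = $nc.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $rights = $rule.ActiveDirectoryRights
        $isExt  = ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
        $isAll  = ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -eq [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
        if (-not ($isExt -or $isAll)) { continue }
        if ($rule.ObjectType -eq [Guid]::Empty) {
            $name = 'All extended rights'                       # blanket grant covers every replication right
        } else {
            $name = ($ReplRights.GetEnumerator() | Where-Object { $_.Value -eq $rule.ObjectType } | Select-Object -First 1).Key
            if (-not $name) { continue }                        # some unrelated extended right
        }
        try   { $who = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $rule.IdentityReference.Value }          # orphaned SID, keep it raw
        [pscustomobject]@{
            Identity           = $who
            Right              = $name
            Type               = $rule.AccessControlType
            Inherited          = $rule.IsInherited
            ReadsDirectoryData = ($rule.AccessControlType -eq 'Allow') -and
                                 ($name -eq 'All extended rights' -or $DangerousRights -contains $name)
        }
    }
}

$group = New-ReplicationAdminGroup -OuDn $GroupOu -Name $GroupName
$group.RefreshCache(@('objectSid'))
$sid = New-Object System.Security.Principal.SecurityIdentifier($group.objectSid.Value, 0)

foreach ($nc in Get-ForestNamingContexts) {
    Grant-ReplicationSynchronize -NcPath $nc.Path -Sid $sid
    Write-Host "Granted Replication Synchronization on $($nc.Name) ($($nc.NcName))"
}
foreach ($nc in Get-ForestNamingContexts) {
    Write-Host "`n== $($nc.NcName)"
    Get-ReplicationAces -NcPath $nc.Path | Format-Table Identity, Right, Type, Inherited, ReadsDirectoryData -AutoSize
}
```

In the audit output the new group should appear on every partition with DS-Replication-Synchronize only and ReadsDirectoryData set to False; any other principal listed with True next to Get-Changes, Get-Changes-All or a blanket extended-rights grant is worth a second look, since that is the permission set needed to replicate password data out of a domain controller. A member of the group can confirm the delegation from the command line with repadmin /replicate <destination DC> <source DC> <partition DN>, which triggers the same synchronization call as Replicate Now in Sites and Services.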

Finally, have a user who is a member of the universal group you've created log on, open Active Directory Sites and Services, and test that they can replicate changes between domain controllers (right-click a connection object and choose Replicate Now).

Note: You may need to delegate other permissions if you haven't done so already, for example the right to log on to a domain controller if the user runs the console there, or rights on the connection objects themselves if they need to do more than trigger replication. Granting Replication Synchronization alone does not let the user read or change directory data.