次の方法で共有

Installation Management Tasks

  • [アーティクル]

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The following table lists the installation management tasks.

Task Permissions Required to Perform Task

Create the first domain in a new tree in a new/existing forest

User must be member of Administrators group on member server being promoted

Create a child domain in an existing domain tree

User must be member of Administrators group on member server being promoted.

The crossRef object under CN=Partitions, CN=Configuration, DC=<forestRootDomain> must be pre-created

Inheritable RP on CN=Servers, CN=<Site>, CN=Sites, CN=Configuration, DC=<foestRootDomain>

Inheritable CC on CN=Servers, CN=<Site>, CN=Sites, CN=Configuration, DC=<foestRootDomain>

CC on OU=Domain Controllers,DC=<domain> to create Computer objects

Full Control on the Computer object for the server that is being promoted

Full Control to “Creator Owner” on CN=<Site>, CN=Sites, CN=Configuration, DC=<foestRootDomain>

Extended Right DS-Replication-Get-Changes on CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Get-Changes on CN=Schema, CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Get-Changes-All on CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Get-Changes-All on CN=Schema, CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Manage-Topology on CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Manage-Topology on CN=Schema, CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Monitor-Topology on CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Monitor-Topology on CN=Schema, CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Synchronize on CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Synchronize on CN=Schema, CN=Configuration, DC=<forestRootDomain>

Create a replica (additional Domain Controller)

User must be member of Administrators group on member server being promoted

User Right “Enable computer and user accounts to be trusted for delegation”

Inheritable RP on CN=Servers, CN=<Site>, CN=Sites, CN=Configuration, DC=<foestRootDomain>

Inheritable CC on CN=Servers, CN=<Site>, CN=Sites, CN=Configuration, DC=<foestRootDomain>

CC on OU=Domain Controllers,DC=<domain> to create Computer objects

Full Control on the Computer object for the server that is being promoted

Full Control to “Creator Owner” on CN=<Site>, CN=Sites, CN=Configuration, DC=<foestRootDomain>

Extended Right DS-Install=Replica on DC=<domain>

Extended Right DS-Replication-Get-Changes on DC=<domain>

Extended Right DS-Replication-Get-Changes on CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Get-Changes on CN=Schema, CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Get-Changes-All on DC=<domain>

Extended Right DS-Replication-Get-Changes-All on CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Get-Changes-All on CN=Schema, CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Manage-Topology on DC=<domain>

Extended Right DS-Replication-Manage-Topology on CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Manage-Topology on CN=Schema, CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Monitor-Topology on DC=<domain>

Extended Right DS-Replication-Monitor-Topology on CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Monitor-Topology on CN=Schema, CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Synchronize on DC=<domain>

Extended Right DS-Replication-Synchronize on CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Synchronize on CN=Schema, CN=Configuration, DC=<forestRootDomain>

Remove a replica

User must be member of Administrators group on member server being promoted

User must have User Right “Allow Log on Locally”

Full Control on the NTDS-Settings object CN=NTDS Settings, CN=<Server>, CN=<Site>,CN=Sites, CN=Configuration, DC=<forestRootDomain> where <Server> is the DC being demoted

Full Control on the Computer object for the server that is being promoted

Extended Right DS-Replication-Get-Changes on DC=<domain>

Extended Right DS-Replication-Get-Changes on CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Get-Changes on CN=Schema, CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Get-Changes-All on DC=<domain>

Extended Right DS-Replication-Get-Changes-All on CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Get-Changes-All on CN=Schema, CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Manage-Topology on DC=<domain>

Extended Right DS-Replication-Manage-Topology on CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Manage-Topology on CN=Schema, CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Monitor-Topology on DC=<domain>

Extended Right DS-Replication-Monitor-Topology on CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Monitor-Topology on CN=Schema, CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Synchronize on DC=<domain>

Extended Right DS-Replication-Synchronize on CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Synchronize on CN=Schema, CN=Configuration, DC=<forestRootDomain>

Demote the last Domain Controller in a child domain

User must be member of Administrators group on member server being promoted

User must have User Right “Allow Log on Locally”

Full Control on CN=<crossRef>,CN=Partitions, CN=Configuration, DC=<forestRootDomain> where <crossRef> is the crossRef for this domain

Full Control on the NTDS-Settings object CN=NTDS Settings, CN=<Server>, CN=<Site>,CN=Sites, CN=Configuration, DC=<forestRootDomain> where <Server> is the DC being demoted

Full Control on the Computer object for the server that is being promoted

Extended Right DS-Replication-Get-Changes on CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Get-Changes on CN=Schema, CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Get-Changes-All on CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Get-Changes-All on CN=Schema, CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Manage-Topology on CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Manage-Topology on CN=Schema, CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Monitor-Topology on CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Monitor-Topology on CN=Schema, CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Synchronize on CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Synchronize on CN=Schema, CN=Configuration, DC=<forestRootDomain>

Demote the last Domain Controller in a tree-root domain

User must be member of Administrators group on member server being promoted

User must have User Right “Allow Log on Locally”

Full Control on CN=<crossRef>,CN=Partitions, CN=Configuration, DC=<forestRootDomain> where <crossRef> is the crossRef for this domain

Full Control on the NTDS-Settings object CN=NTDS Settings, CN=<Server>, CN=<Site>,CN=Sites, CN=Configuration, DC=<forestRootDomain> where <Server> is the DC being demoted

Full Control on the Computer object for the server that is being promoted

Extended Right DS-Replication-Get-Changes on CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Get-Changes on CN=Schema, CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Get-Changes-All on CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Get-Changes-All on CN=Schema, CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Manage-Topology on CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Manage-Topology on CN=Schema, CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Monitor-Topology on CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Monitor-Topology on CN=Schema, CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Synchronize on CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Synchronize on CN=Schema, CN=Configuration, DC=<forestRootDomain>

Demote the last Domain Controller in a forest

User must be member of Administrators group on member server being Promoted

Designate a Domain Controller as a Global Catalog

WP on the corresponding NTDS Settings object with distinguished name cn=NTDS Settings, cn=<Computer-Name>, cn=Servers, cn=<SiteName>,cn=Sites,cn=Configuration, dc=<forestRootDomain> to modify the options attribute

NOTE: These permissions are sufficient to perform the task. However they are insufficient when using the Active Directory UI tools to perform the task. The repadmin tool can be used with these permissions to perform the task.

Undesignate a Domain Controller as a Global Catalog

WP on the corresponding NTDS Settings object with distinguished name cn=NTDS Settings, cn=<Computer-Name>, cn=Servers, cn=<SiteName>,cn=Sites,cn=Configuration, dc=<forestRootDomain> to modify the options attribute

NOTE: These permissions are sufficient to perform the task. However they are insufficient when using the Active Directory UI tools to perform the task. The repadmin tool can be used with these permissions to perform the task.

Raise Forest Functionality Level

WP on the object cn=Partitions, cn=Configuration, dc=<forestRootDomain> to modify ms-DS-Behavior-Version attribute

Raise Domain Functionality Level

WP on the object dc=<domain> to modify ms-DS-Behavior-Version attribute

Migrate SID-History

The extended right Migrate-SID-History is required on dc=<Domain> (root of domain directory partition)

Create the first domain in a new tree in a new/existing forest

User must be member of Administrators group on member server being Promoted

Create a child domain in an existing domain tree

User must be member of Administrators group on member server being Promoted

The crossRef object under CN=Partitions, CN=Configuration, DC=<forestRootDomain> must be pre-created

Inheritable RP on CN=Servers, CN=<Site>, CN=Sites, CN=Configuration, DC=<foestRootDomain>

Inheritable CC on CN=Servers, CN=<Site>, CN=Sites, CN=Configuration, DC=<foestRootDomain>

CC on OU=Domain Controllers,DC=<domain> to create Computer objects

Full Control on the Computer object for the server that is being Promoted

Full Control to “Creator Owner” on CN=<Site>, CN=Sites, CN=Configuration, DC=<foestRootDomain>

Extended Right DS-Replication-Get-Changes on CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Get-Changes on CN=Schema, CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Get-Changes-All on CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Get-Changes-All on CN=Schema, CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Manage-Topology on CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Manage-Topology on CN=Schema, CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Monitor-Topology on CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Monitor-Topology on CN=Schema, CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Synchronize on CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Synchronize on CN=Schema, CN=Configuration, DC=<forestRootDomain>

Create a replica (additional Domain Controller)

User must be member of Administrators group on member server being Promoted

User Right “Enable computer and user accounts to be trusted for delegation”

Inheritable RP on CN=Servers, CN=<Site>, CN=Sites, CN=Configuration, DC=<foestRootDomain>

Inheritable CC on CN=Servers, CN=<Site>, CN=Sites, CN=Configuration, DC=<foestRootDomain>

CC on OU=Domain Controllers,DC=<domain> to create Computer objects

Full Control on the Computer object for the server that is being Promoted

Full Control to “Creator Owner” on CN=<Site>, CN=Sites, CN=Configuration, DC=<foestRootDomain>

Extended Right DS-Install=Replica on DC=<domain>

Extended Right DS-Replication-Get-Changes on DC=<domain>

Extended Right DS-Replication-Get-Changes on CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Get-Changes on CN=Schema, CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Get-Changes-All on DC=<domain>

Extended Right DS-Replication-Get-Changes-All on CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Get-Changes-All on CN=Schema, CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Manage-Topology on DC=<domain>

Extended Right DS-Replication-Manage-Topology on CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Manage-Topology on CN=Schema, CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Monitor-Topology on DC=<domain>

Extended Right DS-Replication-Monitor-Topology on CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Monitor-Topology on CN=Schema, CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Synchronize on DC=<domain>

Extended Right DS-Replication-Synchronize on CN=Configuration, DC=<forestRootDomain>

Extended Right DS-Replication-Synchronize on CN=Schema, CN=Configuration, DC=<forestRootDomain>