Microsoft KB Archive/911604

= Delegating DFS replication in Windows Server 2003 R2 =

Article ID: 911604

Article Last Modified on 11/1/2006

-

APPLIES TO


 * Microsoft Windows Server 2003 R2 Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003 R2 Enterprise Edition (32-Bit x86)
 * Microsoft Windows Server 2003 R2 Datacenter Edition (32-Bit x86)
 * Microsoft Windows Server 2003 R2 Standard x64 Edition
 * Microsoft Windows Server 2003 R2 Enterprise x64 Edition
 * Microsoft Windows Server 2003 R2 Datacenter x64 Edition

-





INTRODUCTION
Distributed File System (DFS) replication uses the Active Directory directory service to store configuration objects. When you use Active Directory, you can delegate user rights more exactly. The DFS Management feature provides high-level delegation support. This support lets you grant users the ability to create a replication group. This support also lets you grant users administrative rights on a replication group that has already been created. This article describes how to directly modify the permissions on the configuration objects for each replication group.



Configuration objects
It is useful to have an overview of all objects before you view each object in detail. This section describes the objects that are used to configure DFS replication. The permissions to these objects determine which users can perform specific operations on replication groups.

Global objects
Global objects configure the replica set as a whole. For example, global objects configure the number of replicated folders. Global objects also configure the connections between each member of the replication group.

msDFSR-GlobalSettings
This object is created at the following times:
 * When the first replication group in a domain is created
 * The first time that a user is delegated rights to create replication groups in a domain

This object is created in the system container. By default, only the domain administrator can create this object.

The only security modification to this object that we recommend is to grant users the right to create msDFSR-ReplicationGroup child objects in this container. To use DFS Management for this task, perform the Delegate Management Permissions action on the Replication node.

msDFSR-ReplicationGroup
This object contains all the global settings that are specific to a single replication group. To modify the permissions on this container in DFS Management, perform the Delegate Management Permissions action on a replication group. You can grant a user administration rights on a replication group. You can also grant the user control of the msDFSR-ReplicationGroup object and of all the child objects for a replication group. The following attributes are stored in this object:
 * 1) Description

The replication group description.
 * 1) msDFSR-Topology

The default schedule.

msDFSR-Content
This object is created under the msDFSR-ReplicationGroup object when the replication group is created. The msDFSR-Content object contains an msDFSR-ContentSet object for each replicated folder in the replication group.

Note No important attributes are stored in this object.

msDFSR-ContentSet
An msDFSR-ContentSet object is created for each replicated folder in the replication group. The following attributes are stored in this object:
 * Description

The description of the replicated folder.
 * msDFSR-FileFilter

File filter for files is excluded from replication.
 * msDFSR-DirectoryFilter

Directory filter for folders is excluded from replication.
 * msDFSR-DfsPath

Path of DFS folder when the replicated folder is published to a DFS namespace.

msDFSR-Topology
This object is created under the msDFSR-ReplicationGroup object when the replication group is created. The msDFSR-Topology object contains an msDFSR-Member object for each member of the replication group.

Note No important attributes are stored in this object.

msDFSR-Member
An msDFSR-Member object is created for each member of the replication group. This object references the computer object for the member. This object contains an msDFSR-Connection object for each connection where this member is the receiving member of the connection. The following attributes are stored in this object:
 * msDFSR-ComputerReference

A reference to the computer object for the member.

msDFSR-Connection
An msDFSR-Connection is created as a child of an msDFSR-Member object for each incoming replication connection to that member. The following attributes are stored in this object:
 * msDFSR-Enabled

The enabled state of the connection.
 * msDFSR-Schedule

The custom schedule of the connection.
 * msDFSR-Keywords

Keywords for the connection.
 * msDFSR-RdcEnabled

The enabled state of the rRemote Differential Compression.

Server-local objects
Server-local objects exist in the computer account for each server that participates in a replication. These objects configure individual members of the replication group.

msDFSR-LocalSettings
This object is the top level container for DFS replication objects on a computer account.

msDFSR-Subscriber
An msDFSR-Subscriber object is created for each replication group to which a server belongs. This object contains an msDFSR-Subscription object for each replicated folder in the replication group that is specified by the msDFSR-Subscriber object. The following attributes are stored in this object:
 * msDFSR-MemberReference

A reference to the msDFSR-Member object.

msDFSR-Subscription
The msDFSR-Subscription object contains settings that are unique to each replicated folder on the server. The following attributes are stored in this object:
 * msDFSR-RootPath

The local path of the replicated folder.
 * msDFSR-StagingPath

The staging path of the replicated folder.
 * msDFSR-StagingSizeInMb

The size of the staging folder.
 * msDFSR-ConflictSizeInMb

The size of the conflict folder.
 * msDFSR-Enabled

The enabled state of the subscription.
 * msDFSR-Flags

A flag that controls whether deleted files are moved to the conflict folder.

Grant permissions to create a replication group
This action is one of the two delegation actions that are available in DFS Management. To manually perform this action in Active Directory Users and Computers, follow these steps:
 * 1) Start Active Directory Users and Computers.
 * 2) Right-click the  \System\DFSR-GlobalSettings node, and then click Properties.
 * 3) Click the Security tab, and then click Advanced.
 * 4) Grant the desired users or groups the Create All Child objects permission, and then click to select This object only in the Apply onto area.

Delegate administrative rights to a replication group
This is the other delegation action that is available in DFS Management. To manually perform this action in Active Directory Users and Computers, follow these steps:
 * 1) Start Active Directory Users and Computers.
 * 2) Right-click the  \System\DFSR-GlobalSettings node, and then click Properties.
 * 3) Click the Security tab, and then click Advanced.
 * 4) Grant the desired users or groups the Full Control permission, and then click to select This object and all child objects in the Apply onto area.
 * 5) Add the users or groups to each member's local Administrators group.

Manage local system settings without being a local administrator
Typically, the user must be an administrator to manage local computer settings. To enable a user who is not an administrator to manage local computer settings, grant the user direct control of the required objects in Active Directory. To do this, follow these steps:
 * 1) Start Active Directory Users and Computers.
 * 2) Right-click the computer node, and then click Properties.

By default, the path of the computer node is one of the following:
 * 1) * Member servers

\Computer\ \DFSR-LocalSettings
 * 1) * Domain controllers

\Domain Controllers\ \DFSR-LocalSettings
 * 1) Click the Security tab, and then click Advanced.
 * 2) Grant the desired users or groups the Full Control permission, and then click to select This object and all child objects in the Apply onto area.

Control of all replication groups
To grant a user control of all existing and future replication groups in a domain, follow these steps:  Start Active Directory Users and Computers. Right-click the following node, and then click Properties:

\System\DFSR-GlobalSettings

 Click the Security tab, and then click Advanced. Grant the desired users or groups the Full Control permission, and then click to select This object and all child objects in the Apply onto area. Add the users or groups to each member's local Administrators group. Or, grant the Full Control permission for the computer objects of each server in the replication groups.

Add/Remove/Modify replicated folders
To grant a user rights only to modify, to add, or to delete a replicated folder, follow these steps:  Start Active Directory Users and Computers.</li> Right-click the following node, and then click Properties:

\System\DFSR-GlobalSettings\ \Content

</li> Click the Security tab, and then click Advanced.</li> Grant the desired users or groups the Full Control permission, and then click to select This object and all child objects in the Apply onto area.</li> Add the users or groups to each member's local Administrators group. Or, grant the Full Control permission for the computer objects of each server in the replication groups.</li></ol>

Add/Remove/Modify members and connections
To grant a user rights only to modify, to add, or to delete members and connections, follow these steps:  Start Active Directory Users and Computers.</li> Right-click the following node, and then click Properties:

\System\DFSR-GlobalSettings\ \Topology

</li> Click the Security tab, and then click Advanced.</li> Grant the desired users or groups the Full Control permission, and then click to select This object and all child objects in the Apply onto area.</li> Add the users or groups to each member's local Administrators group. Or, grant the Full Control permission for the computer objects of each server in the replication groups.</li></ol>

Generate a report on a replication group
To generate a diagnostic report, a user must be a local administrator of the servers that are part of the report.

Keywords: kbhowto kbinfo KB911604

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.