Delegating DFS replication in Windows Server 2003 R2

Distributed File System (DFS) replication uses the Active Directory directory service to store configuration objects. When you use Active Directory, you can delegate user rights more exactly. The DFS Management feature provides high-level delegation support. This support lets you grant users the ability to create a replication group. This support also lets you grant users administrative rights on a replication group that has already been created. This article describes how to directly modify the permissions on the configuration objects for each replication group.

Configuration objects

It is useful to have an overview of all objects before you view each object in detail. This section describes the objects that are used to configure DFS replication. The permissions to these objects determine which users can perform specific operations on replication groups.

Global objects

Global objects configure the replica set as a whole. For example, global objects configure the number of replicated folders. Global objects also configure the connections between each member of the replication group.

msDFSR-GlobalSettings

This object is created at the following times:

• When the first replication group in a domain is created
• The first time that a user is delegated rights to create replication groups in a domain

This object is created in the system container. By default, only the domain administrator can create this object.

The only security modification to this object that we recommend is to grant users the right to create msDFSR-ReplicationGroup child objects in this container. To use DFS Management for this task, perform the Delegate Management Permissions action on the Replication node.

msDFSR-ReplicationGroup

This object contains all the global settings that are specific to a single replication group. To modify the permissions on this container in DFS Management, perform the Delegate Management Permissions action on a replication group. You can grant a user administration rights on a replication group. You can also grant the user control of the msDFSR-ReplicationGroup object and of all the child objects for a replication group. The following attributes are stored in this object:

1. Description
   The replication group description.
2. msDFSR-Topology
   The default schedule.

msDFSR-Content

This object is created under the msDFSR-ReplicationGroup object when the replication group is created. The msDFSR-Content object contains an msDFSR-ContentSet object for each replicated folder in the replication group.

Note No important attributes are stored in this object.

msDFSR-ContentSet

An msDFSR-ContentSet object is created for each replicated folder in the replication group. The following attributes are stored in this object:

• Description
  The description of the replicated folder.
• msDFSR-FileFilter
  File filter for files is excluded from replication.
• msDFSR-DirectoryFilter
  Directory filter for folders is excluded from replication.
• msDFSR-DfsPath
  Path of DFS folder when the replicated folder is published to a DFS namespace.

msDFSR-Topology

This object is created under the msDFSR-ReplicationGroup object when the replication group is created. The msDFSR-Topology object contains an msDFSR-Member object for each member of the replication group.

Note No important attributes are stored in this object.

msDFSR-Member

An msDFSR-Member object is created for each member of the replication group. This object references the computer object for the member. This object contains an msDFSR-Connection object for each connection where this member is the receiving member of the connection. The following attributes are stored in this object:

• msDFSR-ComputerReference
  A reference to the computer object for the member.

msDFSR-Connection

An msDFSR-Connection is created as a child of an msDFSR-Member object for each incoming replication connection to that member. The following attributes are stored in this object:

• msDFSR-Enabled
  The enabled state of the connection.
• msDFSR-Schedule
  The custom schedule of the connection.
• msDFSR-Keywords
  Keywords for the connection.
• msDFSR-RdcEnabled
  The enabled state of the rRemote Differential Compression.

Server-local objects

Server-local objects exist in the computer account for each server that participates in a replication. These objects configure individual members of the replication group.

msDFSR-LocalSettings

This object is the top level container for DFS replication objects on a computer account.

msDFSR-Subscriber

An msDFSR-Subscriber object is created for each replication group to which a server belongs. This object contains an msDFSR-Subscription object for each replicated folder in the replication group that is specified by the msDFSR-Subscriber object. The following attributes are stored in this object:

• msDFSR-MemberReference
  A reference to the msDFSR-Member object.

msDFSR-Subscription

The msDFSR-Subscription object contains settings that are unique to each replicated folder on the server. The following attributes are stored in this object:

• msDFSR-RootPath
  The local path of the replicated folder.
• msDFSR-StagingPath
  The staging path of the replicated folder.
• msDFSR-StagingSizeInMb
  The size of the staging folder.
• msDFSR-ConflictSizeInMb
  The size of the conflict folder.
• msDFSR-Enabled
  The enabled state of the subscription.
• msDFSR-Flags
  A flag that controls whether deleted files are moved to the conflict folder.

Detailed delegation

Grant permissions to create a replication group

This action is one of the two delegation actions that are available in DFS Management. To manually perform this action in Active Directory Users and Computers, follow these steps:

1. Start Active Directory Users and Computers.
2. Right-click the Domain\System\DFSR-GlobalSettings node, and then click Properties.
3. Click the Security tab, and then click Advanced.
4. Grant the desired users or groups the Create All Child objects permission, and then click to select This object only in the Apply onto area.

Delegate administrative rights to a replication group

This is the other delegation action that is available in DFS Management. To manually perform this action in Active Directory Users and Computers, follow these steps:

1. Start Active Directory Users and Computers.
2. Right-click the Domain\System\DFSR-GlobalSettings node, and then click Properties.
3. Click the Security tab, and then click Advanced.
4. Grant the desired users or groups the Full Control permission, and then click to select This object and all child objects in the Apply onto area.
5. Add the users or groups to each member's local Administrators group.

Manage local system settings without being a local administrator

Typically, the user must be an administrator to manage local computer settings. To enable a user who is not an administrator to manage local computer settings, grant the user direct control of the required objects in Active Directory. To do this, follow these steps:

1. Start Active Directory Users and Computers.
2. Right-click the computer node, and then click Properties.
   
   By default, the path of the computer node is one of the following:
   • Member servers
     Domain\Computer\ComputerName\DFSR-LocalSettings
   • Domain controllers
     Domain\Domain Controllers\ComputerName\DFSR-LocalSettings
3. Click the Security tab, and then click Advanced.
4. Grant the desired users or groups the Full Control permission, and then click to select This object and all child objects in the Apply onto area.

Control of all replication groups

To grant a user control of all existing and future replication groups in a domain, follow these steps:

1. Start Active Directory Users and Computers.
2. Right-click the following node, and then click Properties:
   Domain\System\DFSR-GlobalSettings
3. Click the Security tab, and then click Advanced.
4. Grant the desired users or groups the Full Control permission, and then click to select This object and all child objects in the Apply onto area.
5. Add the users or groups to each member's local Administrators group. Or, grant the Full Control permission for the computer objects of each server in the replication groups.

Add/Remove/Modify replicated folders

To grant a user rights only to modify, to add, or to delete a replicated folder, follow these steps:

1. Start Active Directory Users and Computers.
2. Right-click the following node, and then click Properties:
   Domain\System\DFSR-GlobalSettings\ReplicationGroup\Content
3. Click the Security tab, and then click Advanced.
4. Grant the desired users or groups the Full Control permission, and then click to select This object and all child objects in the Apply onto area.
5. Add the users or groups to each member's local Administrators group. Or, grant the Full Control permission for the computer objects of each server in the replication groups.

Add/Remove/Modify members and connections

To grant a user rights only to modify, to add, or to delete members and connections, follow these steps:

1. Start Active Directory Users and Computers.
2. Right-click the following node, and then click Properties:
   Domain\System\DFSR-GlobalSettings\ReplicationGroup\Topology
3. Click the Security tab, and then click Advanced.
4. Grant the desired users or groups the Full Control permission, and then click to select This object and all child objects in the Apply onto area.
5. Add the users or groups to each member's local Administrators group. Or, grant the Full Control permission for the computer objects of each server in the replication groups.

Generate a report on a replication group

To generate a diagnostic report, a user must be a local administrator of the servers that are part of the report.