Archived from groups: microsoft.public.win2000.active_directory,microsoft.public.windows.server.active_directory (
More info?)
I think that should read:
Replicating Directory Changes; and
Replication Synchronization
As mentioned earlier, these permissions will need to be set on the Schema
and Domain partitions as well, as a single connection object generally
replicates both enterprise and domain partitions.
I'm not in front of a 2003 DC now, but assume that you will also need to set
this on any application partitions you are using, e.g. forest-wide DNS.
There's also a Manage Replication Topology permission, if you want to grant
additional permissions to certain admins.
--
Paul Williams
http://www.msresource.net
http://forums.msresource.net
"<Shiny Bob>" <parris@newsguy,com> wrote in message
news:cstr780g0h@news4.newsguy.com...
Force replication between two servers
Extended right Replication Synchronization needed on cn=configuration,
dc=<forestRootDomain>
Force a synchronization between two servers
Extended right Replication Synchronization needed on cn=configuration,
dc=<forestRootDomain>
this is extracted from
Best Practices for Delegating Active Directory Administration: Appendices
Regards
Mark
"ptwilliams" <ptw2001@hotmail.com> wrote in message
news:%23rko4HHAFHA.3824@TK2MSFTNGP10.phx.gbl...
> The permissions you need to set depend on your replication topology. But
> most connection objects piggy bank together. That is, the enterprise
> partitions usually tag along with the domain partitions. There will be
> instances whereby there are different connections for different
> connections,
> especially in multi-site multi-domain environments, where the GC has to
> pull
> from either another GC or a domain partition, etc. So, as Glen stated,
> the
> best 'catch all' is to set these on all partitions.
>
> I guess, in 2003, you also have to take the application partitions into
> consideration as well.
>
> --
>
> Paul Williams
>
>
http://www.msresource.net
>
http://forums.msresource.net
>
>
> "Glenn L" <the.only(delete)@gmail dot com> wrote in message
> news:eLOKiKEAFHA.2180@TK2MSFTNGP10.phx.gbl...
> There are specific ACLs you must set on each partition
> (domain,config,schema) to allow a non admin to force replication.
> They are:
> replicate directory changes
> replicate directory changes all
> replication synchronization
>
> I am not sure which one you need to set or if they all need to be set.
> You
> will need to test this out to figure out which ones are required. Make it
> easy on yourself and enable them all.
>
> You should also consider the "Monitor Active Directory Replication" ACL so
> the delegated user can utilize repadmin and replmon to monitor replication
> status.
>
>
>
>
> --
> Glenn L
> CCNA, MCSE 2000/2003 + Security
>
> "Allen Firouz" <AllenFirouz@discussions.microsoft.com> wrote in message
> news:12EEADBD-5A84-47E7-8A2E-21333B441C86@microsoft.com...
>> Tim:
>> "You do have the ability to delegate the administration of the actual
>> replication object in Active Directory, but I don't believe, in Sites and
>> Services, [there is] the ability to delegate the ability for a
>> non-administrative user to actually force the replication. So in other
>> words,
>> they may be able to manage the schedule around that replication
>> connection
>> or
>> the frequency, but not actually force the replication connection itself."
>>
>> -Allen Firouz
>> (excerpt from Technet Webcast transcript)
>>
>> "Tim Kalligonis" wrote:
>>
>>> I need to delegate the ability to force AD replication between sites to
>>> a
>>> specific group of Admins. I haven't found and KB articles telling me
>>> what I
>>> need to delegate to do this.
>>>
>>> All I want them to be able to do is choose "replicate now" and nothing
>>> else
>>> within Sites and Services.
>>>
>>> I have tried delegating Full Control on Site Replication Service
>>> objects,
>>> but it isn't enough. They are still not able to force replication.
>>>
>>> Can anyone point me in the right direction or know exactly which items I
>>> need to delegate?
>>>
>>> Thanks,
>>> Tim
>>>
>>>
>>>
>
>
>