Delegate the right to start/stop replication

Let’s say you want to isolate a domain controller for a certain time; you would issue the command:

repadmin /options +DISABLE_INBOUND_REPL and/or +DISABLE_OUTBOUND_REPL

Normally this command requires Domain Admin or Enterprise Admin privileges.
Why that is, and how to change it, is explained below. First the usual warning:
playing with ADSIEdit can damage your domain, so please test everything in a lab environment first, etc.


NOTE1: Although we can stop replication for a single domain controller (or several) this way, issuing repadmin /replicate does not look at the connection object and replication will still occur, so disabling replication this way does not guarantee that inbound/outbound replication is halted completely.

NOTE2: The instructions below are ONLY for those circumstances where this might be required. In my case a domain controller had to be isolated for a short period of time while two scripts ran to export and import pre-staged AD data, and while the export/import was running we did not want any changes going in or out of the DC. Only after verification of the exported/imported data is replication for this domain controller resumed. In my case I delegate the rights to a service account (that I do not want to make Domain Admin). Delegating to persons is not advisable! Also make sure you have enough monitoring to see whether replication is halted/resumed.

WARNING: If replication is not re-enabled within the tombstone lifetime, the DC will no longer replicate automatically and will be treated as insecure by the other DCs to avoid lingering objects; please check http://technet.microsoft.com/en-us/library/cc757610.aspx

The replication of a domain controller is handled through a connection object. That object is created by the KCC (or manually when the KCC is disabled). The connection object defines the "from" server, the replication interval, and so on; through the options attribute of this object replication can be disabled or enabled. So the security of the object (or, more specifically, the security on the options attribute of the object) defines who can enable/disable replication for a specific connection. Under normal conditions only SYSTEM, Domain Admins and Enterprise Admins have full control rights on these objects.

Now how to change it: open ADSIEdit and browse to CN=<DC>,CN=Servers,CN=<SITE>,CN=Sites,CN=Configuration,DC=<DOMAIN>,DC=<EXT>

Below the server entry you will see the connection object with its GUID. Right-click it and select Properties, then select the Security tab and click Advanced. Click Add and add the account you like, but do not click OK yet: click Properties, select Read Options and Write Options, and then click OK, OK, OK.

NOTE3: The options attribute is not solely used to disable/enable replication; it is also used to make a DC a GC, etc. Delegating rights on this attribute also gives the delegated account those rights!
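The same delegation done with PowerShell instead of clicking through ADSIEdit, plus a check of who ends up with write access on the attribute. This is an added example, not code from the original post; it assumes the ActiveDirectory module is available, that you run it as an account allowed to edit the objects' security (e.g. Domain Admin), and that $DcName, $SiteName and $Delegate are replaced with your own values (placeholders here). The ReadProperty/WriteProperty pair scoped to the schema GUID of "options" is exactly what the Read Options / Write Options checkboxes in the GUI set.

```powershell
# Added example, not from the original post: delegate Read/Write on the
# 'options' attribute of a DC's connection objects to one account, then
# list who can write that attribute. Requires the ActiveDirectory module
# and an account that may edit the objects' security (e.g. Domain Admin).
Import-Module ActiveDirectory

$DcName   = 'DC01'                     # placeholder: server entry under CN=Servers
$SiteName = 'Default-First-Site-Name'  # placeholder: the DC's site
$Delegate = 'CONTOSO\svc-replctl'      # placeholder: service account to delegate to

$rootDse  = Get-ADRootDSE
$serverDn = "CN=$DcName,CN=Servers,CN=$SiteName,CN=Sites,$($rootDse.configurationNamingContext)"

# Resolve the schemaIDGUID of 'options' from the schema rather than hard-coding it
$optionsGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=options)' -Properties schemaIDGUID).schemaIDGUID

# The KCC-created connection objects (class nTDSConnection) sit under the server entry
$connections = Get-ADObject -SearchBase $serverDn -LDAPFilter '(objectClass=nTDSConnection)'

$sid = (New-Object System.Security.Principal.NTAccount($Delegate)).Translate([System.Security.Principal.SecurityIdentifier])

foreach ($conn in $connections) {
    $path = "AD:\$($conn.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    # Only Read Options + Write Options on this single attribute, nothing wider
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        [System.Security.AccessControl.AccessControlType]::Allow,
        $optionsGuid)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# Audit: every identity that can now write 'options' (expect SYSTEM, the admin
# groups and the delegate). Anything else here deserves a closer look (see NOTE3).
foreach ($conn in $connections) {
    "`n$($conn.DistinguishedName)"
    (Get-Acl -Path "AD:\$($conn.DistinguishedName)").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights -match 'WriteProperty|GenericWrite|GenericAll' -and
            ($_.ObjectType -eq $optionsGuid -or $_.ObjectType -eq [guid]::Empty)
        } | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
}
```

Run the audit part on its own from time to time: because the same attribute also controls the GC flag (NOTE3), any unexpected identity in that list is worth an explanation.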

And a big thanks to: ActiveDir.org and Spat for the info!
