Compartilhar via


3.1.1.3.3 rootDSE Modify Operations

This section specifies the modifiable attributes on the rootDSE of Windows 2000 operating system and later DCs (both AD DS and AD LDS).rootDSE modify operations are used to trigger behaviors on a specific DC. For example, one such operation causes the DC to acquire the Schema Master FSMO. All of these rootDSE attributes are write-only; an LDAP request to read will be treated as if the attribute does not exist.

The following table specifies the set of modifiable rootDSE attributes included in applicable Windows Server releases or Active Directory Application Mode (ADAM) versions.

The table contains information for the following products. See section 3 for more information.

  • A --> Windows 2000

  • B --> Windows 2000 operating system Service Pack 1 (SP1)

  • D --> Windows Server 2003 operating system

  • DR2 --> Windows Server 2003 R2 operating system

  • F --> Windows Server 2003 operating system with Service Pack 2 (SP2)

  • H --> ADAM RTW

  • I --> ADAM SP1

  • K --> Windows Server 2008 operating system AD DS

  • L --> Windows Server 2008 AD LDS

  • N --> Windows Server 2008 R2 operating system AD DS

  • P --> Windows Server 2008 R2 AD LDS

  • S --> Windows Server 2012 operating system AD DS

  • T --> Windows Server 2012 AD LDS

  • V --> Windows Server 2012 R2 operating system AD DS

  • W --> Windows Server 2012 R2 AD LDS

  • Y --> Windows Server 2016 operating system AD DS

  • Z --> Windows Server 2016 AD LDS

  • B2 --> Windows Server v1709 operating system AD DS

  • C2 --> Windows Server v1709 AD LDS

  • E2 --> Windows Server v1803 operating system AD DS

  • F2 --> Windows Server v1803 AD LDS

  • H2 --> Windows Server v1809 operating system AD DS

  • I2 --> Windows Server v1809 AD LDS

  • K2 --> Windows Server 2019 operating system AD DS

  • L2 --> Windows Server 2019 AD LDS

  • M2 --> Windows Server v1903 operating system AD DS

  • N2 --> Windows Server v1903 AD LDS

  • R2 --> Windows Server 2022, 23H2 operating system AD DS

  • S2 --> Windows Server 2022, 23H2 AD LDS

    Attribute name

    A

    B

    D

    DR2, F

    H

    I

    K

    L

    N

    P

    S

    T

    V

    W

    Y, B2

    Z, C2

    E2

    F2

    H2, K2

    I2, L2

                                       M2_                                                                                                                                                                                           

    N2_

    R2 , S2

    becomeDomainMaster

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    becomeInfrastructureMaster

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    becomePdc

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    becomePdcWithCheckPoint

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    becomeRidMaster

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    becomeSchemaMaster

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    checkPhantoms

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    doGarbageCollection

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    dumpDatabase

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    fixupInheritance

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    invalidateRidPool

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    recalcHierarchy

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    schemaUpdateNow

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    schemaUpgradeInProgress

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    removeLingeringObject

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    doLinkCleanup

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    doOnlineDefrag

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    replicateSingleObject

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    updateCachedMemberships

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    doGarbageCollectionPhantomsNow

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    invalidateGCConnection

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    renewServerCertificate

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    rODCPurgeAccount

    X

    X

    X

    X

    X

    X

    X

    X

    runSamUpgradeTasks

    X

    X

    X

    X

    X

    X

    X

    X

    sqmRunOnce

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    runProtectAdminGroupsTask

    X

    X

    X

    X

    X

    X

    X

    disableOptionalFeature

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    enableOptionalFeature

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    dumpReferences

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    sidCompatibilityVersion

    X

    X

    X

    X

    X

    X

    dumpLinks

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    schemaUpdateIndicesNow

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    null

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    dumpQuota

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    dumpLinksExtended

    X

    X

    X

    X

    X

    X

    X

    X

    dumpLDAPState

    X

    X

    X

    X

    X

    X

    X

    X

    msDS-ProcessLinksAbandonOperation *

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    msDS-ProcessLinksScheduleOperation *

    X

    X

    X

    X

    X

    X

    X

    X

    X

    X

    stopService

    X

    X

    X

    X

    X

    X

    msDS-RunDeletedPhantomsWithLinksTask

    X

    X

    X

    X

    dumpDatabaseExtended

    X

    X

    setPriorityBoost

    X

* These rootDSE operations are available in Windows Server 2012 R2 only if [MSKB-3192404] is installed. The operations are available in Windows Server 2016 only if [MSKB-4038801] is installed.

Each of these operations that are described in the subtopics of this section, are executed by performing an LDAP Modify operation with a NULL DN for the object to be modified (indicating the rootDSE) and specifying the name of the operation as the attribute to be modified. In [RFC2849] terminology the rootDSE attribute to be modified is the "AttributeDescription" of the "mod-spec" associated with the "change-modify" record. In many of the cases, the type of the modify (add or replace) and the values specified do not matter and are ignored. Whether the type and values matter, and what the client specifies if they do matter, will be indicated for each operation in the following sections. Examples are given as LDAP Data Interchange Format (LDIF) samples, described in [RFC2849]. In Windows, LDIF is implemented by the ldifde.exe command-line tool.

To perform many of these operations, the caller MUST be authenticated as a user that has a particular control access right or privilege; or, in some cases, as a user that is a member of a particular group. In each section that follows, the rights, privileges, or group membership, if any, that are required of the caller to perform a specific operation are specified. If the caller does not have the required rights, privileges, or group membership, the server returns the error insufficientAccessRights / ERROR_ACCESS_DENIED.