3.1.1.3.3 rootDSE Modify Operations

This section specifies the modifiable attributes on the rootDSE of Windows 2000, Windows Server 2003, and Windows Server 2008 DCs (both AD DS and AD LDS).

rootDSE modify operations are used to trigger behaviors on a specific DC. For example, one such operation causes the DC to acquire the Schema Master FSMO. All of these rootDSE attributes are write-only; an LDAP request to read will be treated as if the attribute does not exist.

The following table specifies the set of modifiable rootDSE attributes included in each Windows version.

Attribute name | Windows 2000 | Windows 2000 SP1 | Windows Server 2003 | Windows Server 2003 SP3 | Windows Server 2008 AD DS | Windows Server 2008 AD LDS

becomeDomainMaster: X X X X X X
becomeInfrastructureMaster: X X X X X
becomePdc: X X X X X
becomePdcWithCheckPoint: X X X X X
becomeRidMaster: X X X X X
becomeSchemaMaster: X X X X X X
checkPhantoms: X X X X X
doGarbageCollection: X X X X X X
dumpDatabase: X X X X X X
fixupInheritance: X X X X X X
invalidateRidPool: X X X X X
recalcHierarchy: X X X X X
schemaUpdateNow: X X X X X X
removeLingeringObject: X X X X X
doLinkCleanup: X X X X
doOnlineDefrag: X X X X
replicateSingleObject: X X X X
updateCachedMemberships: X X X
doGarbageCollectionPhantomsNow: X X X
invalidateGCConnection: X X
renewServerCertificate: X X
rODCPurgeAccount: X
runSamUpgradeTasks: X
sqmRunOnce: X

Each of these operations is executed by performing an LDAP modify operation with a NULL DN for the object to be modified (indicating the rootDSE) and specifying the name of the modify operation as the attribute to be modified. In many of the cases, the type of the modify (add values, replace values, delete values) and the values specified do not matter and are ignored. Whether the type and values matter, and what the client specifies if they do matter, will be indicated for each operation in the following sections. Examples are given as LDAP Data Interchange Format (LDIF) samples, described in [RFC2849]. In Windows, LDIF is implemented by the ldifde.exe command-line tool.
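
An added example, not part of the specification: a Python check that scans LDIF change records for the request shape described above (a modify on the empty DN that names one of the attributes in the table), for instance when reviewing an LDIF file before it is imported. The function name, the sample DN and the attribute values in the sample are assumptions made for this illustration.

```python
import re

# Modifiable rootDSE attribute names, copied from the table on this page.
ROOTDSE_OPERATIONS = {name.lower(): name for name in """
becomeDomainMaster becomeInfrastructureMaster becomePdc becomePdcWithCheckPoint
becomeRidMaster becomeSchemaMaster checkPhantoms doGarbageCollection
dumpDatabase fixupInheritance invalidateRidPool recalcHierarchy schemaUpdateNow
removeLingeringObject doLinkCleanup doOnlineDefrag replicateSingleObject
updateCachedMemberships doGarbageCollectionPhantomsNow invalidateGCConnection
renewServerCertificate rODCPurgeAccount runSamUpgradeTasks sqmRunOnce
""".split()}

def find_rootdse_operations(ldif_text):
    """Return (record_number, operation, modify_type) per rootDSE modify found."""
    text = re.sub(r"\n ", "", ldif_text.replace("\r\n", "\n"))  # unfold lines
    findings, number = [], 0
    for block in re.split(r"\n[ \t]*\n", text):
        fields = []
        for line in block.split("\n"):
            if line and not line.startswith("#") and ":" in line:
                key, value = line.split(":", 1)
                fields.append((key.strip().lower(), value.lstrip(":<").strip()))
        dns = [v for k, v in fields if k == "dn"]
        if not dns:
            continue  # header block such as "version: 1"
        number += 1
        is_modify = any(k == "changetype" and v.lower() == "modify" for k, v in fields)
        if dns[0] or not is_modify:
            continue  # only a modify on the empty (NULL) DN addresses the rootDSE
        for key, value in fields:
            # Names match case-insensitively; the modify type is reported, not filtered.
            if key in ("add", "replace", "delete") and value.lower() in ROOTDSE_OPERATIONS:
                findings.append((number, ROOTDSE_OPERATIONS[value.lower()], key))
    return findings

# Constructed sample input; the values after each attribute are placeholders.
SAMPLE_LDIF = """dn: CN=Jo Doe,CN=Users,DC=example,DC=com
changetype: modify
replace: description
description: schemaUpdateNow
-

dn:
changetype: modify
add: becomeSchemaMaster
becomeSchemaMaster: 1
-
"""
print(find_rootdse_operations(SAMPLE_LDIF))
```

The first record is ignored even though its value mentions an operation name, because it targets a named object rather than the rootDSE.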

To perform many of these operations, the caller must be authenticated as a user that has a particular control access right or privilege; or, in some cases, as a user that is a member of a particular group. In each section that follows, the rights, privileges, or group membership, if any, that are required of the caller to perform a specific operation are specified. If the caller does not have the required rights, privileges, or group membership, the server returns insufficientAccessRights.

© 2008 Microsoft Corporation. All rights reserved.