3.1.1.3.3 rootDSE Modify Operations

This section specifies the modifiable attributes on the rootDSE of Windows 2000 operating system, Windows Server 2003 operating system, Active Directory Application Mode (ADAM), Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, Windows Server 2016 operating system, and Windows Server operating system DCs (both AD DS and AD LDS).

rootDSE modify operations are used to trigger behaviors on a specific DC. For example, one such operation causes the DC to acquire the Schema Master FSMO. All of these rootDSE attributes are write-only; an LDAP request to read one of them is treated as if the attribute does not exist.

The following table specifies the set of modifiable rootDSE attributes included in applicable Windows Server releases or ADAM versions.

The table contains information for the following products. See section 3 for more information.

  • A --> Windows 2000

  • B --> Windows 2000 operating system Service Pack 1 (SP1)

  • D --> Windows Server 2003

  • F --> Windows Server 2003 operating system with Service Pack 3 (SP3)

  • H --> ADAM RTW

  • I --> ADAM SP1

  • K --> Windows Server 2008 AD DS

  • L --> Windows Server 2008 AD LDS

  • N --> Windows Server 2008 R2 AD DS

  • P --> Windows Server 2008 R2 AD LDS

  • S --> Windows Server 2012 AD DS

  • T --> Windows Server 2012 AD LDS

  • V --> Windows Server 2012 R2 AD DS

  • W --> Windows Server 2012 R2 AD LDS

  • Y --> Windows Server 2016 AD DS

  • Z --> Windows Server 2016 AD LDS

  • B2 --> Windows Server operating system AD DS

  • C2 --> Windows Server operating system AD LDS

    Attribute name | A | B | D | F | H | I | K | L | N | P | S | T | V | W | Y, B2 | Z, C2
    becomeDomainMaster | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X
    becomeInfrastructureMaster | X | X | X | X | X | X | X | X | X
    becomePdc | X | X | X | X | X | X | X | X | X
    becomePdcWithCheckPoint | X | X | X | X | X | X | X | X | X
    becomeRidMaster | X | X | X | X | X | X | X | X | X
    becomeSchemaMaster | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X
    checkPhantoms | X | X | X | X | X | X | X | X | X
    doGarbageCollection | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X
    dumpDatabase | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X
    fixupInheritance | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X
    invalidateRidPool | X | X | X | X | X | X | X | X | X
    recalcHierarchy | X | X | X | X | X | X | X | X | X
    schemaUpdateNow | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X
    schemaUpgradeInProgress | X | X | X | X | X | X | X
    removeLingeringObject | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X
    doLinkCleanup | X | X | X | X | X | X | X | X | X | X | X | X | X | X
    doOnlineDefrag | X | X | X | X | X | X | X | X | X | X | X | X | X | X
    replicateSingleObject | X | X | X | X | X | X | X | X | X | X | X | X | X | X
    updateCachedMemberships | X | X | X | X | X | X | X
    doGarbageCollectionPhantomsNow | X | X | X | X | X | X | X | X | X | X | X | X
    invalidateGCConnection | X | X | X | X | X | X | X | X | X | X
    renewServerCertificate | X | X | X | X | X | X | X | X | X | X
    rODCPurgeAccount | X | X | X | X | X
    runSamUpgradeTasks | X | X | X | X | X
    sqmRunOnce | X | X | X | X | X
    runProtectAdminGroupsTask | X | X | X | X
    disableOptionalFeature | X | X | X | X | X | X | X | X
    enableOptionalFeature | X | X | X | X | X | X | X | X
    dumpReferences | X | X
    sidCompatibilityVersion | X | X | X
    dumpLinks | X | X | X | X
    schemaUpdateIndicesNow | X | X | X | X
    null | X | X | X | X
    dumpQuota | X | X | X | X
    dumpLinksExtended | X | X
    dumpLDAPState | X | X
    msDS-ProcessLinksAbandonOperation * | X | X | X | X
    msDS-ProcessLinksScheduleOperation * | X | X | X | X

* These rootDSE operations are available in Windows Server 2012 R2 only if [MSKB-3192404] is installed. The operations are available in Windows Server 2016 only if [MSKB-4038801] is installed.

Each of these operations is executed by performing an LDAP Modify operation with a NULL DN for the object to be modified (indicating the rootDSE) and specifying the name of the operation as the attribute to be modified. In [RFC2849] terminology, the rootDSE attribute to be modified is the "AttributeDescription" of the "mod-spec" associated with the "change-modify" record. In many cases, the type of the modify (add or replace) and the values specified do not matter and are ignored. Whether the type and values matter, and what the client specifies if they do matter, will be indicated for each operation in the following sections. Examples are given as LDAP Data Interchange Format (LDIF) samples, described in [RFC2849]. In Windows, LDIF is implemented by the ldifde.exe command-line tool.

To perform many of these operations, the caller must be authenticated as a user that has a particular control access right or privilege; or, in some cases, as a user that is a member of a particular group. In each section that follows, the rights, privileges, or group membership, if any, that are required of the caller to perform a specific operation are specified. If the caller does not have the required rights, privileges, or group membership, the server returns the error insufficientAccessRights / ERROR_ACCESS_DENIED.
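The record shape described above (a change-modify record with an empty DN whose mod-spec names the operation) can be recognized mechanically when reviewing LDIF files. The following Python check is an added example, not part of this specification; the function name, the sample LDIF, the value `1`, and the attribute `notInTheTable` are constructed for illustration.

```python
import re

# Operation names copied from the attribute table in this section.
ROOTDSE_OPS = {n.lower() for n in """
becomeDomainMaster becomeInfrastructureMaster becomePdc becomePdcWithCheckPoint becomeRidMaster
becomeSchemaMaster checkPhantoms doGarbageCollection dumpDatabase fixupInheritance
invalidateRidPool recalcHierarchy schemaUpdateNow schemaUpgradeInProgress removeLingeringObject
doLinkCleanup doOnlineDefrag replicateSingleObject updateCachedMemberships
doGarbageCollectionPhantomsNow invalidateGCConnection renewServerCertificate rODCPurgeAccount
runSamUpgradeTasks sqmRunOnce runProtectAdminGroupsTask disableOptionalFeature
enableOptionalFeature dumpReferences sidCompatibilityVersion dumpLinks schemaUpdateIndicesNow
null dumpQuota dumpLinksExtended dumpLDAPState msDS-ProcessLinksAbandonOperation
msDS-ProcessLinksScheduleOperation
""".split()}

MOD_SPEC = re.compile(r"^(add|delete|replace):\s*([A-Za-z][A-Za-z0-9-]*)", re.I)

def rootdse_operations(ldif_text):
    """List (mod_type, attribute, in_table) for each mod-spec sent to the NULL DN."""
    found = []
    # RFC 2849 separates records with blank lines; accept CRLF files from Windows.
    for record in re.split(r"\n\s*\n", ldif_text.replace("\r\n", "\n").strip()):
        lines = [l.rstrip() for l in record.splitlines() if not l.startswith("#")]
        dn = next((l[3:].strip() for l in lines if l.lower().startswith("dn:")), None)
        is_modify = any(re.fullmatch(r"changetype:\s*modify", l, re.I) for l in lines)
        if dn != "" or not is_modify:
            continue  # only change-modify records with an empty DN target the rootDSE
        for m in filter(None, map(MOD_SPEC.match, lines)):
            attr = m.group(2)  # attribute names compare case-insensitively in LDAP
            found.append((m.group(1).lower(), attr, attr.lower() in ROOTDSE_OPS))
    return found

# Constructed input: one rootDSE record (two mod-specs) and one ordinary entry modify.
SAMPLE = """dn:
changetype: modify
add: BECOMESCHEMAMASTER
BECOMESCHEMAMASTER: 1
-
replace: notInTheTable
notInTheTable: 1
-

dn: CN=Example,DC=example,DC=test
changetype: modify
replace: description
description: constructed
-
"""
print(rootdse_operations(SAMPLE))
```

The third element of each tuple is False for an attribute that is not in the table, which separates a listed operation from any other attribute written to the rootDSE.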
