An LDAP Modify of the runSamUpgradeTasks attribute causes the default groups and memberships (as specified in [MS-SAMR] section 18.104.22.168) to be created in the domain if they are not already created. This operation is useful in a domain with different versions of domain controllers where the default groups and memberships are not yet created.
If a partial set of these modifications has already been performed in the domain through this task, the Modify operation of this attribute MUST cause the rest of the operations to be performed. If all such modifications have already been performed, the Modify operation of this attribute MUST NOT make any changes in the domain.
The requester MUST be a member of the "Domain Admins" group in the domain to perform this operation.
The DC, on receiving this request, MUST verify that the otherWellKnownObjects attribute on the object "CN=Server, CN=System, DC=<domain>" on the DC with the PDC role contains "B:32:6ACDD74F3F314AE396F62BBE6B2DB961:X", where <domain> is the domain NC DN, and X is the DN of the nTDSDSA object of the DC receiving the request. If this condition is not satisfied, the LDAP Modify returns operationsError / ERROR_DS_GENERIC_ERROR.
If these conditions are satisfied, the default groups and memberships (as specified in [MS-SAMR] section 22.214.171.124) are created in the domain.
The type of modification and values specified in the LDAP Modify operation do not matter. The following shows an LDIF sample that performs this operation. This sample triggers the creation of the default groups and memberships on the target domain.
dn:
changetype: modify
add: runSamUpgradeTasks
runSamUpgradeTasks: 1
-
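The otherWellKnownObjects check described above can be reproduced offline when auditing which DC is allowed to run this task. The following Python is an added example, not part of the specification: it parses DN-Binary values of the form B:<count>:<hex>:<DN> and tests for the GUID and nTDSDSA DN pairing. The function names, the simplified DN normalization and the sample DNs are assumptions constructed for illustration.

```python
import re

# Well-known GUID quoted in the text above for the runSamUpgradeTasks check.
SAM_UPGRADE_GUID = "6ACDD74F3F314AE396F62BBE6B2DB961"

# DN-Binary string form: B:<hex char count>:<hex digits>:<object DN>
_DN_BINARY = re.compile(r"^B:(\d+):([0-9A-Fa-f]*):(.+)$", re.DOTALL)


def parse_dn_binary(value):
    """Split a DN-Binary string into (hex_upper, dn); raise ValueError if malformed."""
    m = _DN_BINARY.match(value.strip())
    if not m:
        raise ValueError("not a DN-Binary value: %r" % value)
    count, hexpart, dn = int(m.group(1)), m.group(2), m.group(3)
    if count != len(hexpart) or count % 2:
        raise ValueError("count %d does not match %d hex digits" % (count, len(hexpart)))
    return hexpart.upper(), dn


def normalize_dn(dn):
    """Simplified comparison key: trims spaces around RDNs and folds case.
    Assumption: the DNs being compared contain no escaped commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def sam_upgrade_precondition_met(other_well_known_objects, ntds_dsa_dn):
    """True if a value pairs the well-known GUID with the receiving DC's nTDSDSA DN."""
    wanted = normalize_dn(ntds_dsa_dn)
    for raw in other_well_known_objects:
        try:
            guid_hex, dn = parse_dn_binary(raw)
        except ValueError:
            continue  # a malformed value cannot satisfy the check
        if guid_hex == SAM_UPGRADE_GUID and normalize_dn(dn) == wanted:
            return True
    return False


# Constructed sample data (hypothetical DNs, not from a real directory).
DC1 = "CN=NTDS Settings,CN=DC1,CN=Servers,CN=Site1,CN=Sites,CN=Configuration,DC=example,DC=com"
DC2 = DC1.replace("CN=DC1", "CN=DC2")
SAMPLE_VALUES = [
    "B:32:" + "0" * 31 + "1:" + DC1,                 # different GUID (constructed)
    "B:32:6acdd74f3f314ae396f62bbe6b2db961:" + DC2,  # right GUID, lower-case hex
    "B:32:6ACDD74F:" + DC1,                          # malformed: count mismatch
]
```

With the constructed values, only DC2 satisfies the condition; a Modify received by DC1 would fall into the operationsError / ERROR_DS_GENERIC_ERROR case described above.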