6.1.1.1.2 Config NC Root
name: Configuration
parent: For AD DS, the forest root NC root object. For AD LDS, no parent.
wellKnownObjects: This attribute holds DN-Binary values. See section 6.1.4 for details.
instanceType: This value can never contain the following flags:
IT_NC_COMING
IT_NC_GOING
IT_UNINSTANT
Let D1 be a DC that is instructed to host a writable replica of the config NC (see section 6.1.2.3 for hosting requirements). In order for D1 to replicate the config NC, D1 MUST be granted the following rights on the config NC root:
DS-Replication-Get-Changes
DS-Replication-Get-Changes-All
DS-Replication-Get-Changes-In-Filtered-Set
Let D2 be a DC that is instructed to host a read-only replica of the config NC (see section 6.1.2.3 for hosting requirements) such that the objects in the NC replica will not contain attributes in the filtered attribute set. In order for D2 to replicate the config NC, D2 MUST be granted the following rights on the config NC root:
DS-Replication-Get-Changes
msDS-ReplAuthenticationMode: Present and used on AD LDS only. Specifies the authentication that is used for DC-to-DC communication over RPC ([MS-DRSR]). The msDS-ReplAuthenticationMode values 0, 1, and 2 are valid; if absent, the effect is as if the value was 1. See [MS-DRSR] section 2.2.1 for the effects of these values.
objectSid: Present and used on AD LDS only. This attribute contains the SID that is used in generating objectSid values for new AD LDS security principals residing in the config NC, as specified in section 3.1.1.5.2.4. This attribute is not returned by LDAP queries.
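
The constraints in this section can be checked mechanically when auditing a config NC root. The following is an added example, not part of the specification: the flag values and control-access-right GUIDs are the standard Active Directory ones and are not listed in this section, and the ACE dictionaries, role names, and the trustee D3 are hypothetical, constructed for illustration.

```python
# Added example. Flag values and control-access-right GUIDs are the standard
# Active Directory ones; they are not listed in this section.
FORBIDDEN_IT = {"IT_UNINSTANT": 0x2, "IT_NC_COMING": 0x10, "IT_NC_GOING": 0x20}
RIGHTS = {
    "DS-Replication-Get-Changes": "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "DS-Replication-Get-Changes-All": "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    "DS-Replication-Get-Changes-In-Filtered-Set": "89e95b76-444d-4c62-991a-0facbeda640c",
}
# Rights this section requires per replica kind (role names are hypothetical).
REQUIRED = {
    "writable": set(RIGHTS),
    "read_only_filtered": {"DS-Replication-Get-Changes"},
}

def forbidden_instance_flags(instance_type):
    """Names of flags that must never be set on the config NC root."""
    return sorted(n for n, bit in FORBIDDEN_IT.items() if instance_type & bit)

def effective_repl_auth_mode(value):
    """AD LDS only: 0, 1, 2 are valid; an absent value behaves as 1."""
    if value is None:
        return 1
    if value not in (0, 1, 2):
        raise ValueError(f"invalid msDS-ReplAuthenticationMode: {value}")
    return value

def missing_replication_rights(aces, trustee, role):
    """Required rights that no allow ACE on the NC root grants to trustee.
    Simplification: only object ACEs naming the right's GUID are counted;
    group membership and all-extended-rights ACEs are not resolved."""
    granted = {a["object_type"].lower() for a in aces
               if a["trustee"] == trustee and a["type"] == "allow"}
    return sorted(r for r in REQUIRED[role] if RIGHTS[r] not in granted)

# Constructed sample data: ACEs on a config NC root, trustees named after the text.
SAMPLE_ACES = (
    [{"trustee": "D1", "type": "allow", "object_type": g} for g in RIGHTS.values()]
    + [{"trustee": "D2", "type": "allow", "object_type": RIGHTS["DS-Replication-Get-Changes"]},
       {"trustee": "D3", "type": "allow", "object_type": RIGHTS["DS-Replication-Get-Changes"]},
       {"trustee": "D3", "type": "deny", "object_type": RIGHTS["DS-Replication-Get-Changes-All"]}]
)

if __name__ == "__main__":
    print(forbidden_instance_flags(0x5 | 0x10))   # IT_NC_HEAD | IT_WRITE | IT_NC_COMING
    for dc, role in (("D1", "writable"), ("D2", "read_only_filtered"), ("D3", "writable")):
        print(dc, role, missing_replication_rights(SAMPLE_ACES, dc, role))
```

A trustee that holds these rights on the NC root without being a DC that hosts a replica is worth reviewing in the same audit, since the rights permit replication of the NC's contents.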