3.1.1.3.4.1.23 LDAP_SERVER_RODC_DCPROMO_OID

If this control is specified and the caller does not have the DS-Install-Replica control access right on the root of the default NC, the result is the error insufficientAccessRights / ERROR_ACCESS_DENIED.

If the request is an Add of an object of class user or a subclass of user, the presence of this control has the following effects:

  • The DC generates a value in the range [1 .. 65535] that is not used as a value of the msDS-SecondaryKrbTgtNumber attribute on an object in this domain, and assigns the generated value to the msDS-SecondaryKrbTgtNumber attribute of the created object. If no such value exists, the result is the error other / ERROR_NO_SYSTEM_RESOURCES.

  • The generated value for msDS-SecondaryKrbTgtNumber is appended (in decimal form) to the string "krbtgt_", and the resulting string is assigned to the sAMAccountName attribute on the created object (so the account created for a secondary number of 12345 is named "krbtgt_12345"), replacing any sAMAccountName supplied in the Add request.

  • The userAccountControl bits ADS_UF_ACCOUNT_DISABLE and ADS_UF_DONT_EXPIRE_PASSWD (section 2.2.16) are set on the object's userAccountControl attribute.

  • The object's account password is set to a randomly generated value that satisfies all criteria in [MS-SAMR] section 3.1.1.7.2 and is processed as described in [MS-SAMR] section 3.1.1.8.5.

    Note In Windows Server 2008 operating system and later, the DC servicing the request need not be the PDC FSMO role owner.
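The DC-side handling of a user Add under this control, as the preceding list describes it, modeled in Python. This is an added example, not code from MS-ADTS or from Windows; it assumes the flag values ADS_UF_ACCOUNT_DISABLE = 0x2 and ADS_UF_DONT_EXPIRE_PASSWD = 0x10000 from section 2.2.16, picks the free number at random (the section only requires an unused one), and stands in a simple long random string for the MS-SAMR 3.1.1.7.2 password criteria. The function and attribute-dictionary names are this example's own.

```python
import re
import secrets
import string

# userAccountControl flag values from MS-ADTS section 2.2.16.
ADS_UF_ACCOUNT_DISABLE = 0x00000002
ADS_UF_DONT_EXPIRE_PASSWD = 0x00010000

# Range the DC draws msDS-SecondaryKrbTgtNumber from, per this section.
SECONDARY_KRBTGT_MIN = 1
SECONDARY_KRBTGT_MAX = 65535


class LdapResultError(Exception):
    """An LDAP result code paired with the Win32 error the spec lists beside it."""

    def __init__(self, result_code, win32_error):
        super().__init__(f"{result_code} / {win32_error}")
        self.result_code = result_code
        self.win32_error = win32_error


def allocate_secondary_krbtgt_number(used_numbers, pick=secrets.randbelow):
    """Return a value in [1..65535] not used as msDS-SecondaryKrbTgtNumber anywhere
    in the domain. If every value is taken, fail with other / ERROR_NO_SYSTEM_RESOURCES."""
    free = [n for n in range(SECONDARY_KRBTGT_MIN, SECONDARY_KRBTGT_MAX + 1)
            if n not in used_numbers]
    if not free:
        raise LdapResultError("other", "ERROR_NO_SYSTEM_RESOURCES")
    # Random choice among the free values is this example's assumption, not a spec rule.
    return free[pick(len(free))]


def generate_account_password(length=120):
    """Stand-in for the random password the DC sets. MS-SAMR 3.1.1.7.2 holds the real
    acceptance criteria; this only guarantees length and all four character classes."""
    classes = (string.ascii_uppercase, string.ascii_lowercase,
               string.digits, string.punctuation)
    alphabet = "".join(classes)
    while True:
        pwd = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pwd) for cls in classes):
            return pwd


def process_rodc_dcpromo_user_add(requested_attrs, used_numbers,
                                  caller_has_ds_install_replica,
                                  pick=secrets.randbelow):
    """Apply the control's effects to an Add of a user (or user-subclass) object.
    Returns (attributes to store, cleartext password that was set)."""
    # The DS-Install-Replica check on the root of the default NC happens first,
    # before any class-specific processing.
    if not caller_has_ds_install_replica:
        raise LdapResultError("insufficientAccessRights", "ERROR_ACCESS_DENIED")

    attrs = dict(requested_attrs)
    number = allocate_secondary_krbtgt_number(used_numbers, pick)
    attrs["msDS-SecondaryKrbTgtNumber"] = number
    # Decimal form of the number appended to "krbtgt_" replaces any requested name.
    attrs["sAMAccountName"] = f"krbtgt_{number}"
    # Both bits are set on top of whatever userAccountControl the caller asked for.
    attrs["userAccountControl"] = (attrs.get("userAccountControl", 0)
                                   | ADS_UF_ACCOUNT_DISABLE | ADS_UF_DONT_EXPIRE_PASSWD)
    return attrs, generate_account_password()


_RODC_KRBTGT_NAME = re.compile(r"^krbtgt_(\d+)$")


def is_wellformed_rodc_krbtgt(attrs):
    """Audit check: does a stored account carry the invariants this control establishes
    (name/number agreement, number in range, disabled, password never expires)?"""
    m = _RODC_KRBTGT_NAME.match(attrs.get("sAMAccountName", ""))
    if not m:
        return False
    number = attrs.get("msDS-SecondaryKrbTgtNumber")
    if number is None or m.group(1) != str(number):
        return False
    if not SECONDARY_KRBTGT_MIN <= number <= SECONDARY_KRBTGT_MAX:
        return False
    required = ADS_UF_ACCOUNT_DISABLE | ADS_UF_DONT_EXPIRE_PASSWD
    return attrs.get("userAccountControl", 0) & required == required
```

The audit helper at the end is the part worth keeping around: an account named krbtgt_N whose msDS-SecondaryKrbTgtNumber is not N, or that is enabled, does not match what this control produces and deserves a closer look.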

If the request is an Add of an object of class nTDSDSA, the presence of this control has the following effects:

  • The DC creates the nTDSDSA object using the information provided in the Add request. The only special effect of the control is to perform the checking of the DS-Install-Replica control access right (specified previously in this section) to authorize the nTDSDSA object creation. Without this control, an Add that attempts to create an nTDSDSA object will fail because the class is system-only (section 3.1.1.2.4.8).

When sending this control to a DC, the controlValue field of the Control structure is omitted. Sending this control to a DC does not cause the DC to include any controls in its response.
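What "controlValue is omitted" looks like on the wire, as an added Python example that is not part of MS-ADTS. It encodes the RFC 4511 Control SEQUENCE in BER and parses it back, keeping an omitted controlValue distinct from an empty one. The OID 1.2.840.113556.1.4.1341 is taken from the control table in section 3.1.1.3.4.1, not from this section; marking the control critical by default is this example's choice, since a DC that silently ignored it would create an ordinary user instead.

```python
# OID assigned to LDAP_SERVER_RODC_DCPROMO_OID in the MS-ADTS control table.
LDAP_SERVER_RODC_DCPROMO_OID = "1.2.840.113556.1.4.1341"


def ber_length(n):
    """Definite-form BER length: one byte below 128, otherwise 0x80|count then the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, content):
    return bytes([tag]) + ber_length(len(content)) + content


def encode_control(control_type, criticality=False, control_value=None):
    """Control ::= SEQUENCE { controlType LDAPOID, criticality BOOLEAN DEFAULT FALSE,
    controlValue OCTET STRING OPTIONAL } (RFC 4511). LDAPOID is the dotted-decimal
    string carried as an OCTET STRING, not a BER OBJECT IDENTIFIER. criticality FALSE
    is the DEFAULT and is left out of the encoding."""
    body = ber_tlv(0x04, control_type.encode("ascii"))
    if criticality:
        body += ber_tlv(0x01, b"\xff")
    if control_value is not None:   # None means omitted; b"" would be present but empty
        body += ber_tlv(0x04, control_value)
    return ber_tlv(0x30, body)


def rodc_dcpromo_control(critical=True):
    """The control as this section specifies it: no controlValue element at all."""
    return encode_control(LDAP_SERVER_RODC_DCPROMO_OID, critical)


def _read_tlv(buf, pos):
    """Read one BER TLV at pos; return (tag, content, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:end], end


def decode_control(data):
    """Return (controlType, criticality, controlValue or None). A server-side parser
    must not collapse an omitted controlValue into an empty OCTET STRING."""
    tag, body, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("Control must be exactly one SEQUENCE")
    tag, content, pos = _read_tlv(body, 0)
    if tag != 0x04:
        raise ValueError("controlType must be an OCTET STRING (LDAPOID)")
    control_type = content.decode("ascii")
    criticality, value, seen_crit = False, None, False
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag == 0x01 and not seen_crit and value is None:
            criticality = content != b"\x00"
            seen_crit = True
        elif tag == 0x04 and value is None:
            value = content
        else:
            raise ValueError("unexpected element in Control")
    return control_type, criticality, value
```

The critical form is 30 bytes: a SEQUENCE of the 23-byte OID string and a three-byte BOOLEAN; without criticality it shrinks to 27 bytes. Nothing in the DC's response carries this control back, so a client library only needs the encoder.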