2.5.3.2 Create a Directory Object for a DFS Replication Group Using Server Credentials

Goal

To create an Active Directory object that is used by the DFS-R Service.

Context of Use

The administrator creates Active Directory objects that have configuration information for DFS replication.

Actors

  • Admin tool

    The admin tool is the primary actor that triggers this use case. The admin tool is a program that offers management functionality to the administrator through the admin client. Typical admin tools are command-line tools and graphical shells, management utilities, and graphical management programs. The purpose of the admin tool is to correctly interpret, execute, and display the results of the commands that are issued by the administrator.

  • DFS-R Service

    The DFS-R Service is a supporting actor that provides the interfaces to create, modify, and delete configuration objects in Active Directory by using the server's machine account. It also provides the interface to monitor DFS-R on the computer and to collect statistics about the DFS-R operation.

  • Admin client

    The admin client is a supporting actor that implements client-side protocol components and consumes the file server administration services that are offered by the file server. The admin client is internal to the File Services Management system.

  • Active Directory system

    The Active Directory system is a supporting actor. The File Services Management system stores all configuration data that is related to the replication members in Active Directory.

Stakeholders

  • Administrator

    The administrator is the person who administers the file server. The administrator has administrative rights and uses the File Services Management system to provide the SMB File Service.

Preconditions

The administrator has identified an SMB File Service. A DFS-R Service is present on the SMB File Service, as described in [MS-FRS2].

Main Success Scenario

  1. Trigger: The admin tool receives a request from the administrator to create an Active Directory object.

  2. The admin tool establishes a communication channel to the DFS-R Service, as described in [MS-DFSRH] section 2.1.

  3. The DFS-R Service authenticates the administrator through the mechanisms described in [MS-AUTHSOD].

  4. The admin tool contacts the DFS-R Service to create an Active Directory object with a specified distinguished name and attributes.

  5. The DFS-R Service authorizes the administrator through the mechanisms described in [MS-DFSRH] (section 3.1.5.2.1, IADProxy::CreateObject, or section 3.1.5.3.1, IADProxy2::CreateObject).

  6. The DFS-R Service executes a Lightweight Directory Access Protocol (LDAP) command under machine security credentials to create an Active Directory object.

Postcondition

The requested Active Directory object is created.

Extensions

The following results occur if the communication channel for the DFS Replication Helper Protocol, as described in [MS-DFSRH], cannot be established, or it becomes disconnected:

  • The admin tool can attempt to establish the connection multiple times; ultimately, the use case ends with failure. Depending on when the connection failed, the Active Directory object may or may not have been created.
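The following Python model is an added illustration, not code from [MS-FSMOD] or [MS-DFSRH]: it shows why step 5 (authorizing the administrator) must precede step 6 (the LDAP add performed under the machine account), and how an admin tool can cope with the extension above, where a dropped channel leaves it unknown whether the object was created. All class and function names are hypothetical, and the distinguished name and attributes in the usage are constructed sample values.

```python
from dataclasses import dataclass, field

class ChannelLost(Exception):
    """The DFS Replication Helper channel dropped (see Extensions)."""

class NotAuthorized(Exception):
    """Caller failed the DFS-R Service authorization check (step 5)."""

@dataclass
class Directory:
    """Stand-in for Active Directory: distinguished name -> attributes."""
    objects: dict = field(default_factory=dict)

    def ldap_add(self, dn, attrs):
        if dn in self.objects:
            raise FileExistsError(dn)          # models LDAP entryAlreadyExists
        self.objects[dn] = dict(attrs)

@dataclass
class DfsrService:
    """Hypothetical model of IADProxy::CreateObject on the DFS-R Service."""
    directory: Directory
    authorized: set                            # principals allowed to create objects
    drop_after: int = 0                        # test hook: lose reply to add N (0 = never)
    adds: int = 0

    def create_object(self, caller, dn, attrs):
        if caller not in self.authorized:      # step 5: authorize the administrator
            raise NotAuthorized(caller)        # before acting with the machine account
        self.directory.ldap_add(dn, attrs)     # step 6: LDAP add under machine credentials
        self.adds += 1
        if self.adds == self.drop_after:       # write landed, but the reply never arrives
            raise ChannelLost(dn)

def create_with_retry(service, caller, dn, attrs, attempts=3):
    """Admin tool side: after a lost channel, 'already exists' means the earlier write landed."""
    lost = False
    for _ in range(attempts):
        try:
            service.create_object(caller, dn, attrs)
            return "created"
        except ChannelLost:
            lost = True                        # retry; outcome of the write is unknown
        except FileExistsError:
            if lost:
                return "created"               # our earlier attempt succeeded
            raise                              # genuine conflict: report it
    return "failed"
```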