If this control is specified and the caller does not have the DS-Install-Replica control access right on the root of the default NC, the result is the error insufficientAccessRights / ERROR_ACCESS_DENIED.
The DC generates a value in the range [1 .. 65535] that is not used as a value of the msDS-SecondaryKrbTgtNumber attribute on an object in this domain, and assigns the generated value to the msDS-SecondaryKrbTgtNumber attribute of the created object. If no such value exists, the result is the error other / ERROR_NO_SYSTEM_RESOURCES.
The generated value for msDS-SecondaryKrbTgtNumber is appended (in decimal form) to the string "krbtgt", and the resulting string is assigned to the sAMAccountName attribute on the created object.
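The three processing rules above (access check, number allocation, sAMAccountName derivation) modeled in Python as an added example; it is not part of the specification text and not Microsoft code. The function names, the LdapError class, the representation of the caller's rights as a set of strings, and the random choice among free values are assumptions made for illustration.

```python
import random

KRBTGT_PREFIX = "krbtgt"        # prefix string exactly as given in the text above
NUMBER_RANGE = range(1, 65536)  # the range [1 .. 65535]
REQUIRED_RIGHT = "DS-Install-Replica"


class LdapError(Exception):
    """Carries the LDAP error / Windows error pair named in the text."""

    def __init__(self, ldap_error, win32_error):
        super().__init__(f"{ldap_error} / {win32_error}")
        self.ldap_error, self.win32_error = ldap_error, win32_error


def allocate_number(used_numbers, rng=random):
    """Return a value in [1 .. 65535] that no object in the domain uses yet."""
    free = [n for n in NUMBER_RANGE if n not in used_numbers]
    if not free:
        # Every value in the range is already taken.
        raise LdapError("other", "ERROR_NO_SYSTEM_RESOURCES")
    # Assumption: the text does not say how the DC picks among free values.
    return rng.choice(free)


def apply_control(caller_rights_on_default_nc_root, used_numbers):
    """Model the control's effect on the created object (hypothetical helper).

    caller_rights_on_default_nc_root: set of control access right names.
    used_numbers: set of msDS-SecondaryKrbTgtNumber values present in the domain.
    """
    # The access check comes first, so an unauthorized caller learns nothing
    # about which numbers are in use.
    if REQUIRED_RIGHT not in caller_rights_on_default_nc_root:
        raise LdapError("insufficientAccessRights", "ERROR_ACCESS_DENIED")
    number = allocate_number(used_numbers)
    return {
        "msDS-SecondaryKrbTgtNumber": number,
        "sAMAccountName": f"{KRBTGT_PREFIX}{number}",  # decimal form appended
    }


if __name__ == "__main__":
    in_use = {1, 2, 40000}  # constructed sample of values already in the domain
    print(apply_control({"DS-Install-Replica"}, in_use))
```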
If the request is an Add of an object of class nTDSDSA, the presence of this control has the following effects:
The DC creates the nTDSDSA object using the information provided in the Add request. The only special effect of the control is to perform the checking of the DS-Install-Replica control access right (specified previously in this section) to authorize the nTDSDSA object creation. Without this control, an Add that attempts to create an nTDSDSA object will fail because the class is system-only (section 126.96.36.199.4.8).
When sending this control to a DC, the controlValue field of the Control structure is omitted. Sending this control to a DC does not cause the DC to include any controls in its response.