You are an Enterprise administrator for contoso.com. The company consists of a head office and a branch office. The corporate network of the company consists of a single Active Directory domain.

Because the branch office was comparatively less secure, you decided to deploy a Read-only Domain Controller (RODC) in the branch office so that branch office support technicians cannot manage domain user accounts on the RODC. However, they should be able to maintain drivers and disks on the RODC.

Which of the following options would you choose to manage the RODC to meet the desired goal?

A.
Configure Administrator Role Separation on the RODC.

B.
For the branch office support technicians, set NTFS permissions on the Active Directory database to Read & Execute.

C.
Configure the RODC to replicate the password for the branch office support technicians.

D.
For the branch office support technicians, set NTFS permissions on the Active Directory database to Deny Full Control.

E.
None of the above

Explanation:
To ensure that branch office support technicians would not manage domain user accounts on the RODC and should be able to maintain drivers and disks on the RODC, you need to configure the RODC for Administrator Role Separation.

Administrator Role Separation specifies that any domain user or security group can be delegated to be the local administrator of an RODC without granting that user or group any rights for the domain or other domain controllers. Accordingly, a delegated administrator can log on to an RODC to perform maintenance work on the server such as upgrading a driver. But the delegated administrator would not be able to log on to any other domain controller or perform any other administrative task in the domain.

Reference: RODC Features/ Administrator role separation http://technet.microsoft.com/en-us/library/cc753223.aspx#bkmk_separation