PrepAway - Latest Free Exam Questions & Answers

Which tool should you use?

You install a read-only domain controller (RODC) named RODC1.
You need to ensure that a user named User1 can administer RODC1.
The solution must minimize the number of permissions assigned to User1.
Which tool should you use?


A.
Active Directory Administrative Center

B.
Active Directory Users and Computers

C.
Dsadd

D.
Dsmgmt

Explanation:
Many thanks to Luffy for pointing me in the right direction with this question!
There are a couple of ways to achieve this, and two of them are mentioned in the listed answers: Active
Directory Users and Computers and Dsmgmt.
Referenced below are two TechNet articles. The first explains the different ways to implement Administrator
Role Separation on an RODC, and why the use of Active Directory Users and Computers is recommended over Dsmgmt. The
second reference is now a kind of bonus, explaining how to use dsmgmt for this task. (In version 1 of this dump
I used it to explain why dsmgmt should be the answer.)
Reference 1:
http://technet.microsoft.com/en-us/library/cc755310.aspx
Delegating local administration of an RODC
Administrator Role Separation (ARS) is an RODC feature that you can use to delegate the ability to administer
an RODC to a user or a security group. When you delegate the ability to log on to an RODC to a user or a
security group, the user or group is not added to the Domain Admins group and therefore does not have additional
rights to perform directory service operations.
Steps and best practices for setting up ARS
You can specify a delegated RODC administrator during an RODC installation or after it.
To specify the delegated RODC administrator after installation, you can use either of the following options:
Modify the Managed By tab of the RODC account properties in the Active Directory Users and
Computers snap-in, as shown in the following figure. You can click Change to change which security
principal is the delegated RODC administrator. You can choose only one security principal. Specify a
security group rather than an individual user so you can control RODC administration permissions most
efficiently. This method changes the managedBy attribute of the computer object that corresponds to the
RODC to the SID of the security principal that you specify. This is the recommended way to specify the
delegated RODC administrator account because the information is stored in AD DS, where it can be
centrally managed by domain administrators.

Use the ntdsutil local roles command or the dsmgmt local roles command. You can use this command to
view, add, or remove members from the Administrators group and other built-in groups on the RODC. [See
also the second reference for more information on how to use dsmgmt.]
Using ntdsutil or dsmgmt to specify the delegated RODC administrator account is not recommended
because the information is stored only locally on the RODC. Therefore, when you use ntdsutil local roles to
delegate an administrator for the RODC, the account that you specify does not appear on the Managed By tab
of the RODC account properties. As a result, using the Active Directory Users and Computers snap-in or a
similar tool will not reveal that the RODC has a delegated administrator.
In addition, if you demote an RODC, any security principal that you specified by using ntdsutil local roles
remains stored in the registry of the server. This can be a security concern if you demote an RODC in one
domain and then promote it to be an RODC again in a different domain. In that case, the original security
principal would have administrative rights on the new RODC in the different domain.
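The recommended option above is a single attribute write, so it is easy to script and, more importantly, to audit. The following PowerShell is an added example (not from the TechNet article or the dump) of doing the same thing the Managed By tab does with the RSAT ActiveDirectory module, then verifying it. It assumes an RODC computer account named RODC1 and a hypothetical security group RODC1-Admins containing User1; both the group name and the domain name CONTOSO are assumptions.

```powershell
# Added example: delegate RODC administration via the managedBy attribute.
# Assumes RSAT ActiveDirectory module, an RODC named RODC1, and a hypothetical
# group RODC1-Admins (with User1 as a member). Run as a domain administrator.
Import-Module ActiveDirectory

$rodcName  = 'RODC1'
$groupName = 'RODC1-Admins'   # hypothetical; a group is preferred over a single user

# Sanity check: only do this against a computer that is actually an RODC.
$dc = Get-ADDomainController -Identity $rodcName
if (-not $dc.IsReadOnly) {
    throw "$rodcName is not a read-only domain controller; refusing to delegate."
}

# Same write the "Managed By" tab performs: set managedBy to the group's DN.
$groupDN = (Get-ADGroup -Identity $groupName).DistinguishedName
Set-ADComputer -Identity $rodcName -ManagedBy $groupDN

# Verify it is stored in AD DS (so any domain admin can see who holds the role).
Get-ADComputer -Identity $rodcName -Properties ManagedBy |
    Select-Object Name, ManagedBy

# Least-privilege check: the delegate must NOT also be a Domain Admin,
# otherwise the delegation adds nothing and the account is over-privileged.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName
foreach ($member in Get-ADGroupMember -Identity $groupName -Recursive) {
    if ($domainAdmins -contains $member.SamAccountName) {
        Write-Warning "$($member.SamAccountName) is in Domain Admins; delegation is pointless for this account."
    }
}
```

Because managedBy is a plain directory attribute, the same query (Get-ADComputer -Properties ManagedBy across all RODCs) gives you an inventory of every delegated RODC administrator in the forest, which is exactly the visibility the dsmgmt approach lacks.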
Reference 2:
http://technet.microsoft.com/en-us/library/cc732301.aspx
Administrator Role Separation Configuration
This section provides procedures for creating a local administrator role for an RODC and for adding a user to
that role.
To configure Administrator Role Separation for an RODC
1. Click Start, click Run, type cmd, and then press ENTER.
2. At the command prompt, type dsmgmt.exe, and then press ENTER.
3. At the DSMGMT prompt, type local roles, and then press ENTER.
4. For a list of valid parameters, type ? and then press ENTER.
By default, no local administrator role is defined on the RODC after AD DS installation. To add the local
administrator role, use the Add parameter.
5. Type add <DOMAIN>\<user> <administrative role>
For example, type add CONTOSO\testuser administrators
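The interactive steps above can be driven non-interactively, which is useful when you want the change and its verification captured in one log. This is an added example (not from the TechNet article) that passes the same dsmgmt commands as arguments, the way ntdsutil and dsmgmt accept them, and it must be run locally on the RODC. The principal CONTOSO\RODC1-Admins is hypothetical; the add command is the one the article shows, while the show role and remove subcommands are from my own recollection of the local roles menu, so confirm them with ? if your build differs.

```powershell
# Added example: script dsmgmt "local roles" instead of typing it interactively.
# Run ON the RODC. Assumes a hypothetical group CONTOSO\RODC1-Admins.
# "add" is documented above; "show role" / "remove" are recalled, verify with "?".
$principal = 'CONTOSO\RODC1-Admins'
$role      = 'administrators'

# Each argument is one line of input to the DSMGMT prompt; two "quit"s leave
# the "local roles" menu and then dsmgmt itself.
$addOutput = & dsmgmt.exe 'local roles' "add $principal $role" "show role $role" 'quit' 'quit' 2>&1
$addOutput

# Fail loudly if the role listing does not now contain the principal.
if (-not ($addOutput -match [regex]::Escape($principal))) {
    throw "Expected $principal in role '$role' on this RODC, but dsmgmt did not list it."
}

# Cleanup path: remove the local role before demoting the RODC, because (per the
# article) a principal set here survives demotion in the server's registry.
# & dsmgmt.exe 'local roles' "remove $principal $role" 'quit' 'quit'
```

Keep in mind the caveat from the first reference: nothing written this way shows up on the Managed By tab or in Get-ADComputer, so if you use dsmgmt at all, record the delegation somewhere central and remove it before the RODC is ever demoted.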