Your network contains an Active Directory domain named contoso.com. The domain contains a read-only
domain controller (RODC) named R0DC1.
You create a global group named RODC_Admins.
You need to provide the members of RODC_Admins with the ability to manage the hardware and the software
on R0DC1. The solution must not provide RODC_Admins with the ability to manage Active Directory objects.
What should you do?
A.
From Active Directory Sites and Services, run the Delegation of Control Wizard.
B.
From a command prompt, run the dsadd computer command.
C.
From Active Directory Site and Services, configure the Security settings of the R0DC1 server object.
D.
From a command prompt, run the dsmgmt local roles command.
Explanation:
RODC: using the dsmgmt.exe utility to manage local administrators
One of the benefits of of RODC is that you can add local administrators who do not have full access to the
domain administration. This gives them the abiltiy to manage the server but not add or change active directory
objects unless those roles are delegated. Adding this type of user is done using the dsmdmt.exe utility at the
command prompt.
Well, I was ready to fight hard and heavy against this answer, but I will admit I was wrong.
Here is a good link and I’m CaP the goodies here. Wow, now I’ve got to relearn some of this stuff.
This command is a subcommand of Ntdsutil and Dsmgmt. Ntdsutil and Dsmgmt are command-line tools that are built into Windows Server 2008 and Windows Server 2008 R2. Ntdsutil is available if you have the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed. Dsmgmt is available if you have the Active Directory Lightweight Directory Services (AD LDS) server role installed. These tools are also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT). For more information, see How to Administer Microsoft Windows Client and Server Computers Locally and Remotely (http://go.microsoft.com/fwlink/?LinkID=177813).
To use either of these tools, you must run them from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
https://technet.microsoft.com/en-us/library/aee69f2f-49bf-49cb-ac0b-eccc26423b1f
Using ntdsutil or dsmgmt to specify the delegated RODC administrator account is not recommended because the information is stored only locally on the RODC. Therefore, when you use ntdsutil local roles to delegate an administrator for the RODC, the account that you specify does not appear on the Managed By tab of the RODC account properties. As a result, using the Active Directory Users and Computers snap-in or a similar tool will not reveal that the RODC has a delegated administrator.
https://technet.microsoft.com/en-us/library/cc755310%28v=ws.10%29.aspx
0
0