You need to provide the members of RODC_Admins with the ability to manage the hardware and the software on RODC1

Your network contains an Active Directory domain named contoso.com. The domain
contains a read-only domain controller (RODC) named RODC1.
You create a global group named RODC_Admins.

You need to provide the members of RODC_Admins with the ability to manage the hardware
and the software on RODC1. The solution must not provide RODC_Admins with the ability to
manage Active Directory objects.
What should you do?

A.
From Active Directory Sites and Services, configure the Security settings of the RODC1
server object.

B.
From Windows PowerShell, run the Set-ADAccountControl cmdlet.

C.
From a command prompt, run the dsmgmt local roles command.

D.
From Active Directory Users and Computers, configure the Member Of settings of the
RODC1 account.

Explanation:
RODC: using the dsmgmt.exe utility to manage local administrators
One of the benefits of an RODC is that you can add local administrators who do not have full
access to the domain administration. This gives them the ability to manage the server but
not add or change Active Directory objects unless those roles are delegated. Adding this type
of user is done using the dsmgmt.exe utility at the command prompt.





jo

To define user Jan as a local administrator on an RODC, you’d run the command
dsmgmt "local roles" "add Jan administrators"
This command enables the local branch administrator Jan to administer that one RODC. Jan can create file shares or add printer queues, upgrade a driver or an application, perform offline defragmentation of the disks, and so on (http://windowsitpro.com/security/q-how-can-i-delegate-administrator-role-given-rodc-single-administrator-account)

RODC: USING THE DSMGMT.EXE UTILITY TO MANAGE LOCAL ADMINISTRATORS

One of the benefits of RODC is that you can add local administrators who do not have full access to the domain administration. This gives them the ability to manage the server but not add or change Active Directory objects unless those roles are delegated. Adding this type of user is done using the dsmgmt.exe utility at the command prompt (http://blogs.msmvps.com/jeffloucks/2009/11/28/rodc-using-the-dsmgmt-exe-utility-to-manage-local-administrators/)

Josef

This question got updated in the exam. Instead of dsmgmt, the “managed by” property is used:

Using ntdsutil or dsmgmt to specify the delegated RODC administrator account is not recommended because the information is stored only locally on the RODC. Therefore, when you use ntdsutil local roles to delegate an administrator for the RODC, the account that you specify does not appear on the Managed By tab of the RODC account properties. As a result, using the Active Directory Users and Computers snap-in or a similar tool will not reveal that the RODC has a delegated administrator.

da

D

The group should be a member of Server Operators

Ex

In fact there are three options:
Managed By tab
the ntdsutil local roles command
the dsmgmt local roles command

Modify the Managed By tab of the RODC account properties in the Active Directory Users and Computers snap-in, as shown in the following figure. You can click Change to change which security principal is the delegated RODC administrator. You can choose only one security principal. Specify a security group rather than an individual user so you can control RODC administration permissions most efficiently. This method changes the managedBy attribute of the computer object that corresponds to the RODC to the SID of the security principal that you specify. This is the recommended way to specify the delegated RODC administrator account because the information is stored in AD DS, where it can be centrally managed by domain administrators.

More info: https://technet.microsoft.com/en-us/library/cc755310(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/cc731885.aspx

Use the ntdsutil local roles command or the dsmgmt local roles command. You can use this command to view, add, or remove members from the Administrators group and other built-in groups on the RODC.

Correct answer is C.
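
Added example (not part of the original page or of any comment): the dsmgmt local roles delegation from the explanation, applied to the question's names, followed by a check of the managedBy attribute that the comments above contrast it with. It assumes an elevated PowerShell session on RODC1 itself, the NetBIOS domain name CONTOSO, and that the ActiveDirectory module is installed there.

```powershell
# Added example. Names come from the question; CONTOSO as the NetBIOS
# domain name is an assumption.
Import-Module ActiveDirectory

$Rodc  = 'RODC1'
$Group = 'CONTOSO\RODC_Admins'

# 1. Grant the local Administrators role on this RODC only.
#    Each quoted argument is one dsmgmt menu command; the two "quit"
#    arguments leave the "local roles" submenu and then dsmgmt itself.
dsmgmt "local roles" "add $Group administrators" quit quit

# 2. Read the role membership back from the RODC's local store.
$localRole = dsmgmt "local roles" "show role administrators" quit quit
$localRole

# 3. Compare with what AD DS records. managedBy is the attribute behind
#    the Managed By tab; a local-roles delegation does not populate it.
$computer = Get-ADComputer -Identity $Rodc -Properties ManagedBy
if ($computer.ManagedBy) {
    Write-Output "managedBy on ${Rodc}: $($computer.ManagedBy)"
} else {
    Write-Warning "$Rodc has no managedBy value; any delegation made with local roles is visible only on the RODC."
}

# 4. Domain-wide view: every RODC with its centrally recorded delegate.
#    An empty ManagedBy column means local roles must be checked on that
#    server to learn who administers it.
Get-ADDomainController -Filter { IsReadOnly -eq $true } | ForEach-Object {
    $c = Get-ADComputer -Identity $_.ComputerObjectDN -Properties ManagedBy
    [pscustomobject]@{
        RODC      = $_.Name
        Site      = $_.Site
        ManagedBy = $c.ManagedBy
    }
} | Format-Table -AutoSize
```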

Stoneboy

No, the correct answer is: D.
From Active Directory Users and Computers, configure the Member Of settings of the
RODC1 account.

MJG

Bro, it says “The solution must NOT provide RODC_Admins with the ability to manage Active Directory objects.”

Doing anything in ADUC is off limits.

sharma

Answer “d” confirmed. All, please go to this link and clear your doubts. This question had come previously on this site with d as the answer.

Yo

The answer is NOT D. Look closely: they say “configure the Member Of settings of the RODC1 account.” You would edit the **Managed By** tab. So it’s a tricky question. C is correct.