Your network contains an Active Directory domain named contoso.com. All domain
controllers run Windows Server 2012 R2.
In a remote site, a support technician installs a server named DC10 that runs Windows
Server 2012 R2. DC10 is currently a member of a workgroup.
You plan to promote DC10 to a read-only domain controller (RODC).
You need to ensure that a user named Contoso\User1 can promote DC10 to a RODC in the
contoso.com domain. The solution must minimize the number of permissions assigned to
User1.
What should you do?
A. From Active Directory Users and Computers, run the Delegation of Control Wizard on the contoso.com domain object.
B. From Active Directory Administrative Center, pre-create an RODC computer account.
C. From Ntdsutil, run the local roles command.
D. Join DC10 to the domain. Run dsmod and specify the /server switch.
Explanation:
A staged read-only domain controller (RODC) installation works in two discrete phases:
1. Staging an unoccupied computer account
2. Attaching an RODC to that account during promotion
Reference: Install a Windows Server 2012 R2 Active Directory Read-Only Domain Controller (RODC)
http://technet.microsoft.com/en-us/library/jj574152.aspx
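
The two phases described above, sketched with the ADDSDeployment cmdlets as an added example (not part of the original page or the referenced article). The site name `Branch1` is an assumed placeholder; stage 1 runs under a Domain Admins account on an existing domain machine, and stage 2 runs in an elevated session on DC10 while it is still a workgroup member.

```powershell
# --- Stage 1: run by a member of Domain Admins ---------------------------
# Pre-creates (stages) the unoccupied RODC computer account and names the
# single principal allowed to attach a server to it.
Import-Module ADDSDeployment

$stage1 = @{
    DomainControllerAccountName       = 'DC10'
    DomainName                        = 'contoso.com'
    SiteName                          = 'Branch1'        # assumed site name
    DelegatedAdministratorAccountName = 'CONTOSO\User1'  # only delegation granted
}
Add-ADDSReadOnlyDomainControllerAccount @stage1

# Check: the delegated principal is recorded in the managedBy attribute of
# the staged account. Confirm it is User1 and nothing broader.
Import-Module ActiveDirectory
Get-ADComputer -Identity 'DC10' -Properties ManagedBy |
    Select-Object Name, ManagedBy

# --- Stage 2: run on DC10 by the delegated user ---------------------------
# Installs the AD DS role, then attaches DC10 to the pre-created account.
# User1 supplies their own credentials; no Domain Admins membership is used.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

$stage2 = @{
    DomainName                    = 'contoso.com'
    UseExistingAccount            = $true
    Credential                    = Get-Credential -UserName 'CONTOSO\User1' -Message 'Delegated RODC administrator'
    SafeModeAdministratorPassword = Read-Host -AsSecureString -Prompt 'DSRM password'
}
Install-ADDSDomainController @stage2
```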
You can’t do this using a domain user account, even if you create a computer account first.
You have to promote the RODC with a DOMAIN ADMIN account.
“Your current credentials are used by default. If they do not include membership in the Domain Admins group, click Alternate Credentials, and click Set to provide the wizard with a user name and password that is a member of Domain Admins.”
source:
https://technet.microsoft.com/en-us/library/jj574152.aspx
Nope.
“You can perform a staged installation of an RODC in which the installation is completed in two stages by different individuals. The first stage of the installation, which requires domain administrative credentials, creates an account for the RODC in AD DS. The second stage of the installation attaches the actual server that will be the RODC in a remote location, such as a branch office, to the account that was previously created for it. You can delegate the ability to attach the server to the account to a nonadministrative group or user in the remote location. ”
https://technet.microsoft.com/en-us/library/cc754629%28v=ws.10%29.aspx
B
C is the correct answer.
User1 has no permission to deploy RODC.
The question needs you to give him the appropriate permission:
“The solution must minimize the number of permissions assigned to User1.”
So, you should use the Ntdsutil.exe command to make User1 a Local Administrator.
I agree, Ahmed. I tested; answer B is incorrect, because User1 has no permission to deploy RODC.
Use this option to delegate branch office administration without granting the branch administrator membership to the Domain Admins group.
Can someone please explain to me what the answer is?
This MS article displays the workflow of RODC deployment: https://technet.microsoft.com/windows-server-docs/identity/ad-ds/deploy/rodc/install-a-windows-server-2012-active-directory-read-only-domain-controller–rodc—level-200-
The question states: “how do you proceed?” – not “what is the entire technically correct answer”.
The Answer is “B”, as we need to prestage the RODC Computer Account in AD first.
B
https://technet.microsoft.com/en-us/library/jj574152.aspx
…..The Delegation of RODC Installation and Administration dialog enables you to configure a user or group containing users who are allowed to attach the server to the RODC computer account. Click Set to browse the domain for a user or group. The user or group specified in this dialog gains local administrative permissions to the RODC. The specified user or members of the specified group can perform operations on the RODC with privileges equivalent to the computer’s Administrators group. They are not members of the Domain Admins or domain built-in Administrators groups.
Use this option to delegate branch office administration without granting the branch administrator membership to the Domain Admins group. Delegating RODC administration is not required.
The equivalent ADDSDeployment Windows PowerShell argument is:
-delegatedadministratoraccountname
No, it’s B.
If you pre-create the RODC account in ADDS the user can promote it to a domain controller without having admin rights.
Use the ntdsutil local roles command or the dsmgmt local roles command. You can use this command to view, add, or remove members from the Administrators group and other built-in groups on the RODC. For more information about syntax and examples for using this command, see local roles (http://go.microsoft.com/fwlink/?LinkId=120147).