Your network contains an Active Directory domain named contoso.com. The domain contains a
read-only domain controller (RODC) named RODC1.
You create a global group named RODC_Admins.
You need to provide the members of RODC_Admins with the ability to manage the hardware and
the software on R0DC1. The solution must not provide RODC_Admins with the ability to manage
Active Directory objects.
What should you do?
A.
From Active Directory Site and Services, configure the Security settings of the RODC1 server
object.
B.
From Windows PowerShell, run the Set-ADAccountControlcmdlet.
C.
From a command prompt, run the dsmgmt local roles command.
D.
From Active Directory Users and Computers, configure the Member Of settings of the RODC1
account.
Explanation:
RODC: using the dsmgmt.exe utility to manage local administrators
One of the benefits of RODC is that you can add local administrators who do not have full access to
the domain administration. This gives them the ability to manage the server but not add or change
active directory objects unless those roles are delegated. Adding this type of user is done using the
dsmdmt.exe utility at the command prompt.
explanation anyone?How does changing FSMO roles help with this question?i think the answer is wrong. Also B looks weird as changing UAC settings doesnt look like an answer. Am not sure about A either which leaves D as an answer?
Found an answer, C is correct
https://technet.microsoft.com/en-us/library/cc731885(v=ws.11).aspx
Answer should be A “managed by” will do the trick
https://technet.microsoft.com/en-us/library/cc755310(v=ws.10).aspx
ntdsutil or dsmaint are not recommended
The answer is not A. A says From AD SITES and SERVICES. If A stated ADUC, then that would be the best answer. Since configure security settings in ADUC is not an option, then the next best answer is C, using the DSMGMT command.