You need to provide the members of RODC_Admins with the ability to manage the hardware and the software on RODC1

Your network contains an Active Directory domain named contoso.com. The domain contains a
read-only domain controller (RODC) named RODC1.
You create a global group named RODC_Admins.
You need to provide the members of RODC_Admins with the ability to manage the hardware and
the software on RODC1.
The solution must not provide RODC_Admins with the ability to manage Active Directory objects.
What should you do?

A. From a command prompt, run the dsadd computer command.

B. From Active Directory Users and Computers, run the Delegation of Control Wizard.

C. From Active Directory Users and Computers, configure the Member Of settings of the RODC1 account.

D. From a command prompt, run the dsmgmt local roles command.

Explanation:
http://technet.microsoft.com/en-us/library/cc731885.aspx
http://technet.microsoft.com/en-us/library/cc732473.aspx
Manages Administrator Role Separation for a read-only domain controller (RODC). Administrator
role separation provides a nonadministrative user with the permissions to install and administer an
RODC, without granting that user permissions to do any other type of domain administration.



A10

Actually think that B: is the proper answer.
https://technet.microsoft.com/en-us/library/cc755310(v=ws.10).aspx

Scroll to -> Steps and best practices for setting up ARS.

Using ntdsutil or dsmgmt to specify the delegated RODC administrator account is not recommended because the information is stored only locally on the RODC

So you can choose D: it will work but I will choose B: as first option.

senty

b:

Administrator Role Separation (ARS) is an RODC feature that you can use to delegate the ability to administer an RODC to a user or a security group. When you delegate the ability to log on to an RODC to a user or a security group, the user or group is not added to the Domain Admins group and therefore does not have additional rights to perform directory service operations.
However, the user or group can perform local administration of the server, including any tasks that can be performed by a member of the Administrators group on a member server. For example, a delegated RODC administrator can do the following on the RODC:
Install hardware devices, such as network adapters and disk drives
Manage disk drives and other devices
Install software updates and drivers
Stop and start Active Directory Domain Services (AD DS)
Install and remove other server roles and features
View logs in Event Viewer
Manage shares and other applications and services

Using ntdsutil or dsmgmt to specify the delegated RODC administrator account is not recommended because the information is stored only locally on the RODC. Therefore, when you use ntdsutil local roles to delegate an administrator for the RODC, the account that you specify does not appear on the Managed By tab of the RODC account properties. As a result, using the Active Directory Users and Computers snap-in or a similar tool will not reveal that the RODC has a delegated administrator.
In addition, if you demote an RODC, any security principal that you specified by using ntdsutil local roles remains stored in the registry of the server. This can be a security concern if you demote an RODC in one domain and then promote it to be an RODC again in a different domain. In that case, the original security principal would have administrative rights on the new RODC in the different domain.

source as above: https://technet.microsoft.com/en-us/library/cc755310%28v=ws.10.aspx
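
The visibility gap described in the comment above (a delegation made with local roles does not appear on the Managed By tab) can be audited by reading both sources for every RODC. The following PowerShell is an added example, not part of the comments or of Microsoft's documentation. It assumes the ActiveDirectory module (RSAT) is installed and that PowerShell remoting to each RODC is allowed; the function name is hypothetical, and the dsmgmt output is reported raw rather than parsed.

```powershell
# Added example: report RODC delegated administrators from both places they can live.
# Assumptions: ActiveDirectory module available, WinRM remoting enabled on the RODCs.
Import-Module ActiveDirectory

function Get-RodcDelegationReport {   # hypothetical helper name
    # Enumerate every read-only domain controller in the current domain.
    $rodcs = Get-ADDomainController -Filter 'IsReadOnly -eq $true'

    foreach ($dc in $rodcs) {
        # Directory side: the Managed By tab corresponds to the managedBy attribute
        # on the RODC computer account, which any AD tool can display.
        $computer = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties ManagedBy

        # Server side: local roles are stored only on the RODC itself, so they
        # must be queried there. The output is kept as raw text.
        $localRoles = try {
            Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
                dsmgmt "local roles" "show role administrators" quit quit
            }
        } catch {
            "QUERY FAILED: $($_.Exception.Message)"
        }

        [pscustomobject]@{
            RODC             = $dc.Name
            ManagedBy        = if ($computer.ManagedBy) { $computer.ManagedBy } else { '<not set>' }
            LocalRolesOutput = ($localRoles | Out-String).Trim()
        }
    }
}

Get-RodcDelegationReport | Format-List
```

A principal that shows up in the local roles output but not in ManagedBy is a delegation that Active Directory Users and Computers will not reveal. Running the same check before demoting an RODC catches entries that would otherwise remain on the server.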