Which tool should you use?

You install a read-only domain controller (RODC) named RODC1.
You need to ensure that a user named User1 can administer RODC1. The solution must
minimize the number of permissions assigned to User1.
Which tool should you use?

A. Active Directory Administrative Center
B. Active Directory Users and Computers
C. Dsadd
D. Dsmgmt

Explanation:
Reference 1)
http://technet.microsoft.com/en-us/library/cc755310.aspx
Delegating local administration of an RODC
Administrator Role Separation (ARS) is an RODC feature that you can use to delegate the ability to administer an RODC to a user or a security group. When you delegate the ability to log on to an RODC to a user or a security group, the user or group is not added to the Domain Admins group and therefore does not have additional rights to perform directory service operations.
Steps and best practices for setting up ARS
You can specify a delegated RODC administrator during an RODC installation or after it.
To specify the delegated RODC administrator after installation, you can use either of the following options:

- Modify the Managed By tab of the RODC account properties in the Active Directory Users and Computers snap-in, as shown in the following figure. You can click Change to change which security principal is the delegated RODC administrator. You can choose only one security principal. Specify a security group rather than an individual user so you can control RODC administration permissions most efficiently. This method changes the managedBy attribute of the computer object that corresponds to the RODC to the SID of the security principal that you specify. This is the recommended way to specify the delegated RODC administrator account because the information is stored in AD DS, where it can be centrally managed by domain administrators.

- Use the ntdsutil local roles command or the dsmgmt local roles command. You can use this command to view, add, or remove members from the Administrators group and other built-in groups on the RODC. [See also the second reference for more information on how to use dsmgmt.] Using ntdsutil or dsmgmt to specify the delegated RODC administrator account is not recommended because the information is stored only locally on the RODC. Therefore, when you use ntdsutil local roles to delegate an administrator for the RODC, the account that you specify does not appear on the Managed By tab of the RODC account properties. As a result, using the Active Directory Users and Computers snap-in or a similar tool will not reveal that the RODC has a delegated administrator.

In addition, if you demote an RODC, any security principal that you specified by using ntdsutil local roles remains stored in the registry of the server. This can be a security concern if you demote an RODC in one domain and then promote it to be an RODC again in a different domain. In that case, the original security principal would have administrative rights on the new RODC in the different domain.
Reference 2)
http://technet.microsoft.com/en-us/library/cc732301.aspx
Administrator Role Separation Configuration
This section provides procedures for creating a local administrator role for an RODC and for
adding a user to that role.
To configure Administrator Role Separation for an RODC

1. Click Start, click Run, type cmd, and then press ENTER.
2. At the command prompt, type dsmgmt.exe, and then press ENTER.
3. At the DSMGMT prompt, type local roles, and then press ENTER.
4. For a list of valid parameters, type ?, and then press ENTER.
5. By default, no local administrator role is defined on the RODC after AD DS installation. To add the local administrator role, use the Add parameter. Type add <DOMAIN>\<user> <administrative role>
   For example, type add CONTOSO\testuser administrators
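The two delegation paths described above differ in where the delegation is recorded, which is the security-relevant point: a principal added with dsmgmt local roles lives only on the RODC and is invisible in the Managed By tab. The following PowerShell is an added example, not code from the question or the TechNet references. It sets the recommended central delegation on the RODC computer object and then audits both stores side by side. It assumes the ActiveDirectory RSAT module, rights to read AD and run remote commands on the RODC, and that dsmgmt local roles supports a show role subcommand (the page itself shows only add); the group name used at the bottom is a constructed placeholder.

```powershell
# Added example (not part of the original question or the TechNet references).
# Assumptions: ActiveDirectory RSAT module present; caller can read AD and run
# remote commands on the RODC; "show role" is a dsmgmt local roles subcommand
# (the page only shows "add"). RODC1 comes from the question.
Import-Module ActiveDirectory

function Set-RodcDelegatedAdministrator {
    # Recommended path from Reference 1: store the delegation centrally in the
    # RODC computer object's managedBy attribute (what the Managed By tab edits).
    param(
        [Parameter(Mandatory)][string]$RodcName,
        [Parameter(Mandatory)][string]$GroupName   # a security group, per the reference
    )
    $group = Get-ADGroup -Identity $GroupName
    Set-ADComputer -Identity $RodcName -ManagedBy $group.DistinguishedName
}

function Get-RodcDelegationReport {
    # Audit for the caveat in Reference 1: a principal added with
    # "dsmgmt local roles" is stored only on the RODC and never shows up in
    # managedBy, so read both and let the reviewer compare them.
    param([Parameter(Mandatory)][string]$RodcName)

    $rodc    = Get-ADComputer -Identity $RodcName -Properties managedBy
    $central = if ($rodc.managedBy) {
        (Get-ADObject -Identity $rodc.managedBy).Name
    } else { $null }

    # dsmgmt accepts its menu commands as arguments; "quit" twice leaves both menus.
    $localOutput = Invoke-Command -ComputerName $RodcName -ScriptBlock {
        dsmgmt.exe 'local roles' 'show role administrators' quit quit
    }

    [pscustomobject]@{
        Rodc                = $RodcName
        ManagedBy           = $central          # central, visible in ADUC
        LocalAdministrators = ($localOutput | Where-Object { $_ -match '\S' }) -join '; '
        # If ManagedBy is empty but LocalAdministrators names a principal, the RODC
        # has an out-of-band delegation that ADUC will not reveal.
        ManagedByMissing    = -not $central
    }
}

# Usage with the RODC from the question; the group name is a constructed placeholder.
# Set-RodcDelegatedAdministrator -RodcName RODC1 -GroupName 'RODC1-Admins'
# Get-RodcDelegationReport -RodcName RODC1 | Format-List
```

Run the report again after demoting and re-promoting an RODC: the registry-resident principal the reference warns about would surface in LocalAdministrators while ManagedBy stays empty.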