Your company has a main office and a branch office.You plan to deploy a Readonly Domain Controller
(RODC) in the branch office.
You need to plan a strategy to manage the RODC. Your plan must meet the following requirements:
Allow branch office support technicians to maintaindrivers and disks on the RODC.
Prevent branch office support technicians from managing domain user accounts.
What should you include in your plan?
A.
Configure the RODC for Administrator Role Separation.
B.
Configure the RODC to replicate the password for the branch office support technicians.
C.
Set NTFS permissions on the Active Directory database to Read & Execute for the branch office support
technicians.
D.
Set NTFS permissions on the Active Directory database to Deny Full Control for the branch office support
technicians.
Explanation:
ADMINISTRATOR ROLE SEPARATION (ARS)
ARS is an RODC feature that domain administrators can delegate a user or a security group as the local
administrator for installation and administration of RODC, without granting them any additional rightsin the
domain.
To specify a delegated RODC administrator,
During RODC installation, setting up the account in
1. Active Directory Domain Services Installation Wizard
2. dcpromo command with the parameter /DelegatedAdmin.
3. In an answer file (adding the parameter /DelegatedAdmin).
After installation of RODC,
1. In the Active Directory Users and Computers snap-in, modify the Managed By tab of the RODC account
properties
2. Use ntdsutil local roles command (not recommended as information is saved locally on the RODC).
3. Use dsmgmt local roles command (not recommended as information is saved locally on the RODC).
http://technet.microsoft.com/en-us/library/cc755310(v=WS.10).aspx