One of the benefits of an RODC is that you can add local administrators who do not have full domain administration rights. This gives them the ability to manage the server but not to add or change Active Directory objects unless those roles are delegated. Adding this type of user is done with the dsmgmt.exe utility at the command prompt. The following graphic shows a few commands including:
- adding local roles
- showing local roles
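The two operations listed above, written out as an added example (not taken from the original post or its graphic). It assumes an elevated command prompt on the RODC itself, and `CONTOSO\rodc-admin` is a placeholder account name.

```batch
@echo off
rem Added example: manage and review the local Administrators role on an RODC.
rem Run from an elevated command prompt on the RODC.
rem CONTOSO\rodc-admin is a placeholder account, not a name from the original post.
set "ACCOUNT=CONTOSO\rodc-admin"

rem List the local roles that exist on this RODC.
dsmgmt "local roles" "list roles" quit quit

rem Add the account to the local Administrators role.
dsmgmt "local roles" "add %ACCOUNT% administrators" quit quit

rem Show the role's members to confirm the change and to spot unexpected entries.
dsmgmt "local roles" "show role administrators" quit quit

rem To revoke the role later:
rem dsmgmt "local roles" "remove %ACCOUNT% administrators" quit quit
```

Members added with dsmgmt are recorded locally on that RODC, so run the `show role` check on each RODC when reviewing who holds local administrative rights.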
Remember, an RODC does not have all of the capabilities of a writeable domain controller. Consequently, an RODC cannot serve as the global catalog, operations masters, or bridgehead server.
For more information, see this TechNet article: http://technet.microsoft.com/en-us/library/cc772478(WS.10).aspx
Jeff Loucks
Available Technology