RODC: Administrative Permissions Available for Delegation

The following is a list of permissions that are supported or not supported for delegation to an RODC delegated administrator.

Supported:
- Active Directory Users and Computers
- Domain Controller Service
- Kerberos Key Distribution Center
- Active Directory Sites and Services

Not Supported:
- Global Catalog
- Bridgehead server
- PDC emulator
- RID Master

Jeff Loucks, Available Technology

RODC: Using the dsmgmt.exe utility to manage local administrators

One of the benefits of an RODC is that you can add local administrators who do not have full access to domain administration. This gives them the ability to manage the server but not to add or change Active Directory objects unless those roles are delegated. Adding this type of user is done using the dsmgmt.exe utility at the command prompt. The following graphic shows a few commands, including:
- adding local roles
- showing local roles

Remember, an RODC does not have all of the capabilities of a writeable domain controller. Consequently, an RODC cannot serve as the global catalog, operations …
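The dsmgmt.exe steps described above (adding and showing local roles), written out as an added example that is not taken from the original post or its graphic. It is typed at an elevated command prompt on the RODC itself; `CONTOSO\branch-admin` is a placeholder account constructed for the illustration, and command output is omitted.

```cmd
C:\> dsmgmt
dsmgmt: local roles
local roles: list roles
local roles: show role administrators
local roles: add CONTOSO\branch-admin administrators
local roles: show role administrators
local roles: quit
dsmgmt: quit
```

Running `show role administrators` before and after the change gives a record of who holds the local role on that RODC; `remove CONTOSO\branch-admin administrators` at the same prompt withdraws the delegation.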