
Q: How can I delegate the administrator role for a given RODC to a single administrator account?

A: Starting with Windows Server 2008 and its read-only domain controllers (RODCs), delegation of administrative rights for a single RODC is possible, thanks to a feature called administrator role separation (ARS). This feature lets you easily separate server administrators from domain administrators, but only on an RODC. When you deploy an RODC on a branch office file server, you can grant the local staff administrative rights to manage that file server without extending those rights to other domain controllers (DCs). Administrator role separation isn't available on writeable DCs.

Prior to Windows Server 2008, delegating the administrator role of a Windows DC to a single administrative account was basically impossible. On earlier Windows Server OSs, every administrator right or service-level role granted to a user on a DC is valid for all DCs in the domain. For example, if you give a user administrator rights to a file server that's on a DC or assign him or her a service-level role on that DC, such as Server Operators or Backup Operators, those rights also let that user manage other DCs on the same domain.

You can also use ARS for delegating part of the RODC installation process. Because of administrator role separation, an RODC can be promoted in two phases. First, a domain administrator can pre-create an account in Active Directory (AD) for the computer that's going to be promoted as an RODC. During this process, the domain administrator can specify the account of the delegated site or branch office administrator that will have the right to promote and subsequently administer the RODC. Then, in the site where the RODC is going to be located, the delegated administrator that the domain administrator specified in the first phase can attach the computer that is going to be the RODC to the pre-created RODC AD account. This process is also referred to as staged RODC installation. For more information on staged RODC installation, I advise you to take a look at the Microsoft article "Performing a Staged RODC Installation."

You can set up ARS and the RODC administrator account during the RODC installation in the Active Directory Domain Services Installation Wizard, at the command line, or in an answer file. In the Installation Wizard, you can set the RODC administrator account on the Delegation of RODC Installation and Administration page. If you're performing a staged RODC installation, this page appears when you pre-create the RODC account. If you're installing an RODC at the command line or by using an answer file, you must add the /DelegatedAdmin parameter to specify the RODC administrator account.

To set up administrator role separation for an RODC after the RODC has been installed, you can use the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in and the Managed By tab in the RODC computer object's properties to configure the ManagedBy AD attribute of the RODC. You can also configure role separation locally on the RODC after installation by using the local roles option of the Ntdsutil or Dsmgmt command-line tools. For example, to define user Jan as a local administrator on an RODC, you'd run the command

dsmgmt "local roles" "add Jan administrators"

This command enables the local branch administrator Jan to administer that one RODC. Jan can create file shares or add printer queues, upgrade a driver or an application, perform offline defragmentation of the disks, and so on—but he won't have any administrative rights on other DCs. Note that this permission level won't hinder Jan (if he's a malicious administrator) from performing offline attacks against the AD database on the RODC server. However, because the RODC doesn't replicate any changes out to any other DCs, the damage done by a malicious branch administrator is limited to that one RODC server.
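The post-installation ManagedBy delegation described above, followed by an audit that checks whether each RODC's delegated administrator also holds domain-wide rights (which would undo the one-RODC scope that role separation is meant to give), as an added PowerShell example that is not code from the original article; the RODC name BRANCH-RODC01 and the account jan are assumed placeholders.

```powershell
# Added example (not from the article): delegate and audit administrator role
# separation (ARS) on RODCs with the ActiveDirectory module. Placeholders assumed:
# RODC computer name 'BRANCH-RODC01', delegated branch administrator 'jan'.
Import-Module ActiveDirectory

$RodcName      = 'BRANCH-RODC01'
$DelegatedUser = 'jan'   # sAMAccountName of the branch administrator

# 1. Delegate after installation: setting ManagedBy on the RODC computer object is
#    the same change the Managed By tab in Active Directory Users and Computers makes.
Set-ADComputer -Identity $RodcName -ManagedBy (Get-ADUser -Identity $DelegatedUser)

# 2. Audit: for every RODC, report the delegated principal and flag it if it sits in
#    a group whose rights apply to all DCs in the domain. Direct membership only;
#    add a recursive check (Get-ADGroupMember -Recursive) for nested groups.
$DomainWideGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators',
                    'Server Operators', 'Backup Operators', 'Account Operators'

Get-ADDomainController -Filter { IsReadOnly -eq $true } | ForEach-Object {
    $computer = Get-ADComputer -Identity $_.ComputerObjectDN -Properties ManagedBy
    if (-not $computer.ManagedBy) {
        [pscustomobject]@{ RODC = $_.Name; ManagedBy = '(none)'
                           DomainWideGroups = ''; Finding = 'No delegated admin set' }
        return   # next RODC
    }
    # ManagedBy holds a DN; the principal may be a user or a group
    $principal = Get-ADObject -Identity $computer.ManagedBy -Properties sAMAccountName
    $groups = Get-ADPrincipalGroupMembership -Identity $principal.DistinguishedName |
              Where-Object { $_.Name -in $DomainWideGroups } |
              Select-Object -ExpandProperty Name
    [pscustomobject]@{
        RODC             = $_.Name
        ManagedBy        = $principal.sAMAccountName
        DomainWideGroups = ($groups -join ', ')
        Finding          = if ($groups) { 'Delegated admin has domain-wide rights' } else { 'OK' }
    }
} | Format-Table -AutoSize
```

Run the audit part on its own from any domain-joined machine with the RSAT ActiveDirectory module; a non-empty DomainWideGroups column means the branch administrator's rights are not confined to that RODC.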
