How to delegate administration of an RODC
This article explains how you can delegate the administration of an RODC (read-only domain controller) to domain users.
The RODC holds a read-only copy of the Active Directory database. It is designed for sites where administrators have little knowledge of Active Directory. Neither an ordinary user nor even a domain administrator can perform LDAP write operations on the RODC. That restriction applies only to the domain database (the RODC's Ntds.dit file); the server itself still has to be managed by a person for maintenance tasks such as installing patches and updating antivirus databases. On a member server these tasks can only be performed with local administrator privileges, but RODCs do not have local administrators, since they are part of an Active Directory domain.
You can grant a domain user the rights to perform maintenance tasks on the RODC by executing the following commands on the RODC server:
- Type Dsmgmt and press Enter.
- Type Add user_name Administrators
This command will end with the message “The command completed successfully.” The above actions add an entry at the following location in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RODCRoles
The registry value (RODCRoles) contains a list of user accounts that can manage the RODC for maintenance purposes.
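An added example, not part of the original article: a PowerShell audit that lists who holds delegated local roles on an RODC, read from the RODCRoles key above. It assumes each value under the key is named for the RID of a built-in group (544 for Administrators) and holds the delegated accounts' SIDs; the function names and the sample SID are constructed for illustration.

```powershell
# Added example: audit local-role delegation recorded under RODCRoles.
# Assumption: each value under the key is named after the RID of a built-in
# group (544 = Administrators) and holds the delegated accounts' SIDs.
$RoleNames = @{
    '544' = 'Administrators';   '545' = 'Users'
    '549' = 'Server Operators'; '551' = 'Backup Operators'
}

function Resolve-RodcRole {
    param([hashtable]$Roles)   # value name (RID) -> array of SID strings
    foreach ($rid in $Roles.Keys) {
        foreach ($sidText in @($Roles[$rid])) {
            $account = '(unresolved)'
            try {
                $sid = [System.Security.Principal.SecurityIdentifier]::new($sidText)
                $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { }   # malformed SID, deleted account, or no domain connectivity
            [pscustomobject]@{
                Role    = if ($RoleNames.ContainsKey($rid)) { $RoleNames[$rid] } else { "RID $rid" }
                Sid     = $sidText
                Account = $account
            }
        }
    }
}

function Get-RodcRoleFromRegistry {
    $path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\RODCRoles'
    $roles = @{}
    if (Test-Path $path) {
        $key = Get-Item $path
        foreach ($name in $key.GetValueNames()) { $roles[$name] = @($key.GetValue($name)) }
    }
    $roles
}

$roles = Get-RodcRoleFromRegistry
if ($roles.Count -eq 0) {
    # Constructed sample so the script also runs on a machine that is not an RODC.
    $roles = @{ '544' = @('S-1-5-21-1111111111-2222222222-3333333333-1105') }
}
Resolve-RodcRole -Roles $roles | Sort-Object Role, Account | Format-Table -AutoSize
```

Entries that show as (unresolved) are worth reviewing: they point to accounts that no longer exist or cannot be looked up from the RODC, yet still carry a delegation on that server.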