How To Designate A Domain User To Manage A RODC?

by Nirmal Sharma [Published on 14 Jan. 2010 / Last Updated on 31 May 2009]

This article explains how you can delegate administration of an RODC to a domain user.

An RODC holds a read-only copy of the Active Directory domain database (the NTDS.DIT file). It is designed for locations where the local administrators have little Active Directory knowledge. No user, not even a domain administrator, can perform LDAP write operations against an RODC; such writes are only ever applied to the domain database on a writable domain controller. An RODC still has to be maintained by someone, though, for tasks such as installing patches and updating antivirus software. On a member server these tasks would be performed by a local administrator, but an RODC, being a domain controller, has no local administrators of its own.

You can designate a domain user to perform these maintenance tasks on the RODC by running the following commands on the RODC itself:

  • Type Dsmgmt and press Enter
  • Type Add user_name Administrators and press Enter

The command reports "Command completed successfully". It records the delegation at the following location in the RODC's registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RODCRoles

This registry key (RODCRoles) holds the list of user accounts that may manage the RODC for maintenance purposes. The delegation grants administrative rights on that RODC only; it does not give the account any rights elsewhere in the domain.
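As an added example (not from the article), the following PowerShell checks the delegation from both sides: what dsmgmt reports for the Administrators role, and what is recorded under the RODCRoles key. It assumes dsmgmt's local roles context, which the Add command above belongs to, that dsmgmt accepts its commands as arguments the way ntdsutil does, and that values under the key hold account SIDs (translated to names where possible).

```powershell
# Added example, not the article's own code. Run on the RODC from an elevated prompt.
$RodcRolesKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA\RODCRoles'

function Resolve-SidIfPossible([string]$Text) {
    # Turn a SID string into DOMAIN\name when it can be resolved; otherwise return as-is.
    if ($Text -notmatch '^S-1-') { return $Text }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier $Text
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Text }
}

function Get-RodcRoleMembers {
    param([string]$Role = 'administrators')
    # Assumption: dsmgmt takes its commands as arguments (ntdsutil style) and prints
    # the role members; dsmgmt's own prompt lines are filtered out of the result.
    $output = & dsmgmt.exe 'local roles' "show role $Role" quit quit 2>&1
    $output | ForEach-Object { "$_".Trim() } |
        Where-Object { $_ -and $_ -notmatch '^(dsmgmt|local roles):' }
}

function Get-RodcRolesRegistry {
    # Dump every value under RODCRoles (and any subkeys) so it can be compared with
    # dsmgmt's answer. Key names and values that look like SIDs are resolved to names.
    if (-not (Test-Path $RodcRolesKey)) {
        Write-Warning "$RodcRolesKey not present; is this machine an RODC?"
        return
    }
    $keys = @(Get-Item $RodcRolesKey) + @(Get-ChildItem $RodcRolesKey -Recurse)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            $data = @($key.GetValue($name)) | ForEach-Object { Resolve-SidIfPossible "$_" }
            [pscustomobject]@{
                Key   = Resolve-SidIfPossible $key.PSChildName
                Name  = Resolve-SidIfPossible $name
                Value = ($data -join ', ')
            }
        }
    }
}

'--- Administrators role as reported by dsmgmt ---'
Get-RodcRoleMembers
'--- RODCRoles registry contents ---'
Get-RodcRolesRegistry | Format-Table -AutoSize
```

Any account that appears in one listing but not the other is worth investigating, as is any delegated account that is not a dedicated maintenance identity.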
