A. Windows Server 2008 introduced the Read Only Domain Controller (RODC), which allows administrator role separation—so a user can be delegated management rights for an RODC without giving them any Active Directory domain administrator privileges. These delegated administrators can not only manage the RODC, they can also promote a server to an RODC, as long as a standard domain admin has pre-provisioned the DC. Note that a user who's delegated management permissions on one RODC doesn't have privileges for other RODCs or DCs.

Users can be made delegated administrators during RODC account provisioning, or after creation by adding users or groups to the administrators group. You can add them from the command line using the command

    dsmgmt.exe
    local roles
    add <domain>\<user> administrators

If you want to do this on a remote RODC, use

    dsmgmt.exe
    connections
    connect to server <RODC>
    quit
    local roles
    add <domain>\<user> administrators

You can also run the command

    show role administrators

to see who the delegated administrators are.
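As an added example (not part of the original answer), the following PowerShell audit script enumerates every RODC in the domain and reports both the delegated administrator recorded in the RODC computer object's managedBy attribute and the accounts returned by dsmgmt's show role administrators. It assumes the ActiveDirectory RSAT module is available and that dsmgmt.exe accepts its menu commands as quoted command-line arguments in the same way ntdsutil.exe does; the function name Get-RodcDelegatedAdmins is my own.

```powershell
# Added audit script; assumes RSAT ActiveDirectory module and that dsmgmt.exe
# takes its menu commands as quoted arguments (ntdsutil-style).
Import-Module ActiveDirectory

function Get-RodcDelegatedAdmins {
    [CmdletBinding()]
    param()

    # All read-only domain controllers in the current domain
    $rodcs = Get-ADDomainController -Filter { IsReadOnly -eq $true }

    foreach ($rodc in $rodcs) {
        # managedBy on the RODC computer object holds the delegated admin
        # chosen when the RODC account was pre-provisioned.
        $computer = Get-ADComputer -Identity $rodc.ComputerObjectDN -Properties managedBy

        # The RODC's local role store holds accounts added later with
        # 'local roles / add'. Connect to the RODC and list the administrators role.
        $output = & dsmgmt.exe "connections" "connect to server $($rodc.HostName)" "quit" `
                               "local roles" "show role administrators" "quit" "quit" 2>&1

        # Heuristic: account entries are printed as DOMAIN\name, so keep lines
        # containing a backslash and drop the tool's own prompt text.
        $localAdmins = ($output | Where-Object { $_ -match '\\' } |
                        ForEach-Object { $_.Trim() }) -join '; '

        [PSCustomObject]@{
            RODC        = $rodc.HostName
            Site        = $rodc.Site
            ManagedBy   = $computer.managedBy
            LocalAdmins = $localAdmins
        }
    }
}

# Run from a domain-joined admin workstation; review any unexpected principals.
Get-RodcDelegatedAdmins | Format-Table -AutoSize
```

Comparing the two columns side by side makes it easy to spot an RODC whose local administrators role has grown beyond the account the domain admin originally delegated.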