5. Click the Display users and computers that meet the following criteria list arrow and click Accounts that have been authenticated to this Read-only Domain Controller. Notice that each user you have logged on as and the two domain controller accounts are listed.
6. If needed, you can add a user's or computer's password to the RODC (but not a group account) by clicking the Prepopulate Passwords button. By doing so, you transfer the password from a writeable DC to the RODC for the selected user. This transfer prevents the RODC from having to retrieve the password from a DC when the user first logs on to the RODC. Click Close, and then click OK.
7. Close Active Directory Users and Computers, but stay logged on for the next activity.
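As an added example (not from the textbook), the following PowerShell check lets a domain administrator see from a writeable DC which account passwords an RODC currently caches, and whether any of them belong to privileged groups that should never be cached at a branch office. It assumes the ActiveDirectory module (RSAT) is available; the RODC name and the group list are placeholders.

```powershell
# Added example: audit the passwords cached ("revealed") on an RODC.
# Assumes the ActiveDirectory module and a domain-joined admin session.
Import-Module ActiveDirectory

function Get-RodcCachedPasswordReport {
    param(
        [Parameter(Mandatory)] [string] $RodcName,   # placeholder, e.g. 'RODC1'
        [string[]] $PrivilegedGroups = @('Domain Admins', 'Enterprise Admins',
                                         'Administrators', 'Account Operators')
    )

    # Accounts whose secrets have actually been replicated to this RODC.
    # This is the same list the Password Replication Policy tab shows as
    # "revealed"; prepopulating a password (step 6) adds an account here.
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage `
                    -Identity $RodcName -RevealedAccounts

    # Build a lookup of privileged principals by distinguished name,
    # expanding nested group membership so indirect members are caught.
    $privileged = @{}
    foreach ($group in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            ForEach-Object { $privileged[$_.DistinguishedName] = $group }
    }

    foreach ($acct in $revealed) {
        [pscustomobject]@{
            RODC             = $RodcName
            Account          = $acct.SamAccountName
            ObjectClass      = $acct.ObjectClass
            PrivilegedVia    = $privileged[$acct.DistinguishedName]
            CachedPrivileged = $privileged.ContainsKey($acct.DistinguishedName)
        }
    }
}

# Usage (placeholder RODC name): list cached accounts and call out any that
# are privileged. A privileged account cached on an RODC should have its
# password reset and the account added to the RODC's Denied list.
$report = Get-RodcCachedPasswordReport -RodcName 'RODC1'
$report | Format-Table -AutoSize
$flagged = $report | Where-Object CachedPrivileged
if ($flagged) {
    Write-Warning ("{0} privileged account(s) cached on {1}: {2}" -f `
        $flagged.Count, 'RODC1', (($flagged.Account) -join ', '))
}
```

The same cmdlet with -AuthenticatedAccounts instead of -RevealedAccounts returns the list from step 5 (accounts that authenticated through the RODC whether or not their password was cached).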
Administrator Role Separation
As mentioned, you might want to install an RODC because your branch office has no IT administrator to manage Active Directory. All Active Directory management takes place elsewhere on a writeable DC, and changes are replicated to the RODC. However, you still need someone at the branch office to log on to the RODC to perform maintenance operations, such as system backup and software updates. A writeable DC doesn't have local users and requires a domain account to log on. However, an RODC maintains a local user database, which allows users to log on to perform administrative tasks on the server without needing broader domain-wide permissions. A user logging on with a local user account has administrative capabilities only on the RODC. This feature is called administrator role separation and is configured with the Dsmgmt.exe command-line program.
Activity 12-8: Configuring Administrator Role Separation
Time Required: 20 minutes
Objective: Add a domain user as an RODC administrator.
Description: You have set up an RODC at a branch office and have a trusted employee there whom you want to handle local administrator tasks on the RODC. However, you don't want to give this user broader administrative permissions in the domain, so you decide to add this user to the Administrators role on the RODC.
1. Log on to Server1XX as Administrator, if necessary.
2. Open a command prompt window, and then type dsmgmt and press Enter.
3. At the dsmgmt prompt, type local roles and press Enter.
4. At the local roles prompt, type list roles and press Enter. The roles you can assign to a user, including Administrators, Backup Operators, and so forth, are displayed.
5. Type add salesperson1 administrators and press Enter.
6. Type show role administrators and press Enter. The w2k8ADXX\Salesperson1 account should be listed.
7. Type quit and press Enter, and then type quit and press Enter again. Salesperson1 is now a local administrator for the RODC.
8. Close the command prompt window.
Read-Only DNS
If you install DNS on an RODC, all Active Directory-integrated DNS zones are read only on the RODC. This is a departure from standard terminology because the zone is still considered a primary zone, even though it's read only. Zone information is replicated from other DNS servers, but zone changes can't be made on the RODC. Client workstations can still perform name resolution queries to the RODC, but workstations in the branch office using Dynamic DNS can't create or update their DNS records on the RODC. Instead, the RODC sends a referral record to the client with the address of a DNS server that can handle the update. To maintain a current DNS database, the RODC requests a single-record replication from the DNS server that updated