An RODC (Read-Only Domain Controller) holds a read-only copy of the Active Directory domain database. RODCs are designed for locations where the local administrators have less Active Directory knowledge. Neither a regular user nor a domain administrator can perform LDAP write operations against an RODC. That write restriction applies only to the domain database (the NTDS.DIT file); the RODC itself still needs to be managed by someone for maintenance purposes such as installing patches, updating antivirus and so on. On a member server these tasks would be performed by a local administrator, but RODCs, being domain controllers, have no local Administrators group of their own.
You can designate a domain user to perform maintenance tasks on the RODC (without making that user a domain administrator) by running the following commands on the RODC computer:
- Type dsmgmt and press Enter
- Type Add user_name Administrators and press Enter
The command reports the message "Command completed successfully" and adds the entry at the following location in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RODCRoles
The RODCRoles registry key contains the list of user accounts that are allowed to manage the RODC for maintenance purposes.
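Because anyone listed under RODCRoles can log on to and maintain the RODC without being a domain admin, the delegation should be audited periodically. The following PowerShell script is an added example, not from the original article; it reads the RODCRoles key named above and reports each role with the accounts delegated to it. It assumes that each value under the key is named for a role (such as Administrators) and holds the SIDs of the delegated accounts, and that it is run on the RODC with rights to read HKLM.

```powershell
# Added example: audit RODC Administrator Role Separation by reading the RODCRoles key.
# Assumption: value name = role (e.g. "Administrators"), value data = one or more account SIDs.
$RodcRolesKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA\RODCRoles'

function Get-RodcDelegatedAdmins {
    param([string]$Path = $RodcRolesKey)

    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Key $Path not found: this host is probably not an RODC, or no roles have been delegated."
        return
    }

    $key = Get-Item -Path $Path
    foreach ($role in $key.GetValueNames()) {
        # REG_MULTI_SZ comes back as string[], REG_SZ as a single string; normalise to an array.
        $entries = @($key.GetValue($role))
        foreach ($entry in $entries) {
            $account = $entry
            try {
                # Translate the SID to DOMAIN\user so the report is readable.
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry)
                $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                # Not a SID, or an orphaned SID of a deleted account: keep the raw value for review.
                $account = "<unresolved> $entry"
            }
            [pscustomobject]@{
                Role     = $role
                RawValue = $entry
                Account  = $account
            }
        }
    }
}

# Compare this list with the accounts you intended to delegate; unexpected or
# unresolved entries are worth investigating, as are entries on RODCs that should have none.
Get-RodcDelegatedAdmins | Format-Table -AutoSize
```

Running the script from a scheduled task and diffing its output against a known-good baseline turns the registry key into a simple detective control for unauthorised RODC delegation.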