If you need to administer a RODC, do it remotely. Don’t log on locally to a RODC with your domain admin account or you’ll compromise its security. Instead, if you MUST log on locally to a RODC, create and use a temporary domain user account for that purpose and add this user to whatever security group you have delegated authority for administering RODCs. Delegation of RODC installation and administration is assigned to a group or user when you run the Active Directory Installation Wizard to promote a server to a RODC, but you can also specify a group or user for delegation afterwards by opening the properties of the computer account for the RODC and selecting the Managed By tab. Then, once you’ve finished performing whatever admin tasks you logged on locally to the RODC to perform, you should delete the temporary user account for security reasons. More here:
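As an added example (not part of the original tip), the same procedure scripted with the ActiveDirectory PowerShell module from an admin workstation: the RODC name RODC01, the delegated group RODC-Admins and the account name tmp-rodcadmin are assumed placeholders.

```powershell
# Added example: scripts the tip above with the ActiveDirectory module.
# Assumed placeholder names: RODC01, RODC-Admins, tmp-rodcadmin.
# Run from an admin workstation, never on the RODC itself.
Import-Module ActiveDirectory

$RodcName   = 'RODC01'          # assumed RODC computer name
$AdminGroup = 'RODC-Admins'     # assumed group delegated for RODC administration
$TempUser   = 'tmp-rodcadmin'   # assumed name of the short-lived account

# Confirm the target really is a read-only DC before changing anything.
$rodc = Get-ADDomainController -Identity $RodcName
if (-not $rodc.IsReadOnly) { throw "$RodcName is not an RODC" }

# Delegation after promotion: the group shown on the computer account's
# Managed By tab is the ManagedBy attribute of the RODC's computer object.
Set-ADComputer -Identity $RodcName -ManagedBy (Get-ADGroup -Identity $AdminGroup)

# Create a temporary account that expires on its own in case cleanup is
# forgotten, then add it to the delegated group and nothing else.
$password = Read-Host -Prompt "Password for $TempUser" -AsSecureString
New-ADUser -Name $TempUser -SamAccountName $TempUser -AccountPassword $password `
    -Enabled $true -AccountExpirationDate (Get-Date).AddHours(8) `
    -Description 'Temporary RODC admin account; delete after use'
Add-ADGroupMember -Identity $AdminGroup -Members $TempUser

# Sanity check: the account that will be typed into the RODC must not carry
# any direct high-privilege membership.
$groups = (Get-ADUser -Identity $TempUser -Properties MemberOf).MemberOf |
    ForEach-Object { (Get-ADGroup -Identity $_).Name }
if ($groups -contains 'Domain Admins') { throw "$TempUser must not be a Domain Admin" }

# ... log on locally to the RODC as $TempUser, do the work, then clean up:
Remove-ADGroupMember -Identity $AdminGroup -Members $TempUser -Confirm:$false
Remove-ADUser -Identity $TempUser -Confirm:$false
```

The expiration date is a safety net only; the account should still be removed explicitly as the tip describes.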
The above tip was previously published in an issue of WServerNews, a weekly newsletter from TechGenix that focuses on the administration, management and security of the Windows Server platform in particular and cloud solutions in general. Subscribe to WServerNews today by going to http://www.wservernews.com/subscribe.htm and join almost 100,000 other IT professionals around the world who read our newsletter!
Mitch Tulloch is an eleven-time recipient of the Microsoft Most Valuable Professional (MVP) award and a widely recognized expert on Windows Server and cloud computing technologies. Mitch is also Senior Editor of WServerNews. For more information about him see http://www.mtit.com.