Explanation/Reference:
Explanation:
A read-only domain controller (RODC) offers the possibility of dividing the Administrator role. This means that each domain user or security group can be used as a local administrator of an RODC without the user or group must be granted rights to the domain or other domain controllers. A delegated administrator can log on to an RODC to maintenance work on the Server execute to update z B to a driver. The delegated administrator is not, however, be able to log on to another domain controller, or perform other administrative tasks in the domain. In this way, the effective management of RODCs a branch office to a security group from branch office users, instead of individual members of the Domain Admins group are delegated, without jeopardizing the safety of the rest of the domain. Before you install a read-only domain controller can in the wizard for making a account for a read-only domain controller, a user or a group Wreden defined as delegated RODC Administrator.
To grant a user or a group after you install a read-only domain controller local administrator rights for a read-only domain controller (RODC), the settings on the tab can Maintained by be configured in the properties of the computer account of RODC1 can open the Utilities dsmgmt and Ntdsutil for adding a delegated RODC administrator be used.
Microsoft recommends expressly that utilities dsmgmt and Ntdsutil not to be used for this purpose and instead specify a group which the Administrator Role Separation can be controlled.
The background is that the user, the password have been set with the help of dsmgmt or Ntdsutil as delegated RODC administrator cannot be easily determined in retrospect.
References: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2- and-2008/cc755310(v=ws.10)