Manages Administrator Role Separation for a read-only domain controller (RODC). Administrator role separation provides a non-administrative user with the permissions to install and administer an RODC, without granting that user permissions to do any other type of domain administration.

Ntdsutil is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed. To use ntdsutil, you must run the ntdsutil command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

Note

You can use this subcommand only with the AD DS server role because AD LDS does not include RODCs.

For examples of how to use this command, see Examples.

Syntax

connections
{add %s1 %s2 | remove %s1 %s2} [list roles] [show roles]

Parameters

Parameter Description

add %s1 %s2

Adds an account %s1 to the local role %s2.

connections

Invokes the server connections submenu.

list roles

List defined local roles. These roles correspond to the various Built-in groups, such as Administrators, Backup Operators, Server Operators, and so on. Each RODC stores in its Registry a list of accounts that should be considered members of those groups (roles) on that RODC. This list of accounts supplements any members of those groups stored in the directory. For example, suppose the BUILTIN\Administrators group stored in the directory contains a single member, the Domain Admins group. Suppose also that on a particular RODC, fabrikam\MikeDan is listed in the Administrators local role. Then on that RODC, both MikeDan and anyone in the Domain Admins group are considered to be Administrators.

remove %s1 %s2

Removes an account %s1 to the local role %s2.

show roles

Shows local role members

quit

Takes you back to the previous menu or exits the utility.

?

Displays help at the command prompt.

Help

Displays help at the command prompt.

Remarks

  • To initially configure Administrator Role Separation for an RODC, you must be a member of the Domain Admins group.

  • By default, no local administrator role is defined on the RODC after AD DS installation.

  • By default, the local roles subcommand is performed on the RODC where you run the command. If you need to connect to a different RODC, use the connections parameter.

Examples

To add a user account named MikeDan from the Contoso domain to the administrators local role on an RODC, type:

add CONTOSO\MikeDan administrators

Additional references

Command-Line Syntax Key

Ntdsutil

authoritative restore

configurable settings

DS behavior

files

group membership evaluation

ifm

LDAP policies

metadata cleanup

partition management

roles

security account management

semantic database analysis

set DSRM password

snapshot


  • LDAP policies
  • metadata cleanup
  • LDAP policies
  • metadata cleanup