Manages Administrator Role Separation for a read-only domain controller (RODC). Administrator role separation provides a non-administrative user with the permissions to install and administer an RODC, without granting that user permissions to do any other type of domain administration.

Ntdsutil is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server role installed. To use ntdsutil, you must run the ntdsutil command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.


You can use this subcommand only with the AD DS server role because AD LDS does not include RODCs.

For examples of how to use this command, see Examples.


{add %s1 %s2 | remove %s1 %s2} [list roles] [show roles]


Parameter Description

add %s1 %s2

Adds an account %s1 to the local role %s2.


Invokes the server connections submenu.

list roles

List defined local roles. These roles correspond to the various Built-in groups, such as Administrators, Backup Operators, Server Operators, and so on. Each RODC stores in its Registry a list of accounts that should be considered members of those groups (roles) on that RODC. This list of accounts supplements any members of those groups stored in the directory. For example, suppose the BUILTIN\Administrators group stored in the directory contains a single member, the Domain Admins group. Suppose also that on a particular RODC, fabrikam\MikeDan is listed in the Administrators local role. Then on that RODC, both MikeDan and anyone in the Domain Admins group are considered to be Administrators.

remove %s1 %s2

Removes an account %s1 to the local role %s2.

show roles

Shows local role members


Takes you back to the previous menu or exits the utility.


Displays help at the command prompt.


Displays help at the command prompt.


  • To initially configure Administrator Role Separation for an RODC, you must be a member of the Domain Admins group.

  • By default, no local administrator role is defined on the RODC after AD DS installation.

  • By default, the local roles subcommand is performed on the RODC where you run the command. If you need to connect to a different RODC, use the connections parameter.


To add a user account named MikeDan from the Contoso domain to the administrators local role on an RODC, type:

add CONTOSO\MikeDan administrators