Administrator Role Separation

Applies To: Windows Server 2008, Windows Server 2012

This topic explains how you can use Administrator Role Separation (ARS) on a read-only domain controller (RODC) to delegate RODC administration to a user who is not a member of the Domain Admins group.

One problem encountered by administrators of domain controllers in perimeter networks is that domain controllers typically have to be set up and administered by domain administrators. Administrative operations, such as applying software updates, performing an offline defragmentation, or backing up the system, cannot be delegated.

With the introduction of RODCs, domain administrators can delegate both the installation and the administration of RODCs to any domain user, without granting them any additional rights in the domain. The ability to perform this delegation is called ARS.

You can use ARS for two different purposes:

  • RODC installation. You can promote an RODC in two stages:

    1. A domain administrator creates an account in the domain for the computer that is going to be promoted as an RODC. During this process, the domain administrator can specify the Password Replication Policy (PRP) for this RODC and the security principal (user or group) that, using this account, will have the right to promote and subsequently administer the RODC.

    2. In the site where the RODC is going to be located, the delegated administrator that the domain administrator specifies during the first stage can attach the computer that is going to be the RODC to the precreated RODC account.

  • RODC maintenance. The delegated administrator for the RODC can log on to it to perform maintenance work, such as upgrading a driver or an application, installing other server roles, performing offline defragmentation of the disks, and so on. But the delegated administrator cannot log on to any other domain controller—including other RODCs—or perform any other administrative task in the domain. In this way, a member of the Domain Admins group can delegate the ability to effectively manage the RODC without compromising the security of the rest of the domain.

For more information about how to configure ARS for an RODC, see RODC Administration (