There is admin role separation. The problem now is if you put a DC out in your field office, so on a server running AD on [Windows servers] 2000 or 2003, you need to buy another server to run your file and print, for example. The other option is to put file and print on your DC, but then you either have to give a ton of access to the local IT admin so he can administer [file and print], or you’re bringing that responsibility back into your central group which is generally not their core focus. With 2008, they’ve made it so you can define people who can log into these read-only DCs but they won’t have any access to AD. They’ll only have access to whatever is theirs locally, like file and print.
Advertisements