Your network contains an Active Directory domain named adatum.com. The domain
contains two domain controllers that run Windows Server 2012 R2. The domain controllers
are configured as shown in the following table.
You log on to DC1 by using a user account that is a member of the Domain Admins group,
and then you create a new user account named User1.
You need to prepopulate the password for User1 on DC2.
What should you do first?
A.
Connect to DC2 from Active Directory Users and Computers.
B.
Add DC2 to the Allowed RODC Password Replication Policy group.
C.
Add the User1 account to the Allowed RODC Password Replication Policy group.
D.
Run Active Directory Users and Computers as a member of the Enterprise Admins group.
Explanation:
http://technet.microsoft.com/en-us/library/cc730883(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc753470(v=ws.10).aspx#BKMK_pre
Answer = C
http://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy%28v=ws.10%29.aspx#BKMK_POP
Answer is D.
Open Active Directory Users and Computers as a member of Domain/Enterprise Admins. To open Active Directory Users and Computers as a member of Domain Admins, click Start. In Start Search, type runas /user:\, and then press ENTER. Substitute the actual domain name for , and type the name of a user account that is a member of the Domain Admins group for . Type the account password when you are prompted. Type dsa.msc, and then press ENTER. Close the Command Prompt window.
Domain Admins is NOT the same as Enterprise Admins! The answer must be C, unless it’s mis-written in this question and should be “Domain Admin” instead of Enterprise Admin.
Domain admins is sufficient enough privs to do this
(bottom of this link under heading Prepopulating the password cache for an RODC)
https://technet.microsoft.com/en-us/library/83a6daba-cdde-4606-97a3-6ebb9d7fa6bf(v=ws.10)#BKMK_POP
Prepopulating the password for a user account will succeed only if the account is included in the allowed list of passwords that can be cached on the RODC.
So as Bobsmith indicated answer C is correct as it is the first thing you must do
I tried this in my lab and was given the warning message before I tried to prepopulate an account. I continued anyway and as the account had not been added to the necessary group it failed saying “the specific server could not perform the requested operation”
I agree with C.
Shakir you must have misread D, it says run ADUC as enterprise admin whereas your explanation says run it as domain/enterprise admins. You are already a domain admin so just run it as normal and then add the user to the group.
Its a clever Microsoft question…
In order for you/me/anybody to add the User1 to Allowed RODC Password Replication Policy Group. You need to run the Active Directory Users and Computers first!
Just like the end of the Step1 in the Explanation picture says.
However, you are already in it. You are already running it on the DC1, as a Domain Admin. You just created a User1 [unless you used PowerShell :)]. So you might as well add him to the right RODC Group, while you are in it.
From the link provided by bobsmith above “Membership in Domain Admins, or equivalent, is the minimum required to complete these procedures.”
Why launch it again as the Enterprise Admin?
So answer C appears to be correct.
You answered your own question and then supplied the wrong answer.
And I quote “You need to run the Active Directory Users and Computers FIRST!”
Exactly, the exam question asks what should you do first. And what question is in line with your statement? “A.”
We need to do “A.” first, NOT “C.”.
Unfortunately you are right but also wrong..:-)
Indeen yoiu need to logon to ADUC at first.
But the information thats been given tells us:
“You log on to DC1 by using a user account that is a member of the Domain Admins group,
and then you create a new user account named User1.”
So we are already logged on as a Domain admin, otherwise we couldn’t create thuis user1.
That leaves us step 2 , assign user1 to the corecyt AD Group as mentioned in Answer C.
Therfore the correct answer is C.
Answer is D.
You can prepopulate the password cache for an RODC with the passwords of users and computer accounts that you plan to authenticate to it. When you prepopulate the RODC password cache, you trigger the RODC to replicate and cache the passwords for users and computers before the accounts try to log on.
You don’t need to add user1 to the Allowed RODC Password Replication Policy Group. As a first step you should run ADUC as a member of the domain admins group and follow step 1 to 8, see explanation.
Reference see also explanation.
@PK : From the original link:
Open Active Directory Users and Computers as a member of Domain Admins. To open Active Directory Users and Computers as a member of Domain Admins, click Start. In Start Search, type runas /user:\, and then press ENTER. Substitute the actual domain name for , and type the name of a user account that is a **member of the Domain Admins group** for . Type the account password when you are prompted. Type dsa.msc, and then press ENTER. Close the Command Prompt window.
Answer D states you have to run ADUC as an ENTERPRISE admin, which is NOT the case!
I go with D.
question asks that ” you need to prepopulate the password for user1″
to do that
we open Active Dir Users & Computers > Domain Controllers > RODC
then properties of RODC
Select the password replication policy tab.
click on advanced button.
then click on prepopulate password…
With A -> kind of same thing
B -> is not going to prepopulate the password in any way
C -> is not going to prepopulate the password in any way
I go with C
Am I the only one who says A?
No, I agree. read my comment below.
I thinks it’s A. Because the first step is to connect to RDOC.
Add user to that group is made for allow that user to password replication policy
I am also leaning towards A.
Even if the user account was created using powershell, we still have to open ADUC and connect to the RODC. The obvious fact is that when we created User1, it was on the writable DC named DC1. The question asks us “What should you do first?”. Well first we have to connect to DC2 from ADUC. Even if ADUC was already open or not, the act of CONNECTING to DC2 is first.
As per https://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy(v=ws.10).aspx (applies to 2008 and 2012)
1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start. In Start Search, type dsa.msc, and then press ENTER.
2. Ensure that you are connected to the correct domain. To connect to the appropriate domain, in the details pane, right-click the Active Directory Users and Computers object, and then click Change Domain.
3. Expand Domain Controllers, right-click the RODC account object for which you want to modify the PRP, and then click Properties.
4. Click the Password Replication Policy tab. An example is shown in the following illustration.
“C” is a step we do after we open the PRP.
“D” doesnt make sense. You do not need Enterprise Admin to perform this functionality.
“B” is wrong and not necessary.
Does this make sense now?
It says ‘correct domain’, not correct DC. Both DCs are in the same domain. Although it’s tricky, I wouldn’t say you connect to DC2, just that you click on properties of it (which isn’t connecting)
In my opinion, If you make the assumption that you created uers1 using ADUC and you have it still open, the first step to do next is to connect to DC2, answer A.
(See step 2 of the explanation)
talk about people over thinking and over complicating matters.
Read this from MS
https://technet.microsoft.com/en-us/library/cc730883(v=ws.10).aspx
How on earth is the answer not C?
Stop fluffing things up FFS!