Your company has a main office and a branch office.
The network contains an Active Directory domain named contoso.com. The domain contains
three domain controllers. The domain controllers are configured as shown in the following
table.
The domain contains two global groups. The groups are configured as shown in the
following table.
You need to ensure that the RODC is configured to meet the following requirements:
Cache passwords for all of the members of Branch1Users.
Prevent the caching of passwords for the members of Helpdesk.
What should you do?

A. Modify the password replication policy of RODC1.
B. Modify the delegation settings of RODC1.
C. Modify the membership of the Allowed RODC Password Replication group.
D. Modify the membership of the Denied RODC Password Replication group.
E. Modify the delegation settings of DC1 and DC2.
F. Install the BranchCache feature on RODC1.
G. Create a Password Settings object (PSO) for the Helpdesk group.
H. Create a Password Settings object (PSO) for the Branch1Users group.

Johan

Domain Controller Name   Location        Type
DC1                      main office     Writable DC
DC2                      main office     Writable DC
RODC1                    branch office   RODC

Group Name      Description
Helpdesk        Support users throughout the company
Branch1Users    Contains users that work in the branch office only

Chriss

Correct answer: A

The Password Replication Policy acts as an access control list (ACL). It determines if an RODC should be permitted to cache a password. After the RODC receives an authenticated user or computer logon request, it refers to the Password Replication Policy to determine if the password for the account should be cached.

jimilives

I think C is correct. The Password Replication Policy is a generic term for the overall scope of managing what accounts are Allowed or Denied.

https://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy%28v=ws.10%29.aspx

Two new built-in groups are introduced in Windows Server 2008 Active Directory domains to support RODC operations. These are the Allowed RODC Password Replication Group and Denied RODC Password Replication Group.
These groups help implement a default Allowed List and Denied List for the RODC Password Replication Policy. By default, the two groups are respectively added to the msDS-RevealOnDemandGroup and msDS-NeverRevealGroup Active Directory attributes mentioned earlier.
By default, the Allowed RODC Password Replication Group has no members. Also by default, the Allowed List attribute contains only the Allowed RODC Password Replication Group.
By default, the Denied RODC Password Replication Group contains the following members:
Enterprise Domain Controllers
Enterprise Read-Only Domain Controllers
Group Policy Creator Owners
Domain Admins
Cert Publishers
Enterprise Admins
Schema Admins
Domain-wide krbtgt account

puck

Okay, so basically there are two options here: A and D.

The given answer – A – is correct though.

The question asks us to prevent the members of Helpdesk from caching passwords on RODC1; therefore we modify the password replication policy of RODC1.

D could be correct, but then we would be preventing the members of Helpdesk from caching passwords on ALL RODCs instead of only RODC1, which is not best practice, and is not required from this scenario.

David

IMO it should be
D – Modify the membership of Denied RODC Password Replication Group

A is a generic term for the overall scope of managing what accounts are Allowed or Denied.

Branch1Users who work in the branch office should have their passwords cached automatically. We only need to prevent the caching of passwords for Helpdesk users, which could be achieved by adding them to the Denied RODC Password Replication group.

sdquirra

The default administrative model for RODC is “No accounts cached”.
“This model provides the most secure option. No passwords are replicated to the RODC, except for the RODC computer account and its special krbtgt account.”
https://technet.microsoft.com/en-us/library/cc730883(v=ws.10).aspx

So the actions should be two (not an option for this question):
C. Modify the membership of the Allowed RODC Password Replication group.
and
D. Modify the membership of the Denied RODC Password Replication group.

So, a more generic
A. Modify the password replication policy of RODC1.

including the Allowed and Denied groups, should be the correct answer.

Wei

In case someone still doesn't get it:

1. The “Helpdesk” group contains accounts throughout the company, so it may contain accounts that are also in “Branch1Users”.

2. The “Allowed list” and “Denied list” of the PRP are lists; they can contain more than just the “Allowed RODC Password Replication” group and the “Denied RODC Password Replication” group.
Actually you can use any global group to control access, just as in a normal scenario.

So simply editing “Allowed RODC Password Replication” is not enough, and editing both built-in groups is not enough either.

A is the correct answer.
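Option A carried out with the ActiveDirectory PowerShell module, as an added example that is not part of the original question or any commenter's post. It assumes the ActiveDirectory module (RSAT) is installed, that the session has permission to edit RODC1's computer object, and that RODC1, Branch1Users and Helpdesk exist exactly as in the tables above. The script edits only RODC1's own Allowed/Denied lists (the msDS-RevealOnDemandGroup and msDS-NeverRevealGroup attributes on its computer object), shows why option D has domain-wide scope, and then verifies what RODC1 is actually permitted to cache.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module
# and rights to modify the RODC1 computer object in contoso.com.
Import-Module ActiveDirectory

$rodc = 'RODC1'

# 1. Inspect RODC1's current Allowed and Denied lists before changing anything.
Write-Host "Allowed list on $rodc (before):"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object Name, DistinguishedName
Write-Host "Denied list on $rodc (before):"
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Select-Object Name, DistinguishedName

# 2. Option A: modify the PRP of RODC1 only.
#    Branch1Users goes on the Allowed list, Helpdesk on the Denied list.
#    A Denied entry always wins over an Allowed entry, so a support user who is
#    also a member of Branch1Users is still never cached on RODC1.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Branch1Users'
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList  'Helpdesk'

# 3. Contrast with option D (read-only here): the built-in group sits in the
#    Denied list of every RODC by default, so adding Helpdesk to it would deny
#    caching on all RODCs in the domain, not just RODC1.
Write-Host 'Default members of the domain-wide Denied RODC Password Replication Group:'
Get-ADGroupMember -Identity 'Denied RODC Password Replication Group' |
    Select-Object Name, objectClass

# 4. Verify the result on RODC1.
#    -RevealedAccounts lists accounts whose secrets are currently cached on RODC1;
#    -AuthenticatedAccounts lists accounts that have authenticated through it,
#    which is useful for spotting users who log on at the branch but are denied.
Write-Host "Accounts currently cached on $rodc:"
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, SamAccountName
Write-Host "Accounts that authenticated via $rodc:"
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object Name, SamAccountName

# Equivalent command-line check without PowerShell:
#   repadmin /prp view RODC1 Allow
#   repadmin /prp view RODC1 Deny
#   repadmin /prp view RODC1 Reveal
```

The Allowed/Denied evaluation is the point the thread keeps returning to: the lists are per-RODC attributes, the built-in groups are merely their default entries, and Deny is evaluated before Allow. If Helpdesk were instead added to the domain-wide Denied group (option D), the `Get-ADGroupMember` output above would show it, and every RODC in contoso.com, not only RODC1, would stop caching those users.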