Which of the following actions should be considered to populate the RODC server with non-administrative account passwords?

You are an administrator at ABC.com. The company has an RODC (read-only domain controller) server at a remote location. The remote location doesn’t have proper physical security. You need to activate non-administrative account passwords on that RODC server. Which of the following actions should be considered to populate the RODC server with non-administrative account passwords?

A. Delete all administrative accounts from the RODC’s group

B. Configure the permission to Deny on Receive for administrative accounts on the security tab for Group Policy Object (GPO)

C. Configure the administrative accounts to be added in the Domain RODC Password Replication Denied group

D. Add a new GPO and enable Account Lockout settings. Link it to the remote RODC server and on the security tab on GPO, check the Read Allow and the Apply group policy permissions for the administrators.

E. None of the above




John

C does nothing to populate the RODC password cache with non-admin passwords; it only prevents admin passwords from being populated. Wouldn’t the answer be E?

Me

Answers: C
Configure the administrative accounts to be added in the Domain RODC Password Replication Denied group

Explanation:
To populate the RODC server with non-administrative accounts passwords, you should configure the administrative accounts to be added in the Domain RODC Password Replication Denied Group.
The password replication policy is like an access control list. It verifies if the RODC is permitted to cache a password. When the RODC receives a user or computer logon request, it forwards the request to the Password Replication Policy to determine if the password for that account should be cached. When the Password Replication Policy allows the RODC to cache a password, the same account can perform subsequent logons in a more efficient manner.
For non-administrative passwords, you have to add the administrative accounts in the RODC password replication denied group so that the password could not be cached. The Password Replication policy lists the accounts that are permitted to be cached and the accounts that are denied from being cached.
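
The allow/deny evaluation described in the explanation above can be modelled in a few lines. This is an added example, not part of the original comment. It assumes that Deny takes precedence over Allow and that an account on neither list is not cached; all group memberships and account names are constructed sample data.

```python
# Simplified model of an RODC Password Replication Policy (PRP) decision.
# Group memberships and account names below are constructed sample data.
GROUPS = {
    "Denied RODC Password Replication Group": {"Domain Admins", "svc-backup-admin"},
    "Domain Admins": {"alice-adm"},
    "Allowed RODC Password Replication Group": {"Branch Users"},
    "Branch Users": {"bob", "carol"},
}


def expand(name, seen=None):
    """Return every account reachable from a principal, following group nesting."""
    seen = set() if seen is None else seen
    if name in seen:          # guard against circular group nesting
        return set()
    seen.add(name)
    if name not in GROUPS:    # leaf: an account, not a group
        return {name}
    members = set()
    for member in GROUPS[name]:
        members |= expand(member, seen)
    return members


def may_cache(account, allowed_list, denied_list):
    """Deny wins over Allow; an account on neither list is not cached."""
    denied = set().union(*(expand(p) for p in denied_list))
    allowed = set().union(*(expand(p) for p in allowed_list))
    if account in denied:
        return False
    return account in allowed


class Rodc:
    """Tracks which accounts' passwords end up stored on the RODC."""

    def __init__(self, allowed_list, denied_list):
        self.allowed_list = allowed_list
        self.denied_list = denied_list
        self.cache = set()

    def logon(self, account):
        """Model a logon: the password is cached only if the PRP permits it."""
        if may_cache(account, self.allowed_list, self.denied_list):
            self.cache.add(account)
        return account in self.cache
```
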

Bruno Silva

Correct answer is “E”.