What should you do so that these credentials are not replicated to any RODCs in the forest?

One of the remote branch offices is running a Windows Server 2008 read-only domain
controller (RODC). For security reasons you do not want certain critical credentials
(such as passwords and encryption keys) to be stored on the RODC.
What should you do so that these credentials are not replicated to any RODCs in the forest?
(Select 2)


A.
Configure RODC filtered attribute set on the server

B.
Configure the RODC filtered attribute set on the server that holds the Schema Operations Master role.

C.
Delegate local administrative permissions for an RODC to any domain user without
granting that user any user rights for the domain

D.
Raise the forest functional level to Windows Server 2008 before configuring the filtered
attribute set.

E.
None of the above

Explanation:
http://technet.microsoft.com/en-us/library/cc753223.aspx
Adding attributes to the RODC filtered attribute set
The RODC filtered attribute set (FAS) is a dynamic set of attributes that is not replicated to any
RODC in the forest. You configure the RODC filtered attribute set on a schema master that runs
Windows Server 2008. When those attributes are prevented from replicating to RODCs, the data
cannot be exposed unnecessarily if an RODC is stolen or compromised.
A malicious user who compromises an RODC can attempt to configure it so that it tries to
replicate attributes that are defined in the RODC filtered attribute set. If the RODC tries to
replicate those attributes from a domain controller that is running Windows Server 2008, the
replication request is denied. However, if the RODC tries to replicate those attributes from a
domain controller that is running Windows Server 2003, the replication request could succeed.
Therefore, as a security precaution, ensure that the forest functional level is Windows Server
2008 before you configure the RODC filtered attribute set. When the forest functional level is
Windows Server 2008, a compromised RODC cannot be exploited in this manner, because domain
controllers running Windows Server 2003 are not allowed in the forest.
Two points the TechNet text leaves implicit: an attribute is placed in the FAS by setting the
0x200 (decimal 512) bit in the searchFlags value of its attributeSchema object on the schema
master, and system-critical attributes cannot be added to the set. Note also that the FAS does not
govern account password hashes at all; whether those are cached on an RODC is controlled by the
RODC's Password Replication Policy. The FAS is the right tool for application secrets such as
encryption keys kept in custom directory attributes. The explanation therefore supports options
B and D.
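The procedure the explanation describes (check the forest functional level, then set the RODC-filtered bit on the attribute at the schema master), as an added PowerShell example that is not part of the original page or of the TechNet article. It assumes the ActiveDirectory module is installed, that the caller is a member of Schema Admins, and that the attribute to protect is a hypothetical custom attribute named contoso-AppEncryptionKey; substitute the lDAPDisplayName of your own attribute.

```powershell
# Added example (not from the original page or TechNet): add a custom schema
# attribute to the RODC filtered attribute set using the AD PowerShell module.
# Assumptions: ActiveDirectory module present, caller is a Schema Admin, and the
# attribute "contoso-AppEncryptionKey" is a hypothetical custom attribute.

Import-Module ActiveDirectory

$attributeName = 'contoso-AppEncryptionKey'   # hypothetical attribute to protect
$RODC_FILTERED = 0x200    # searchFlags bit: attribute is never replicated to RODCs
$CONFIDENTIAL  = 0x080    # searchFlags bit: readable only with CONTROL_ACCESS right

# 1. The protection only holds if the forest functional level is at least
#    Windows Server 2008; below that a compromised RODC can pull the attribute
#    from a Windows Server 2003 DC, which does not enforce the FAS.
$forest  = Get-ADForest
$minimum = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008Forest
if ([int]$forest.ForestMode -lt [int]$minimum) {
    throw "Forest functional level is $($forest.ForestMode); raise it to Windows Server 2008 first."
}

# 2. Schema changes must be written on the schema master, so target it explicitly.
$schemaMaster = $forest.SchemaMaster
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext

$attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$attributeName))" `
    -Properties searchFlags

if (-not $attr) { throw "Attribute $attributeName was not found in the schema." }

# 3. Set the RODC-filtered bit and, as TechNet recommends for the same
#    attributes, the confidential bit. OR-ing preserves any bits already set.
#    The schema master rejects this write for system-critical attributes.
$newFlags = $attr.searchFlags -bor $RODC_FILTERED -bor $CONFIDENTIAL
Set-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName `
    -Replace @{ searchFlags = $newFlags }

# 4. Verify by re-reading the attribute from the schema master.
$check = Get-ADObject -Server $schemaMaster -Identity $attr.DistinguishedName -Properties searchFlags
if (($check.searchFlags -band $RODC_FILTERED) -eq 0) {
    throw "searchFlags update did not apply to $attributeName."
}
"{0} is now in the RODC filtered attribute set (searchFlags=0x{1:X})" -f $attributeName, $check.searchFlags
```

Run this once per attribute from a management host that can reach the schema master; the change replicates to the rest of the forest with normal schema replication, and RODCs will no longer receive the attribute's values.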
