As the company administrator, you have installed a read-only domain controller (RODC)
at a remote location.
The remote location does not provide enough physical security for the server.
What should you do to allow administrative accounts to replicate authentication information
to the read-only domain controller?
A.
Remove any administrative accounts from RODC’s group
B.
Add administrative accounts to the domain Allowed RODC Password Replication group
C.
Set the Deny on Receive as permission for administrative accounts on the RODC
computer account Security tab for the Group Policy Object (GPO)
D.
Configure a new Group Policy Object (GPO) with the Account Lockout settings enabled.
Link the GPO to the remote location. Activate the Read Allow and the Apply Group Policy
Allow permissions for the administrators on the Security tab for the GPO.
E.
None of the above
http://technet.microsoft.com/en-us/library/cc730883%28v=ws.10%29.aspx
Password Replication Policy
When you initially deploy an RODC, you must configure the Password Replication Policy on
the writable domain controller that will be its replication partner.
The Password Replication Policy acts as an access control list (ACL). It determines whether an
RODC is permitted to cache a password. After the RODC receives an authenticated
user or computer logon request, it refers to the Password Replication Policy to determine whether
the password for that account should be cached. If it is, the same account can perform
subsequent logons more efficiently, because the RODC no longer has to forward them to a writable domain controller.
The Password Replication Policy lists the accounts that are permitted to be cached, and
accounts that are explicitly denied from being cached. The list of user and computer
accounts that are permitted to be cached does not imply that the RODC has necessarily
cached the passwords for those accounts. An administrator can, for example, specify in
advance any accounts that an RODC will cache. This way, the RODC can authenticate
those accounts, even if the WAN link to the hub site is offline.
Password Replication Policy Allowed and Denied lists
Two new built-in groups are introduced in Windows Server 2008 Active Directory domains to
support RODC operations. These are the Allowed RODC Password Replication Group and the
Denied RODC Password Replication Group. These groups implement a default Allowed List and Denied List for the RODC
Password Replication Policy. By default, the two groups are respectively added to the
msDS-RevealOnDemandGroup and msDS-NeverRevealGroup
Active Directory attributes mentioned earlier.
By default, the Allowed RODC Password Replication Group has no members. Also by
default, the Allowed List attribute contains only the Allowed RODC Password Replication
Group.
By default, the Denied RODC Password Replication Group contains the following members:
Enterprise Domain Controllers
Enterprise Read-Only Domain Controllers
Group Policy Creator Owners
Domain Admins
Cert Publishers
Enterprise Admins
Schema Admins
Domain-wide krbtgt account
By default, the Denied List attribute contains the following security principals, all of which are
built-in groups:
Denied RODC Password Replication Group
Account Operators
Server Operators
Backup Operators
Administrators
The combination of the Allowed List and Denied List attributes for each RODC and the
domain-wide Denied RODC Password Replication Group and Allowed RODC Password Replication Group give
administrators great flexibility. They can decide precisely which accounts can be cached on
specific RODCs.
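The following PowerShell session is an added example (not part of the TechNet article quoted above, nor of the exam question) that ties together the two points made above: the Password Replication Policy as a per-RODC Allowed/Denied ACL (backed by the msDS-RevealOnDemandGroup and msDS-NeverRevealGroup attributes), and the fact that being on the Allowed List does not by itself mean a password has been cached. It uses the ActiveDirectory module from RSAT/AD DS. The RODC name RODC01, the group Branch-Users and the accounts jsmith and svc-backup are placeholders and must be replaced with your own names.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory module
# (RSAT / AD DS) and Domain Admin rights. RODC01, Branch-Users, jsmith and
# svc-backup are placeholder names.
Import-Module ActiveDirectory

$rodc = 'RODC01'

# 1. Show the RODC's current Allowed List and Denied List. These cmdlets read the
#    msDS-RevealOnDemandGroup and msDS-NeverRevealGroup attributes of the RODC's
#    computer object; by default you will see the two built-in
#    Allowed/Denied RODC Password Replication groups plus the built-in
#    operator/administrator groups on the Denied side.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Select-Object Name, ObjectClass

# 2. Permit the branch users' passwords to be cached on this RODC only, rather
#    than in the domain-wide Allowed RODC Password Replication Group, so a
#    different branch's RODC does not learn these secrets too.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Branch-Users'

# 3. Explicitly deny a sensitive service account on this RODC. A Deny entry wins
#    over any Allow entry, whichever groups the account belongs to.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList 'svc-backup'

# 4. Resultant policy per account: this is the check to run before assuming an
#    account will work while the WAN link is down. 'Administrator' stays denied
#    through its Domain Admins / Administrators memberships even if someone adds
#    it to the Allowed list.
foreach ($acct in 'jsmith', 'svc-backup', 'Administrator') {
    $result = Get-ADAccountResultantPasswordReplicationPolicy -Identity $acct -DomainController $rodc
    '{0,-15} {1}' -f $acct, $result
}

# 5. Allowed is not the same as cached. These are the accounts whose secrets the
#    RODC actually holds right now (the msDS-RevealedUsers attribute), and the
#    accounts that have authenticated through it and could be cached.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object Name, ObjectClass

# 6. Pre-populate the cache for the branch users while the WAN link is up, so the
#    RODC can authenticate them offline later. repadmin /rodcpwdrepl takes the
#    destination RODC, a source writable DC and the user DNs.
$writable = (Get-ADDomainController -Discover -Writable).HostName
Get-ADGroupMember 'Branch-Users' -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object { repadmin /rodcpwdrepl $rodc $writable $_.DistinguishedName }
```

Two caveats follow directly from the article's model. First, the Denied List and the domain-wide Denied RODC Password Replication Group are checked before any Allow entry, which is why adding an administrative account to the Allowed RODC Password Replication Group does not make it cacheable while it remains in Domain Admins, Administrators or another denied group. Second, every account whose secret is cached on an RODC in a physically insecure location is an account an attacker with the disk can attack offline and that must be reset if the RODC is lost; the default Denied membership exists precisely to keep administrative credentials off such a box, so step 4 is the check to run before, not after, changing the policy.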
The following table summarizes the three possible administrative models for the Password
Replication Policy.