You are an administrator at ABC.com. The company has an RODC (read-only domain controller)
server at a remote location. The remote location does not have proper physical security.
You need to populate that RODC server with the passwords of nonadministrative accounts.
Which of the following actions should be considered to populate the RODC server with nonadministrative account passwords?
A. Delete all administrative accounts from the RODC's group
B. Configure the permission to Deny on Receive for administrative accounts on the security tab for the Group Policy Object (GPO)
C. Configure the administrative accounts to be added to the Domain RODC Password Replication Denied group
D. Add a new GPO and enable Account Lockout settings. Link it to the remote RODC server and, on the security tab of the GPO, check the Read Allow and the Apply group policy permissions for the administrators.
E. None of the above
http://technet.microsoft.com/en-us/library/cc770320%28v=ws.10%29.aspx
Advantages That an RODC Can Provide to an Existing Deployment
Branch office server administration. RODCs provide Administrator Role Separation (ARS), which you can use to
delegate administration of an RODC to a nonadministrative user or group. This means that it
is not necessary for a highly privileged administrator to log on to the domain controller in the
branch office to perform routine server maintenance.
http://technet.microsoft.com/en-us/library/cc730883%28v=ws.10%29.aspx
Password Replication Policy
When you initially deploy an RODC, you must configure the Password Replication Policy on
the writable domain controller that will be its replication partner.
The Password Replication Policy acts as an access control list (ACL). It determines if an
RODC should be permitted to cache a password. After the RODC receives an authenticated
user or computer logon request, it refers to the Password Replication Policy to determine if the password for the account should be cached. The same account can then perform
subsequent logons more efficiently.
The Password Replication Policy lists the accounts that are permitted to be cached, and
accounts that are explicitly denied from being cached. The list of user and computer
accounts that are permitted to be cached does not imply that the RODC has necessarily
cached the passwords for those accounts. An administrator can, for example, specify in
advance any accounts that an RODC will cache. This way, the RODC can authenticate
those accounts, even if the WAN link to the hub site is offline.
Password Replication Policy Allowed and Denied lists
Two new built-in groups are introduced in Windows Server 2008 Active Directory domains to support RODC operations.
These are the Allowed RODC Password Replication Group and Denied RODC Password
Replication Group.
The combination of the Allowed List and Denied List attributes for each RODC and the
domain-wide Denied RODC Password Replication Group and Allowed RODC Password
Replication Group give administrators great flexibility. They can decide precisely which
accounts can be cached on specific RODCs.
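The policy described above is managed per RODC with the ActiveDirectory PowerShell module and prepopulated with repadmin. The following is an added example, not part of the question or the cited TechNet text; the RODC name BRANCH-RODC01, the writable DC HUB-DC01, the group "Branch Users" and the user account alice are constructed assumptions for illustration.

```powershell
# Added example: populate an RODC's Password Replication Policy with nonadministrative
# accounts while keeping privileged accounts out of the RODC's cache.
# Assumed names: BRANCH-RODC01 (RODC), HUB-DC01 (writable DC), "Branch Users" (group), alice (user).
Import-Module ActiveDirectory

$Rodc       = 'BRANCH-RODC01'
$WritableDc = 'HUB-DC01'

# 1. Allow the branch users' passwords to be cached on this RODC only.
#    The RODC-specific Allowed List is combined with the domain-wide
#    Allowed/Denied RODC Password Replication Groups to form the effective policy.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList 'Branch Users'

# 2. Confirm that the domain-wide denied group still covers the privileged groups.
#    Accounts in this group are never cached, which matters for a site with weak physical security.
Get-ADGroupMember -Identity 'Denied RODC Password Replication Group' |
    Select-Object Name, objectClass

# 3. Review the effective Allowed and Denied lists for this RODC.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied  | Select-Object Name

# 4. Prepopulate the password of an allowed account now, so the user can log on at the
#    branch even if the WAN link to the hub site is down (Allowed List membership alone
#    does not cache anything until the account authenticates or is prepopulated).
$UserDn = (Get-ADUser -Identity 'alice').DistinguishedName
repadmin /rodcpwdrepl $Rodc $WritableDc $UserDn

# 5. Audit which accounts actually have their secrets on the RODC; this is the list to
#    reset if the branch server is ever lost or stolen.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object Name, objectClass
```

Step 3 shows the difference the explanation draws between being permitted to cache and actually being cached: the Allowed list from step 3 is the policy, while the revealed-accounts list in step 5 is what the RODC currently holds. Running step 5 on a schedule gives a defender an inventory of exactly which credentials would need to be reset if the RODC were compromised.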