Your network contains an Active Directory forest. The forest contains an Active Directory site
for a remote office. The remote site contains a read-only domain controller (RODC).
You need to configure the RODC to store only the passwords of users in the remote site.
What should you do?
A. Create a Password Settings object (PSO).
B. Modify the Partial-Attribute-Set attribute of the forest.
C. Add the user accounts of the remote site users to the Allowed RODC Password
Replication Group.
D. Add the user accounts of users who are not in the remote site to the Denied RODC
Password Replication Group.
Explanation:
http://technet.microsoft.com/en-us/library/cc730883.aspx
Password Replication Policy Allowed and Denied lists
Two new built-in groups are introduced in Windows Server 2008 Active Directory domains to
support RODC operations. These are the Allowed RODC Password Replication Group and
Denied RODC Password Replication Group.
These groups help implement a default Allowed List and Denied List for the RODC
Password Replication Policy. By default, the two groups are respectively added to the
msDS-RevealOnDemandGroup and msDS-NeverRevealGroup Active Directory attributes
mentioned earlier.