What should you do?

You work as an enterprise administrator at Domain.com. The Domain.com network consists of a single Active Directory domain named Domain.com. All servers on the Domain.com network run Windows Server 2008.
Domain.com contains an RODC (read-only domain controller) server named CERTKILLER-DC01 that resides in a remote location. The remote location lacks suitable physical security. You have received instructions from the CIO to activate and populate non-administrative account passwords on CERTKILLER-DC01.
What should you do?

A.
The best option is to add the administrative accounts in the Domain RODC Password Replication Denied group.

B.
The best option is to delete all administrative accounts from the RODC’s group.

C.
The best option is to configure the permission to Deny on Receive for administrative accounts on the security tab for Group Policy Object (GPO).

D.
The best option is to add a new GPO and enable Account Lockout settings. Thereafter you should link it to the remote RODC server and on the security tab on GPO. You should also check the Read Allow and the Apply group policy permissions for the administrators.

Explanation:
You need to add the administrative accounts to the Domain RODC Password Replication Denied group in order to populate CERTKILLER-DC01 with non-administrative account passwords. The Password Replication Policy acts as an access control list. For non-administrative passwords, you have to add the administrative accounts to the RODC password replication denied group so that their passwords cannot be cached. The Password Replication Policy lists the accounts that are permitted to be cached and the accounts that are denied from being cached.


