Your company has one main office and four branch offices. Each branch office has a read-only
domain controller (RODC). The network consists of one Active Directory domain. All domain
controllers run Windows Server 2008 R2. Some branch office users work in a department named
Sales. Sales department users must be able to log on to all computers in their respective branch
offices, even if a wide area network (WAN) link fails. The company security policy has the following
requirements:
• User account passwords must be replicated to the minimum number of locations.
• A minimum number of passwords must be replicated to the branch office domain controllers.
You need to configure a password replication policy that supports the company security policy.
What should you do?
A. Install a writable domain controller in all branch offices. Create one global group that contains all
Sales department users. Create a fine-grained password policy and apply the policy to the group.
B. Install a writable domain controller in all branch offices. Create one global group that contains the
computers of all Sales department users. Add the group to the Allowed RODC Password Replication
Group in the domain.
C. Create one global group for each branch office that contains the Sales department users and
computers in the corresponding branch office. Add all groups to Windows Authorization Access
Group in the domain.
D. Create one global group for each branch office that contains the Sales department users and
computers in the corresponding office. Add each group to the Password Replication Policy in the
corresponding branch office.
Explanation:
To configure a password replication policy that supports the company security policy, create one
global group for each branch office that contains the Sales department users and computers in the
corresponding office. The Password Replication Policy must include the appropriate user, computer,
and service accounts so that the RODC can satisfy authentication and service ticket requests
locally. Then add each group to the Password Replication Policy in the corresponding branch office.
The Password Replication Policy acts as an access control list (ACL): it determines whether an RODC
is permitted to cache a password. After the RODC receives an authenticated user or computer logon
request, it refers to the Password Replication Policy to determine whether the password for the
account should be cached. The same account can then perform subsequent logons more efficiently.
Password Replication Policy
http://technet2.microsoft.com/windowsserver2008/en/library/977fff54-0c7e-46cd-838b-1161aa09a46c1033.mspx?mfr=true