Your network consists of one Active Directory domain. All domain controllers run either Windows
Server 2008 R2 or Windows Server 2003 SP2. A custom application stores passwords in Active
Directory. You plan to deploy read-only domain controllers (RODCs) on the network. You need to
prevent custom application passwords from being replicated to the RODCs. What should you do?
A. Upgrade the schema master to Windows Server 2008 R2. Configure a fine-grained password
policy.
B. Upgrade the infrastructure master to Windows Server 2003 Service Pack 2 (SP2). Mark the custom
application password attribute as confidential.
C. Upgrade all domain controllers to Windows Server 2008 R2. Add the custom application password
attribute to the RODC filtered attribute set and mark the attribute as confidential.
D. Upgrade all domain controllers to Windows Server 2008 R2. Set the functional level of the forest
and the domain to Windows Server 2008 R2. Configure a fine-grained password policy.
Explanation:
To deploy read-only domain controllers (RODCs) on the network, you need to upgrade all domain
controllers to Windows Server 2008. To make sure that the custom application passwords are not
replicated to the RODCs, you need to add the custom application password attribute to the RODC
filtered attribute set and mark the attribute as confidential. The RODC filtered attribute set is a
dynamic set of attributes that is not replicated to any RODCs in the forest. You can configure the
RODC filtered attribute set on a schema master that runs Windows Server 2008. When the attributes
are prevented from replicating to RODCs, that data cannot be exposed unnecessarily if an RODC is
stolen or compromised. In addition, it is recommended that you also mark as confidential any
attributes that you configure as part of the RODC filtered attribute set. Marking the attribute as
confidential provides an additional safeguard against an RODC that is compromised by removing the
permissions that are necessary to read the credential-like data.
Reference: RODC Features / Adding attributes to the RODC filtered attribute set
http://technet2.microsoft.com/windowsserver2008/en/library/0e8e874f-3ef4-43e6-b496-302a47101e611033.mspx?mfr=true
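The configuration described in the explanation comes down to two bits in the `searchFlags` value of the attribute's schema object. The following PowerShell is an added example, not part of the original page: it audits and sets those bits with the ActiveDirectory module. The attribute name `contosoAppPassword` and both function names are hypothetical.

```powershell
# Added example. Requires the ActiveDirectory module and Schema Admins rights for the write.
# Assumption: 'contosoAppPassword' is a hypothetical lDAPDisplayName for the custom attribute.
Import-Module ActiveDirectory

$FLAG_CONFIDENTIAL  = 0x80    # searchFlags: attribute is confidential
$FLAG_RODC_FILTERED = 0x200   # searchFlags: attribute is in the RODC filtered attribute set
$FLAG_ATTR_CRITICAL = 0x1     # schemaFlagsEx: system-critical, cannot be added to the set

function Get-FasState {
    param([Parameter(Mandatory)][ValidatePattern('^[A-Za-z][A-Za-z0-9-]*$')]
          [string]$LdapDisplayName)
    # Read from the schema master so the result reflects the authoritative copy.
    $server   = (Get-ADForest).SchemaMaster
    $schemaNC = (Get-ADRootDSE -Server $server).schemaNamingContext
    $attr = Get-ADObject -Server $server -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties searchFlags, schemaFlagsEx
    if (-not $attr) { throw "Attribute '$LdapDisplayName' not found in the schema." }
    $flags = [int]$attr.searchFlags          # an unset searchFlags reads as 0
    [pscustomobject]@{
        DistinguishedName = $attr.DistinguishedName
        Server            = $server
        SearchFlags       = $flags
        RodcFiltered      = [bool]($flags -band $FLAG_RODC_FILTERED)
        Confidential      = [bool]($flags -band $FLAG_CONFIDENTIAL)
        SystemCritical    = [bool]([int]$attr.schemaFlagsEx -band $FLAG_ATTR_CRITICAL)
    }
}

function Set-FasAndConfidential {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $state = Get-FasState -LdapDisplayName $LdapDisplayName
    if ($state.SystemCritical) {
        throw "'$LdapDisplayName' is system-critical and cannot be RODC-filtered."
    }
    # OR the bits in so existing flags (indexing, ANR, ...) are preserved.
    $new = $state.SearchFlags -bor $FLAG_RODC_FILTERED -bor $FLAG_CONFIDENTIAL
    if ($new -ne $state.SearchFlags -and
        $PSCmdlet.ShouldProcess($state.DistinguishedName, "set searchFlags to $new")) {
        Set-ADObject -Identity $state.DistinguishedName -Server $state.Server `
            -Replace @{ searchFlags = $new }
    }
    Get-FasState -LdapDisplayName $LdapDisplayName   # report the resulting state
}

# Preview the change first; drop -WhatIf to apply it.
Set-FasAndConfidential -LdapDisplayName 'contosoAppPassword' -WhatIf
```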