Your company has a main office and a branch office.
The network contains an Active Directory domain named contoso.com. The domain contains three
domain controllers. The domain controllers are configured as shown in the following table.
The domain contains two global groups. The groups are configured as shown in the following table.
You need to ensure that the RODC is configured to meet the following requirements:
Cache passwords for all of the members of Branch1Users.
Prevent the caching of passwords for the members of Helpdesk.
What should you do?
A. Modify the membership of the Denied RODC Password Replication group.
B. Install the BranchCache feature on RODC1.
C. Modify the delegation settings of RODC1.
D. Create a Password Settings object (PSO) for the Helpdesk group.
Explanation:
Password Replication Policy Allowed and Denied lists
Two new built-in groups are introduced in Windows Server 2008 Active Directory domains to support
RODC operations. These are the Allowed RODC Password Replication Group and Denied RODC Password
Replication Group.
These groups help implement a default Allowed List and Denied List for the RODC Password Replication
Policy. By default, the two groups are respectively added to the msDS-RevealOnDemandGroup and
msDS-NeverRevealGroup Active Directory attributes.
Password Replication Policy
https://technet.microsoft.com/en-us/library/cc730883(v=ws.10).aspx
Here is why: When you initially deploy an RODC, you must configure the Password Replication Policy on the writable domain controller that will be its replication partner.
The Password Replication Policy acts as an access control list (ACL). It determines if an RODC should be permitted to cache a password. After the RODC receives an authenticated user or computer logon request, it refers to the Password Replication Policy to determine if the password for the account should be cached. The same account can then perform subsequent logons more efficiently.
The Password Replication Policy lists the accounts that are permitted to be cached, and accounts that are explicitly denied from being cached. The list of user and computer accounts that are permitted to be cached does not imply that the RODC has necessarily cached the passwords for those accounts. An administrator can, for example, specify in advance any accounts that an RODC will cache. This way, the RODC can authenticate those accounts, even if the WAN link to the hub site is offline.
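The following PowerShell is an added example, not part of the question or the TechNet text above. It shows how the Allowed and Denied lists of an RODC's Password Replication Policy are set and audited with the ActiveDirectory module. It assumes the module is installed, the caller is a Domain Admin in contoso.com, and uses the names RODC1, Branch1Users and Helpdesk from the question. Note that when an account falls under both lists (directly or through nested group membership), the Denied list wins.

```powershell
# Added example (not from the original question or the TechNet excerpt).
# Assumptions: ActiveDirectory module present; caller is a Domain Admin in contoso.com;
# RODC1, Branch1Users and Helpdesk are the names used in the question.
Import-Module ActiveDirectory

$rodc = 'RODC1'

# Allowed list (msDS-RevealOnDemandGroup): members of Branch1Users may be cached on RODC1.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Branch1Users'

# Denied list (msDS-NeverRevealGroup): Helpdesk members are never cached.
# The Denied list takes precedence over the Allowed list.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList 'Helpdesk'

# Verify the resulting policy on the RODC.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Select-Object Name, ObjectClass

# Being on the Allowed list does not mean a password has been cached yet.
# Compare who has authenticated through the RODC with whose secrets it actually holds.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass

# Optional: prepopulate a single allowed account's password ahead of a WAN outage
# (replace the placeholders with a real DN and the writable replication partner).
# Sync-ADObject -Object 'CN=<user>,OU=<ou>,DC=contoso,DC=com' -Source '<WritableDC>' -Destination $rodc -PasswordOnly
```

Run the two `Get-ADDomainControllerPasswordReplicationPolicy` calls after any change to confirm that Branch1Users appears only under the Allowed list and Helpdesk under the Denied list; the usage cmdlets are the quickest way to see whether an account that should never be cached has in fact been revealed to the branch RODC.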