Your network contains an Active Directory domain named adatum.com. The domain contains two domain
controllers that run Windows Server 2012 R2. The domain controllers are configured as shown in the following
table.
You log on to DC1 by using a user account that is a member of the Domain Admins group, and then you create
a new user account named User1.
You need to prepopulate the password for User1 on DC2.
What should you do first?
A.
Connect to DC2 from Active Directory Users and Computers.
B.
Add DC2 to the Allowed RODC Password Replication Policy group.
C.
Add the User1 account to the Allowed RODC Password Replication Policy group.
D.
Run Active Directory Users and Computers as a member of the Enterprise Admins group.
Explanation:
http://technet.microsoft.com/en-us/library/cc730883(v=ws.10).aspx http://technet.microsoft.com/en-us/library/
cc753470(v=ws.10).aspx#BKMK_pre
Answer: D
You are pre-populating the password, not just enabling it to be cached. This is done in ADUC as shown in the explanation.
Incorrect…
Nowhere is any documentation does it state you have to be a member of the Enterprise Admins group to pre-populate passwords: “Domain Administrators” have the ability to do this, as you have logged into the DC as a Domain Admin and already created “user 1”. You would need to add them to the Allowed RODC group, then do the process of pre-populating the passwords. You can then Select the account to pre-populate, for this to occur “User1” would also have to already be in the Allowed RODC list.
You have to be a member of at least domain admin. Enterprise Admin has all of the required rights.
Step1: Launch ADUC
Step2: Add ID to PRP (via ADUC)
Step3: Prepopulate password via ADUC
An alternative view would be that you could add the ID to the PRP, then launch ADUC & pre-populate the password.
I think I will go with D, but technically it could be C or D.