Your network contains an Active Directory forest.
The forest contains an Active Directory site for a remote office. The remote site contains a read-only domain controller (RODC).
You need to configure the RODC to store only the passwords of users in the remote site.
What should you do?
A. Create a Password Settings object (PSO).
B. Modify the Partial-Attribute-Set attribute of the forest.
C. Add the user accounts of the remote site users to the Allowed RODC Password Replication Group.
D. Add the user accounts of users who are not in the remote site to the Denied RODC Password Replication Group.
Correct Answer: C
Explanation/Reference:
Reference:
http://technet.microsoft.com/en-us/library/cc730883.aspx
Password Replication Policy Allowed and Denied lists
Two new built-in groups are introduced in Windows Server 2008 Active Directory domains to support RODC operations. These are the Allowed RODC Password Replication Group and Denied RODC Password Replication Group.
These groups help implement a default Allowed List and Denied List for the RODC Password Replication Policy. By default, the two groups are respectively added to the msDS-RevealOnDemandGroup and msDS-NeverRevealGroup Active Directory attributes mentioned earlier.
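
As an added example (not part of the original question or the TechNet reference), answer C can be applied and then audited with the ActiveDirectory PowerShell module. The RODC name and OU path are hypothetical placeholders, and the module is assumed to be available (Windows Server 2008 R2 or later, or RSAT).

```powershell
# Added example: apply and audit the RODC Password Replication Policy (PRP).
# Assumption: the ActiveDirectory module is installed on this machine.
Import-Module ActiveDirectory

# Hypothetical placeholders: replace with your RODC name and remote-site OU.
$Rodc   = 'RODC01'
$SiteOu = 'OU=RemoteSite Users,DC=example,DC=com'
$Allow  = 'Allowed RODC Password Replication Group'

# 1. Answer C: add remote-site users that are not yet members of the Allowed group.
$siteUsers = @(Get-ADUser -Filter * -SearchBase $SiteOu)
$siteDns   = @($siteUsers | ForEach-Object { $_.DistinguishedName })
$current   = @(Get-ADGroupMember -Identity $Allow |
                   ForEach-Object { $_.DistinguishedName })
$toAdd     = @($siteUsers | Where-Object { $current -notcontains $_.DistinguishedName })
if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $Allow -Members $toAdd
}

# 2. Confirm the RODC's Allowed and Denied lists still reference the default groups.
#    A principal on both lists is denied: the Denied List takes precedence.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
    Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied |
    Select-Object Name, ObjectClass

# 3. Audit: the Allowed group should contain only remote-site users.
Get-ADGroupMember -Identity $Allow -Recursive |
    Where-Object { $siteDns -notcontains $_.DistinguishedName } |
    Select-Object @{n='Finding';e={'Allowed but not in remote site'}}, SamAccountName

# 4. Audit: user passwords already cached on the RODC should belong to site users.
#    The RODC's own computer account and its krbtgt_* account are always cached.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Where-Object { $_.ObjectClass -eq 'user' -and
                   $_.SamAccountName -notlike 'krbtgt*' -and
                   $siteDns -notcontains $_.DistinguishedName } |
    Select-Object @{n='Finding';e={'Cached but not in remote site'}}, SamAccountName
```

Any row returned by step 3 or 4 is an account whose password can be, or already is, stored on the RODC although the account is outside the remote site. Because the Allowed RODC Password Replication Group is on the default Allowed List of every RODC in the domain, this check matters most when the domain has more than one RODC.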