Your network contains an Active Directory domain named contoso.com.
The network has a branch office site that contains a read-only domain controller (RODC) named
RODC1.
RODC1 runs Windows Server 2008 R2.
A user logs on to a computer in the branch office site.
You discover that the user’s password is not stored on RODC1.
You need to ensure that the user’s password is stored on RODC1 when he logs on to a branch office site computer.
What should you do?
A. Modify the RODC s password replication policy by removing the entry for the Allowed RODC Password Replication Group.
B. Modify the RODC’s password replication policy by adding RODC1’s computer account to the list of allowed users, groups, and computers.
C. Add the user’s user account to the built-in Allowed RODC Password Replication Group on RODC1.
D. Add RODC1’s computer account to the built-in Allowed RODC Password Replication Group on RODC1.
Correct Answer: C
Explanation/Reference:
Reference:
MS Press – Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012)
pages 416-417
Password Replication Policy
Password Replication Policy (PRP) determines which users’ credentials can be cached on a specific RODC. If PRP allows an RODC to cache a user’s credentials, authentication and service ticket activities of that user can be processed by the RODC. If a user’s credentials cannot be cached on an RODC, authentication and service ticket activities are referred by the RODC to a writable domain controller.
An RODC’s PRP is determined by two multivalued attributes of the RODC’s computer account. These attributes are commonly known as the Allowed List and the Denied List. If a user’s account is on the Allowed List, the user’s credentials are cached. You can include groups on the Allowed List, in which case all users who belong to the group can have their credentials cached on the RODC. If the user is on both the Allowed List and the Denied List, the user’s credentials will not be cached–the Denied List takes precedence.
Configuring Domain-Wide Password Replication Policy
To facilitate the management of PRP, Windows Server 2008 R2 creates two domain local security groups in the Users container of Active Directory. The first group, Allowed RODC Password Replication Group, is added to the Allowed List of each new RODC. By default, the group has no members. Therefore, by default, a new RODC will not cache any user’s credentials. If you have users whose credentials you want to be cached by all domain RODCs, add those users to the Allowed RODC Password Replication Group.
