Your network consists of one Active Directory domain.
All domain controllers run either Windows Server 2008 R2 or Windows Server 2003 SP2. A custom application stores passwords in Active Directory.
You plan to deploy read-only domain controllers (RODCs) on the network.
You need to prevent custom application passwords from being replicated to the RODCs.
What should you do?
A. Upgrade the schema master to Windows Server 2008 R2. Configure a fine-grained password policy.
B. Upgrade the infrastructure master to Windows Server 2008 R2. Mark the custom application password attribute as confidential.
C. Upgrade all domain controllers to Windows Server 2008 R2. Add the custom application password attribute to the RODC filtered attribute set and mark the attribute as confidential.
D. Upgrade all domain controllers to Windows Server 2008 R2. Set the functional level of the forest and the domain to Windows Server 2008 R2. Configure a fine-grained password policy.
Correct Answer: C
Explanation/Reference:
A read-only domain controller (RODC) is a new type of domain controller in the Windows Server 2008 operating system.
The RODC FAS is a dynamic set of attributes that is not replicated to any RODCs in the forest. These attributes are not replicated to RODCs because they contain sensitive data. Because they are not replicated to RODCs, a malicious user who has managed to compromise an RODC cannot expose them.
A malicious user who compromises an RODC can attempt to replicate attributes that are defined in the RODC FAS. If the RODC tries to replicate those attributes from a domain controller that is running Windows Server 2008, the replication request is denied. However, if the RODC tries to replicate those attributes from a domain controller that is running Windows Server 2003, the replication request could succeed. Therefore, as a security precaution, you should ensure that the forest functional level is Windows Server 2008 if you plan to configure the RODC FAS.

correct, but the forest functional level should also be set to 2008 or higher to prevent compromise. -CRA
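The configuration that answer C describes, as an added PowerShell example that is not part of the original question page or of any Microsoft documentation: it checks the forest functional level precondition from the explanation, then sets the two searchFlags bits on the attribute's schema object (0x200 adds it to the RODC filtered attribute set, 0x80 marks it confidential) and verifies the result. It assumes the RSAT ActiveDirectory module, Schema Admins membership, and a hypothetical attribute name `contoso-AppPassword` and user `someuser`; both are placeholders to replace.

```powershell
# Added example, not the page's own content. Assumes the ActiveDirectory module,
# Schema Admins rights, and placeholder names (replace before use).
Import-Module ActiveDirectory

$AttributeName = 'contoso-AppPassword'   # hypothetical lDAPDisplayName of the app's password attribute

# searchFlags bits on an attributeSchema object
$fCONFIDENTIAL          = 0x080   # 128: reads require the Control Access right on the object
$fRODCFilteredAttribute = 0x200   # 512: attribute is in the RODC filtered attribute set (not replicated to RODCs)

# 1. Precondition from the explanation: forest functional level must be Windows Server 2008
#    or higher, otherwise a compromised RODC could still pull the attribute from a 2003 DC.
$forest = Get-ADForest
if ($forest.ForestMode -lt [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008Forest) {
    throw "Forest functional level is $($forest.ForestMode); raise it to Windows Server 2008 or higher before relying on the RODC FAS."
}

# 2. Find the attribute's schema object and read its current searchFlags.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$AttributeName))" `
    -Properties searchFlags
if (-not $attr) { throw "Attribute '$AttributeName' not found in the schema." }

$current = [int]$attr.searchFlags
$new     = $current -bor $fCONFIDENTIAL -bor $fRODCFilteredAttribute

# 3. Write both bits in one update against the schema master (schema writes must target it).
$schemaMaster = $forest.SchemaMaster
if ($new -ne $current) {
    Set-ADObject -Identity $attr.DistinguishedName -Replace @{ searchFlags = $new } -Server $schemaMaster
}

# 4. Verify the bits on the schema object.
$check = Get-ADObject -Identity $attr.DistinguishedName -Properties searchFlags -Server $schemaMaster
$isFiltered     = ([int]$check.searchFlags -band $fRODCFilteredAttribute) -ne 0
$isConfidential = ([int]$check.searchFlags -band $fCONFIDENTIAL) -ne 0
"RODC filtered: $isFiltered; confidential: $isConfidential"

# 5. Spot-check an RODC once replication has run: a user read through the RODC should
#    return no value for the filtered attribute.
$rodc = Get-ADDomainController -Filter * | Where-Object IsReadOnly | Select-Object -First 1
if ($rodc) {
    $user = Get-ADUser -Identity 'someuser' -Properties $AttributeName -Server $rodc.HostName  # 'someuser' is a placeholder
    if ($null -eq $user.$AttributeName) {
        "Attribute '$AttributeName' is absent on RODC $($rodc.HostName) (expected)."
    } else {
        "WARNING: '$AttributeName' still has a value on RODC $($rodc.HostName); check replication and the searchFlags change."
    }
}
```

Setting the confidential bit alongside the FAS bit matters because the FAS only controls what an RODC receives; confidentiality additionally restricts who can read the attribute on writable domain controllers, which is why answer C pairs the two. Changes to searchFlags on the schema master replicate to the other writable DCs before the RODC check in step 5 becomes meaningful.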