Your network consists of one Active Directory domain. All domain controllers run either Windows Server 2008 R2 or Windows Server 2003 SP2. A custom application stores passwords in Active Directory.
You plan to deploy read-only domain controllers (RODCs) on the network.
You need to prevent custom application passwords from being replicated to the RODCs.
What should you do?
A. Upgrade the schema master to Windows Server 2008 R2. Configure a fine-grained password policy.
B. Upgrade the infrastructure master to Windows Server 2003 Service Pack 2 (SP2). Mark the custom application password attribute as confidential.
C. Upgrade all domain controllers to Windows Server 2008 R2. Add the custom application password attribute to the RODC filtered attribute set and mark the attribute as confidential.
D. Upgrade all domain controllers to Windows Server 2008 R2. Set the functional level of the forest and the domain to Windows Server 2008 R2. Configure a fine-grained password policy.
Correct Answer: C
Explanation/Reference:
Explanation:
To deploy read-only domain controllers (RODCs) on the network, you need to upgrade all domain controllers to Windows Server 2008. To make sure that the custom application passwords are not replicated to the RODCs, you need to add the custom application password attribute to the RODC filtered attribute set and mark the attribute as confidential.
The RODC filtered attribute set is a dynamic set of attributes that is not replicated to any RODCs in the forest. You can configure the RODC filtered attribute set on a schema master that runs Windows Server 2008. When the attributes are prevented from replicating to RODCs, that data cannot be exposed unnecessarily if an RODC is stolen or compromised.
In addition, it is recommended that you also mark as confidential any attributes that you configure as part of the RODC filtered attribute set. Marking the attribute as confidential provides an additional safeguard against an RODC that is compromised by removing the permissions that are necessary to read the credential-like data.
Reference: RODC Features / Adding attributes to the RODC filtered attribute set
http://technet2.microsoft.com/windowsserver2008/en/library/0e8e874f-3ef4-43e6-b496-302a47101e611033.mspx?mfr=true
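Both settings in the explanation above are bits in the `searchFlags` value of the attribute's schema object. The following Python script is an added example, not part of the original page or of Microsoft's documentation: it computes the new value and renders an LDIF record for `ldifde`. The attribute name `contoso-App-Password` and the `contoso.com` naming context are hypothetical.

```python
"""Added example: compute searchFlags for an RODC-filtered, confidential attribute."""

# searchFlags bits on an attributeSchema object.
CONFIDENTIAL = 0x080    # 128: reading requires the Control Access right
RODC_FILTERED = 0x200   # 512: member of the RODC filtered attribute set
# schemaFlagsEx bit 0x1 marks a system-critical attribute; these cannot be filtered.
ATTR_IS_CRITICAL = 0x1


def hardened_search_flags(current, schema_flags_ex=0):
    """Return searchFlags with both bits set, preserving existing bits (indexing etc.)."""
    if schema_flags_ex & ATTR_IS_CRITICAL:
        raise ValueError("system-critical attribute cannot join the filtered attribute set")
    return current | RODC_FILTERED | CONFIDENTIAL


def describe(flags):
    """Report which of the two protections are present in a searchFlags value."""
    return {"rodc_filtered": bool(flags & RODC_FILTERED),
            "confidential": bool(flags & CONFIDENTIAL)}


def ldif_change(schema_dn, current, schema_flags_ex=0):
    """Render an LDIF modify record to import with ldifde on the schema master."""
    new = hardened_search_flags(current, schema_flags_ex)
    return (f"dn: {schema_dn}\n"
            "changetype: modify\n"
            "replace: searchFlags\n"
            f"searchFlags: {new}\n"
            "-\n")


if __name__ == "__main__":
    # Constructed sample: hypothetical attribute that is currently indexed (searchFlags = 1).
    dn = "CN=contoso-App-Password,CN=Schema,CN=Configuration,DC=contoso,DC=com"
    print(describe(1))
    print(ldif_change(dn, current=1))
```

Running `describe` over the `searchFlags` values of credential-like attributes is a quick audit for attributes that were marked confidential but never added to the filtered attribute set, or the reverse.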