As the company administrator, you have installed a read-only domain controller (RODC) server at a remote location.
The remote location does not provide enough physical security for the server.
What should you do to allow administrative accounts to replicate authentication information to Read-Only Domain Controllers?
A. Remove any administrative accounts from RODC’s group
B. Add administrative accounts to the domain Allowed RODC Password Replication group
C. Set the Deny on Receive as permission for administrative accounts on the RODC computer account Security tab for the Group Policy Object (GPO)
D. Configure a new Group Policy Object (GPO) with the Account Lockout settings enabled. Link the GPO to the remote location. Activate the Read Allow and the Apply group policy Allow permissions for the administrators on the Security tab for the GPO.
E. None of the above
Correct Answer: B
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc730883%28v=ws.10%29.aspx
Password Replication Policy
When you initially deploy an RODC, you must configure the Password Replication Policy on the writable domain controller that will be its replication partner.
The Password Replication Policy acts as an access control list (ACL). It determines if an RODC should be permitted to cache a password. After the RODC receives an authenticated user or computer logon request, it refers to the Password Replication Policy to determine if the password for the account should be cached. The same account can then perform subsequent logons more efficiently.
The Password Replication Policy lists the accounts that are permitted to be cached, and accounts that are explicitly denied from being cached. The list of user and computer accounts that are permitted to be cached does not imply that the RODC has necessarily cached the passwords for those accounts. An administrator can, for example, specify in advance any accounts that an RODC will cache. This way, the RODC can authenticate those accounts, even if the WAN link to the hub site is offline.
Password Replication Policy Allowed and Denied lists
Two new built-in groups are introduced in Windows Server 2008 Active Directory domains to support RODC operations. These are the Allowed RODC Password Replication Group and Denied RODC Password Replication Group.
These groups help implement a default Allowed List and Denied List for the RODC Password Replication Policy. By default, the two groups are respectively added to the msDS-RevealOnDemandGroup and msDS-NeverRevealGroup Active Directory attributes mentioned earlier.
By default, the Allowed RODC Password Replication Group has no members. Also by default, the Allowed List attribute contains only the Allowed RODC Password Replication Group.
By default, the Denied RODC Password Replication Group contains the following members:
Enterprise Domain Controllers
Enterprise Read-Only Domain Controllers
Group Policy Creator Owners
Domain Admins
Cert Publishers
Enterprise Admins
Schema Admins
Domain-wide krbtgt account
By default, the Denied List attribute contains the following security principals, all of which are built-in:
Denied RODC Password Replication Group
Account Operators
Server Operators
Backup Operators
Administrators
The combination of the Allowed List and Denied List attributes for each RODC and the domain-wide Denied RODC Password Replication Group and Allowed RODC Password Replication Group gives administrators great flexibility: they can decide precisely which accounts can be cached on specific RODCs.
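As an added example (not from the referenced article), the following PowerShell script reads an RODC's Allowed and Denied lists, expands the groups on them, and reports for a set of accounts whether their passwords could be cached on that RODC, then lists the passwords already revealed to it. The RODC name RODC01 and the account names are placeholders, and the group expansion is an approximation of the policy evaluation performed by the writable DC.

```powershell
# Added example: audit an RODC Password Replication Policy for given accounts.
# Assumes the ActiveDirectory module; 'RODC01' and the account names are placeholders.
Import-Module ActiveDirectory

$Rodc     = 'RODC01'
$Accounts = @('branch.user1', 'svc.backup', 'jdoe.admin')

# Flatten one PRP list (Allowed or Denied) into a SID -> "how it got there" table.
function Expand-PrpList {
    param([string]$Identity, [switch]$Denied)
    $entries = if ($Denied) {
        Get-ADDomainControllerPasswordReplicationPolicy -Identity $Identity -DeniedList
    } else {
        Get-ADDomainControllerPasswordReplicationPolicy -Identity $Identity -AllowedList
    }
    $sids = @{}
    foreach ($e in $entries) {
        $sids[$e.SID.Value] = $e.Name
        if ($e.objectClass -eq 'group') {
            try {
                Get-ADGroupMember -Identity $e.DistinguishedName -Recursive -ErrorAction Stop |
                    ForEach-Object { $sids[$_.SID.Value] = "$($_.Name) (via $($e.Name))" }
            } catch {
                # Well-known groups such as Enterprise Domain Controllers cannot be enumerated this way.
                Write-Warning "Cannot expand $($e.Name): $($_.Exception.Message)"
            }
        }
    }
    return $sids
}

$allowed = Expand-PrpList -Identity $Rodc
$denied  = Expand-PrpList -Identity $Rodc -Denied

foreach ($name in $Accounts) {
    $acct = Get-ADObject -Filter { sAMAccountName -eq $name } -Properties objectSid
    $sid  = $acct.objectSid.Value
    # A Denied entry wins over an Allowed entry; an account on neither list is not cached.
    $verdict = if ($denied.ContainsKey($sid))      { "DENIED via $($denied[$sid])" }
               elseif ($allowed.ContainsKey($sid)) { "ALLOWED via $($allowed[$sid])" }
               else                                { 'not cached (no matching entry)' }
    Write-Output ('{0,-20} {1}' -f $name, $verdict)
}

# Passwords already cached on the RODC: the set to reset if the server is lost or stolen.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object Name, objectClass
```

Because members of Domain Admins, Administrators and the other built-in groups sit on the Denied list by default, this report makes visible which privileged accounts would be refused caching even after an Allowed entry is added.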
The following table summarizes the three possible administrative models for the Password Replication Policy.