You are an administrator at vceguide.com.
Your company has an RODC (read-only domain controller) at a remote location.
The remote location does not have proper physical security.
You need to populate that RODC with the passwords of nonadministrative accounts only.
Which of the following actions should be taken to populate the RODC with nonadministrative account passwords?
A. Delete all administrative accounts from the RODC’s group
B. Configure the permission to Deny on Receive for administrative accounts on the security tab for Group Policy Object (GPO)
C. Configure the administrative accounts to be added in the Domain RODC Password Replication Denied group
D. Add a new GPO and enable Account Lockout settings. Link it to the remote RODC server and on the security tab on GPO, check the Read Allow and the Apply group policy permissions for the administrators.
E. None of the above
Correct Answer: C
Explanation/Reference:
http://technet.microsoft.com/en-us/library/cc770320%28v=ws.10%29.aspx
Advantages That an RODC Can Provide to an Existing Deployment
Branch office server administration. RODCs provide Administrator Role Separation (ARS), which you can use to delegate administration of an RODC to a nonadministrative user or group. This means that it is not necessary for a highly privileged administrator to log on to the domain controller in the branch office to perform routine server maintenance.
http://technet.microsoft.com/en-us/library/cc730883%28v=ws.10%29.aspx
Password Replication Policy
When you initially deploy an RODC, you must configure the Password Replication Policy on the writable domain controller that will be its replication partner.
The Password Replication Policy acts as an access control list (ACL). It determines if an RODC should be permitted to cache a password. After the RODC receives an authenticated user or computer logon request, it refers to the Password Replication Policy to determine if the password for the account should be cached. The same account can then perform subsequent logons more efficiently.
The Password Replication Policy lists the accounts that are permitted to be cached, and accounts that are explicitly denied from being cached. The list of user and computer accounts that are permitted to be cached does not imply that the RODC has necessarily cached the passwords for those accounts. An administrator can, for example, specify in advance any accounts that an RODC will cache. This way, the RODC can authenticate those accounts, even if the WAN link to the hub site is offline.
Password Replication Policy Allowed and Denied lists
Two new built-in groups are introduced in Windows Server 2008 Active Directory domains to support RODC operations. These are the Allowed RODC Password Replication Group and Denied RODC Password Replication Group.
..
The combination of the Allowed List and Denied List attributes for each RODC and the domain-wide Denied RODC Password Replication Group and Allowed RODC Password Replication Group gives administrators great flexibility. They can decide precisely which accounts can be cached on specific RODCs.
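The following PowerShell session is an added example, not part of the TechNet text quoted above, showing how the Password Replication Policy described there is inspected and configured from a writable domain controller with the ActiveDirectory module. The RODC name RODC01, the groups Branch-Users, Branch-Workstations and Branch-Server-Admins, and the user jsmith are assumed names for the example; the cmdlets and the built-in Denied RODC Password Replication Group are real.

```powershell
# Added example: keep administrative accounts out of a branch RODC's cache while
# allowing (and pre-populating) the branch's nonadministrative accounts.
# Assumed names: RODC01, Branch-Users, Branch-Workstations, Branch-Server-Admins, jsmith.
Import-Module ActiveDirectory

$Rodc = 'RODC01'

# 1. Review the RODC's current Allowed and Denied lists.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
    Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied |
    Select-Object Name, ObjectClass

# 2. Privileged accounts belong in the domain-wide Denied group. It already
#    contains Domain Admins, Enterprise Admins, Schema Admins and similar groups
#    by default; add any delegated admin groups the domain uses as well.
Add-ADGroupMember -Identity 'Denied RODC Password Replication Group' `
                  -Members 'Branch-Server-Admins'

# 3. Allow the branch's ordinary users and workstations to be cached on this RODC.
#    A Denied entry always wins over an Allowed entry, so an account that appears
#    in both lists is never cached.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc `
    -AllowedList 'Branch-Users', 'Branch-Workstations'

# 4. Optionally pre-populate a password so the user can log on even when the
#    WAN link to the hub site is down (the account must be in the Allowed list).
$Hub = (Get-ADDomainController -Discover -Writable).HostName
Sync-ADObject -Object 'jsmith' -Source $Hub -Destination $Rodc -PasswordOnly

# 5. Verify. "Revealed" accounts are the ones whose secrets the RODC has actually
#    cached; any of them that is also in the Denied group is a finding, because a
#    stolen RODC would expose that account's password hash.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
$denied   = Get-ADGroupMember -Identity 'Denied RODC Password Replication Group' -Recursive |
            Select-Object -ExpandProperty SamAccountName

$revealed | Select-Object Name, ObjectClass
$revealed | Where-Object { $denied -contains $_.SamAccountName } |
    ForEach-Object { Write-Warning "Privileged account cached on ${Rodc}: $($_.SamAccountName)" }
```

Step 2 is the action behind the correct answer: membership in the Denied RODC Password Replication Group is what prevents administrative passwords from ever being replicated to an RODC, regardless of what the Allowed list says. Step 5 is worth running periodically, since the Allowed list only states what may be cached; the revealed-accounts list shows what actually is.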