Your company has a main office and a branch office.
The network contains an Active Directory domain named contoso.com. The domain contains three domain controllers. The domain controllers are configured as
shown in the following table.
The domain contains two global groups. The groups are configured as shown in the following table.
You need to ensure that the RODC is configured to meet the following requirements:
Cache passwords for all of the members of Branch1Users. Prevent the caching of passwords for the members of Helpdesk.
What should you do?
A.
Modify the password replication policy of RODC1.
B.
Modify the delegation settings of RODC1.
C.
Modify the membership of the Allowed RODC Password Replication group.
D.
Modify the membership of the Denied RODC Password Replication group.
E.
Modify the delegation settings of DC1 and DC2.
F.
Install the BranchCache feature on RODC1.
G.
Create a Password Settings object (PSO) for the Helpdesk group.
H.
Create a Password Settings object (PSO) for the Branch1Users group.
Explanation:
The Password Replication Policy acts as an access control list (ACL). It determines if an RODC should be permitted to cache a password. After the RODC receives
an authenticated user or computer logon request, it refers to the Password Replication Policy to determine if the password for the account should be cached.
Password Replication Policy
I think it should be D. Modify the membership of the Denied RODC Password Replication group.
By adding the helpdesk group to the Denied RODC Password Replication group we prevent helpdesk members from having their passwords stored on the RODC.
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc730883(v=ws.10)
0
0
This is kinda a funny one. Yes you would modify the denied RODC password replication group but these are under the password replication policy. I would assume the given answer is correct because of this but I am not positive.
0
0
Even in the link in qwfi@flw.lf‘s comment it shows that you edit this under the password replication policy tab.
0
0
More comments here: https://www.briefmenow.org/microsoft/you-need-to-ensure-that-the-rodc-is-configured-to-meet-the-following-requirements-cache-passwords-for-all-of-the-members-of-branch1users-7/
This version of question has many answer options. I would stick with C. Modify the membership of the Allowed RODC Password Replication group, because adding Branch1Users to members of Allowed group would complete both tasks: Branch1Users members’ passwords would be cached on RODC and Helpdesk would not be cached, since default Password Replication Policy allows to cache only Allowed group members and denies caching all the rest. Look at the diagram:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc730883(v=ws.10)
0
0
To add, A. Modify the password replication policy of RODC1 could be the option if C would not be available. You could add Branch1Users to PRP and set Allowed setting. This would also do the job.
0
0