PrepAway - Latest Free Exam Questions & Answers

You need to ensure that the user’s password is stored on RODC1 when he logs on to a branch office site c

Your network contains an Active Directory domain named contoso.com.
The network has a branch office site that contains a read-only domain controller (RODC)
named RODC1.
RODC1 runs Windows Server 2008 R2.
A user logs on to a computer in the branch office site.
You discover that the user’s password is not stored on RODC1.
You need to ensure that the user’s password is stored on RODC1 when he logs on to a
branch office site computer.
What should you do?


A.
Modify the RODC’s password replication policy by removing the entry for the Allowed
RODC Password Replication Group.

B.
Modify the RODC’s password replication policy by adding RODC1’s computer account to
the list of allowed users, groups, and computers.

C.
Add the user’s user account to the built-in Allowed RODC Password Replication Group on
RODC1.

D.
Add RODC1’s computer account to the built-in Allowed RODC Password Replication
Group on RODC1.

Explanation:
MS Press – Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012) pages 416-417
Password Replication Policy
Password Replication Policy (PRP) determines which users’ credentials can be cached on a
specific RODC. If PRP allows an RODC to cache a user’s credentials, authentication and
service ticket activities of that user can be processed by the RODC. If a user’s credentials
cannot be cached on an RODC, authentication and service ticket activities are referred by
the RODC to a writable domain controller.
An RODC’s PRP is determined by two multivalued attributes of the RODC’s computer
account. These attributes are commonly known as the Allowed List and the Denied List. If a
user’s account is on the Allowed List, the user’s credentials are cached. You can include
groups on the Allowed List, in which case all users who belong to the group can have their
credentials cached on the RODC. If the user is on both the Allowed List and the Denied List,
the user’s credentials will not be cached—the Denied List takes precedence.
Configuring Domain-Wide Password Replication Policy
To facilitate the management of PRP, Windows Server 2008 R2 creates two domain local
security groups in the Users container of Active Directory. The first group, Allowed RODC
Password Replication Group, is added to the Allowed List of each new RODC. By default,
the group has no members. Therefore, by default, a new RODC will not cache any user’s
credentials. If you have users whose credentials you want to be cached by all domain
RODCs, add those users to the Allowed RODC Password Replication Group.
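
The Allowed List and Denied List evaluation described above can be checked against a live RODC. The following is an added example, not part of the original page or the training kit: a PowerShell function (ActiveDirectory module, PowerShell 3.0 or later assumed) that reports whether a user's credentials are cacheable on an RODC and whether they are stored there now. RODC1 comes from the scenario; the account name jsmith and the function name are hypothetical.

```powershell
# Added example: evaluate the effective Password Replication Policy (PRP)
# for one user on one RODC. Requires the ActiveDirectory module (RSAT).
# 'RODC1' is from the scenario; 'jsmith' is a hypothetical account name.
Import-Module ActiveDirectory

function Test-RodcCredentialCaching {
    param(
        [Parameter(Mandatory = $true)] [string] $Rodc,
        [Parameter(Mandatory = $true)] [string] $SamAccountName
    )

    $user = Get-ADUser -Identity $SamAccountName

    # Emit the name of every PRP entry that applies to the user, either
    # directly or through (nested) group membership.
    function Get-MatchingEntry($principals) {
        foreach ($p in $principals) {
            if ($p.DistinguishedName -eq $user.DistinguishedName) { $p.Name }
            elseif ($p.ObjectClass -eq 'group') {
                $members = Get-ADGroupMember -Identity $p.DistinguishedName -Recursive
                if ($members.DistinguishedName -contains $user.DistinguishedName) { $p.Name }
            }
        }
    }

    $allowed   = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
    $denied    = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied
    $allowedBy = @(Get-MatchingEntry $allowed)
    $deniedBy  = @(Get-MatchingEntry $denied)

    # Accounts whose credentials are currently stored on the RODC.
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts

    [pscustomobject]@{
        User      = $user.SamAccountName
        Rodc      = $Rodc
        AllowedBy = $allowedBy -join '; '
        DeniedBy  = $deniedBy -join '; '
        # The Denied List takes precedence over the Allowed List.
        Cacheable = ($allowedBy.Count -gt 0) -and ($deniedBy.Count -eq 0)
        CachedNow = $revealed.DistinguishedName -contains $user.DistinguishedName
    }
}

Test-RodcCredentialCaching -Rodc 'RODC1' -SamAccountName 'jsmith'
```

A result with Cacheable true and CachedNow false means the policy permits caching but the credentials have not yet been replicated to the RODC.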

