Your network contains an Active Directory domain named adatum.com. The domain contains two
domain controllers that run Windows Server 2012 R2. The domain controllers are configured as
shown in the following table.
You log on to DC1 by using a user account that is a member of the Domain Admins group, and then
you create a new user account named User1.
You need to prepopulate the password for User1 on DC2.
What should you do first?
A. Connect to DC2 from Active Directory Users and Computers.
B. Add DC2 to the Allowed RODC Password Replication Policy group.
C. Add the User1 account to the Allowed RODC Password Replication Policy group.
D. Run Active Directory Users and Computers as a member of the Enterprise Admins group.
Explanation:
To prepopulate the password cache for an RODC by using Active Directory Users and Computers (see
step 1 below):
Administrative credentials: To prepopulate the password cache for an RODC, you must be a member
of the Domain Admins group.
1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
2. Ensure that Active Directory Users and Computers points to the writable domain controller that is
running Windows Server 2008, and then click Domain Controllers.
3. In the details pane, right-click the RODC computer account, and then click Properties.
4. Click the Password Replication Policy tab.
5. Click Advanced.
6. Click Prepopulate Passwords.
7. Type the name of the accounts whose passwords you want to prepopulate in the cache for the
RODC, and then click OK.
8. When you are asked if you want to send the passwords for the accounts to the RODC, click Yes.
Note: You can prepopulate the password cache for an RODC with the passwords of user and
computer accounts that you plan to authenticate to it. When you prepopulate the RODC password
cache, you trigger the RODC to replicate and cache the passwords for users and computers before
the accounts try to log on in the branch office.
Incorrect:
Not C. You don’t need to add User1 to the Allowed RODC Password Replication Policy group. As a
first step you should run Active Directory Users and Computers as a member of the
Domain/Enterprise Admins group.
Reference: Password Replication Policy Administration
http://technet.microsoft.com/en-us/library/cc753470(v=ws.10).aspx#BKMK_pre
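The same procedure from the command line, as an added example that is not part of the original page: it checks how the RODC's Password Replication Policy resolves for User1, requests the prepopulation with repadmin, and then confirms the account is listed as cached. It assumes DC1 is the writable domain controller and DC2 the RODC (the page's table is missing) and that it runs in a Domain Admins session.

```powershell
# Added example (not from the original page). Assumed roles: DC1 = writable DC,
# DC2 = RODC. Run in a Domain Admins session with the ActiveDirectory module
# and repadmin.exe available.
Import-Module ActiveDirectory

$Rodc    = 'DC2'     # assumed to be the RODC
$HubDc   = 'DC1'     # assumed to be the writable DC
$Account = 'User1'

$user = Get-ADUser -Identity $Account -Server $HubDc

# How does DC2's Password Replication Policy resolve for this account?
# Possible values: Allow, DenyExplicit, DenyImplicit, Unknown.
$prp = Get-ADAccountResultantPasswordReplicationPolicy -Identity $user -DomainController $Rodc
Write-Output "Resultant PRP for $Account on ${Rodc}: $prp"

if ($prp -ne 'Allow') {
    # Prepopulation fails for an account the policy does not allow to be cached,
    # so stop here instead of issuing the replication request.
    throw "$Account is not allowed to be cached on $Rodc (resultant policy: $prp)."
}

# Equivalent of Advanced > Prepopulate Passwords: ask the RODC to pull the
# password for this account from the writable DC.
repadmin /rodcpwdrepl $Rodc $HubDc $user.DistinguishedName
if ($LASTEXITCODE -ne 0) {
    throw "repadmin /rodcpwdrepl failed with exit code $LASTEXITCODE."
}

# Confirm the account now appears among those whose passwords are stored on the RODC.
$cached = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Where-Object { $_.DistinguishedName -eq $user.DistinguishedName }

if ($cached) {
    Write-Output "$Account is cached on $Rodc."
} else {
    Write-Warning "$Account is not yet listed as revealed on $Rodc."
}
```

Running the `-RevealedAccounts` query on its own is also a quick audit of which credentials an RODC currently holds.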
“You log on to DC1 by using a user account that is a member of the Domain Admins group…” Then why do I need to use enterprise admin instead of domain admin?
I think this is still “C”.
0
0
You are right. It’s definitely C.
0
0
Agree. Answer is C
0
0
Answer is C
0
0
Answer is D. Allowed RODC Password Replication Policy group allows you to cache details not prepopulate.
To prepopulate the password cache for an RODC by using Active Directory Users and Computers
Open Active Directory Users and Computers as a member of Domain Admins. To open Active Directory Users and Computers as a member of Domain Admins, click Start. In Start Search, type runas /user:\, and then press ENTER. Substitute the actual domain name for , and type the name of a user account that is a member of the Domain Admins group for . Type the account password when you are prompted. Type dsa.msc, and then press ENTER. Close the Command Prompt window.
Ensure that you are connected to a writeable domain controller running Windows Server 2008 in the correct domain. To connect to the appropriate domain or domain controller, in the details pane, right-click the Active Directory Users and Computers object, and then click Change Domain or Change Domain Controller, respectively.
Click Domain Controllers.
In the details pane, right-click the RODC computer account, and then click Properties.
Click the Password Replication Policy tab.
Click Advanced.
Click Prepopulate Passwords.
Type the name of the accounts whose passwords you want to prepopulate in the cache for the RODC, and then click OK.
When you are asked if you want to send the passwords for the accounts to the RODC, click Yes.
You can use repadmin as well. Don’t let the fact that answer D says you need to be in enterprise admins throw you off. It is not wrong in stating that. Study material does point to domain admins group but enterprise admins will work as well.
0
0
based on this link
https://technet.microsoft.com/en-us/library/cc753470(v=ws.10).aspx#BKMK_pre
the method to perform password replication is D
but if C is not done then D will Fail.
If you try to prepopulate a password of an account that the Password Replication Policy does not allow to be cached, the operation fails.
The question asks us what we should do first.
so the first step should be C.
Add the User1 account to the Allowed RODC Password Replication Policy group
without adding the user1 to this group the Steps mentioned for D will fail.
0
0
It’s C. Without doing C nothing else will work.
0
0
Don’t you run ADUC first. Then drill down to Domain Controllers>Read Only DC Properties>Password Replication Policy Tab.
https://www.youtube.com/watch?v=pNExPwNsJTo
Step 1: ADUC
Step 2: Add User 1 to the allowed replication group.
Answer is D
1
0
If you watch the video though, “Allowed RODC Password Replication Policy” and “Deny RODC Password Replication Policy” already exist. The drilling down to the password replication policy tab is only necessary if you want to allow or deny other custom groups.
0
0
Agree with Mnoble the answer has to be D. The question is asking what you would do first after creating the user1 account. Does not say that ADUC was used to create the user account, could have used PowerShell. Since the PowerShell option is a possibility, you would open up ADUC or use repadmin in PowerShell.
Step 1: Open up ADUC and next is find the RODC and add user1.
https://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy(v=ws.10).aspx#BKMK_POP
0
0
You already logged on as Domain admin; logging off and logging on as enterprise admin is a redundant job and should not be the first thing to perform.
0
0
Has to be C. You created the user account already. Why on earth would you log off and log in again?
0
0
It is Windows Server 2012, not Windows Server 2008.
I think it is D.
0
0
I am leaning towards A.
Even if the user account was created using powershell, we still have to open ADUC and connect to the RODC. The obvious fact is that when we created User1, it was on the writable DC named DC1. The question asks us “What should you do first?”. Well first we have to connect to DC2 from ADUC. Even if ADUC was already open or not, the act of CONNECTING to DC2 is first.
As per https://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy(v=ws.10).aspx (applies to 2008 and 2012)
1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start. In Start Search, type dsa.msc, and then press ENTER.
2. Ensure that you are connected to the correct domain. To connect to the appropriate domain, in the details pane, right-click the Active Directory Users and Computers object, and then click Change Domain.
3. Expand Domain Controllers, right-click the RODC account object for which you want to modify the PRP, and then click Properties.
4. Click the Password Replication Policy tab. An example is shown in the following illustration.
“C” is a step we do after we open the PRP.
“D” doesn’t make sense. You do not need Enterprise Admin to perform this functionality.
“B” is wrong and not necessary.
Does this make sense now?
0
1
c
http://www.rebeladmin.com/2014/10/password-replication-in-rodc/
0
0
I go with answer C
Step 1. Open Active Directory User and Computer MMC Snap-in and make sure you are connected to writeable DC
Step 2. Expand domain node and click Domain Controllers
Step 3. In the right-pane Right-click the RODC computer account -> click Properties
Step 4. Click Password Replication Policy tab
Step 5. Click Advanced
Step 6. Click Prepopulate Passwords and enter the desired user or computer account
Step 7. When you are asked for confirmation, click Yes
0
0