PrepAway - Latest Free Exam Questions & Answers

What should you do to allow administrative accounts to replicate authentication information to Read-Only Domain

As the company administrator, you have installed a read-only domain controller (RODC) server at a remote
location.
The remote location doesn't provide enough physical security for the server.
What should you do to allow administrative accounts to replicate authentication information to Read-Only Domain Controllers?


A.
Remove any administrative accounts from the RODC's group

B.
Add administrative accounts to the domain Allowed RODC Password Replication Group

C.
Set the Deny on Receive as permission for administrative accounts on the RODC computer account
Security tab for the Group Policy Object (GPO)

D.
Configure a new Group Policy Object (GPO) with the Account Lockout settings enabled. Link the GPO to
the remote location. Activate the Read Allow and the Apply group policy Allow permissions for the
administrators on the Security tab for the GPO.

E.
None of the above

Explanation:

http://technet.microsoft.com/en-us/library/cc730883%28v=ws.10%29.aspx
Password Replication Policy
When you initially deploy an RODC, you must configure the Password Replication Policy on the writable domain
controller that will be its replication partner.
The Password Replication Policy acts as an access control list (ACL). It determines if an RODC should be
permitted to cache a password. After the RODC receives an authenticated user or computer logon request, it
refers to the Password Replication Policy to determine if the password for the account should be cached. The
same account can then perform subsequent logons more efficiently.
The Password Replication Policy lists the accounts that are permitted to be cached, and accounts that are
explicitly denied from being cached. The list of user and computer accounts that are permitted to be cached
does not imply that the RODC has necessarily cached the passwords for those accounts. An administrator can,
for example, specify in advance any accounts that an RODC will cache. This way, the RODC can authenticate
those accounts, even if the WAN link to the hub site is offline.
...
Password Replication Policy Allowed and Denied lists
Two new built-in groups are introduced in Windows Server 2008 Active Directory domains to support RODC
operations. These are the Allowed RODC Password Replication Group and Denied RODC Password
Replication Group.
These groups help implement a default Allowed List and Denied List for the RODC Password Replication
Policy. By default, the two groups are respectively added to the msDS-RevealOnDemandGroup and msDS-NeverRevealGroup Active Directory attributes mentioned earlier.
By default, the Allowed RODC Password Replication Group has no members. Also by default, the Allowed List
attribute contains only the Allowed RODC Password Replication Group.
By default, the Denied RODC Password Replication Group contains the following members:
Enterprise Domain Controllers
Enterprise Read-Only Domain Controllers
Group Policy Creator Owners
Domain Admins
Cert Publishers
Enterprise Admins
Schema Admins
Domain-wide krbtgt account
By default, the Denied List attribute contains the following security principals, all of which are built-in groups:
Denied RODC Password Replication Group
Account Operators
Server Operators
Backup Operators
Administrators
The combination of the Allowed List and Denied List attributes for each RODC and the domain-wide Denied
RODC Password Replication Group and Allowed RODC Password Replication Group gives administrators great
flexibility. They can decide precisely which accounts can be cached on specific RODCs.
The following table summarizes the three possible administrative models for the Password Replication Policy.
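A PowerShell audit added here to make the explanation concrete; it is not from the cited TechNet article or the exam page. It assumes the RSAT ActiveDirectory module on a domain-joined admin workstation and an RODC named RODC01 (a placeholder name). It prints the RODC's configured Allowed and Denied lists, then lists the accounts whose secrets have actually been cached on it and flags any that belong to the privileged groups the Denied RODC Password Replication Group covers by default.

```powershell
# Added audit example; RODC01 is a placeholder for the RODC's account name.
Import-Module ActiveDirectory

$Rodc = 'RODC01'

# 1. The configured policy: the per-RODC Allowed and Denied lists
#    (backed by msDS-RevealOnDemandGroup and msDS-NeverRevealGroup).
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
$denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied
"Allowed list on ${Rodc}:"; $allowed | Select-Object -ExpandProperty Name
"Denied list on ${Rodc}:";  $denied  | Select-Object -ExpandProperty Name

# 2. What has actually been cached. Being on the Allowed list does not mean
#    a secret has been revealed yet; only the RevealedAccounts set has been.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts

# 3. Cross-check cached accounts against the privileged groups that the
#    default Denied list is meant to keep off an RODC.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Server Operators',
                    'Backup Operators', 'Group Policy Creator Owners', 'Cert Publishers'
$privileged = foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty DistinguishedName
}
$privileged = @($privileged | Sort-Object -Unique)

$findings = @($revealed | Where-Object { $privileged -contains $_.DistinguishedName })
if ($findings.Count -gt 0) {
    "Privileged accounts with secrets cached on ${Rodc} (review the PRP):"
    $findings | Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize
} else {
    "No privileged account secrets are cached on $Rodc."
}
```

Any account that appears in the final list has had its secret revealed to a domain controller that, as the question states, is not physically secured; the remedy is to fix the Allowed/Denied lists rather than to widen them.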