PrepAway - Latest Free Exam Questions & Answers

Which of the following actions should be considered to populate the RODC server with non-administrative account

You are an administrator at ABC.com.
The company has an RODC (read-only domain controller) server at a remote location.
The remote location doesn't have proper physical security.
You need to activate non-administrative accounts' passwords on that RODC server.
Which of the following actions should be considered to populate the RODC server with non-administrative
accounts' passwords?


A. Delete all administrative accounts from the RODC's group

B. Configure the permission to Deny on Receive for administrative accounts on the security tab for Group
Policy Object (GPO)

C. Configure the administrative accounts to be added in the Domain RODC Password Replication Denied
group

D. Add a new GPO and enable Account Lockout settings. Link it to the remote RODC server and on the
security tab on GPO, check the Read Allow and the Apply group policy permissions for the administrators.

E. None of the above

Explanation:

http://technet.microsoft.com/en-us/library/cc770320%28v=ws.10%29.aspx
Advantages That an RODC Can Provide to an Existing Deployment
Branch office server administration. RODCs provide Administrator Role Separation (ARS), which you can use
to delegate administration of an RODC to a nonadministrative user or group. This means that it is not
necessary for a highly privileged administrator to log on to the domain controller in the branch office to perform
routine server maintenance.
http://technet.microsoft.com/en-us/library/cc730883%28v=ws.10%29.aspx
Password Replication Policy
When you initially deploy an RODC, you must configure the Password Replication Policy on the writable domain
controller that will be its replication partner.
The Password Replication Policy acts as an access control list (ACL). It determines if an RODC should be
permitted to cache a password. After the RODC receives an authenticated user or computer logon request, it
refers to the Password Replication Policy to determine if the password for the account should be cached. The
same account can then perform subsequent logons more efficiently.
The Password Replication Policy lists the accounts that are permitted to be cached, and accounts that are
explicitly denied from being cached. The list of user and computer accounts that are permitted to be cached
does not imply that the RODC has necessarily cached the passwords for those accounts. An administrator can,
for example, specify in advance any accounts that an RODC will cache. This way, the RODC can authenticate
those accounts, even if the WAN link to the hub site is offline.
Password Replication Policy Allowed and Denied lists
Two new built-in groups are introduced in Windows Server 2008 Active Directory domains to support RODC
operations. These are the Allowed RODC Password Replication Group and Denied RODC Password
Replication Group.
..
The combination of the Allowed List and Denied List attributes for each RODC and the domain-wide Denied
RODC Password Replication Group and Allowed RODC Password Replication Group give administrators great
flexibility. They can decide precisely which accounts can be cached on specific RODCs.
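
An added example (not from the original page or from the quoted Microsoft documentation) that applies the Password Replication Policy described above with the ActiveDirectory PowerShell module and then audits what the RODC has actually cached. The RODC name and the two custom group names are hypothetical, and `adminCount = 1` is used only as a heuristic for privileged accounts.

```powershell
# Added example. Hypothetical names: RODC 'BRANCH-RODC01' and the groups
# 'Branch-Server-Admins' and 'Branch-Office-Users'. Run against a writable
# domain controller with the ActiveDirectory module (RSAT) installed.
Import-Module ActiveDirectory

$Rodc        = 'BRANCH-RODC01'
$AdminGroup  = 'Branch-Server-Admins'
$BranchGroup = 'Branch-Office-Users'
$DeniedGroup = 'Denied RODC Password Replication Group'

# Domain-wide deny: by default this built-in group is on the Denied List of
# every RODC, so its members' passwords are never cached at the branch.
Add-ADGroupMember -Identity $DeniedGroup -Members $AdminGroup

# Per-RODC allow: only this RODC may cache passwords for the branch users.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $BranchGroup

# Review the resulting Allowed and Denied lists for this RODC.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
    Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied |
    Select-Object Name, ObjectClass

# Audit: being on the Allowed List does not mean a password is cached,
# so ask which accounts the RODC has actually cached ("revealed").
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts

# Flag cached user accounts that look privileged (adminCount = 1 heuristic).
$risky = $revealed |
    Where-Object { $_.ObjectClass -eq 'user' } |
    ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties adminCount } |
    Where-Object { $_.adminCount -eq 1 }

if ($risky) {
    Write-Warning "Privileged accounts cached on ${Rodc}:"
    $risky | Select-Object SamAccountName, DistinguishedName
} else {
    Write-Output "No adminCount=1 user passwords are cached on $Rodc."
}
```

An account flagged by the audit was cached before it was denied; resetting its password invalidates the copy held on the RODC.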
