PrepAway - Latest Free Exam Questions & Answers

Which tool should you use?

Your network contains an Active Directory domain. The domain contains five sites. One of
the sites contains a read-only domain controller (RODC) named RODC1.
You need to identify which user accounts can have their password cached on RODC1.
Which tool should you use?

A. Repadmin
B. Dcdiag
C. Get-ADDomainControllerPasswordReplicationPolicyUsage
D. Adtest

Explanation:
Original answer was C (“Get-ADDomainControllerPasswordReplicationPolicyUsage”). On
why it’s not correct, I quote the original explanation:
“The Get-ADDomainControllerPasswordReplicationPolicyUsage gets the user or computer
accounts that are authenticated by a read-only domain controller (RODC) or that have
passwords that are stored on that RODC. The list of accounts that are stored on a RODC is
known as the revealed list.”
So, this revealed list has a list of accounts whose passwords are cached on RODCs. But we
don’t need the accounts that are cached on RODC1, but the ones that can be cached on
RODC1. Those are in the allowed list, and we can get it using repadmin.

http://technet.microsoft.com/en-us/library/cc835090.aspx
Repadmin /prp
Lists and modifies the Password Replication Policy (PRP) for read-only domain controllers (RODCs).

Syntax
repadmin /prp view <RODC> {<List_Name>|<User>}
Displays the security principals in the specified list or displays the current PRP setting (allowed or denied) for a specified user.

Parameters
<RODC>
Specifies the host name of the RODC. You can specify the single-label host name or the fully qualified domain name. In addition, you can use an asterisk (*) as a wildcard character to specify multiple RODCs in one domain.

<List_Name>
Specifies all the security principals that are in the list that you want to view. The valid list names are as follows:
auth2: The list of security principals that the RODC has authenticated.
reveal: The list of security principals for which the RODC has cached passwords.
allow: The list of security principals in the msDS-RevealOnDemandGroup attribute. The RODC can cache passwords for this list of security principals only.
deny: The list of security principals in the msDS-NeverRevealGroup attribute. The RODC cannot cache passwords for any security principals in this list.
Original explanation for answer C:
The Get-ADDomainControllerPasswordReplicationPolicyUsage gets the user or computer
accounts that are authenticated by a read-only domain controller (RODC) or that have
passwords that are stored on that RODC. The list of accounts that are stored on a RODC is
known as the revealed list.
http://technet.microsoft.com/en-us/library/ee617194.aspx
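The distinction the explanation draws (the allow list minus the deny list is what CAN be cached on RODC1; the reveal list is what IS already cached there) is easy to see side by side in PowerShell. The script below is an added example written for this thread, not code from the PrepAway page or from Microsoft's documentation. It assumes the ActiveDirectory module is installed, the caller can read the domain, and the RODC is named RODC1 as in the question; the cmdlet Get-ADDomainControllerPasswordReplicationPolicy (with -Allowed / -Denied) is used for the allow and deny lists because it reads the same msDS-RevealOnDemandGroup and msDS-NeverRevealGroup attributes that repadmin /prp view prints.

```powershell
# Added example (not from the page or from Microsoft): which accounts CAN be cached
# on RODC1 (allow list minus deny list) versus which ARE cached (reveal list).
# Assumes the ActiveDirectory module and an RODC named RODC1, as in the question.
Import-Module ActiveDirectory

$rodc = 'RODC1'

# Expand PRP entries (users, computers or groups) into individual user/computer
# accounts, keyed by distinguished name, so the lists can be compared.
function Expand-PrpEntries {
    param([object[]]$Entries)
    $result = @{}
    foreach ($entry in $Entries) {
        if ($entry.ObjectClass -eq 'group') {
            Get-ADGroupMember -Identity $entry.DistinguishedName -Recursive |
                Where-Object { $_.ObjectClass -eq 'user' -or $_.ObjectClass -eq 'computer' } |
                ForEach-Object { $result[$_.DistinguishedName] = $_ }
        } else {
            $result[$entry.DistinguishedName] = $entry
        }
    }
    return $result
}

# Allow list = msDS-RevealOnDemandGroup, deny list = msDS-NeverRevealGroup.
# Same data as "repadmin /prp view RODC1 allow" and "repadmin /prp view RODC1 deny".
$allowed = Expand-PrpEntries (Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed)
$denied  = Expand-PrpEntries (Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied)

# Deny takes precedence over allow, so the accounts that CAN be cached are those
# in the allow list that are not also in the deny list.
$cacheable = $allowed.Keys |
    Where-Object { -not $denied.ContainsKey($_) } |
    ForEach-Object { $allowed[$_] }

# Reveal list: accounts whose secrets are ALREADY stored on RODC1. This is what
# Get-ADDomainControllerPasswordReplicationPolicyUsage (answer C) reports, which is
# a different question ("is cached") from the one asked ("can be cached").
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts

"Accounts that CAN be cached on ${rodc}:"
$cacheable | Select-Object SamAccountName, ObjectClass | Sort-Object SamAccountName | Format-Table -AutoSize

"Accounts ALREADY cached on ${rodc} (revealed list):"
$revealed | Select-Object SamAccountName, ObjectClass | Sort-Object SamAccountName | Format-Table -AutoSize

# Defender's check: anything cached that the current policy no longer permits means
# the PRP was tightened after the secret had already replicated; review those first.
$revealed |
    Where-Object { -not $allowed.ContainsKey($_.DistinguishedName) -or $denied.ContainsKey($_.DistinguishedName) } |
    ForEach-Object { "WARNING: $($_.SamAccountName) is cached on $rodc but is not permitted by the current PRP" }

# Per-account answer, the same thing "repadmin /prp view RODC1 <User>" prints.
function Test-CanBeCached {
    param([string]$SamAccountName)
    $acct = Get-ADObject -Filter "SamAccountName -eq '$SamAccountName'"
    if (-not $acct) { return $false }
    return ($allowed.ContainsKey($acct.DistinguishedName) -and -not $denied.ContainsKey($acct.DistinguishedName))
}
```

Run it from a domain-joined admin workstation; Test-CanBeCached 'jdoe' then gives the per-user verdict. The reason the allow/deny distinction matters operationally is that the cacheable set is exactly the set of credentials exposed if RODC1 itself is compromised, so it should stay as small as the branch office needs.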