PrepAway - Latest Free Exam Questions & Answers

You need to ensure that the RODC is configured to meet the following requirements: Cache passwords for all

Your company has a main office and a branch office.
The network contains an Active Directory domain named contoso.com. The domain contains three
domain controllers. The domain controllers are configured as shown in the following table.

The domain contains two global groups. The groups are configured as shown in the following table.

You need to ensure that the RODC is configured to meet the following requirements:
- Cache passwords for all of the members of Branch1Users.
- Prevent the caching of passwords for the members of Helpdesk.
What should you do?


A. Modify the membership of the Denied RODC Password Replication group.

B. Install the BranchCache feature on RODC1.

C. Modify the delegation settings of RODC1.

D. Create a Password Settings object (PSO) for the Helpdesk group.

Explanation:
Password Replication Policy Allowed and Denied lists
Two new built-in groups are introduced in Windows Server 2008 Active Directory domains to support
RODC operations. These are the Allowed RODC Password Replication Group and Denied RODC Password
Replication Group.
These groups help implement a default Allowed List and Denied List for the RODC Password Replication
Policy. By default, the two groups are respectively added to the msDS-RevealOnDemandGroup and
msDS-NeverRevealGroup Active Directory attributes.
Password Replication Policy
https://technet.microsoft.com/en-us/library/cc730883(v=ws.10).aspx
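
A read-only audit of the Password Replication Policy described above, as an added example that is not part of the original page. It uses the ActiveDirectory PowerShell module, takes the names RODC1, Branch1Users and Helpdesk from the question, and assumes that a Denied List entry takes precedence over an Allowed List entry.

```powershell
# Added example: read-only audit of an RODC's Password Replication Policy (PRP).
# Needs the ActiveDirectory module (RSAT); it changes nothing in the directory.
Import-Module ActiveDirectory

$RodcName     = 'RODC1'         # RODC named in the question
$MustCache    = 'Branch1Users'  # members should be cacheable
$MustNotCache = 'Helpdesk'      # members must not be cacheable

$rodc = Get-ADDomainController -Identity $RodcName
if (-not $rodc.IsReadOnly) { throw "$RodcName is not a read-only domain controller." }

# Expand PRP entries (users, computers, groups) to the DNs of the accounts they cover.
function Expand-PrpList {
    param($Principals)
    foreach ($p in $Principals) {
        if ($p.ObjectClass -eq 'group') {
            # -Recursive follows nested groups; cross-domain members may need extra handling
            Get-ADGroupMember -Identity $p.DistinguishedName -Recursive |
                ForEach-Object { $_.DistinguishedName }
        } else {
            $p.DistinguishedName
        }
    }
}

# Allowed List = msDS-RevealOnDemandGroup, Denied List = msDS-NeverRevealGroup
$allowedDns = @(Expand-PrpList (Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed))
$deniedDns  = @(Expand-PrpList (Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied))

# Effective result per account: cacheable only if allowed and not denied.
foreach ($group in $MustCache, $MustNotCache) {
    foreach ($m in Get-ADGroupMember -Identity $group -Recursive) {
        $cacheable = ($allowedDns -contains $m.DistinguishedName) -and
                     -not ($deniedDns -contains $m.DistinguishedName)
        [pscustomobject]@{
            Group     = $group
            Account   = $m.SamAccountName
            Cacheable = $cacheable
        }
    }
}

# Accounts whose passwords are already stored on the RODC although the policy
# now denies them; a stored password stays on the RODC until it is changed.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Where-Object { $deniedDns -contains $_.DistinguishedName } |
    Select-Object SamAccountName, DistinguishedName
```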

2 Comments on “You need to ensure that the RODC is configured to meet the following requirements: Cache passwords for all

  1. CMAN says:

    Here is why: When you initially deploy an RODC, you must configure the Password Replication Policy on the writable domain controller that will be its replication partner.

    The Password Replication Policy acts as an access control list (ACL). It determines if an RODC should be permitted to cache a password. After the RODC receives an authenticated user or computer logon request, it refers to the Password Replication Policy to determine if the password for the account should be cached. The same account can then perform subsequent logons more efficiently.

    The Password Replication Policy lists the accounts that are permitted to be cached, and accounts that are explicitly denied from being cached. The list of user and computer accounts that are permitted to be cached does not imply that the RODC has necessarily cached the passwords for those accounts. An administrator can, for example, specify in advance any accounts that an RODC will cache. This way, the RODC can authenticate those accounts, even if the WAN link to the hub site is offline.




  2. 3deviant says:

    I believe the answer should be “Modify the membership of the Allowed RODC Password Replication group.”

    Why?
    This group is empty by default, so no passwords are cached by default.
    You need to add Branch1Users to this group so their passwords can be cached.

    The helpdesk users won't be cached since they are not implicitly allowed; there is no need to deny them – they are denied simply by the absence of an allow permission.
    The deny group would come into play where a user is a member of a group that is in the ‘allowed to replicate’ group, but you wish to implicitly deny that user from being cached – just like file permissions, a deny will override an allow permission.




