PrepAway - Latest Free Exam Questions & Answers

You need to ensure that the user’s password is stored on RODC1 when he logs on to a branch office site c

Your network contains an Active Directory domain named contoso.com.
The network has a branch office site that contains a read-only domain controller (RODC) named RODC1.
RODC1 runs Windows Server 2008 R2.
A user logs on to a computer in the branch office site.
You discover that the user’s password is not stored on RODC1.
You need to ensure that the user’s password is stored on RODC1 when he logs on to a branch office
site computer.
What should you do?

A.
Modify the RODC’s password replication policy by removing the entry for the Allowed RODC Password
Replication Group.

B.
Modify the RODC’s password replication policy by adding RODC1’s computer account to the list of allowed
users, groups, and computers.

C.
Add the user’s user account to the built-in Allowed RODC Password Replication Group on RODC1.

D.
Add RODC1’s computer account to the built-in Allowed RODC Password Replication Group on RODC1.

Explanation:
Reference:
MS Press – Self-Paced Training Kit (Exam 70-640) (2nd Edition, July 2012)
pages 416-417
Password Replication Policy
Password Replication Policy (PRP) determines which users’ credentials can be cached on a specific RODC. If
PRP allows an RODC to cache a user’s credentials, authentication and service ticket activities of that user can
be processed by the RODC. If a user’s credentials cannot be cached on an RODC, authentication and service
ticket activities are referred by the RODC to a writable domain controller.
An RODC’s PRP is determined by two multivalued attributes of the RODC’s computer account. These
attributes are commonly known as the Allowed List and the Denied List. If a user’s account is on the Allowed
List, the user’s credentials are cached. You can include groups on the Allowed List, in which case all users who
belong to the group can have their credentials cached on the RODC. If the user is on both the Allowed List and
the Denied List, the user’s credentials will not be cached—the Denied List takes precedence.
Configuring Domain-Wide Password Replication Policy
To facilitate the management of PRP, Windows Server 2008 R2 creates two domain local security groups in the
Users container of Active Directory. The first group, Allowed RODC Password Replication Group, is added
to the Allowed List of each new RODC. By default, the group has no members. Therefore, by default, a new
RODC will not cache any user’s credentials. If you have users whose credentials you want to be cached by all
domain RODCs, add those users to the Allowed RODC Password Replication Group.
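
The PRP evaluation described above, checked and applied with the ActiveDirectory PowerShell module. This is an added example, not part of the original page or the cited book; the account name jsmith is a hypothetical sample, and RODC1 and the group name are taken from the text.

```powershell
# Added example: requires the ActiveDirectory module (RSAT) and rights to edit the group.
Import-Module ActiveDirectory

$Rodc         = 'RODC1'                                    # RODC named in the question
$User         = 'jsmith'                                   # hypothetical sample account
$AllowedGroup = 'Allowed RODC Password Replication Group'  # group named in the explanation

# 1. Show the two lists stored on the RODC's computer account.
$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
$denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied
'Allowed List: ' + (($allowed | ForEach-Object { $_.Name }) -join ', ')
'Denied List:  ' + (($denied  | ForEach-Object { $_.Name }) -join ', ')

# 2. Ask AD for the resultant policy, which already applies "Denied List takes precedence".
#    The result is cast to a string and matched by pattern, not by exact enum name.
function Get-Resultant {
    [string](Get-ADAccountResultantPasswordReplicationPolicy -Identity $User -DomainController $Rodc)
}
$policy = Get-Resultant
"Resultant policy for $User on ${Rodc}: $policy"

# 3. Group membership only helps an account that is not explicitly denied.
if ($policy -like 'Den*Explicit*') {
    Write-Warning "$User is on the Denied List; adding it to the Allowed List will not enable caching."
}
elseif ($policy -notlike 'Allow*') {
    Add-ADGroupMember -Identity $AllowedGroup -Members $User
    "Added $User to '$AllowedGroup'; resultant policy is now: $(Get-Resultant)"
}

# 4. Credentials are cached when the user next authenticates through the RODC,
#    so this list stays empty for the user until that logon has happened.
$cached = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Where-Object { $_.SamAccountName -eq $User }
if ($cached) { "$User has credentials cached on $Rodc." }
else         { "$User has no credentials cached on $Rodc yet." }
```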

