Your network contains an Active Directory domain named adatum.com. The domain contains two
domain controllers that run Windows Server 2012 R2. The domain controllers are configured as
shown in the following table.
You log on to DC1 by using a user account that is a member of the Domain Admins group, and then
you create a new user account named User1.
You need to prepopulate the password for User1 on DC2.
What should you do first?

A. Connect to DC2 from Active Directory Users and Computers.
B. Add DC2 to the Allowed RODC Password Replication Policy group.
C. Add the User1 account to the Allowed RODC Password Replication Policy group.
D. Run Active Directory Users and Computers as a member of the Enterprise Admins group.
Explanation:
To prepopulate the password cache for an RODC by using Active Directory Users and Computers (see
step 1 below):
Administrative credentials: To prepopulate the password cache for an RODC, you must be a member
of the Domain Admins group.
1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
2. Ensure that Active Directory Users and Computers points to the writable domain controller that is
running Windows Server 2008, and then click Domain Controllers.
3. In the details pane, right-click the RODC computer account, and then click Properties.
4. Click the Password Replication Policy tab.
5. Click Advanced.
6. Click Prepopulate Passwords.
7. Type the name of the accounts whose passwords you want to prepopulate in the cache for the
RODC, and then click OK.
8. When you are asked if you want to send the passwords for the accounts to the RODC, click Yes.
Note: You can prepopulate the password cache for an RODC with the passwords of user and
computer accounts that you plan to authenticate to it. When you prepopulate the RODC password
cache, you trigger the RODC to replicate and cache the passwords for users and computers before
the accounts try to log on in the branch office.
Incorrect:
Not C. You don’t need to add User1 to the Allowed RODC Password Replication Policy group. As a
first step you should run Active Directory Users and Computers as a member of the
Domain/Enterprise Admins group.
Reference: Password Replication Policy Administration
http://technet.microsoft.com/en-us/library/cc753470(v=ws.10).aspx#BKMK_pre
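The same prepopulation procedure from the command line, with the policy check and the cache verification an administrator would want around it. This is an added example, not part of the original explanation; it assumes DC2 is the RODC and DC1 a writable domain controller (the table is not reproduced here), and that the ActiveDirectory module and repadmin are available.

```powershell
# Added example. Assumption: DC2 is the RODC, DC1 is a writable domain controller.
Import-Module ActiveDirectory

$Rodc    = 'DC2'
$HubDc   = 'DC1'
$Account = Get-ADUser -Identity 'User1' -Server $HubDc

# 1. What does the RODC's Password Replication Policy resolve to for this account?
#    Possible values: Allow, DenyExplicit, DenyImplicit, Unknown.
$policy = Get-ADAccountResultantPasswordReplicationPolicy `
    -Identity $Account -DomainController $Rodc -Server $HubDc
Write-Output "Resultant PRP for $($Account.SamAccountName) on ${Rodc}: $policy"

# 2. Prepopulation only succeeds for accounts the policy allows. Stop here
#    instead of widening the policy silently; changing the allowed list is a
#    deliberate decision about which secrets may live on the RODC.
if ($policy -ne 'Allow') {
    Write-Warning "$($Account.SamAccountName) is not allowed to be cached on $Rodc."
    return
}

# 3. Ask the RODC to pull the password from the writable DC now
#    (command-line equivalent of the Prepopulate Passwords button).
repadmin /rodcpwdrepl $Rodc $HubDc $Account.DistinguishedName
if ($LASTEXITCODE -ne 0) {
    Write-Warning "repadmin exited with code $LASTEXITCODE"
    return
}

# 4. Verify: list the accounts whose passwords are currently stored on the RODC.
#    The list normally also contains the RODC's own computer and krbtgt accounts.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage `
    -Identity $Rodc -RevealedAccounts
if ($revealed.DistinguishedName -contains $Account.DistinguishedName) {
    Write-Output "Password for $($Account.SamAccountName) is cached on $Rodc."
} else {
    Write-Warning "Password for $($Account.SamAccountName) is NOT cached on $Rodc."
}
```

The revealed-accounts list from step 4 is also the one to review periodically, since every account on it would need a password reset if the RODC were stolen or compromised.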
Answer should be C.
1
0
I agree. C
1
0
agree
1
0
me too
1
0
I wasn’t sure but I now think that the answer should be C, as the first thing you need to do is add User1 to the Allowed RODC Password Replication Group. This doesn’t prepopulate User1’s password to DC2; it only allows it to be cached on the server, so you would then follow the instructions given in the answer explanation.
If you try and prepopulate the password without putting the user into the Allowed RODC Password Replication Group then it will fail.
Also, there’s no need to log in as an Enterprise Admin; you only need to be a Domain Admin to prepopulate passwords, and the question says you have already logged in as a Domain Admin.
0
0
Quite a fair bit of argument here. It could go either way, C or D.
http://www.aiotestking.com/microsoft/you-need-to-prepopulate-the-password-for-user1-on-dc2-5/
0
0
The log in as an enterprise admin is a trick. The key is running the Active Directory Users and Computers.
0
0
If you just created the account, you’re A) Already running AD UC, or B) Using PowerShell
0
0
Shawn, the only issue I have with that is the fact that you’d have to sign out and back in, which would be completely unnecessary given you’re already a Domain Admin. Additionally, you don’t HAVE to run AD UC, you can do this through PowerShell; on the other hand, you DO have to add User1 to the RODC Rep. Policy group.
Go with C, at the very least it’s the most justified.
0
0
D is Correct.
Question asks to populate the RODC with password for User 1.
You do this with AD user and computer > right click RODC computer object > Password Replication Policy Tab > Advanced to add the user account “User 1”
D, first, as this process sends the password down to the RODC.
https://technet.microsoft.com/en-us/library/cc753470(v=ws.10).aspx
To manage the Allowed or Denied RODC Password Replication Group, you would add user 1 to the Allow group second. Once the user’s password is on the RODC, Option E would control access through an allow or deny list (group).
https://technet.microsoft.com/en-us/library/cc730883(v=ws.10).aspx
hope this helps
0
0
Option B not E for point 2
0
0
I see what you are saying, it makes sense now. They are asking what you should do “First”. That tells me that the second thing would be doing option “C”. Trick questions indeed.
0
0
C first, need User1 in the “allowed RODC Password Replication Group”. It can be done in PowerShell with Add-ADDomainControllerPasswordReplicationPolicy, so it does not need to be done in AD UC.
0
0