PrepAway - Latest Free Exam Questions & Answers

You need to prevent the problem from reoccurring if the WAN link fails

Your network contains an Active Directory domain.
The domain contains two sites named Site1 and Site2.
Site1 contains four domain controllers.
Site2 contains a read-only domain controller (RODC).
You add a user named User1 to the Allowed RODC Password Replication Group.
The WAN link between Site1 and Site2 fails.
User1 restarts his computer and reports that he is unable to log on to the domain.
The WAN link is restored and User1 reports that he is able to log on to the domain.
You need to prevent the problem from reoccurring if the WAN link fails.
What should you do?


A. Create a Password Settings object (PSO) and link the PSO to User1's user account.

B. Create a Password Settings object (PSO) and link the PSO to the Domain Users group.

C. Add the computer account of the RODC to the Allowed RODC Password Replication Group.

D. Add the computer account of User1's computer to the Allowed RODC Password Replication Group.

Explanation:
http://technet.microsoft.com/en-us/library/cc730883%28v=ws.10%29.aspx
Password Replication Policy
When you initially deploy an RODC, you must configure the Password Replication Policy on the writable domain
controller that will be its replication partner.
The Password Replication Policy acts as an access control list (ACL). It determines if an RODC should be
permitted to cache a password. After the RODC receives an authenticated user or computer logon request, it
refers to the Password Replication Policy to determine if the password for the account should be cached. The
same account can then perform subsequent logons more efficiently.
The Password Replication Policy lists the accounts that are permitted to be cached, and accounts that are
explicitly denied from being cached. The list of user and computer accounts that are permitted to be cached
does not imply that the RODC has necessarily cached the passwords for those accounts. An administrator can,
for example, specify in advance any accounts that an RODC will cache. This way, the RODC can authenticate
those accounts, even if the WAN link to the hub site is offline.
Note
You must include the appropriate user, computer, and service accounts in the Password Replication Policy in
order to allow the RODC to satisfy authentication and service ticket requests locally.
When only users from the branch are encompassed by the allow list, the RODC is not able to satisfy requests
for service tickets locally and it relies on access to a writable Windows Server 2008 domain controller to do so.
In the WAN offline scenario, this is likely to lead to a service outage.
..
Password Replication Policy Allowed and Denied lists
Two new built-in groups are introduced in Windows Server 2008 Active Directory domains to support RODC
operations. These are the Allowed RODC Password Replication Group and Denied RODC Password
Replication Group.
These groups help implement a default Allowed List and Denied List for the RODC Password Replication
Policy. By default, the two groups are respectively added to the msDS-RevealOnDemandGroup and
msDS-NeverRevealGroup Active Directory attributes mentioned earlier.
By default, the Allowed RODC Password Replication Group has no members. Also by default, the Allowed List
attribute contains only the Allowed RODC Password Replication Group.
By default, the Denied RODC Password Replication Group contains the following members:
Enterprise Domain Controllers
Enterprise Read-Only Domain Controllers
Group Policy Creator Owners
Domain Admins
Cert Publishers
Enterprise Admins
Schema Admins
Domain-wide krbtgt account
By default, the Denied List attribute contains the following security principals, all of which are built-in groups:
Denied RODC Password Replication Group
Account Operators
Server Operators
Backup Operators
Administrators
The combination of the Allowed List and Denied List attributes for each RODC and the domain-wide Denied
RODC Password Replication Group and Allowed RODC Password Replication Group gives administrators great
flexibility. They can decide precisely which accounts can be cached on specific RODCs.
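As an added illustration, not part of the PrepAway page or the quoted TechNet article, the following PowerShell uses the ActiveDirectory module (RSAT) to inspect an RODC's Password Replication Policy, put both a branch user and the workstation he logs on from onto the Allowed list, prepopulate their secrets while the WAN is up, and then verify what the RODC actually holds. The names RODC01, HUBDC01, User1, WS-User1 and contoso.com are placeholders I assume for the example; the cmdlets, the repadmin switch and the attribute names are the real ones.

```powershell
# Added example: inspect, adjust and verify an RODC's Password Replication Policy (PRP).
# Requires the ActiveDirectory module (RSAT) and rights to manage the RODC object.
# RODC01, HUBDC01, User1 and WS-User1 are assumed placeholder names.
Import-Module ActiveDirectory

$Rodc  = 'RODC01'      # branch-site RODC (assumed)
$HubDc = 'HUBDC01'     # writable DC in the hub site (assumed)
$User  = 'User1'       # branch user (assumed)
$Ws    = 'WS-User1'    # computer name of the workstation User1 logs on from (assumed)

# 1. Confirm the target really is an RODC before touching its policy.
$dc = Get-ADDomainController -Identity $Rodc
if (-not $dc.IsReadOnly) { throw "$Rodc is not a read-only domain controller" }

# 2. Effective Allowed and Denied lists the RODC consults when it receives a logon.
'--- Allowed list ---'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed | Select-Object Name, ObjectClass
'--- Denied list ---'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied  | Select-Object Name, ObjectClass

# 3. The same lists as stored on the RODC computer object, in the attributes the
#    explanation names (msDS-RevealOnDemandGroup = Allowed, msDS-NeverRevealGroup = Denied).
Get-ADComputer -Identity $dc.ComputerObjectDN -Properties 'msDS-RevealOnDemandGroup','msDS-NeverRevealGroup' |
    Select-Object -Property 'msDS-RevealOnDemandGroup','msDS-NeverRevealGroup' | Format-List

# 4. Allow caching for BOTH the user and the computer account. A user alone in the
#    Allowed list is not enough: the workstation's own account must be cacheable too
#    for the RODC to satisfy the logon and service-ticket requests locally.
$principals = @(
    (Get-ADUser     -Identity $User),
    (Get-ADComputer -Identity $Ws)
)
Add-ADGroupMember -Identity 'Allowed RODC Password Replication Group' -Members $principals

# 5. Being on the Allowed list only permits caching; nothing is cached until the account
#    authenticates through the RODC. Prepopulate from the hub DC now, while the WAN is up,
#    so the branch survives the next outage even if these accounts have not logged on yet.
foreach ($p in $principals) {
    repadmin /rodcpwdrepl $Rodc $HubDc $p.DistinguishedName
}

# 6. Verify: which secrets does the RODC actually hold now?
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
$missing  = $principals | Where-Object { $_.DistinguishedName -notin $revealed.DistinguishedName }
if ($missing) { Write-Warning ("Not cached on {0}: {1}" -f $Rodc, ($missing.Name -join ', ')) }
else          { "All requested accounts are cached on $Rodc" }

# 7. Defensive check: the built-in Denied list should still cover the privileged groups,
#    since a Denied entry wins over an Allowed one. Warn if any of them has been removed.
$denied = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied
foreach ($g in 'Domain Admins','Enterprise Admins','Schema Admins','Administrators') {
    if ($denied.Name -notcontains $g) { Write-Warning "$g is not on the Denied list of $Rodc" }
}
```

Step 6 is the check worth keeping in a branch-office runbook: Get-ADDomainControllerPasswordReplicationPolicyUsage with -RevealedAccounts lists what the RODC has already cached, while -AuthenticatedAccounts lists every account that has authenticated through it, so the difference shows which branch accounts would fail to log on during the next WAN outage.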

