Pop Quiz

Pop Quiz: Windows Server 2008 R2, Active Directory Configuration -- Configure RODC

Applies to the "Configuring Active Directory Roles and Services" objective of Exam 70-640 TS: Windows Server 2008 Active Directory Configuration.

• By Andy Barkl
• 04/18/2012

Q: Which of the following must be present to enable credential caching on a read-only domain controller (RODC)?

1. All DCs must be running Windows Server 2008
2. All DCs must be running Windows Server 2008 R2
3. There must be at least one writable domain controller in the domain
4. The functional level for the domain and forest must be Windows Server 2003 or higher

Answer is C and D: Credentials consist of a small set of approximately 10 passwords that are associated with user or computer accounts. By default a RODC does not store user or computer credentials. The administrator must explicitly allow any credential caching on an RODC.

Quick Tip: An RODC provides a way to deploy a domain controller more securely in locations that require fast and reliable authentication services but cannot ensure physical security for a writable domain controller.

References:

• TechNet: Password Replication Policy Administration
• Exam 70-640 Objectives Guide

Bonus Question: What are the steps required to perform an offline defragmentation of the Active Directory database? (Tweet your answer with #pop640c and get a chance to win a Redmond t-shirt! Deadline for entries is Wednesday, April 25.)

Answer to last week's bonus question: The Active Directory module for Windows PowerShell, ADSI Edit, and ldifde can all be used to create a PSO (Password Settings Object) in a domain to support FGPP (Fine-Grained Password and Account Lockout Policies).