MCITP 70-640

Exam 70-640, titled is a foundational Microsoft certification that validates skills in managing and implementing Active Directory infrastructure. It was a core requirement for earning the MCITP: Server Administrator and MCITP: Enterprise Administrator credentials.

Supports basic replication and global catalog placement.

Administrators must differentiate between organizational units (OUs) and generic containers like CN=Computers or CN=Users.

Policies linked to the specific OU or nested sub-OUs holding the target object.

Security Policy Application

Operates independently of the domain infrastructure and requires manual processing for certificate issuance.

Configure the Allowed RODC Password Replication Group and leave the user out of that group. Then use the Denied RODC Password Replication Group to explicitly deny caching for that user. (But if the user is not in the Allowed group, their password is never cached: they can only authenticate when a writable DC is reachable, which defeats the "only during maintenance window" requirement. For time-based access, you would instead use Group Policy with logon hours and ensure the RODC has the password cached only during the window.)

The local security policy configured on the individual workstation.