MCITP 70-640

Configure the Allowed RODC Password Replication Group and leave the user out of that group. Then use the Denied RODC Password Replication Group to explicitly deny caching for that user. (But if the user is not in the Allowed group, their password is never cached on the RODC, so they can only authenticate when a writable DC is reachable, which defeats the "only during the maintenance window" goal. For time-based access, you would instead use Group Policy with logon hours and ensure the RODC has the password cached only during the window.)
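As an added PowerShell example (not from the original page), this shows the RODC Password Replication Policy side of the maintenance-window approach: audit what the RODC is allowed and denied to cache and which secrets it already holds, pre-populate the account's secret for the window, then revoke the allow entry afterwards. The RODC name `RODC01`, the writable DC `DC01` and the account `svc-maint` are assumed.

```powershell
# Added example (not from the original page): manage the cached secret of one
# account on one RODC around a maintenance window.
# Assumed names: RODC "RODC01", writable DC "DC01", account "svc-maint".
$Rodc     = 'RODC01'
$Writable = 'DC01'
$User     = 'svc-maint'

Import-Module ActiveDirectory

# 1. Review the effective Password Replication Policy of this RODC.
#    Anything in the Allowed list can have its secret cached on the RODC.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
    Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied |
    Select-Object Name, ObjectClass

# 2. Check whether the account's secret is already cached ("revealed") here.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
if ($revealed | Where-Object SamAccountName -eq $User) {
    Write-Host "$User is currently cached on $Rodc"
}

# 3. Open the window: allow caching for this one account (not a broad group)
#    and pre-populate the secret from a writable DC so the RODC can
#    authenticate the account even if the WAN link is down.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $User
Sync-ADObject -Object $User -Source $Writable -Destination $Rodc -PasswordOnly

# 4. Close the window: drop the allow entry and deny explicitly so an
#    accidental group membership cannot re-enable caching.
Remove-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $User
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -DeniedList $User

# Note: revoking the policy stops future caching but does not purge the copy
# the RODC already holds; that copy stays valid until the account's password
# is changed, so reset it as part of closing the window.
```

Run steps 1 and 2 first on a lab RODC to confirm the baseline before touching the policy; step 4 is the part most often forgotten, and the revealed-accounts list from step 2 is the check that tells you whether it was done.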

The exam was never just a test—it was a rite of passage for Windows Server administrators. It forced you to understand how Active Directory thinks: how it replicates, how it authenticates, and how it secures enterprise resources.

You might wonder why an article would focus on a retired exam. The answer lies in the ubiquity of Windows Server 2008 R2. Many enterprises still maintain hybrid environments or legacy applications that rely on Server 2008 architecture. Furthermore, the concepts introduced in 70-640—such as Group Policy, DNS integration, and AD replication—are timeless. Understanding them at the 70-640 level provides a bedrock of knowledge that makes learning Azure Active Directory (Entra ID) and modern Windows Server versions significantly easier.