Read-only domain controllers (RODCs) have read-only copies of the Active Directory database and the SYSVOL folder. This is helpful for branch office or remote locations that use a local Active Directory Domain Services (AD DS) server but don’t require a full, writable copy of AD DS at those locations.
One reason for deploying an RODC is security. RODCs don't replicate changes from remote locations to the main directory; instead, any change made to the directory is passed to a writable domain controller. Requests for access to resources outside the RODC-based domain must be passed to a hub site that examines and rewrites the request after verifying access. The hub site does so because the RODC uses a special krbtgt account for accounts whose passwords are cached locally. RODCs have a special Password Replication Policy (PRP) that, by default, doesn't allow any passwords to be cached. Another aspect of RODC security is the Filtered Attribute Set (FAS), which restricts which application data can be replicated to RODCs.
Another reason for deploying an RODC is manageability. RODCs lend themselves to delegation of administration, enabling local administrators to work with the RODC at their locations. You can accomplish Administrator Role Separation (ARS) with a certain amount of granularity when using RODCs. Further, when applications need to run on a domain controller, an RODC is a good candidate for this type of deployment, assuming that the application doesn’t require a writable directory service.
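The following PowerShell script is an added example and not part of the original text; it audits the security and delegation settings described in the two preceding paragraphs (PRP, cached accounts, FAS, the RODC krbtgt account, and the ARS delegation) for one RODC. It assumes the ActiveDirectory module is installed, that it runs under an account with domain administrative rights, and that the RODC is named `BRANCH-RODC01`; the RODC name and the `BranchAdmins` group are placeholders to substitute with your own.

```powershell
# Added example (not from the original text): audit the security-relevant
# configuration of a single read-only domain controller.
# Assumptions: ActiveDirectory module available, domain-admin rights, and an RODC
# named BRANCH-RODC01 (placeholder name). The BranchAdmins group is also a placeholder.
Import-Module ActiveDirectory

$Rodc = 'BRANCH-RODC01'    # placeholder RODC name

# 1. List every RODC in the domain and confirm the target really is one.
$allRodcs = Get-ADDomainController -Filter { IsReadOnly -eq $true }
$allRodcs | Select-Object Name, Site, IsReadOnly | Format-Table -AutoSize
if ($allRodcs.Name -notcontains $Rodc) { throw "$Rodc is not a read-only domain controller" }

# 2. Password Replication Policy: who may (Allowed) and may not (Denied) have
#    their password cached on this RODC. Denied always wins over Allowed.
Write-Host "`n== PRP Allowed list =="
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed | Select-Object Name, objectClass
Write-Host "`n== PRP Denied list =="
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied  | Select-Object Name, objectClass

# 3. Accounts whose passwords are already cached on the RODC ("revealed").
#    A member of a privileged group showing up here is a finding: if the RODC is
#    stolen or compromised, those credentials go with it.
Write-Host "`n== Accounts with passwords cached on $Rodc =="
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
$revealed | Select-Object SamAccountName, DistinguishedName

$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
foreach ($grp in $privilegedGroups) {
    $members = Get-ADGroupMember -Identity $grp -Recursive | Select-Object -ExpandProperty SamAccountName
    $hits = $revealed | Where-Object { $members -contains $_.SamAccountName }
    if ($hits) {
        Write-Warning "Members of '$grp' have passwords cached on ${Rodc}: $($hits.SamAccountName -join ', ')"
    }
}

# 4. Hardening step: make sure every privileged group is explicitly on the Denied list.
$deniedNames = (Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied).Name
$missing = $privilegedGroups | Where-Object { $deniedNames -notcontains $_ }
if ($missing) {
    Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -DeniedList $missing
    Write-Host "Added to the Denied list on ${Rodc}: $($missing -join ', ')"
}

# 5. Filtered Attribute Set: schema attributes whose searchFlags carry bit 0x200 (512)
#    are never replicated to any RODC. The LDAP matching rule 1.2.840.113556.1.4.803
#    performs a bitwise AND, so this filter returns exactly the FAS members.
Write-Host "`n== Attributes in the RODC Filtered Attribute Set =="
$schemaNc = (Get-ADRootDSE).schemaNamingContext
Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=512))' `
    -Properties lDAPDisplayName, searchFlags |
    Select-Object lDAPDisplayName, searchFlags

# 6. The RODC-specific krbtgt account (linked from the RODC computer object) and the
#    ManagedBy delegation that implements Administrator Role Separation for this RODC.
$rodcObj = Get-ADComputer -Identity $Rodc -Properties 'msDS-KrbTgtLink', ManagedBy
Write-Host "`nRODC krbtgt account : $($rodcObj.'msDS-KrbTgtLink')"
Write-Host "Delegated local admin: $($rodcObj.ManagedBy)"

# 7. Delegate local administration of the RODC to a branch-office group without
#    granting any domain-level rights (ARS). BranchAdmins is a placeholder group.
if (-not $rodcObj.ManagedBy) {
    $branchGroup = Get-ADGroup -Identity 'BranchAdmins'
    Set-ADComputer -Identity $Rodc -ManagedBy $branchGroup.DistinguishedName
    Write-Host "Delegated RODC administration of $Rodc to $($branchGroup.Name)"
}
```

Steps 1 through 3 and 5 through 6 are read-only and safe to run as a periodic check; steps 4 and 7 change the directory and should be reviewed against your own PRP design before being scheduled. The FAS query in step 5 is domain-wide by nature, since the filtered attribute set is a schema property rather than a per-RODC setting.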
In the event of a wide area network (WAN) outage, an RODC can still provide logon capabilities to users at the RODC location. However, several items no longer work when a branch office goes offline, such as password changes and domain joins.
A final reason for deploying an RODC is scalability. RODCs use unidirectional replication, thus lessening the amount of traffic that must pass over a WAN link. Distributed File System (DFS) replication also alleviates some load on the WAN link by using compression and replicating changes only for SYSVOL traffic.