As a result, users in this situation can receive the following benefits:
Inadequate physical security is the most common reason to consider deploying an RODC.
An RODC provides a way to deploy a domain controller more securely in locations that require fast and reliable authentication services but cannot ensure physical security for a writable domain controller.
However, your organization may also choose to deploy an RODC for special administrative requirements.
An RODC hosts read-only partitions of the Active Directory® Domain Services (AD DS) database.
Before the release of Windows Server 2008, if users had to authenticate with a domain controller over a wide area network (WAN), there was no real alternative. Branch offices often cannot provide the adequate physical security that is required for a writable domain controller.
The one problem I have been having is with AD-integrated DNS records updates.
In the data center, we had to make an IP address change on a particular server.
This way, the password that is cached in the branch will no longer be valid for accessing any resources in the hub site or other branches.
In the branch that contains the RODC on which the password may have been compromised, the password remains valid for authentication until the next replication cycle, at which point the value stored on the RODC is changed to Null.
The local clients should use the RODC for their DNS queries.
If the client needs to write a record, such as during a DHCP lease, it is redirected to a writable DNS server for the write operation.
Because domain controllers store security-sensitive data, they are particularly exposed.