Summary: A Read-Only Domain Controller (RODC) provides local authentication at branch offices without replicating writable directory data outbound, limiting the blast radius if the DC is compromised.
An RODC holds a read-only copy of the AD database. Unlike writable DCs:
The RODC cannot write to its local copy of the directory. Clients requiring write operations (password changes, account unlocks) must contact a writable DC over the WAN.
Certain sensitive attributes are excluded from RODC replication entirely; the set of excluded attributes is defined by the RODC Filtered Attribute Set (FAS).
Schema admins can add custom attributes to the FAS using ADSI Edit if required.
The PRP controls which accounts' passwords can be cached on the RODC. Cached passwords allow users to authenticate locally if the WAN link is down.
Accounts on the Allowed list can have their passwords cached. Typically: branch users and computers.
Accounts on the Denied list are explicitly blocked from caching; a Denied entry takes precedence over an Allowed one. Defaults include:
- BUILTIN\Administrators
- Account Operators, Server Operators, Backup Operators, Replicator
- Domain Admins, Enterprise Admins, Schema Admins
- Group Policy Creator Owners
- krbtgt account

⚠️ Admin Account Caching
Never add Domain Admin or other privileged accounts to the Allowed list. If the RODC is physically compromised, cached passwords can be extracted. Compromising cached admin credentials could allow privilege escalation across the domain.
In ADUC, right-click an RODC computer account → Properties → Password Replication Policy tab → Advanced → view which accounts have passwords currently cached.
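The same check as the ADUC "Advanced" view, done programmatically so it can be run against every RODC on a schedule. This is an added example, not from the original page; it assumes the ActiveDirectory RSAT module and uses "BRANCH-RODC01" as a placeholder RODC name:

```powershell
# Added example: audit an RODC's Password Replication Policy and its currently
# cached passwords for privileged accounts. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-RodcPrivilegedCaching {
    param(
        [Parameter(Mandatory)][string]$RodcName,
        # Groups whose members must never be cached; mirrors the Denied-list
        # defaults above. Extend with site-specific admin groups as needed.
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins',
            'Schema Admins', 'Administrators', 'Account Operators',
            'Server Operators', 'Backup Operators', 'Group Policy Creator Owners')
    )

    # Build a SID -> reason map of every privileged principal: each group
    # itself plus its nested membership, and the krbtgt account.
    $privileged = @{}
    foreach ($name in $PrivilegedGroups) {
        $group = Get-ADGroup -Identity $name -ErrorAction SilentlyContinue
        if (-not $group) { continue }
        $privileged[$group.SID.Value] = $name
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            ForEach-Object { $privileged[$_.SID.Value] = $name }
    }
    $privileged[(Get-ADUser -Identity 'krbtgt').SID.Value] = 'krbtgt'

    $findings = New-Object System.Collections.Generic.List[object]

    # Check 1: privileged principals on the Allowed list. A Denied entry still
    # wins, so this is a hygiene finding rather than proof of caching.
    Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Allowed |
        Where-Object { $privileged.ContainsKey($_.SID.Value) } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Check = 'AllowedList'; Account = $_.Name; Reason = $privileged[$_.SID.Value] })
        }

    # Check 2: privileged accounts whose password is already cached on the RODC
    # (the same data as the ADUC "Advanced" view). These are the real exposure.
    Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts |
        Where-Object { $privileged.ContainsKey($_.SID.Value) } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Check = 'CachedPassword'; Account = $_.SamAccountName; Reason = $privileged[$_.SID.Value] })
        }

    return $findings
}

# Placeholder RODC name; run from a management host with RSAT installed.
Test-RodcPrivilegedCaching -RodcName 'BRANCH-RODC01' | Format-Table -AutoSize
```

Any 'CachedPassword' finding means a privileged secret already sits on branch hardware; reset that account's password after removing it from the Allowed list, since removal alone does not purge what was cached.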
Pre-populate cached passwords for allowed accounts before a WAN failure:
repadmin /rodcpwdrepl RODCname WritableDCname user1 user2
The two-phase staged installation separates the DC admin role (phase 1) from the on-site setup role (phase 2), so DC admin credentials never need to visit the branch.
RODCs support delegated local administration — a branch site admin can manage the RODC without having domain admin rights.
Configured during staged installation (phase 1) or after via:
# View current delegated admin
netdom query /domain:example.com rodc /server:RODCname
Or in ADUC: right-click RODC computer account → Properties → Managed By tab.
| Limitation | Detail |
|---|---|
| No FSMO roles | Cannot hold any FSMO role; PDC Emulator must be a writable DC |
| No writeback | All writes must go to a writable DC; password changes require WAN connectivity unless cached |
| Replication source | Receives replication from a designated writable DC only; if that DC is unavailable, replication stalls |
| SYSVOL | SYSVOL is read-only; GPO changes must be made on writable DCs |
| No outbound replication | Changes on RODC do not replicate anywhere |