Active Directory with Windows Server 2016 - RODCs

To replace all domain controllers

To enhance security in remote offices with limited IT staff

To allow write access to all users

To serve as a backup for all domain controllers

It does not handle any changes

It allows users to make changes directly

It pushes changes to other domain controllers

It pulls changes from other domain controllers

It caches all passwords by default

It allows local authentication without WAN dependency

It requires WAN access for all authentications

It does not cache any passwords

Local Users

Domain Admins

Remote Users

Allowed RODC Password Replication Group

Allow all users by default

Set a global deny list and a local allow list

Use only local policies

Deny all users by default

Operations Master Role

Password Caching

Local Authentication

Read-Only Access

For allowing write access

For authenticating users on the denied list

For updating the RODC software

For local password changes