Is RODC password caching a security risk and how large is that risk?
What is the exact risk associated with RODC and password caching, and how easily, once someone had the RODC, could they extract the password? And the second part of the question: is the risk associated with RODC password caching any less secure than placing a RWDC at the site instead of the RODC?
May 31st, 2012 5:56am

Physical access to the database is generally considered less secured in a branch site than in a highly secured datacenter. Physical access to a DC's database makes it easy to obtain passwords. Cf. http://www.l0phtcrack.com, but if you use drive encryption one could argue about this. RODC is less vulnerable to contaminate the DCs back home, because undesirable changes are not replicated back to the Datacenter RWDCs. Prepopulation Mechanism: http://technet.microsoft.com/en-us/library/cc755310(WS.10).aspx so I would say a RWDC is less secure than a RODC. The main question is how insecure is the physical location and who has access to it.
May 31st, 2012 6:35am

So if you had the same site with a RODC and RWDC at the site (in the example scenario the security of the site is the same for both DC types) then the RWDC would pose the biggest security threat?
May 31st, 2012 11:43am

Thanks for input PJHanson.
June 1st, 2012 1:47am

In the last episode of <4f1cd10e-e1ec-49ee-a8b4-d50b5fd29b13@communitybridge.codeplex.com>, MicroBlogger said:
> So if you had the same site with a RODC and RWDC at the site (in the example scenario the security of the site is the same for both DC types) then the RWDC would pose the biggest security threat?
Yes. Without disk encryption, all it takes is physical access to a RWDC, the ability to take it offline for 15 minutes or so without anyone noticing and a bit of creativity to gain administrative access to the entire Active Directory environment.
June 1st, 2012 2:43am
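
Added example (not part of the thread and not any poster's code): an RODC caches only the passwords its Password Replication Policy allows, so the size of the risk discussed above can be measured by listing what a given RODC currently holds. The RODC name `BRANCH-RODC01` and the function name `Get-RodcCachedExposure` are hypothetical, and treating `adminCount = 1` as "privileged" is a heuristic.

```powershell
# Added example: requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Get-RodcCachedExposure {
    param(
        [Parameter(Mandatory)]
        [string] $RodcName   # hypothetical RODC name supplied by the caller
    )

    # Accounts whose passwords are currently cached on this RODC.
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage `
        -Identity $RodcName -RevealedAccounts

    foreach ($account in $revealed) {
        $obj = Get-ADObject -Identity $account.DistinguishedName `
            -Properties sAMAccountName, adminCount
        [pscustomobject]@{
            Account    = $obj.sAMAccountName
            Class      = $obj.ObjectClass
            # Heuristic (assumption): adminCount = 1 marks accounts that are
            # or were members of protected groups.
            Privileged = ($obj.adminCount -eq 1)
        }
    }
}

$rodc = 'BRANCH-RODC01'   # hypothetical name

# What is cached right now, privileged accounts first.
Get-RodcCachedExposure -RodcName $rodc |
    Sort-Object Privileged -Descending |
    Format-Table -AutoSize

# What the policy permits or forbids the RODC to cache in future.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Select-Object Name, ObjectClass
```

The first table is the list of credentials that would need resetting if that RODC were stolen; a privileged account appearing in it means the policy is broader than a branch site warrants.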

This topic is archived. No further replies will be accepted.
