My RODC replicates to my DCs?
I'm just learning about RODCs and trying things out by example. I have two DCs and an RODC through Virtual PC 2007 and when I make updates to the RODC, for example, adding user accounts or putting accounts in Enterprise Admins, these changes replicate to my DCs. I thought RODC was read only and I wouldn't be able to edit AD? Can somebody explain this to me please as I haven't had much luck finding an answer to this.
October 28th, 2010 10:03pm

Hi,

By default, the RODC supports only inbound replication, which means it replicates from writeable DCs but can’t replicate to DCs. Regarding your problem, the following similar issue may explain your situation: RODC AD changes replicating back to DC

Best Regards
Dale
October 29th, 2010 4:51am

Thank you that helped a lot. To clear it up. If you put an RODC and a DC on the same subnet, then essentially you can be on the RODC and make updates and they will go through because they will be referred to the DC in the same subnet and then replicated back to the RODC behind the scenes. So you need to have an RODC on its own site and subnet and only then you will not be able to make changes on the RODC machine to AD. Is that correct? Please let me know if I'm getting this or not! Great help on this site by the way.
October 29th, 2010 6:40am

Generally, when a user in a site that is serviced by an RODC attempts to perform a write operation, one of the following actions can occur:

- The RODC forwards the write request to a writable domain controller and then replicates the change back from the writable domain controller.
- The RODC sends a referral for a writable domain controller to the client.
- The write operation fails: it is neither referred nor forwarded to a writable domain controller.

For information on how the RODC handles the write operation, please visit the following article: Read-Only Active Directory Database, SYSVOL, and Unidirectional Replication

Moreover, it is recommended to place the writable domain controller running Windows Server 2008 in the nearest site in your network topology to the site that contains the RODC. An RODC that is placed in the same site as a writable domain controller does not provide security benefits. To get more considerations on placing RODC, you can refer to the following link: RODC Placement Considerations

Best Regards
Dale
November 1st, 2010 1:26am
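
A placement check for the point made in the last reply (an RODC in the same site as a writable domain controller provides no security benefit), as an added example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and the caller can read the domain; the function name Get-RodcPlacementReport is hypothetical.

```powershell
# Added example: audit RODC placement per AD site.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Get-RodcPlacementReport {
    param(
        # Domain controller objects; defaults to every DC in the current domain.
        [object[]]$DomainControllers = (Get-ADDomainController -Filter *)
    )

    # Group DCs by site so each RODC can be compared with its site neighbours.
    $DomainControllers | Group-Object -Property Site | ForEach-Object {
        $site     = $_.Name
        $writable = @($_.Group | Where-Object { -not $_.IsReadOnly })
        $rodcs    = @($_.Group | Where-Object { $_.IsReadOnly })

        foreach ($rodc in $rodcs) {
            [pscustomobject]@{
                Site               = $site
                Rodc               = $rodc.HostName
                WritableDcsInSite  = ($writable.HostName -join ', ')
                # True means a writable DC sits in the same site as this RODC,
                # the placement the reply describes as giving no security benefit.
                SharesSiteWithRwdc = ($writable.Count -gt 0)
            }
        }
    }
}

Get-RodcPlacementReport | Sort-Object Site | Format-Table -AutoSize
```

Rows with SharesSiteWithRwdc set to True are the RODCs to review: moving them to their own site and subnet is what the thread discusses.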
