http://www.veeam.com/blog/read-only-domain-controller-rodc-configuration-active-directory-best-practices.html
Traditional, writable domain controllers are commonly deployed at ROBO (remote office/branch office) sites so that logons and application authentication are served locally. See Figure 1. This keeps authentication traffic off the WAN (wide area network) and avoids the response-time delays it would introduce, so applications look and feel just as they do for a user seated at headquarters. Unfortunately, this practice also creates a serious security exposure. If an unwanted user gains physical or virtual access to the branch network and to that domain controller, bidirectional replication means any change made there (or any secret extracted from its database, which holds every account's credentials) can affect the ENTIRE AD (Active Directory) forest.
A good resolution is the following:
In Windows Server 2008, Microsoft introduced the concept of a Read-Only Domain Controller (RODC). It allows IT to deploy AD Domain Services at branch offices without the security worries that a traditional writable domain controller presents. See Figure 2. An RODC receives only inbound, *unidirectional replication and maintains a local read-only copy of the AD database and the SYSVOL folder. Two things are deliberately left out of that copy: attributes in the RODC filtered attribute set, and, by default, account passwords, which are only cached for the users and computers explicitly permitted by the RODC's Password Replication Policy. This benefits IT greatly because:
- It removes the replication risk if a malicious user gains physical or virtual access to the branch infrastructure: nothing written to, or extracted from, an RODC replicates back to the writable domain controllers, and a stolen RODC exposes at most the credentials its Password Replication Policy allowed it to cache
- It prevents accidental deletion of AD objects and/or SYSVOL content by administrators within the branch office, because the RODC does not accept writes and refers them to a writable domain controller
- It prevents rogue software such as viruses, malware or spyware running at the branch from using that server to change the directory (schema changes in particular can only ever be made on the Schema Master, which an RODC can never be).
*For more on Read-Only Domain Controllers, unidirectional replication and their benefits, see the RODC documentation on Microsoft TechNet.
Windows Server 2012 and later simplify the deployment process by using Server Manager (or the ADDSDeployment PowerShell module) instead of the deprecated DCPromo utility. After installing the Active Directory Domain Services role, Server Manager immediately shows a post-deployment notification offering the additional steps needed if you want the server (typically a VM at the branch) to become a domain controller.
Once you click Promote this server to a domain controller, choose Add a domain controller to an existing domain, and on the Domain Controller Options page check the box called Read only domain controller (RODC). Selecting it adds an RODC Options page where you name the delegated administrator for the branch and set the Password Replication Policy, i.e., which accounts may have their passwords cached on this RODC; leave the highly privileged groups in the Denied list.
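The same promotion done from PowerShell, followed by the checks a practitioner would run to confirm the RODC really is read-only and really holds only the credentials it was allowed to. This is an added example, not code from the original Veeam post; the domain, server, site and group names (contoso.local, RODC01, Branch-Office, Branch-Users, Branch-Admins, svc-branch-print) are assumptions to be replaced with your own.

```powershell
# Added example (not from the original post). Promote a branch server to an RODC
# and then verify its read-only status and Password Replication Policy (PRP).
# All names below are assumed placeholders.
Import-Module ADDSDeployment
Import-Module ActiveDirectory

$domain      = 'contoso.local'
$rodcName    = 'RODC01'                 # the server being promoted; run the install ON this server
$siteName    = 'Branch-Office'          # AD site the RODC registers in, so branch clients find it first
$branchUsers = 'CONTOSO\Branch-Users'   # the ONLY group whose password hashes may be cached here
$branchAdmin = 'CONTOSO\Branch-Admins'  # local admins of the RODC box; they need no Domain Admins rights

$cred = Get-Credential -Message 'Account permitted to add a domain controller'
$dsrm = Read-Host -AsSecureString 'Directory Services Restore Mode password'

# Pre-flight: same parameters as the install, only reports prerequisite problems.
Test-ADDSDomainControllerInstallation `
    -DomainName $domain -Credential $cred `
    -ReadOnlyReplica -SiteName $siteName `
    -AllowPasswordReplicationAccountName $branchUsers `
    -DelegatedAdministratorAccountName $branchAdmin `
    -SafeModeAdministratorPassword $dsrm

# Promotion. -ReadOnlyReplica is the wizard's "Read only domain controller (RODC)" checkbox.
# -DenyPasswordReplicationAccountName is deliberately NOT given: leaving it out keeps the default
# deny list (BUILTIN\Administrators, Server/Backup/Account Operators and the
# "Denied RODC Password Replication Group", which contains Domain Admins, Enterprise Admins,
# krbtgt, etc.). Passing your own list would replace those defaults. The server reboots afterwards.
Install-ADDSDomainController `
    -DomainName $domain -Credential $cred `
    -ReadOnlyReplica -SiteName $siteName `
    -InstallDns `
    -AllowPasswordReplicationAccountName $branchUsers `
    -DelegatedAdministratorAccountName $branchAdmin `
    -SafeModeAdministratorPassword $dsrm `
    -Force

# ---- After the reboot, verify from a writable DC or an RSAT workstation ----

# 1. The new DC is flagged read-only and sits in the intended site.
#    OperationMasterRoles is always empty for an RODC: it can never hold a FSMO role.
Get-ADDomainController -Filter { IsReadOnly -eq $true } |
    Select-Object Name, Site, IsReadOnly, IsGlobalCatalog, OperationMasterRoles

# 2. Effective Password Replication Policy: who MAY and who may NEVER be cached.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodcName -Allowed |
    Select-Object Name, objectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodcName -Denied |
    Select-Object Name, objectClass

# 3. Credentials actually cached on the RODC right now. This is exactly what an attacker
#    with the branch server's disk could recover; expect only branch users/computers plus
#    the RODC's own computer account and its dedicated krbtgt_<id> account.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodcName -RevealedAccounts |
    Select-Object Name, objectClass

# 4. The RODC refuses writes: a modify aimed at it comes back as a referral to a writable DC
#    instead of being applied, so this is expected to throw.
try {
    Set-ADUser -Identity 'svc-branch-print' -Server $rodcName -Description 'rodc write test' -ErrorAction Stop
    Write-Warning "$rodcName accepted a write; it is NOT a read-only DC."
} catch {
    "Write refused by $rodcName as expected: $($_.Exception.Message)"
}
```

Step 3 is the check worth repeating periodically: the Allowed list says what could be cached, but the RevealedAccounts list says what is cached, and any privileged account appearing there means someone has been authenticating to the branch with credentials the PRP should have kept off that box.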