My RODC is replicating changes to the Writeable DC
Dracula28
I have a domain with two DCs, one (Server01) is a writeable DC, and the other (Server02) is an RODC. The strange thing is that when I create a user or group, or change group membership on Server02, it's replicated to Server01. I only have one site.
Isn't replication supposed to be just from Server01 to Server02, and not from Server02 to Server01, since 02 is an RODC? 02 was installed using a prestaged account.
What could be causing this? There is no replication connection for Server02 in Server01's NTDS Settings in AD Sites and Services, while there is an RODC Connection (FRS) for Server01 in Server02's NTDS Settings.
Comments
cyberguypr
The write event you send to the RODC is actually deferred to the writable DC which is the one responsible for performing the operation. If communication to the writable DC is severed, you'll be unable to create any users.
SephStorm
Based on my limited understanding of SVR 2k8, the RODC is read only, you cannot make changes to it. Therefore, you are probably making the changes on server 1 and they are replicating to server 2 as intended.
ptilsen
Cyberguypr and SephStorm have it. Think about dynamic DNS updates and how they would work with an RODC. Ever wonder about that? An RODC cannot write updates to DNS, yet if you have your RODC run DNS and DHCP with secure dynamic updates for that branch, it will work. That's just one example of branch-side changes that can still occur in an RODC-serviced branch while the WAN is up. It's an interesting topic to read up on and some of it can get a little complicated. Here are a few recommended articles:
Appendix A: Client Operations
RODC Frequently Asked Questions
Plan DNS Servers for Branch Office Environments
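
One way to confirm where a write made "on" the RODC really originated is to read the object's replication metadata from both DCs; this is an added example, not part of any post in this thread. Server01 and Server02 are the names from the question, `testuser1` is a hypothetical account created while the admin tool was pointed at Server02, and the script assumes the ActiveDirectory PowerShell module from Windows Server 2012 or later management tools, with Active Directory Web Services reachable on both DCs.

```powershell
# Added example: verify that a change made while connected to the RODC
# was originated by the writable DC, not by the RODC itself.
Import-Module ActiveDirectory

$writableDc = 'Server01'     # writable DC from the thread
$rodc       = 'Server02'     # RODC from the thread
$sam        = 'testuser1'    # hypothetical test account (assumption)

# 1. Confirm which DCs the directory itself considers read-only.
Get-ADDomainController -Filter * |
    Select-Object Name, IsReadOnly, Site |
    Format-Table -AutoSize

# 2. Read per-attribute replication metadata for the object from each DC.
#    LastOriginatingChangeDirectoryServerIdentity is the NTDS Settings DN
#    of the DC that actually performed the write.
$rows = foreach ($dc in $writableDc, $rodc) {
    $user = Get-ADUser -Identity $sam -Server $dc
    Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName -Server $dc |
        Where-Object { $_.AttributeName -in 'objectClass', 'sAMAccountName' } |
        Select-Object @{ n = 'QueriedDC'; e = { $dc } },
                      AttributeName,
                      Version,
                      LastOriginatingChangeTime,
                      LastOriginatingChangeDirectoryServerIdentity
}
$rows | Format-List

# 3. Flag any attribute whose originating DC is the RODC. With write
#    referral working as described above, this list should be empty.
$fromRodc = $rows | Where-Object {
    $_.LastOriginatingChangeDirectoryServerIdentity -match "CN=$rodc,"
}
if ($fromRodc) {
    Write-Warning "Attributes with $rodc as originating DC:"
    $fromRodc | Format-Table QueriedDC, AttributeName, Version -AutoSize
} else {
    Write-Output "All checked attributes originated on a DC other than $rodc."
}
```

Both DCs should report the same originating server for the object, which is the writable DC that the write was referred to.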
Dracula28
Thank you very much guys, that was perfectly explained.