Sunday, August 7, 2016

Read-only domain controllers (RODCs)


  • What Is an RODC?

Applies To: Windows Server 2008, Windows Server 2012

Read-only domain controllers (RODCs) are a new feature of Active Directory Domain Services (AD DS) in Windows Server 2008. RODCs are additional domain controllers for a domain that host complete, read-only copies of the partitions of the Active Directory database and a read-only copy of the SYSVOL folder contents. By selectively caching credentials, RODCs address some of the challenges that enterprises can encounter in branch offices and perimeter networks (also known as DMZs) that may lack the physical security that is commonly found in datacenters and hub sites. RODCs also offer a number of manageability improvements.
https://technet.microsoft.com/en-us/library/cc771030(v=ws.10).aspx


  • Advantages That an RODC Can Provide to an Existing Deployment

Security
Unidirectional replication. RODCs pull changes inbound from writable domain controllers but never replicate outbound, so a change made locally on a compromised RODC (for example, by someone with physical access to a branch-office box) is not propagated to any other domain controller.
Special krbtgt account. Each RODC has its own krbtgt account (krbtgt_<number>) whose key is used for the tickets that RODC issues; the domain-wide krbtgt secret is not stored on the RODC, so compromising an RODC does not yield a key that the rest of the forest trusts, and malicious ticket issuance is confined to that RODC.
Password Replication Policy (PRP). Each RODC has a PRP that, by default, does not allow any user or computer passwords to be cached on the RODC; only the RODC's own computer account and its special krbtgt account are stored locally until an administrator explicitly allows additional accounts. By default the Denied list also contains the privileged groups (Domain Admins, Enterprise Admins, and so on), so their secrets are never cached even if a broad Allowed list is configured.
RODC filtered attribute set (FAS). You can also restrict which application data can replicate to RODCs in your forest by adding attributes to the RODC FAS and marking them as confidential, so that sensitive attributes (for example, application-stored secrets) never reach an RODC that could be stolen.
https://technet.microsoft.com/en-us/library/cc770320(v=ws.10).aspx
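The four properties listed above can each be audited from a domain-joined administrative workstation. The following PowerShell script is an added example written for this page; it is not from the Microsoft article or the blog author. It assumes the RSAT ActiveDirectory module is installed, that the caller can read the RODC's computer object, its PRP and the schema, and that the RODC name BRANCH-RODC01 is a placeholder to be replaced.

```powershell
<#
  Added example (not from the TechNet article): audit one RODC for the four
  security properties described above. Assumes RSAT ActiveDirectory module.
  'BRANCH-RODC01' below is a placeholder RODC name.
#>
Import-Module ActiveDirectory

function Test-RodcSecurityPosture {
    param([Parameter(Mandatory)] [string] $RodcName)

    $rodc = Get-ADDomainController -Identity $RodcName
    if (-not $rodc.IsReadOnly) { throw "$RodcName is not a read-only domain controller" }
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Unidirectional replication: an RODC must have no outbound replication partners.
    $outbound = Get-ADReplicationPartnerMetadata -Target $rodc.HostName -PartnerType Outbound `
                    -ErrorAction SilentlyContinue
    if ($outbound) {
        $findings.Add("Unexpected outbound replication partners: $(($outbound.Partner) -join ', ')")
    }

    # 2. Special krbtgt: the RODC computer object links to its own krbtgt_<id> account.
    $computer   = Get-ADComputer -Identity $rodc.ComputerObjectDN -Properties 'msDS-KrbTgtLink'
    $krbtgtLink = $computer.'msDS-KrbTgtLink'
    if (-not $krbtgtLink) {
        $findings.Add('msDS-KrbTgtLink is empty; RODC-specific krbtgt account is missing')
    } else {
        $krbtgt = Get-ADObject -Identity $krbtgtLink -Properties name
        if ($krbtgt.name -notlike 'krbtgt_*') {
            $findings.Add("krbtgt link points at '$($krbtgt.name)', expected krbtgt_<number>")
        }
    }

    # 3. PRP: who is allowed/denied, and which secrets have actually been revealed to the RODC.
    $allowed  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
    $denied   = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts

    if ($denied.Name -notcontains 'Denied RODC Password Replication Group') {
        $findings.Add('Default "Denied RODC Password Replication Group" is not in the Denied list')
    }
    if ($allowed.Name -contains 'Domain Users' -or $allowed.Name -contains 'Authenticated Users') {
        $findings.Add('PRP Allowed list contains a broad group; every member can be cached on the RODC')
    }
    # Privileged accounts should never be cached, regardless of how the Allowed list is built.
    $privileged = Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Select-Object -ExpandProperty SamAccountName
    foreach ($acct in $revealed) {
        if ($privileged -contains $acct.SamAccountName) {
            $findings.Add("Privileged account '$($acct.SamAccountName)' has been cached on the RODC")
        }
    }

    # 4. FAS: attributes with searchFlags bit 0x200 (RODC filtered) should also carry 0x80 (confidential),
    #    otherwise a normal authenticated user can still read them from a writable DC.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $fas = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(searchFlags:1.2.840.113556.1.4.803:=512)' `
               -Properties searchFlags, lDAPDisplayName
    foreach ($attr in $fas) {
        if (-not ($attr.searchFlags -band 0x80)) {
            $findings.Add("FAS attribute '$($attr.lDAPDisplayName)' is filtered but not marked confidential")
        }
    }

    [pscustomobject]@{
        Rodc             = $rodc.HostName
        OutboundPartners = @($outbound).Count
        KrbtgtAccount    = $krbtgtLink
        AllowedCount     = @($allowed).Count
        RevealedCount    = @($revealed).Count
        FasAttributes    = @($fas).Count
        Findings         = $findings
    }
}

# Usage (placeholder RODC name): review Findings; an empty list means all four checks passed.
Test-RodcSecurityPosture -RodcName 'BRANCH-RODC01' | Format-List
```

The revealed-accounts check is the one worth running on a schedule: the PRP only bounds what can be cached, while Get-ADDomainControllerPasswordReplicationPolicyUsage shows what has actually been cached, which is the set of accounts to reset if the RODC is lost or stolen.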
