Can Read-Only Domain Controller in External location work when VPN tunnel is down?
Solution 1:
When using a RODC you really have 2 options for DNS
- A read only primary zone (yes I know that doesn't sound right, but it is) which is active directory integrated or
- A standard secondary zone
Obviously having a writeable primary zone on a RODC (or in that office) is a security issue.
Assuming you have this, and you have setup cached credentials correctly in your Password Replication Policy then when the network goes down, your users should be able to continue working.
Assuming you have a read only DNS zone to go with your RODC then this should be safe. Obviously if you are caching credentials locally there is a slight risk there, but if you are using your PRP properly then you should be able to revoke these credentials should anything happen.