Configure Read Only Domain Controller to receive config

I'll give you a real-world scenario:

• we have one in our branch office in China

We use it because there isn't an IT dept there, we handle all requests for AD accounts, etc. here in the USA. By having a RODC there we know:

1. Nobody there can log onto it and try to "hack away" at AD.
2. Nobody can steal it and get anything worthwhile to then come back with and "hack away" at the network later.

By having AD/DNS read-only we don't have to worry about attempts to manipulate the data on the DC there.

This is because of features found here: http://technet.microsoft.com/en-us/library/cc732801%28WS.10%29.aspx

It's more of "peace of mind" than anything else for us...plus it allowed for a very minimal server install since it was just server core with RODC role installed. We put it on an older 1U server with 2 Raid-1 18GB drives. We actually put 2 of them in...same exact configuration using older non-warrantied hardware we had in the racks.

Simple, does what it needs to do, and we don't have to worry about it. If one of the boxes fails, we would simply replace it again.

RoDC DNS replication isn't a whole lot different than DNS replication for other domain controller computers (see the entry in the table titled "Read-only domain controller support" here for details), though you do need to have at least one Windows Server 2008-based DNS server hosting a writable copy of the zone (see the "Note" in the section titled "DNS updates for clients that are located in an RODC site" in this document for details). It sounds like you've got a writable Windows Server 2008 DNS server (the one in the data center), though, so that shouldn't be your issue. That W2K8 DNS server computer in the data center does have an "NS" record published in the DNS, doesn't it?

Are you sure you're getting replication to the RoDC machine? I'm getting the feeling that it's not receiving replication at all. A quick check w/ REPLMON (from the Windwos Support Tools) or your favorite replication monitor would let you know the last time the directory partitions it hosts were updated.