Trust relationship failure with RODC

Tags: active-directory, password, rodc

I have numerous servers that sit in a DMZ which has an RODC in it as well. As you probably know, the machine passwords will change after a certain amount of time, after which I have to disjoin and rejoin these machines to the domain.

Is there a better practice to prevent this from happening other than having the servers never change their passwords?

What are the security risks of not having these machines change their passwords?

Best Answer

http://technet.microsoft.com/en-us/library/cc754218(v=ws.10).aspx says, basically, to add the computer objects to Allowed RODC Password Replication Group. At least, that is what I'm testing, as I've run across the same issue as you describe.
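The group membership change the answer describes, plus the checks I would run afterwards, written up as an added example (this is not the answerer's code). It assumes the RSAT ActiveDirectory module, an RODC named DMZ-RODC01, a writable DC named DC01 and an OU "OU=DMZ Servers,DC=corp,DC=example" holding the DMZ computer accounts; all of those names are placeholders.

```powershell
# Added example, not from the original answer. Placeholder names:
# 'DMZ-RODC01' (the RODC), 'DC01' (a writable DC) and the DMZ server OU.
Import-Module ActiveDirectory

$rodc       = 'DMZ-RODC01'
$writableDc = 'DC01'
$dmzOu      = 'OU=DMZ Servers,DC=corp,DC=example'
$prpGroup   = 'Allowed RODC Password Replication Group'

# 1. Add the DMZ computer objects (the computer accounts, not the users) to the
#    default "allowed" group so the RODC is permitted to cache their secrets.
$dmzServers = Get-ADComputer -SearchBase $dmzOu -Filter *
Add-ADGroupMember -Identity $prpGroup -Members $dmzServers -Server $writableDc

# 2. Confirm the group still appears in the RODC's Allowed list (it is there by
#    default but may have been removed) and review the Denied list, because a
#    Denied match always overrides Allowed.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Select-Object Name, ObjectClass

# 3. Pre-populate each server's current secret on the RODC rather than waiting
#    for the next authentication, then list what the RODC has actually cached.
foreach ($c in $dmzServers) {
    Sync-ADObject -Object $c -Source $writableDc -Destination $rodc -PasswordOnly
}
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass

# 4. Run on a DMZ server: read-only check of the secure channel. A failure here
#    is the same "trust relationship" error the question describes.
Test-ComputerSecureChannel -Verbose
```

Step 3 is optional; without it the RODC caches each server's secret the first time that server authenticates through it after the group change.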