How to setup a Read-Only Domain Controller (RODC)

  • Published: 11 Sep 2024
  • Learn how to promote a Read-Only Active Directory Domain Controller (RODC) into an existing Active Directory domain. In this example, I show you how to promote a read-only domain controller using the domain controller promotion wizard.
    View the blog post here: www.dannymoran...
    Hi, I’m Danny, a London based IT consultant and sporadic blogger. You can view all my blog posts at: www.dannymoran...

Comments • 18

  • @mohammedsajid8022 19 days ago +1

    Great tutorial

  • @Akira29H 1 year ago +1

    Hi, if an RODC exists, how do you prevent domain admins from using the writable DC and point them only to the RODC?

    • @danny_moran 1 year ago

      Could you please clarify what you mean by this and what you are trying to do?

    • @Akira29H 1 year ago +1

      @@danny_moran Can an RODC help to prevent other domain admins that have access to AD? Or how can I restrict domain admins' use of AD?

    • @danny_moran 1 year ago

      The purpose of an RODC is for when physical security of the domain controller server cannot be guaranteed.
      You need to look into delegating permissions for Active Directory. This will enable you to remove Domain Admins permissions but still enable people to administer certain parts of the domain.

  • @mogapurnama9229 10 months ago +1

    What window are you using?

    • @danny_moran 10 months ago

      I'm not sure what you mean. Most of the config was done within Server Manager.
      Thanks for watching!

  • @TheAlapalooza 1 year ago +1

    How do you prevent clients from using the writeable domain controllers?

    • @danny_moran 1 year ago

      What is your reason for wanting to block clients from using writeable domain controllers? I'm not sure why you would want to do this.

    • @TheAlapalooza 1 year ago +1

      @@danny_moran We have servers in a DMZ, using RODCs, all separated by a firewall. But I can see from the firewall logs that servers in the DMZ are still trying to contact the writable domain controllers in the domain.

    • @danny_moran 1 year ago +1

      Have you set up Active Directory Sites and Services and assigned the RODC to the DMZ subnet in there? This should tell the clients in the DMZ subnet to use the RODC. I'm not 100% sure if you can tell clients to exclusively use a specific domain controller.
      Also, I recommend that you have a look at the Microsoft docs below about using AD DS in a perimeter network. They are for an older version of Windows Server; however, the principles still apply.
      learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd728034(v=ws.10)
      learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd728030(v%3dws.10)
      learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd728028(v=ws.10)
      learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd728035(v=ws.10)

    • @TheAlapalooza 1 year ago +1

      @@danny_moran Yes, I did set up Sites and Services with a specific subnet for the DMZ and the RODCs in their own site. And the clients are working fine. I'm just suspecting something is wrong since they are also trying to access the writable domain controllers behind the firewall. My guess is that they are looking at some SRV records where those domain controllers are listed. Thank you for the linked documents, I will have a look at them as soon as I have time ;)

    • @danny_moran 1 year ago +1

      As long as the requests that are getting sent from the DMZ clients are getting dropped by the firewall, and it's only the RODC > internal DC requests that are able to get through the firewall, it should probably be fine.
      I think clients just try to send requests to any domain controller they know about, as it's built in a resilient way to minimise outages.
      If it's not causing any issues, I wouldn't worry about it.
      Thanks for watching!
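The Sites and Services setup suggested in the replies above, plus the SRV-record check behind the "clients still try the writable DCs" observation, as an added PowerShell example that is not from the video or the commenters. The site name DMZ, subnet 10.50.0.0/24, RODC name RODC01 and domain corp.example.com are placeholders.

```powershell
# Added example (not from the video or the comments). Placeholder values:
# site 'DMZ', subnet '10.50.0.0/24', RODC 'RODC01', domain 'corp.example.com'.
# Run from a writable DC or a host with RSAT-AD-PowerShell, as a user allowed
# to modify the Configuration partition (Sites and Services).
Import-Module ActiveDirectory

$Domain   = 'corp.example.com'
$SiteName = 'DMZ'
$Subnet   = '10.50.0.0/24'
$Rodc     = 'RODC01'

# 1. Create the DMZ site and map the DMZ subnet to it, so the DC locator
#    treats hosts in that subnet as members of the DMZ site.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$SiteName'")) {
    New-ADReplicationSite -Name $SiteName
}
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$Subnet'")) {
    New-ADReplicationSubnet -Name $Subnet -Site $SiteName
}

# 2. Move the RODC into the DMZ site so it registers site-specific SRV records.
Move-ADDirectoryServer -Identity $Rodc -Site $SiteName

# 3. Confirm the RODC is the only DC in the site, and that it is read-only.
Get-ADDomainController -Filter * |
    Where-Object Site -eq $SiteName |
    Select-Object Name, Site, IsReadOnly

# 4. Why DMZ hosts still "know about" the writable DCs: the domain-wide SRV
#    record lists every DC, while the site-specific record lists only RODC01.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV |
    Where-Object Type -eq 'SRV' | Select-Object Name, NameTarget, Priority
Resolve-DnsName -Name "_ldap._tcp.$SiteName._sites.dc._msdcs.$Domain" -Type SRV |
    Where-Object Type -eq 'SRV' | Select-Object Name, NameTarget, Priority

# 5. From a DMZ host, check which DC the locator actually picks for that site.
nltest /dsgetdc:$Domain /site:$SiteName
```

Step 4 shows the fallback path: the domain-wide record is what DMZ hosts reach for when the site-specific lookup fails, so the firewall rule dropping DMZ-to-writable-DC traffic is what actually enforces the boundary.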

  • @igormartinez4161 1 year ago +1

    tks