Q. Can Microsoft RADIUS work with a Read-Only Domain Controller?
A. RADIUS, when implemented with Network Policy Server (NPS), can use Active Directory for authentication methods such as PEAP-MSCHAPv2. A Read-Only Domain Controller (RODC) stores a read-only copy of the Active Directory database and can additionally be configured to cache the passwords of only certain accounts, typically those of users at the RODC's location. NPS works fine with an RODC; however, there are some considerations:
- If the RODC cannot contact a regular writable domain controller (RWDC), only credentials cached on the RODC can be authenticated; other authentications will fail.
- Provided the RODC can contact a regular RWDC, when a new user authentication is required the RWDC is contacted and the credential is then cached for future authentications.
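
To see which accounts would still authenticate through NPS if the RODC lost contact with an RWDC, the added example below (not part of the original answer) compares the accounts expected to authenticate at the site with the passwords currently cached on the RODC. The RODC name and group name are hypothetical placeholders; the cmdlets come from the ActiveDirectory PowerShell module.

```powershell
# Added example. $Rodc and $Group are assumed placeholder names; replace them
# with the RODC and the group of accounts that authenticate through NPS.
Import-Module ActiveDirectory

$Rodc  = 'BRANCH-RODC01'       # hypothetical RODC name
$Group = 'Branch-WiFi-Users'   # hypothetical group of NPS-authenticated accounts

# Accounts whose passwords are currently cached ("revealed") on the RODC.
$cached = Get-ADDomainControllerPasswordReplicationPolicyUsage `
              -Identity $Rodc -RevealedAccounts |
          Select-Object -ExpandProperty DistinguishedName

# Users and computers expected to authenticate via NPS at this location.
$expected = Get-ADGroupMember -Identity $Group -Recursive |
            Where-Object { $_.objectClass -in 'user', 'computer' }

# One row per expected account, flagged by whether its password is cached.
$report = foreach ($acct in $expected) {
    [pscustomobject]@{
        Name         = $acct.SamAccountName
        Type         = $acct.objectClass
        CachedOnRodc = $cached -contains $acct.distinguishedName
    }
}

$report | Sort-Object CachedOnRodc, Name | Format-Table -AutoSize

# Accounts that depend on an RWDC being reachable: their authentication
# fails if the RODC cannot contact a writable domain controller.
$atRisk = @($report | Where-Object { -not $_.CachedOnRodc })
Write-Output ("{0} of {1} accounts are not cached on {2}" -f `
    $atRisk.Count, @($report).Count, $Rodc)
```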