
Add a read-only domain controller

The optional rodc service joins the domain as a Read-Only Domain Controller: a second DC holding a read-only replica of the directory. It refers writes to the primary and, by default, caches no credentials except those a Password Replication Policy permits. It exists so you can test how an application behaves against an RODC, which is a genuinely different set of edge cases.

The RODC starts with the rest of the stack:

```bash
make up
make rodc-logs    # watch the join and directory replication
make rodc-status  # RODC health + the primary's replication links to rodc1
make rodc-test    # read from the RODC, then watch a write get referred
```

`make rodc-test` is the proof that the RODC is read-only: a user-list read is served straight from the RODC's replica, then a user create against the RODC returns `LDAP_REFERRAL` pointing at `ldap://dc1...`, the RODC handing the write upstream.
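The two checks above (`make rodc-status` reading the primary's replication links, `make rodc-test` watching a write get referred) are easy to eyeball but awkward to script. The following is an added example, not part of the lab's Makefile or of Samba: it parses captured `samba-tool drs showrepl` output into per-partition links and flags any link to the RODC whose last attempt failed or that carries consecutive failures, and it extracts the referral URL from captured `ldapadd` output so a test can assert the write was handed upstream. Both sample outputs are constructed to match the real tools' layout; the hostnames, GUIDs, DNs and timestamps are placeholders.

```python
"""Health checks over captured `samba-tool drs showrepl` and `ldapadd` output.

Added example for the RODC lab; not the project's own code. The samples
below are constructed: hostnames, GUIDs, DNs and timestamps are placeholders.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `samba-tool drs showrepl` as run on the primary (dc1).
# One link to RODC1 is healthy, the other shows a failed last attempt.
SAMPLE_SHOWREPL = """\
Default-First-Site-Name\\DC1
DSA Options: 0x00000001
DSA object GUID: 11111111-2222-3333-4444-555555555555
DSA invocationId: 66666666-7777-8888-9999-000000000000

==== INBOUND NEIGHBORS ====

DC=lab,DC=test
\tDefault-First-Site-Name\\RODC1 via RPC
\t\tDSA object GUID: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
\t\tLast attempt @ Mon Jan  1 00:00:00 2024 UTC was successful
\t\t0 consecutive failure(s).
\t\tLast success @ Mon Jan  1 00:00:00 2024 UTC

==== OUTBOUND NEIGHBORS ====

DC=lab,DC=test
\tDefault-First-Site-Name\\RODC1 via RPC
\t\tDSA object GUID: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
\t\tLast attempt @ Mon Jan  1 00:00:00 2024 UTC failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
\t\t3 consecutive failure(s).
\t\tLast success @ Sun Dec 31 23:00:00 2023 UTC

==== KCC CONNECTION OBJECTS ====
"""

# Constructed sample of ldapadd stderr when the RODC refers a write to dc1.
SAMPLE_LDAPADD_STDERR = """\
adding new entry "CN=alice,CN=Users,DC=lab,DC=test"
ldap_add: Referral (10)
\treferrals: ldap://dc1.lab.test/CN=alice,CN=Users,DC=lab,DC=test
"""


@dataclass
class Link:
    direction: str           # "inbound" or "outbound", from the section header
    partition: str           # naming context, e.g. DC=lab,DC=test
    partner: str             # DC name after the site\ prefix
    transport: str           # "RPC" in this lab
    last_attempt_ok: Optional[bool] = None
    consecutive_failures: int = 0
    last_error: str = ""


SECTION_RE = re.compile(r"^==== (.+?) ====$")
PARTNER_RE = re.compile(r"^\t([^\\\t]+)\\(\S+) via (\S+)$")
ATTEMPT_RE = re.compile(r"^\t\tLast attempt @ .* (was successful|failed, result (\d+) \((\S+)\))$")
FAILS_RE = re.compile(r"^\t\t(\d+) consecutive failure\(s\)\.$")


def parse_showrepl(text: str) -> List[Link]:
    """Turn showrepl output into one Link per (section, partition, partner)."""
    links: List[Link] = []
    section = partition = None
    current: Optional[Link] = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section, partition, current = m.group(1), None, None
            continue
        if section not in ("INBOUND NEIGHBORS", "OUTBOUND NEIGHBORS"):
            continue
        if line and not line.startswith("\t"):
            partition = line.strip()          # untabbed line: a partition DN
            continue
        m = PARTNER_RE.match(line)
        if m and partition:
            current = Link(section.split()[0].lower(), partition, m.group(2), m.group(3))
            links.append(current)
            continue
        if current is None:
            continue
        m = ATTEMPT_RE.match(line)
        if m:
            current.last_attempt_ok = m.group(1) == "was successful"
            if not current.last_attempt_ok:
                current.last_error = m.group(3)
            continue
        m = FAILS_RE.match(line)
        if m:
            current.consecutive_failures = int(m.group(1))


    return links


def unhealthy_links(links: List[Link], partner: str) -> List[Link]:
    """Links to `partner` whose last attempt failed or that have failure streaks."""
    return [l for l in links if l.partner.upper() == partner.upper()
            and (l.last_attempt_ok is False or l.consecutive_failures > 0)]


def replication_healthy(showrepl_text: str, partner: str = "RODC1") -> bool:
    """True only if the primary lists at least one link to `partner` and none is unhealthy."""
    links = [l for l in parse_showrepl(showrepl_text) if l.partner.upper() == partner.upper()]
    return bool(links) and not unhealthy_links(links, partner)


REFERRAL_RE = re.compile(r"^\s*referrals?: (ldaps?://\S+)", re.M)


def write_was_referred(ldapadd_stderr: str) -> Optional[str]:
    """Return the referral URL if the server answered the add with Referral (10), else None."""
    if "Referral (10)" not in ldapadd_stderr:
        return None
    m = REFERRAL_RE.search(ldapadd_stderr)
    return m.group(1) if m else None


if __name__ == "__main__":
    for bad in unhealthy_links(parse_showrepl(SAMPLE_SHOWREPL), "RODC1"):
        print(f"{bad.direction} {bad.partition}: {bad.consecutive_failures} failure(s), {bad.last_error}")
    print("replication healthy:", replication_healthy(SAMPLE_SHOWREPL))
    print("write referred to:", write_was_referred(SAMPLE_LDAPADD_STDERR))
```

In the lab you would feed `parse_showrepl` the output of `samba-tool drs showrepl` run on dc1 (not on the RODC, where the command itself errors) and `write_was_referred` the stderr of an `ldapadd` aimed at the RODC; the parser ignores the DSA header and the KCC section, so it tolerates the extra lines a real run prints.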

A test client that uses the RODC (10.22.22.24 by default) for DNS and LDAP has its reads served locally and, for anything the RODC cannot satisfy (writes, uncached credentials), is transparently chained to the writable dc1. That chaining is the behaviour worth testing against.

Samba’s RODC support is less mature than its read-write replication. Two harmless quirks show up:

  • `samba-tool drs showrepl` run on the RODC returns `WERR_DS_DRA_ACCESS_DENIED`. It is cosmetic; the primary's view (via `make rodc-status`) confirms replication is healthy.
  • Two `_gc` (Global Catalog) SRV records do not auto-register, because this RODC is not acting as a Global Catalog. The DC-locator records that matter do register. A cold boot's first `samba_dnsupdate` can log exit code 4; the periodic retry heals it once the Kerberos path to dc1 settles.