Now my understanding of a RODC is that it stores a read-only copy of the ntds.dit file. From the MS website: "Except for account passwords, an RODC holds all the Active Directory objects and attributes that a writable domain controller holds. However, changes cannot be made to the database that is stored on the RODC. Changes must be made on a writable domain controller and then replicated back to the RODC."
However, if I go into my RODCs and check the permissions of the ntds.dit file, the SYSTEM and <domain>\Administrators have full access to the file. Am I just missing something here?