Does Defender Support Read Only Domain Controllers?
Does Defender support Read Only Domain Controllers (RODC)?
The Defender Security Server (DSS) can be installed on a Domain Controller (DC), a member server or an RODC. However, the DSS only supports connecting to a Read/Write Domain Controller, so the value in Defender Security Server Configuration | Active Directory LDAP | Addresses must point to a writable DC.
The DSS needs to update Active Directory (AD) attributes such as violation count and Microsoft account lockout. If it could not do this, an attacker would have unlimited attempts at two-factor authentication logons against a user.
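A preflight check for the requirement above, as an added example that is not Defender or One Identity code: it compares the hosts entered under Active Directory LDAP | Addresses against an inventory of DC computer objects and flags any that are not writable. The host names and the inventory are constructed; in practice the inventory would come from an LDAP query for `dNSHostName`, `userAccountControl` and `primaryGroupID`, and the example assumes the addresses are entered as host names.

```python
# Added example (not vendor code): flag DSS LDAP addresses that are not writable DCs.
PARTIAL_SECRETS_ACCOUNT = 0x04000000  # userAccountControl bit set on RODC computer accounts
SERVER_TRUST_ACCOUNT = 0x00002000     # userAccountControl bit set on writable DC accounts
RODC_PRIMARY_GROUP_ID = 521           # RID of the "Read-only Domain Controllers" group

# Constructed sample inventory (hypothetical hosts), shaped like an LDAP search result.
SAMPLE_DCS = [
    {"dNSHostName": "dc01.corp.example",
     "userAccountControl": 532480, "primaryGroupID": 516},
    {"dNSHostName": "rodc-branch.corp.example",
     "userAccountControl": 83890176, "primaryGroupID": 521},
]


def classify_dc(entry):
    """Return 'read-only', 'writable' or 'not-a-dc' for one computer object."""
    uac = int(entry["userAccountControl"])
    if (uac & PARTIAL_SECRETS_ACCOUNT
            or int(entry.get("primaryGroupID", 0)) == RODC_PRIMARY_GROUP_ID):
        return "read-only"
    if uac & SERVER_TRUST_ACCOUNT:
        return "writable"
    return "not-a-dc"


def check_dss_ldap_addresses(addresses, inventory):
    """Map each configured address to its DC type, or 'unknown' if not in inventory."""
    by_host = {e["dNSHostName"].lower().rstrip("."): e for e in inventory}
    result = {}
    for addr in addresses:
        entry = by_host.get(addr.strip().lower().rstrip("."))
        result[addr] = classify_dc(entry) if entry else "unknown"
    return result


def unsafe_addresses(addresses, inventory):
    """Addresses the DSS should not use: anything not confirmed writable."""
    status = check_dss_ldap_addresses(addresses, inventory)
    return sorted(a for a, s in status.items() if s != "writable")


if __name__ == "__main__":
    # Constructed stand-in for the values in the DSS "Addresses" setting.
    configured = ["DC01.corp.example", "rodc-branch.corp.example"]
    for host, state in check_dss_ldap_addresses(configured, SAMPLE_DCS).items():
        print(f"{host}: {state}")
```

An address reported as `unknown` (for example an IP address that the inventory lists only by name) is treated as unsafe until it is confirmed writable.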