Q. Why shouldn't I use a domain-administrator account to log on to a read-only domain controller (RODC)?
April 7, 2008
A. The fact that it's an RODC isn't the crucial factor. What matters is that RODCs typically aren't physically secure, because they're in branch offices or somewhere else exposed to physical attack.
RODCs expressly deny caching domain-administrator account credentials, but that doesn't protect credentials you enter on a machine someone else controls. You should use your administrator credentials only on secure terminals. Someone who controls a box can run a keylogger to capture plain-text passwords, hijack the session with local control, or configure a bad policy to run at logon.
The best practice is to never log on to an RODC as a full domain administrator, and never access an RODC by Remote Desktop Protocol (RDP) as a domain administrator. Instead, use Windows Remote Shell or Windows Remote Management to run RODC commands, or use Microsoft Management Console (MMC) in remote mode. Otherwise, you could give away credentials to whoever has compromised the box. This rule of thumb applies not only to RODCs but also to any potentially insecure box.
You should decide how practical these options are for your environment. It's far easier to use RDP to access a remote box than to run remote commands and MMC snap-ins.
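One way to check whether this practice is actually being followed, as an added example that is not part of the original article: the script below reads each RODC's Security log remotely and reports console or RDP logons (event 4624, logon types 2 and 10) by members of Domain Admins. It assumes the ActiveDirectory PowerShell module, a single domain, read access to the Security log on each RODC, and a 30-day look-back chosen for illustration.

```powershell
# Added example: audit RODCs for interactive (2) or RDP (10) logons by Domain Admins.
# Assumptions: ActiveDirectory module available, single domain, remote event log access allowed.
Import-Module ActiveDirectory

$since = (Get-Date).AddDays(-30)      # look-back window (assumed value)
$riskyLogonTypes = @('2', '10')       # 2 = console logon, 10 = RemoteInteractive (RDP)

# sAMAccountNames of every direct or nested user member of Domain Admins
$admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName

$rodcs = Get-ADDomainController -Filter { IsReadOnly -eq $true }

$findings = foreach ($rodc in $rodcs) {
    try {
        $events = Get-WinEvent -ComputerName $rodc.HostName -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = 4624; StartTime = $since
        }
    } catch {
        # Get-WinEvent raises an error when nothing matches; that is a clean result, not a failure
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            Write-Warning "Could not read Security log on $($rodc.HostName): $($_.Exception.Message)"
        }
        continue
    }
    foreach ($evt in $events) {
        # Event 4624 stores its fields as named <Data> elements in the event XML
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($riskyLogonTypes -contains $data['LogonType'] -and
            $admins -contains $data['TargetUserName']) {
            [pscustomobject]@{
                RODC      = $rodc.HostName
                Time      = $evt.TimeCreated
                Account   = $data['TargetUserName']
                LogonType = $data['LogonType']
                SourceIP  = $data['IpAddress']
            }
        }
    }
}

$findings | Sort-Object Time | Format-Table -AutoSize
```

Run it from a secured administrative workstation rather than on the RODC itself, so the audit follows the same rule it checks.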