Microsoft doesn’t consider a Hyper‑V host that only ever talks to RODCs as a fully supported design. The reason is that RODCs are designed for branch office scenarios where you want read‑only directory data and limited replication, but they don’t handle writes or certain authentication flows that a Hyper‑V host may need over time. Joining the host to the domain while you have temporary RWDC access will technically work, but once that RWDC connectivity is gone, you’ll start running into issues like password changes not syncing, service accounts failing to authenticate, and potential Kerberos ticket renewal problems. Hyper‑V hosts aren’t treated differently from other member servers in this respect; they still rely on RWDCs for full domain functionality.
Over time, you could see things like stale credentials, inability to add new VMs with domain accounts, or failures when trying to use features that depend on writable directory operations. If you’re in a site where only RODCs are reachable, the Microsoft‑supported design is usually to keep at least one RWDC accessible (even if via a secure VPN or dedicated link) so that domain joins, password resets, and replication can happen correctly. Another option is to run the Hyper‑V host in a workgroup and manage VM authentication differently, but that comes with its own trade‑offs.
So bottom line: the setup you described isn’t considered a correct implementation, and it will cause headaches down the road. The prescriptive guidance is to ensure RWDC connectivity for Hyper‑V hosts, even if it’s remote, or rethink the domain join strategy.
Hope that clears things up. Please consider hitting “Accept Answer”. If you need more information, feel free to leave a message. We are happy to help!
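
An added example, not part of the original answer and not Microsoft's own tooling: a Windows PowerShell 5.1 check, run elevated on the domain-joined Hyper‑V host, that asks the DC locator for a writable DC only and then tests reachability and the machine secure channel against it. The port list and variable names are assumptions to adapt to your firewall policy.

```powershell
# Added example: can this member server locate and reach a writable DC (RWDC)?
# Assumed port set: Kerberos, RPC endpoint mapper, LDAP, SMB, kpasswd.
$ports = 88, 135, 389, 445, 464

try {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
    # WriteableRequired makes the locator skip RODCs;
    # ForceRediscovery ignores the cached DC so the answer reflects the network now.
    $opts = [System.DirectoryServices.ActiveDirectory.LocatorOptions]'WriteableRequired, ForceRediscovery'
    $dc = $domain.FindDomainController($opts)
}
catch {
    Write-Warning "No writable DC could be located: $($_.Exception.Message)"
    return
}

# TCP reachability of the located RWDC on each assumed port.
$reach = foreach ($p in $ports) {
    $r = Test-NetConnection -ComputerName $dc.Name -Port $p -WarningAction SilentlyContinue
    [pscustomobject]@{
        DC   = $dc.Name
        Site = $dc.SiteName
        Port = $p
        Open = $r.TcpTestSucceeded
    }
}
$reach | Format-Table -AutoSize

# Validate the machine account secure channel against that specific RWDC.
try {
    $channelOk = Test-ComputerSecureChannel -Server $dc.Name -ErrorAction Stop
}
catch {
    $channelOk = $false
    Write-Warning "Secure channel test failed: $($_.Exception.Message)"
}

$blocked = @($reach | Where-Object { -not $_.Open })
if ($channelOk -and $blocked.Count -eq 0) {
    Write-Output "RWDC $($dc.Name) is reachable and the secure channel is healthy."
}
else {
    Write-Warning "RWDC $($dc.Name): secure channel OK = $channelOk; blocked ports = $($blocked.Port -join ', ')"
}
```

Running it on a schedule and alerting on the warning paths gives early notice that the host has fallen back to RODC-only connectivity.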