Hello,
Thank you so much for posting here.
When a user try to authenticate to an RODC, a check is performed to see if the password is cached on the RODC of the site. If the password is cached, the RODC will authenticate the user account locally. If the user’s password is not cached or RODC is not accessible, then the authentication request is forwarded to a writable Domain Controller which in turn authenticates the account and passes the authenticated request back.
And if the RODC fails, the clients will find other DCs in other site. As mentioned, if site B is forbidden, it will find the DC in site A. Or if we would like to redirect the clients in site C to DC in site A, we could try to enable clients to locate the Next Closest Domain Controller. For more information about this, we could refer to:
For any question, please feel free to contact us.
Best regards,
Hannah Xiong