By default, an Read Only DC doesn't actually store any passwords ("user secrets"). Not only that, but the replication is unidirectional so an RODC won't replicate any information back to the primary domain controller. These features in-turn reduce the attack surface of a Windows Server.

The story that is trying to be won with this new feature in this release is the Branch Office story. Basically, for a company that is large enough to have branch offices (where physical security might not be as strong), instead of deploying a fully blown domain controller, you can now deploy a read-only domain controller. This ensures that if the remote domain controller is compromised, that the entire AD forest is not compromised (since by default, there is very little chance that a username/password combination is cached that could be used to compromise the rest of the domain). Combine this new features with the new "Server Core" installation option, and you come one step closer to a true "domain appliance." What is Server Core? Server Core is an install path of Longhorn Server (as of Beta 2) that does not install the unnecessary components of the OS (like the GUI or applications like Internet Explorer (after all, why in the world would I need Internet Explorer on a Server?!?!?)). Not only does this further reduce the attack surface of Windows Server, it also will minimize the amount of patching and maintenance that is required. This is something that the Linux/Unix servers have been doing great for a while, so I'm happy to see Windows Server finally catching up in this space!