We're bringing up an RDP 2012 farm which will have a pair of Gateway servers out in the DMZ. After considering our options with respect to AD membership, we would prefer to use the RODC approach as we already have one in the DMZ. My confusion is about communication that requires write access, like updating the computer account password in AD. I see the approach is a recommended method from Microsoft, but how are issues such as the account password change addressed?
I found http://blogs.technet.com/b/askds/archive/2009/02/15/test2.aspx that talks about disabling the password change on the machine, but is there a better way than registry hacks to make this work, or am I completely overthinking the whole situation?
I'm aware we could also set up a reverse proxy, set up a DMZ domain and create a 1-way trust, or open all the ports necessary for communication through the firewall, but this option seems best for us.