David asked on

Remote office Domain Controller

We have a Server 2012 environment: 1 DC on each site (2 sites in total), connected together by site-to-site VPN (Meraki firewalls).

The 2nd site is a read-only domain controller.

If and when the VPN link is down, users at the second site often struggle to log in. Am I missing something? Shouldn't the DC on site be able to allow them to log in?

Have I forgotten to configure something?

Thanks
Active Directory, Windows Server 2012, DNS

Last Comment
Trenton Knew

8/22/2022 - Mon
asavener

You have to tell Active Directory which accounts/passwords are allowed to be stored on the read-only domain controller. You can also pre-populate the passwords.

https://blogs.technet.microsoft.com/askds/2008/01/18/understanding-read-only-domain-controller-authentication/
Trenton Knew

Why make it read only though? I'm guessing you only want replication to occur in a single direction? Is the RoDC at a different location because you don't allow cached logons if the link to the primary directory server is down? I guess this doesn't really answer your question, just curious about why you are configured as you are.
David

ASKER
It's a server I've inherited, but I have the same question. I'm in the "if it's not broke, don't fix it" scenario.

I am happy with the replication being in one direction; I just want the other site to still be able to log in if the VPN goes down.

Thanks so far. I have allowed the remote office group to be stored on the RoDC; do I also need to add a group for the remote office computers?
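The steps asavener describes (allow accounts in the RODC's Password Replication Policy, then pre-populate their secrets) and David's follow-up about the computer accounts can be done from the ActiveDirectory PowerShell module. The following is an added example, not code from anyone in this thread; the RODC name `RODC-SITE2`, the writable DC `DC1` and the groups `Site2 Users` and `Site2 Computers` are assumed placeholders. It allows both a user group and a computer group, because the RODC can only authenticate a workstation's own secure-channel logon while the link is down if that computer account's secret is cached on the RODC as well.

```powershell
# Added example (editor's, not from the thread). Placeholders: adjust names for your domain.
Import-Module ActiveDirectory

$rodc       = 'RODC-SITE2'       # assumed: hostname of the read-only DC at the remote site
$writableDC = 'DC1'              # assumed: writable DC at the main site
$userGroup  = 'Site2 Users'      # assumed: group containing the remote-office users
$compGroup  = 'Site2 Computers'  # assumed: group containing the remote-office workstations

# 1. Allow both groups in the RODC's Password Replication Policy (PRP).
#    Computer accounts must be allowed too, otherwise the workstation's own
#    logon is forwarded to a writable DC and fails when the VPN is down.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $userGroup, $compGroup

# 2. Review the resulting policy. An account that is also in the Denied list
#    (e.g. a member of Domain Admins) will still never be cached.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name

# 3. Pre-populate the secrets now, while the VPN is up, instead of waiting for
#    each user's and machine's first logon through the RODC.
$principals  = @(Get-ADGroupMember -Identity $userGroup -Recursive | Where-Object objectClass -eq 'user')
$principals += @(Get-ADGroupMember -Identity $compGroup -Recursive | Where-Object objectClass -eq 'computer')
foreach ($p in $principals) {
    # -PasswordOnly replicates just the secret of that object from the writable DC to the RODC
    Sync-ADObject -Object $p.distinguishedName -Source $writableDC -Destination $rodc -PasswordOnly
}

# 4. Verify what the RODC has actually cached; anything missing here will not
#    be able to authenticate at the remote site during a VPN outage.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, objectClass
```

Run this from a machine with the RSAT AD module while the VPN is up, since `Sync-ADObject` needs both DCs reachable. Step 4 is the check worth repeating after new users or workstations are added at the remote site: an account in the allowed list that has never logged on through the RODC and was never pre-populated is not cached yet.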
Trenton Knew

But if cached logins are not disabled, the only case where people can't log in if the link is down is logging onto a workstation someone hasn't previously logged into, or cases where they haven't logged in for months. I would think if the link is down, access to network resources would be kind of nerfed by the link being down anyway. Unless there is file replication across the WAN for file shares, I can't see the point of the RoDC in the first place. Again... sorry, I'm not really helping... again, just curious discussion.
David

ASKER
Are you saying that by turning on cached credentials the users will still struggle to log in if the VPN link is down?
The remote office users' main network resources are on the RoDC anyway, so they can carry on.

Do I need to add the computer group for the remote office to the Password Replication Policy?

I guess setting the DC to be a RoDC is more secure in the long run.
ASKER CERTIFIED SOLUTION
Trenton Knew

David

ASKER
I kind of agree with you; if I had set this up I would probably prefer the 2nd DC to be standard.

The one issue the users noticed was that some who use Sage 200, which uses the logged-on user's credentials (SSO), came up with a message (attached): ScreenHunter_04-Apr.-12-20.08.jpg
Trenton Knew

That brings into question which iteration of Sage 200 is being used, the online or on-premises? Sage is attempting to use NTLM authentication to log users into the system. The question becomes: does the Sage server software authenticate against the primary DC only, or is it actually aware of and able to contact both DCs (read only or not)?
David

ASKER
Sage 200 is on premises. But would you know how I would find out which DC it is contacting? Or is this a test-it-and-see question?
Trenton Knew

Unfortunately, configuration of NTLM authentication for Sage 200 is beyond the scope of my current technical know-how.
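David's question of which DC the Sage server is talking to can be answered from the Sage server itself with built-in tools, independently of how Sage is configured. The following is an added example, not from anyone in this thread; the domain name `corp.example` is a placeholder. It shows the DC the current session logged on through, the DC the locator selects now (with its read-only flag), the DC the machine's Netlogon secure channel is using (this is the path NTLM pass-through authentication takes, which is what matters for Sage), and the KDC that issued any cached Kerberos tickets.

```powershell
# Added example (editor's, not from the thread). Run on the Sage server or a
# remote-site workstation, with the VPN up and again with it down, and compare.
Import-Module ActiveDirectory

$domain = 'corp.example'   # assumed placeholder for the AD DNS domain name

# Which DC authenticated the current interactive session (set at logon time)
"Logon server for this session: $env:LOGONSERVER"

# Which DC the DC locator chooses right now, and whether it is the RODC.
# -ForceDiscover bypasses the cached locator result.
$dc = Get-ADDomainController -DomainName $domain -Discover -ForceDiscover
"Locator result: $($dc.HostName) (site $($dc.Site))"

# Is that DC read-only? The locator result object does not carry IsReadOnly,
# so query the DC itself.
(Get-ADDomainController -Identity $dc.HostName) | Select-Object HostName, IsReadOnly, Site

# Which DC the machine's Netlogon secure channel currently points at.
# NTLM authentication from an application server (such as Sage) is passed
# through this channel, so this is the DC that answers those logons.
nltest /sc_query:$domain

# Which KDC issued the Kerberos tickets cached in this session
klist
```

If `nltest /sc_query` shows the writable DC at the main site rather than the RODC, the Sage server's NTLM logons are crossing the VPN even though a local DC exists, which would match the symptom David describes. Repeating the same commands during a planned outage window with the VPN down shows whether the secure channel fails over to the RODC or simply fails.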