Does the Centrify product work with a Microsoft Read-Only Domain Controller (RODC) located in the DMZ?
The short answer is: not out of the box. In the current Centrify release at the time of writing this KB (5.0), the Centrify agent (adclient) requires a read/write domain controller (RWDC) to perform adjoin and adleave and to change the machine account password (which happens every 28 days by default). The customer therefore needs to open the relevant ports from the Unix servers to an RWDC (please follow KB-0029: Firewall port settings for Centrify Direct Control).
The alternative is to adjoin against an RWDC, move the machine into the DMZ, and then disable the machine password change: in /etc/centrifydc/centrifydc.conf, set adclient.krb5.password.change.interval to 0 (the default is 28 days), then restart adclient or run adreload so the new value takes effect. Note that with the interval at 0 the machine account password is never rotated, so the host's Kerberos keytab stays valid indefinitely if it is ever copied off the machine; accept that risk deliberately for the DMZ host rather than by default.
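The following is an added example, not part of the original KB and not Centrify's own code: a small POSIX shell helper that sets adclient.krb5.password.change.interval to 0 in a centrifydc.conf-style file idempotently (replacing an active or commented-out line, or appending one if absent) and then runs adreload when the real configuration file was edited. It assumes the `name: value` line syntax used by centrifydc.conf and that adreload is on the PATH; the sample configuration fragment is constructed for illustration, so the test run never touches a real host.

```shell
#!/bin/sh
# Added example (not from the Centrify KB): idempotently set a centrifydc.conf
# parameter and reload adclient. Assumes "key: value" line syntax.

# esc_key KEY -> KEY with regex metacharacter '.' escaped for sed/grep
esc_key() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# set_conf_param FILE KEY VALUE
# Rewrites an existing "KEY: value" line (active or commented out with '#'),
# or appends "KEY: VALUE" if no such line exists.
set_conf_param() {
    file=$1; key=$2; value=$3
    ekey=$(esc_key "$key")
    tmp="${file}.tmp.$$"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${ekey}[[:space:]]*:" "$file"; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*${ekey}[[:space:]]*:.*|${key}: ${value}|" \
            "$file" > "$tmp"
    else
        cp "$file" "$tmp"
        printf '%s: %s\n' "$key" "$value" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# get_conf_param FILE KEY -> prints the active (uncommented) value, or nothing
get_conf_param() {
    ekey=$(esc_key "$2")
    sed -nE "s|^[[:space:]]*${ekey}[[:space:]]*:[[:space:]]*(.*)$|\1|p" "$1" | tail -n 1
}

# disable_machine_password_change FILE
# Sets the interval to 0 (never rotate the machine account password) and, when
# the real config was edited and adreload is installed, reloads adclient.
disable_machine_password_change() {
    set_conf_param "$1" adclient.krb5.password.change.interval 0
    if [ "$1" = /etc/centrifydc/centrifydc.conf ] && command -v adreload >/dev/null 2>&1; then
        adreload
    fi
}

# demo: constructed sample fragment in a temp file (values are illustrative)
demo() {
    f=$(mktemp)
    printf '%s\n' '# constructed sample of centrifydc.conf' \
        '#adclient.krb5.password.change.interval: 28d' > "$f"
    disable_machine_password_change "$f"
    echo "interval is now: $(get_conf_param "$f" adclient.krb5.password.change.interval)"
    rm -f "$f"
}
```

Run `demo` to see the commented-out default replaced by an active `adclient.krb5.password.change.interval: 0` line; pointing the function at /etc/centrifydc/centrifydc.conf as root performs the real change and reload. Reverting is the same call with the original interval value.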
Other operations will also not work, such as updating the machine profile (for example the OS level) in the CDC console, but these are not critical to the product's operation.
Centrify recognizes that this is a critical problem and addressed it in the 4.4.4 release; customers who have moved to the 5.0.2 release can upgrade to the 5.1 release and follow the steps in the documents referenced below.
With the fix, adclient routes all necessary AD changes and updates through the RODC, which forwards them to an RWDC.
For 2012 (4.4.4)
For 2013 (5.1/Page 190)