When branch users and computers log in, the RODC contacts a writable DC to authenticate them and caches their passwords, provided a Password Replication Policy (PRP) is configured. However, you can prepopulate the password cache on the RODC with user and computer accounts before they try to log in at the branch site.
Set the photo for Azure AD users from an on-premises AD user
Create an object in a complex OU structure if not already present.
When searching AD, here's how to find objects at a certain level only.
Branch users' credentials are not cached on the RODC by default, so the RODC relies on a writable DC for login authentication. Although this approach protects credentials from being stolen from the RODC at the branch site, it has the following drawbacks.