Redundant DCs: Is it OK, to install the "Active Directory compatible Domain Controller" on a UCS Backup Node, that is supposed to be read-only?

A few remarks trying to solve the confusions.

First: It is correct that Backup and Replica Directory Nodes are read-only with regard to changes in the OpenLDAP-based directory of UCS. While it is possible to apply changes on a Backup with UMC, we have to be aware that these changes are directly written to the Primary by using the functions of the Univention Directory Manager.
The “Active Directory compatible Domain Controller” adds another directory to a UCS domain which is based on Samba. This directory is synchronized to OpenLDAP with a component called “Univention S4 Connector”. This connector usually runs on a Primary Node.
Domain Controllers in Active Directory are multi-master capable, which means that every DC can be used to apply changes. Those changes are synced between DCs by using the “Directory Replication Service/DRS”, which is also implemented in Samba. There are some Help articles like the Samba 4 Troubleshooting Guide which might give some insights.

This should explain the behaviour that was mentioned in the initial post.

Further on: It is not just OK to install Samba/AD on a Backup or even a Replica DN. It is a recommended setup to achieve redundancy. And it is a requirement to be able to convert a Backup to Primary in case of emergency.

Running a RODC is a specific requirement and mostly used if one needs AD functionality in scenarios where no changes are wanted or allowed (like hosts in a DMZ).

hth,
Dirk