Read-only Domain Controllers are not part of the groups "Domain Controllers" or "Domain Computers". They have their own group called "Read-only Domain Controllers".
Because of this, those computers don't have permissions on the deployment folders nor permissions to decrypt the encrypted secret.
Managed to onboard them using a modified version of the script, including this group and SID.