Does an RODC perform password validation forwarding even when it has a password for a user?

Yes, in the case where a user presents a password that does not match what the RODC has stored locally, the RODC will forward the authentication request. The RODC forwards the request to the writable Windows Server 2008 domain controller that is its replication partner, which in turn forwards the request to the PDC emulator if required. If the authentication is validated at the writable Windows Server 2008 domain controller or the PDC emulator, the RODC will purge the currently stored password and replicate the new password by RSO operation.