The task was to promote the first RODC in a mixed OS domain with Windows 2003 Forest/Domain functional levels. Before DC promotion the AD Schema was successfully extended and there was one Writable Domain Controller (Windows Server 2013 R2) up and running.
I noticed that some RODC-related groups were missing even though adprep had finished without any errors:
- Read-only Domain Controllers
- Allowed RODC Password Replication Group
- Denied RODC Password Replication Group
I thought they would appear after the first RODC promotion. But that was not the case!
These groups, along with many others, are created AFTER you transfer the PDC Emulator role to a domain controller running Windows Server 2008 or later!
After transferring the PDC role, these groups were created:
Move-ADDirectoryServerOperationMasterRole -Identity "destination_PDC_holder" -OperationMasterRole PDCEmulator
Nice to know 🙂
Thereafter the first RODC was promoted successfully!
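As an added example (not part of the original post), here is a pre-flight check that turns the lesson above into a script: it confirms the three RODC groups exist before promotion and, if they are missing, moves the PDC Emulator role to a Windows Server 2008 or later DC so AD creates them. The hostname in $TargetPdc is a placeholder; everything else uses standard ActiveDirectory module cmdlets.

```powershell
# Pre-flight check before promoting the first RODC (added example, not from the original post).
# The Allowed/Denied RODC Password Replication Groups decide whose secrets an RODC may cache,
# so they must exist before any RODC is promoted.
Import-Module ActiveDirectory

$TargetPdc = 'DC01'   # placeholder: a writable DC running Windows Server 2008 or later

$RodcGroups = @(
    'Read-only Domain Controllers',
    'Allowed RODC Password Replication Group',
    'Denied RODC Password Replication Group'
)

function Get-MissingRodcGroups {
    param([string[]]$Names)
    # Return the names of groups that do not exist in the domain
    $Names | Where-Object {
        -not (Get-ADGroup -Filter "Name -eq '$_'" -ErrorAction SilentlyContinue)
    }
}

$Domain = Get-ADDomain
$PdcDc  = Get-ADDomainController -Identity $Domain.PDCEmulator
Write-Host "Forest mode : $((Get-ADForest).ForestMode)"
Write-Host "Domain mode : $($Domain.DomainMode)"
Write-Host "PDC Emulator: $($PdcDc.HostName) ($($PdcDc.OperatingSystem))"

$Missing = Get-MissingRodcGroups -Names $RodcGroups
if (-not $Missing) {
    Write-Host 'All RODC groups present; safe to promote the RODC.'
    return
}
Write-Warning "Missing RODC groups: $($Missing -join ', ')"

# The groups are only created once the PDC Emulator runs Windows Server 2008 or later,
# so refuse to move the role to a DC that is still on Windows Server 2003.
$Target = Get-ADDomainController -Identity $TargetPdc
if ($Target.OperatingSystem -notmatch 'Windows Server (2008|201[0-9]|202[0-9])') {
    throw "$TargetPdc runs '$($Target.OperatingSystem)'; choose a Windows Server 2008+ DC."
}

Move-ADDirectoryServerOperationMasterRole -Identity $TargetPdc -OperationMasterRole PDCEmulator -Confirm:$false

# Group creation happens on the new PDC; allow a little replication time, then re-check.
Start-Sleep -Seconds 30
$StillMissing = Get-MissingRodcGroups -Names $RodcGroups
if ($StillMissing) {
    Write-Warning "Still missing after transfer (wait for replication): $($StillMissing -join ', ')"
} else {
    Write-Host 'RODC groups created; proceed with RODC promotion.'
}
```

Run it from an elevated PowerShell session on a domain member with the RSAT AD module, using an account holding Domain Admins rights, since the role transfer requires them.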