This article describes the Windows Server 2008 read-only domain controller (RODC) compatibility pack for Windows Server 2003 clients and for Windows XP clients. This update addresses compatibility issues that occur with down-level clients that do not support Windows Server 2008 RODC features.
You do not necessarily have to apply this update before you can deploy a read-only domain controller. Sometimes, compatibility issues do not affect your deployment, or you may be able to use a workaround instead of applying the update.
The following is a list of the symptoms that you may experience. For more details about the scenario, affected clients, influence, and workarounds for each symptom, see http://support.microsoft.com/kb/944043.
If a client can access only read-only domain controllers, Windows Management Instrumentation (WMI) filters that are configured for Group Policy are not applied.
Internet Protocol security (IPsec) policies cannot be applied, and Win32 error code 8219 (ERROR_POLICY_OBJECT_NOT_FOUND) is returned when only Windows Server 2008 read-only domain controllers are available.
Windows Server 2003 member computers and Windows XP member computers do not synchronize Win32 time with Windows Server 2008 read-only domain controllers.
Computers in a perimeter network cannot join the domain.
In a site that has only read-only domain controllers available, users try to change their passwords on computers that are running Windows 2000, Windows XP, or Windows Server 2003. When the users do this, the password change operation fails.
Windows Server 2008 read-only domain controllers cannot retrieve or create the public key certificate by using the LsaRetrievePrivateData function or the LsaStorePrivateData function.
When you try to publish a printer, the published printer may not work correctly.
In a site that has only read-only domain controllers available, you use the Find Printer dialog box on a client computer that is running Windows 2000, Windows XP, or Windows Server 2003. When you do this, the Find Printer dialog box stops responding.
Active Directory Service Interfaces (ADSI) API functions in Windows Server 2003 and in Windows XP always send requests to a remote writable domain controller instead of to a local read-only domain controller.
Domain controllers that are running Windows Server 2003 perform automatic site coverage for sites that have read-only domain controllers.