Can I make a Windows Server 2003 DC read only?

I was wondering something.  I know with 2008 you can make a DC read-only, but I was wondering if there was some way to make a 2003 DC read-only too?

Here is my scenario:
1 main site (PDC resides here along with a couple other DCs for backup purposes)
3 remote sites (each site has a DC)

I would like to make the 3 remote site DCs read-only, if not then I will have to change the admin password to keep my level 1 tech hands out of the cookie jar, but they really need to have access to a couple of the programs on the server at those sites.  It would be nice to just make sure they could not make any changes to the AD from those sites.

Thanks for your time.

rsnellman, IT Manager, Asked:

No. This feature is only supported on Windows Server 2008. Sorry.
You need to tell them not to touch the AD and specific programs, or upgrade to win 2008.

I hope this helps!
Rajith Enchiparambil, Office 365 & Exchange Architect, Commented:
You cannot have a read only DC in Windows 2003.

It is a new feature in Windows 2008. In order to have a read only DC, you need to have at least one Windows 2008 DC (not read only) along with your 2003 DCs to start with. Only after that, you can think of having a read only DC.

So, the first step will be to introduce a new Windows 2008 DC to the mix.

Hope this helps.


rsnellman, IT Manager, Author, Commented:
OK, I thought that was the case.  So, I think I will be going to plan B, which is to demote the current DC and make it a file server only and give them access to only that server for the specific programs.

Maybe I could give them a different login account, so they could log into that remotely and access those specific programs.

That should be the best route, right now, correct?  It is unfortunate that I have to go this route, but for whatever reasons my boss will not enforce it and they won't listen to me.  So, for their sake and more for mine, I need to take these measures to prevent an AD disaster.

Ok, thanks again for everything.

Have a great day.
