Access Denied: Installing a New NT 4.0 BDC into a Windows 2003 Domain

Here's the reason for the Assign this computer as a backup domain controller option in the New Object - Computer dialog box in Windows 2003.

ITPro Today

January 17, 2005


When I create a new computer account in Windows Server 2003, I see an Assign this computer as a backup domain controller option. But BDCs went away with Windows NT—what's up?

You're right—in Windows 2003 and Windows 2000 Server, domain controllers (DCs) are all peers except for the Flexible Single-Master Operation (FSMO) roles that some DCs hold. This option threw me at first too and could certainly be labeled better. It's there just to support a rare requirement. Some applications have an absolute requirement to run on an NT 4.0 BDC.

Even if you have such an application, you'll need to create a computer account using this option only if you inadvertently upgrade the NT 4.0 BDC the application is running on or if you need to set up another computer to run the application. In such a case, you create the computer account ahead of time for the NT 4.0 BDC and select this option. Then you install NT 4.0 on the computer as a BDC and join it to the domain. The selected option tells the Windows 2003 DC that it's OK for the computer to join as a BDC, and the Windows 2003 DC replicates to the BDC as though it were an NT 4.0 PDC.

Running NT 4.0 BDCs and raising your domain and forest functionality past Win2K mixed mode or Windows 2003 interim mode causes compatibility problems that the Assign this computer as a backup domain controller option label doesn't explain very well. NT 4.0 DCs can't comprehend some Windows 2003 and Win2K domain features; therefore, Microsoft added the mixed mode and interim mode, which restrict AD functions that NT can't handle.
