Within the Administering Windows Server Hybrid Core Infrastructure content for AD DS deployment, Microsoft specifies that Install From Media (IFM) for promoting a domain controller—especially a Read-Only Domain Con troller (RODC) —must be created from a writable domain controller in the same target domain . The guide explains that IFM “pre-stages the AD DS database so that the promotion consumes far less replication traffic,” and it emphasizes: “RODC IFM cannot be gene rated from an RODC; it must be created on a writable DC of the destination domain.” It also clarifies tool choice: “Use ntdsutil ifm to generate media for a writable DC or an RODC. The media is then used during promotion to avoid full initial replication a cross the network.”

Applied here: the server to be promoted (Server1) will be an RODC in child.contoso.com . The only writable DC in that domain shown is DC2 (Domain-wide FSMO holder for child. contoso.com ), making it the correct and traffic-efficient source . DC1 and RODC3 are in contoso.com (parent domain), so neither meets the requirement; additionally, an RODC cannot be used as an IFM source . Regarding tooling, the documentation notes that Windows Server Backup is for system-state backup/restore and is not the supported method to generate IFM media ; the prescribed tool is Ntdsutil.exe with the IFM context . Therefore, to minimize network traffic and satisfy Azure/AD DS best practices, create the IFM media on DC2 using Ntdsutil.exe and then promote Server1 wi th that media.