What restriction applies when installing the first domain controller in a new domain regarding RODCs?

When installing the first domain controller in a new domain, the restriction is that it cannot be a Read-Only Domain Controller (RODC). This is because an RODC is designed primarily for environments that require a domain controller with enhanced security, primarily in branch offices or locations that may not be secure, therefore not suitable for the initial setup of a new domain.

The primary domain controller needs to be writable so it can handle tasks like creating and managing the directory services in the Active Directory Domain Services (AD DS). Since an RODC does not allow for data writes and is meant to replicate information from a writable domain controller, it cannot fulfill the necessary role of initial data creation and management.

In contrast, the other options suggest conditions that do not apply to the initial installation of a domain controller. For instance, while RODCs can be utilized in remote locations, this restriction does not impact the capability of a primary domain controller. Moreover, there is no requirement for the first DC to be a specific version of Windows Server or to set up an RODC after establishing a secondary domain controller. The focus is solely on the fact that the very first domain controller has to be a writable one, making the option about RODCs being excluded as