Your network consists of a single Active Directory domain. All domain controllers run
Windows Server 2003.
You upgrade all domain controllers to Windows Server 2008.
You need to configure the Active Directory environment to support the application of multiple
password policies.
What should you do?

A.
Raise the functional level of the domain to Windows Server 2008.

B.
On one domain controller, run dcpromo /adv.

C.
Create multiple Active Directory sites.

D.
On all domain controllers, run dcpromo /adv.

Explanation:
http://technet.microsoft.com/en-us/library/cc770842%28v=ws.10%29.aspx
AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide
This step-by-step guide provides instructions for configuring and applying fine-grained
password and account lockout policies for different sets of users in Windows Server® 2008
domains.
In Microsoft® Windows® 2000 and Windows Server 2003 Active Directory domains, you
could apply only one password and account lockout policy, which is specified in the domain’s
Default Domain Policy, to all users in the domain. As a result, if you wanted different
password and account lockout settings for different sets of users, you had to either create a
password filter or deploy multiple domains. Both options were costly for different reasons.
In Windows Server 2008, you can use fine-grained password policies to specify multiple
password policies and apply different password restrictions and account lockout policies to
different sets of users within a single domain.
Requirements and special considerations for fine-grained password and account lockout
policies
Domain functional level: The domain functional level must be set to Windows Server 2008 or
higher.