WServerNews.com Newsletter: Vol. 20, #5 - February 9, 2015 - Issue #1015

Table 1: Active Directory features supported by different VERSIONS of Windows Server

| AD feature | Windows 2000 | Windows Server 2003 | Windows Server 2008 | Windows Server 2008 R2 | Windows Server 2012 | Windows Server 2012 R2 |
|---|---|---|---|---|---|---|
| Group Policy Preferences | N/A | SP1 | Enabled | Enabled | Enabled | Enabled |
| Operation-based Auditing | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| DNS Application Partitions | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| DNS Stub Zones | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| DNS Conditional Forwarding | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| DNS Background Zone Loading | N/A | N/A | Enabled | Enabled | Enabled | Enabled |
| DNS GlobalNames Zone | N/A | N/A | Enabled | Enabled | Enabled | Enabled |
| DNS Settings via GPO | N/A | N/A | N/A | Vista+ clients | Vista+ clients | Vista+ clients |
| DNS Security Extensions (DNSSEC) | N/A | N/A | N/A | Enabled | Enabled | Enabled |
| DNSSEC: online signing, automated key management and other enhancements | N/A | N/A | N/A | N/A | Enabled | Enabled |
| DNSSEC: support for Key Master role | N/A | N/A | N/A | N/A | N/A | Enabled |
| DNS Devolution | N/A | N/A | N/A | Enabled | Enabled | Enabled |
| DNS Cache Locking | N/A | N/A | N/A | Enabled | Enabled | Enabled |
| DNS Socket Pool | N/A | N/A | N/A | Enabled | Enabled | Enabled |
| NTLM minimum session security encryption (default) | 40/56 bits | 40/56 bits | 40/56 bits | 128 bits | 128 bits | 128 bits |
| NTLM restriction | N/A | N/A | N/A | Enabled | Enabled | Enabled |
| Kerberos DES cipher suites (default configuration) | Enabled | Enabled | Enabled | Disabled by default | Disabled by default | Disabled by default |
| Per User Selective Auditing | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| Logon/Logoff auditing events with IP/User Name/Workstation Name | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| Account Management auditing: Group Membership Changes | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| Directory Services Auditing | ON/OFF (single category: Directory Access) | Enabled | 59 granular settings | 59 granular settings | 59 granular settings | 59 granular settings |
| Auditing of Removable Storage Devices | N/A | N/A | N/A | N/A | Only Win8 clients | Only Win8 clients |
| AD Database Mounting Tool | N/A | N/A | Enabled | Enabled | Enabled | Enabled |
| Restartable Directory Services | N/A | N/A | Enabled | Enabled | Enabled | Enabled |
| Install Replica from Media | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| DCPromo /Forceremoval | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| Confidential Attributes | N/A | SP1 | Enabled | Enabled | Enabled | Enabled |
| Access Based Enumeration | N/A | SP1 | Enabled | Enabled | Enabled | Enabled |
| Directory Partition Quotas | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| LDAP bind to rootDSE | Anonymous | Authenticated Users | Authenticated Users | Authenticated Users | Authenticated Users | Authenticated Users |
| Single-Instance Security Descriptors | N/A | Enabled (need to defrag DB after upgrade) | Enabled (need to defrag DB after upgrade) | Enabled (need to defrag DB after upgrade) | Enabled (need to defrag DB after upgrade) | Enabled (need to defrag DB after upgrade) |
| Garbage Collection | Tombstones purged every 12 hrs (default); 5000 objects per batch; if > 5000, every 50% of tombstone purge cycle | No limits per batch | No limits per batch | No limits per batch | No limits per batch | No limits per batch |
| ADUC: protect container from accidental deletion | N/A | N/A | Enabled | Enabled | Enabled | Enabled |
| ADUC: drag'n'drop warning | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| Directory Services Backup Reminders | N/A | SP1 | Enabled | Enabled | Enabled | Enabled |
| Active Directory Administrative Center | N/A | At least 1 DC 2008 R2 | At least 1 DC 2008 R2 | Enabled | Enabled | Enabled |
| Active Directory Best Practices Analyzer | N/A | At least 1 DC 2008 R2 | At least 1 DC 2008 R2 | Enabled | Enabled | Enabled |
| Active Directory Web Services | N/A | At least 1 DC 2008 R2 | At least 1 DC 2008 R2 | Enabled | Enabled | Enabled |
| Block the creation of duplicate service principal names (SPN) and user principal names (UPN) | N/A | N/A | N/A | N/A | N/A | Enabled |
| Command line process auditing | N/A | N/A | N/A | N/A | N/A | Enabled |
| Restricted Admin mode for Remote Desktop Connection | N/A | N/A | N/A | N/A | N/A | Enabled |
| LDAP query optimizer algorithm improved | N/A | N/A | N/A | N/A | N/A | Enabled |
| LDAP search result statistics (event ID 1644) | N/A | N/A | N/A | N/A | Enabled | Enabled |
| LDAP search result statistics (event ID 1644): additional statistics | N/A | N/A | Enabled with hotfix KB2800945 | Enabled with hotfix KB2800945 | Enabled with hotfix KB2800945 | Enabled |
| Active Directory Replication throughput improvement (raises the maximum AD replication throughput from 40 Mbps to around 600 Mbps) | N/A | N/A | N/A | N/A | N/A | Enabled between 2012 R2 DCs |


Table 2: Active Directory features supported by different FOREST functional levels

| Forest feature | Windows 2000 | Windows 2003 Interim | Windows Server 2003 | Windows Server 2008 | Windows Server 2008 R2 | Windows Server 2012 | Windows Server 2012 R2 |
|---|---|---|---|---|---|---|---|
| Global catalog replication improvements | Enabled if both replication partners are running Windows Server 2003 | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
| Defunct schema objects (schema deactivation/reactivation) | N/A | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| Forest trusts | N/A | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| Kerberos Forest Search Order | N/A | N/A | N/A | N/A | Enabled | Enabled | Enabled |
| Linked value replication | N/A | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
| Domain rename | N/A | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| Improved Active Directory replication algorithms | N/A | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
| Dynamic auxiliary classes | N/A | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| User to InetOrgPerson objectClass change | N/A | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| Basic and query-based groups (for role-based auth) | N/A | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| Read Only Domain Controller | N/A | N/A | Enabled (at least 1 DC 2008) | Enabled | Enabled | Enabled | Enabled |
| Admin Role Separation | N/A | N/A | Enabled (at least 1 DC 2008) | Enabled (with RODC) | Enabled (with RODC) | Enabled (with RODC) | Enabled (with RODC) |
| Password Replication Policy | N/A | N/A | Enabled (at least 1 DC 2008) | Enabled (with RODC) | Enabled (with RODC) | Enabled (with RODC) | Enabled (with RODC) |
| Active Directory Recycle Bin | N/A | N/A | N/A | N/A | Enabled | Enabled | Enabled |
| Active Directory Recycle Bin User Interface | N/A | N/A | N/A | N/A | Enabled with 1 or more 2012 DCs | Enabled | Enabled |
| Domain Functional Level Rollback | N/A | N/A | N/A | N/A | N/A | Supported FFL rollbacks: DFL = 2012 and FFL = 2008 R2 -> FFL 2008 R2; DFL = 2012 and FFL = 2008 -> FFL 2008 R2; DFL = 2012 and FFL = 2008 -> FFL 2008; DFL = 2008 R2 and FFL = 2008 -> FFL 2008 | Supported FFL rollbacks: DFL = 2012 and FFL = 2008 R2 -> FFL 2008 R2; DFL = 2012 and FFL = 2008 -> FFL 2008 R2; DFL = 2012 and FFL = 2008 -> FFL 2008; DFL = 2008 R2 and FFL = 2008 -> FFL 2008 |
| Virtualized DC Cloning | N/A | N/A | Enabled (PDCe must be on 2012) | Enabled (PDCe must be on 2012) | Enabled (PDCe must be on 2012) | Enabled (PDCe must be on 2012) | Enabled (PDCe must be on 2012) |


Table 3: Active Directory features supported by different DOMAIN functional levels

| Domain feature | Windows 2000 mixed | Windows 2000 native | Windows Server 2003 | Windows Server 2008 | Windows Server 2008 R2 | Windows Server 2012 | Windows Server 2012 R2 |
|---|---|---|---|---|---|---|---|
| Domain controller rename tool | N/A | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| Update logon timestamp | N/A | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| User password on InetOrgPerson object | N/A | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| Universal Groups | Enabled for distribution groups; disabled for security groups | Enabled (allows both security and distribution groups) | Enabled (allows both security and distribution groups) | Enabled (allows both security and distribution groups) | Enabled (allows both security and distribution groups) | Enabled (allows both security and distribution groups) | Enabled (allows both security and distribution groups) |
| Group Nesting | Enabled for distribution groups; disabled for security groups, except that domain local security groups can have global groups as members | Enabled (allows full group nesting) | Enabled (allows full group nesting) | Enabled (allows full group nesting) | Enabled (allows full group nesting) | Enabled (allows full group nesting) | Enabled (allows full group nesting) |
| Converting Groups | Disabled | Enabled (allows conversion between security groups and distribution groups) | Enabled (allows conversion between security groups and distribution groups) | Enabled (allows conversion between security groups and distribution groups) | Enabled (allows conversion between security groups and distribution groups) | Enabled (allows conversion between security groups and distribution groups) | Enabled (allows conversion between security groups and distribution groups) |
| SID history | Disabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
| Redirect users and computers | N/A | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| Authorization Manager can store authorization policies in AD | N/A | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| Kerberos constrained delegation for computers | N/A | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| Kerberos constrained delegation for computers across forests | N/A | N/A | Enabled (2012 schema update in the back-end server's forest; one or more DCs in the front-end domain running 2012; one or more DCs in the back-end domain running 2012) | Enabled (2012 schema update in the back-end server's forest; one or more DCs in the front-end domain running 2012; one or more DCs in the back-end domain running 2012) | Enabled (2012 schema update in the back-end server's forest; one or more DCs in the front-end domain running 2012; one or more DCs in the back-end domain running 2012) | Enabled | Enabled |
| Selective authentication cross-forest | N/A | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| Fine-grained password policies | N/A | N/A | N/A | Enabled | Enabled | Enabled | Enabled |
| Fine-Grained Password Policy User Interface | N/A | N/A | N/A | Enabled with 1 or more 2012 DCs | Enabled with 1 or more 2012 DCs | Enabled | Enabled |
| DFS replication support for the Windows Server 2003 System Volume (SYSVOL) | N/A | N/A | N/A | Enabled | Enabled | Enabled | Enabled |
| Advanced Encryption Standard (AES 128 and AES 256) support for the Kerberos protocol | N/A | N/A | N/A | Enabled | Enabled | Enabled | Enabled |
| Last Interactive Logon Information (the time of the last successful interactive logon for a user; the name of the workstation the user logged on from; the number of failed logon attempts since the last logon) | N/A | N/A | N/A | Enabled | Enabled | Enabled | Enabled |
| Authentication mechanism assurance for ADFS | N/A | N/A | N/A | N/A | Enabled | Enabled | Enabled |
| Offline Domain Join | N/A | N/A | N/A | N/A | Enabled | Enabled | Enabled |
| Offline Domain Join via DirectAccess | N/A | N/A | Enabled (at least 1 DC 2012; only for 2012 member servers and Win8 clients) | Enabled (at least 1 DC 2012; only for 2012 member servers and Win8 clients) | Enabled (at least 1 DC 2012; only for 2012 member servers and Win8 clients) | Enabled (only for 2012 member servers and Win8 clients) | Enabled (only for 2012 member servers and Win8 clients) |
| Managed Service Accounts | N/A | N/A | Enabled (at least 1 DC 2008 R2; only for 2008 R2+ member servers) | Enabled (at least 1 DC 2008 R2; only for 2008 R2+ member servers) | Enabled (only for 2008 R2+ member servers) | Enabled (only for 2008 R2+ member servers) | Enabled (only for 2008 R2+ member servers) |
| Group Managed Service Accounts | N/A | N/A | Enabled (at least 1 DC 2012; only for 2008 R2+ member servers) | Enabled (at least 1 DC 2012; only for 2008 R2+ member servers) | Enabled (at least 1 DC 2012; only for 2008 R2+ member servers) | Enabled (only for 2008 R2+ member servers) | Enabled (only for 2008 R2+ member servers) |
| Remote Group Policy Update | N/A | N/A | Enabled (at least 1 DC 2012) | Enabled (at least 1 DC 2012) | Enabled (at least 1 DC 2012) | Enabled | Enabled |
| Group Policy Report Improvements | N/A | N/A | Enabled (at least 1 DC 2012) | Enabled (at least 1 DC 2012) | Enabled (at least 1 DC 2012) | Enabled | Enabled |
| Group Policy infrastructure status | N/A | N/A | Enabled (at least 1 DC 2012) | Enabled (at least 1 DC 2012) | Enabled (at least 1 DC 2012) | Enabled | Enabled |
| Local Group Policy support for Windows RT | N/A | N/A | Enabled (at least 1 DC 2012) | Enabled (at least 1 DC 2012) | Enabled (at least 1 DC 2012) | Enabled | Enabled |
| KDC Support for Claims | N/A | N/A | N/A | N/A | N/A | Enabled | Enabled |
| Compound Authentication | N/A | N/A | N/A | N/A | N/A | Enabled | Enabled |
| Flexible Authentication Secure Tunneling (FAST) (aka Kerberos Armoring) | N/A | N/A | N/A | N/A | N/A | Enabled | Enabled |
| Domain Functional Level Rollback | N/A | N/A | N/A | N/A | N/A | Supported DFL rollbacks: DFL = 2012 and FFL = 2008 R2 -> DFL 2008 R2; DFL = 2012 and FFL = 2008 -> DFL 2008 R2; DFL = 2012 and FFL = 2008 -> DFL 2008; DFL = 2008 R2 and FFL = 2008 -> DFL 2008 | Supported DFL rollbacks: DFL = 2012 and FFL = 2008 R2 -> DFL 2008 R2; DFL = 2012 and FFL = 2008 -> DFL 2008 R2; DFL = 2012 and FFL = 2008 -> DFL 2008; DFL = 2008 R2 and FFL = 2008 -> DFL 2008 |
| Workplace Join for Windows 8.1 and iOS 5+ devices | N/A | N/A | N/A | Enabled (ADFS 3.0 servers on Windows Server 2012 R2; forest schema must be Windows Server 2012 R2; Group Managed Service Accounts for ADFS 3.0 require at least 1 Windows Server 2012 DC; extranet access requires Windows Server 2012 R2 WAP servers) | Enabled (ADFS 3.0 servers on Windows Server 2012 R2; forest schema must be Windows Server 2012 R2; Group Managed Service Accounts for ADFS 3.0 require at least 1 Windows Server 2012 DC; extranet access requires Windows Server 2012 R2 WAP servers) | Enabled (ADFS 3.0 servers on Windows Server 2012 R2; forest schema must be Windows Server 2012 R2; Group Managed Service Accounts for ADFS 3.0 require at least 1 Windows Server 2012 DC; extranet access requires Windows Server 2012 R2 WAP servers) | Enabled (ADFS 3.0 servers on Windows Server 2012 R2; forest schema must be Windows Server 2012 R2; Group Managed Service Accounts for ADFS 3.0 require at least 1 Windows Server 2012 DC; extranet access requires Windows Server 2012 R2 WAP servers) |
| Second Factor Authentication across company applications (Windows 8.1 and iOS 5+ devices) | N/A | N/A | N/A | | | | |
| Web-based Single Sign-On (SSO) to resources from known devices (Windows 8.1 and iOS 5+) | N/A | N/A | N/A | | | | |
| Multi-factor Access Control | N/A | N/A | N/A | | | | |
| Work Folders Intranet Access | N/A | N/A | N/A | Enabled (file servers must be Windows Server 2012 R2) | Enabled (file servers must be Windows Server 2012 R2) | Enabled (file servers must be Windows Server 2012 R2) | Enabled (file servers must be Windows Server 2012 R2) |
| Work Folders Extranet Access | N/A | N/A | N/A | Enabled (file servers must be Windows Server 2012 R2; same requirements as "Workplace Join") | Enabled (file servers must be Windows Server 2012 R2; same requirements as "Workplace Join") | Enabled (file servers must be Windows Server 2012 R2; same requirements as "Workplace Join") | Enabled (file servers must be Windows Server 2012 R2; same requirements as "Workplace Join") |
| Kerberos Authentication: KDC Resource Group Compression | N/A | N/A | N/A | N/A | N/A | Enabled | Enabled |
| Kerberos Authentication: Kerberos SSPI context token buffer size (Windows 8.x clients) | N/A | N/A | N/A | N/A | N/A | Enabled | Enabled |
| Kerberos Constrained Delegation: resource-based constrained delegation across domains | N/A | N/A | N/A | N/A | N/A | Enabled | Enabled |
| Group Policy: Expanded IPv6 Support | N/A | N/A | N/A | N/A | N/A | N/A | Enabled |
| Group Policy: Policy Caching | N/A | N/A | N/A | N/A | N/A | N/A | Enabled |
| Protected Users: members signed on to Windows 8.1 devices and Windows Server 2012 R2 hosts can no longer use default credential delegation (CredSSP: plaintext credentials are not cached even when the "Allow delegating default credentials" policy is enabled); Windows Digest (plaintext credentials are not cached even when enabled); NTLM (NTOWF is not cached); Kerberos long-term keys (the Kerberos ticket-granting ticket (TGT) is acquired at logon and cannot be re-acquired automatically); offline sign-on (the cached logon verifier is not created) | N/A | N/A | N/A | Enabled (PDCe must be on Windows Server 2012 R2) | Enabled (PDCe must be on Windows Server 2012 R2) | Enabled (PDCe must be on Windows Server 2012 R2) | Enabled |
| Protected Users: members of the group can no longer authenticate by using NTLM authentication; use DES or RC4 cipher suites in Kerberos pre-authentication; be delegated by using unconstrained or constrained delegation; renew user tickets (TGTs) beyond the initial 4-hour lifetime | N/A | N/A | N/A | N/A | N/A | N/A | Enabled |
| Authentication Policy Silos: configure an authentication policy for each silo to control the non-renewable TGT lifetime, the access control conditions for returning a TGT, and the access control conditions for returning a service ticket | N/A | N/A | N/A | N/A | N/A | N/A | Enabled |
| Restrict a user account to specific devices and hosts | N/A | N/A | N/A | N/A | N/A | N/A | Enabled |