Home

AD feature

Windows 2000

Windows Server 2003

Windows Server 2008

Windows Server 2008 R2

Windows Server 2012

Windows Server 2012 R2

Group Policy Preferences

N/A

SP1

Enabled

Enabled

Enabled

Enabled

Operation-based Auditing

N/A

Enabled

Enabled

Enabled

Enabled

Enabled

DNS Application Partitions

N/A

Enabled

Enabled

Enabled

Enabled

Enabled

DNS Stub Zones

N/A

Enabled

Enabled

Enabled

Enabled

Enabled

DNS Conditional Forwarding

N/A

Enabled

Enabled

Enabled

Enabled

Enabled

DNS Background Zone Loading

NA

NA

Enabled

Enabled

Enabled

Enabled

DNS GlobalNames Zone

NA

NA

Enabled

Enabled

Enabled

Enabled

DNS Settings via GPO

NA

NA

NA

Vista+ clients

Vista+ clients

Vista+ clients

DNS Security Extensions (DNSSEC)

NA

NA

NA

Enabled

Enabled

Enabled

DNS Security Extensions (DNSSEC): online signing and automated key management and other enhancements

NA

NA

NA

NA

Enabled

Enabled

DNS Security Extensions (DNSSEC): support for Key Master role

NA

NA

NA

NA

NA

Enabled

DNS Devolution

NA

NA

NA

Enabled

Enabled

Enabled

DNS Cache Locking

NA

NA

NA

Enabled

Enabled

Enabled

DNS Socket Pool

NA

NA

NA

Enabled

Enabled

Enabled

NTLM  minimum session security encryption (default)

40/56 bits

40/56 bits

40/56 bits

128 bits

128 bits

128 bits

NTLM restriction

N/A

N/A

N/A

Enabled

Enabled

Enabled

Kerberos DES default cipher suites default configuration

Enabled

Enabled

Enabled

Disabled by default

Disabled by default

Disabled by default

Per User Selective Auditing

N/A

Enabled

Enabled

Enabled

Enabled

Enabled

Logon/Logoff  Auditing events with IP/User Name/Workstation Name

N/A

Enabled

Enabled

Enabled

Enabled

Enabled

Account Management auditing:- Group Membership Changes

N/A

Enabled

Enabled

Enabled

Enabled

Enabled

Directory Services Auditing

ON/OFF (single category Directory Access)

Enabled

59 granular settings

59 granular settings

59 granular settings

59 granular settings

Auditing of Removable Storage Devices

N/A

N/A

N/A

N/A

Only Win8 Clients

Only Win8 Clients

AD Database Mounting Tool

N/A

N/A

Enabled

Enabled

Enabled

Enabled

Restartable Directory Services

N/A

N/A

Enabled

Enabled

Enabled

Enabled

Install Replica from Media

N/A

Enabled

Enabled

Enabled

Enabled

Enabled

DCPromo /Forceremoval

N/A

Enabled

Enabled

Enabled

Enabled

Enabled

Confidential Attributes

N/A

SP1

Enabled

Enabled

Enabled

Enabled

Access Based Enumeration

N/A

SP1

Enabled

Enabled

Enabled

Enabled

Directory Partition Quotas

N/A

Enabled

Enabled

Enabled

Enabled

Enabled

LDAP bind to rootDSE

Anonymous

Authenticated Users

Authenticated Users

Authenticated Users

Authenticated Users

Authenticated Users

Single-Instance Security Descriptors

N/A

Enabled. Need to defrag DB after upgrade.

Enabled. Need to defrag DB after upgrade.

Enabled. Need to defrag DB after upgrade.

Enabled. Need to defrag DB after upgrade.

Enabled. Need to defrag DB after upgrade.

Garbage Collection

- Tombstones purged every 12 hrs  (default) - 5000 objects per batch - If > 5000, every 50% of tombstone purge cycle

No limits per batch

No limits per batch

No limits per batch

No limits per batch

No limits per batch

ADUC: protect container from accidental deletion

N/A

N/A

Enabled

Enabled

Enabled

Enabled

ADUC: drag'n'drop warning

N/A

Enabled

Enabled

Enabled

Enabled

Enabled

Directory Services Backup Reminders

N/A

SP1

Enabled

Enabled

Enabled

Enabled

Active Directory Administrative Center

N/A

At least 1 DC 2008 R2

At least 1 DC 2008 R2

Enabled

Enabled

Enabled

Active Directory Best Practices Analyzer

N/A

At least 1 DC 2008 R2

At least 1 DC 2008 R2

Enabled

Enabled

Enabled

Active Directory Web Services

N/A

At least 1 DC 2008 R2

At least 1 DC 2008 R2

Enabled

Enabled

Enabled

Block the creation of duplicate service principal names (SPN) and user principal names (UPN).

N/A

N/A

N/A

N/A

N/A

Enabled

Command line process auditing

N/A

N/A

N/A

N/A

N/A

Enabled

Restricted Admin mode for Remote Desktop Connection

N/A

N/A

N/A

N/A

N/A

Enabled

LDAP query optimizer algorithm improved

N/A

N/A

N/A

N/A

N/A

Enabled

LDAP search result statistics (event ID 1644)

N/A

N/A

N/A

N/A

Enabled

Enabled

LDAP search result statistics (event ID 1644). Additional statistics

N/A

N/A

Enabled With hotfix KB2800945

Enabled With hotfix KB2800945

Enabled With hotfix KB2800945

Enabled

Active Directory Replication throughput improvement Adjusts the maximum AD Replication throughput from 40Mbps to around 600 Mbps.

N/A

N/A

N/A

N/A

N/A

Enabled Between 2012 R2 DCs

Forest feature

Windows 2000

Windows 2003 Interim

Windows Server 2003

Windows Server 2008

Windows Server 2008 R2

Windows Server 2012

Windows Server 2012 R2

Global catalog replication improvements

Enabled if both replication partners are running Windows Server 2003.

Enabled

Enabled

Enabled

Enabled

Enabled

Enabled

Defunct schema objects (Schema de-/reactivation)

N/A

N/A

Enabled

Enabled

Enabled

Enabled

Enabled

Forest trusts

N/A

N/A

Enabled

Enabled

Enabled

Enabled

Enabled

Kerberos Forest Search Order

N/A

N/A

N/A

N/A

Enabled

Enabled

Enabled

Linked value replication

N/A

Enabled

Enabled

Enabled

Enabled

Enabled

Enabled

Domain rename

N/A

N/A

Enabled

Enabled

Enabled

Enabled

Enabled

Improved Active Directory replication algorithms

N/A

Enabled

Enabled

Enabled

Enabled

Enabled

Enabled

Dynamic auxiliary classes.

N/A

N/A

Enabled

Enabled

Enabled

Enabled

Enabled

User to InetOrgPerson objectClass change

N/A

N/A

Enabled

Enabled

Enabled

Enabled

Enabled

Basic and query based groups (for roles based auth)

N/A

N/A

Enabled

Enabled

Enabled

Enabled

Enabled

Read Only Domain Controlller

N/A

N/A

Enabled At least 1 DC 2008

Enabled

Enabled

Enabled

Enabled

Admin Role Separation

N/A

N/A

Enabled At least 1 DC 2008

Enabled (with RODC)

Enabled (with RODC)

Enabled (with RODC)

Enabled (with RODC)

Password Replication Policy

N/A

N/A

Enabled At least 1 DC 2008

Enabled (with RODC)

Enabled (with RODC)

Enabled (with RODC)

Enabled (with RODC)

Active Directory Recycle Bin

N/A

N/A

N/A

N/A

Enabled

Enabled

Enabled

Active Directory Recycle Bin User Interface

N/A

N/A

N/A

N/A

Enabled With 1 or more 2012 DCs

Enabled

Enabled

Domain Functional Level Rollback

N/A

N/A

N/A

N/A

N/A

Supported FFL Rollbacks: - DFL = 2012 AND FFL=2008 R2 -> FFL 2008 R2 - DFL = 2012 AND FFL=2008  -> FFL 2008 R2 - DFL = 2012 AND FFL=2008  -> FFL 2008 - DFL = 2008 R2 AND FFL=2008  -> FFL 2008

Supported FFL Rollbacks: - DFL = 2012 AND FFL=2008 R2 -> FFL 2008 R2 - DFL = 2012 AND FFL=2008  -> FFL 2008 R2 - DFL = 2012 AND FFL=2008  -> FFL 2008 - DFL = 2008 R2 AND FFL=2008  -> FFL 2008

Virtualized DC Cloning

N/A

N/A

Enabled PDCe must be on 2012

Enabled PDCe must be on 2012

Enabled PDCe must be on 2012

Enabled PDCe must be on 2012

Enabled PDCe must be on 2012

Domain feature

Windows 2000 mixed

Windows 2000 native

Windows Server 2003

Windows Server 2008

Windows Server 2008 R2

Windows Server 2012

Windows Server 2012 R2

Domain controller rename tool

N/A

N/A

Enabled

Enabled

Enabled

Enabled

Enabled

Update logon timestamp

N/A

N/A

Enabled

Enabled

Enabled

Enabled

Enabled

User password on InetOrgPerson object

N/A

N/A

Enabled

Enabled

Enabled

Enabled

Enabled

Universal Groups

Enabled for distribution groups. Disabled for security groups.

Enabled Allows both security and distribution groups.

Enabled Allows both security and distribution groups.

Enabled Allows both security and distribution groups.

Enabled Allows both security and distribution groups.

Enabled Allows both security and distribution groups.

Enabled Allows both security and distribution groups.

Group Nesting

Enabled for distribution groups. Disabled for security groups, except for domain local security groups that can have global groups as members.

Enabled Allows full group nesting.

Enabled Allows full group nesting.

Enabled Allows full group nesting.

Enabled Allows full group nesting.

Enabled Allows full group nesting.

Enabled Allows full group nesting.

Converting Groups

Disabled

Enabled Allows conversion between security groups and distribution groups.

Enabled Allows conversion between security groups and distribution groups.

Enabled Allows conversion between security groups and distribution groups.

Enabled Allows conversion between security groups and distribution groups.

Enabled Allows conversion between security groups and distribution groups.

Enabled Allows conversion between security groups and distribution groups.

SID history

Disabled

Enabled

Enabled

Enabled

Enabled

Enabled

Enabled

Redirect users and computers

N/A

N/A

Enabled

Enabled

Enabled

Enabled

Enabled

Auth manager can store auth policies

N/A

N/A

Enabled

Enabled

Enabled

Enabled

Enabled

Kerberos Constrained delegation for computers

N/A

N/A

Enabled

Enabled

Enabled

Enabled

Enabled

Kerberos Constrained delegation for computers across  Forests

N/A

N/A

Enabled - 2012  schema update in back-end server's forest - One or more DCs in front-end domain running  2012 - One or more DCs  in back-end domain running  2012

Enabled - 2012  schema update in back-end server's forest - One or more DCs in front-end domain running  2012 - One or more DCs  in back-end domain running  2012

Enabled - 2012  schema update in back-end server's forest - One or more DCs in front-end domain running  2012 - One or more DCs  in back-end domain running  2012

Enabled

Enabled

Selective authentication cross-forest

N/A

N/A

Enabled

Enabled

Enabled

Enabled

Enabled

Fine-grained password policies

N/A

N/A

N/A

Enabled

Enabled

Enabled

Enabled

Fine-Grained Password Policy User Interface

N/A

N/A

N/A

Enabled With 1 or more 2012 DCs

Enabled With 1 or more 2012 DCs

Enabled

Enabled

DFS replication support for the Windows Server 2003 System Volume (SYSVOL)

N/A

N/A

N/A

Enabled

Enabled

Enabled

Enabled

Advanced Encryption Standard (AES 128 and AES 256) support for the Kerberos protocol

N/A

N/A

N/A

Enabled

Enabled

Enabled

Enabled

Last Interactive Logon Information: - The time of the last successful interactive logon for a user - The name of the workstation that the used logged on from - The number of failed logon attempts since the last logon

N/A

N/A

N/A

Enabled

Enabled

Enabled

Enabled

Authentication mechanism assurance for ADFS

N/A

N/A

N/A

N/A

Enabled

Enabled

Enabled

Off line Domain Join

N/A

N/A

N/A

N/A

Enabled

Enabled

Enabled

Off line Domain Join vía DirectAccess

N/A

N/A

Enabled. - At least 1 DC 2012 - Only for 2012 Member Servers and Win8 Clients

Enabled. - At least 1 DC 2012 - Only for 2012 Member Servers and Win8 Clients

Enabled. - At least 1 DC 2012 - Only for 2012 Member Servers and Win8 Clients

Enabled. - Only for 2012 Member Servers and Win8 Clients

Enabled. - Only for 2012 Member Servers and Win8 Clients

Managed Service Accounts

N/A

N/A

Enabled. - At least 1 DC 2008 R2. - Only for 2008 R2+ Member Servers

Enabled. - At least 1 DC 2008 R2. - Only for 2008 R2+ Member Servers

Enabled. - Only for 2008 R2+ Member Servers

Enabled. - Only for 2008 R2+ Member Servers

Enabled. - Only for 2008 R2+ Member Servers

Group Managed Service Accounts

N/A

N/A

Enabled. - At least 1 DC 2012. - Only for 2008 R2+ Member Servers

Enabled. - At least 1 DC 2012. - Only for 2008 R2+ Member Servers

Enabled. - At least 1 DC 2012. - Only for 2008 R2+ Member Servers

Enabled. - Only for 2008 R2+ Member Servers

Enabled. - Only for 2008 R2+ Member Servers

Remote Group Policy Update

N/A

N/A

Enabled. At least 1 DC in 2012.

Enabled. At least 1 DC in 2012.

Enabled. At least 1 DC in 2012.

Enabled

Enabled

Group Policy Report Improvements

N/A

N/A

Enabled. At least 1 DC in 2012.

Enabled. At least 1 DC in 2012.

Enabled. At least 1 DC in 2012.

Enabled

Enabled

Group Policy infrastructure status

N/A

N/A

Enabled. At least 1 DC in 2012.

Enabled. At least 1 DC in 2012.

Enabled. At least 1 DC in 2012.

Enabled

Enabled

Local Group Policy support for Windows RT

N/A

N/A

Enabled. At least 1 DC in 2012.

Enabled. At least 1 DC in 2012.

Enabled. At least 1 DC in 2012.

Enabled

Enabled

KDC Support for Claims

N/A

N/A

N/A

N/A

N/A

Enabled

Enabled

Compound Authentication

N/A

N/A

N/A

N/A

N/A

Enabled

Enabled

Flexible Authentication Secure Tunneling (FAST) (aka Kerberos Armoring)

N/A

N/A

N/A

N/A

N/A

Enabled

Enabled

Domain Functional Level Rollback

N/A

N/A

N/A

N/A

N/A

Supported DFL Rollbacks: - DFL = 2012 AND FFL=2008 R2 -> DFL 2008 R2 - DFL = 2012 AND FFL=2008  -> DFL 2008 R2 - DFL = 2012 AND FFL=2008  -> DFL 2008 - DFL = 2008 R2 AND FFL=2008  -> DFL 2008

Supported DFL Rollbacks: - DFL = 2012 AND FFL=2008 R2 -> DFL 2008 R2 - DFL = 2012 AND FFL=2008  -> DFL 2008 R2 - DFL = 2012 AND FFL=2008  -> DFL 2008 - DFL = 2008 R2 AND FFL=2008  -> DFL 2008

Workplace Join for Windows 8.1 and iOS 5+ devices

N/A

N/A

N/A

                Enabled -  ADFS 3.0 Servers (Windows Server 2012 R2) - Schema of the forest must be  Windows Server 2012 R2 - Group Managed Service accounts for ADFS 3.0 require at least 1 Windows Server 2012 DC - Extranet Access: requires Windows Server 2012 R2 WAP Servers

                Enabled -  ADFS 3.0 Servers (Windows Server 2012 R2) - Schema of the forest must be  Windows Server 2012 R2 - Group Managed Service accounts for ADFS 3.0 require at least 1 Windows Server 2012 DC - Extranet Access: requires Windows Server 2012 R2 WAP Servers

                Enabled -  ADFS 3.0 Servers (Windows Server 2012 R2) - Schema of the forest must be  Windows Server 2012 R2 - Group Managed Service accounts for ADFS 3.0 require at least 1 Windows Server 2012 DC - Extranet Access: requires Windows Server 2012 R2 WAP Servers

                Enabled -  ADFS 3.0 Servers (Windows Server 2012 R2) - Schema of the forest must be  Windows Server 2012 R2 - Group Managed Service accounts for ADFS 3.0 require at least 1 Windows Server 2012 DC - Extranet Access: requires Windows Server 2012 R2 WAP Servers

Second Factor Authentication Across Company Applications Windows 8.1 and iOS 5+ devices

N/A

N/A

N/A

Web Based Single Sign-On (SSO) to resources from known devices (Windows 8.1 and IOS 5+)

N/A

N/A

N/A

Multi-factor Access Control

N/A

N/A

N/A

Work Folders Intranet Access

N/A

N/A

N/A

Enabled File Servers must be Windows Server 2012 R2

Enabled File Servers must be Windows Server 2012 R2

Enabled File Servers must be Windows Server 2012 R2

Enabled File Servers must be Windows Server 2012 R2

Work Folders Extranet  Access

N/A

N/A

N/A

               Enabled - File Servers must be Windows Server 2012 R2 - Same requirements as "Workplace Join"

               Enabled - File Servers must be Windows Server 2012 R2 - Same requirements as "Workplace Join"

               Enabled - File Servers must be Windows Server 2012 R2 - Same requirements as "Workplace Join"

               Enabled - File Servers must be Windows Server 2012 R2 - Same requirements as "Workplace Join"

Kerberos Authentication: KDC Resource Group Compression

N/A

N/A

N/A

N/A

N/A

Enabled

Enabled

Kerberos Authentication:  Kerberos SSPI context token buffer size (Windows 8.x clients)

N/A

N/A

N/A

N/A

N/A

Enabled

Enabled

Kerberos Constrained Delegation Resource-based constrained delegation across domains

N/A

N/A

N/A

N/A

N/A

Enabled

Enabled

Group Policy: Expanded IPv6 Support

N/A

N/A

N/A

N/A

N/A

N/A

Enabled

Group Policy: Policy Caching

N/A

N/A

N/A

N/A

N/A

N/A

Enabled

Protected Users.  Members  signed-on to Windows 8.1 devices and Windows Server 2012 R2 hosts can no longer use: - Default credential delegation (CredSSP) - plaintext credentials are not cached even when the Allow delegating default credentials policy is enabled - Windows Digest - plaintext credentials are not cached even when they are enabled - NTLM - NTOWF is not cached - Kerberos long term keys - Kerberos ticket-granting ticket (TGT) is acquired at logon and cannot be re-acquired automatically -  Sign-on offline - the cached logon verifier is not created

N/A

N/A

N/A

Enabled PDCe must be on Windows Server 2012 R2

Enabled PDCe must be on Windows Server 2012 R2

Enabled PDCe must be on Windows Server 2012 R2

Enabled

Protected Users. Members   members of the group can no longer: - Authenticate by using NTLM authentication - Use DES  or RC4 cipher suites in Kerberos pre-authentication - Be delegated by using unconstrained or constrained delegation - Renew user tickets (TGTs) beyond the initial 4-hour lifetime.

N/A

N/A

N/A

N/A

N/A

N/A

Enabled

Authentication Policy Silos.  Configure authentication policy for each silo in order to control: - Non-renewable TGT lifetime - Access control conditions for returning TGT - Access control conditions for returning service ticket

N/A

N/A

N/A

N/A

N/A

N/A

Enabled

Restrict a user account to specific devices and hosts

N/A

N/A

N/A

N/A

N/A

N/A

Enabled