Back in 2015 I came across the tables below and copied them straight into my OneNote; having them at hand for a quick overview during a technical argument can save a lot of time.
Fortunately, the editor in Joomla also accepted my copy and paste from OneNote without complaint, which unfortunately has not always been the case.
Table 1: Active Directory features supported by different VERSIONS of Windows Server
| AD feature | Windows 2000 | Windows Server 2003 | Windows Server 2008 | Windows Server 2008 R2 | Windows Server 2012 | Windows Server 2012 R2 |
|---|---|---|---|---|---|---|
| Group Policy Preferences | N/A | SP1 | Enabled | Enabled | Enabled | Enabled |
| Operation-based Auditing | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| DNS Application Partitions | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| DNS Stub Zones | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| DNS Conditional Forwarding | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| DNS Background Zone Loading | N/A | N/A | Enabled | Enabled | Enabled | Enabled |
| DNS GlobalNames Zone | N/A | N/A | Enabled | Enabled | Enabled | Enabled |
| DNS Settings via GPO | N/A | N/A | N/A | Vista+ clients | Vista+ clients | Vista+ clients |
| DNS Security Extensions (DNSSEC) | N/A | N/A | N/A | Enabled | Enabled | Enabled |
| DNSSEC: online signing, automated key management and other enhancements | N/A | N/A | N/A | N/A | Enabled | Enabled |
| DNSSEC: support for Key Master role | N/A | N/A | N/A | N/A | N/A | Enabled |
| DNS Devolution | N/A | N/A | N/A | Enabled | Enabled | Enabled |
| DNS Cache Locking | N/A | N/A | N/A | Enabled | Enabled | Enabled |
| DNS Socket Pool | N/A | N/A | N/A | Enabled | Enabled | Enabled |
| NTLM minimum session security encryption (default) | 40/56 bits | 40/56 bits | 40/56 bits | 128 bits | 128 bits | 128 bits |
| NTLM restriction | N/A | N/A | N/A | Enabled | Enabled | Enabled |
| Kerberos DES cipher suites (default configuration) | Enabled | Enabled | Enabled | Disabled by default | Disabled by default | Disabled by default |
| Per User Selective Auditing | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| Logon/Logoff Auditing events with IP/User Name/Workstation Name | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| Account Management auditing: Group Membership Changes | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| Directory Services Auditing | ON/OFF (single category: Directory Access) | Enabled | 59 granular settings | 59 granular settings | 59 granular settings | 59 granular settings |
| Auditing of Removable Storage Devices | N/A | N/A | N/A | N/A | Only Win8 clients | Only Win8 clients |
| AD Database Mounting Tool | N/A | N/A | Enabled | Enabled | Enabled | Enabled |
| Restartable Directory Services | N/A | N/A | Enabled | Enabled | Enabled | Enabled |
| Install Replica from Media | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| DCPromo /Forceremoval | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| Confidential Attributes | N/A | SP1 | Enabled | Enabled | Enabled | Enabled |
| Access Based Enumeration | N/A | SP1 | Enabled | Enabled | Enabled | Enabled |
| Directory Partition Quotas | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| LDAP bind to rootDSE | Anonymous | Authenticated Users | Authenticated Users | Authenticated Users | Authenticated Users | Authenticated Users |
| Single-Instance Security Descriptors | N/A | Enabled; DB must be defragmented after upgrade | Enabled; DB must be defragmented after upgrade | Enabled; DB must be defragmented after upgrade | Enabled; DB must be defragmented after upgrade | Enabled; DB must be defragmented after upgrade |
| Garbage Collection | Tombstones purged every 12 hrs (default); 5000 objects per batch; if > 5000, every 50% of the tombstone purge cycle | No limits per batch | No limits per batch | No limits per batch | No limits per batch | No limits per batch |
| ADUC: protect container from accidental deletion | N/A | N/A | Enabled | Enabled | Enabled | Enabled |
| ADUC: drag'n'drop warning | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| Directory Services Backup Reminders | N/A | SP1 | Enabled | Enabled | Enabled | Enabled |
| Active Directory Administrative Center | N/A | At least 1 DC 2008 R2 | At least 1 DC 2008 R2 | Enabled | Enabled | Enabled |
| Active Directory Best Practices Analyzer | N/A | At least 1 DC 2008 R2 | At least 1 DC 2008 R2 | Enabled | Enabled | Enabled |
| Active Directory Web Services | N/A | At least 1 DC 2008 R2 | At least 1 DC 2008 R2 | Enabled | Enabled | Enabled |
| Block the creation of duplicate service principal names (SPN) and user principal names (UPN) | N/A | N/A | N/A | N/A | N/A | Enabled |
| Command line process auditing | N/A | N/A | N/A | N/A | N/A | Enabled |
| Restricted Admin mode for Remote Desktop Connection | N/A | N/A | N/A | N/A | N/A | Enabled |
| LDAP query optimizer algorithm improved | N/A | N/A | N/A | N/A | N/A | Enabled |
| LDAP search result statistics (event ID 1644) | N/A | N/A | N/A | N/A | Enabled | Enabled |
| LDAP search result statistics (event ID 1644): additional statistics | N/A | N/A | Enabled with hotfix KB2800945 | Enabled with hotfix KB2800945 | Enabled with hotfix KB2800945 | Enabled |
| Active Directory replication throughput improvement (maximum AD replication throughput raised from 40 Mbps to around 600 Mbps) | N/A | N/A | N/A | N/A | N/A | Enabled between 2012 R2 DCs |
Table 2: Active Directory features supported by different FOREST functional levels
| Forest feature | Windows 2000 | Windows 2003 Interim | Windows Server 2003 | Windows Server 2008 | Windows Server 2008 R2 | Windows Server 2012 | Windows Server 2012 R2 |
|---|---|---|---|---|---|---|---|
| Global catalog replication improvements | Enabled if both replication partners are running Windows Server 2003 | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
| Defunct schema objects (schema de-/reactivation) | N/A | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| Forest trusts | N/A | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| Kerberos Forest Search Order | N/A | N/A | N/A | N/A | Enabled | Enabled | Enabled |
| Linked value replication | N/A | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
| Domain rename | N/A | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| Improved Active Directory replication algorithms | N/A | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
| Dynamic auxiliary classes | N/A | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| User to InetOrgPerson objectClass change | N/A | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| Basic and query-based groups (for role-based auth) | N/A | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| Read Only Domain Controller | N/A | N/A | Enabled; at least 1 DC 2008 | Enabled | Enabled | Enabled | Enabled |
| Admin Role Separation | N/A | N/A | Enabled; at least 1 DC 2008 | Enabled (with RODC) | Enabled (with RODC) | Enabled (with RODC) | Enabled (with RODC) |
| Password Replication Policy | N/A | N/A | Enabled; at least 1 DC 2008 | Enabled (with RODC) | Enabled (with RODC) | Enabled (with RODC) | Enabled (with RODC) |
| Active Directory Recycle Bin | N/A | N/A | N/A | N/A | Enabled | Enabled | Enabled |
| Active Directory Recycle Bin User Interface | N/A | N/A | N/A | N/A | Enabled with 1 or more 2012 DCs | Enabled | Enabled |
| Forest Functional Level Rollback | N/A | N/A | N/A | N/A | N/A | Supported FFL rollbacks: DFL = 2012 AND FFL = 2008 R2 -> FFL 2008 R2; DFL = 2012 AND FFL = 2008 -> FFL 2008 R2; DFL = 2012 AND FFL = 2008 -> FFL 2008; DFL = 2008 R2 AND FFL = 2008 -> FFL 2008 | Supported FFL rollbacks: DFL = 2012 AND FFL = 2008 R2 -> FFL 2008 R2; DFL = 2012 AND FFL = 2008 -> FFL 2008 R2; DFL = 2012 AND FFL = 2008 -> FFL 2008; DFL = 2008 R2 AND FFL = 2008 -> FFL 2008 |
| Virtualized DC Cloning | N/A | N/A | Enabled; PDCe must be on 2012 | Enabled; PDCe must be on 2012 | Enabled; PDCe must be on 2012 | Enabled; PDCe must be on 2012 | Enabled; PDCe must be on 2012 |
Table 3: Active Directory features supported by different DOMAIN functional levels
| Domain feature | Windows 2000 mixed | Windows 2000 native | Windows Server 2003 | Windows Server 2008 | Windows Server 2008 R2 | Windows Server 2012 | Windows Server 2012 R2 |
|---|---|---|---|---|---|---|---|
| Domain controller rename tool | N/A | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| Update logon timestamp | N/A | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| User password on InetOrgPerson object | N/A | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| Universal Groups | Enabled for distribution groups; disabled for security groups | Enabled; allows both security and distribution groups | Enabled; allows both security and distribution groups | Enabled; allows both security and distribution groups | Enabled; allows both security and distribution groups | Enabled; allows both security and distribution groups | Enabled; allows both security and distribution groups |
| Group Nesting | Enabled for distribution groups; disabled for security groups, except that domain local security groups can have global groups as members | Enabled; allows full group nesting | Enabled; allows full group nesting | Enabled; allows full group nesting | Enabled; allows full group nesting | Enabled; allows full group nesting | Enabled; allows full group nesting |
| Converting Groups | Disabled | Enabled; allows conversion between security groups and distribution groups | Enabled; allows conversion between security groups and distribution groups | Enabled; allows conversion between security groups and distribution groups | Enabled; allows conversion between security groups and distribution groups | Enabled; allows conversion between security groups and distribution groups | Enabled; allows conversion between security groups and distribution groups |
| SID history | Disabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
| Redirect users and computers | N/A | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| Authorization Manager can store authorization policies | N/A | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| Kerberos constrained delegation for computers | N/A | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| Kerberos constrained delegation for computers across forests | N/A | N/A | Enabled; 2012 schema update in back-end server's forest; one or more DCs in front-end domain running 2012; one or more DCs in back-end domain running 2012 | Enabled; 2012 schema update in back-end server's forest; one or more DCs in front-end domain running 2012; one or more DCs in back-end domain running 2012 | Enabled; 2012 schema update in back-end server's forest; one or more DCs in front-end domain running 2012; one or more DCs in back-end domain running 2012 | Enabled | Enabled |
| Selective authentication cross-forest | N/A | N/A | Enabled | Enabled | Enabled | Enabled | Enabled |
| Fine-grained password policies | N/A | N/A | N/A | Enabled | Enabled | Enabled | Enabled |
| Fine-Grained Password Policy User Interface | N/A | N/A | N/A | Enabled with 1 or more 2012 DCs | Enabled with 1 or more 2012 DCs | Enabled | Enabled |
| DFS replication support for the Windows Server 2003 System Volume (SYSVOL) | N/A | N/A | N/A | Enabled | Enabled | Enabled | Enabled |
| Advanced Encryption Standard (AES 128 and AES 256) support for the Kerberos protocol | N/A | N/A | N/A | Enabled | Enabled | Enabled | Enabled |
| Last Interactive Logon Information: time of the last successful interactive logon for a user; name of the workstation the user logged on from; number of failed logon attempts since the last logon | N/A | N/A | N/A | Enabled | Enabled | Enabled | Enabled |
| Authentication mechanism assurance for ADFS | N/A | N/A | N/A | N/A | Enabled | Enabled | Enabled |
| Offline Domain Join | N/A | N/A | N/A | N/A | Enabled | Enabled | Enabled |
| Offline Domain Join via DirectAccess | N/A | N/A | Enabled; at least 1 DC 2012; only for 2012 member servers and Win8 clients | Enabled; at least 1 DC 2012; only for 2012 member servers and Win8 clients | Enabled; at least 1 DC 2012; only for 2012 member servers and Win8 clients | Enabled; only for 2012 member servers and Win8 clients | Enabled; only for 2012 member servers and Win8 clients |
| Managed Service Accounts | N/A | N/A | Enabled; at least 1 DC 2008 R2; only for 2008 R2+ member servers | Enabled; at least 1 DC 2008 R2; only for 2008 R2+ member servers | Enabled; only for 2008 R2+ member servers | Enabled; only for 2008 R2+ member servers | Enabled; only for 2008 R2+ member servers |
| Group Managed Service Accounts | N/A | N/A | Enabled; at least 1 DC 2012; only for 2008 R2+ member servers | Enabled; at least 1 DC 2012; only for 2008 R2+ member servers | Enabled; at least 1 DC 2012; only for 2008 R2+ member servers | Enabled; only for 2008 R2+ member servers | Enabled; only for 2008 R2+ member servers |
| Remote Group Policy Update | N/A | N/A | Enabled; at least 1 DC on 2012 | Enabled; at least 1 DC on 2012 | Enabled; at least 1 DC on 2012 | Enabled | Enabled |
| Group Policy Report Improvements | N/A | N/A | Enabled; at least 1 DC on 2012 | Enabled; at least 1 DC on 2012 | Enabled; at least 1 DC on 2012 | Enabled | Enabled |
| Group Policy infrastructure status | N/A | N/A | Enabled; at least 1 DC on 2012 | Enabled; at least 1 DC on 2012 | Enabled; at least 1 DC on 2012 | Enabled | Enabled |
| Local Group Policy support for Windows RT | N/A | N/A | Enabled; at least 1 DC on 2012 | Enabled; at least 1 DC on 2012 | Enabled; at least 1 DC on 2012 | Enabled | Enabled |
| KDC Support for Claims | N/A | N/A | N/A | N/A | N/A | Enabled | Enabled |
| Compound Authentication | N/A | N/A | N/A | N/A | N/A | Enabled | Enabled |
| Flexible Authentication Secure Tunneling (FAST), aka Kerberos Armoring | N/A | N/A | N/A | N/A | N/A | Enabled | Enabled |
| Domain Functional Level Rollback | N/A | N/A | N/A | N/A | N/A | Supported DFL rollbacks: DFL = 2012 AND FFL = 2008 R2 -> DFL 2008 R2; DFL = 2012 AND FFL = 2008 -> DFL 2008 R2; DFL = 2012 AND FFL = 2008 -> DFL 2008; DFL = 2008 R2 AND FFL = 2008 -> DFL 2008 | Supported DFL rollbacks: DFL = 2012 AND FFL = 2008 R2 -> DFL 2008 R2; DFL = 2012 AND FFL = 2008 -> DFL 2008 R2; DFL = 2012 AND FFL = 2008 -> DFL 2008; DFL = 2008 R2 AND FFL = 2008 -> DFL 2008 |
| Workplace Join for Windows 8.1 and iOS 5+ devices | N/A | N/A | N/A | Enabled; ADFS 3.0 servers (Windows Server 2012 R2); forest schema must be Windows Server 2012 R2; Group Managed Service Accounts for ADFS 3.0 require at least 1 Windows Server 2012 DC; extranet access requires Windows Server 2012 R2 WAP servers | Enabled; ADFS 3.0 servers (Windows Server 2012 R2); forest schema must be Windows Server 2012 R2; Group Managed Service Accounts for ADFS 3.0 require at least 1 Windows Server 2012 DC; extranet access requires Windows Server 2012 R2 WAP servers | Enabled; ADFS 3.0 servers (Windows Server 2012 R2); forest schema must be Windows Server 2012 R2; Group Managed Service Accounts for ADFS 3.0 require at least 1 Windows Server 2012 DC; extranet access requires Windows Server 2012 R2 WAP servers | Enabled; ADFS 3.0 servers (Windows Server 2012 R2); forest schema must be Windows Server 2012 R2; Group Managed Service Accounts for ADFS 3.0 require at least 1 Windows Server 2012 DC; extranet access requires Windows Server 2012 R2 WAP servers |
| Second Factor Authentication across company applications (Windows 8.1 and iOS 5+ devices) | N/A | N/A | N/A | | | | |
| Web-based Single Sign-On (SSO) to resources from known devices (Windows 8.1 and iOS 5+) | N/A | N/A | N/A | | | | |
| Multi-factor Access Control | N/A | N/A | N/A | | | | |
| Work Folders Intranet Access | N/A | N/A | N/A | Enabled; file servers must be Windows Server 2012 R2 | Enabled; file servers must be Windows Server 2012 R2 | Enabled; file servers must be Windows Server 2012 R2 | Enabled; file servers must be Windows Server 2012 R2 |
| Work Folders Extranet Access | N/A | N/A | N/A | Enabled; file servers must be Windows Server 2012 R2; same requirements as "Workplace Join" | Enabled; file servers must be Windows Server 2012 R2; same requirements as "Workplace Join" | Enabled; file servers must be Windows Server 2012 R2; same requirements as "Workplace Join" | Enabled; file servers must be Windows Server 2012 R2; same requirements as "Workplace Join" |
| Kerberos Authentication: KDC Resource Group Compression | N/A | N/A | N/A | N/A | N/A | Enabled | Enabled |
| Kerberos Authentication: Kerberos SSPI context token buffer size (Windows 8.x clients) | N/A | N/A | N/A | N/A | N/A | Enabled | Enabled |
| Kerberos Constrained Delegation: resource-based constrained delegation across domains | N/A | N/A | N/A | N/A | N/A | Enabled | Enabled |
| Group Policy: Expanded IPv6 Support | N/A | N/A | N/A | N/A | N/A | N/A | Enabled |
| Group Policy: Policy Caching | N/A | N/A | N/A | N/A | N/A | N/A | Enabled |
| Protected Users: members signed on to Windows 8.1 devices and Windows Server 2012 R2 hosts can no longer use default credential delegation (CredSSP; plaintext credentials are not cached even when the "Allow delegating default credentials" policy is enabled), Windows Digest (plaintext credentials are not cached even when enabled), NTLM (NTOWF is not cached), Kerberos long-term keys (the Kerberos ticket-granting ticket (TGT) is acquired at logon and cannot be re-acquired automatically), or offline sign-on (the cached logon verifier is not created) | N/A | N/A | N/A | Enabled; PDCe must be on Windows Server 2012 R2 | Enabled; PDCe must be on Windows Server 2012 R2 | Enabled; PDCe must be on Windows Server 2012 R2 | Enabled |
| Protected Users: members of the group can no longer authenticate by using NTLM authentication, use DES or RC4 cipher suites in Kerberos pre-authentication, be delegated by using unconstrained or constrained delegation, or renew user tickets (TGTs) beyond the initial 4-hour lifetime | N/A | N/A | N/A | N/A | N/A | N/A | Enabled |
| Authentication Policy Silos: configure an authentication policy for each silo in order to control the non-renewable TGT lifetime, access control conditions for returning a TGT, and access control conditions for returning a service ticket | N/A | N/A | N/A | N/A | N/A | N/A | Enabled |
| Restrict a user account to specific devices and hosts | N/A | N/A | N/A | N/A | N/A | N/A | Enabled |
Pasted from <http://cdn.techgenix.com/static/wsn-newsletter-2015-02-09.html>