Microsoft has added numerous features to Active Directory over the last couple of years. In addition, more and more technologies in products like Exchange Server, SharePoint Server and the Windows client (Windows Vista, Windows 7) offer an Active Directory opt-in to store their information in Active Directory.

All this bountiful integration, however, comes with a price. The price in the case of Active Directory comes in three guises:

  • Operating System (OS) on the Active Directory Domain Controllers (DCs)
  • Active Directory Domain Functional Level
  • Active Directory Forest Functional Level

The table below shows the dependencies that Active Directory features (like Group Policy Preferences, the Active Directory Best Practices Analyzer and Read-only Domain Controllers) and Active Directory opt-in technologies (like BitLocker Recovery Key Storage and DirectAccess) have with regard to the list above:

Legend: Red = Not Available, Orange = Required Set, Green = Available, Grey = Depends




1 This feature requires the Group Policy Preferences Client Side Extensions on Windows clients. When no Windows Server 2008-based Domain Controllers are in use, the Group Policy Preferences need to be managed from a workstation with at least Windows Vista SP1 (Windows 7 recommended).
2 For Windows Server 2003 and Windows Server 2008-based Domain Controllers the Active Directory Management Gateway Service needs to be installed. When no Windows Server 2008 R2-based Domain Controllers are in use, the management features can be accessed from a Windows 7 management workstation.
3 Managed Service Accounts (MSAs) are virtual domain accounts that can be used on Windows 7 and Windows Server 2008 R2 in Active Directory environments running the Windows Server 2003 and Windows Server 2008 functional levels. Domains at the Windows Server 2008 R2 functional level provide native support for both automatic password management and SPN management.
4 In environments with multiple Domain Controllers, this feature requires the Domain Controllers participating in this feature to be installed with at least Windows Server 2008.
5 Enabled by default when an Active Directory domain is first set up using a Windows Server 2008 Domain Controller. Workaround available for Windows Server 2003-based Active Directory environments. (More info)
6 Enabled by default when an Active Directory domain is first set up using a Windows Server 2008 Domain Controller with the Windows Server 2008 Domain Functional Level. Requires a Sysvol FRS to DFS-R migration when migrating from a Windows Server 2003 environment. (More info)
7 Requires the BitLockerTPMSchemaExtension.ldf schema extension on Domain Controllers running Windows Server 2003. Also, all Domain Controllers need to be running at least Windows Server 2003 with Service Pack 1. (More info)
8 Requires at least one domain controller and DNS server that is running Windows Server 2008 SP2+ or Windows Server 2008 R2. When UAG is used, DirectAccess can be deployed with DNS servers and domain controllers that are running Windows Server 2003 when NAT64 functionality is enabled.
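
To see where an existing environment stands on the three points listed at the top (Domain Controller OS, Domain Functional Level, Forest Functional Level), the following script inventories them. It is an added example, not part of the original article. It assumes the ActiveDirectory PowerShell module (Remote Server Administration Tools on Windows 7, or Windows Server 2008 R2) and, as note 2 describes, a Domain Controller reachable through Active Directory Web Services or the Active Directory Management Gateway Service.

```powershell
# Added example: inventory the forest functional level, each domain's
# functional level and the operating system of every Domain Controller.
Import-Module ActiveDirectory

$forest = Get-ADForest
"Forest {0}: forest functional level {1}" -f $forest.Name, $forest.ForestMode

foreach ($domainName in $forest.Domains) {
    $domain = Get-ADDomain -Identity $domainName -Server $domainName
    "Domain {0}: domain functional level {1}" -f $domain.DNSRoot, $domain.DomainMode

    # One row per Domain Controller: OS, service pack and read-only status.
    $dcs = Get-ADDomainController -Filter * -Server $domainName
    $dcs | Sort-Object OperatingSystemVersion |
        Format-Table HostName, OperatingSystem, OperatingSystemServicePack,
                     OperatingSystemVersion, IsReadOnly -AutoSize

    # OS mix per domain: the oldest DC OS decides which notes apply.
    $dcs | Group-Object OperatingSystem |
        Format-Table Count, Name -AutoSize

    # Assumption: OperatingSystemVersion starts with "major.minor", e.g.
    # "5.2 (3790)" for Windows Server 2003 and "6.0 (6002)" for 2008 SP2.
    # A major version below 6 means the DC predates Windows Server 2008.
    $legacy = $dcs | Where-Object {
        $_.OperatingSystemVersion -match '^(\d+)\.(\d+)' -and
        [int]$Matches[1] -lt 6
    }
    if ($legacy) {
        $names = ($legacy | ForEach-Object { $_.HostName }) -join ', '
        "DCs older than Windows Server 2008 in ${domainName}: $names"
        "  Check service pack level (note 7) and the Windows Server 2003 notes above."
    }
}
```

The functional levels can only be as high as the oldest Domain Controller OS allows, so the per-domain OS mix is the first thing to compare against the table and notes.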

