A while ago, I wrote a blogpost on the requirements you’d need to meet to take advantage of Active Directory features in Windows Server 2003 through Windows Server 2008 R2. Since Windows Server 2012 was released almost a year ago, it’s time to look at the requirements for Active Directory features in Windows Server 2012.
The table below shows the dependencies Active Directory features, like Active Directory-based Activation, Resource SID Compression, Exposed Distinguished Name Tags (DNTs), Deferred Index Creation, group Managed Service Accounts (gMSAs), Domain Controller Cloning, Kerberos Armoring and Dynamic Access Control (DAC) have:
1 Active Directory-based Activation requires the Windows Server 2012 schema extensions. This means adprep.exe needs to have been run. To report on Active Directory-based Activation you will need VAMT.
2 To point the PowerShell commands to a Domain Controller, this Domain Controller needs to run the Active Directory Web Services (ADWS). This is available since Windows Server 2008 R2 and as a separate download for Windows Server 2003 and Windows Server 2008. ADWS is not available for Server Core installations of Windows Server 2008.
3 You will need to meet the requirements for the Fine-Grained Password Policies to be able to use the Fine-Grained Password policies GUI. The Domain Functional Level will need to be Windows Server 2008, to be able to utilize this feature.
4 You will need to meet the requirements for the Active Directory Recycle Bin to be able to use this feature. The Forest Functional Level will need to be Windows Server 2008 R2, to be able to utilize this feature.
5 Computers used by colleagues to access the service need to run Windows XP or later. Front-end servers need to run Windows Server 2012. Back-end server accounts need to be configured with accounts that are permitted for impersonation.Back-end application servers need to be running Windows Server 2003 or later.
6 The Domain Controller will need to be deployed the Active Directory Module for Windows PowerShell feature installed. The Windows Server 2008 R2 Domain Functional Level is recommended for automatic password and SPN management.
7 To activate the Virtualization safeguards, the Domain Controller needs to be run on a VM-GenerationID-capable virtualization platform and the Integration Components / Tools need to be installed and running.
8 The source Domain Controller needs to be run on a VM-GenerationID-capable virtualization platform and the Integration Components / Tools need to be installed and running. A Windows Server 2012 Domain Controller with the PDC emulator (PDCe) Flexible Single Master Operations (FSMO) role should be available to the destination Domain Controller during cloning.
9 Requires djoin.exe on Windows 8, Windows RT or Windows Server 2012, that needs to be run by a user account with sufficient permissions to create computer accounts.
10 The RID Pool Master Flexible Single Master Operations (FSMO) needs to be run held by a Windows Server 2012-based Domain Controller for this functionality.
11 When FAST is enabled, Windows 8 clients will only communicate with Windows Server 2012 Domain Controllers. This might create a pile-on effect. Therefore, ensure you have sufficient Domain Controllers to prevent authentication traffic passing Active Directory site links.
12 File Servers with access based on claims need to run Windows Server 2012 and have the File Server Resource Manager (FSRM) Role Service installed.