3.1.1.9 Optional Features
On Windows Server 2008 R2 operating system and later, Active Directory supports a set of optional features. An optional feature is a set of modifications to the Active Directory state model and the Directory Replication Service (DRS) Remote Protocol [MS-DRSR].
Optional features are enabled in some scope. A scope defines the set of DCs participating in the state-model changes that make up the optional feature. Optional features can be forest-wide, domain-wide, or server-wide in scope. A forest-wide optional feature affects the state model of all DCs in the forest when the optional feature is enabled. A domain-wide optional feature affects the state model of all DCs in the domain in which the optional feature is enabled. A server-wide optional feature affects the state model of the DCs in which the optional feature is enabled. AD LDS supports forest-wide and server-wide optional features. In AD LDS, a forest-wide optional feature affects the state model of all AD LDS instances in a configuration set. Domain-wide optional features are not supported in AD LDS.
Scopes are represented by objects in the directory information tree (DIT). The object that represents the forest-wide scope is the Cross-Ref-Container container (see section 6.1.1.2.1). The object that represents a domain-wide scope is the NC root object of the domain. The object that represents a server-wide scope is the nTDSDSA object.
Optional features are represented by instances of the object class msDS-OptionalFeature. Objects representing optional features are stored in the Optional Features container in the Config NC (see section 6.1.1.2.4.1.3).
Optional features are enabled in a scope via the enableOptionalFeature rootDSE modify operation (see section 3.1.1.3.3.28).
The list of optional features enabled for a scope is stored in the msDS-EnabledFeature attribute on the object representing the scope. The value stored is a reference to the specific enabled optional feature.
The list of scopes in which an optional feature is enabled is stored in the msDS-EnabledFeatureBL attribute on the object representing the optional feature. The values stored are references to the objects representing the scopes where the feature is enabled.
The following procedure determines whether an optional feature is enabled in a scope by using the msDS-EnabledFeature attribute:
procedure IsOptionalFeatureEnabled(scope: DSNAME, featureGuid: GUID): boolean
  Returns true if scope!msDS-EnabledFeature contains the DN of an msDS-OptionalFeature object o such that o!msDS-OptionalFeatureGUID equals featureGuid. Returns false otherwise.
Permissible scopes for optional features are specified in the msDS-OptionalFeatureFlags attribute on the object representing the optional feature. If an optional feature is permissible for a forest-wide scope, the attribute contains the bit flag FOREST_OPTIONAL_FEATURE (see section 2.2.17). If an optional feature is permissible for a domain-wide scope, the attribute contains the bit flag DOMAIN_OPTIONAL_FEATURE (see section 2.2.17). If an optional feature is permissible for a server-wide scope, the attribute contains the bit flag SERVER_OPTIONAL_FEATURE (see section 2.2.17). More than one flag can be specified, meaning that the optional feature can be enabled in more than one scope. If none of these flags is specified, an optional feature does not have a scope and, therefore, will not be enabled anywhere.
Whether an optional feature can be disabled is specified in the msDS-OptionalFeatureFlags attribute on the object representing the optional feature. If the feature can be disabled, the attribute contains the bit flag DISABLABLE_OPTIONAL_FEATURE. Absence of this flag means that the feature cannot be disabled once it has been enabled.
Optional features might require Active Directory to be at specific functional levels in order to be enabled.
If an optional feature requires a specific forest functional level before it can be enabled, the forest functional level required is stored in the msDS-RequiredForestBehaviorVersion attribute of the object representing the optional feature.
If an optional feature requires a specific domain functional level before it can be enabled in a domain-wide scope, the domain functional level required is stored in the msDS-RequiredDomainBehaviorVersion attribute of the object representing the optional feature.
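The following Python model, added here as an illustration and not part of [MS-ADTS], puts the IsOptionalFeatureEnabled procedure and the scope, flag and functional-level checks described above into runnable form. The bit values of msDS-OptionalFeatureFlags are assumed from section 2.2.17 of the specification rather than taken from this page, and the DNs and GUID in the sample data are constructed placeholders.

```python
import uuid
from dataclasses import dataclass, field
# msDS-OptionalFeatureFlags bit values: assumed from MS-ADTS section 2.2.17, not given on this page
FOREST_OPTIONAL_FEATURE = 0x00000001
DOMAIN_OPTIONAL_FEATURE = 0x00000002
DISABLABLE_OPTIONAL_FEATURE = 0x00000004
SERVER_OPTIONAL_FEATURE = 0x00000008
SCOPE_FLAG = {"forest": FOREST_OPTIONAL_FEATURE, "domain": DOMAIN_OPTIONAL_FEATURE, "server": SERVER_OPTIONAL_FEATURE}

@dataclass
class OptionalFeature:  # an msDS-OptionalFeature object in the Optional Features container
    dn: str
    feature_guid: uuid.UUID  # msDS-OptionalFeatureGUID
    flags: int  # msDS-OptionalFeatureFlags
    required_forest_version: int = 0  # msDS-RequiredForestBehaviorVersion
    required_domain_version: int = 0  # msDS-RequiredDomainBehaviorVersion
    enabled_feature_bl: list = field(default_factory=list)  # msDS-EnabledFeatureBL: DNs of scopes

@dataclass
class Scope:  # Cross-Ref-Container (forest), domain NC root (domain) or nTDSDSA object (server)
    dn: str
    kind: str  # "forest", "domain" or "server"
    enabled_feature: list = field(default_factory=list)  # msDS-EnabledFeature: DNs of features

def is_optional_feature_enabled(scope, feature_guid, features_by_dn):
    """IsOptionalFeatureEnabled(scope, featureGuid) from the text; features_by_dn resolves DN references."""
    return any(features_by_dn[dn].feature_guid == feature_guid
               for dn in scope.enabled_feature if dn in features_by_dn)

def enable_optional_feature(scope, feature, forest_level, domain_level=0):
    """Checks a DC applies before enabling; returns a refusal reason, or None after enabling."""
    if not feature.flags & SCOPE_FLAG[scope.kind]:  # no flag for this scope kind: never enabled here
        return f"feature is not permissible in a {scope.kind}-wide scope"
    if forest_level < feature.required_forest_version:
        return "forest functional level is below msDS-RequiredForestBehaviorVersion"
    if scope.kind == "domain" and domain_level < feature.required_domain_version:
        return "domain functional level is below msDS-RequiredDomainBehaviorVersion"
    if feature.dn not in scope.enabled_feature:  # forward link and back link are kept in step
        scope.enabled_feature.append(feature.dn)
        feature.enabled_feature_bl.append(scope.dn)
    return None

def can_disable(feature):
    return bool(feature.flags & DISABLABLE_OPTIONAL_FEATURE)  # absent flag: permanent once enabled

def demo():  # constructed sample: a forest-only, non-disablable feature requiring forest level 4
    f = OptionalFeature("CN=Feature A,CN=Optional Features,CN=Configuration,DC=example,DC=test",
                        uuid.UUID("11111111-2222-3333-4444-555555555555"), FOREST_OPTIONAL_FEATURE, 4)
    forest = Scope("CN=Partitions,CN=Configuration,DC=example,DC=test", "forest")
    refused = enable_optional_feature(forest, f, forest_level=3)  # refused: level too low
    accepted = enable_optional_feature(forest, f, forest_level=4)  # None: now enabled
    return refused, accepted, is_optional_feature_enabled(forest, f.feature_guid, {f.dn: f}), can_disable(f)
```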
The following table shows the optional features that are available in applicable Windows Server releases.
The table contains information for the following products. See section 3 for more information.
M --> Windows Server 2008 R2
R --> Windows Server 2012 operating system
U --> Windows Server 2012 R2 operating system
X --> Windows Server 2016 operating system
A2 --> Windows Server v1709 operating system
D2 --> Windows Server v1803 operating system
G2 --> Windows Server v1809 operating system
J2 --> Windows Server 2019 operating system
Optional feature name | M, R, U | X, A2, D2, G2, J2
Privileged Access Management