Active Directory and network requirements for Microsoft Dynamics 365


Updated: December 9, 2016

Applies To: Dynamics 365 (on-premises), Dynamics CRM 2016

Active Directory Domain Services (AD DS) is a feature of the Windows Server operating systems. AD DS provides a directory and security structure for network applications such as Microsoft Dynamics 365.

As with most applications that rely on a directory service, Microsoft Dynamics 365 has dependencies that are important for operation, such as use of AD DS to store user and group information and to create application security.

Microsoft Dynamics 365 Server should only be installed on a Windows Server that is a domain member. The domain where the server is located must be running in one of the Active Directory domain functional levels listed in the Active Directory modes topic.

When you configure Microsoft Dynamics 365 for Internet-facing access it requires federated services that support claims-based authentication. We recommend Active Directory Federation Services (AD FS) in Microsoft Windows Server.

Active Directory Federation Services (AD FS) is a highly secure, highly extensible, and Internet-scalable identity access solution that allows organizations to authenticate users from partner organizations. Using AD FS in Microsoft Windows Server, you can easily and very securely grant external users access to your organization’s domain resources. AD FS can also simplify integration between untrusted resources and domain resources within your own organization.

AD FS is available as a server role in Windows Server.

Active Directory Federation Services (AD FS) requires two types of digital certificates:

  • Claims encryption. Claims-based authentication requires identities to provide an encryption certificate for authentication. This certificate should be trusted by the computer where you are installing Microsoft Dynamics 365 Server, so it must be located in the local Personal store where the Configure Claims-Based Authentication Wizard is running.

  • TLS/SSL (HTTPS) encryption. The certificates for TLS/SSL encryption should be valid for host names similar to,, and To satisfy this requirement you can use a single wildcard certificate (*, a certificate that supports subject alternative names, or individual certificates for each name. Individual certificates for each host name are only valid if you use different servers for each web server role. Multiple IIS bindings, such as a website with two HTTPS or two HTTP bindings, aren’t supported for running Microsoft Dynamics 365. For more information about the options that are available to you, contact your certification authority service company or your certification authority administrator.

To meet these requirements, your organization should have a public key infrastructure or a contract with a digital certificate provider such as VeriSign, GoDaddy, or Comodo.

This version of Microsoft Dynamics 365 works with IPv6 either alone or together with IPv4 within environments that have networks where IPv6 is supported.

© 2016 Microsoft. All rights reserved. Copyright