Overview

When attempting to install the Kerio Active Directory Extension (KADE) 64-bit on a Windows 10 or Windows 11 workstation — even with Remote Server Administration Tools (RSAT) installed — the installer reports the following error:

"Active Directory Extension for Kerio Connect requires Windows Server or client server administration tools installed."

This is expected behaviour, not a bug. KADE is only supported on Windows Server 2016, 2019, and 2022. Windows 10/11 client operating systems are not supported installation targets, regardless of whether RSAT is present or whether registry keys are added. This article explains the correct installation target, and describes supported ways to manage Kerio Connect user provisioning without requiring interactive logons to Domain Controllers for day-to-day tasks.

In This Article

• Supported Operating Systems for KADE
• Installing KADE on the Correct Server
• Managing User Provisioning Without Interactive DC Logons
  • Option A: Activate Users from Kerio Connect Administration
  • Option B: Use the Kerio Activation Attribute in Active Directory
• Additional Information
• FAQ

Supported Operating Systems for KADE

The Kerio Active Directory Extension (KADE) 64-bit is listed under Directory Server Extensions in the Kerio Connect System Requirements and is officially supported only on:

• Windows Server 2022
• Windows Server 2019
• Windows Server 2016

Windows 10 and Windows 11 — including configurations with RSAT installed — are not supported KADE installation targets. Adding registry keys does not override this check. The correct installation target is the Active Directory Schema Master (typically the primary Domain Controller in most environments).

For the full system requirements, see: Kerio Connect System Requirements.

Installing KADE on the Correct Server

Step 1: Identify the Schema Master

Run the following command on any Domain Controller to find which server holds the Schema Master FSMO role:

netdom query fsmo

Note the server name listed next to Schema Master.

Step 2: Download the KADE Installer

Log in to the Schema Master (Domain Controller) with appropriate privileges (Domain Admin / Schema Admin), then download the KADE installer from: Downloading Kerio Connect Directory Extensions and Migration Tools.

Step 3: Install KADE on the Domain Controller

Run the installer as Administrator on the Schema Master. For step-by-step guidance see: Installing Kerio Active Directory Extension (KADE).

For a general reference and overview see: Kerio Active Directory Extension.

Step 4: Connect Kerio Connect to Active Directory

After KADE is installed, connect Kerio Connect to your directory service from the Kerio Connect WebAdmin. See: Connecting Kerio Connect to Directory Services.

Step 5: If the Installer Still Fails on the Domain Controller

During installation, use View Log / Save Log File. KADE setup logs are saved by default under:

C:\Users\<username>\AppData\Local\Temp

Share the log with GFI Support for further analysis.

Managing User Provisioning Without Interactive DC Logons

Many administrators manage Active Directory users from Windows 10/11 workstations using RSAT — a standard security practice that avoids routine interactive logons to Domain Controllers. KADE only needs to be installed once on the Schema Master (and re-run for upgrades). Day-to-day user lifecycle operations do not require interactive DC logons, because Kerio Connect's directory mapping is one-way: changes made in Active Directory (add, modify, remove users/groups) are automatically applied to Kerio Connect.

There are two supported methods to provision or activate Kerio Connect mailboxes without logging into a Domain Controller each time:

Option A: Activate Users from Kerio Connect Administration (Recommended)

After an AD user account has been created (from any RSAT-enabled workstation), you can activate the corresponding Kerio Connect mailbox directly from the Kerio Connect Administration interface — no DC logon required:

1. Log in to Kerio Connect Administration.
2. Navigate to Accounts > Users > Add.
3. Select Activate an existing user from Directory Service.
4. Find and select the AD user, then complete the activation.

See: Connecting Kerio Connect to Directory Services.

Option B: Use the Kerio Activation Attribute in Active Directory

Kerio Connect monitors a dedicated AD attribute to determine whether an account should be provisioned. You can set this attribute from any RSAT-enabled workstation using standard AD tools:

• Attribute name: Kerio-Mail-Active
• Setting the value to 1 activates/provisions the account in Kerio Connect.

This approach allows administrators to fully manage the Kerio Connect user lifecycle from their Windows 10/11 admin workstations without ever needing to log on to a Domain Controller for routine provisioning tasks.

Additional Information

Why registry keys do not fix the installer error: The KADE installer checks the underlying operating system type, not just the presence of AD management tools. No registry workaround can change a Windows 10/11 system into a supported Windows Server OS for this check.

Directory sync is one-way: Kerio Connect reads from Active Directory; it does not write back. This means all identity management continues to be driven from AD, consistent with standard AD administration practices.

KADE only needs to be installed once: After the initial setup on the Schema Master, you only need to return to that server when upgrading KADE itself. All other Kerio Connect user management can be handled remotely via the Kerio Connect WebAdmin or via the Kerio-Mail-Active AD attribute.

FAQ

Q1: Can I install KADE on a Windows 11 workstation if I add specific registry keys?
A1: No. The KADE installer checks the OS type, and Windows 10/11 is not a supported platform regardless of registry modifications or whether RSAT is installed. KADE must be installed on a Windows Server 2016, 2019, or 2022 Domain Controller (the Schema Master).

Q2: Do I need to log on to the Domain Controller every time I add a new user in Kerio Connect?
A2: No. Once KADE is installed on the Schema Master, you can activate new Kerio Connect mailboxes in two ways without a DC logon: (1) through the Kerio Connect Administration interface (Accounts > Users > Add > Activate an existing user from Directory Service), or (2) by setting the Kerio-Mail-Active attribute to 1 on the AD user object from any RSAT-enabled workstation.

Q3: Is there a plan to support KADE on Windows 10/11?
A3: There is no announced roadmap item to add Windows 10/11 client OS support for KADE. The supported workarounds described in this article (Kerio Connect Administration UI activation and the Kerio-Mail-Active attribute) are the recommended approaches for environments where administrators manage AD from workstations rather than logging into Domain Controllers.