AD DS has not received any significant updates since Windows Server 2016, and the functional level did not increase in Server 2019/2022. However, this will change with the next release of the operating system in the Long Term Servicing Channel (LTSC), expected to be called Windows Server 2025 if Microsoft follows its previous update cycles.
New functional level
Elevating the functional level for domains or forests is typically done to take advantage of new features offered by the respective server version. The vNext update for AD DS and Lightweight Domain Services (AD LDS) carries an internal version number of 10, whereas Server 2016 was at version 7.
Microsoft is thus skipping versions 8 and 9, which normally would have been given to Server 2019 and 2022, both of which are stuck at the 2016 level. According to the announcement, there are no plans to retroactively assign these unused versions to the two older servers.
For newly created AD forests under Server vNext, the minimum functional level must be set to Server 2016. If you wish to promote a Server 2025 machine to a domain controller in an existing domain, that domain must also be at least at the 2016 functional level.
More powerful database
The primary reason for upgrading an AD forest to the new functional level 10 is to benefit from the enhanced database engine. Since the introduction of AD in Windows Server 2000, it has used an 8K page size, resulting in various limitations, such as individual objects not being able to exceed 8K in size.
The revised Jet Blue extends the page size to 32K, allowing the maximum size of objects to reach this value. Multi-value attributes can then accommodate up to 3200 values.
New domain controllers are installed with a 32K page size and use 64-bit long value IDs. For compatibility with existing environments, they also support an 8K page mode.
When upgrading existing DCs to Server vNext, they continue to use the previous database format with an 8K page size. The global transition to 32K occurs at the forest level by raising the functional level, assuming that all DCs have a 32K-capable database and the feature is additionally enabled.
The new release also expands the Active Directory Schema with two new LDF files. The equivalent schema update for AD LDS is contained in the file MS-ADAM-Upgrade3.ldf.
NUMA support
The new NUMA (Non-Uniform Memory Access) support benefits scalability and performance. Previously, AD DS could only utilize CPUs in processor group 0; now it has access to all processor groups.
However, this improvement isn't exclusive to Server vNext since it was also delivered with the cumulative update for August 2022 to Windows Server 2022.
New performance counters
Microsoft has introduced several new counters for tracking the performance of various AD operations. These cover the following functions:
- Local Security Authority (LSA) Lookups
- DC Locator
- LDAP Client
Priority of replication partners
The system automatically calculates the priority for data replication between different DCs. However, with Server vNext, administrators now have the ability to increase the priority for specific replication partners.
This provides greater flexibility in replication for specific scenarios.
New algorithm for locating DC
Microsoft has disabled WINS and Mailslots as methods by which members of the domain can locate a DC. The new discovery algorithm allows DCs to be found based on NetBIOS names without relying on these outdated protocols.
Security enhancements
The next version of Active Directory introduces several security enhancements, some of which have become necessary due to past issues.
This includes improvements related to Kerberos support for the RC4 algorithm, which Microsoft had advised against using, especially after the discovery of CVE-2022-37966. RC4 is now on the list of ciphers that should not be used.
LDAP communication now supports TLS 1.3 for LDAP over TLS. In addition, LDAP sealing is automatically enabled after SASL authentication.
If LDAP Channel Binding is enforced through a stricter policy, errors can occur, especially on older devices. Two new events (3074 and 3075) are designed to help detect such issues. This option is now also available in Windows Server 2022.
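As an added PowerShell example (not code from the article), the following checks the two operational points above: whether forest and domain already meet the Server 2016 minimum level that a vNext DC requires, and which clients the new channel-binding events 3074/3075 have flagged. It assumes the RSAT ActiveDirectory module and read access to the Directory Service log on each DC.

```powershell
# Added example, not from the article: readiness checks for the vNext AD DS changes.
# Assumes the RSAT ActiveDirectory module and rights to read the Directory Service log on each DC.
Import-Module ActiveDirectory

function Test-AdFunctionalLevelReadiness {
    # Server vNext requires at least the Windows Server 2016 level (internal version 7)
    # before a new DC can be promoted into an existing domain.
    $minLevel = 7
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        Forest      = $forest.Name
        ForestMode  = $forest.ForestMode
        DomainMode  = $domain.DomainMode
        ForestReady = ([int]$forest.ForestMode -ge $minLevel)
        DomainReady = ([int]$domain.DomainMode -ge $minLevel)
        # DCs still on an older OS would block raising the level later on
        DomainControllers = Get-ADDomainController -Filter * |
            Select-Object HostName, OperatingSystem, OperatingSystemVersion, IsReadOnly
    }
}

function Get-LdapChannelBindingEvents {
    # Events 3074 and 3075 flag LDAP binds that would fail, or did fail, under
    # enforced channel binding. They are read from the Directory Service log on
    # each DC (log name assumed here).
    param([int]$MaxEvents = 200)
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        Get-WinEvent -ComputerName $dc -MaxEvents $MaxEvents -ErrorAction SilentlyContinue `
            -FilterHashtable @{ LogName = 'Directory Service'; Id = 3074, 3075 } |
        ForEach-Object {
            [pscustomobject]@{
                DC      = $dc
                Time    = $_.TimeCreated
                EventId = $_.Id
                Detail  = ($_.Message -split "`r?`n")[0]   # first line is enough for triage
            }
        }
    }
}

Test-AdFunctionalLevelReadiness | Format-List
Get-LdapChannelBindingEvents | Group-Object DC, EventId | Select-Object Count, Name
```

Run the second function for a while before enforcing channel binding; a non-empty result lists the DCs and clients that still need attention.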
Password change methods
The current SAM-RPC method for changing passwords uses AES encryption and is accepted as the new default. However, Microsoft will block several older SAM-RPCs in the future.
For members of the Protected Users group and for local accounts of domain computers, the SAM-RPC interface will be blocked by default. This can be changed via group policy if required.
Conclusion
After two releases of Windows Server without any significant innovation for AD DS, Active Directory is once again receiving major enhancements. These include a database upgrade to address long-standing limitations, reflected in a new functional level for forests and domains.
Additional improvements in security, replication management, and long-awaited NUMA support further enhance the capabilities of Active Directory.