Getty Images/iStockphoto
New Active Directory features coming in Windows Server 2025
The upcoming Windows Server release will bring significant enhancements to Active Directory, including a new functional level and security and performance improvements.
Each Windows Server release brings new features and notable enhancements, but Microsoft plans to overhaul one of its core features when Windows Server 2025 arrives later this year.
For this next release of the server OS, Microsoft placed an especially heavy emphasis on modernizing Active Directory, the on-premises identity and access management platform. Microsoft introduced Active Directory nearly 25 years ago with the release of Windows 2000 Server. Although Microsoft has occasionally added more capabilities with new functional levels, the core Directory Services are dated and in need of an overhaul.
New functional level is available in Windows Server 2025
The last time Microsoft added a new Active Directory functional level was in Windows Server 2016. Windows Server 2025 will bring a new functional level that admins must enable to take advantage of the new features.
The functional level is tied to a minimum Windows Server version and dictates what features in Active Directory Domain Services work in the domain or forest. Microsoft said organizations must be on a Windows Server 2016 functional level to deploy a Windows Server 2025 domain controller. A schema update will also accompany the Windows Server 2025 domain controller.
NUMA support should benefit large deployments
One of the big changes in the new Active Directory in Windows Server 2025 is better support for non-uniform memory access (NUMA) by lifting the 64 CPU core limit.
To date, Active Directory could only use CPUs associated with NUMA group 0, which is often the default NUMA node on a system. Even if the hardware had multiple NUMA groups, Active Directory only had access to the default NUMA node.
In Windows Server 2025, Microsoft removed this limitation, and Active Directory will use all CPUs across multiple NUMA groups. These changes should significantly improve performance for enterprises with a large Active Directory deployment.
Database page sizes get a boost
From the beginning, Microsoft based Active Directory around Extensible Storage Engine, also called JET or JET Blue based on its former name, Joint Engine Technology Blue. The pages within the database had an 8 KB size limit, which hampers the performance of Active Directory.
In Windows Server 2025, Microsoft will increase the page size to 32 KB, which will benefit organizations that need to store large numbers of multivalue attributes to create more complex objects. Microsoft will also increase the multivalue attribute limit from about 1,200 to approximately 3,200.
Upgrading a domain controller to Windows Server 2025 will not increase its page size. This is a forest-level operation that must be applied to all domain controllers simultaneously.
Domain controller deployments are made simpler
Microsoft simplified the deployment of domain controllers -- or any new Windows servers, regardless of role -- in Windows Server 2025 by employing a similar technology the company uses with Windows 11.
Windows 11 can upgrade to the latest build directly through Windows Update. Windows Server 2025 will offer similar capabilities to make upgrades possible without installation media.
Organizations can block these updates through Group Policy settings. Admins will be able to manually install Windows Server, just as they always have. Microsoft will continue to support automated deployments based on Sysprep.
Microsoft has not disclosed the license requirements for upgrades based on Windows Update. However, Microsoft's plan to offer either a perpetual license or a subscription for Windows Server 2025 makes it likely that Windows Update-based upgrades will be available only with a subscription-based license.
Admins can fine-tune domain controller replication
Another Active Directory improvement in Windows Server 2025 is more replication control for admins. Replication between domain controllers has been automatic and works without any administrative intervention. As a distributed system, Active Directory copies changes between domain controllers, which had been hardcoded with priority numbers. Priority numbers may not work for every environment, especially if there is significant distance between domain controllers.
The new Active Directory in Windows Server 2025 will debut a feature called replication priority boost. Admins can prioritize the replication process to optimize data transfer between certain domain controllers.
Security sees improvement from delegated Managed Service Account feature
The new Active Directory will work with the delegated Managed Service Account (dMSA) feature for improved security.
Larger organizations tend to use standard user accounts with unmanaged passwords as service accounts. Applications such as SQL Server use service accounts to work with Active Directory, but this opens the organization to risk because the passwords are often outdated or not strong enough.
DMSA uses Credential Guard to tie the credentials to the machine and performs automatic password rotation via Kerberos Key Distribution Center.
DMSA handles the account migration seamlessly to avoid configuration work with the applications that were using the service account. DMSA also deactivates the service account after the account change.
New counters help with troubleshooting and monitoring
Microsoft also plans to roll out several new performance counters to help admins to maintain and monitor the health of the new Active Directory in Windows Server 2025.
The Lightweight Directory Access Protocol client performance counter will detect which applications are sending many LDAP requests to the domain controller, which can degrade performance on the domain controller. The LDAP client counter will show additional details on the number of connections, source of the requests and how many requests per second.
The domain controller locator performance counter checks components in the client and server side in the domain controller locator process, including active mail slot pings and client requests per second.
Security Identifier and Local Security Authority name performance lookup counters help admins find possible slowdowns caused by a significant number of lookups to resources, such as file shares. Netlogon secure channel will only be used as a backup option.
Microsoft strengthens Kerberos authentication
In Windows Server 2025, Active Directory Domain Services will continue to use Kerberos as the authentication protocol of choice. However, Microsoft will improve security and reliability by adding support for Advanced Encryption Standard Secure Hash Algorithm-256 and SHA-384 cryptography. These changes will help organizations meet regulatory and compliance requirements.
Microsoft will deprecate Rivest Cipher 4 encryption in Windows Server 2025.
Brien Posey is a 15-time Microsoft MVP with two decades of IT experience. He has served as a lead network engineer for the U.S. Department of Defense and as a network administrator for some of the largest insurance companies in America.
