Active Directory Update: RC4 Deprecation, 2025 DC Problems and OU Structure Tips

In this episode of Petri Dish, Russell Smith sits down with Principal Technologist Craig Birch to break down several major Active Directory changes that every IT administrator needs to know right now.

We cover three big topics shaking up the identity and Windows Server world:

1. Kerberos RC4 Deprecation

Microsoft is enforcing the removal of RC4 encryption across all supported Windows Server versions. Craig explains:

  • What Kerberos RC4 actually is
  • Why Microsoft is phasing it out
  • The January, April, and July enforcement phases
  • What admins must do now to avoid outages
  • How to use new audit events (201–209) to identify vulnerable accounts

2. Windows Server 2025 Domain Controllers

Some organizations are reporting unexpected issues when introducing Windows Server 2025 domain controllers into mixed AD environments. We discuss:

  • Authentication failures and KDC errors
  • Schema inconsistencies
  • The 30‑day pattern behind reported failures
  • Why proper testing (and patience) is essential before deployment

3. Active Directory OU Structure Best Practices

OU design still sparks debate decades later. Craig shares guidance on:

  • Why “simple is secure”
  • Avoiding overly complex org‑chart‑based OU structures
  • Implementing tiering (Tier 0/1/2) for stronger AD security
  • When and when not to use WMI filters and group filtering

If you’re responsible for Active Directory, hybrid identity, or Windows Server operations, this conversation gives you the clarity and practical direction you need to navigate changes with confidence.

🔗 Links and related articles are in the description below.
Craig’s post on Kerberos RC4: Microsoft Retires RC4, Mandates AES Encryption for Kerberos