Windows Server vNext Update: Key Enhancements in Active Directory Upgrade


Key Takeaways:

  • The Windows Server Insider Build 25951 brings several new features, including support for a new AD Forest and Domain Functional Level.
  • This release also adds NUMA support that lets Active Directory Domain Services utilize CPUs across all processor groups.
  • Microsoft has introduced robust security measures, including LDAP support for TLS 1.3 and Kerberos support for AES SHA256/384.

Microsoft has recently announced the release of Windows Server Insider Preview build 25951. The new build introduces several enhancements for Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS), including support for a new forest and domain functional level.

What are Windows Server Active Directory functional levels?

Functional levels are controls that let IT admins specify which advanced features can be used in a Windows Server Active Directory environment. They govern the domain-wide and forest-wide features of Active Directory Domain Services (AD DS) within an organization.

Before raising a level, IT admins must ensure that every domain controller in the forest or domain is running a version of the operating system that supports that functional level. Once a functional level is raised, it cannot be rolled back to a lower level without restoring from backup or rebuilding the domain.

New forest and domain functional level

Microsoft has started testing support for a new domain and forest functional level in Windows Server Active Directory. Since their introduction in Windows 2000, AD DS and AD LDS have always used an 8k database page size. The new functional level will be required to enable the optional 32k database page size feature.

This change is expected to bring significant improvements in areas that were previously constrained by legacy limits. For example, it allows multi-value attributes to hold up to 3200 values. New domain controllers are set up with a 32k page size and use 64-bit long value IDs, but they also offer an 8k page mode for compatibility with existing environments.

“For unattended installs, the new functional level maps to the value of DomainLevel 10 and ForestLevel 10. Windows Server 2016 functional level maps to DomainLevel 7 and ForestLevel 7. Microsoft has no plans to retrofit functional levels for Windows Server 2019 and Windows Server 2022,” Microsoft explained.
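The readiness check described above, written out as an added PowerShell example (this is not code from the article or from Microsoft). It assumes the RSAT ActiveDirectory module, an account that can read forest, domain and DC objects, and the level numbers the article quotes (7 for Windows Server 2016, 10 for the new level). The `RequiredOsPattern` string and the use of a raw integer for the new level with `Set-ADDomainMode`/`Set-ADForestMode` are assumptions: an RSAT build that ships with the new level may expose a named enum value instead.

```powershell
# Added example: inventory DC operating systems and current functional levels
# before raising them. Raising a level is one-way, so the function refuses when
# any DC does not run the required OS.
Import-Module ActiveDirectory

function Test-FunctionalLevelReadiness {
    param(
        # 10 = new vNext level, 7 = Windows Server 2016 (values quoted in the article)
        [int]$TargetLevel = 10,
        # Assumption: only DCs whose OperatingSystem contains this string can
        # host the new level. Adjust once the release name is final.
        [string]$RequiredOsPattern = 'Windows Server vNext'
    )
    $forest = Get-ADForest
    $domain = Get-ADDomain

    # The ADForestMode/ADDomainMode enums cast cleanly to the level number
    # (Windows2016Forest = 7), so compare integers rather than names.
    $currentForest = [int]$forest.ForestMode
    $currentDomain = [int]$domain.DomainMode
    Write-Host "Forest '$($forest.Name)' level: $currentForest; domain '$($domain.DNSRoot)' level: $currentDomain"

    # Enumerate DCs in every domain of the forest, not just the current one.
    $dcs = foreach ($d in $forest.Domains) { Get-ADDomainController -Filter * -Server $d }
    foreach ($dc in $dcs) {
        Write-Host ("  {0,-30} {1}" -f $dc.HostName, $dc.OperatingSystem)
    }
    $lagging = @($dcs | Where-Object { $_.OperatingSystem -notlike "*$RequiredOsPattern*" })
    if ($lagging.Count -gt 0) {
        Write-Warning ("Not ready: {0} DC(s) do not run '{1}': {2}" -f `
            $lagging.Count, $RequiredOsPattern, ($lagging.HostName -join ', '))
        return $false
    }
    if ($currentForest -ge $TargetLevel -and $currentDomain -ge $TargetLevel) {
        Write-Host "Already at level $TargetLevel or higher; nothing to do."
        return $false
    }
    return $true
}

# Raise only after the check passes: domain first, then forest, and only after a
# verified system-state backup of at least one DC, because there is no rollback.
if (Test-FunctionalLevelReadiness -TargetLevel 10) {
    Set-ADDomainMode -Identity (Get-ADDomain) -DomainMode 10 -Confirm:$true
    Set-ADForestMode -Identity (Get-ADForest) -ForestMode 10 -Confirm:$true
}
```

The `-Confirm:$true` prompts are deliberate: in a multi-domain forest the domain step has to be repeated per domain, and each raise is irreversible, so an interactive confirmation is the last safety net before the change replicates.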

Performance and security improvements

Microsoft has introduced NUMA support so that Active Directory Domain Services can use CPUs in all processor groups, scaling beyond 64 cores. The company also added new performance counters that let IT admins monitor and troubleshoot name and SID lookups, the DC Locator, and LDAP client requests. This release also updates the DC discovery algorithm to improve the mapping of short NetBIOS-style domain names to DNS-style domain names.

Lastly, Microsoft is adding LDAP support for TLS 1.3, which removes the weaker cipher suites and handshake modes of earlier TLS versions. There are also changes to the default behavior of legacy SAM RPC password change methods. Microsoft has also released Kerberos support for AES SHA256/384 to provide stronger encryption and signing mechanisms.
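A way to confirm from a client that a domain controller's LDAPS endpoint actually negotiates TLS 1.3, as an added PowerShell example (not from the article or from Microsoft). It assumes PowerShell 7 on a .NET runtime and OS that support `SslProtocols.Tls13` (Windows Server 2022/Windows 11 or later), port 636 reachable, and that the DC's certificate chains to a CA the client trusts; certificate validation is left at the .NET default so a broken chain fails rather than being silently accepted. The DC name `dc01.corp.example` is a placeholder.

```powershell
# Added example: probe an LDAPS endpoint with exactly one TLS version offered,
# so the result shows whether that version is accepted or refused.
function Test-LdapsTlsVersion {
    param(
        [Parameter(Mandatory)][string]$DcFqdn,
        [System.Security.Authentication.SslProtocols]$Protocol =
            [System.Security.Authentication.SslProtocols]::Tls13,
        [int]$Port = 636
    )
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($DcFqdn, $Port)
        # No validation callback: the default chain/hostname checks stay in force.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        try {
            # Offer only $Protocol; the server must pick it or abort the handshake.
            $ssl.AuthenticateAsClient($DcFqdn, $null, $Protocol, $true)
            [pscustomobject]@{
                Server     = $DcFqdn
                Offered    = $Protocol
                Negotiated = $ssl.SslProtocol
                Cipher     = $ssl.NegotiatedCipherSuite   # available on .NET Core 3.0+
                Succeeded  = $true
                Error      = $null
            }
        } finally { $ssl.Dispose() }
    } catch {
        # A refused version (or an untrusted certificate) lands here.
        [pscustomobject]@{
            Server     = $DcFqdn
            Offered    = $Protocol
            Negotiated = $null
            Cipher     = $null
            Succeeded  = $false
            Error      = $_.Exception.Message
        }
    } finally { $client.Dispose() }
}

# Expect Tls13 to succeed on a vNext DC; Tls (1.0) and Tls11 should fail wherever
# they have been disabled by policy. A failure on the client side can also mean
# the local Schannel policy forbids offering that version, so read Error too.
'Tls13', 'Tls12', 'Tls11', 'Tls' | ForEach-Object {
    Test-LdapsTlsVersion -DcFqdn 'dc01.corp.example' -Protocol $_
} | Format-Table Server, Offered, Negotiated, Cipher, Succeeded, Error -AutoSize
```

Run it against each DC after the update and keep the table as a baseline; a later run that shows TLS 1.0 or 1.1 succeeding, or TLS 1.3 failing, is a configuration regression worth an alert.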