Welcome to my session at Windows Server Summit. My session is about bringing your Active Directory to the next level with Windows Server 2025. My name is Manfred Helber. I'm a Microsoft Most Valuable Professional in two categories, Cloud and Datacenter Management and Microsoft Azure. I have been working with Windows Server since Windows NT 4 and with Active Directory since it was introduced in Windows Server 2000. This information will be important in the following steps of the presentation, because we have had some huge changes since this first version of Active Directory. Let's have a look at the agenda for this session. We are talking about the new Active Directory domain and forest functional level. I will have some demos for you about this. We will talk about the new Active Directory Domain Services database page size. We will see what has changed in scalability, supportability, and security. We will see a mix of live demos and presentations to ensure that you get all the news about the huge Active Directory improvements in Windows Server 2025. Windows Server 2025 today is a preview version; I assume you know this. But the name is already available: the new name for Windows Server vNext, Windows Server 2025, was introduced at the beginning of this year. The new domain functional level for Active Directory Domain Services is a huge improvement, because in the past versions, Windows Server 2022, 2019, and 2016, we had the same Active Directory forest and domain functional level, and many customers thought we would not see any improvements in Active Directory anymore. But now we know there is a new Active Directory functional level. We will see this in a live demo in a few seconds. This is important if you do an automated deployment of Active Directory Domain Services: the new level is domain level and forest level 10. The previous level, Windows Server 2016, was domain level and forest level 7. 
Let's switch to a live demo. I have chosen a graphical user interface installation of Windows Server 2025. I'm absolutely familiar with the information from Microsoft that we should use Server Core for the installation of domain controllers; both are possible. For me, it's important: if you are familiar with Server Core, so with the reduced graphical user interface, I'm pretty sure you know how to do it remotely via Windows Admin Center, via Server Manager, or via PowerShell. If you are not so familiar with Server Core, I want to ensure that you get the information here that you are able to use all the functionality in Windows Server 2025 via the graphical user interface. First, we will use Manage, Add Roles and Features, which might be familiar to you, to add the Active Directory Domain Services role on this machine. I will go to the role-based or feature-based installation. I will select my server machine and I will choose Active Directory Domain Services, and when I select Active Directory Domain Services, I get the recommended additional components and features. I will add them and, for sure, I will also use the DNS component here, the DNS Server role, because as you might know, we need Active Directory Domain Services and DNS, the Domain Name System, in combination. Let's go to Next. I don't need any additional features, but if you want to back up your Active Directory with built-in tools, you could use Windows Server Backup; we will not add this here. We go to Next, we will see the Active Directory Domain Services information, and we will get some information for the Domain Name System configuration. We have the confirmation, and we don't need a restart here, because after the installation of the Active Directory Domain Services role we will have to configure it, and after the configuration of Active Directory Domain Services, that is where we will need the restart. 
So let's start the installation. As you might know, this will take a few minutes until the installation has finished, and I will use this time to switch to another virtual machine I prepared for us. This virtual machine already has Active Directory Domain Services installed, so here the steps have already finished with the installation of the Active Directory Domain Services role. This is just to save some time in this live demo. So let's close this here. It's the same configuration: we have Windows Server 2025, we have the computer name already configured, we have installed Active Directory Domain Services, and as you might know, we now have a notification here in the information area, and there we can switch to the configuration. And there we will see the new domain and forest functional level. So let's go to the configuration, "Promote this server to a domain controller"; that will do the promotion. You'll see the first step here, where we can choose to add a domain controller to an existing forest. I will explain in a few minutes the situation about adding Windows Server 2025 as a domain controller to an existing domain with previous domain controller versions. For sure, we can also create an additional forest. What I want to do is add a completely new forest, so we are starting completely new with Windows Server 2025. I will choose mhdemolab; this is my default domain here, and I will configure the DNS name here, or rather I'm choosing the DNS name for my Active Directory domain. Now the wizard checks if the DNS name is, let's say, available, that it's not used in this environment. So the root domain name for this new environment is mhdemolab.de, .de because I'm based in Germany. And now we have the interesting new thing here: we have the new forest and domain functional level, Windows Server 2025. This shows us that we have a new version of Active Directory here with several improvements, which we'll talk about in detail in the next minutes. 
As you might know, we need the password for Directory Services Restore Mode for each domain controller; we can specify it here. And let's have a short look at the available options for the Active Directory domain and forest functional level. We have the versions 2016 and 2025 available. There are no versions in between, so there is no Active Directory functional level for forest and domain of 2019 and 2022. All three Windows Server versions, 2016, 2019, and 2022, use the same forest and domain functional level options. The new one is Windows Server 2025, which is introduced with Windows Server 2025. For sure, we want to use this latest forest and domain functional level for this new environment. The rest is default, as you might know. We have the NetBIOS name, we have the, let's say, confirmation step where we see all the settings we have chosen, and then we can install our Active Directory or save the configuration script. So I will just use the default values and click through this wizard. The important step here was the step with the new functional levels. The installation will continue here, and I have prepared a domain controller where the Active Directory installation has already finished, with exactly the same parameters, which we will use in the next live demo. So, to talk again about the functional levels: in Windows Server 2016, 2019, and 2022, we had the Windows Server 2016 functional level. This was the latest functional level available in the previous three server releases. Windows Server 2022 is still the current version of Windows Server, and Windows Server 2025 is a preview today. The Windows Server 2025 functional level is new in the Windows Server 2025 operating system. And when you look at it the other way round, which functional levels are supported in Windows Server 2025, then it's important to clarify again: Windows Server 2025 supports the domain levels Windows Server 2025 and 2016. 
As you might know, Windows Server 2012 and 2012 R2 have already been out of support since October last year. So Microsoft has focused here on the two latest functional levels, and that covers a wide range of Windows Server operating systems. And if you look into the learn.microsoft.com documentation, you will see a recommendation. There, Microsoft recommends upgrading all your domain controllers to Windows Server 2022 to be perfectly prepared for the next release of Windows Server. This is not a requirement, but it is a strong recommendation. We also have a new Active Directory schema version. If you look at the Windows\System32\adprep folder on your domain controller, you will realize there are three new files, sch89.ldf, sch90.ldf, and sch91.ldf. These are the three files that represent the new schema version we have with Windows Server 2025. One of the improvements through this new domain version and level is a new Active Directory Domain Services database page size. As you might know, we are using a database behind Active Directory, and the database engine that is used is called the Extensible Storage Engine, also known as JET Blue. It's an engine that is absolutely optimized for what we are doing in Active Directory Domain Services, and this database was introduced in Windows Server 2000, the first version in which Active Directory was introduced. And since Windows Server 2000, it has always had an 8K database page size. As you might know, if we have an 8K page size, we have some, let's say, limitations or scalability values that are possible with this 8K page. The 8K architectural design means that we cannot store more than 8 KB in a specific Active Directory object. Now, with Windows Server 2025, we have a new 32K database page format. 
And this is a huge improvement regarding the scalability of the database and of the objects themselves, because now we have an allowed object size of 32K in total. This is a huge improvement when we are looking at further requirements for our local Active Directory database that we will use in the latest, or the next, version of Windows Server. I will show you in the next live demo how we can see this configuration, how we can see this database page size. So I will switch to a domain controller that is completely installed with the latest preview version of Windows Server 2025, and Active Directory is already configured on this machine. I've opened the command prompt and, as you might see, I'm in the Windows\NTDS folder. If I list the directory content, we will see there are log files in there, and there is one important file you should be familiar with: ntds.dit. ntds.dit is our Active Directory database file; it represents our Active Directory database. For sure, the log files and so on are also important, but this is our Active Directory database. Now we want to look into this database file to see what the situation is. I mentioned this is based on a Windows Server 2025 preview version domain controller. As we might see here, this is Windows Server 2025 Datacenter. It would also be possible with a Standard installation; I used the pre-configured VHDX file we can download from Microsoft, and that is the reason why I have the Datacenter edition for this domain controller. There are different possibilities to have a look at the structure of this file. One option is to use the Extensible Storage Engine utility, esentutl. It's a small tool with which we can perform different maintenance activities on this file. When I use the /mh parameter and point it at the ntds.dit file, we will see: oh, this file is in use. This is an expected error. 
I can see here: access to source database ntds.dit failed with a JET error. So this file is in use. But since Windows Server 2016, we have a new option: VSS. We can use the Volume Shadow Copy Service. We can use a VSS snapshot to create a snapshot of the database and have a look at this snapshot of the database. Here we can see a lot of information about the database file, about ntds.dit. The important thing for us is the page size, cbDbPage. If you look at this on the previous version of Windows Server, you will see the 8K page size. Here we are on Windows Server 2025, so we have the 32K page size in the database. It is important to know how this new page size in the database works with previous versions of domain controllers, and when it's created and when it's not created. When we install a new domain controller, like I did in the previous live demo, we will always have the 32K page size by default with Windows Server 2025, and it runs in an 8K page mode for compatibility with previous versions. So we have a compatibility mode in there. If we upgrade a domain controller, this domain controller continues using the existing database format and 8K pages. So when you upgrade your Active Directory environment, this page size does not change automatically. But it is possible to move to the 32K page size in the database. Important is that this is done on a forest-wide basis. This means all the domain controllers must be capable of the 32K page size in the database, which means you have to upgrade all your domain controllers to Windows Server 2025 if you want to use the new page size. If you want to have a smooth transition, for sure you can have Windows Server 2016, 2019, 2022, and 2025 domain controllers in coexistence; this will work. The recommendation from Microsoft is to have all domain controllers on Windows Server 2022 to be optimally prepared for Windows Server 2025. 
So if we want to move from 8K to 32K, we are using a PowerShell cmdlet. It's called Enable-ADOptionalFeature, and maybe you have used this PowerShell cmdlet in previous Active Directory versions, for example if you wanted to enable the Recycle Bin for Active Directory. The syntax is that we specify specific parameters that will be used with Enable-ADOptionalFeature. The parameters for moving from the 8K to the 32K database are: we have an Identity value, it's the Database 32K Pages Feature; we have a Scope, it's ForestOrConfigurationSet; we have a Target, it's the name of our domain; and we have a Server, this is the name of the specific domain controller that should be upgraded, or transitioned, from 8K to 32K. When we have specified these parameters, in the next step we can, for sure, check if the parameters in this variable are set correctly: if you type $params, you will see the Scope, the Server, the Target, and the Identity. And via Enable-ADOptionalFeature, specifying these parameters, you will be able to upgrade to the Database 32K Pages Feature. Important is the information, or warning, here: this is an irreversible action, so you will not be able to disable the Database 32K Pages Feature and you will not be able to switch back to 8K. But if you are on 2025 with all your domain controllers, the recommendation is to use the latest 32K page size for the database to take advantage of the new scalability improvements. Let's look at the scalability of Active Directory Domain Services in Windows Server 2025. We now have NUMA support for Active Directory. In previous Active Directory domain controller versions, we had the situation that Active Directory would only use CPUs in NUMA group 0. This means only in non-uniform memory architecture group 0, where we have our first socket, would Active Directory use the cores. 
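The two steps just described, reading cbDbPage from a VSS snapshot with esentutl and then enabling the 32K page feature with Enable-ADOptionalFeature, as one PowerShell script. This is an added example and not part of the session; it assumes the default ntds.dit path and the mhdemolab.de domain from the demo, and it only enables the feature when every domain controller in the forest reports Windows Server 2025, because the change is forest-wide and irreversible.

```powershell
# Added example (not from the session). Run elevated on a Windows Server 2025
# domain controller with the ActiveDirectory PowerShell module available.
Import-Module ActiveDirectory

$DitPath = 'C:\Windows\NTDS\ntds.dit'   # default NTDS location (assumption)
$Domain  = 'mhdemolab.de'              # demo domain used in the session

# 1. Dump the database header from a VSS snapshot, because the live file is
#    locked. esentutl /mh prints the header; /vss makes it read a shadow copy.
#    cbDbPage is the physical page size: 32768 on a freshly installed 2025 DC,
#    8192 on a DC that was upgraded in place.
$header = & esentutl.exe /mh $DitPath /vss 2>&1 | Out-String
if ($header -notmatch 'cbDbPage:\s*(\d+)') {
    throw "Could not read cbDbPage from esentutl output:`n$header"
}
$pageSize = [int]$Matches[1]
Write-Host "Physical database page size: $pageSize bytes"

# 2. Functional levels as integers: Windows Server 2025 is 10, 2016 is 7.
$rootDse = Get-ADRootDSE
Write-Host "Forest functionality: $($rootDse.forestFunctionality)"
Write-Host "Domain functionality: $($rootDse.domainFunctionality)"

# 3. The feature is forest-wide and cannot be disabled again, so refuse to
#    continue unless every DC in every domain of the forest runs 2025.
$dcs = Get-ADForest | Select-Object -ExpandProperty Domains |
    ForEach-Object { Get-ADDomainController -Filter * -Server $_ }
$legacy = $dcs | Where-Object { $_.OperatingSystem -notlike '*2025*' }
if ($legacy) {
    $legacy | Format-Table HostName, OperatingSystem -AutoSize
    throw 'Not all domain controllers run Windows Server 2025; aborting.'
}

# 4. Build the parameters exactly as in the session: Identity, forest scope,
#    target domain, and the DC the change is issued against (the PDC here).
$params = @{
    Identity = 'Database 32k Pages Feature'
    Scope    = 'ForestOrConfigurationSet'
    Target   = $Domain
    Server   = [string](Get-ADDomainController -Discover -Service PrimaryDC).HostName
}
$params   # review the parameters before the irreversible change, as in the demo
Enable-ADOptionalFeature @params -Confirm:$true
```

The -Confirm:$true prompt is deliberate: once the feature is enabled there is no way back to 8K pages, so the script asks before it commits.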
With the new Active Directory Domain Services, we take full advantage of NUMA, of all nodes. So now Active Directory can expand to more than 64 cores, much more than 64 cores, because if we have two or four sockets, we can use all the cores to bring scalability and performance to our Active Directory environment. Supportability is also enhanced in Active Directory Domain Services in Windows Server 2025. We have new performance counters for LSA lookups. We have new performance counters for domain controller locator performance visibility. We have new Domain Services counters in Perfmon for LDAP client performance. So, huge improvements for more visibility and insight into your Active Directory. Among the performance counters, we have already seen the counters for the DC locator, and we have a new DC locator algorithm, so we now have an improved way of locating the domain controller for the queries you have. If you want more details about this, there is a detailed Learn article specifically about the domain controller locator changes. Security is a huge part of Active Directory, because Active Directory is our central service for authentication of our users for our whole environment, and so security is a very important part here. And we have a lot of improvements. We have LDAP support for TLS 1.3 now. We have LDAP encryption by default now. We have LDAP bind audit support in Active Directory in Windows Server 2025. We have improved security for confidential attributes in Active Directory. We have changes to the default behavior for legacy password change methods, so the latest password change method with encryption is used when password changes are called remotely. For sure, all these new options can be controlled via group policies that are available in Windows Server 2025. 
We have security improvements regarding Kerberos, which now supports the SHA-256 and SHA-384 algorithms. We have new Kerberos public key cryptography support for authentication. And we have improved security for default machine account passwords: the mechanism ensures that we have randomly generated passwords for computer accounts, and Windows Server 2025 domain controllers block setting computer account passwords to the default password, where the computer name is used again, to increase security. So a lot of improvements here as well regarding the security part. If we summarize this, Windows Server 2025 really brings Active Directory to the next level, with a new forest functional level, with a new database page size for scalability, with NUMA support, supportability, and security. If you want to see all the improvements in Windows Server 2025, I recommend that you watch the additional sessions about this great new release of Windows Server and use learn.microsoft.com to read more about the details. Thank you for watching this session, and I'm looking forward to seeing you use Windows Server 2025 in your environment. Thank you.