What's new in Active Directory
Event details
Lean in as software developers from the Active Directory software engineering team dive into the latest improvements in Active Directory. We'll cover key areas of investment including scalability, security, and supportability and show you the enhancements we're making to help keep you more secure and productive!
This session is part of the Microsoft Technical Takeoff: Windows + Intune. Add it to your calendar, RSVP for event reminders, and post your questions and comments below! This session will also be recorded and available on demand shortly after conclusion of the live event.
49 Comments
- Cliff_Fisher
Microsoft
Link for the bonus blog entry on ESE: https://aka.ms/ESEdeepdivePart1
- Char_Cheesman
Bronze Contributor
Welcome to What's new in Active Directory and the second annual Microsoft Technical Takeoff for Windows + Intune! Have a question? Post here in the Comments so we can help. Let’s make this an active Q&A!
- mashdk
Copper Contributor
How many percent size increase can we expect to see on NTDS.DIT with the 32k DB Page Sizes and uses 64-bit Long Value Ids?
- Wayne_McIntyre
Microsoft
Hi Martin,
There is no straightforward answer to this as it will depend on your data and how large the existing database is. In most cases there will not be any meaningful impact to the overall size of the database until you start growing larger records beyond previous limits.
We are continuing to collect data on this in our internal testing and in a variety of environments, and have yet to see any significant changes in size with existing data replicated in from 2022 DCs.
- mashdk
Copper Contributor
Thanks 😊 In my Insider Build, the NTDS.DIT file was 40MB from scratch. My 2022 DC with some test-users and other stuff is about 20MB. So, I thought this was due to the DB changes.
- Cliff_Fisher
Microsoft
We'll get back to you on this one.
- AndrewPrior
Brass Contributor
Looking at the early builds, I can see there are now dMSAs, or delegated Managed Service accounts. Could these be explained please?
- Wayne_McIntyre
Microsoft
Hi Andrew,
The session will cover dMSAs briefly as well as have a link to a short demo. This was a joint effort with our Auth/Kerberos team and they will also be publishing docs on it and step-by-step instructions on usage and deployment. The main differences between a dMSA and a gMSA are:
1. dMSAs allow migration from existing user accounts that are used for services to be superseded/migrated by a dMSA.
2. dMSAs allow the credential keys to be bound to credguard.
3. dMSA keys are retrieved via Kerberos.
4. dMSA passwords are never returned to the client (cannot query attribute over LDAP) and the password is never stored locally where dMSAs are used.
- FiRem002295
Copper Contributor
How are dMSAs any different to the original MSAs (precursor to gMSAs), if these are regressing from multiple computes back to singular?
- CraigDK
Iron Contributor
- Not everyone can move to cloud based solutions (Azure AD / Entra / Intune) and need to run an on prem AD platform.
- With MDOP deprecation early 2026, AGPM (Advanced Group Policy Management) will go with it leaving a capability gap for on prem GPO management without moving to 3rd party offerings.
- Can Microsoft / the team responsible for Active Directory consider provision of an integrated AGPM-like capability or formal adoption of AGPM itself to ensure continuity of Advanced GPO management capability within on prem AD environments?
- Lindakup
Microsoft
Thanks for this feedback Craig. I will share it to the group policy team.
- sukhdeep_grewal
Former Employee
Hi Linda, I have a few large customers in the UK that are asking the same question. Is there a contact in the GPO team I can reach out to please? Thanks