What's new in Active Directory for Windows Server 2025
Event ended. Tuesday, Mar 26, 2024, 01:30 PM PDT
Event details
If you have an on-premises Active Directory environment, you do not want to miss this session! The AD product group will present and demonstrate some of the new AD capabilities coming in Windows Server 2025, including new functional levels, security enhancements, and improved scalability.
Speaker: Cliff Fisher
Thanks for tuning in to the Windows Server Summit on demand!
Char_Cheesman
Updated Dec 27, 2024
- Char_Cheesman (Bronze Contributor)
Thank you for joining us this week for the Windows Server Summit! Q&A is now closed, but all sessions are available on demand so you can watch and learn when it is convenient for you. We hope you enjoyed the event.
- Tony_Pombo (Iron Contributor)
In the demo, a DC locator mapping was made for "contoso" to contoso.com. Can you add multiple Netbios names for the same DNS name?
For example, could you also map "cont" to contoso.com and "c" to contoso.com? So, all the following would be equivalent for a user:
- tony@contoso.com
- contoso\tony
- cont\tony
- c\tony
- B4Art (Brass Contributor)
This does make me think of the history of expiring WINS and the transition to fully using DNS. There was a special solution created by MS, like GlobalNames. https://learn.microsoft.com/en-us/powershell/module/dnsserver/set-dnsserverglobalnamezone?view=windowsserver2022-ps
- Cliff_Fisher (Microsoft)
Great question, Tony! No, that is explicitly not supported. In fact, if an admin tries to do it anyway by manually entering the data into the directory, we will detect the duplicate mappings and throw them all out.
- Tony_Pombo (Iron Contributor)
I don't understand the purpose of DMSA. Why not just move to "old school" MSA or the newer gMSA? Is it just a way to move to an MSA-thing without touching the server where the account is being used? Is there some other benefit I am overlooking? It seems to me that someday, you'll need/want to clean up the old account and touch the "calling servers" anyway.
- Wayne_McIntyre (Microsoft)
In addition to the management benefit of moving to a more secure account that Cliff mentioned, there are also direct security improvements of a dMSA over a gMSA. The main one is that a dMSA can further be protected by machine-binding the credentials with Credential Guard to the machine. Additionally, the password is never sent over the wire; the keys will be exchanged via the Kerberos protocol rather than LDAP sending the password.
- Cliff_Fisher (Microsoft)
Correct, the idea is to give people a seamless way to "replace" a service account without touching the service itself, changing the credentials on a bunch of machines to the new account, etc.
- Joseph Towns (Brass Contributor)
I have to say this was by far the most disappointing talk of the conference. I was hoping to see real improvements to the AD management experience, but we really only got increased page sizes and improvements for some replication edge cases when there are still functionally broken experiences in AD management. For example, search for a user in ADUC, open the object you searched for, then try to edit the object with the attribute editor tab. You can’t, because for some reason you still need to navigate to the object directly via its OU to access the attribute editor. I was also expecting some improvements to AD objects in PowerShell and their strange object behavior that seems to break PowerShell conventions. Some examples are improper AD adapter loading and ADUser properties handling in parallel threads here. It doesn’t seem like the AD administrator’s experience was at the forefront of the Server 2025 AD changes.
- Joseph Towns (Brass Contributor)
Cliff_Fisher any word on improvements to AD management tools, ADUC and/or PowerShell?
- Cliff_Fisher (Microsoft)
Thanks for the feedback, Joseph. We've added PowerShell cmdlets for most/all of the new feature work, and I'd consider the PerfMon counters to be loosely "AD Management," or at least supportability. To your direct point - there have not been many updates in the MMC-based AD tools, but we do have some discussions underway in the management space.
- Arne Klæboe (Brass Contributor)
Regarding SID lookups, would it be possible to make them honor the read and list object permissions on the translated name? Right now, if I have deny read (or deny list object) on the object "S-1-5-21-1647000878-563891413-2270807220-1601" and do the .Translate, I still get to see the sAMAccountName. I would expect to get the same result as if translating a SID that does not exist when I do not have read permission on it.
    $CurrentSid = "S-1-5-21-1647000878-563891413-2270807220-1601"  # SID of object I do not have permission to read
    $objSID = New-Object System.Security.Principal.SecurityIdentifier($CurrentSid)
    $objSID.Translate([System.Security.Principal.NTAccount])  # Will return the sAMAccountName even if I am not allowed read or list object.
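As an added illustration (not code from the thread, from Arne, or from Microsoft), the function below puts the lookup path Arne describes next to an LDAP lookup of the same SID. The .NET Translate call goes through LSA name resolution on the DC, which, as Arne observes, returns the name regardless of the ACL on the object; an LDAP search for objectSid is evaluated with the caller's directory rights, so an object the caller cannot read or list is simply absent from the result. The SID value is Arne's; the function name and the use of the RSAT ActiveDirectory module for the LDAP path are my assumptions.

```powershell
# Added example: compare LSA-based SID translation with an ACL-checked LDAP lookup.
# Requires the ActiveDirectory module (RSAT) for the LDAP path.
function Resolve-SidBothWays {
    param([Parameter(Mandatory)][string]$Sid)

    $objSid = [System.Security.Principal.SecurityIdentifier]::new($Sid)

    # Path 1: LsaLookupSids via .NET. Resolved by the LSA on the DC; the
    # directory ACL on the account object is not what decides the answer.
    $lsaName = try {
        $objSid.Translate([System.Security.Principal.NTAccount]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        $null   # unknown SID: same result a caller gets for a non-existent object
    }

    # Path 2: LDAP search on objectSid. AD accepts the SDDL string form in a
    # filter. The DC applies the caller's read/list rights, so an object the
    # caller is denied on comes back as "not found" rather than as a name.
    $ldapObj = Get-ADObject -LDAPFilter "(objectSid=$Sid)" `
                            -Properties sAMAccountName -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Sid      = $Sid
        LsaName  = $lsaName                    # populated even when the ACL denies read
        LdapName = $ldapObj.sAMAccountName     # $null when the caller cannot read/list the object
        Diverge  = ($null -ne $lsaName) -and ($null -eq $ldapObj)
    }
}

# Usage with the SID from Arne's post (run as the restricted user to see Diverge = True):
Resolve-SidBothWays -Sid 'S-1-5-21-1647000878-563891413-2270807220-1601'
```

If you need the lookup result to reflect what the directory ACL actually grants the caller, use the LDAP path; the Translate path is what Task Scheduler, ACL editors and most .NET code use, and it will keep resolving names.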
- Sofiane965 (Copper Contributor)
What about DAC (Dynamic Access Control) on Windows Server Azure Edition and Azure Files?
- Cliff_Fisher (Microsoft)
Sorry - no plans that I know of on this.
- Steskalj (Steel Contributor)
Will we see a demo of the new KDC proxy feature?
- Cliff_Fisher (Microsoft)
Not in this presentation! Though some of our sister teams who work on KDC Proxy are also presenting, so look out for some of the other security-related sessions.
- Arne Klæboe (Brass Contributor)
Will the Task Scheduler GUI handle the new gMSAs?
- Cliff_Fisher (Microsoft)
Could you please define "handle"? Are you asking about management or usability?
- Arne Klæboe (Brass Contributor)
When creating a scheduled task and setting what user it is running as, the GUI will not let you choose a gMSA. It has to be done with PowerShell. When editing a scheduled task running as a gMSA in the GUI, it will not let you save it.
- MathiasR (Brass Contributor)
I love the DMSA migration process, that looks great! What is the end state for a service account that has been succeeded by a DMSA? Can the old account eventually be deleted? I did not catch if the services are reconfigured to use the DMSA as part of this process.
- Cliff_Fisher (Microsoft)
Will need to clarify this point for you; I believe the goal for the end state is that the SA still exists in a disabled state.
- Wayne_McIntyre (Microsoft)
The end state is the account is disabled. In order to delete the account, you would have to update all servers that use this account to instead log on directly with the dMSA account (using the same way you configure a gMSA in the Services snap-in / Task Scheduler / SQL / etc.). This is not an automated process and we will publish the manual steps needed if you wanted to completely delete the original account. The benefit at least is you can easily identify all machines where the account is used via the msDS-GroupMSAMembership attribute (principals allowed to retrieve managed password in the PowerShell verbiage). AD admins will also need to be careful with automated scripts that delete disabled/stale accounts and be sure to exclude the original service account from these automated cleanup scripts.
- MathiasR (Brass Contributor)
Thanks for explaining that, Wayne, that's how I pictured it. This will help a lot, great feature!
- Steskalj (Steel Contributor)
DMSA is awesome. How would it work with non-Windows integrated auth services?
- Cliff_Fisher (Microsoft)
DMSA is specific to mapping an existing regular service account to a delegated Managed Service Account using Kerberos.