What's new in Active Directory
Tuesday, Nov 28, 2023, 10:00 AM PST

Event details
Lean in as software developers from the Active Directory software engineering team dive into the latest improvements in Active Directory. We'll cover key areas of investment including scalability, security, and supportability and show you the enhancements we're making to help keep you more secure and productive!
This session is part of the Microsoft Technical Takeoff: Windows + Intune. Add it to your calendar, RSVP for event reminders, and post your questions and comments below! This session will also be recorded and available on demand shortly after conclusion of the live event.
Char_Cheesman, updated Dec 27, 2024
- AndrewPrior (Brass Contributor): Seen the video on migrating a service account to a dMSA. My understanding is that you need the schema updates (89 and 90), but what other requirements would be required if you want to use this on a domain running 2019 with DFL and FFL set at 2016? Do DFL and FFL need to be set to 2025 to use this, and would we require any 2025 domain controllers, and if so, would we need just one or would the whole domain need to be running 2025 DCs?
- Wayne_McIntyre (Microsoft): DFL/FFL needs to only be at 2016. You will need at least one DC running 2025 per domain. There are also changes to the client auth flow, and those details are still being worked on.
- Kumar (Occasional Reader): To experiment with dMSA, I installed a Windows Server 2025 Preview DC in a domain. I would appreciate your help with a few questions: 1. Do we need to create the dMSA on the server where it is used by the service? 2. Does the server need to be a DC, or can it be a member server? 3. What GPO changes, specifically for Kerberos, are required for dMSA to work and be able to migrate a legacy service account? Thank you in advance.
- Nannnu (Copper Contributor): When the PDC is moved to the new 2025 (vNext) DC, a new group is created, "Forest Trust Accounts". Any special reason for this group or anything we should be aware of?
- canix1 (Copper Contributor): Could it be to protect the "Forest Trust Accounts" from authenticating as a normal user and allow for access over a one-way trust? Like the scenario that you could fix by using an Authentication Policy. See https://managedpriv.com/blog/securing-the-forest-boundary/
- Lindakup (Microsoft): Robin is correct, this is part of a security improvement for trusts. There are actually 2 new groups related to trusts: External Trust Accounts and Forest Trust Accounts. These are set as the primary group for the corresponding trust account as a protection mechanism for trusts. These groups operate in the same way as other well-known groups, like 'Domain Controllers' for example, in the sense that membership is a result of the primaryGroupId attribute. Note that these don't apply to intra-forest trusts. They are for external and forest trusts respectively and should be left alone. This was not part of the session because this session covered 'some' of the features and improvements, not all. There was just not enough time to cover everything in the 25 mins we had, and there is work that has also not made it to insider preview. So you may see other new things we did not yet mention as time goes along, and we intend to document it all before the final release.
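Since membership in these groups is driven purely by primaryGroupId, the quickest way to see what your own domain looks like after the PDC move is to list the inter-domain trust accounts and resolve each one's primary group. The script below is an added example for that check; it is not from the session or from Microsoft. It assumes the ActiveDirectory RSAT module, a reachable DC, and resolves group RIDs at run time rather than hard-coding them; the group names are the two given in the reply above, and intra-forest trust accounts are expected to keep their original primary group.

```powershell
# Added example (not Microsoft's code): map each inter-domain trust account to its
# primary group, so you can see which trusts now land in the new protective groups.
# Assumes: RSAT ActiveDirectory module; rights to read user objects in the domain.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainSid = $domain.DomainSID.Value

# Group names quoted in the thread; anything else is reported but not flagged.
$protectiveGroups = @('External Trust Accounts', 'Forest Trust Accounts')

# userAccountControl bit 0x0800 (2048) = INTERDOMAIN_TRUST_ACCOUNT.
# The LDAP_MATCHING_RULE_BIT_AND OID 1.2.840.113556.1.4.803 tests that bit.
$filter = '(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2048))'
$trustAccounts = Get-ADObject -LDAPFilter $filter `
    -Properties sAMAccountName, primaryGroupID, userAccountControl

foreach ($acct in $trustAccounts) {
    # primaryGroupId is a RID; the group's SID is <domain SID>-<RID>.
    $groupSid = '{0}-{1}' -f $domainSid, $acct.primaryGroupID
    $group = Get-ADGroup -Identity $groupSid -ErrorAction SilentlyContinue

    $groupName = if ($group) { $group.Name } else { "<unresolved RID $($acct.primaryGroupID)>" }

    [pscustomobject]@{
        TrustAccount   = $acct.sAMAccountName
        PrimaryGroupId = $acct.primaryGroupID
        PrimaryGroup   = $groupName
        # True only when the account sits in one of the two new trust groups.
        InTrustGroup   = $protectiveGroups -contains $groupName
    }
}
```

Run it before and after moving the PDC emulator to a 2025 DC and diff the output: the external and forest trust accounts should flip from their previous primary group to the matching new group, while intra-forest trust accounts should not change. If an account shows an unresolved RID, the group the RID points at does not exist in the domain, which is worth investigating before assuming the protection is in place.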
- Nannnu (Copper Contributor): Also, great event, really appreciate this. Can you also add some examples for the new replication priority boost functionality?
- Jiajing_Zhu (Microsoft): This functionality provides a method to alter the built-in replication priorities among DCs, to make the replication order better fit some special customer scenarios. Examples where a customer may want to change the priorities: 1. For a topology with one primary site that takes originating writes and several other sites that back up the data, changes happening in the primary site are more important than the internal replication flows among the backup sites, so we may want to increase the replication priority with the bridgehead DCs. 2. Unimportant changes happening in system NCs that may delay replication in the domain NC. 3. Over-the-wire installation for a large DIT. It is more efficient to stick to a single source DC by increasing the replication priority with this DC.
- Nannnu (Copper Contributor): Are there any fixes planned for schema change events only going to DS schema type events like 1898 and 1899 and not creating 5136 events? Very difficult to correlate because they go into different event logs, but also schema modification events (unlike creation) don't even tell you what attribute was modified, for example the description (in the 1898 event).
- Wayne_McIntyre (Microsoft): Hi Narayanan, I just checked the code and did a quick test, and the 1898 event (schema modification) includes the schema object being modified. Internal event: The following schema object was modified. Schema object: CN=account,CN=Schema,CN=Configuration,DC=Contoso,DC=com
- Nannnu (Copper Contributor): Well, my bad, putting it in the wrong words. I meant the attribute.
- Cribbster (Copper Contributor): It may seem small, but I really, really do like the new dMSA feature. An ingenious way of helping customers to address the security nightmare that is ordinary service accounts. Bravo! 🙂
- Cribbster (Copper Contributor): As a follow-on to this: What will the requirements be for us to be able to use this feature? Will it require DFL (or FFL) vNext? Will it require the member servers where the service account is being used to be running Windows Server vNext? Or will it only require one DC running Windows Server vNext?
- Lindakup (Microsoft): There is no DFL/FFL requirement (we like to avoid that at all costs because we know it prevents adoption); however, the machines involved in the authentication flow will need to be running some new code to take advantage of the new feature. Those details are still being worked on.
- GiManzo (Microsoft): Thank you mates, great session and demo, I look forward to exploiting the new features! Active Directory, since 1999, our NeverEnding Story! 🙂
- KrazeyKami (Copper Contributor): Good times GL... 🙂
- ZaferBalkan (Brass Contributor): I will try to give a link to a discussion we had a long time ago: https://old.reddit.com/r/activedirectory/comments/ozg8v2/active_directory_feedback/
  * KRBTGT account password reset built in, without using 3rd-party scripts. A sane and simple PowerShell module and an integrated GUI, just a window, would be great.
  * The most googled question for AD objects: the creator's and modifier's name. And the answer is always "check your event log". But those events are not even turned on by default. AD desperately needs creatorsName and modifiersName attributes.
- Cliff_Fisher (Microsoft): We appreciate the feedback.
- Char_Cheesman (Bronze Contributor): Thanks for joining us! We hope you enjoyed this session. If you missed the live broadcast, don't worry, you can watch it on demand. And we'll continue to answer questions here in the chat through the end of the week. There's more great content in store at the Microsoft Technical Takeoff! What do you like about the event so far? Share your feedback and help shape the direction of future events on the Tech Community!
- Cliff_Fisher (Microsoft): We would love to hear your feedback! Please fill out the evaluation at https://aka.ms/ADTechTakeOff. Thank you!
- Cliff_Fisher (Microsoft): Links to the bonus demos mentioned in the presentation:
  * https://aka.ms/ADTTDcLocPerfDemo
  * https://aka.ms/ADTT32kpagesdemo
  * https://aka.ms/adttLsaLookupDemo
  * https://aka.ms/adttLdapPerfDemo
  * https://aka.ms/adttdcLocatorDemo