Event banner

What's new in Active Directory

Event Ended
Tuesday, Nov 28, 2023, 10:00 AM PST
Online

Event details

Lean in as software developers from the Active Directory software engineering team dive into the latest improvements in Active Directory. We'll cover key areas of investment including scalability, security, and supportability and show you the enhancements we're making to help keep you more secure and productive!

 

This session is part of the Microsoft Technical Takeoff: Windows + Intune. Add it to your calendar, RSVP for event reminders, and post your questions and comments below! This session will also be recorded and available on demand shortly after conclusion of the live event.
Char_Cheesman
Updated Dec 27, 2024
Technical Takeoff
  • AndrewPrior's avatar
    AndrewPrior
    Brass Contributor
    Nov 29, 2023
    Seen the video on migrating a service account to a dMSA. My understanding is that you need the schema updates (89 and 90). but what other requirements would be required if you want to use this on a domain running 2019 wit DFL and FFL set at 2016? Does DFL and FFL need to be set to 2025 to use this and would we require any 2025 domain controllers and if so, would we need jsut 1 or would teh whole domain need to be running 2025 DCs?
    • Wayne_McIntyre's avatar
      Wayne_McIntyre
      Icon for Microsoft rankMicrosoft
      Nov 29, 2023
      DFL/FFL needs to only be at 2016 - - You will need at least one DC running 2025 per domain. There are also changes to the client auth flow, and those details are still being worked on.
      • Kumar's avatar
        Kumar
        Occasional Reader
        Jul 01, 2024
        To experiment with dMSA, I installed Windows Server 2025 Preview DC in a domain. I would appreciate your help with a few questions: 1. Do we need to create dMSA on a server where it is used by the service? 2. Does the server need to be a DC, or can it be a member server? 3. What GPO changes, specifically for Kerberos, are required for dMSA to work and be able to migrate a legacy service account? Thank you in advance. 
  • Nannnu's avatar
    Nannnu
    Copper Contributor
    Nov 28, 2023
    When the pDC is moved to the new 2025 (Vnext DC) , a new group is created "Forest Trust Accounts" . Any special reason for this group or anything we should be aware of ?
      • Lindakup's avatar
        Lindakup
        Icon for Microsoft rankMicrosoft
        Nov 29, 2023
        Robin is correct, this is part of a security improvement for trusts. There are actually 2 new groups related to trusts - External Trust Accounts and Forest Trust Accounts. These are set as the primary group for corresponding trust account as a protection mechanism for trusts. These groups operate in the same way as other well known groups - like 'Domain Controllers' for example in the sense that membership is a result of the primaryGroupId attribute. Note that these don't apply to intra-forest trusts. They are for external and forest trusts respectively and should be left alone. This was not part of the session because this session covered 'some' of the features and improvements - not all. There was just not enough time to cover everything in the 25mins we had and there is work that has also not made it to insider preview. So you may see other new things we did not yet mention as time goes along and we intend to document it all before the final release.
  • Nannnu's avatar
    Nannnu
    Copper Contributor
    Nov 28, 2023
    Also great event , really appreciate this , can you also add some examples for the new replication priority boost functionality
    • Jiajing_Zhu's avatar
      Jiajing_Zhu
      Icon for Microsoft rankMicrosoft
      Nov 28, 2023
      This functionality provides a method to alter the built-in replication priorities among DCs, to make the replication order better fit some special customer scenarios. Examples that customer may want to change the priorities: 1. For the topology of one primary site to take originating writes and several other sites to backup the data, changes happening in primary site are more important than the internal replication flows among backup sites, that we may want to increase the replication priority with bridgehead DCs. 2. Non important changes happening in system NCs, that may delay the replication in domain NC. 3. Over the wire installation for big size DIT. It is more efficient to stick to a single source DC by increasing the replication priority with this DC.
  • Nannnu's avatar
    Nannnu
    Copper Contributor
    Nov 28, 2023
    Is there any fixes planned for schema change events only going to DS schema type events like 1898 and 1899 and not creating 5136 events. Very difficult to correlate because they go into different event but also schema modification events (unlike creation) don’t even tell you what attribute was modified , example description (in the 1898 event)
    • Wayne_McIntyre's avatar
      Wayne_McIntyre
      Icon for Microsoft rankMicrosoft
      Nov 28, 2023
      Hi Narayanan, I just checked the code and did a quick test and 1898 event (schema modification) includes the schema object being modified. Internal event: The following schema object was modified. Schema object: CN=account,CN=Schema,CN=Configuration,DC=Contoso,DC=com
      • Nannnu's avatar
        Nannnu
        Copper Contributor
        Nov 28, 2023
        Well my bad putting it in wrong words I meant the attribute
  • Cribbster's avatar
    Cribbster
    Copper Contributor
    Nov 28, 2023
    It may seem small, but I really, really do like the new DMSA feature. An ingenious way of helping customers to address the security nightmare that is ordinary service accounts. Bravo! 🙂
    • Cribbster's avatar
      Cribbster
      Copper Contributor
      Nov 29, 2023
      As a follow on to this: What will the requirements be for us to be able to use this feature? Will it require DFL (or FFL) vNext? Will it require the member servers where the service account is being used to be running Windows Server vNext? Or will it only require one DC running Windows Server vNext?
      • Lindakup's avatar
        Lindakup
        Icon for Microsoft rankMicrosoft
        Nov 29, 2023
        There is no DFL/FFL requirement (we like to avoid that at all costs because we know it prevents adoption) however, the machines involved in the authentication flow will need to be running some new code to take advantage of the new feature. Those details are still being worked on.
  • GiManzo's avatar
    GiManzo
    Icon for Microsoft rankMicrosoft
    Nov 28, 2023
    Thank you mates, great session and demo, I look forward for exploiting the new features! Active Directory, since 1999, our NeverEnding Story ! 🙂
  • ZaferBalkan's avatar
    ZaferBalkan
    Brass Contributor
    Nov 28, 2023
    I will try to give a link to a discussion we had long time ago. https://old.reddit.com/r/activedirectory/comments/ozg8v2/active_directory_feedback/ * KRBTGT Account Password Reset built-in without using 3rd Party scripts. A sane and simple PowerShell module and an integrated GUI, just a window, would be great. * The most googled question for AD Objects: Creator's and modifier's name. And the answer is always "check your event log". But those events are not even turned on by default. AD desperately needs creatorsName and modifiersName attributes.
  • Char_Cheesman's avatar
    Char_Cheesman
    Bronze Contributor
    Nov 28, 2023

    Thanks for joining us! We hope you enjoyed this session. If you missed the live broadcast, don’t worry – you can watch it on demand. And we’ll continue to answer questions here in the chat through the end of the week. There's more great content in store at the Microsoft Technical Takeoff! What do you like about the event so far? Share your feedback and help shape the direction of future events on the Tech Community!

Date and Time
Nov 28, 202310:00 AM - 10:30 AM PST