
Windows Server 2025: New Active Directory features

Windows Server 2025 offers new features for Active Directory (AD DS) and Active Directory Lightweight Domain Services (AD LDS) for the first time in a long time. With the new features, Active Directory scales better even in very large environments and brings additional improvements for security and stability.

Optional function for 32k database page size

Since the introduction of Active Directory in Windows 2000, a database called Extensible Storage Engine (ESE) or JET Blue has been used, which stores data in 8k pages. This 8k structure led to certain restrictions, for example that a single AD object may not be larger than 8k bytes. The switch to a new 32k page format removes many of these old limitations. For example, multi-value attributes can now store up to around 3200 values. The optional feature can be activated once all domain controllers are running Windows Server 2025. The following command shows the current database page size of each DC (SearchBase must be adjusted accordingly):

Get-ADObject -LDAPFilter "(ObjectClass=nTDSDSA)" -SearchBase "CN=Configuration,DC=frankysweblab,DC=de" -properties msDS-JetDBPageSize | FL distinguishedName,msDs-JetDBPageSize

The database page size can be increased to 32k with the following command:

$params = @{
    Identity = 'Database 32k pages feature'
    Scope = 'ForestOrConfigurationSet'
    Server = 'DC1'
    Target = 'frankysweblab.de'
}
Enable-ADOptionalFeature @params
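As an added example (not from the original post), the following script performs the prerequisite check before enabling the feature: it reads msDS-JetDBPageSize from every DC's nTDSDSA object, looks up the operating system of each DC, and only then runs Enable-ADOptionalFeature with -WhatIf. The attribute and feature names are taken from the post; the DN layout (CN=NTDS Settings below the server object) is a standard AD assumption.

```powershell
# Added example: check all DCs before enabling 'Database 32k pages feature'
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext

# One nTDSDSA object ("NTDS Settings") per DC lives under the Sites container
$dsaObjects = Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' -SearchBase $configNC `
    -Properties 'msDS-JetDBPageSize'

$report = foreach ($dsa in $dsaObjects) {
    # The server object is the parent of the NTDS Settings object (assumed layout)
    $serverDN = $dsa.DistinguishedName -replace '^CN=NTDS Settings,', ''
    $server   = Get-ADObject -Identity $serverDN -Properties dNSHostName
    $dc       = Get-ADDomainController -Identity $server.dNSHostName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DC       = $server.dNSHostName
        OS       = $dc.OperatingSystem
        PageSize = $dsa.'msDS-JetDBPageSize'   # empty on DCs that never exposed the attribute
    }
}
$report | Format-Table -AutoSize

# The post's precondition: every DC must already run Windows Server 2025
$notReady = @($report | Where-Object { $_.OS -notlike 'Windows Server 2025*' })
if ($notReady.Count -gt 0) {
    Write-Warning ("Feature not enabled; DCs not on Windows Server 2025: " + ($notReady.DC -join ', '))
    return
}

# Do not re-enable a feature that is already active in the forest
$feature = Get-ADOptionalFeature -Identity 'Database 32k pages feature'
if ($feature.EnabledScopes.Count -gt 0) {
    'Database 32k pages feature is already enabled.'
    return
}

# Dry run; remove -WhatIf to actually enable the feature
Enable-ADOptionalFeature -Identity 'Database 32k pages feature' `
    -Scope ForestOrConfigurationSet -Target (Get-ADForest).Name -WhatIf
```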

New DCs with 32k-page database

New domain controllers (DCs) can now be installed with a 32k-page database that uses 64-bit IDs and runs in "8k-page mode" to remain compatible with older versions. An existing DC retains its current 8k-page database format. However, to switch to 32k database pages, all DCs in the forest must have a 32k-capable database.

AD schema updates

A schema update is required before the new features can be used. Three new LDIF files (sch89.ldf, sch90.ldf and sch91.ldf) extend the AD schema. For AD LDS, the matching updates are contained in the file MS-ADAM-Upgrade3.ldf. The schema update files are located on the Server 2025 ISO in the folder "support\adprep".

The schema update can be executed with the following commands:

adprep /forestprep
adprep /domainprep

AD object repair

AD now allows domain admins to repair objects that are missing important attributes such as SamAccountType and ObjectCategory. These repairs are made via a new function called fixupObjectState.

Channel Binding Audit support

The event log events 3074 and 3075 can now be enabled for LDAP channel binding. When the channel binding setting is tightened, an administrator can see which devices in the network do not support channel binding or have problems with it.
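As an added example (not from the original post), this script collects events 3074 and 3075 from a DC's Directory Service log and groups them by client address, so that the devices with channel binding problems can be listed before enforcement is turned on. The exact message layout of these events is not documented in the post, so the client address is extracted with a generic IPv4/IPv6 regex; that regex and the 7-day window are assumptions to adjust.

```powershell
# Added example: summarise LDAP channel binding audit events per client
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Directory Service'
    Id        = 3074, 3075                  # the two audit events named in the post
    StartTime = (Get-Date).AddDays(-7)      # assumed reporting window
} -ErrorAction SilentlyContinue

if (-not $events) {
    'No channel binding audit events (3074/3075) found in the last 7 days.'
    return
}

# Assumption: the event text contains the client's IP address; pick the first one.
$ipPattern = '(?<ip>(?:\d{1,3}\.){3}\d{1,3}|(?:[0-9a-fA-F]{1,4}:){2,7}[0-9a-fA-F]{0,4})'

$rows = foreach ($e in $events) {
    $m = [regex]::Match($e.Message, $ipPattern)
    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Client  = if ($m.Success) { $m.Groups['ip'].Value } else { 'unknown' }
    }
}

# One line per client and event id, most frequent offenders first
$rows | Group-Object Client, EventId |
    Select-Object @{ n = 'Client';   e = { $_.Group[0].Client } },
                  @{ n = 'EventId';  e = { $_.Group[0].EventId } },
                  Count,
                  @{ n = 'LastSeen'; e = { ($_.Group | Measure-Object Time -Maximum).Maximum } } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Run it on each DC (or pass -ComputerName to Get-WinEvent), because the events are logged on the DC that received the LDAP bind.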

Improvements to the DC location algorithm

The DC locator algorithm helps computers in the network find the nearest domain controller (DC) to handle their authentication requests.

In the new version this algorithm has been improved: it can now distinguish better between the shorter NetBIOS domain name (e.g. "frankysweblab") and the DNS domain name (e.g. "frankysweblab.de") and map them correctly.

Forest and domain functional level

The new Active Directory functional levels provide support for the new features and are required in order to use the new 32k database page size. The new functional levels have the version number 10 for DomainLevel and ForestLevel.
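As an added example (not from the original post) covering both the schema update above and the functional levels described here, the following script reads the raw RootDSE values instead of the AD module's enum names, so it works even with an older RSAT version that does not know the Server 2025 level. Expected values are assumptions: 91 for the schema objectVersion after sch91.ldf has been applied, and 10 for the functional levels as stated in the post.

```powershell
# Added example: verify schema version and functional level versions via RootDSE
$rootDse  = [ADSI]'LDAP://RootDSE'
$schemaNC = $rootDse.schemaNamingContext.Value
$schema   = [ADSI]"LDAP://$schemaNC"

# Expected values are assumptions (see lead-in)
$expectedSchemaVersion = 91
$expectedLevel         = 10

$checks = @(
    [pscustomobject]@{ Check = 'Schema objectVersion';          Actual = [int]$schema.objectVersion.Value;                 Expected = $expectedSchemaVersion }
    [pscustomobject]@{ Check = 'forestFunctionality';           Actual = [int]$rootDse.forestFunctionality.Value;           Expected = $expectedLevel }
    [pscustomobject]@{ Check = 'domainFunctionality';           Actual = [int]$rootDse.domainFunctionality.Value;           Expected = $expectedLevel }
    [pscustomobject]@{ Check = 'domainControllerFunctionality'; Actual = [int]$rootDse.domainControllerFunctionality.Value; Expected = $expectedLevel }
)

# Ok = the value is at least the expected one; a lower value means adprep or the
# level raise (Set-ADForestMode / Set-ADDomainMode) is still outstanding
$checks |
    Select-Object Check, Actual, Expected, @{ n = 'Ok'; e = { $_.Actual -ge $_.Expected } } |
    Format-Table -AutoSize
```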

Improved algorithms for name/SID lookups

Name and SID lookups forwarded between computers no longer run over the legacy Netlogon channel. Instead, Active Directory now uses Kerberos authentication and the DC locator algorithm for this.

Improved security for confidential attributes

DCs and AD LDS instances only allow LDAP clients to add, search for and modify confidential attributes when the connection is encrypted.

Improved security for standard computer account passwords

Active Directory now uses randomly generated default passwords for computer accounts. Windows Server 2025 DCs prevent computer accounts from being created with a default password equal to the computer account name.

Kerberos PKINIT support for cryptographic agility

The implementation of Kerberos Public Key Cryptography for Initial Authentication (PKINIT) has been updated to enable cryptographic agility: it supports more algorithms and no longer relies on hard-coded ones.

LAN Manager GPO setting

The GPO setting "Network security: Do not save LAN Manager hash value on next password change" is no longer available or applicable in new versions of Windows.

LDAP encryption by default

After SASL authentication, all LDAP client communications use LDAP sealing by default.

LDAP support for TLS 1.3

LDAP uses the latest SCHANNEL version and supports TLS 1.3 for LDAP over TLS connections.

Obsolete SAM-RPC password change behavior

Secure protocols such as Kerberos are the preferred method for changing domain user passwords. The latest SAM-RPC password change method, SamrUnicodeChangePasswordUser4 with AES, is supported by default.

NUMA support

AD DS now takes advantage of NUMA-capable hardware by using CPUs from all processor groups.

Performance Counter

New performance counters are available for monitoring and troubleshooting.

Replication priority

Replication priority allows administrators to increase the system-calculated replication priority for a specific replication partner and naming context. This feature provides more flexibility when configuring the replication order for specific scenarios.
