Windows Server 2025 Active Directory New Features

Windows Server 2025 contains many great new improvements from previous versions of Windows Server. One of the areas where we are seeing many new features and capabilities introduced is Active Directory, including a new domain functional level and forest functional level. In this post, we will take a deep dive into Windows Server 2025 new Active Directory features in the latest release.

New domain and forest functional level version

One of the new features of Windows Server 2025 Active Directory Features is a new domain functional level and forest functional level. To introduce a Windows Server 2025 domain controller, you will need to have at least a Windows Server 2016 Active Directory functional level for integration into the domain. Like before you will bring in a 2025 DC and then plan your migration to 2025 native.

The domain functional levels and forest functional levels offer admins more administrative control. It helps to deploy new domain controllers within an existing domain. It also helps with current and upcoming support for Windows clients like Windows 11 and beyond. Also, including features like Storage Spaces Direct and enhancements in AD LDS will just continue to improve Windows Server 2025’s domain management and security.

The new Windows Server 2025 functional level is needed to take advantage of some of the new features we will talk about below, like 32K page mode, NUMA support, and DMSA service accounts. 

Below is a screenshot of the DCPROMO process running on a newly installed Windows Server Datacenter server running as a lab domain controller. You will see this in the latest releases of the Windows Server vNext download Server operating systems.

Security improvements

Jumping right in, one of the first new things to note with Windows Server 2025 Active Directory are the new security improvements it contains. 

The new security enhancements include:

• “Protected Users Group”
• LDAP channel binding improvements
• AES encryption method for LDAP communication

Delegated Managed Service Accounts (DMSA)

This feature will greatly improve how admins manage service accounts by enabling automatic password management and help admins transition to a more secure stance with their service accounts. 

It helps with the age-old problem of security challenges associated with static passwords and manual management of these often very privileged service accounts. It provides an automated solution for service account management.

Quick tutorial on created a DMSA service account

You can create a DMSA service account fairly easily. Note the following PowerShell commands:

New-ADServiceAccount -CreateDelegatedServiceAccount -KerberosEncryptionType AES256 -Name DMSA-Demo -DNSHostName win2025dc1.win2025.local

Start-ADServiceAccountMigration -Identity DMSA-Demo "CN=MyService,OU=ServiceAccounts,DC=win2025,DC=local"

LDAP Signing and Channel Binding Enhancements 

By enforcing LDAP signing and channel binding as default settings, Windows Server 2025 strengthens the security posture of domain AD communications. It helps to prevent credential relaying attacks and ensure AD communications are securely encrypted and authenticated.

Kerberos Authentication Strengthening: 

The Kerberos protocol now includes AES SHA-256 and 384 support which will improve the cryptographic strength and flexibility of AD authentication. This update is part of a broader initiative to improve PKInit and cryptographic capabilities inside the Kerberos framework.

Jet 32k Page database format and Numa Support

The introduction of the Jet 32k database page size is a significant improvement in Windows Server 2025 Active Directory, especially for large customers in their environment with many DCs. It allows for more efficient storage and retrieval of AD objects. 

Active Directory relies on the Extensible Storage Engine (ESE), also known as the Jet Blue database engine, to manage the storage of directory information. The ESE organizes data into pages, which are the basic storage units within the database. 

In previous versions of Active Directory, these pages have been 8K in size. This has been a constraint that leads to limitations for some organizations that have thousands of domain controllers and Active Directory database files that are hundreds of gigabytes in size.

Advantage of 32k pages

Microsoft says that moving to 32k pages allows for 4x the amount of data that can be stored on a single page. Note the following benefits to Windows Server 2025 Active Directory 32k pages:

1. Reduced Page Fragmentation: Larger page sizes mean that more data can be stored together (contiguously). It reduces Active Directory fragmentation (remember the principles of disk defragmenter). The fewer disk I/O operations required to read or write data which leads to better Active Directory performance.
2. Better storage of large objects: Active Directory environments, especially in large enterprises, may need to manage objects with many attributes or large amounts of data. With 32k pages, the Jet Database can house larger objects much more efficiently. It minimizes the need for complex data structures that span multiple pages or require off-page storage.
3. Improved Database Scalability: As organizations grow, their Active Directory data grows too. The increased page size allows the Jet Database to scale more effectively and support large AD datasets. Organizations with massive networks and objects will benefit from these improvements.
4. Optimized for Modern Hardware: The 32K page size is better suited for modern hardware with large memory configurations and allows Active Directory to make use of available resources for improved efficiency and throughput.

Active Directory NUMA support

Windows Server 2025’s Active Directory enhancements include support for NUMA with modern CPUs. This new feature allows for the taking advantage of modern server hardware. By recognizing and optimizing for NUMA configurations, Windows Server 2025 ensures that Active Directory can use the full computational power and memory resources of the underlying hardware. This will no doubt improve the performance of directory services on large-scale deployments.

NUMA Support Windows Server 2025: What’s New?

1. Optimized Processor and Memory Utilization: The new NUMA support in Windows Server 2025 enables Active Directory to intelligently distribute its workload across the available processor groups and memory nodes. With this, AD will not be bottlenecked by memory access delays. Like NUMA benefits in virtualization, overall system responsiveness and throughput will improve for Active Directory.
2. Improved Scalability for Large Deployments: For enterprises with extremely large AD infrastructures, the ability to scale up and efficiently manage a growing number of user accounts, computer objects, and resource allocations is extremely important. NUMA support allows Active Directory to better handle large volumes of simultaneous requests by minimizing cross-node memory access. It will reduce latency and increase scalability.
3. Enhanced Performance in Virtualized Environments: Many organizations deploy Active Directory within virtualized environments to take advantage of resource isolation, ease of management, and cost savings. Windows Server 2025’s enhanced NUMA support will extend to virtualized instances of Active Directory. These will benefit from ensuring that even in a virtual machine context, AD can leverage NUMA optimizations.
4. Tailored Configuration and Management: Administrators have the flexibility to configure NUMA settings according to their specific hardware and workload requirements. This includes the ability to enable or disable NUMA spanning, adjust memory allocation policies, and optimize processor affinity settings for Active Directory processes. These configuration options are accessible via Windows Server 2025’s management tools, providing granular control over how AD interacts with the server hardware.

Combined with NUMA awareness, it will mean AD can fully utilize the CPU resources of modern hardware and overcome previous performance challenges.

Replication Priority Boost

The new replication priority boost feature gives admins fine-grained control over the AD replication process. They can control the efficiency and reliability of data synchronization across distributed environments and domain controllers. 

Note the following features:

• User interface to boost the priority of a replication partner
• Add boost factor on top of system calculated priority
• Administrator manipulated feature

New Active Directory Schema

The active directory scheme has received a major overhaul in schema functionality and features.

Key enhancements include:

• NUMA Support Windows Server: Optimizing performance for domain controllers by efficiently utilizing processor groups.
• Forest and Domain Functional Levels: New functional level versions ensure compatibility and leverage new AD features across the existing infrastructure.
• ESE Database Engine Upgrade: The Jet Blue engine’s improvements enhance the storage and retrieval of AD objects, aligning with the ESE database’s current format requirements.

With the new functional level version, there are schema version updates.

New monitoring tools

Server 2025 introduces a suite of performance counters and monitoring tools to aid administrators in managing and troubleshooting AD environments.

Performance Counters: New performance counters for LDAP client activities, DC locator operations, and name-to-SID lookups will help admins understand the function of AD services. These counters can help identify and troubleshoot performance bottlenecks. It can also help verify security and TLS 1.3 authorization and smooth AD operations across the enterprise.

DC Locator and LDAP Client Enhancements: Active Directory in Windows Server 2025 has improvements to the DC locator mechanism and enhanced monitoring of LDAP client interactions. With this, administrators have tools to optimize AD performance and reliability. 

Other general Windows Server 2025 benefits for domain controllers

With Windows Server 2025 in general, Microsoft is introducing hotpatching for the operating system as part of a subscription service with Azure Arc and Microsoft’s cloud service.

Windows Server 2025 domain controllers can also take advantage of the general improvements in Windows Server 2025 storage technologies for NVMe drives, group policy, DNS, and virtualization for domain controllers.

Enhanced security with server message block (SMB) across the network and Hyper-V in general will also enhance domain controller functionalities. 

Windows Server 2025 vs Windows Server 2022

You can take a look at my documentation here on Windows Server 2025 vs Windows Server 2022 in my recent post here: Windows Server 2025 vs Windows Server 2022.

Wrapping up

Windows Server 2025 contains many great new Active Directory features and capabilities that span security, scalability, and performance improvements. Several standout features will have many practical benefits. The 32k pages will definitely be a welcome change for extremely large organizations that may struggle with AD performance today. I also think the option of delegated managed service accounts (DMSA) will be a game-changer in how admins and organizations configure their service account objects for servers compared to legacy methods.

Let me know in the comments for this article what you think about the new Active Directory features in Windows Server 2025. I would be curious to know if these features are ones that would benefit your environment.