Windows Server Summit 2026 | Part 17: Modernize AD for hybrid identity in Windows Server 2025

Reading time: 4 minutes


Active Directory is the most important server role in Windows Server and is used by many organizations for user management and authentication. When combined with Entra ID, the user directory in the Microsoft Cloud, it also allows you to create hybrid identities—that is, user accounts that can be used in both environments.

Active Directory itself has not received many new features in recent years. However, Windows Server 2025 introduced several new features, primarily focused on improving security.

This article covers new features for Active Directory that are already available and those coming soon.

Recap

The improvements made so far are based on three pillars. Rather than listing all the changes discussed at the meeting, we will highlight a few key points:

  • SECURITY
    • LDAP encryption enabled by default
    • Support for TLS 1.3 in LDAP
  • CLOUD ENABLEMENT
    • Additional features for Windows LAPS (e.g., support for passphrases and password recovery even in disaster scenarios)
  • SUPPORTABILITY
    • 32 KB page size for the NTDS database
    • Delegated managed service accounts
    • Credential Guard enabled by default

Modernizing Active Directory for hybrid management

Microsoft is currently investing heavily in features that enable cloud-based management of on-premises infrastructure and help modernize that infrastructure.

Entra Cloud Source of Authority Lockdown for AD

In recent months, new features have been added to manage objects in the cloud. The underlying functionality is known as “Source of Authority” (SoA). This makes it possible to manage objects synchronized from Active Directory using modern cloud services.

With SoA, the synchronization direction is reversed—objects are modified in the cloud, and the changes are transferred to Active Directory via Entra cloud synchronization. This makes it possible, for example, to use Entra ID for identity and access management and to utilize all the features available for this purpose, such as

  • Access reviews for verifying and automatically cleaning up group memberships
  • Time- and role-based access control via Entra Privileged Identity Management
  • Mapping of Joiner/Mover/Leaver processes with Entra ID Governance

Modification of local objects is then blocked to prevent accidental changes and potential inconsistencies.

New LDAP events and logging

Some applications still use LDAP for authentication. New LDAP events are now available to help identify such applications more quickly. These events can be read using existing third-party solutions or PowerShell (as well as manually).

However, they must be enabled manually via a registry value.
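As an added illustration (not code from the article or from Microsoft), the following PowerShell enables LDAP interface diagnostics on a domain controller and summarises which clients raise LDAP events in the Directory Service log. It assumes the long-standing "16 LDAP Interface Events" diagnostics value under the NTDS key as the enabling registry value and uses the existing event 2889 (unsigned/simple LDAP bind) as the default ID; the article does not name the Windows Server 2025 event IDs, so pass those from Microsoft's documentation via -EventIds.

```powershell
# Added example: enable LDAP interface events on a DC and report clients per event ID.
# Assumptions: registry value '16 LDAP Interface Events' (level 2 = per-client events);
# 2889 is the pre-existing "bind without signing" event; the new WS2025 IDs are not
# given in the article and must be supplied by the caller.
param(
    [int[]] $EventIds = @(2889),
    [int]   $Hours    = 24
)

$ntdsDiag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Enable-LdapInterfaceEvents {
    # Level 0 (default) logs nothing; level 2 logs one event per affected client bind.
    Set-ItemProperty -Path $ntdsDiag -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

function Get-LdapEventSummary {
    param([int[]] $Ids, [int] $LookbackHours)
    $filter = @{
        LogName   = 'Directory Service'
        Id        = $Ids
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The event text carries the client as "ip:port"; keep only the address.
            $m = [regex]::Match($_.Message, '(\d{1,3}(?:\.\d{1,3}){3}):\d+')
            [pscustomobject]@{
                EventId = $_.Id
                Client  = if ($m.Success) { $m.Groups[1].Value } else { 'unknown' }
                Time    = $_.TimeCreated
            }
        } |
        Group-Object EventId, Client |
        ForEach-Object {
            [pscustomobject]@{
                EventId  = $_.Group[0].EventId
                Client   = $_.Group[0].Client
                Count    = $_.Count
                LastSeen = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
            }
        } | Sort-Object Count -Descending
}

Enable-LdapInterfaceEvents
Get-LdapEventSummary -Ids $EventIds -LookbackHours $Hours | Format-Table -AutoSize
```

The resulting list of client addresses is the starting point for finding the applications the article mentions and moving them to Kerberos or signed LDAP.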

Repair object integrity

If an object is damaged for any reason, for example because critical attributes have been deleted, it could until now only be restored from a backup. Windows Server 2025 now offers the ability to repair such objects in place. This saves valuable time, as there is no longer a need to perform a time-consuming restore.

Directory corruption recovery

On a larger scale, Windows Server 2025 now also makes it possible to detect major corruption in the Active Directory database and, for example, repair invalid object references. This helps reduce replication and consistency issues.

Enhancements for the AD database and challenges

Integrating cloud services introduces additional requirements for security groups and the attributes used to assign access rights. These requirements can no longer be adequately met with the existing database page size in Active Directory.

For these reasons, the maximum page size of the Jet (ESE) based AD database has been increased from 8 KB to 32 KB. This significantly improves scalability. However, after an upgrade to 2025, domain controllers will initially continue to use the old size. Only once all domain controllers have been upgraded to 2025 can the larger page size be enabled as an optional AD feature.

Delegated group managed service accounts

Service accounts are used to provide applications and systems with the ability to authenticate against Active Directory. These are generic accounts that are not used for interactive logins (e.g., by a user).

The following types are distinguished:

| Service account type | Abbreviation | Description | Password management |
|---|---|---|---|
| Unmanaged | uMSA | Standard, general-purpose user account | Manual, by IT |
| Standalone managed | sMSA | Special service account for use on a system | Automatic, by Active Directory |
| Group managed | gMSA | Special service account for use on any system | Automatic, by Active Directory |
| Delegated managed | dMSA | A special service account for use on any system; intended to replace unmanaged service accounts | Automatic, by Active Directory |

Most companies typically use a combination of these types, with uMSA and gMSA being the most common. The new dMSA type is now intended to help phase out unmanaged user accounts while offering a higher level of security than gMSA. This is achieved, for example, by ensuring that the account password is no longer transmitted but remains stored in Active Directory.
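As an added example (not from the article or from Microsoft's documentation), this PowerShell creates a dMSA, restricts it to the server that will run the service, and migrates a legacy unmanaged service account to it. Account and host names are constructed; it assumes the Windows Server 2025 ActiveDirectory module with -CreateDelegatedServiceAccount and the Start-/Complete-ADServiceAccountMigration cmdlets, an existing KDS root key, and the msDS-DelegatedMSAState attribute for checking progress.

```powershell
# Added example: create a dMSA and migrate a legacy uMSA to it.
# Assumptions: names are constructed; cmdlets/parameters are those of the
# Windows Server 2025 ActiveDirectory module; a KDS root key already exists.
Import-Module ActiveDirectory

$dmsaName   = 'svc-web-dmsa'   # constructed dMSA name
$legacyName = 'svc-web'        # constructed uMSA to be phased out
$hosts      = @('WEB01$')      # computer accounts allowed to use the dMSA

function New-DelegatedServiceAccount {
    param([string] $Name, [string[]] $AllowedHosts)
    # AES-only Kerberos, in line with the NTLM-less direction described in the article.
    New-ADServiceAccount -Name $Name `
        -DNSHostName "$Name.$((Get-ADDomain).DNSRoot)" `
        -CreateDelegatedServiceAccount `
        -KerberosEncryptionType AES256 `
        -PrincipalsAllowedToRetrieveManagedPassword $AllowedHosts
}

function Invoke-ServiceAccountMigration {
    param([string] $Dmsa, [string] $Legacy)
    # Phase 1: the dMSA takes over the legacy account's permissions while the
    # legacy account keeps working, so services can be switched over one by one.
    Start-ADServiceAccountMigration -Identity $Dmsa -ServiceAccount $Legacy
    # Phase 2: run only after every service uses the dMSA; the legacy account
    # is disabled and its manually managed password is no longer usable.
    Complete-ADServiceAccountMigration -Identity $Dmsa -ServiceAccount $Legacy
}

function Get-MigrationState {
    param([string] $Dmsa)
    # msDS-DelegatedMSAState: 0 = none, 1 = migration started, 2 = completed.
    (Get-ADServiceAccount -Identity $Dmsa -Properties 'msDS-DelegatedMSAState').'msDS-DelegatedMSAState'
}

New-DelegatedServiceAccount -Name $dmsaName -AllowedHosts $hosts
Invoke-ServiceAccountMigration -Dmsa $dmsaName -Legacy $legacyName
Get-MigrationState -Dmsa $dmsaName
```

Because the dMSA's password is never handed to the service, there is no manual secret left to rotate or leak once the migration is completed.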

NTLM-less

Microsoft is currently making significant efforts to remove the outdated NTLM authentication protocol from Active Directory and allow only Kerberos with modern algorithms. As a result, it is already disabled by default in new installations (i.e., those without an existing domain).

In existing environments, however, IT must ensure that all applications and systems support Kerberos authentication.

However, there has been a problem so far—Kerberos can only be used by systems that are part of Active Directory. Individual workgroup servers have therefore only been able to use NTLM authentication until now. Likewise, Kerberos authentication requires a direct connection between the system and a domain controller.

However, both of these issues will soon be a thing of the past—with the introduction of the following improvements:

  • IAKerb enables Kerberos authentication without requiring the system to have a direct connection to the domain controller
    • Windows Insider builds starting with 26H2 will include this feature!
  • LocalKDC enables the use of Kerberos for systems outside of Active Directory

