{"id":4594,"date":"2025-09-18T20:03:00","date_gmt":"2025-09-19T00:03:00","guid":{"rendered":"https:\/\/adsecurity.org\/?p=4594"},"modified":"2025-09-15T11:13:51","modified_gmt":"2025-09-15T15:13:51","slug":"active-directory-security-tip-6-domain-controller-operating-system-versions","status":"publish","type":"post","link":"https:\/\/adsecurity.org\/?p=4594","title":{"rendered":"Active Directory Security Tip #6: Domain Controller Operating System Versions"},"content":{"rendered":"\n

Ensuring proper Domain Controller configuration is key for Active Directory security.

Part of this is making sure they are running supported versions of Windows. At this point, DCs should be running at least Windows Server 2016, preferably Windows Server 2019 or 2022.

Hold off on deploying Windows Server 2025 DCs for now due to the dMSA issue (https:\/\/akamai.com\/blog\/security-research\/abusing-dmsa-for-privilege-escalation-in-active-directory<\/a>).
<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n


Active Directory PowerShell code for Domain Controller operating system versions & site location for the current domain:<\/strong><\/p>\n\n\n\n

$Domain = $env:userdnsdomain\n$DomainDC = (Get-ADDomainController -Discover -DomainName $Domain).Name\n$DomainDCs = Get-ADDomainController -Filter * -Server $DomainDC\n$DomainDCs | Select HostName,IPv4Address,OperatingSystem,Site | Sort HostName | Format-Table -AutoSize<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
Ensuring proper Domain Controller configuration is key for Active Directory security. Part of this is making sure they are running supported versions of Windows. At this point, DCs should be running at least Windows Server 2016, preferably Windows Server 2019 or 2022. Hold off on deploying Windows Server 2025 DCs for now due to the … <\/p>\n
Continue reading<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[565,7,2],"tags":[1469,1476],"class_list":["post-4594","post","type-post","status-publish","format-standard","hentry","category-activedirectorysecurity","category-powershell","category-technical-reference","tag-activedirectorysecuritytip","tag-domaincontrolleroperatingsystemversions","item-wrap"],"_links":{"self":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/4594","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4594"}],"version-history":[{"count":7,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/4594\/revisions"}],"predecessor-version":[{"id":4646,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/4594\/revisions\/4646"}],"wp:attachment":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4594"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4594"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4594"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}