Windows Server 2025 database and replication support

2023-10-06 12:46:33 +02:00 · 2023-10-06 12:46:33 +02:00 · 9bf3800631
parent f6deab9d04
commit 9bf3800631
23 changed files with 122 additions and 65 deletions
--- a/Src/DSInternals.Common.Test/SupplementalCredentialsTester.cs
+++ b/Src/DSInternals.Common.Test/SupplementalCredentialsTester.cs
@ -125,7 +125,16 @@ namespace DSInternals.Common.Test
            // Test integrity
            Assert.AreEqual(credentials2.ClearText, credentials.ClearText);
            Assert.AreEqual(credentials2.NTLMStrongHash.Length, credentials.NTLMStrongHash.Length);
+
+            // Test WDigest
            Assert.AreEqual(credentials2.WDigest.Length, credentials.WDigest.Length);
+            Assert.AreEqual(credentials2.WDigest[0].ToHex(), credentials.WDigest[0].ToHex());
+
+            // Test Kerberos
+            Assert.AreEqual(credentials2.Kerberos.DefaultSalt, credentials.Kerberos.DefaultSalt);
+            Assert.AreEqual(credentials2.Kerberos.Credentials[0].KeyType, credentials.Kerberos.Credentials[0].KeyType);
+
+            // Test key serialization
            Assert.AreEqual(credentials2.Kerberos.ToByteArray().ToHex(), credentials.Kerberos.ToByteArray().ToHex());
            Assert.AreEqual(credentials2.KerberosNew.ToByteArray().ToHex(), credentials.KerberosNew.ToByteArray().ToHex());
        }
--- a/Src/DSInternals.Common/DSInternals.Common.nuspec
+++ b/Src/DSInternals.Common/DSInternals.Common.nuspec
@ -14,8 +14,7 @@
    <description>This package is shared between all other DSInternals packages. Its main features are Azure AD Graph API and ADSI clients for for retrieval of cryptographic material. It contains implementations of common hash functions used by Windows, including NT hash, LM hash and OrgId hash. It also contains methods for SysKey/BootKey retrieval.</description>
    <summary>This package is shared between all other DSInternals packages.</summary>
    <releaseNotes>
- Implemented managed password calculation.
- Fixed Kerberos PBKDF2 salt derivation for service accounts.
+- Added support for parsing AES SHA2 Kerbers keys.
    </releaseNotes>
    <copyright>Copyright (c) 2015-2023 Michael Grafnetter. All rights reserved.</copyright>
    <tags>ActiveDirectory Security AD AAD Identity Active Directory</tags>
--- a/Src/DSInternals.Common/Data/Principals/KerberosCredential.cs
+++ b/Src/DSInternals.Common/Data/Principals/KerberosCredential.cs
@ -32,7 +32,11 @@
            byte[] desKey = KerberosKeyDerivation.DeriveKey(KerberosKeyType.DES_CBC_MD5, password, this.DefaultSalt);
            var desKeyData = new KerberosKeyData(KerberosKeyType.DES_CBC_MD5, desKey);

-            this.Credentials = new KerberosKeyData[] { desKeyData };
+            // TODO: Generate RC4 key
+            // byte[] rc4Key = KerberosKeyDerivation.DeriveKey(KerberosKeyType.RC4_HMAC_NT, password, this.DefaultSalt);
+            // var rc4KeyData = new KerberosKeyData(KerberosKeyType.RC4_HMAC_NT, rc4Key);
+
+            this.Credentials = new KerberosKeyData[] { desKeyData /*, rc4KeyData */ };
        }

        public short Flags
@ -232,4 +236,4 @@
            writer.Write(keyValueOffset);
        }
    }
-}
+}
--- a/Src/DSInternals.Common/Data/Principals/KerberosCredentialNew.cs
+++ b/Src/DSInternals.Common/Data/Principals/KerberosCredentialNew.cs
@ -35,25 +35,36 @@
            this.DefaultSalt = salt;
            this.DefaultIterationCount = KerberosKeyDerivation.DefaultIterationCount;

-            // Generate AES keys
-            byte[] aes128Key = KerberosKeyDerivation.DeriveKey(KerberosKeyType.AES128_CTS_HMAC_SHA1_96, password, this.DefaultSalt);
-            var aes128KeyData = new KerberosKeyDataNew(KerberosKeyType.AES128_CTS_HMAC_SHA1_96, aes128Key, this.DefaultIterationCount);
+            // Generate AES SHA1 keys
+            byte[] aes128sha1Key = KerberosKeyDerivation.DeriveKey(KerberosKeyType.AES128_CTS_HMAC_SHA1_96, password, this.DefaultSalt);
+            var aes128sha1KeyData = new KerberosKeyDataNew(KerberosKeyType.AES128_CTS_HMAC_SHA1_96, aes128sha1Key, this.DefaultIterationCount);

-            byte[] aes256Key = KerberosKeyDerivation.DeriveKey(KerberosKeyType.AES256_CTS_HMAC_SHA1_96, password, this.DefaultSalt);
-            var aes256KeyData = new KerberosKeyDataNew(KerberosKeyType.AES256_CTS_HMAC_SHA1_96, aes256Key, this.DefaultIterationCount);
+            byte[] aes256sha1Key = KerberosKeyDerivation.DeriveKey(KerberosKeyType.AES256_CTS_HMAC_SHA1_96, password, this.DefaultSalt);
+            var aes256sha1KeyData = new KerberosKeyDataNew(KerberosKeyType.AES256_CTS_HMAC_SHA1_96, aes256sha1Key, this.DefaultIterationCount);

-            if(includeDES)
+            // TODO: Generate AES SHA2 keys (Windows Server 2025)
+            // byte[] aes128sha2Key = KerberosKeyDerivation.DeriveKey(KerberosKeyType.AES128_CTS_HMAC_SHA256_128, password, this.DefaultSalt);
+            // var aes128sha2KeyData = new KerberosKeyDataNew(KerberosKeyType.AES128_CTS_HMAC_SHA256_128, aes128sha2Key, this.DefaultIterationCount);
+
+            // byte[] aes256sha2Key = KerberosKeyDerivation.DeriveKey(KerberosKeyType.AES256_CTS_HMAC_SHA384_192, password, this.DefaultSalt);
+            // var aes256sha2KeyData = new KerberosKeyDataNew(KerberosKeyType.AES256_CTS_HMAC_SHA384_192, aes256sha2Key, this.DefaultIterationCount);
+
+            // TODO: Generate RC4 key
+            // byte[] rc4Key = KerberosKeyDerivation.DeriveKey(KerberosKeyType.RC4_HMAC_NT, password, this.DefaultSalt);
+            // var rc4KeyData = new KerberosKeyDataNew(KerberosKeyType.RC4_HMAC_NT, rc4Key, this.DefaultIterationCount);
+
+            if (includeDES)
            {
                // Generate DES key
                byte[] desKey = KerberosKeyDerivation.DeriveKey(KerberosKeyType.DES_CBC_MD5, password, this.DefaultSalt);
                var desKeyData = new KerberosKeyDataNew(KerberosKeyType.DES_CBC_MD5, desKey, this.DefaultIterationCount);

-                this.Credentials = new KerberosKeyDataNew[] { aes256KeyData, aes128KeyData, desKeyData };
+                this.Credentials = new KerberosKeyDataNew[] { /* aes256sha2KeyData, aes128sha2KeyData, */ aes256sha1KeyData, aes128sha1KeyData, desKeyData /*, rc4KeyData */ };
            }
            else
            {
                // AES keys only
-                this.Credentials = new KerberosKeyDataNew[] { aes256KeyData, aes128KeyData };
+                this.Credentials = new KerberosKeyDataNew[] { /* aes256sha2KeyData, aes128sha2KeyData */ aes256sha1KeyData, aes128sha1KeyData /*, rc4KeyData*/ };
            }
        }

--- a/Src/DSInternals.Common/Data/Principals/KerberosKeyType.cs
+++ b/Src/DSInternals.Common/Data/Principals/KerberosKeyType.cs
@ -10,11 +10,19 @@ namespace DSInternals.Common.Data
        DES_CBC_CRC =                      1,
        DES_CBC_MD4 =                      2,
        DES_CBC_MD5 =                      3,
+        DES3_CBC_MD5 =                     5,
+        OLD_DES3_CBC_SHA1 =                7,
+        SIGN_DSA_GENERATE =                8,
+        ENCRYPT_RSA_PRIV =                 9,
+        ENCRYPT_RSA_PUB =                 10,
+        DES3_CBC_SHA1 =                   16,
        AES128_CTS_HMAC_SHA1_96 =         17,
        AES256_CTS_HMAC_SHA1_96 =         18,
-        DES_CBC_MD5_NT =                  20,
+        AES128_CTS_HMAC_SHA256_128 =      19,
+        AES256_CTS_HMAC_SHA384_192 =      20,
        RC4_HMAC_NT =                     23,
        RC4_HMAC_NT_EXP =                 24,
+        PK_CROSS =                        48,
        RC4_MD4 =                       -128,
        RC4_PLAIN2 =                    -129,
        RC4_LM =                        -130,
--- a/Src/DSInternals.Common/Data/Principals/SupportedEncryptionTypes.cs
+++ b/Src/DSInternals.Common/Data/Principals/SupportedEncryptionTypes.cs
@ -36,6 +36,16 @@ namespace DSInternals.Common.Data
        /// </summary>
        AES256_CTS_HMAC_SHA1_96 = 16,

+        /// <summary>
+        /// Advanced Encryption Standard in 128-bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (2)
+        /// </summary>
+        AES128_CTS_HMAC_SHA256_128 = 32,
+
+        /// <summary>
+        /// Advanced Encryption Standard in 256-bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (2)
+        /// </summary>
+        AES256_CTS_HMAC_SHA384_192 = 64,
+
        /// <summary>
        /// Flexible Authentication Secure Tunneling (FAST) supported
        /// </summary>
--- a/Src/DSInternals.Common/Properties/AssemblyInfo.cs
+++ b/Src/DSInternals.Common/Properties/AssemblyInfo.cs
@ -5,8 +5,8 @@ using System.Runtime.InteropServices;
 // set of attributes. Change these attribute values to modify the information
 // associated with an assembly.
 [assembly: AssemblyTitle("DSInternals Common Library")]
-[assembly: AssemblyVersion("4.11")]
-[assembly: AssemblyFileVersion("4.11")]
+[assembly: AssemblyVersion("4.12")]
+[assembly: AssemblyFileVersion("4.12")]
 [assembly: AssemblyDescription("")]
 [assembly: AssemblyConfiguration("")]
 [assembly: AssemblyCompany("")]
--- a/Src/DSInternals.DataStore/ADConstants.cs
+++ b/Src/DSInternals.DataStore/ADConstants.cs
@ -12,7 +12,6 @@ namespace DSInternals.DataStore
        public const string SecurityDescriptorTableName = "sd_table";
        public const string EseBaseName = "edb";
        public const string EseTempDatabaseName = "temp.edb";
-        public const int PageSize = 8192; // 8k
        public const int EseLogFileSize = 10240; // 10M
        public const int EseIndexDefaultLocale = 1033; // = DS_DEFAULT_LOCALE = EN-US | SORT_DEFAULT
        public const int EseIndexDefaultCompareOptions = 0x00000001 | 0x00000002 | 0x00010000 | 0x00020000 | 0x00001000; // = DS_DEFAULT_LOCALE_COMPARE_FLAGS | LCMAP_SORTKEY = NORM_IGNORECASE | NORM_IGNOREKANATYPE | NORM_IGNORENONSPACE | NORM_IGNOREWIDTH | SORT_STRINGSORT
--- a/Src/DSInternals.DataStore/DSInternals.DataStore.nuspec
+++ b/Src/DSInternals.DataStore/DSInternals.DataStore.nuspec
@ -14,8 +14,7 @@
    <description>DSInternals DataStore is an advanced framework for offline ntds.dit file manipulation. It can be used to extract password hashes from Active Directory backups or to modify the sIDHistory and primaryGroupId attributes.</description>
    <summary>DSInternals DataStore is an advanced framework for offline ntds.dit file manipulation.</summary>
    <releaseNotes>
- Added the capability to retrieve information about group managed service accounts (gMSAs) from database files and to calculate their current passwords.
- Implemented the offline account unlock feature.
+- Support for Windows Server 2025 Insider Preview.
    </releaseNotes>
    <copyright>Copyright (c) 2015-2023 Michael Grafnetter. All rights reserved.</copyright>
    <tags>ActiveDirectory Security NTDS AD Identity Active Directory</tags>
--- a/Src/DSInternals.DataStore/DirectoryContext.cs
+++ b/Src/DSInternals.DataStore/DirectoryContext.cs
@ -27,7 +27,18 @@
            }

            this.DSADatabaseFile = dbFilePath;
-            ValidateDatabaseState(this.DSADatabaseFile);
+
+            // Retrieve info about the DB (Win Version, Page Size, State,...)
+            JET_DBINFOMISC dbInfo;
+            Api.JetGetDatabaseFileInfo(dbFilePath, out dbInfo, JET_DbInfo.Misc);
+
+            if (dbInfo.dbstate != JET_dbstate.CleanShutdown)
+            {
+                // Database might be inconsistent
+                throw new InvalidDatabaseStateException("The database is not in a clean state. Try to recover it first by running the 'esentutl /r edb /d' command.", dbFilePath);
+            }
+
+            this.PageSize = dbInfo.cbPageSize;

            this.DSAWorkingDirectory = Path.GetDirectoryName(this.DSADatabaseFile);
            string checkpointDirectoryPath = this.DSAWorkingDirectory;
@ -51,7 +62,7 @@
            string jetInstanceName = String.Format(JetInstanceNameFormat, Guid.NewGuid());

            // Note: IsamInstance constructor throws AccessDenied Exception when the path does not end with a backslash.
-            this.instance = new IsamInstance(AddPathSeparator(checkpointDirectoryPath), AddPathSeparator(this.DatabaseLogFilesPath), tempDatabasePath, ADConstants.EseBaseName, jetInstanceName, readOnly, ADConstants.PageSize);
+            this.instance = new IsamInstance(AddPathSeparator(checkpointDirectoryPath), AddPathSeparator(this.DatabaseLogFilesPath), tempDatabasePath, ADConstants.EseBaseName, jetInstanceName, readOnly, this.PageSize);

            try
            {
@ -151,6 +162,12 @@
            }
        }

+        public int PageSize
+        {
+            get;
+            private set;
+        }
+
        public string DSAWorkingDirectory
        {
            get;
@ -294,18 +311,5 @@
                return path + Path.DirectorySeparatorChar;
            }
        }
-
-        public static void ValidateDatabaseState(string dbFilePath)
-        {
-            // Retrieve info about the DB (Win Version, Page Size, State,...)
-            JET_DBINFOMISC dbInfo;
-            Api.JetGetDatabaseFileInfo(dbFilePath, out dbInfo, JET_DbInfo.Misc);
-
-            if (dbInfo.dbstate != JET_dbstate.CleanShutdown)
-            {
-                // Database might be inconsistent
-                throw new InvalidDatabaseStateException("The database is not in a clean state. Try to recover it first by running the 'esentutl /r edb /d' command.", dbFilePath);
-            }
-        }
    }
 }
--- a/Src/DSInternals.DataStore/Properties/AssemblyInfo.cs
+++ b/Src/DSInternals.DataStore/Properties/AssemblyInfo.cs
@ -5,8 +5,8 @@ using System.Runtime.InteropServices;
 // set of attributes. Change these attribute values to modify the information
 // associated with an assembly.
 [assembly: AssemblyTitle("DSInternals DataStore Library")]
-[assembly: AssemblyVersion("4.11")]
-[assembly: AssemblyFileVersion("4.11")]
+[assembly: AssemblyVersion("4.12")]
+[assembly: AssemblyFileVersion("4.12")]
 [assembly: AssemblyDescription("")]
 [assembly: AssemblyConfiguration("")]
 [assembly: AssemblyCompany("")]
--- a/Src/DSInternals.PowerShell/Chocolatey/dsinternals-psmodule.nuspec
+++ b/Src/DSInternals.PowerShell/Chocolatey/dsinternals-psmodule.nuspec
@ -3,7 +3,7 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
  <metadata>
    <id>DSInternals-PSModule</id>
-    <version>4.11</version>
+    <version>4.12</version>
    <packageSourceUrl>https://github.com/MichaelGrafnetter/DSInternals/tree/master/Src/DSInternals.PowerShell/Chocolatey</packageSourceUrl>
    <owners>MichaelGrafnetter</owners>
    <title>DSInternals PowerShell Module</title>
@ -37,9 +37,8 @@ The DSInternals PowerShell Module has these main features:
 ## Disclaimer
 Features exposed through these tools are not supported by Microsoft. Improper use might cause irreversible damage to domain controllers or negatively impact domain security.</description>
    <releaseNotes>
-* Added the Get-ADDBServiceAccount cmdlet for offline managed password derivation.
-* Implemented the Unlock-ADDBAccount cmdlet that can perform offline account unlock.
-* Fixed Kerberos PBKDF2 salt derivation for service accounts in the ConvertTo-KerberosKey cmdlet.
+* Support for Windows Server 2025 Insider Preview.
+* Improved KDS Root Key selection algorithm.
    </releaseNotes>
    <dependencies>
      <!-- Windows Management Framework 3+. For OS prior to Windows 8 and Windows Server 2012. -->
--- a/Src/DSInternals.PowerShell/Commands/Hash/ConvertToKerberosKeyCommand.cs
+++ b/Src/DSInternals.PowerShell/Commands/Hash/ConvertToKerberosKeyCommand.cs
@ -63,15 +63,27 @@
        {
            this.WriteVerbose("Calculating Kerberos keys.");

-            var aes256 = new KerberosKeyDataNew(KerberosKeyType.AES256_CTS_HMAC_SHA1_96, this.Password, this.Salt, this.Iterations);
-            this.WriteObject(aes256);
+            // TODO: AES SHA2 ETypes are not yet supported by the crypto library
+            /*
+            var aes256sha2 = new KerberosKeyDataNew(KerberosKeyType.AES256_CTS_HMAC_SHA384_192, this.Password, this.Salt, this.Iterations);
+            this.WriteObject(aes256sha2);

-            var aes128 = new KerberosKeyDataNew(KerberosKeyType.AES128_CTS_HMAC_SHA1_96, this.Password, this.Salt, this.Iterations);
-            this.WriteObject(aes128);
+            var aes128sha2 = new KerberosKeyDataNew(KerberosKeyType.AES128_CTS_HMAC_SHA256_128, this.Password, this.Salt, this.Iterations);
+            this.WriteObject(aes128sha2);
+            */
+
+            var aes256sha1 = new KerberosKeyDataNew(KerberosKeyType.AES256_CTS_HMAC_SHA1_96, this.Password, this.Salt, this.Iterations);
+            this.WriteObject(aes256sha1);
+
+            var aes128sha1 = new KerberosKeyDataNew(KerberosKeyType.AES128_CTS_HMAC_SHA1_96, this.Password, this.Salt, this.Iterations);
+            this.WriteObject(aes128sha1);

            var des = new KerberosKeyDataNew(KerberosKeyType.DES_CBC_MD5, this.Password, this.Salt, this.Iterations);
            this.WriteObject(des);
+
+            var rc4 = new KerberosKeyDataNew(KerberosKeyType.RC4_HMAC_NT, this.Password, this.Salt, this.Iterations);
+            this.WriteObject(rc4);
        }
        #endregion Cmdlet Overrides
    }
-}
+}
--- a/Src/DSInternals.PowerShell/DSInternals.psd1
+++ b/Src/DSInternals.PowerShell/DSInternals.psd1
@ -8,7 +8,7 @@
 RootModule = 'DSInternals.Bootstrap.psm1'

 # Version number of this module.
-ModuleVersion = '4.11'
+ModuleVersion = '4.12'

 # Supported PSEditions
 # CompatiblePSEditions = 'Desktop'
@ -143,9 +143,8 @@ PrivateData = @{

        # ReleaseNotes of this module
        ReleaseNotes = @"
- Added the Get-ADDBServiceAccount cmdlet for offline managed password derivation.
- Implemented the Unlock-ADDBAccount cmdlet that can perform offline account unlock.
- Fixed Kerberos PBKDF2 salt derivation for service accounts in the ConvertTo-KerberosKey cmdlet.
+- Support for Windows Server 2025 Insider Preview.
+- Improved KDS Root Key selection algorithm.
 "@
    } # End of PSData hashtable

--- a/Src/DSInternals.PowerShell/Properties/AssemblyInfo.cs
+++ b/Src/DSInternals.PowerShell/Properties/AssemblyInfo.cs
@ -5,8 +5,8 @@ using System.Runtime.InteropServices;
 // set of attributes. Change these attribute values to modify the information
 // associated with an assembly.
 [assembly: AssemblyTitle("DSInternals PowerShell Commands")]
-[assembly: AssemblyVersion("4.11")]
-[assembly: AssemblyFileVersion("4.11")]
+[assembly: AssemblyVersion("4.12")]
+[assembly: AssemblyFileVersion("4.12")]
 [assembly: AssemblyDescription("")]
 [assembly: AssemblyConfiguration("")]
 [assembly: AssemblyCompany("")]
--- a/Src/DSInternals.Replication.Interop/AssemblyInfo.cpp
+++ b/Src/DSInternals.Replication.Interop/AssemblyInfo.cpp
@ -14,7 +14,7 @@ using namespace System::Security::Permissions;
 //
 [assembly:AssemblyTitleAttribute(L"DSInternals Replication Interop Library")];
 // Note: Do not forget to change the version in version.rc files.
-[assembly:AssemblyVersionAttribute("4.10")];
+[assembly:AssemblyVersionAttribute("4.12")];
 [assembly:AssemblyDescriptionAttribute(L"")];
 [assembly:AssemblyConfigurationAttribute(L"")];
 [assembly:AssemblyCompanyAttribute(L"")];
--- a/Src/DSInternals.Replication.Interop/DrsConnection.cpp
+++ b/Src/DSInternals.Replication.Interop/DrsConnection.cpp
@ -98,8 +98,8 @@ namespace DSInternals
 			{
 				auto clientInfo = make_midl_ptr<DRS_EXTENSIONS_INT>();
 				clientInfo->dwFlags = DRS_EXT::ALL_EXT;
-				clientInfo->dwFlagsExt = DRS_EXT2::DRS_EXT_LH_BETA2 | DRS_EXT2::DRS_EXT_RECYCLE_BIN | DRS_EXT2::DRS_EXT_PAM;
-				clientInfo->dwExtCaps = DRS_EXT2::DRS_EXT_LH_BETA2 | DRS_EXT2::DRS_EXT_RECYCLE_BIN | DRS_EXT2::DRS_EXT_PAM;
+				clientInfo->dwFlagsExt = DRS_EXT2::DRS_EXT_LH_BETA2 | DRS_EXT2::DRS_EXT_RECYCLE_BIN | DRS_EXT2::DRS_EXT_PAM | DRS_EXT2::DRS_EXT_32K_PAGES;
+				clientInfo->dwExtCaps = DRS_EXT2::DRS_EXT_LH_BETA2 | DRS_EXT2::DRS_EXT_RECYCLE_BIN | DRS_EXT2::DRS_EXT_PAM | DRS_EXT2::DRS_EXT_32K_PAGES;
 				clientInfo->dwReplEpoch = this->_serverReplEpoch;
 				return clientInfo;
 			}
--- a/Src/DSInternals.Replication.Interop/drsr_addons.h
+++ b/Src/DSInternals.Replication.Interop/drsr_addons.h
@ -207,7 +207,11 @@ enum DRS_EXT2 : DWORD
 	/// <summary>
 	/// If present, signifies that the DC has enabled the Privileged Access Management optional feature.
 	/// </summary>
-	DRS_EXT_PAM = 0x00000200
+	DRS_EXT_PAM = 0x00000200,
+	/// <summary>
+	/// If present, signifies that the DC has enabled the Database 32k Pages optional feature.
+	/// </summary>
+	DRS_EXT_32K_PAGES = 0x00001000
 };

 DEFINE_ENUM_FLAG_OPERATORS(DRS_EXT2)
--- a/Src/DSInternals.Replication.Interop/version.rc
+++ b/Src/DSInternals.Replication.Interop/version.rc
@ -39,8 +39,8 @@ END
 //

 VS_VERSION_INFO VERSIONINFO
- FILEVERSION 4,10,0,0
- PRODUCTVERSION 4,10,0,0
+ FILEVERSION 4,12,0,0
+ PRODUCTVERSION 4,12,0,0
 FILEFLAGSMASK 0x3fL
 #ifdef _DEBUG
 FILEFLAGS 0x1L
@ -57,12 +57,12 @@ BEGIN
        BEGIN
            VALUE "CompanyName", "Michael Grafnetter"
            VALUE "FileDescription", "DSInternals Replication Interop Library"
-            VALUE "FileVersion", "4.10.0.0"
+            VALUE "FileVersion", "4.12.0.0"
            VALUE "InternalName", "DSInternals.Replication.Interop"
            VALUE "LegalCopyright", "Copyright © 2015-2023 Michael Grafnetter"
            VALUE "OriginalFilename", "DSInternals.Replication.Interop.dll"
            VALUE "ProductName", "DSInternals PowerShell Module"
-            VALUE "ProductVersion", "4.10.0.0"
+            VALUE "ProductVersion", "4.12.0.0"
        END
    END
    BLOCK "VarFileInfo"
--- a/Src/DSInternals.Replication.Model/Properties/AssemblyInfo.cs
+++ b/Src/DSInternals.Replication.Model/Properties/AssemblyInfo.cs
@ -5,8 +5,8 @@ using System.Runtime.InteropServices;
 // set of attributes. Change these attribute values to modify the information
 // associated with an assembly.
 [assembly: AssemblyTitle("DSInternals Replication Data Model")]
-[assembly: AssemblyVersion("4.8")]
-[assembly: AssemblyFileVersion("4.8")]
+[assembly: AssemblyVersion("4.12")]
+[assembly: AssemblyFileVersion("4.12")]
 [assembly: AssemblyDescription("")]
 [assembly: AssemblyConfiguration("")]
 [assembly: AssemblyCompany("")]
--- a/Src/DSInternals.Replication/DSInternals.Replication.nuspec
+++ b/Src/DSInternals.Replication/DSInternals.Replication.nuspec
@ -14,7 +14,7 @@
    <description>DSInternals Replication implements a client for the Active Directory Replication Service Remote Protocol (DRS-R). It can be used to remotely extract password hashes from domain controllers.</description>
    <summary>DSInternals Replication implements a client for the Active Directory Replication Service Remote Protocol (DRS-R).</summary>
    <releaseNotes>
- Added ARM64 support.
+- Support for Windows Server 2025 Insider Preview.
    </releaseNotes>
    <copyright>Copyright (c) 2015-2023 Michael Grafnetter. All rights reserved.</copyright>
    <tags>ActiveDirectory Security RPC DRSR</tags>
--- a/Src/DSInternals.Replication/Properties/AssemblyInfo.cs
+++ b/Src/DSInternals.Replication/Properties/AssemblyInfo.cs
@ -5,8 +5,8 @@ using System.Runtime.InteropServices;
 // set of attributes. Change these attribute values to modify the information
 // associated with an assembly.
 [assembly: AssemblyTitle("DSInternals Replication Library")]
-[assembly: AssemblyVersion("4.10")]
-[assembly: AssemblyFileVersion("4.10")]
+[assembly: AssemblyVersion("4.12")]
+[assembly: AssemblyFileVersion("4.12")]
 [assembly: AssemblyDescription("")]
 [assembly: AssemblyConfiguration("")]
 [assembly: AssemblyCompany("")]
--- a/Src/DSInternals.SAM/Properties/AssemblyInfo.cs
+++ b/Src/DSInternals.SAM/Properties/AssemblyInfo.cs
@ -5,8 +5,8 @@ using System.Runtime.InteropServices;
 // set of attributes. Change these attribute values to modify the information
 // associated with an assembly.
 [assembly: AssemblyTitle("DSInternals SAM Library")]
-[assembly: AssemblyVersion("4.8")]
-[assembly: AssemblyFileVersion("4.8")]
+[assembly: AssemblyVersion("4.12")]
+[assembly: AssemblyFileVersion("4.12")]
 [assembly: AssemblyDescription("")]
 [assembly: AssemblyConfiguration("")]
 [assembly: AssemblyCompany("")]