New Active Directory Features in Windows Server 2016

Active Directory is an extensively-used service on many enterprise networks. Besides offering authentication and authorisation services in Windows domain-type networks, Active Directory supports several other capabilities, which makes it popular.

Windows Server 2016 Active Directory Improved Features

In Windows Server 2016, the Active Directory Domain Services (AD DS) received some enhancements intended to assist organisations realise optimised performance for their network resources.

In this article, we are going to talk about four significant features improved in AD DS.

Privileged Access Management (PAM)

Microsoft has introduced privileged access management (PAM) feature to assist in safeguarding AD DS from credential theft attacks. Examples of such types of attacks include spear phishing and pass-the-hash.

At its core, PAM depends on the Microsoft Identity Manager (MIM) as well as a domain functional level that is not below Windows Server 2012 R2.

The MIM is important for provisioning what is called the bastion Active Directory forest. Whenever PAM is configured, MIM generates a new Active Directory forest, which is segregated to be accessed by privileged accounts. The created Active Directory environment is freed from any illicit activities.

With the creation of the trusted Active Directory environment, MIM can now determine the assigning of permissions to users.

MIM offers workflows for granting administrative privileges, which is based on the type of requests approved. If users are given extra administrative privileges, they are also given memberships in the shadow security groups found in the created secure forest.

What’s more, membership to the groups is time-bound. MIM has an expiring links feature which allows memberships to be revoked after the allocated time period elapses. Users are given just enough time to complete the allocated administrative duties. This time-controlled membership is defined as a time-to-live variable.

If a user enjoys time-controlled membership in several security groups, Microsoft has included improvements in Kerberos Key Distribution Center (KDC) to take care of such a situation by restricting his or her Kerberos ticket lifetime to the lowest attainable time-to-live value.

Furthermore, PAM also provides improved monitoring tools. As such, it makes it easy to quickly establish the users who requested access permissions, the level of access that was given, and the type of tasks that were completed.

Azure Active Directory Join

With the Azure Active Directory Join feature, you can deploy your identity management tasks to the cloud and benefit from centralised management for your corporate and personal devices.

The main objective of the Azure Active Directory Join is to offer the advantages of an on-premise Active Directory environment without much hassles to the users.

This new feature enables users to access Oxygen Services without the need of a Microsoft account. Oxygen Services, with its various features and settings, will be available on devices that are connected to on-premise Windows domain as well as devices connected to the Azure Active Directory account.

Azure Active Directory Join also allows devices, whether they are corporate-owned or BYOD, to benefit from single-sign on web applications. It also allows those devices to be managed using the Mobile Device Management (MDM) integration tool, even if they are not in the Windows intune tool.

It is also possible to use the feature to configure “Kiosk” mode for shared corporate and personal devices. There are also some developer improvements that enhance the process of creating applications for both enterprise and personal uses.

Microsoft Passport

The use of weak credentials is one of the major security issues facing the IT industry today. Most users do not care about their password security and engage in insecure habits like using the same password in numerous places, using poorly crafted passwords, and using simple passwords that are easy to guess.

Fortunately, Microsoft Passport intends to provide a solution to this issue. It incorporates two-factor authentication techniques that enhance the security of users’ passwords without needing the traditional, complex methods like physical smart cards.

Microsoft Passport is created to work together with Windows Hello (the in-built biometric sign-in for the Windows operating system).

Its two-factor authentication technique utilises the credentials available to the user together with the precise credentials of the device the user is accessing. Every user accessing a device is given a precise authenticator (referred to as hello) or a PIN, which verifies the identity of the user before being allowed access.

Microsoft is calling this new Passport feature “password-less authentication”, which can be deployed to safeguard traditional on-premise Active Directory environments and Azure Active Directory environments.

Additionally, the Passport feature can also be used in FIDO (Fast Identity Online) accounts. With the FIDO capabilities, Passport can be used in extensive array of platforms and devices, eliminating the need to remember multiple passwords.

Deprecated features

There are a few features that are no longer supported in Windows Server 2016. For example, the old File Replication Service (FRS), which was utilised to replicate folder data between servers, has now been exclusively replaced with Distributed File Service (DFS) Replication. DFS is useful in replicating SYSVOL.

Furthermore, the Windows Server 2003 functional levels are not recognised in Windows Server 2016. Consequently, to achieve increased reliability and performance, all domain controllers still depending on Windows Server 2003 are required to be taken out from the domain.

Therefore, it is recommended for companies to increase their functional level to Windows Server 2008 (or even to a higher level). Shifting to the higher functional levels guarantees optimal SYSVOL replication compatibility as well as faster support for enhanced performance.

Conclusion

Each of the above Active Directory features are intended to enhance the experience of the large community of Windows Server 2016 users.

PAM offers a technique for preventing credential theft when data is being exchanged in very sensitive environments.

Azure Active Directory Join functionalities allow users to benefit from the advantages of on-premise Active Directory without much hassles. Microsoft Passport aims to revolutionise the way authentication takes place.

Finally, the deprecated features points to Microsoft’s commitment to eliminate flaws and inconsistencies in Windows Server 2016.

Useful Resources

Here is a guide how to set up Active Directory in Windows Server 2016: https://blogs.technet.microsoft.com/canitpro/2017/02/22/step-by-step-setting-up-active-directory-in-windows-server-2016/

 

 

Report NTFS Permissions in 60 Seconds!

Download your Free Edition of the easiest and fastest NTFS Permission Reporter now!