New Active Directory Features in Windows Server 2016

Active Directory is an extensively used service on enterprise networks. Besides providing authentication and authorisation in Windows domain networks, it supports a number of other capabilities, which is what makes it so widely deployed.

Windows Server 2016 Active Directory Improved Features

In Windows Server 2016, Active Directory Domain Services (AD DS) received several enhancements, most of them aimed at protecting privileged credentials and at connecting on-premises domains to Azure Active Directory.

In this article, we are going to talk about four significant features improved in AD DS.

Privileged Access Management (PAM)

Microsoft introduced Privileged Access Management (PAM) to help protect AD DS against credential theft techniques such as spear phishing and pass-the-hash. Once an attacker holds a privileged credential in a forest, that forest can no longer be fully trusted, which is why PAM moves privileged access out of it.

At its core, PAM depends on Microsoft Identity Manager (MIM) and requires the existing (production) forest to be at a domain functional level of Windows Server 2012 R2 or higher. The bastion forest itself runs at the Windows Server 2016 functional level, because the time-bound group memberships described below rely on the Privileged Access Management optional feature that only that level provides.

MIM is used to provision what is called the bastion Active Directory forest: a new, separate forest created specifically to hold privileged accounts and groups. Because it is freshly built and isolated from the production forest, it is known to be free of any pre-existing compromise, whereas an existing forest may already have been breached without anyone noticing.

With this trusted environment in place, MIM controls how and when administrative permissions are assigned to users.

MIM provides workflows for requesting and approving administrative privileges. When a request is approved, the user is made a member of a shadow security group in the bastion forest. The shadow group carries the SID of the corresponding privileged group in the production forest, so the user's Kerberos ticket is honoured there without the production group's membership ever being modified.

What’s more, membership in these groups is time-bound. AD DS in Windows Server 2016 supports expiring links, which let a group membership carry a time-to-live (TTL); when the TTL elapses the membership is removed automatically. Users are given just enough time to complete the approved administrative task.

If a user holds time-bound membership in several security groups, the Kerberos Key Distribution Center (KDC) has been enhanced to cap the lifetime of the user's ticket-granting ticket at the lowest remaining TTL among those memberships, so a ticket never carries a privilege for longer than the membership that granted it.

Furthermore, PAM provides improved monitoring. It becomes easy to establish which users requested access, what level of access was granted, and what tasks were carried out while the access was active.
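The expiring-links mechanism that MIM drives under the hood can be exercised directly with the ActiveDirectory PowerShell module. The following is an added example, not code from the original article or from Microsoft; the forest name bastion.example, the group Tier0-Admins and the user jdoe are hypothetical, and it assumes it is run by an Enterprise Admin of the bastion forest.

```powershell
# Added example: time-bound group membership (expiring links) in a bastion forest.
# Hypothetical names: forest bastion.example, group Tier0-Admins, user jdoe.
Import-Module ActiveDirectory

$forest = 'bastion.example'
$group  = 'Tier0-Admins'
$user   = 'jdoe'

# 1. Expiring links need the Privileged Access Management optional feature, which in
#    turn requires the forest to be at Windows Server 2016 functional level.
$mode = (Get-ADForest -Identity $forest).ForestMode
if ($mode -lt 'Windows2016Forest') {
    throw "Forest $forest is at $mode; Windows2016Forest is required for expiring links."
}

$feature = Get-ADOptionalFeature -Filter 'Name -eq "Privileged Access Management Feature"' -Server $forest
if (-not $feature.EnabledScopes) {
    # Enabling this feature cannot be undone; do it only in the bastion forest.
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target $forest -Server $forest
}

# 2. Grant membership that expires after 60 minutes (the "just enough time" window).
#    When the TTL runs out AD removes the link itself; no cleanup job is needed.
Add-ADGroupMember -Identity $group -Members $user -MemberTimeToLive (New-TimeSpan -Minutes 60) -Server $forest

# 3. Verify: with -ShowMemberTimeToLive, a live time-bound link is returned as
#    '<TTL=<seconds remaining>>,<member DN>' instead of the bare DN.
Get-ADGroup -Identity $group -Properties member -ShowMemberTimeToLive -Server $forest |
    Select-Object -ExpandProperty member
```

The KDC behaviour described above is what makes the TTL meaningful: a ticket-granting ticket issued to jdoe while the link is live is capped at the remaining seconds, so the privilege does not outlive the membership in a cached ticket.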

Azure Active Directory Join

With the Azure Active Directory Join feature, devices are registered with Azure AD rather than (or in addition to) an on-premises domain, which gives you centralised management of both corporate-owned and personal devices from the cloud.

The main objective of Azure Active Directory Join is to offer the advantages of an on-premises Active Directory environment to devices that never join a domain, without much hassle for the users.

This feature enables users to access Oxygen Services with their work account, without needing a personal Microsoft account. These services, with their various features and settings, are available both on devices joined to an on-premises Windows domain and on devices joined to Azure Active Directory.

Azure Active Directory Join also gives devices, whether corporate-owned or BYOD, single sign-on to web applications. Devices can be enrolled automatically into Mobile Device Management (MDM) at join time, with Intune or with a third-party MDM product.

The feature can also be used to configure “Kiosk” mode for shared corporate and personal devices. There are also developer improvements that simplify building applications for both enterprise and personal use.

Microsoft Passport

The use of weak credentials is one of the major security issues facing the IT industry today. Many users do not care about password security and engage in insecure habits such as reusing the same password in numerous places, choosing poorly constructed passwords, and picking simple passwords that are easy to guess.

Microsoft Passport (later renamed Windows Hello for Business) is intended to address this. It provides two-factor authentication that replaces the password with a key pair bound to the device, without requiring traditional hardware such as physical smart cards.

Microsoft Passport is designed to work together with Windows Hello (the built-in biometric sign-in for the Windows operating system).

The two factors are something the user has (a private key generated on, and bound to, the specific device, ideally stored in its TPM) and something the user is or knows (a Windows Hello biometric gesture or a PIN). The gesture or PIN only unlocks the key locally on the device; it is the key, not a password, that is then used to authenticate to the identity provider, so nothing reusable is sent over the network.

Microsoft calls this “password-less authentication”. It can be deployed to protect traditional on-premises Active Directory environments as well as Azure Active Directory environments.

Additionally, the Passport feature follows the FIDO (Fast Identity Online) approach, so the same device-bound credentials can be used across a wide array of platforms and services, eliminating the need to remember multiple passwords.

Deprecated features

A few features are deprecated or no longer supported in Windows Server 2016. For example, the old File Replication Service (FRS), which was used to replicate SYSVOL between domain controllers, is deprecated and has been replaced by Distributed File System (DFS) Replication. Domains that still replicate SYSVOL with FRS should be migrated to DFS Replication with the dfsrmig tool.

Furthermore, the Windows Server 2003 domain and forest functional levels are not supported in Windows Server 2016. Consequently, any domain controllers still running Windows Server 2003 must be demoted and removed from the domain before the functional level can be raised.

Companies should therefore raise their functional levels to Windows Server 2008 or higher. Windows Server 2008 is also the minimum domain functional level at which SYSVOL can be replicated with DFS Replication, so raising it removes the last dependency on FRS and brings the reliability and performance improvements of the newer levels.
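Before introducing Windows Server 2016 domain controllers it is worth checking the three points above in one go: functional levels, remaining Windows Server 2003 domain controllers, and the SYSVOL replication engine. The script below is an added example, not part of the original article; it uses only the ActiveDirectory module and the built-in dfsrmig tool, and assumes it is run on a domain controller or on a workstation with RSAT installed.

```powershell
# Added example: pre-flight checks for the deprecated features discussed above.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# 1. Functional levels. Windows2003 levels are unsupported by 2016 DCs, and anything
#    below Windows2008Domain still permits FRS for SYSVOL.
"Domain functional level : $($domain.DomainMode)"
"Forest functional level : $($forest.ForestMode)"
if ($domain.DomainMode -lt 'Windows2008Domain') {
    Write-Warning 'Raise the domain functional level to Windows Server 2008 or higher.'
}

# 2. Any domain controller still running Windows Server 2003 has to be demoted first.
Get-ADDomainController -Filter * |
    Where-Object { $_.OperatingSystem -like '*2003*' } |
    ForEach-Object { Write-Warning "Legacy DC must be demoted: $($_.HostName) ($($_.OperatingSystem))" }

# 3. SYSVOL replication engine. dfsrmig reports the global migration state; the
#    migration runs Start -> Prepared -> Redirected -> Eliminated, and only
#    'Eliminated' means FRS is completely out of the picture.
$state = (& dfsrmig.exe /getglobalstate) -join ' '
$state
if ($state -match "'(Start|Prepared|Redirected)'") {
    Write-Warning 'SYSVOL is not yet fully on DFS Replication; finish the dfsrmig migration before retiring FRS.'
}
```

Run it from an account that can read domain controller objects; nothing here changes anything, it only reports. The dfsrmig state is the check people most often forget, because a domain whose functional level was raised years ago can still be quietly replicating SYSVOL with FRS.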

Conclusion

Each of the above Active Directory features are intended to enhance the experience of the large community of Windows Server 2016 users.

PAM limits the damage of credential theft by moving privileged accounts into an isolated bastion forest and granting administrative access only on approval and for a limited time.

Azure Active Directory Join functionalities allow users to benefit from the advantages of on-premise Active Directory without much hassles. Microsoft Passport aims to revolutionise the way authentication takes place.

Finally, the deprecated features show Microsoft retiring legacy components, FRS and the Windows Server 2003 functional levels, that no longer meet current reliability and security expectations.

Useful Resources

Here is a guide how to set up Active Directory in Windows Server 2016: https://blogs.technet.microsoft.com/canitpro/2017/02/22/step-by-step-setting-up-active-directory-in-windows-server-2016/

 

 


Quota Management in Windows Server 2016

Quota management is a valuable feature that enables you to restrict the storage capacity of shared resources in Windows Server 2016. If you create quotas, you will limit the space allocated for a volume or a folder—allowing you to practice capacity management conveniently.

To set quotas in the Windows Server, you’ll need to use a tool called File Server Resource Manager (FSRM). This tool assists in managing and organising data kept on file servers.

The File Server Resource Manager tool consists of the following five features.

  • File classification infrastructure—this feature allows you to organise files and implement policies.
  • File management tasks—it enables you to implement conditional policies or tasks.
  • Quota management—it assists you to restrict the space available on shared folders.
  • File screening management—it allows you to limit the types of files that users can store. For example, you can set a file screen to prevent users from saving MP3 files on the file server.
  • Storage reports—with this feature, you can generate reports on disk utilisation trends and on how data is organised, which also helps you spot unexpected growth or unauthorised use.

In this article, we are going to talk about the quota management feature in FSRM.

Setting up File Server Resource Manager

We need to install the File Server Resource Manager tool before using it for quota management.

A quick way to install it is through the Server Manager GUI. Here are the steps.

1. Start by logging into the Windows Server 2016. Then, on the Server Manager’s dashboard, click on “Manage” and select “Add Roles and Features”.

2. On the “Before you begin” screen click “Next”.

3. Select “Role-based or feature-based installation” and click “Next”.

4. Select your destination server and click “Next”.

5. On the “Select Server roles” page, expand “File and Storage Services” and then “File and iSCSI Services”. Then, select “File Server Resource Manager”.

6. On the window that pops up, Click the “Add Features” button to incorporate the required features. Click “Next”.

7. If you do not need to add any extra features, just leave the default settings and click “Next”.

8. Confirm the installation selections and Click “Install” to start the process.

9. After the installation process is complete, click the “Close” button.

10. You can now access the File Server Resource Manager from the administrative interface and use it to create quotas.

Creating Quotas Using FSRM

As earlier mentioned, quota management enables you to set restrictions and define the extent of space available for users in the server. For example, you can limit all users to a maximum of 5GB on a shared folder. As such, the users cannot add data to the folder that exceeds 5GB.

You can also configure the File Server Resource Manager tool to be sending notifications whenever the specified usage limit is reached. For example, you can specify that an email is to be sent if 85% of the space has been consumed.

Creating quotas using the FSRM tool is a two-step process:

  • Create a template
  • Create a quota

a) Create a template

Before setting quotas, you need to either create a quota template or choose a default template already available on the File Server Resource Manager tool.

It is recommended that you create quotas solely from templates. This way, you can easily manage your quotas by making changes to the templates rather than the individual quotas. The one central location for managing quotas eases the enactment of storage policy rules.

Here are the steps for creating a quota template.

1. Under the “Quota Management” section, right-click “Quota Templates” and choose “Create Quota Template”.

2. On the window that pops up, enter the Template name and the space limit. If you choose the “Hard quota” option, users will be unable to surpass the specified limit. A hard quota is good for controlling the amount of data allowed on a folder or a disk.

On the other hand, if you select the “Soft quota” option, users will be able to exceed the allocated limit. A soft quota is mostly used for monitoring space usage and producing notifications.

3. Lastly, to set notification thresholds, press the “Add” button. On the window that pops up, enter your notification settings.

You can specify that an email is to be sent, an entry is to be written to the event log, a command is to be run, or a report is to be generated. For example, you can specify that whenever usage reaches 85%, an email message is sent to the administrator. If you choose to run a command, note that it executes on the file server itself under the account selected in the command security setting (Local Service, Network Service or Local System); pick the least-privileged account that works, and point it at a script in a location ordinary users cannot write to.

Thereafter, click “OK” to finish creating the quota template.

b) Create a quota

After setting up the quota template or using a default quota template, you need to create the quota.

Here are the steps for creating a quota.

1. On the File Server Resource Manager’s dashboard, right-click on “Quotas” and choose “Create Quota”.

2. On the “Create Quota” window, in the “Quota path” section, browse to the volume or folder to which the storage restriction will apply.

Then, choose either the “Create quota on path” or the “Auto apply template and create quota…” option.

If you select the first option, quota will only be applied to the primary folder. For example, if you limit the parent folder to only 5GB, then the other subfolders will share the space specified in the main folder.

On the other hand, if you choose the second option, then the quota will also be applied to the subfolders. For example, if you restrict the main folder to 5GB, then the subfolders will also have individual quotas of 5GB each.

Subsequently, on the “Derive properties from this quota template” option, choose the template you created previously.

If satisfied with the quota properties, click “Create”.

After you’ve created the quota, you can see it on the File Server Resource Manager’s dashboard. Thereafter, you’ll be able to limit the amount of space allowed on your shared resources.
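The whole procedure, from installing FSRM to the two kinds of quota, can also be scripted with the FileServerResourceManager module, which is what you would do for a server with many shares. The script below is an added example and not part of the original article; the paths D:\Shares\Projects and D:\Shares\Users are hypothetical, and the bracketed names such as [Admin Email] are FSRM's own notification macros, expanded by FSRM when the action fires. Run it elevated on the file server.

```powershell
# Added example: template + quota + auto-apply quota with the FSRM cmdlets.
# Hypothetical paths: D:\Shares\Projects (single quota), D:\Shares\Users (per-subfolder quotas).

# 0. Install FSRM if it is missing (same result as the Add Roles and Features wizard).
if (-not (Get-WindowsFeature FS-Resource-Manager).Installed) {
    Install-WindowsFeature FS-Resource-Manager -IncludeManagementTools | Out-Null
}
Import-Module FileServerResourceManager

# 1. Template: 5 GB hard limit; at 85 % e-mail the admin and the owner and log an event.
$mail  = New-FsrmAction -Type Email -MailTo '[Admin Email];[Source Io Owner]' `
            -Subject 'Quota threshold reached on [Quota Path]' `
            -Body 'User [Source Io Owner] has used [Quota Used] of the [Quota Limit] quota on [Quota Path].'
$event = New-FsrmAction -Type Event -EventType Warning `
            -Body '[Quota Path]: [Quota Used Percent]% of quota used.'
$warn  = New-FsrmQuotaThreshold -Percentage 85 -Action $mail, $event

# A hard quota is the default; add -SoftLimit to make a monitoring-only template instead.
$template = New-FsrmQuotaTemplate -Name 'Users 5GB' -Size 5GB -Threshold $warn `
               -Description 'Per-folder 5 GB limit with 85% warning'

# 2a. "Create quota on path": one 5 GB quota on the folder; all subfolders share it.
New-FsrmQuota -Path 'D:\Shares\Projects' -Template $template.Name

# 2b. "Auto apply template": every existing and future subfolder gets its own 5 GB quota.
New-FsrmAutoQuota -Path 'D:\Shares\Users' -Template $template.Name

# 3. Verify: list the derived quotas with limit and current usage in GB.
Get-FsrmQuota -Path 'D:\Shares\Users\*' |
    Select-Object Path,
                  @{ n = 'LimitGB'; e = { $_.Size / 1GB } },
                  @{ n = 'UsedGB';  e = { [math]::Round($_.Usage / 1GB, 2) } },
                  SoftLimit
```

Because the quotas derive from the template, changing the limit or the threshold later is done once with Set-FsrmQuotaTemplate, and FSRM offers to push the change to every quota created from it, which is exactly the central-management benefit described above.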

 


 

Optimizing File Server Performance in Windows Server 2016

If you have a file server system in your company, you may want to tune some parameters and settings to enhance its performance. For example, you may want the highest possible throughput on your server to meet the growing workload needs.

This article gives a set of guidelines that you can implement to optimize the file server settings in Windows Server 2016 and benefit from optimized performance.

How to Optimize File Server Performance?

1. Choose a Proper Hardware

First of all, choose hardware that can actually support the performance you are aiming for. If the hardware cannot carry the expected file server load, software tuning will not yield significant gains.

When sizing the hardware, account for the following:

  • Response times
  • Growth expectations
  • Loading factors—such as average load and peak load
  • Capacity level

2. Optimise SMB Parameters

The Server Message Block (SMB) protocol is how Windows Server shares files and other resources across the network. Windows Server 2016 ships SMB 3.1.1, which comes with several features you can tune to get the most out of it.

Here are some tips on how to optimise the various SMB parameters.

a) Apply the “least privilege” principle to features

Microsoft’s tuning guidance applies the principle of least privilege to features: if neither the file server nor its clients need a feature, disable it, because every active feature costs CPU cycles, memory or latency.

The features it lists include:

  • SMB signing
  • SMB encryption
  • NTFS encryption
  • File system filters
  • Client-side caching
  • Scheduled tasks
  • IPSEC

Read that list as a security engineer before acting on it. SMB signing is what stops an attacker on the network from relaying or tampering with SMB sessions, and SMB encryption is what keeps share traffic confidential; domain controllers require signing by default, and file system filters include your anti-malware and auditing drivers. Switch one of these off only where the network segment and the data on the share justify it, and record the decision: the performance gain is real, but so is the protection you give up.

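Before deciding to switch any of the SMB protections above off, look at what is actually in effect and who is connecting. The following read-only audit is an added example, not part of the original article or of Microsoft's guidance; it uses only the built-in SmbShare module on the file server.

```powershell
# Added example: audit the SMB security settings named in the list above (read-only).
Import-Module SmbShare

$cfg = Get-SmbServerConfiguration

[pscustomobject]@{
    # Signing: EnableSecuritySignature offers it, RequireSecuritySignature refuses unsigned clients.
    SigningRequired   = $cfg.RequireSecuritySignature
    SigningEnabled    = $cfg.EnableSecuritySignature
    # Encryption: EncryptData applies to every share; RejectUnencryptedAccess refuses
    # clients that cannot encrypt instead of silently falling back to plaintext.
    EncryptAllShares  = $cfg.EncryptData
    RejectUnencrypted = $cfg.RejectUnencryptedAccess
    # SMB1 lacks the integrity and encryption features of SMB3; it should be off regardless of performance.
    SMB1Enabled       = $cfg.EnableSMB1Protocol
}

# Per-share encryption overrides the global setting; list the shares that carry it.
Get-SmbShare | Where-Object EncryptData | Select-Object Name, Path, EncryptData

# Live sessions: which clients connect, and with which SMB dialect.
Get-SmbSession | Select-Object ClientComputerName, ClientUserName, Dialect, NumOpens

# Hardening rather than tuning: disable SMB1 and require signing. Uncomment only after
# confirming from the session list that no SMB1-only clients remain.
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -RequireSecuritySignature $true -Force
```

If a share carries sensitive data and encryption is the setting under discussion, the per-share switch (Set-SmbShare -EncryptData) lets you keep encryption where it matters and leave bulk, non-sensitive shares unencrypted for throughput, instead of an all-or-nothing decision.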

b) Configure power management mode

Power-saving states throttle CPU frequency and add wake-up latency, which shows up as slower response under load. Therefore, make sure that both the BIOS and the operating system power management settings are configured for a file server workload.

For example, this may mean selecting the High Performance power plan in Windows and adjusting the processor C-state settings in the BIOS. To avoid other bottlenecks, also install the most up-to-date and robust storage and networking device drivers.

c) Follow file copying best practices

Users usually copy files from one location to the other on file servers. There are some best practices you can follow to enhance the speed of transferring files.

Windows has several command-line utilities for copying files; the recommended ones are Robocopy and Xcopy.

If using Robocopy, it’s advisable to include the /mt option to quickly copy and transfer several small files. It is also advisable to use the /log option to lessen console output by enabling redirection to NUL device or to a file.

If using Xcopy, you can significantly increase performance by including the /q option (which lowers CPU overhead) and /k option (which lowers network traffic) to your present parameters.

d) Practice SMB performance tuning

It is important to note that the performance of a file server will largely depend on the parameters set on the SMB protocol. If the parameters are well tuned, the file server performance can greatly improve.

Here is a table of registry settings that influence the behaviour of SMB file servers, together with recommended practices.

Parameter: Smb2CreditsMin and Smb2CreditsMax
  Registry settings:
    HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\Smb2CreditsMin
    HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\Smb2CreditsMax
  Recommendation: The defaults are 512 and 8192 respectively. Watch the “SMB Client Shares\Credit Stalls/Sec” performance counter on clients to see whether they are being starved of credits before changing these.

Parameter: AdditionalCriticalWorkerThreads
  Registry setting: HKLM\System\CurrentControlSet\Control\Session Manager\Executive\AdditionalCriticalWorkerThreads
  Recommendation: The default is 0. Raise the value if cache manager dirty data is consuming a growing share of memory.

Parameter: MaxThreadsPerQueue
  Registry setting: HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\MaxThreadsPerQueue
  Recommendation: The default is 20. Raise the value if the SMB2 work queues are growing significantly.

Parameter: AsynchronousCredits
  Registry setting: HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\AsynchronousCredits
  Recommendation: The default is 512. Raise the value if a large number of concurrent asynchronous SMB commands is required.

Here is an example of how the settings can be applied to a file server on Windows Server 2016. Note that these values are not suited to every environment; measure the effect of each individual setting before adopting it.

Parameter                        Value   Default
AdditionalCriticalWorkerThreads  64      0
MaxThreadsPerQueue               64      20
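Because these keys are usually absent from the registry (the default applies when the value does not exist), reading them with regedit tells you little. The script below is an added example, not part of the original article: it reports the effective value of each parameter in the table, and applies the sample 64/64 values only when run with -Apply. Save it as a .ps1 and run it elevated on the file server; LanmanServer changes take effect after the Server service (or the host) restarts.

```powershell
# Added example: report and optionally apply the SMB server tuning values tabled above.
param([switch]$Apply)

$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$exec   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Executive'

# Name, key, documented default, and the tuned value from the sample table ($null = leave alone).
$settings = @(
    @{ Name = 'Smb2CreditsMin';                  Key = $lanman; Default = 512;  Tuned = $null }
    @{ Name = 'Smb2CreditsMax';                  Key = $lanman; Default = 8192; Tuned = $null }
    @{ Name = 'MaxThreadsPerQueue';              Key = $lanman; Default = 20;   Tuned = 64    }
    @{ Name = 'AsynchronousCredits';             Key = $lanman; Default = 512;  Tuned = $null }
    @{ Name = 'AdditionalCriticalWorkerThreads'; Key = $exec;   Default = 0;    Tuned = 64    }
)

foreach ($s in $settings) {
    # Absent value -> the documented default is what the server is actually using.
    $current   = (Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    $effective = if ($null -eq $current) { $s.Default } else { $current }
    $origin    = if ($null -eq $current) { '(key absent, default in effect)' } else { '(explicitly set)' }
    '{0,-32} effective={1,-6} default={2,-6} {3}' -f $s.Name, $effective, $s.Default, $origin

    if ($Apply -and $null -ne $s.Tuned -and $effective -ne $s.Tuned) {
        # DWORD, created if missing. Record the previous effective value so the change can be reverted.
        New-ItemProperty -Path $s.Key -Name $s.Name -PropertyType DWord -Value $s.Tuned -Force | Out-Null
        '    -> {0}: {1} -> {2}' -f $s.Name, $effective, $s.Tuned
    }
}

# The credit-starvation symptom is measured on a client, not on the server:
#   Get-Counter '\SMB Client Shares(*)\Credit Stalls/Sec' -SampleInterval 5 -MaxSamples 6
# Sustained non-zero stalls are the signal to revisit Smb2CreditsMin/Max.
```

Keep the output of a run without -Apply with your change record; it is the baseline you need if a tuned value turns out to hurt rather than help.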

3. Optimise NFS Parameters

The Network File System (NFS) model available in Windows server 2016 is important for enabling client-server communications in mixed Windows and UNIX conditions.

Here is a table of registry settings that influence the behaviour of NFS file servers, together with recommended practices. These apply once the Server for NFS role service is installed.

Parameter: OptimalReads
  Registry setting: HKLM\System\CurrentControlSet\Services\NfsServer\Parameters\OptimalReads
  Recommendation: The default is 0. Before changing it, evaluate its effect on system file cache growth.

Parameter: RdWrNfsHandleLifeTime
  Registry setting: HKLM\System\CurrentControlSet\Services\NfsServer\Parameters\RdWrNfsHandleLifeTime
  Recommendation: The default is 5. Set it appropriately to control the lifetime of entries in the NFS file handle cache.

Parameter: CacheAddFromCreateAndMkDir
  Registry setting: HKLM\System\CurrentControlSet\Services\NfsServer\Parameters\CacheAddFromCreateAndMkDir
  Recommendation: The default is 1. Set it to 0 to stop entries being added to the cache in the CREATE and MKDIR code paths.

Parameter: MaxConcurrentConnectionsPerIp
  Registry setting: HKLM\System\CurrentControlSet\Services\Rpcxdr\Parameters\MaxConcurrentConnectionsPerIp
  Recommendation: The default is 16. Raise it, up to the maximum of 8192, to allow more connections per IP address.

4. Uninstall Unused and Redundant Features

Windows Server 2016 ships with dozens of logging, monitoring and debugging components, many of which a file server does not need.

Every unused role, feature or service still consumes CPU and memory, still has to be patched, and still adds to the attack surface of the server.

Review the installed roles and features regularly (Server Manager or Get-WindowsFeature, removing with Remove-WindowsFeature) and, in the Services console, disable services that add nothing to the file server’s job.

Uninstalling utilities and applications you do not need will free resources for the file server workload, although the gain depends on what was running.

One concrete example is DOS 8.3 short file names. For backward compatibility Windows Server 2016 may still generate them, especially if the server was upgraded from an older version of Windows.

Short names are rarely needed today and slow down directory operations in folders with many files. You can stop new ones being generated with fsutil 8dot3name set 1 and remove existing ones with fsutil 8dot3name strip; check the strip report first, because it warns about registry entries that reference short names and would break if they were removed.

References

Microsoft. (2017). Performance tuning for SMB file servers. Retrieved from https://docs.microsoft.com/en-us/windows-server/administration/performance-tuning/role/file-server/smb-file-server

Apachelounge. (2017). Performance tuning guidelines for Windows Server 2016. Retrieved from https://www.apachelounge.com/download/contr/Perf-tun-srv-2016.pdf

The Best New Windows 2016 Features

Microsoft introduced a wide array of new features in Windows Server 2016, many of them aimed at the software-defined data centre. If you upgrade, server management benefits from the improved functionality described below.

Here are the additional enhancements that easily stand out.

1. Nano Server

Without a doubt, the most intriguing feature in Windows Server 2016 is the new Nano Server, a headless installation option refactored down to a minimal functional state.

Microsoft stripped it of any local user interface apart from the Nano Server Recovery Console, which is used only for initial network and firewall configuration. Everything else is done remotely over PowerShell remoting, WMI or Server Manager. Note that the Nano Server installation option was later removed (from Windows Server version 1709 onwards) and Nano Server now exists only as a container base image.

Microsoft quoted a 93% smaller VHD (Virtual Hard Disk), 92% fewer critical bulletins and 80% fewer required reboots compared with the full Windows Server.

In summary, the new Nano Server offers the following benefits:

  • The minimal footprint means fewer components to update and therefore fewer reboots.
  • Since it is managed remotely and has far fewer components installed, the server has a much smaller attack surface than the full Windows Server.
  • It is very light in weight such that it can be ported conveniently across servers, applications, and data centres.
  • It hosts the most widely used Windows Server workloads. A notable example is Hyper-V host.

2. Docker-powered containers

Docker is an open-sourced platform that allows applications to be built and deployed easily in the form of lightweight, independent sandboxes (known as containers) that can operate on a wide range of environments.

Although Docker-powered containers were primarily developed for Linux/UNIX applications, they are now incorporated in Windows Server 2016. With this new technology, Microsoft expects to bring the advantages of containerisation to the server environment.

Windows Server 2016 supports two types of containerised models:

  • Windows Server Containers: They follow the usual Docker model, in which every container shares the kernel of the host operating system and is isolated by namespaces and resource controls only. They are suited to trusted workloads where sharing the host kernel with other containers is acceptable.
  • Hyper-V Containers: Each container runs inside its own lightweight, purpose-built virtual machine with its own copy of the Windows kernel, so a kernel compromise inside one container does not reach the host or other containers. The same container image runs in either mode; the isolation level is chosen at run time (docker run --isolation=hyperv). They are suited to multi-tenant or otherwise less trusted workloads.

3. Shielded VMs

One of the most significant security additions in Windows Server 2016 is the Host Guardian Service (HGS) together with the Shielded VMs feature. A shielded VM is protected so that its disks and running state cannot be read or tampered with from the virtualisation fabric, not even by a Hyper-V host administrator.

Shielded VMs combine encrypted virtual disks with HGS, which provides two services: attestation, which checks that a Hyper-V host is a known, healthy guarded host (TPM-trusted or Active Directory-based attestation), and key protection, which releases the keys needed to start a shielded VM only to hosts that have passed attestation.

Each shielded VM has a virtual TPM, which lets BitLocker encrypt the guest operating system disk with keys the fabric cannot extract. Live migration traffic and saved-state files are encrypted as well, protecting the virtual machine from man-in-the-middle interception while it moves between hosts.

A typical scenario is a Hyper-V fabric hosting virtual machines from several tenants: a tenant does not want a fabric administrator, or an attacker who has compromised a host, to mount the VM’s disks or inspect its memory. Shielding the VM, with BitLocker-encrypted disks bound to its virtual TPM and HGS-controlled keys, achieves exactly that.

4. Networking improvements

Another feature that has been greatly improved in Windows Server 2016 is networking. The improvements are meant to boost its software-defined networking capabilities and enhance performance.

Here are some networking features that have been improved.

  • Network controller: This new Software-Defined Networking (SDN) technology offers a centralised location for automating the management of network infrastructure. So, rather than carrying out manual management and configuration of virtual and physical network devices in a datacentre, a network controller will assist you in automating the processes.
  • Hyper-V Virtual Switch: This runs on the Hyper-V hosts and is extended in 2016 with distributed switching and routing and a policy enforcement layer aligned with Microsoft Azure.
  • Network Function Virtualization (NFV): This new feature adds to the current growth of virtual appliances. Some of the NFV technologies introduced in Windows Server 2016 are Datacenter Firewall for offering granular access control lists (ACLs) and RAS Gateway for directing data between virtual networks and physical networks.
  • Converged Network Interface Card (NIC): This feature allows you to use fewer network adapters for controlling traffic, which drastically lowers the costs related to managing every server in your datacentre.
  • Other networking features: Improvements to DHCP, DNS (including the new DNS policies), IP address management (IPAM), and GRE tunnelling support for the RAS Gateway.

5. Hyper-V

Microsoft has also introduced a number of helpful features to the Hyper-V virtualisation platform. With these new Hyper-V functionalities, enterprises can take their virtualisation experience to the next level.

To start with, Cluster OS Rolling Upgrade simplifies and speeds up moving a Hyper-V (or Scale-Out File Server) cluster from Windows Server 2012 R2 to Windows Server 2016. Nodes are drained, reinstalled with 2016 and rejoined one at a time while the cluster keeps running in mixed mode; once every node is upgraded you run Update-ClusterFunctionalLevel, after which the cluster can no longer accept 2012 R2 nodes.

Previously, upgrading a cluster meant building a new cluster on new hardware or taking the existing one down, which made the process unnecessarily tiresome. Rolling upgrades significantly lower the effort and the downtime involved.

Another Hyper-V improvement is nested virtualisation. This feature allows you to run the Hyper-V role inside a Hyper-V virtual machine instead of only on a physical server. It is new in Windows Server 2016 and requires an Intel processor with VT-x and EPT; a VM with virtualisation extensions exposed also has to use static memory.

If you want to deploy extra Hyper-V hosts and reduce hardware costs, the nested virtualisation feature will be of great help. You can also find the feature useful during development and testing situations.

Lastly, Hyper-V now allows you to hot add or remove virtual network adapters (on Generation 2 VMs) and to resize the memory of a running VM, without downtime. Previously, such changes required the virtual machine to be switched off first.

In Windows Server 2016 these changes can be made while the virtual machine is online and running. For example, you can add another virtual network interface card (NIC) to a running Hyper-V virtual machine.
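Both Hyper-V changes, plus the PowerShell Direct connectivity mentioned further down, look like this from the host. The script is an added example, not code from the original article or from Microsoft; the VM names lab-hv01 and lab-web01 and the switch name vSwitch are hypothetical, and both VMs are assumed to be Generation 2.

```powershell
# Added example: enable nested virtualisation on one VM, hot-add a NIC to another.
# Hypothetical VMs: lab-hv01 (will host nested Hyper-V), lab-web01 (running web server).
Import-Module Hyper-V

# 1. Nested virtualisation on lab-hv01. The processor change needs the VM off, and a VM
#    with virtualisation extensions exposed cannot use dynamic memory or runtime memory
#    resize. MAC spoofing lets the nested VMs reach the network through the outer VM.
$nested = 'lab-hv01'
Stop-VM -Name $nested                                   # graceful guest shutdown
Set-VMProcessor -VMName $nested -ExposeVirtualizationExtensions $true
Set-VMMemory    -VMName $nested -DynamicMemoryEnabled $false -StartupBytes 8GB
Get-VMNetworkAdapter -VMName $nested | Set-VMNetworkAdapter -MacAddressSpoofing On
Start-VM -Name $nested

# 2. Hot add: a second NIC on a running Generation 2 VM, no downtime.
$web = 'lab-web01'
Add-VMNetworkAdapter -VMName $web -SwitchName 'vSwitch' -Name 'Backup'
Get-VMNetworkAdapter -VMName $web | Select-Object Name, SwitchName, Status, MacAddress

# 3. Confirm inside the guest via PowerShell Direct: the session rides the VMBus, so it
#    works before the new adapter has any IP configuration at all.
$cred = Get-Credential -Message "Local administrator of $web"
Invoke-Command -VMName $web -Credential $cred -ScriptBlock {
    Get-NetAdapter | Select-Object Name, Status, MacAddress, LinkSpeed
}
```

The constraint in step 1 is the one that bites in practice: if you later try to enable dynamic memory on lab-hv01, or resize its memory while it runs, Hyper-V refuses, because nested virtualisation and those memory features are mutually exclusive.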

6. Storage improvements

Windows Server 2016 has wonderful storage enhancements that are intended to increase availability, improve scalability, and reduce costs.

Here are the improved storage features.

  • Storage Quality of Service (QoS): This feature allows you to centrally manage storage performance policies for multiple virtual machines. If several virtual machines make up a service and a central way of managing their storage capabilities is needed, the QoS feature could be of help.
  • Storage Spaces Direct: This feature enables failover cluster nodes to utilise their local storage within the current cluster. As such, contrary to the previous versions, it eliminates the need for a shared storage fabric.
  • Storage Replica: This feature allows you to carry out either asynchronous or synchronous block-level replication of entire volumes. It supports both server-based and cluster-based replications. The Storage Replica feature is useful in disaster recovery situations.

7. Other improved features

  • New PowerShell cmdlets: Windows Server 2016 has several new and updated PowerShell commands and parameters focused on managing virtual machines. For example, PowerShell Direct (Enter-PSSession -VMName and Invoke-Command -VMName) lets you run PowerShell inside a guest directly from the Hyper-V host over the VMBus, with no network connectivity to the guest required, something that was impossible in previous Windows Server versions.
  • Active Directory Federation Services (ADFS): This technology finally introduces some advanced security features to Windows Server 2016, including OpenID Connect-based verification and multifactor verification.
  • Linux Secure Boot: Generation 2 virtual machines running Linux can now boot with Secure Boot enabled, using the Microsoft UEFI Certificate Authority template, so you no longer have to disable this otherwise important protection for Linux guests. Secure Boot protects a machine’s start-up environment from being tampered with at boot time; previously it was only available to Windows guests.
  • Resilient File System (ReFS): This is a high-performing, stable, and high-resiliency file system used for increasing the efficiency of Hyper-V storage capabilities.

Conclusion

Windows Server 2016 is rich in various computing, virtualisation, and security features, which were not available in the previous versions.

With the new and improved capabilities, Microsoft has demonstrated its commitment to assist customers make the most of their data centres.

Therefore, if you want to take your server management experience to the next level, upgrade to Windows Server 2016 today!

 
