Active Directory 2016 New Features

By | April 30, 2018

Active Directory 2016 features on Windows Server 2016: I have already discussed the Windows Server 2016 features, where the new features and major improvements on the operating system side are listed. Now I want to look more specifically at Active Directory 2016 and the differences between Active Directory 2012 and 2016.

Also Read: Active Directory Features in Windows Server 2012

ADFS (Active Directory Federation Services)

Active Directory Federation Services in Windows Server 2016 supports any LDAP v3 directory, including third-party LDAP directories, not just Microsoft's own directory (AD DS). We can now use any third-party LDAP v3 directory to federate those identities to Azure AD and Office 365.

The login ID can be any attribute that is unique in your forest, and we can limit the authentication scope to a specific OU (organizational unit). With LDAP v3 support we can also allow authentication from an untrusted Active Directory forest, for example after a merger or acquisition.

Also Read: LDAP and LDAP Query

Conditional Access Control / Multi-Factor Authentication

One of the biggest features in Active Directory Federation Services 2016 is Conditional Access Control, which allows you to configure requirements such as authentication strength through multi-factor authentication, device compliance, user identity, group membership, or multiple other factors. These requirements can be set per application, which makes it easy to configure enhanced security for business-critical applications and to apply it only to the applications that require heightened levels of security.

Conditional Access Control can be used, for example, to allow only devices that have been joined to the Azure AD instance; access is immediately revoked for devices that lose compliance with their authentication policy.
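In AD FS 2016 the per-application requirements described above are applied through access control policies. The following is an added example (not from the original post) that lists the built-in policies and assigns the MFA-required policy to a relying party trust; the trust name `ClaimsApp` is a placeholder and the commands assume the ADFS module on an AD FS 2016 server.

```powershell
# Added example: apply a built-in AD FS 2016 access control policy to one relying party.
# Assumes the ADFS PowerShell module; 'ClaimsApp' is a placeholder trust name.
Import-Module ADFS

$rpName = 'ClaimsApp'

# List the policies shipped with AD FS 2016 (IsBuiltIn = True) and any custom ones.
Get-AdfsAccessControlPolicy | Select-Object Name, IsBuiltIn

# Require MFA for everyone who accesses this application only; other trusts keep
# their own policies, which is the per-application scoping the text describes.
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -AccessControlPolicyName 'Permit everyone and require MFA'

# Verify the assignment before telling the application owner it is enforced.
$trust = Get-AdfsRelyingPartyTrust -Name $rpName
if ($trust.AccessControlPolicyName -ne 'Permit everyone and require MFA') {
    throw "Policy not applied to $rpName"
}
"$rpName now uses policy: $($trust.AccessControlPolicyName)"
```

If a trust still carries legacy issuance authorization rules, AD FS will not let you attach an access control policy until those rules are removed, so check `IssuanceAuthorizationRules` on the trust first.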

Also Read: Windows Server Containers Features on Windows Server 2016

Active Directory Federation Services Monitoring (Azure AD Connect Health)

The connection between AD FS and Azure AD is critical for any real-world organization. With the help of Azure AD Connect Health we can monitor authentication requests by application, authentication type, network location, or authentication failures. We can even extract a report on users with weak passwords. This not only helps you identify problems but also predict capacity needs based on application load.

Also Read: Virtualized Active Directory without Physical Domain Controller

Group membership expiration

Active Directory 2016 supports group membership expiration: you can add a user to a group for a certain period of time. Before Windows Server 2016, third-party tools were used to achieve this. It is a handy solution for many applications, as you can grant administrator privileges only for the time needed to perform a high-privilege task.

Also Read: Nano Server Features on Windows Server 2016

Privileged access management

Privileged access management (PAM) helps mitigate security risk for AD environments caused by credential theft techniques such as pass-the-hash, spear phishing, and similar attacks.

In simple words, it is a new administrative access method that is configured using Microsoft Identity Manager (MIM). MIM creates a new AD forest (the bastion forest) that is isolated for the use of privileged accounts only. It provides workflows to grant additional administrative privileges with an approval, and shadow security principals (groups) that MIM provisions in the bastion forest in response to administrative privilege requests on the live domain.

Also Read: Difference between windows server 2008 and 2012

Users can be added to a group with a limited amount of time set for that membership. The time-bound membership is expressed by a time-to-live (TTL) value that is propagated to the Kerberos ticket lifetime: if you are added to a time-bound group, then when you log on, the Kerberos ticket-granting ticket (TGT) lifetime is equal to the time you have remaining in that group.

Monitoring capabilities help identify who requested access, what was granted and what activities they performed.
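The group membership expiration and time-bound PAM membership described in the two sections above rest on the same forest feature. The following is an added example (not from the original post) that enables that feature, grants a TTL-limited membership and reads the remaining TTL back; it assumes the ActiveDirectory module on a 2016 forest, and the account `jdoe` and the forest name are placeholders.

```powershell
# Added example: time-bound group membership in a Windows Server 2016 forest.
# Assumes the ActiveDirectory module; 'jdoe' is a placeholder account.
Import-Module ActiveDirectory

$forestName = (Get-ADForest).RootDomain
$group      = 'Domain Admins'
$user       = 'jdoe'
$ttl        = New-TimeSpan -Hours 2     # how long the membership should live

# 1. The forest-wide optional feature must be on. Enabling it is irreversible,
#    so the check avoids prompting on every run.
$feature = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forestName -Confirm:$false
}

# 2. Add the member with a TTL instead of a permanent membership.
Add-ADGroupMember -Identity $group -Members $user -MemberTimeToLive $ttl

# 3. Verify: with -ShowMemberTimeToLive the member attribute shows
#    '<TTL=<seconds>,<DN>' for expiring entries and a bare DN for permanent ones.
$members = Get-ADGroup -Identity $group -Property member -ShowMemberTimeToLive |
    Select-Object -ExpandProperty member

foreach ($m in $members) {
    if ($m -match '^<TTL=(\d+)>,(.+)$') {
        "{0,-60} expires in {1} s" -f $Matches[2], $Matches[1]
    } else {
        "{0,-60} permanent" -f $m
    }
}
```

A TGT issued to `jdoe` after this will carry a lifetime no longer than the remaining TTL, which is the behaviour the text describes; permanent entries listed as such are the ones worth reviewing when you audit standing privilege.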

Also Read: Active Directory (AD) Real Time Interview Questions and Answers

Azure AD Join

Azure Active Directory Join enhances identity experiences for enterprise, business and EDU customers with improved capabilities for corporate and personal devices. In a cloud-first world, Azure AD (Azure Active Directory) enables single sign-on to devices, apps, and services from anywhere, including Bring Your Own Device (BYOD), and you can access organizational resources on mobile devices that can't be joined to a Windows domain, whether they are corporate-owned or BYOD.

Also Read: Can we Replace on-premise Domain Controller with Cloud-based Active Directory

Microsoft Passport

Microsoft Passport is a new key-based authentication approach for organizations that goes beyond passwords. This form of authentication relies on breach-, theft-, and phish-resistant credentials; its aim is to provide more security than a conventional password, without the complexity of solutions like physical smart cards.

Also Read: Active Directory on Cloud (Azure Active Directory)

FRS is no more

File Replication Service (FRS), which Windows Server 2003 used to replicate SYSVOL and its folder contents, will not work on Windows Server 2016 if the Windows Server forest and domain functional levels are raised to 2016.
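Before raising the functional levels it is worth confirming that SYSVOL has already been migrated from FRS to DFS Replication. The following added check (not from the original post) uses the built-in `dfsrmig` tool and the ActiveDirectory module; it assumes it is run on a domain controller with rights to query the other DCs.

```powershell
# Added example: confirm SYSVOL no longer depends on FRS before moving to the 2016 functional levels.
# dfsrmig global states: 0 = Start (FRS), 1 = Prepared, 2 = Redirected, 3 = Eliminated (DFS-R only).
Import-Module ActiveDirectory

$global = (dfsrmig /getglobalstate) -join ' '
$global

if ($global -match 'Eliminated') {
    "SYSVOL is replicated by DFS-R only; FRS is no longer in use."
} else {
    "SYSVOL still depends on FRS; finish the Prepared -> Redirected -> Eliminated migration first."
}

# Per-DC view: the FRS service (NtFrs) should be stopped/absent once migration is complete.
Get-ADDomainController -Filter * | ForEach-Object {
    $svc = Get-Service -ComputerName $_.HostName -Name NtFrs -ErrorAction SilentlyContinue
    $state = if ($svc) { $svc.Status } else { 'not installed' }
    "{0,-40} NtFrs: {1}" -f $_.HostName, $state
}
```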

Also Read: Force DFS Replication/Force DFSR Members to Replicate on windows server 2008 and 2012

Time Synchronization Improvements

Windows Server 2016 includes several updates to domain time synchronization to help mitigate time accuracy problems. They include eliminating rounding errors that build up over time, increasing the frequency of synchronization, and improving the accuracy of synchronization up to tens of microseconds.

Also See: Active Directory real time issues and solutions

I hope this helps you make a decision on migrating from Windows Server 2012/Active Directory 2012 to Windows Server 2016/Active Directory 2016.

Also Read: Windows Server Administrator Interview Questions and Answers

Also Read: Windows Server 2016 Features
