Active Directory 2016 features on Windows Server 2016: I have already discussed the Windows Server 2016 features, where the new features and major improvements at the operating-system level were listed. This post looks more specifically at Active Directory in Windows Server 2016 and the differences between Active Directory 2012 and 2016.
ADFS (Active Directory Federation Services)
Active Directory Federation Services in Windows Server 2016 supports any LDAP v3 directory as an identity store, including third-party LDAP directories, not just Microsoft Active Directory Domain Services (AD DS). Identities held in any LDAP v3 directory can now be federated to Azure AD and Office 365 through AD FS.
The login ID can be any attribute that is unique within the directory, and authentication can be limited to a specific OU (organizational unit). Because the directory is reached over LDAP v3 rather than through a forest trust, AD FS can also authenticate users from an untrusted Active Directory forest, for example after a merger or acquisition, without creating a trust to it.
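The following is an added example, not code from the original post, showing how the LDAP v3 support described above is configured on an AD FS 2016 server with the AD FS PowerShell module: a third-party directory is registered as a local claims provider trust, the login ID is chosen through -AnchorClaimLdapAttribute, and authentication is restricted to one container. The host name ldap.partner.example, the container OU=Users,DC=partner,DC=example, the identifier urn:partner and the suffix partner.example are hypothetical values.

```powershell
# Added example (not from the original post): register a third-party LDAP v3
# directory as a local claims provider trust in AD FS 2016.
# Hypothetical values: ldap.partner.example, OU=Users,DC=partner,DC=example,
# urn:partner and partner.example are assumptions, not real names.

$cred = Get-Credential -Message "Bind account for the partner LDAP directory"

# LDAPS on 636. The bind credential and every user password that AD FS verifies
# travel over this connection, so do not use -SslMode None outside a lab.
$ldap = New-AdfsLdapServerConnection -HostName "ldap.partner.example" -Port 636 `
    -SslMode Ssl -AuthenticationMethod Basic -Credential $cred

# Map LDAP attributes to the claim types AD FS will issue.
$givenName = New-AdfsLdapAttributeToClaimMapping -LdapAttribute givenName `
    -OutgoingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
$surname   = New-AdfsLdapAttributeToClaimMapping -LdapAttribute sn `
    -OutgoingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
$mail      = New-AdfsLdapAttributeToClaimMapping -LdapAttribute mail `
    -OutgoingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# -AnchorClaimLdapAttribute is the "login ID": any attribute that is unique in
# the directory (mail here). -UserContainer limits authentication to one OU.
Add-AdfsLocalClaimsProviderTrust -Name "Partner directory" -Identifier "urn:partner" `
    -Type Ldap -LdapServerConnection $ldap `
    -UserObjectClass inetOrgPerson `
    -UserContainer "OU=Users,DC=partner,DC=example" `
    -LdapAuthenticationMethod Basic `
    -AnchorClaimLdapAttribute mail `
    -AnchorClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -LdapAttributeToClaimMapping @($givenName, $surname, $mail) `
    -AcceptanceTransformRules "c:[] => issue(claim=c);" `
    -OrganizationalAccountSuffix "partner.example" `
    -Enabled $true

# Verify what was stored for the trust.
Get-AdfsLocalClaimsProviderTrust -Name "Partner directory" |
    Format-List Name, Identifier, UserContainer, AnchorClaimLdapAttribute
```

The acceptance transform rule above passes every mapped claim through unchanged; in production narrow it to the claims the relying parties actually need, and keep the bind account read-only in the partner directory, since it is only used to look up users and validate their credentials.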
Also Read: LDAP and LDAP Query
Conditional Access Control / Multi-Factor Authentication
One of the biggest features in Active Directory Federation Services 2016 is conditional access control (access control policies). It lets you set requirements such as authentication strength through multi-factor authentication, device compliance, user identity, group membership, network location, or a combination of these factors. The requirements are set per application, which makes it easy to configure enhanced security for business-critical applications and to apply it only to the applications that need a heightened level of security.
For example, a policy can allow access only from devices that are joined to the organization's Azure AD tenant, and access is revoked for a device as soon as it falls out of compliance with the policy that authenticated it.
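As an added example (not from the original post), this is how the per-application policy described above is assigned with the AD FS 2016 PowerShell module, using one of the built-in access control policies that ship with AD FS 2016. The relying party trust name "Payroll portal" is a hypothetical placeholder.

```powershell
# Added example (not from the original post): require MFA for a single relying
# party with a built-in AD FS 2016 access control policy.
# Assumption: a relying party trust named "Payroll portal" already exists (hypothetical).

# Built-in policies shipped with AD FS 2016; names are fixed strings.
Get-AdfsAccessControlPolicy | Select-Object Name

# Per-application assignment: everyone may authenticate, MFA is always required.
# "Permit everyone and require MFA from unauthenticated devices" instead ties the
# MFA requirement to device authentication, matching the device-based case above.
Set-AdfsRelyingPartyTrust -TargetName "Payroll portal" `
    -AccessControlPolicyName "Permit everyone and require MFA"

# Check: AccessControlPolicyName should now be populated. A null value means the
# relying party is still governed by legacy IssuanceAuthorizationRules, which the
# new policy engine does not evaluate.
Get-AdfsRelyingPartyTrust -Name "Payroll portal" |
    Select-Object Name, AccessControlPolicyName, AccessControlPolicyParameters
```

Assigning a policy replaces the relying party's issuance authorization rules, so review any custom rules before switching an application over; the group- and network-parameterised built-in policies take their group or address range through -AccessControlPolicyParameters.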
Active Directory Federation Services Monitoring (Azure AD Connect Health)
The connection between AD FS and Azure AD is critical for any real-world organization. With Azure AD Connect Health you can monitor authentication requests by application, authentication type, network location, or authentication failure, and you can pull reports such as the users with the most failed password attempts. This not only helps you identify problems (lockouts, a misbehaving client, password spraying against a set of accounts) but also predict capacity needs based on application load.
Group membership expiration
Active Directory in Windows Server 2016 supports group membership expiration: a user can be added to a group for a set period of time, after which the membership is removed automatically. Before Windows Server 2016 this needed third-party tools or custom scripts. It is a handy solution in many scenarios, for example granting administrative privileges only for the time needed to carry out a high-privilege task. The feature requires the Windows Server 2016 forest functional level and the Privileged Access Management optional feature; once that optional feature is enabled it cannot be disabled again.
Also Read: Nano Server Features on Windows Server 2016
Privileged access management
Privileged access management (PAM) helps mitigate the security risk to AD environments caused by credential theft techniques such as pass-the-hash, spear phishing, and similar attacks.
In simple terms, it is a new administrative access model configured with Microsoft Identity Manager (MIM). A separate, isolated AD forest (the bastion forest) is set up solely for privileged accounts. MIM provides workflows that grant additional administrative privileges only after approval, and provisions shadow security principals (groups) in the bastion forest in response to privilege requests against the production domain. The shadow groups carry the SIDs of the corresponding production groups, so a user who is made a member in the bastion forest is treated as a member of the production group without any change to the production forest.
Users can be added to a group with a limited amount of time for that membership. The time-bound membership is expressed as a time-to-live (TTL) value that is propagated to the Kerberos ticket lifetime: if you are added to a time-bound group, the Kerberos ticket-granting ticket (TGT) issued when you log on has a lifetime equal to the time remaining in that group (when that is shorter than the domain's configured TGT lifetime), so a cached ticket cannot carry the privilege past the expiry.
Monitoring capabilities help identify who requested access, what was granted, and what activities were performed with it.
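The time-bound membership described in both the group membership expiration section and the PAM section above, as an added example with the Active Directory PowerShell module (this is not code from the original post or from MIM). The domain, the group "Tier0-Admins" and the user "alice" are hypothetical.

```powershell
# Added example (not from the original post): time-bound group membership in
# Windows Server 2016 AD DS. Hypothetical names: group "Tier0-Admins", user "alice".

# Prerequisites: Windows Server 2016 forest functional level and the PAM optional
# feature. Enabling the optional feature is irreversible, so check before enabling.
$forest = Get-ADForest
if ($forest.ForestMode -lt [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2016Forest) {
    throw "Forest functional level must be Windows Server 2016 for member TTLs"
}
$pam = Get-ADOptionalFeature -Filter { Name -eq 'Privileged Access Management Feature' }
if (-not $pam.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $pam -Scope ForestOrConfigurationSet -Target $forest.Name
}

# Grant membership for one hour only. The TTL is stored on the member link and
# the membership disappears automatically when it expires; a TGT issued to alice
# during that hour is limited to the remaining time.
Add-ADGroupMember -Identity "Tier0-Admins" -Members "alice" -MemberTimeToLive (New-TimeSpan -Hours 1)

# Read the remaining TTLs. With -ShowMemberTimeToLive each expiring member is
# returned as "<TTL=seconds>,DN"; permanent members are returned as a plain DN.
function Get-ExpiringMembers {
    param([string]$GroupName)
    $group = Get-ADGroup -Identity $GroupName -Properties member -ShowMemberTimeToLive
    foreach ($entry in $group.member) {
        if ($entry -match '^<TTL=(\d+)>,(.+)$') {
            [pscustomobject]@{ Member = $Matches[2]; SecondsLeft = [int]$Matches[1] }
        } else {
            [pscustomobject]@{ Member = $entry; SecondsLeft = $null }   # permanent membership
        }
    }
}

Get-ExpiringMembers -GroupName "Tier0-Admins" | Format-Table -AutoSize
```

After alice logs on, klist on her session shows a TGT whose end time matches the remaining TTL rather than the usual 10-hour default, which is the behaviour worth checking when you roll this out.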
Azure AD Join
Azure Active Directory Join enhances the identity experience for enterprise, business and EDU customers with improved capabilities for corporate and personal devices. In a cloud-first world, Azure AD (Azure Active Directory) enables single sign-on to devices, apps, and services from anywhere, including Bring Your Own Device (BYOD), and lets users reach organizational resources from mobile devices that cannot be joined to a Windows domain, whether they are corporate-owned or BYOD.
Microsoft Passport (later renamed Windows Hello for Business) is a new key-based authentication approach for organizations that goes beyond passwords. It relies on credentials that are resistant to breach, theft and phishing: a private key bound to the device and unlocked by a PIN or biometric gesture rather than a shared secret. Its aim is to provide stronger security than a conventional password without the complexity of solutions such as physical smart cards.
FRS is no more
File Replication Service (FRS), which Windows Server 2003 used to replicate SYSVOL and its folder contents, is deprecated in Windows Server 2016 and is not supported once the forest and domain functional levels are raised to Windows Server 2016. Domains that still replicate SYSVOL with FRS have to be migrated to DFS Replication (DFS-R) with dfsrmig.exe before that point.
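As an added example, not from the original post, the following PowerShell checks whether SYSVOL in the current domain is still replicated by FRS and, if so, walks the dfsrmig.exe migration through its states. It assumes it is run on the PDC emulator as a Domain Admin; the domain name is taken from AD rather than assumed.

```powershell
# Added example (not from the original post): detect FRS-replicated SYSVOL and
# migrate it to DFS-R with dfsrmig.exe. Run on the PDC emulator as a Domain Admin.
# dfsrmig global states: 0 Start (FRS), 1 Prepared, 2 Redirected, 3 Eliminated (DFS-R only).

function Test-SysvolUsesDfsr {
    # A DFS-R-replicated SYSVOL has a "SYSVOL Share" msDFSR-ContentSet object under CN=System.
    $dn = (Get-ADDomain).DistinguishedName
    $contentSet = Get-ADObject -LDAPFilter '(&(objectClass=msDFSR-ContentSet)(name=SYSVOL Share))' `
        -SearchBase "CN=System,$dn" -ErrorAction SilentlyContinue
    return [bool]$contentSet
}

if (Test-SysvolUsesDfsr) {
    "SYSVOL is already replicated by DFS-R"
    dfsrmig /getglobalstate
    return
}

"SYSVOL is still replicated by FRS; migrating before raising functional levels"

# Move one state at a time and wait until every DC reports it before going on.
# /getmigrationstate lists the DCs that have not yet reached the global state.
# State 3 (Eliminated) is irreversible: FRS SYSVOL replication is removed for good.
foreach ($state in 1, 2, 3) {
    dfsrmig /setglobalstate $state
    do {
        Start-Sleep -Seconds 30
        $out = dfsrmig /getmigrationstate
    } until ($out -match 'migrated successfully')
    "All domain controllers reached global state $state"
}
```

Between states, "repadmin /syncall /AdeP" on the PDC emulator speeds up propagation of the state change; if a DC never reaches a state, fix its replication before moving on rather than forcing the next state.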
Time Synchronization Improvements
Windows Server 2016 includes several updates to domain time synchronization to reduce the drift that accumulates in large and virtualized environments. They include eliminating rounding errors that built up over time, increasing the frequency of synchronization, and improving the accuracy of synchronization up to tens of microseconds. The accuracy a member actually gets still depends on the whole chain: the PDC emulator's upstream time source, the number of hops down the domain hierarchy, and the network between them.
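As an added example (not from the original post), these w32tm.exe commands verify the time hierarchy on Windows Server 2016 domain controllers and members; w32tm is the standard Windows Time client and its flags are the documented ones. The PDC emulator name pdc01.corp.example and the pool.ntp.org upstream servers are assumptions for the example.

```powershell
# Added example (not from the original post): verify and configure domain time
# synchronization with w32tm.exe. Hypothetical names: pdc01.corp.example as the
# PDC emulator; pool.ntp.org servers as the upstream source.

# What is this machine syncing from, and what are its stratum and last offset?
w32tm /query /source
w32tm /query /status /verbose

# The PDC emulator must not report "Local CMOS Clock" as its source. Point it at
# reliable NTP servers (run this on the PDC emulator as an administrator).
# 0x8 = client mode, so the peer is polled rather than symmetric-active.
w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8" `
    /syncfromflags:manual /reliable:yes /update
w32tm /resync

# From a member or another DC, sample the offset against the PDC emulator.
# A steadily growing offset between samples indicates drift; a constant one
# indicates a fixed network or stratum error.
w32tm /stripchart /computer:pdc01.corp.example /samples:5 /dataonly
```

Run the stripchart from a few members in different sites; the offsets should sit well below the 5-minute Kerberos clock skew tolerance, and after the 2016 improvements within a few milliseconds of the PDC emulator if the upstream source is sound.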
I hope this helps you decide on migrating from Windows Server 2012 / Active Directory 2012 to Windows Server 2016 / Active Directory 2016.
Also Read: Windows Server 2016 Features