Windows Server 2016 is packed with new and enhanced features. In this article we look at what is new in Active Directory Domain Services (AD DS) from a conceptual angle; how each feature works in practice will be covered in upcoming articles.
In Server 2016, AD DS gained several new features, listed below:
1. Privileged access management (PAM)
2. Azure AD Join
3. Microsoft Passport
1. Privileged access management (PAM):
PAM helps mitigate security concerns in Active Directory environments caused by credential theft techniques such as pass-the-hash, spear phishing and similar attacks. It provides a new administrative access solution that is configured using Microsoft Identity Manager (MIM): MIM provisions a separate bastion forest, trusted by the existing forest, and grants administrative rights through time-limited membership in shadow groups in that bastion forest, rather than leaving permanent privileged accounts in the production forest.
PAM requires Microsoft Identity Manager (MIM) and an AD forest functional level of Windows Server 2012 R2 or higher.
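As an added example (not from the original article), here is the AD DS side of PAM that you can exercise without a MIM deployment: the time-limited group membership ("expiring links") that Windows Server 2016 introduced for it. It assumes a Windows Server 2016 host with the ActiveDirectory module, an Enterprise Admin session, and placeholder names (user jdoe, group Domain Admins). Note the caveat in the comments: the 'Privileged Access Management Feature' optional feature, unlike the MIM part, needs the forest at the Windows Server 2016 functional level, and enabling it cannot be undone.

```powershell
# Added example: time-limited group membership ("expiring links"), the AD DS side of
# the PAM feature in Windows Server 2016. Not from the original article.
# Assumptions: run as an Enterprise Admin on a domain-joined Windows Server 2016 host
# with the ActiveDirectory module; user 'jdoe' and the 'Domain Admins' group are
# illustrative placeholders. Enabling the optional feature is irreversible and
# requires the forest functional level to be Windows Server 2016.

Import-Module ActiveDirectory

$forest = Get-ADForest

# 1. Expiring links need the 2016 forest functional level; stop early otherwise.
if ($forest.ForestMode -ne 'Windows2016Forest') {
    throw "Forest functional level is $($forest.ForestMode); 'Privileged Access Management Feature' needs Windows2016Forest."
}

# 2. Enable the optional feature once per forest (skipped if already enabled).
$feature = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.RootDomain -Confirm:$false
}

# 3. Grant privileged membership that lapses after one hour. The KDC caps the
#    lifetime of the TGT it issues at the remaining TTL, so the elevation ends
#    on its own instead of relying on someone remembering to remove the user.
Add-ADGroupMember -Identity 'Domain Admins' -Members 'jdoe' `
    -MemberTimeToLive (New-TimeSpan -Hours 1)

# 4. Audit: list members with their remaining TTL. Permanent members come back
#    as a plain DN; timed members come back as '<TTL=seconds>,<DN>'.
(Get-ADGroup -Identity 'Domain Admins' -Property member -ShowMemberTimeToLive).member |
    ForEach-Object {
        if ($_ -match '^<TTL=(\d+)>,(.+)$') {
            [pscustomobject]@{ Member = $Matches[2]; SecondsLeft = [int]$Matches[1] }
        } else {
            [pscustomobject]@{ Member = $_; SecondsLeft = 'permanent' }
        }
    } | Format-Table -AutoSize
```

The audit step is the one worth scheduling: a TTL member whose `SecondsLeft` is large, or a permanent member you did not expect, is exactly the standing privilege PAM is meant to remove.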
2. Azure AD Join:
The purpose of Azure AD Join is to provide the benefits of an on-premises AD environment without the accompanying complexity. Devices purchased with Windows 10 can be self-provisioned into Azure AD, and on such a device a user logs on, reads email, syncs Windows settings and so on with the same account.
Azure AD Join also provides single sign-on to applications, mobile device management (MDM) enrollment, and a kiosk/shared mode in which multiple users can sign in to one device. If you use Office 365, you get additional features through Azure AD Join as well.
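The first thing a practitioner wants after reading the above is a way to tell which of these states a given machine is actually in. The following is an added example, not from the original article: it parses the output of `dsregcmd /status`, the built-in Windows 10 tool that reports the device's registration state, and classifies the device. The `$sample` text is constructed (abridged to the lines used) so the script runs offline; on a real machine the final block replaces it with live output.

```powershell
# Added example: classify a Windows 10 device's Azure AD join state from 'dsregcmd /status'.
# Not from the original article. Assumes dsregcmd.exe (ships with Windows 10) for the
# live check; $sample is constructed output so the script can run offline.

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    # dsregcmd prints "Key : Value" pairs under +-----+ section banners; keep the pairs.
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    $state
}

function Get-DeviceJoinType {
    param([hashtable]$State)
    $aad = $State['AzureAdJoined']   -eq 'YES'   # device object in Azure AD
    $dom = $State['DomainJoined']    -eq 'YES'   # classic on-premises AD join
    $wpj = $State['WorkplaceJoined'] -eq 'YES'   # per-user Azure AD registration
    if ($aad -and $dom) { return 'Hybrid Azure AD joined' }
    if ($aad)           { return 'Azure AD joined' }
    if ($dom -and $wpj) { return 'Domain joined, user also Azure AD registered' }
    if ($dom)           { return 'Domain joined only' }
    if ($wpj)           { return 'Azure AD registered (workplace joined)' }
    'Not joined to anything'
}

# Constructed sample in the real output format, for an offline run.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
               Device Name : WS16-CLIENT01
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : YES
           WorkplaceJoined : NO
             WamDefaultSet : YES
'@ -split "`r?`n"

$state = ConvertFrom-DsregStatus -Lines $sample
"Sample device : $(Get-DeviceJoinType -State $state)"

# On a real machine, feed the live output through the same parser.
if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) {
    $live = ConvertFrom-DsregStatus -Lines (& dsregcmd.exe /status)
    "This device   : $(Get-DeviceJoinType -State $live)"
}
```

`NgcSet : YES` in the User State section is also worth noticing: it means a Microsoft Passport (Windows Hello for Business) key has been provisioned for the signed-in user, which ties this check to the next feature.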
3. Microsoft Passport:
Microsoft Passport replaces ordinary password-based authentication with two-factor authentication. It can provide more security than a simple password without the complexity of traditional solutions such as physical smart cards.
Passport's two factors are something the user has, a private key that is generated on the device and never leaves it (stored in the TPM where one is present), and something the user knows or is, a PIN or a Windows Hello biometric gesture that unlocks that key. The key is specific to the user and the device: each user on a device gets their own key, and the same user gets a different key on each device they enroll.
Because the PIN only unlocks the key locally and is never sent to the domain controller, it is not a network credential that can be harvested or replayed the way a password can. That is what makes Passport a practical way to move users off daily password use.
Microsoft Passport can be deployed on an existing on-premises Active Directory environment or on Azure AD; for the on-premises case you need Windows Server 2016 domain controllers. PIN complexity (length, character classes, expiration, history) is governed by its own Group Policy settings, separate from the domain password policy, so review those settings when you roll Passport out.
Users no longer need to type their full password, or even remember it, for everyday logon; a PIN or biometric gesture is enough, which gives a much easier logon process. The account password still exists in the directory and still needs protecting; Passport only removes it from the daily logon path. Hence users will be happy to have Microsoft Passport enabled for their accounts.
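The two prerequisites the passage above turns on, a TPM to hold the device key and a PIN policy that is separate from the password policy, can be checked on a client. The script below is an added example, not from the original article. It assumes an elevated PowerShell session on a domain-joined Windows 10 client with the RSAT ActiveDirectory module (for the domain password policy), and reads the registry keys that the Windows Hello for Business Group Policy settings write; the value names used are the ones those policies produce.

```powershell
# Added example: check Microsoft Passport / Windows Hello for Business prerequisites
# on a client and compare the PIN policy with the domain password policy.
# Not from the original article. Assumes an elevated session (Get-Tpm needs it),
# a domain-joined Windows 10 client, and the RSAT ActiveDirectory module.

Import-Module ActiveDirectory

# 1. The device-bound key should live in a TPM. Without one Windows falls back to a
#    software-protected key, which is weaker against an attacker who can read the disk.
$tpm = Get-Tpm
[pscustomobject]@{
    TpmPresent = $tpm.TpmPresent
    TpmReady   = $tpm.TpmReady
} | Format-List

# 2. Is the feature switched on by policy, and is a TPM required by policy?
$hfb = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
$enabled    = (Get-ItemProperty -Path $hfb -Name Enabled -ErrorAction SilentlyContinue).Enabled
$requireTpm = (Get-ItemProperty -Path $hfb -Name RequireSecurityDevice -ErrorAction SilentlyContinue).RequireSecurityDevice
"Hello for Business enabled by policy : $([bool]$enabled)"
"TPM required by policy               : $([bool]$requireTpm)"

# 3. PIN complexity is its own policy subtree; it does not inherit from the domain
#    password policy, so put the two side by side. Empty PIN values mean 'not set',
#    i.e. the Windows defaults apply.
$pin       = Get-ItemProperty -Path "$hfb\PINComplexity" -ErrorAction SilentlyContinue
$pwdPolicy = Get-ADDefaultDomainPasswordPolicy   # not $pwd: that is an automatic variable

$rows = @(
    [pscustomobject]@{ Setting = 'Minimum length';    PinPolicy = $pin.MinimumPINLength; DomainPasswordPolicy = $pwdPolicy.MinPasswordLength }
    [pscustomobject]@{ Setting = 'Expiration (days)'; PinPolicy = $pin.Expiration;       DomainPasswordPolicy = $pwdPolicy.MaxPasswordAge.Days }
    [pscustomobject]@{ Setting = 'History';           PinPolicy = $pin.History;          DomainPasswordPolicy = $pwdPolicy.PasswordHistoryCount }
    [pscustomobject]@{ Setting = 'Require digits';    PinPolicy = $pin.Digits;           DomainPasswordPolicy = $pwdPolicy.ComplexityEnabled }
)
$rows | Format-Table -AutoSize
```

If `TpmPresent` is false while `RequireSecurityDevice` is 1, enrollment will simply fail on that machine; if it is false and the policy does not require a TPM, enrollment succeeds with a software key, which is the case to flag in an audit.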
The following features are also deprecated in Server 2016:
1. File Replication Service(FRS) and Windows Server 2003 Functional Levels
FRS is the older service that replicates the SYSVOL folder (logon scripts and Group Policy templates) between domain controllers. FRS and Windows Server 2003 domain controllers have already been deprecated, and new domains should not be built on them. If you still have domain controllers running Windows Server 2003, decommission them from the forest.
The forest and domain functional levels should be raised to Windows Server 2008 or higher; once raised, domain controllers running earlier versions can no longer be added to the domain.
Distributed File System (DFS) Replication is the service that replaces FRS for replicating SYSVOL contents between domain controllers. If you create a new domain at the Windows Server 2008 domain functional level or higher, DFS Replication is used for SYSVOL automatically. If the domain was created at a lower functional level, you need to migrate SYSVOL from FRS to DFS Replication (using the dfsrmig tool) even after raising the functional level, because raising the level does not switch the replication engine by itself.
The Windows Server 2003 domain and forest functional levels are still supported in Server 2016, but organizations should raise them to Windows Server 2008 (or higher where possible) to ensure SYSVOL replication compatibility and support in the future.
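The three deprecation checks above (old domain controllers, functional levels below 2008, SYSVOL still on FRS) can be run together from one domain controller. The script below is an added example, not from the original article. It assumes a Domain Admin session on a domain-joined Windows Server 2016 host with the ActiveDirectory module, and detects the SYSVOL engine from the directory objects each engine creates under the System container (the FRS replica set object and the DFSR replication group object); `dfsrmig.exe` ships on every domain controller since Windows Server 2008.

```powershell
# Added example: inventory the deprecations this article lists. Not from the original
# article. Assumes a Domain Admin session on a Windows Server 2016 DC (or a host with
# the ActiveDirectory module) and dfsrmig.exe for the migration-state readout.

Import-Module ActiveDirectory

# 1. Operating system of every DC. Anything older than Windows Server 2008 has to go
#    before the functional level can be raised.
'--- Domain controllers ---'
Get-ADDomainController -Filter * |
    Select-Object Name, OperatingSystem, OperatingSystemVersion, IsGlobalCatalog |
    Sort-Object OperatingSystemVersion |
    Format-Table -AutoSize

# 2. Functional levels. Windows2003Domain / Windows2003Forest are the deprecated ones.
$forest = Get-ADForest
$domain = Get-ADDomain
"Forest functional level : $($forest.ForestMode)"
"Domain functional level : $($domain.DomainMode)"
if ($domain.DomainMode -eq 'Windows2003Domain') {
    "  -> raise it once the last 2003 DC is gone (one-way change):"
    "     Set-ADDomainMode -Identity $($domain.DNSRoot) -DomainMode Windows2008Domain"
}

# 3. Which engine replicates SYSVOL? Look for the objects each engine keeps in AD.
#    FRS : objectClass nTFRSReplicaSet, cn 'Domain System Volume (SYSVOL share)'
#    DFSR: objectClass msDFSR-ReplicationGroup, cn 'Domain System Volume'
#    Parentheses inside an LDAP filter value are escaped as \28 and \29.
$sys  = "CN=System,$($domain.DistinguishedName)"
$frs  = Get-ADObject -SearchBase $sys -SearchScope Subtree `
            -LDAPFilter '(&(objectClass=nTFRSReplicaSet)(cn=Domain System Volume \28SYSVOL share\29))'
$dfsr = Get-ADObject -SearchBase $sys -SearchScope Subtree `
            -LDAPFilter '(&(objectClass=msDFSR-ReplicationGroup)(cn=Domain System Volume))'

'--- SYSVOL replication ---'
if ($frs -and -not $dfsr) {
    'SYSVOL is replicated by FRS only.'
    if ($domain.DomainMode -eq 'Windows2003Domain') {
        'Raise the domain functional level to Windows Server 2008 first; then migrate.'
    } else {
        'Migrate with dfsrmig: /setglobalstate 1 (Prepared), 2 (Redirected), 3 (Eliminated),'
        'waiting for /getmigrationstate to report all DCs at each step before moving on.'
    }
} elseif ($frs -and $dfsr) {
    'SYSVOL migration from FRS to DFSR is in progress (both objects exist):'
    & dfsrmig.exe /getglobalstate
    & dfsrmig.exe /getmigrationstate
} else {
    'SYSVOL is replicated by DFS Replication.'
}
```

The ordering in the output matters: the functional level must be raised before `dfsrmig` will start, and any Windows Server 2003 DC must be demoted before the level can be raised, so the script reports the earlier blocker first.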