New features for Windows Server 2016-winser2016 activedirectory

Source: Internet
Author: User

Windows Server 2016 Active Directory Domain Services (AD DS) adds new features that improve the security of Active Directory domains and of the organization's environment as a whole, and that help organizations move toward cloud-only or hybrid deployments, in which some applications and services are hosted in the cloud while the rest remain on-premises.

The improved features are as follows:

    • Privileged access management (PAM)

    • Extended cloud capabilities through Azure Active Directory Join for Windows 10 devices

    • Connecting to Azure AD domain-joined devices to enhance the Windows 10 user experience

    • Enabling Microsoft Passport for Work in your organization

    • Deprecation of File Replication Service (FRS) and the Windows Server 2003 functional levels

Privileged access management:

    • Privileged access management (PAM) helps mitigate the security concerns for Active Directory environments that are caused by credential-theft techniques such as pass-the-hash, spear phishing, and similar attacks. It provides a new administrative access solution that is configured by using Microsoft Identity Manager (MIM). PAM introduces:

    • A new bastion Active Directory forest, which is provisioned by MIM. The bastion forest has a special PAM trust with the existing forest. It provides a new Active Directory environment that is known to be free of malicious activity, and isolates the use of privileged accounts from the existing forest.

    • New processes in MIM for requesting administrative privileges, together with new workflows based on the approval of those requests.

    • New shadow security principals (groups) that MIM provisions in the bastion forest in response to administrative privilege requests. A shadow security principal has an attribute that references the SID of an administrative group in the existing forest. This lets the shadow group access resources in the existing forest without changing any access control lists (ACLs).

    • An expiring links feature, which enables time-bound membership in a shadow group. A user can be added to the group for just enough time to perform an administrative task. The time-bound membership is expressed as a time-to-live (TTL) value that is propagated to the Kerberos ticket lifetime.

Note:

Expiring links are available on all linked attributes. However, the member/memberOf linked-attribute relationship between a group and a user is the only case in which a complete solution, such as PAM, is preconfigured to use the expiring links feature.

    • KDC enhancements are built into Active Directory domain controllers to restrict the Kerberos ticket lifetime to the lowest remaining time-to-live (TTL) value when a user has multiple time-bound memberships in administrative groups.

    • New monitoring capabilities help you easily identify who requested access, what access was granted, and what activities were performed.

Requirements

Microsoft Identity Manager

Active Directory Forest functional level of Windows Server version R2 or later.
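As an added example (not part of the original page or of Microsoft's documentation), the following PowerShell shows how the expiring links feature described above is used directly: enabling the PAM optional feature in a forest, granting a group membership with a TTL, and reading the remaining TTL back. The forest name, group and user are placeholders.

```powershell
# Added example, not from the page. Assumed placeholders: forest 'bastion.example',
# group 'Tier0-Admins', user 'jdoe'. Requires the Windows Server 2016 AD module.
Import-Module ActiveDirectory

# 1. Enable the PAM optional feature in the forest. This is a one-way change:
#    optional features cannot be disabled once enabled, so test in a lab first.
Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
    -Scope ForestOrConfigurationSet -Target 'bastion.example'

# 2. Add the user for just enough time to do the task. The TTL is stored on the
#    member link; the KDC caps the Kerberos ticket lifetime to the lowest TTL.
Add-ADGroupMember -Identity 'Tier0-Admins' -Members 'jdoe' `
    -MemberTimeToLive (New-TimeSpan -Minutes 30)

# 3. Verify the time-bound membership. With -ShowMemberTimeToLive each member
#    is returned as '<TTL=<seconds remaining>,<distinguished name>>'; when the
#    TTL reaches zero the link is removed automatically, with no cleanup job.
(Get-ADGroup -Identity 'Tier0-Admins' -Property member -ShowMemberTimeToLive).member
```

A membership added without -MemberTimeToLive is still permanent, so monitoring should flag any direct (non-TTL) additions to the shadow groups.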

Azure AD Join

Azure Active Directory Join enhances identity experiences for enterprise, business, and EDU customers, with improved capabilities for corporate-owned and personal devices.

Advantages:

    • Availability of modern settings on corporate-owned Windows devices. Oxygen services no longer require a personal Microsoft account: they now run off the user's existing work account to ensure compliance. Oxygen services work on PCs that are joined to an on-premises Windows domain and on PCs and devices that are joined to your Azure AD tenant ("cloud domain"). These settings include:

    1. Roaming or personalization, accessibility settings, and credentials

    2. Backup and restore

    3. Access to the Microsoft Store with a work account

    4. Live Tiles and notifications

    • Access to organizational resources on mobile devices (phones and phablets) that cannot be joined to a Windows domain, whether they are corporate-owned or BYOD.

    • Single sign-on to Office 365 and other organizational apps, sites, and resources.

    • On BYOD devices, add a work account (from the on-premises domain or Azure AD) to a personally owned device and get SSO to work resources, in apps and on the web, in a way that helps ensure compliance with new capabilities such as conditional account control and device health attestation.

    • MDM integration lets you automatically enroll devices into your MDM (Intune or third-party).

    • Set up "kiosk" mode and shared devices for multiple users in your organization.

    • The developer experience lets you build apps that cater to both enterprise and personal contexts with a shared programming stack.

    • Imaging options let you choose between imaging and allowing your users to configure corporate-owned devices directly during the first-run experience.

Microsoft Passport

Microsoft Passport is a new key-based authentication approach for organizations and consumers that goes beyond passwords. This form of authentication relies on credentials that are resistant to breach, theft, and phishing.

The user logs on to the device with biometric or PIN sign-in information that is linked to a certificate or an asymmetric key pair. The identity providers (IDPs) validate the user by mapping the user's public key to IDLocker, and provide sign-in information through a one-time password (OTP), PhoneFactor, or another notification mechanism.

Deprecation of File Replication Service (FRS) and the Windows Server 2003 functional levels

    • Although the File Replication Service (FRS) and the Windows Server 2003 functional levels were deprecated in previous versions of Windows Server, it bears repeating that the Windows Server 2003 operating system is no longer supported. Therefore, any domain controller running Windows Server 2003 should be removed from the domain. The domain and forest functional levels should be raised to at least Windows Server 2008 to prevent a domain controller running an earlier version of Windows Server from being added to the environment.

    • At the Windows Server 2008 and later domain functional levels, Distributed File System (DFS) Replication is used to replicate the contents of the SYSVOL folder between domain controllers. If you create a new domain at the Windows Server 2008 domain functional level or later, SYSVOL is automatically replicated by using DFS Replication. If you created the domain at a lower functional level, you will need to migrate SYSVOL replication from FRS to DFS Replication.

    • The Windows Server 2003 domain and forest functional levels continue to be supported, but organizations should raise the functional level to Windows Server 2008 (or later) to ensure SYSVOL replication compatibility and support for later versions of Windows Server.
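As an added example (not from the page), this PowerShell walks the checks an administrator would run before and during the cleanup described above: finding legacy domain controllers, reading and raising the functional levels, and checking the SYSVOL migration state with dfsrmig. Run it on a domain controller; the -WhatIf switches keep the level changes from being applied until removed.

```powershell
# Added example, not from the page. Run on a domain controller as a domain admin.
Import-Module ActiveDirectory

# 1. Any DC still on Windows Server 2003 must be demoted and removed first;
#    the functional level cannot be raised while one remains.
Get-ADDomainController -Filter * |
    Select-Object Name, OperatingSystem, IPv4Address |
    Where-Object { $_.OperatingSystem -like '*2003*' }

# 2. Current levels. Anything below Windows2008Domain still uses FRS for SYSVOL.
(Get-ADDomain).DomainMode
(Get-ADForest).ForestMode

# 3. Raise to the Windows Server 2008 minimum. Raising a level is one-way, so
#    review the -WhatIf output, then rerun without -WhatIf.
Set-ADDomainMode -Identity (Get-ADDomain) -DomainMode Windows2008Domain -WhatIf
Set-ADForestMode -Identity (Get-ADForest) -ForestMode Windows2008Forest -WhatIf

# 4. SYSVOL replication state. dfsrmig global states:
#    0 = Start (FRS only), 1 = Prepared, 2 = Redirected, 3 = Eliminated (DFS-R only).
dfsrmig /getglobalstate

# 5. Migrate one state at a time, confirming every DC has reached the state
#    (dfsrmig /getmigrationstate) before moving to the next.
# dfsrmig /setglobalstate 1
# dfsrmig /setglobalstate 2
# dfsrmig /setglobalstate 3
```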

