November 16, 2016

Active Directory on Windows Server 2016

Active Directory

The content in this section describes what's new and changed in Windows Server® 2016. The new features and changes listed here are the ones most likely to have the greatest impact as you work with this release.

Privileged access management

Privileged access management (PAM) helps mitigate security concerns for Active Directory environments that are caused by credential theft techniques such as pass-the-hash, spear phishing, and similar types of attacks. It provides a new administrative access solution that is configured by using Microsoft Identity Manager (MIM). PAM introduces:
  • A new bastion Active Directory forest, which is provisioned by MIM. The bastion forest has a special PAM trust with an existing forest. It provides a new Active Directory environment that is known to be free of any malicious activity, and isolation from an existing forest for the use of privileged accounts.
  • New processes in MIM to request administrative privileges, along with new workflows based on the approval of requests.
  • New shadow security principals (groups) that are provisioned in the bastion forest by MIM in response to administrative privilege requests. The shadow security principals have an attribute that references the SID of an administrative group in an existing forest. This allows the shadow group to access resources in an existing forest without changing any access control lists (ACLs).
  • An expiring links feature, which enables time-bound membership in a shadow group. A user can be added to the group for just enough time required to perform an administrative task. The time-bound membership is expressed by a time-to-live (TTL) value that is propagated to a Kerberos ticket lifetime.
  • KDC enhancements are built in to Active Directory domain controllers to restrict Kerberos ticket lifetime to the lowest possible time-to-live (TTL) value in cases where a user has multiple time-bound memberships in administrative groups. For example, if you are added to a time-bound group A, then when you log on, the Kerberos ticket-granting ticket (TGT) lifetime is equal to the time you have remaining in group A. If you are also a member of another time-bound group B, which has a lower TTL than group A, then the TGT lifetime is equal to the time you have remaining in group B.
  • New monitoring capabilities to help you easily identify who requested access, what access was granted, and what activities were performed.

Requirements:
  • Microsoft Identity Manager
  • Active Directory forest functional level of Windows Server 2012 R2 or higher.
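The expiring-links and TTL behaviour described above, shown from the administrator's side as an added example (not code from the original post). It assumes the RSAT ActiveDirectory module, a forest already at the Windows Server 2016 functional level (which the optional feature requires), and the placeholder names Tier0-Admins and alice; the helper that computes the effective TGT lifetime follows the "lowest TTL wins" rule stated in the KDC bullet.

```powershell
# Added example, not part of the original post. Placeholders: 'Tier0-Admins', 'alice'.
Import-Module ActiveDirectory

# Expiring links ship as an optional forest feature. Enabling it is one-way and is what
# makes -MemberTimeToLive available on Add-ADGroupMember.
$pam = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
if ($pam.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
        -Scope ForestOrConfigurationSet -Target (Get-ADForest).Name -Confirm:$false
}

# Time-bound membership: alice holds Tier0-Admins for 60 minutes, after which the link
# expires on its own and the KDC no longer puts the group SID into her tickets.
Add-ADGroupMember -Identity 'Tier0-Admins' -Members 'alice' `
    -MemberTimeToLive (New-TimeSpan -Minutes 60)

# Audit helper: remaining TTL (seconds) per member of a group. With -ShowMemberTimeToLive
# each time-bound entry is returned as '<TTL=<seconds>>,<member DN>'; a plain DN means a
# permanent link, which is what a reviewer of a Tier-0 group wants to spot.
function Get-MemberTtl {
    param([string]$Group)
    $g = Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive
    foreach ($entry in $g.member) {
        if ($entry -match '^<TTL=(\d+)>,(.*)$') {
            [pscustomobject]@{ Group = $Group; Member = $Matches[2]; TtlSeconds = [int]$Matches[1] }
        } else {
            [pscustomobject]@{ Group = $Group; Member = $entry;      TtlSeconds = $null }
        }
    }
}

# Effective TGT lifetime for a user: the smallest remaining TTL across every time-bound
# group the user is in (the rule from the KDC bullet above). $null means no time bound.
function Get-EffectiveTgtLifetime {
    param([string]$UserDn, [string[]]$Groups)
    $ttls = foreach ($grp in $Groups) {
        Get-MemberTtl -Group $grp | Where-Object { $_.Member -eq $UserDn -and $_.TtlSeconds } |
            ForEach-Object { $_.TtlSeconds }
    }
    if ($ttls) { ($ttls | Measure-Object -Minimum).Minimum } else { $null }
}

Get-MemberTtl -Group 'Tier0-Admins' | Format-Table -AutoSize
$aliceDn = (Get-ADUser -Identity 'alice').DistinguishedName
Get-EffectiveTgtLifetime -UserDn $aliceDn -Groups 'Tier0-Admins', 'Tier0-Backup'
```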

Azure AD Join

Azure Active Directory Join enhances identity experiences for enterprise, business and EDU customers, with improved capabilities for corporate and personal devices.

  • Availability of Modern Settings on corp-owned Windows devices. Oxygen Services no longer require a personal Microsoft account: they now run off users' existing work accounts to ensure compliance. Oxygen Services will work on PCs that are joined to an on-premises Windows domain, and PCs and devices that are "joined" to your Azure AD tenant ("cloud domain"). These settings include:
      • Roaming or personalization, accessibility settings and credentials
      • Backup and Restore
      • Access to the Windows Store with work account
      • Live tiles and notifications
  • Access organizational resources on mobile devices (phones, phablets) that can't be joined to a Windows Domain, whether they are corp-owned or BYOD
  • Single-Sign On to Office 365 and other organizational apps, websites and resources.
  • On BYOD devices, add a work account (from an on-premises domain or Azure AD) to a personally-owned device and enjoy SSO to work resources, via apps and on the web, in a way that helps ensure compliance with new capabilities such as Conditional Account Control and Device Health attestation.
  • MDM integration lets you auto-enroll devices to your MDM (Intune or third-party)
  • Set up "kiosk" mode and shared devices for multiple users in your organization
  • Developer experience lets you build apps that cater to both enterprise and personal contexts with a shared programming stack.
  • Imaging option lets you choose between imaging and allowing your users to configure corp-owned devices directly during the first-run experience.

Before you can enable Active Directory directory service authentication for your Commerce Server Web site user profile information, you must set up an Active Directory domain on your site. It is recommended that you dedicate a replicated pair of servers for this purpose.

1. Click Run, then Promote this server to a domain controller.
2. In the Run dialog box:

3. In the Active Directory Installation Wizard, click Next.
4. In the Domain Controller Type dialog box, select Domain controller for a new domain, and then click Next.
(Screenshot: New Domain)

5. In the Create Tree or Child Domain dialog box, select the Create a new domain tree option, and then click Next.
6. In the Domain function level, choose Windows Server Technical Preview / Windows Server 2012.
7. In the Directory Services Restore Mode Administrator Password dialog box, type the DSRM administrator password, and then click Next.
(Screenshot: Password for Restore)

8. If you selected the Create a new forest of domain trees option, in the New Domain Name dialog box, in the Full DNS name for new domain box, type the full Domain Name System (DNS) name for the new domain.
9. In the NetBIOS Domain Name dialog box, in the Domain NetBIOS name box, type the name that users of earlier versions of Microsoft Windows will use to identify the domain. It is recommended that you accept the default, which is a shortened version of the full DNS name. Click Next.
(Screenshot: Domain Name)

10. If DNS is not installed on your computer, you will be prompted to install it. Select Yes, install and configure DNS on this computer, and then click Next.
11. In the Summary dialog box, review the options you selected to ensure your Active Directory configuration is correct. If it is, click Next, or, to reconfigure your selections, click Back.
The Configuring Active Directory dialog box appears, notifying you that your Active Directory configuration is being installed on your computer.

12. In the Completing the Active Directory Installation Wizard dialog box, click Finish, and then restart the server.
(Screenshot: Need a Reboot)
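The same new-forest promotion as the wizard steps above, driven from PowerShell, as an added example that is not part of the original post. It assumes the ADDSDeployment module that ships with the AD DS role, the placeholder names corp.example / CORP, and the Windows Server 2012 functional level the walkthrough picks in step 6; the pre-check mirrors the Summary review in step 11.

```powershell
# Added example, not from the original post. Placeholders: 'corp.example', 'CORP'.
# Run in an elevated session on the server being promoted.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

# Step 7: the DSRM password is the offline break-glass credential for this DC's
# local SAM; prompt for it rather than embedding it in the script.
$dsrmPassword = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

# Steps 4-10: new forest and domain tree, functional level, full DNS name,
# NetBIOS name, and install DNS on this computer.
$params = @{
    DomainName                    = 'corp.example'
    DomainNetbiosName             = 'CORP'
    ForestMode                    = 'Win2012'
    DomainMode                    = 'Win2012'
    InstallDns                    = $true
    SafeModeAdministratorPassword = $dsrmPassword
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
}

# Step 11 (Summary): validate the selections before anything is changed.
$check = Test-ADDSForestInstallation @params
if ($check.Status -ne 'Success') {
    $check.Message
    throw 'Forest installation pre-check did not succeed; review the messages above.'
}

# Step 12: promote the server; it reboots on completion (-Force suppresses the
# confirmation prompts the wizard shows interactively).
Install-ADDSForest @params -Force
```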

Installation finished; a more detailed video is on my YouTube channel.
