As Windows Server 2016 nears its September launch date, many organizations are evaluating the software release. While many new features are getting a lot of attention -- containers, anyone? -- the core roles of Windows Server, including Active Directory, are also attracting notice in this release. Here is a look at some key new Active Directory features.
Group membership expirations
Many systems administrators have had to grant a user access to a resource or file on a temporary basis: for contractors or workers with a limited engagement with the organization, or in educational settings where students come and go based on course registrations and part-time employment. Previously, administrators either depended on identity lifecycle management software to handle these group memberships and removals, or used a cumbersome process involving dynamic objects with specific time-to-live entries.
Enter privileged access management (PAM), a new feature in Windows Server 2016 that lets administrators set the duration of a group membership with a simple PowerShell option. To use PAM, enable the Active Directory optional feature in the forest that holds the domain where the time-limited group memberships reside:
Enable-ADOptionalFeature 'Privileged Access Management Feature' -Scope ForestOrConfigurationSet -Target yourdomain.com
Next, add a member to an existing group and specify the duration of that membership using the -MemberTimeToLive option:
Add-ADGroupMember -Identity 'Color Printer Users' -Members 'ssmith' -MemberTimeToLive (New-TimeSpan -Days 90)
That is all there is to it. You can then check on these group members and see how much longer each membership has until it expires with this PowerShell command (the -Properties parameter also accepts the alias -Property used in some documentation):
Get-ADGroup 'Color Printer Users' -Properties member -ShowMemberTimeToLive
There are two caveats to this feature. First, the forest needs to be at the Windows Server 2016 (Windows Threshold) forest functional level. Second, once this optional feature is enabled, it cannot be turned off.
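The whole procedure above, as an added example that is not from the original article: it checks the forest functional level and whether the optional feature is already enabled before enabling it (since enabling is irreversible), grants a time-limited membership, and then reports the remaining time-to-live of every expiring member. The domain name, group name and user name are placeholders, and the parsing of the "<TTL=seconds,...>" strings returned by -ShowMemberTimeToLive is an assumption based on the documented output format, so the regular expression is written to tolerate minor variations.

```powershell
# Added example, not code from the original article. Placeholders:
# $Domain, $Group and $User must be replaced with real values.
# Requires the ActiveDirectory RSAT module and Enterprise Admin rights
# (enabling a forest-wide optional feature), run on a Windows Server 2016 DC or newer.
Import-Module ActiveDirectory

$Domain = 'corp.example.com'        # placeholder forest/domain
$Group  = 'Color Printer Users'     # placeholder group
$User   = 'ssmith'                  # placeholder user
$Days   = 90

# 1. Guard: the feature needs the Windows Server 2016 forest functional level.
$forest = Get-ADForest
if ($forest.ForestMode -notmatch '2016|2019|2025') {
    throw "Forest functional level is $($forest.ForestMode); Windows2016Forest or later is required."
}

# 2. Enable the optional feature only if it is not already enabled.
#    Enabling cannot be undone, so make this an explicit, logged decision.
$feature = Get-ADOptionalFeature -Filter { Name -eq 'Privileged Access Management Feature' }
if (-not $feature.EnabledScopes) {
    Write-Host "Enabling '$($feature.Name)' for $Domain (irreversible)."
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target $Domain -Confirm:$false
} else {
    Write-Host "'$($feature.Name)' is already enabled in: $($feature.EnabledScopes -join ', ')"
}

# 3. Grant a membership that AD itself removes after $Days days.
Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive (New-TimeSpan -Days $Days)

# 4. Report each member of the group with its remaining TTL.
#    With -ShowMemberTimeToLive, expiring links come back as strings of the form
#    '<TTL=<seconds>,CN=...>' (assumed format); permanent members are plain DNs.
function Get-ExpiringGroupMember {
    param([Parameter(Mandatory)][string]$GroupName)

    $g = Get-ADGroup -Identity $GroupName -Properties member -ShowMemberTimeToLive
    foreach ($m in $g.member) {
        if ($m -match '^<TTL=(\d+)(?:>,|,)(.+?)>?$') {
            $seconds = [int]$Matches[1]
            [pscustomobject]@{
                Member    = $Matches[2]
                Kind      = 'Expiring'
                TtlSec    = $seconds
                ExpiresAt = (Get-Date).AddSeconds($seconds)
            }
        } else {
            [pscustomobject]@{
                Member    = $m
                Kind      = 'Permanent'
                TtlSec    = $null
                ExpiresAt = $null
            }
        }
    }
}

Get-ExpiringGroupMember -GroupName $Group | Format-Table -AutoSize
```

Because the TTL is enforced by the directory itself (the link simply disappears when it reaches zero), this is also a useful audit query: running Get-ExpiringGroupMember across privileged groups shows which memberships are temporary and which were granted permanently, which is the distinction a reviewer of group membership usually wants.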
Time sync improvements
While time synchronization can be a small detail, it can loom large enough to affect the authentication and operation of the entire Active Directory deployment. Time sync involves making sure all domain members get accurate, synchronized time from domain controllers, and making sure those domain controllers are synchronized to some reliable source.
Quite a few problems can thwart time sync across a domain: virtual machine clock skew, failing time-sync requests, domain members set to obtain time from servers that no longer exist, traveling machines such as corporate laptops that rarely connect to the domain and obtain time synchronization, and more. Windows Server 2016 contains several updates to domain time synchronization that help mitigate some of these problems, including:
- Eliminating rounding errors that build up over time, contributing to sync errors.
- Increasing the frequency of synchronization adjustments so skew is not a large factor in time-based errors.
- Enhancing the accuracy of synchronization to within tens of microseconds, so even if time skew is present, frequent precise adjustments will correct it.
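Whatever the server version, the practical check is whether each domain member actually takes time from a domain controller and how far its clock is from the PDC emulator. The following script is an added example, not from the original article: it uses the built-in w32tm tool and the ActiveDirectory module to report a member's configured time source and its measured offset from the PDC emulator. Parsing of the w32tm output is based on its documented line format ("HH:mm:ss, +00.0012345s" with /dataonly) and is an assumption; the sample-count and tolerance values are placeholders.

```powershell
# Added example, not code from the original article. Run on any domain member
# with the ActiveDirectory RSAT module installed. Values below are placeholders.
Import-Module ActiveDirectory

$Samples      = 5        # number of w32tm probes against the PDC emulator
$ToleranceSec = 1.0      # placeholder alerting threshold; Kerberos tolerates 5 minutes

# The PDC emulator is the authoritative time source for the domain.
$pdc = (Get-ADDomain).PDCEmulator

# Where does this machine currently get its time? 'Local CMOS Clock' or a
# decommissioned host name here is the misconfiguration the text describes.
$source = (& w32tm /query /source) -join ''

# Measure the offset: w32tm /stripchart with /dataonly prints one line per
# sample such as '12:00:01, +00.0012345s' (assumed documented format).
function Get-ClockOffsetFromPdc {
    param([string]$Server, [int]$Count)

    $raw = & w32tm /stripchart /computer:$Server /samples:$Count /dataonly
    $offsets = foreach ($line in $raw) {
        if ($line -match '([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) {
        throw "No samples parsed from w32tm against $Server; output was: $($raw -join ' | ')"
    }
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        PdcEmulator   = $Server
        TimeSource    = $source
        MeanOffsetSec = [math]::Round(($offsets | Measure-Object -Average).Average, 6)
        MaxOffsetSec  = [math]::Round(($offsets | Measure-Object -Maximum).Maximum, 6)
        SampleCount   = $offsets.Count
    }
}

$result = Get-ClockOffsetFromPdc -Server $pdc -Count $Samples
$result | Format-List

# Flag the two conditions worth acting on: a non-domain time source, or
# drift beyond the chosen tolerance.
if ($result.TimeSource -match 'Local CMOS Clock|Free-running') {
    Write-Warning "This host is not synchronizing from the domain hierarchy (source: $($result.TimeSource))."
}
if ([math]::Abs($result.MeanOffsetSec) -gt $ToleranceSec) {
    Write-Warning "Clock is $($result.MeanOffsetSec)s off the PDC emulator; consider 'w32tm /resync' and checking the configured source."
}
```

Running this from a scheduled task on a sample of workstations and laptops, and collecting the output centrally, turns the "traveling machines" problem from the text into something measurable rather than something discovered when Kerberos authentication starts failing.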
Active Directory Federation Services improvements
Lastly, there are many enhancements to Active Directory Federation Services (AD FS), the software used to authenticate and authorize identities across security boundaries, including:
- Conditional access control. Conditional access control lets administrators define what amounts to a minimum security baseline that machines must meet before they are allowed to connect to a given application. These conditions might include multifactor authentication, membership in particular groups, the health, patching and malware-protection state of the device, or several other choices. This feature is similar to Network Access Protection, except that it is not trying to protect the wire; it is enforced per application for more granular control.
- You can use any LDAPv3 directory with AD FS. Previously, to use AD FS, IT needed to set up a special Active Directory deployment, which might have consisted of a read-only domain controller or perhaps an Active Directory Application Mode instance. This took considerable effort and, especially in the case of mergers and acquisitions or working with third parties, was often not worth it. Now, any directory that supports LDAPv3 -- including open source directories -- can be used, making it that much easier to integrate Office 365 applications in a federated, managed state with existing offerings.
- Support for OAuth/OpenID Connect. Web applications such as Salesforce, Microsoft Dynamics, social media software and other enterprise apps almost always use some form of OAuth or OpenID Connect to protect and manage identities. AD FS in Windows Server 2016 supports OAuth and OpenID Connect, making it more straightforward to integrate these web applications into an existing identity management deployment.