Active Directory is one of the most widely used services on enterprise networks. In addition to providing basic authentication and authorization services, Active Directory enables so many other capabilities that its popularity is no surprise.
Windows Server 2016 adds some significant new features to both Active Directory Domain Services (AD DS) and Active Directory Federation Services (AD FS). Many of the features added in Windows Server 2016 are geared toward the increased focus on cloud applications, whether they’re public, private or hybrid.
Directory Services
AD DS in Windows Server 2016 adds support for group membership expirations, allowing you to add a user to a group for a certain period of time. This is handy for many applications, such as providing administrator privileges for a limited time in order to install an application, or adding students and teachers to appropriate groups for a single term or school year.
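As an added example (this is not code from the original article), the following PowerShell enables the optional feature that backs expiring memberships and then grants a four-hour membership. The forest name, group name and user name are placeholders; the cmdlets are those of the ActiveDirectory module shipped with Windows Server 2016.

```powershell
# Added example, not from the original article: time-bound group membership
# on Windows Server 2016. Placeholder names: forest corp.example.com,
# group "Workstation Admins", user "jdoe".
Import-Module ActiveDirectory

$forest = 'corp.example.com'
$group  = 'Workstation Admins'
$user   = 'jdoe'

# One-time step: the member time-to-live (TTL) attribute on group links only
# exists once the Privileged Access Management optional feature is enabled.
# Enabling an optional feature cannot be undone, so check before enabling.
$pam = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
if (-not $pam.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
        -Scope ForestOrConfigurationSet -Target $forest -Confirm:$false
}

# Add the user for four hours; AD removes the link itself when the TTL runs out,
# so there is no cleanup job to forget about.
Add-ADGroupMember -Identity $group -Members $user `
    -MemberTimeToLive (New-TimeSpan -Hours 4)

# Verify. With -ShowMemberTimeToLive each expiring member is returned as
# "<TTL=seconds>,<distinguished name>"; permanent members have no prefix.
(Get-ADGroup -Identity $group -Properties member -ShowMemberTimeToLive).member |
    ForEach-Object {
        if ($_ -match '^<TTL=(\d+)>,(.+)$') {
            [pscustomobject]@{ Member = $Matches[2]; SecondsRemaining = [int]$Matches[1] }
        } else {
            [pscustomobject]@{ Member = $_; SecondsRemaining = $null }
        }
    }
```

Two operational points worth knowing before relying on this: Kerberos tickets issued to a user with expiring memberships get a lifetime no longer than the shortest remaining TTL, so a short TTL also means more frequent ticket renewals; and the verification step above is a useful audit, since a membership that was supposed to expire but shows no TTL prefix was added without one.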
One downside to the new group membership expiration is that it requires the Windows Server 2016 functional level, which can be difficult for large organizations to reach because domain controllers across the enterprise must be upgraded first. For organizations unable to make the upgrade, Microsoft recommends a workaround that uses a shadow AD DS forest together with a forest trust and universal security groups. In short, a shadow forest operating at the Windows Server 2016 functional level handles the group memberships along with their expirations, and those universal groups are in turn members of the corresponding groups in the legacy AD DS domain.
Federation Services
Many of the new features in Windows Server 2016 have to do with AD FS, and how it allows cloud applications and services to authenticate against your local directory. For starters, AD FS in Windows Server 2016 will support any LDAP v3 directory, not just those running AD DS. This enables corporations using a third-party LDAP v3 directory to federate those identities to Azure AD and Office 365, among other things. The login ID can be any attribute unique to the forest, and the authentication scope can be limited to a specific organizational unit (OU). LDAP v3 support can even be used as a first step in allowing some authentication from an untrusted AD forest, such as in a merger or acquisition.
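The LDAP v3 support described above is configured by registering the external directory as a local claims provider trust. The following is an added example, not code from the original article: the directory host, OU, service account and suffix are placeholders, and the attribute used as the login ID (the "anchor" claim) and the OU that bounds the authentication scope are the two settings the paragraph refers to.

```powershell
# Added example, not from the original article: federate users from a
# third-party LDAP v3 directory through AD FS on Windows Server 2016.
# Placeholders: host ldap.vendor.example (LDAPS on 636), a read-only lookup
# account, users of class inetOrgPerson under ou=Staff,o=vendor, and the
# "mail" attribute as the unique login ID.
Import-Module ADFS

# Account AD FS uses to bind and search the external directory.
$dirCred = Get-Credential -Message 'LDAP lookup account for AD FS'

# Connection to the directory. Basic (simple) bind sends the password to the
# directory, so require SSL rather than a cleartext port.
$vendorDir = New-AdfsLdapServerConnection -HostName 'ldap.vendor.example' -Port 636 `
    -SslMode Ssl -AuthenticationMethod Basic -Credential $dirCred

# Map LDAP attributes to the claim types relying parties expect.
$givenName = New-AdfsLdapAttributeMapping -LdapAttribute 'givenName' `
    -OutgoingClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname'
$surname = New-AdfsLdapAttributeMapping -LdapAttribute 'sn' `
    -OutgoingClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'

# Register the directory as a local claims provider.
#   -UserContainer             limits authentication to one OU
#   -AnchorClaimLdapAttribute  the attribute that serves as the login ID
#   -OrganizationalAccountSuffix  lets users sign in as user@vendor.example
Add-AdfsLocalClaimsProviderTrust -Name 'Vendor Staff' -Identifier 'urn:vendor-staff' -Type Ldap `
    -LdapServerConnection $vendorDir `
    -UserObjectClass 'inetOrgPerson' `
    -UserContainer 'ou=Staff,o=vendor' `
    -LdapAuthenticationMethod Basic `
    -AnchorClaimLdapAttribute 'mail' `
    -AnchorClaimType 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' `
    -LdapAttributeToClaimMapping @($givenName, $surname) `
    -AcceptanceTransformRules 'c:[] => issue(claim = c);' `
    -OrganizationalAccountSuffix 'vendor.example' `
    -Enabled $true

# Confirm the trust exists and is enabled.
Get-AdfsLocalClaimsProviderTrust -Name 'Vendor Staff' | Select-Object Name, Type, Enabled
```

The acceptance rule here passes every incoming claim through unchanged; in a merger scenario where the other directory is not yet trusted, a narrower rule that issues only the claims the applications need is the safer starting point, and the lookup account should be read-only in the external directory.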
Perhaps the biggest new feature in Windows Server 2016 AD FS is Conditional Access Control. Windows Server 2016 allows you to configure requirements such as authentication strength through multi-factor authentication, device compliance, user identity, group membership, or several other factors. These requirements can be set on a per-application basis, making it easy to require enhanced security for sensitive business applications, or to relax requirements for applications that don’t need that level of protection.

Conditional Access Control can even be used to allow only devices that have been joined to the corporate Azure AD instance or devices that are being managed by Microsoft Intune. Conditional Access Control automatically and immediately revokes access to devices that lose compliance with their authentication policy, requiring the user to complete the login process again in order to regain access.
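The per-application requirements described above are applied in AD FS 2016 by attaching an access control policy to each relying party trust. As an added example (not code from the original article), the following assigns one of the policy templates that ship with AD FS 2016 to two applications; the relying party names "Payroll Portal" and "Cafeteria Menu" are placeholders.

```powershell
# Added example, not from the original article: per-application access control
# policies in AD FS on Windows Server 2016. Relying party names are placeholders.
Import-Module ADFS

# Policies available on this farm (built-in templates plus any custom ones).
Get-AdfsAccessControlPolicy | Select-Object Name

# Sensitive application: every sign-in must complete multi-factor authentication.
Set-AdfsRelyingPartyTrust -TargetName 'Payroll Portal' `
    -AccessControlPolicyName 'Permit everyone and require MFA'

# Low-risk application: single-factor sign-in is acceptable.
Set-AdfsRelyingPartyTrust -TargetName 'Cafeteria Menu' `
    -AccessControlPolicyName 'Permit everyone'

# Audit: which policy is enforced for each relying party. A blank policy name
# means the trust still relies on legacy issuance authorization rules.
Get-AdfsRelyingPartyTrust |
    Select-Object Name, AccessControlPolicyName |
    Sort-Object Name
```

The audit query at the end is the part worth scheduling: a new relying party added later without a policy silently falls back to whatever authorization rules it was created with, so a periodic listing of trusts with an empty AccessControlPolicyName catches applications that missed the intended baseline.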
Support for OpenID Connect and OAuth is introduced in Windows Server 2016 AD FS. This support for standards-based authentication makes integrating your existing identities with web applications that much easier.
The folks at Microsoft are saying that implementing Windows Server 2016 in your existing AD FS deployment is very straightforward. Migrating AD FS from Windows Server 2012 R2 is as simple as adding new Windows Server 2016 servers to the AD FS server farm. Once your AD FS servers are fully upgraded, you can upgrade the farm version to AD FS 2016.
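The farm-version step mentioned above is a behavior-level raise run from the primary AD FS server. As an added example (not code from the original article), the following checks the current level, runs the built-in readiness test, and only then performs the raise; it assumes an elevated PowerShell session on the primary node after every Windows Server 2012 R2 node has been replaced.

```powershell
# Added example, not from the original article: raise the AD FS farm behavior
# level after all nodes run Windows Server 2016. Run on the primary node.
Import-Module ADFS

# Current farm level and the nodes that belong to the farm.
$farm = Get-AdfsFarmInformation
$farm | Format-List

# Readiness test: reports nodes or settings that would block the raise
# (for example a node still running an older version).
Test-AdfsFarmBehaviorLevelRaise

# The raise itself is not reversible, so only proceed when the test is clean.
$answer = Read-Host 'Readiness test passed and change window approved? (yes/no)'
if ($answer -eq 'yes') {
    Invoke-AdfsFarmBehaviorLevelRaise
    (Get-AdfsFarmInformation).CurrentFarmBehavior
}
```

Features such as access control policies and the LDAP claims provider only become available once the farm behavior level is at the 2016 level, so this step is the real end of the migration rather than the installation of the last new server.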
Because the connection between AD FS and Azure AD is so critical, Microsoft is introducing Azure AD Connect Health, which provides telemetry on authentication requests based on application, authentication types, network location, or authentication failures. Even information on users with weak passwords will be surfaced. Azure AD Connect Health allows you to not only identify problem areas, but predict capacity needs based on application usage.
Time Synchronization
One of the more overlooked aspects of what Active Directory provides to your enterprise is time synchronization, which is critical for so many aspects of your infrastructure. Windows Server 2016 makes several improvements in time synchronization: eliminating rounding errors, making more frequent adjustments, and improving accuracy from hundreds of milliseconds to tens of microseconds.
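Accuracy improvements only help if members are actually synchronizing with the domain hierarchy. As an added example (not code from the original article), the following checks a domain member's time source and measures its offset against a domain controller; "dc01.corp.example.com" is a placeholder and the commands assume an elevated session on a domain-joined machine.

```powershell
# Added example, not from the original article: verify time synchronization on
# a domain member. Placeholder DC name; run elevated on a domain-joined host.
$dc = 'dc01.corp.example.com'

# Source, stratum and last successful sync of the local Windows Time service.
w32tm /query /status /verbose

# A domain member should use the domain hierarchy (Type: NT5DS), not a hand-
# configured NTP peer that may drift away from the DCs.
w32tm /query /configuration | Select-String -Pattern '^Type:', '^NtpServer:'

# Measure the offset against a DC: five samples, two seconds apart.
$samples = w32tm /stripchart /computer:$dc /samples:5 /period:2 /dataonly
$offsets = foreach ($line in $samples) {
    # Data lines look like "12:00:01, +00.0012345s"; keep the signed seconds.
    if ($line -match ',\s*([+-]\d+\.\d+)s') { [math]::Abs([double]$Matches[1]) }
}
$maxOffset = ($offsets | Measure-Object -Maximum).Maximum
"Largest offset from ${dc}: $maxOffset s"

# Kerberos rejects tickets when clocks differ by more than 5 minutes (default).
# Resync well before that, and rediscover the source in case the DC changed.
if ($maxOffset -gt 1) {
    w32tm /resync /rediscover
}
```

A one-second threshold is deliberately far below the Kerberos tolerance: the point of checking is to find hosts drifting toward failure, and to catch hosts that were manually pointed at an outside NTP server, before authentication breaks or timestamps in logs stop lining up across systems.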

Microsoft is investing heavily in its identity strategy, not only in on-premises services like Active Directory Domain Services and Active Directory Federation Services, but also Azure AD and the thousands of cloud applications it pairs with. Corporate identities are a huge investment that many companies have already made. Leveraging this investment in new ways is a smart and easy way to increase efficiency in your business.
