Windows Server 2016 Technical Preview 2 Now Available for Download (ISO or VHD):
Privileged access management
Privileged access management (PAM) helps mitigate security concerns for Active Directory environments that are caused by credential theft techniques such as pass-the-hash, spear phishing, and similar types of attacks. It provides a new administrative access solution that is configured by using Microsoft Identity Manager (MIM). PAM introduces:
- A new bastion Active Directory forest, which is provisioned by MIM. The bastion forest has a special PAM trust with an existing forest. It provides a new Active Directory environment that is known to be free of any malicious activity, and isolation from an existing forest for the use of privileged accounts.
- New processes in MIM to request administrative privileges, along with new workflows based on the approval of requests.
- New shadow security principals (groups) that are provisioned in the bastion forest by MIM in response to administrative privilege requests. The shadow security principals have an attribute that references the SID of an administrative group in an existing forest. This allows the shadow group to access resources in an existing forest without changing any access control lists (ACLs).
- An expiring links feature, which enables time-bound membership in a shadow group. A user can be added to the group for just enough time required to perform an administrative task. The time-bound membership is expressed by a time-to-live (TTL) value that is propagated to a Kerberos ticket lifetime.
Note: Expiring links are available on all linked attributes. But the member/memberOf linked attribute relationship between a group and a user is the only example where a complete solution such as PAM is preconfigured to use the expiring links feature.
- KDC enhancements are built in to Active Directory domain controllers to restrict Kerberos ticket lifetime to the lowest possible time-to-live (TTL) value in cases where a user has multiple time-bound memberships in administrative groups. For example, if you are added to a time-bound group A, then when you log on, the Kerberos ticket-granting ticket (TGT) lifetime is equal to the time you have remaining in group A. If you are also a member of another time-bound group B, which has a lower TTL than group A, then the TGT lifetime is equal to the time you have remaining in group B.
- New monitoring capabilities to help you easily identify who requested access, what access was granted, and what activities were performed.
PAM requires the following:
- Microsoft Identity Manager
- Active Directory forest functional level of Windows Server 2012 R2 or higher.
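To see the TTL rule described above in practice, the following PowerShell (added here as an illustration, not code from the original post) reads every time-bound membership a user holds across a set of groups and reports the lowest remaining TTL, which is the value the KDC will use as that user's TGT lifetime. It assumes the ActiveDirectory module from Windows Server 2016 or later with the PAM optional feature enabled; the user and group names are placeholders.

```powershell
# Added example: report the lowest remaining time-bound membership TTL for a user,
# which is the value the KDC uses for that user's TGT lifetime.
# Assumes the ActiveDirectory module (Windows Server 2016 or later) and a forest with
# the Privileged Access Management optional feature enabled.
# A time-bound membership is granted with, for example:
#   Add-ADGroupMember -Identity 'Group B' -Members 'admin.user' -MemberTimeToLive (New-TimeSpan -Minutes 30)
Import-Module ActiveDirectory

function Get-TimeBoundTtl {
    param(
        [Parameter(Mandatory)][string]$UserDn,     # distinguished name of the user
        [Parameter(Mandatory)][string[]]$Groups    # groups that may hold time-bound members
    )
    foreach ($g in $Groups) {
        # -ShowMemberTimeToLive renders time-bound members as "<TTL=<seconds>,<DN>>";
        # permanent members are returned as a plain DN and are skipped here.
        $grp = Get-ADGroup -Identity $g -Properties member -ShowMemberTimeToLive
        foreach ($m in $grp.member) {
            if ($m -match '^<TTL=(\d+),(.+)>$' -and $Matches[2] -eq $UserDn) {
                [pscustomobject]@{
                    Group      = $g
                    TtlSeconds = [int]$Matches[1]
                }
            }
        }
    }
}

# Placeholder names: replace with the real user and the time-bound groups in your forest.
$user = (Get-ADUser -Identity 'admin.user').DistinguishedName
$ttls = @(Get-TimeBoundTtl -UserDn $user -Groups 'Group A', 'Group B')
$ttls | Sort-Object TtlSeconds | Format-Table -AutoSize

if ($ttls.Count -gt 0) {
    # With the KDC enhancement, a TGT issued now expires when the shortest membership does.
    $min = ($ttls | Measure-Object -Property TtlSeconds -Minimum).Minimum
    "Expected TGT lifetime for $user : $([TimeSpan]::FromSeconds($min))"
} else {
    "No time-bound memberships found for $user in the groups checked."
}
```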
Azure AD Join
Azure Active Directory Join enhances identity experiences for enterprise, business and EDU customers, with improved capabilities for corporate and personal devices.
- Availability of Modern Settings on corp-owned Windows devices. Oxygen Services no longer require a personal Microsoft account: they now run off users’ existing work accounts to ensure compliance. Oxygen Services will work on PCs that are joined to an on-premises Windows domain, and PCs and devices that are “joined” to your Azure AD tenant (“cloud domain”). These settings include:
- Roaming or personalization, accessibility settings and credentials
- Backup and Restore
- Access to the Windows Store with work account
- Live Tiles and notifications
- Access organizational resources on mobile devices (phones, phablets) that can’t be joined to a Windows domain, whether they are corp-owned or BYOD.
- Single-Sign On to Office 365 and other organizational apps, websites and resources.
- On BYOD devices, add a work account (from an on-premises domain or Azure AD) to a personally-owned device and enjoy SSO to work resources, via apps and on the web, in a way that helps ensure compliance with new capabilities such as Conditional Account Control and Device Health attestation.
- MDM integration lets you auto-enroll devices to your MDM (Intune or third-party).
- Set up “kiosk” mode and shared devices for multiple users in your organization.
- Developer experience lets you build apps that cater to both enterprise and personal contexts with a shared programming stack.
- Imaging option lets you choose between imaging and allowing your users to configure corp-owned devices directly during the first-run experience.
Microsoft Passport
Microsoft Passport is a new key-based authentication approach for organizations and consumers that goes beyond passwords. This form of authentication relies on breach-, theft-, and phish-resistant credentials.
The user logs on to the device with biometric or PIN logon information that is linked to a certificate or an asymmetric key pair. The Identity Providers (IDPs) validate the user by mapping the public key of the user to IDLocker and provide logon information through One Time Password (OTP), Phonefactor or a different notification mechanism.
For more information, see Password-less Authentication with Microsoft Passport.
Deprecation of File Replication Service (FRS) and Windows Server 2003 functional levels
Although File Replication Service (FRS) and the Windows Server 2003 functional levels were deprecated in previous versions of Windows Server, it bears repeating that the Windows Server 2003 operating system is no longer supported. As a result, any domain controller that runs Windows Server 2003 should be removed from the domain. The domain and forest functional level should be raised to at least Windows Server 2008 to prevent a domain controller that runs an earlier version of Windows Server from being added to the environment.
At the Windows Server 2008 and higher domain functional levels, Distributed File Service (DFS) Replication is used to replicate SYSVOL folder contents between domain controllers. If you create a new domain at the Windows Server 2008 domain functional level or higher, DFS Replication is automatically used to replicate SYSVOL. If you created the domain at a lower functional level, you will need to migrate from using FRS to DFS replication for SYSVOL. For migration steps, you can either follow the procedures on TechNet or you can refer to the streamlined set of steps on the Storage Team File Cabinet blog.
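Before raising functional levels or migrating SYSVOL, it helps to know where the domain stands on the three points above. The PowerShell below is an added example (not code from the original post): it lists domain controllers still running Windows Server 2003, checks whether the domain and forest functional levels are at least Windows Server 2008, and queries the SYSVOL migration state with dfsrmig. It assumes the ActiveDirectory module and that dfsrmig.exe is available, as it is on a domain controller.

```powershell
# Added example: audit a domain for the items this section calls out:
# remaining Windows Server 2003 DCs, functional levels below 2008, and SYSVOL still on FRS.
# Assumes the ActiveDirectory module and dfsrmig.exe (present on domain controllers).
Import-Module ActiveDirectory

function Test-SysvolReadiness {
    $domain = Get-ADDomain
    $forest = Get-ADForest

    # 1. Any DC still running Windows Server 2003 should be demoted and removed.
    $dcs = Get-ADDomainController -Filter * |
        Select-Object HostName, OperatingSystem, Site
    $legacy = @($dcs | Where-Object { $_.OperatingSystem -like '*2003*' })

    # 2. Functional levels: Windows2008Domain / Windows2008Forest are the minimum.
    #    ADDomainMode and ADForestMode are ordered enumerations, so an integer compare works.
    $minDomain = [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain
    $minForest = [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008Forest
    $domainOk = [int]$domain.DomainMode -ge $minDomain
    $forestOk = [int]$forest.ForestMode -ge $minForest

    # 3. SYSVOL replication: dfsrmig reports the FRS-to-DFSR migration global state.
    #    'Eliminated' means DFS Replication is in use and FRS has been retired;
    #    any other state means the migration has not been started or completed.
    $migState = ((& dfsrmig.exe /getglobalstate) -join ' ').Trim()
    $dfsrOk = $migState -match 'Eliminated'

    [pscustomobject]@{
        Domain                  = $domain.DNSRoot
        DomainFunctionalLevel   = $domain.DomainMode
        ForestFunctionalLevel   = $forest.ForestMode
        FunctionalLevelsOk      = $domainOk -and $forestOk
        LegacyDomainControllers = @($legacy | ForEach-Object HostName)
        SysvolMigrationState    = $migState
        SysvolOnDfsr            = $dfsrOk
    }
}

Test-SysvolReadiness | Format-List
```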
The Windows Server 2003 domain and forest functional levels continue to be supported, but organizations should raise the functional level to Windows Server 2008 (or higher if possible) to ensure SYSVOL replication compatibility and support in the future. In addition, there are many other benefits and features available at the higher functional levels. See the following resources for more information:
- What’s new in Active Directory Domain Services (AD DS) in Windows Server Technical Preview. Active Directory Domain Services includes improvements to help organizations secure Active Directory environments and provide better identity management experiences for both corporate and personal devices.
- What’s New in Active Directory Federation Services. Active Directory Federation Services (AD FS) in Windows Server Technical Preview includes new features that enable you to configure AD FS to authenticate users stored in Lightweight Directory Access Protocol (LDAP) directories. For more information, see Active Directory Federation Services overview.
- What’s new in Hyper-V in Technical Preview. This topic explains the new and changed functionality of the Hyper-V role in Windows Server Technical Preview, Client Hyper-V running on Windows 10 Technical Preview, and Microsoft Hyper-V Server Technical Preview.
- Windows Defender Overview. Windows Server Antimalware is installed and enabled by default in Windows Server Technical Preview, but the user interface for Windows Server Antimalware is not installed. However, Windows Server Antimalware will update antimalware definitions and protect the computer without the user interface. If you need the user interface for Windows Server Antimalware, you can install it after the operating system installation by using the Add Roles and Features Wizard.
- What’s New in Remote Desktop Services in the Windows Server Technical Preview? For the Windows Server Technical Preview, the Remote Desktop Services team focused on improvements based on customer requests. We added support for OpenGL and OpenCL applications, and added MultiPoint Services as a new role in Windows Server.
- What’s New in File and Storage Services in Windows Server Technical Preview. This topic explains the new and changed functionality of Storage Services. An update in storage quality of service now enables you to create storage QoS policies on a Scale-Out File Server and assign them to one or more virtual disks on Hyper-V virtual machines. Storage Replica is a new feature that enables synchronous replication between servers for disaster recovery, as well as stretching of a failover cluster for high availability.
- What’s New in Failover Clustering in Windows Server Technical Preview. This topic explains the new and changed functionality of Failover Clustering. A Hyper-V or Scale-out File Server failover cluster can now easily be upgraded without any downtime or need to build a new cluster with nodes that are running Windows Server Technical Preview.
- What’s New in Web Application Proxy. The latest version of Web Application Proxy focuses on new features that enable publishing and preauthentication for more applications and improved user experience. Check out the full list of new features that includes preauthentication for rich client apps such as Exchange ActiveSync and wildcard domains for easier publishing of SharePoint apps.
- What’s New in Windows PowerShell 5.0. Windows PowerShell 5.0 includes significant new features—including support for developing with classes, and new security features—that extend its use, improve its usability, and allow you to control and manage Windows-based environments more easily and comprehensively. Multiple new features in Windows PowerShell Desired State Configuration (DSC) are also described in this topic.
- What’s New in Networking in Windows Server Technical Preview. With this topic you can discover information about new networking technologies, such as Network Controller and Generic Routing Encapsulation (GRE) Tunneling, and new features for existing technologies, including IP Address Management (IPAM), DNS, and DHCP. Detailed information about what’s new is available for these networking technologies:
- GRE Tunneling in Windows Server Technical Preview. This preview release introduces a new feature that enables Generic Routing Encapsulation (GRE) for the Windows Server Gateway.
- What’s New in DNS Client in Windows Server Technical Preview. Windows DNS Client provides enhanced support for computers with more than one network interface.
- What’s New in DHCP in Windows Server Technical Preview. The DHCP Server role no longer supports Network Access Protection (NAP).
NOTE: Not to be used in Production Environments.