AD DS improvements apply to its forest and domain functional levels. Upgrading the operating system or adding domain controllers that run Windows Server 2016 to an existing AD infrastructure isn't going to upgrade the forest and domain functional levels. In order to use or test these new AD DS 2016 features, you need to have the forest and domain function levels set to Windows Server 2016. The minimum forest and domain functional levels you can run on your identity infrastructure depend on the lowest domain controller version running.

For example, if you have a Windows Server 2008 domain controller in your infrastructure, even if you add a Windows Server 2016 domain controller, the domain and forest functional levels need to be maintained as Windows Server 2008 until the last Windows Server 2008 domain controller is removed from the infrastructure.

Privileged Access Management (PAM) is one of the most-discussed topics in presentations, tech shows, IT forums, IT groups, blogs, and meetings in the past few years (since 2014) when it comes to identity management. It has become a trending topic, especially after the Windows Server 2016 preview releases. In 2016, I traveled to several cities in several countries and found myself involved in many presentations and discussions about PAM.

First of all, this is not a feature you can enable with a few clicks. It is a combination of many technologies and methodologies that come together and make a workflow or, in other words, way of living for administrators. AD DS 2016 includes features and capabilities supporting PAM in the infrastructure, but it is not the only thing it has. This is one of the greatest challenges I see about this new way of thinking...

In the previous section, I explained PAM features in the new AD DS 2016. Time-based group membership is a part of that broader topic. It allows administrators to assign temporary group membership, which is expressed by a time-to-live (TTL) value. This value will be added to the Kerberos ticket. It is also called the expiring links feature. When a user is assigned to a temporary group membership, their login Kerberos ticket-granting ticket (TGT) lifetime will be equal to the lowest TTL value they have. For example, let's assume you grant temporary group membership to user A to be a member of the Domain Admin group. It is only valid for 60 minutes. But the user logs in 50 minutes after the original assignment and only has 10 minutes left to be a member of the Domain Admin group. Based on this, the domain controller will issue a TGT valid only for...

The most common way of protecting access to a system or resources is to introduce authentication and authorization processes. This is exactly what AD does as well. When a user logs in to a domain-joined device, AD first authenticates the user to see whether they're the user they claim to be. Once authentication is successful, it then checks what the user is allowed to do (authorization). To do that, we use usernames and passwords. This is what all identity infrastructure attackers are after. They need some kind of username and password to get into the system. Passwords are a rather weak authentication method. They are breakable, and it's just a matter of time and methods used. As a solution, organizations are tightening password policies, but when they are forcibly made complex, more and more people start to write down. I have seen a few people who...

Active Directory Federation Services (AD FS) allows the sharing of identities among trusted business partners (federated) with minimum identity infrastructure changes. AD FS 2016 added many new features to protect federated environments with rising identity infrastructure threats. In Chapter 13, Active Directory Federation Services, I will explain AD FS in detail. Right now, I am going to summarize the shiny new features it has.

In the previous section about Microsoft Passport, I explained why the traditional username/password method is no longer an option against modern identity threats. This is applicable to federated environments as well. Most federated environments use MFA as another layer of security, but we still use usernames and passwords for the initial authentication process. AD FS 2016 supports three new methods to authenticate...

Time accuracy is important for AD infrastructures to maintain Kerberos authentication between users and domain controllers. Currently, the time accuracy between two parties should be less than 5 minutes. In an AD environment, domain members sync time with domain controllers (PDC or domain controller in the root forest or a domain controller with the good time server (GTIMESERV) flag) to maintain accurate time across the environment.

But sometimes, this doesn't work as expected. Virtual servers sync time with their hosts, which can cause accuracy issues. Depending on the network topology, the reply packets for time requests can take longer to reach the requester. This also can cause accuracy issues between the DC and client. Mobile devices and laptops may not connect with the domain very often, which can also lead to time accuracy issues.

Time accuracy...

In this chapter, we looked at the new features and enhancements that come with AD DS 2016. One of the biggest improvements was Microsoft's new approach toward privilege access management. This is not just a feature that can be enabled via AD DS and is just part of the border solution. It helps protect identity infrastructures from adversaries as traditional techniques and technologies are no longer valid with rising threats. We also saw the new types of advanced authentication methods allowed by AD DS. Typical username/password combinations are the weaker option with current infrastructure-security challenges. AD FS 2016 also has additional security enhancements to protect identities in a federated environment. Last but not least, we saw the improvements made to time synchronization to maintain time accuracy across the AD domain.

In the next chapter, we are going...