
National IT Support for your business (Sydney, Brisbane, Melbourne, Perth)

National Local Call: 1300 88 35 99
Level 13, 155 Castlereagh St, Sydney, NSW 2000


Active Directory Features in Windows Server 2016

This document will look at some of the new features of Active Directory on Windows Server 2016.

Active Directory levels

Windows Server forest and domain functional levels are updated in 2016. File Replication Service (FRS), which Server 2003 uses to replicate SYSVOL and its folder contents, will not work on Windows Server 2016. Organisations should therefore raise the functional level of a domain to Windows Server 2008 or higher to ensure SYSVOL replication continues to work in future.


Privileged Access Management

Privileged Access Management (PAM) is a feature that is configured by Microsoft Identity Manager (MIM) and is based on two concepts: Just-In-Time (JIT) Administration and Just Enough Administration (JEA). It gives you much more granularity over the management of admin accounts and administrative privileges, which seem to grow and grow. When PAM is configured, MIM creates a new AD forest which is isolated for the use of privileged accounts, negating the need to upgrade all servers to 2016. MIM will then provide workflows to grant additional administrative privileges, and this is shadowed in the groups trusted forest on the live domain. Users can also be added to a group with a limited amount of time set for that membership. Monitoring capabilities help identify who requested access, what was granted and what activities they performed.

Azure AD Join

Server 2016 allows authenticating against Server 2016. This means passwords to your server do not have to be exposed outside of the local environment, and it also enables Azure AD functionality to enhance the identity experience for organisations through features such as Single Sign-on and Mobile Device Management.

Microsoft Passport

This is Microsoft's new key-based authentication that goes beyond passwords. This form of authentication relies on breach-, theft- and phish-resistant credentials. Through two-factor authentication, its aim is to provide more security than a conventional password, without the complexity of solutions like physical smart cards. The solution is paired with Microsoft Hello, the built-in biometric sign-in for Windows 10 Pro.

Time Synchronisation Improvements

While a small detail, any administrator will know the pain of a set of domain controllers, or even workstations, that are out of sync with time. Windows Server 2016 has included several updates to domain time synchronisation to help mitigate some of these problems. They include eliminating rounding errors that build up over time, increasing the frequency of synchronisations and enhancing the accuracy of synchronisation up to tens of microseconds.

Group Membership Expiration

As mentioned in the PAM section, Windows Server 2016 adds support for time-limited group membership, allowing administrators to add a user to a security group for a limited period of time and set an expiry, without having to worry about manually removing the user from the group.
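
The following PowerShell sketch is an added example, not part of the original article. It shows how a time-limited membership can be granted and then audited with the ActiveDirectory module. The group name 'Server Maintenance' and the user 'jsmith' are placeholders, and it assumes the forest is already at the Windows Server 2016 functional level.

```powershell
# Added example: 'Server Maintenance' and 'jsmith' are placeholder names.
Import-Module ActiveDirectory

$forest = Get-ADForest

# Time-limited membership depends on the optional feature below.
# Enabling it cannot be undone, so check the current state first.
$pam = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
if (-not $pam.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $pam `
        -Scope ForestOrConfigurationSet -Target $forest.Name
}

# Grant membership that the directory removes by itself after 8 hours.
$ttl = New-TimeSpan -Hours 8
Add-ADGroupMember -Identity 'Server Maintenance' -Members 'jsmith' `
    -MemberTimeToLive $ttl

# Audit: with -ShowMemberTimeToLive, temporary members are returned as
# "<TTL=seconds>,<distinguished name>"; permanent members have no prefix.
$group = Get-ADGroup -Identity 'Server Maintenance' `
    -Properties member -ShowMemberTimeToLive

$group.member | ForEach-Object {
    if ($_ -match '^<TTL=(\d+)>,(.+)$') {
        [pscustomobject]@{
            Member    = $Matches[2]
            Permanent = $false
            ExpiresIn = [timespan]::FromSeconds([int]$Matches[1])
        }
    } else {
        # No TTL prefix: this membership never expires and should be reviewed.
        [pscustomobject]@{
            Member    = $_
            Permanent = $true
            ExpiresIn = $null
        }
    }
} | Sort-Object Permanent, ExpiresIn | Format-Table -AutoSize
```

Running the audit half on a schedule against privileged groups makes permanent memberships stand out from the temporary ones.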
