Home > Articles

  • Print
  • + Share This
This chapter is from the book

Getting Familiar with AD DS Features in Windows Server 2016

Improvements in the functionality and reliability of AD DS are of key importance to the development team at Microsoft. Windows Server 2016 inherits many sophisticated features in AD DS and then some.

File Replication Service (FRS) and the Windows Server 2003 functional levels were deprecated in Windows Server 2012 R2. However, with Windows Server 2016, it’s important to remember that Windows Server 2003 operating system is no longer supported. If you still have domain controllers running Windows Server 2003, they need to be taken out of the domain.

Also raise all domains and forest functional levels to Windows Server 2008 and later. This will prevent a domain controller still running Windows Server 2003 from being added to your domain.

Windows Server 2008 itself introduced multiple changes to AD DS functionality above and beyond the Windows Server 2003 and Windows Server 2003 R2 Active Directory versions. Windows Server 2012 and 2012 R2 then introduced additional features and functionalities above those introduced with the RTM version of Windows Server 2008 and the later Windows Server 2008 R2 version. The bullet list that follows here is the accumulation of many features that are now part of Windows Server 2016:

  • Privileged access management (PAM)—helps protect Active Directory against credential theft such pass-the-hash, spear phishing, and so on. Using Microsoft Identity Manager (MIM), PAM provides means of setting up a so-called bastion Active Directory forest. The bastion forest establishes a special PAM trust with an existing forest. What you get is a new Active Directory environment free of any malicious code and made available to privileged accounts. PAM also introduces the ability to request administrative privileges, along with new workflows based on the approval of requests, shadow security principals (groups) and time-bound membership in a shadow group. In other words, users can be added to groups for just enough time required to perform an administrative task. PAM needs MIM and a domain functional level of at least Windows Server 2012 R2.

  • Azure Active Directory Join—Enterprise, business, and EDU users can join their systems to Azure AD for advanced and improved capabilities for both corporate and personal devices. This new feature lets Oxygen Services users operate without the need of a personal Microsoft account. With Oxygen Services working on PCs that are joined to corporate on-premises Windows domain, and PCs and devices that are “joined” to your Azure AD tenant (“cloud domain”), you set up features like roaming or personalization, accessibility settings and credentials, Backup and Restore, Live tiles and notifications, and so on.

  • Virtualization support—The ability to create DCs based on virtual machine templates. Microsoft safeguards AD DS by protecting DCs from mistakes made with virtual machine snapshotting. This concept is discussed in step-by-step detail in Chapter 7.

  • Dynamic access control—Dynamic access control creates a new central access policy (CAP) model that allows for file classification information to be used in authorization decisions. This allows for business intent to be more readily apparent when examining the security that is set on file servers. This model is supported on Windows Server 2016 and Windows Server 2102/R2 DCs, assuming the file servers also are running the same versions of the operating systems.

  • Kerberos security improvements—Microsoft supports the industry standard Flexible Authentication Secure Tunneling (FAST) feature in Kerberos to reduce the likelihood of Kerberos errors being spoofed by hacking attacks. This is often referred to as Kerberos armoring.

  • Better fine-grained password policy control and AD Recycle Bin interfaces—Microsoft makes it much easier to implement either fine-grained password policy controls or the AD Recycle Bin, both features that were previously difficult to implement.

  • Active Directory deployment—Features such as Active Directory Based Activation (AD BA) allow for server licenses to be more easily activated, while improvements to off-premises domain join functionality have been added. ADPrep functionality is also found in the deployment tools, and the entire process to join a DC to a domain or create a new forest is supported in PowerShell.

  • Active Directory Federation Services (AD FS) improvements—AD FS 4.0 is the latest iteration included natively in Windows Server, and supports AD DS claims directly, allowing for the population of SAML tokens with user and device claims taken directly from the Kerberos ticket. It now also provides access control and single sign-on to the cloud, into systems and applications such as Office 365, and cloud-based Software as a Service (SaaS) applications.

  • Group Managed Service Accounts (gMSA)—Group Managed Service Accounts allows for managed service accounts to be used by services that need to share a single security principal, such as clusters.

  • Enhanced PowerShell support—A whole host of new PowerShell commandlets for Windows Server 2016 AD DS has been designed, allowing for nearly all operations to be automated from the command line.

These features are in addition to the features introduced in Windows Server 2008 R2 and later, which included the following:

  • Active Directory Recycle Bin—Enables you to restore deleted AD DS objects.

  • Offline domain join—Allows for prestaging of the act of joining a workstation to the AD DS domain.

  • Managed Service Accounts—Provides a mechanism for controlling and managing AD DS service accounts.

  • Authentication mechanism assurance—Enables administrators to grant access to resources differently based on whether a user logs in with a smart card or multifactor authentication source or whether the user logs in via traditional techniques.

  • Enhanced administrative tools—This includes newly designed and powerful utilities such as Active Directory Web Services, Active Directory Administrative Center, Active Directory Best Practice Analyzer, a new AD DS Management Pack, and an Active Directory Module for Windows PowerShell.

The previous version of AD DS, from Windows Server 2008 and later, included the following key features that are still available with Windows Server 2016. If you are upgrading from any of the previous versions of Active Directory, all of these new features will be made available:

  • Ability to create multiple fine-grained password policies per domain—Lifts the restrictions of a single password policy per domain.

  • Ability to restart AD DS on a domain controller—Allows for maintenance of an AD DS database without shutting the machine down.

  • Enhanced AD DS auditing capabilities—Provides useful and detailed item-level auditing capabilities in AD DS without an overwhelming number of logs generated.

Restoring Deleted AD DS Objects Using the Active Directory Recycle Bin

In Windows Server 2016, the AD Recycle Bin functionality is built in to the Active Directory Administration Center (ADAC) and need only be enabled to start using the functionality. A few prerequisites must be satisfied, however, before the AD Recycle Bin can be enabled:

  • The AD DS forest and domain must be at least at Windows Server 2008 R2 or higher functional level (or at Windows Server 2016 functional level).

  • Membership in the Enterprise Administrators group is required to enable the AD Recycle Bin.

  • The process of enabling the AD Recycle Bin is nonreversible.

Enabling the AD Recycle Bin

To enable the Active Directory Recycle Bin, follow these steps:

  1. Right-click Windows PowerShell, and then select Run as Administrator.

  2. From the PowerShell prompt, type in dsac.exe to start the ADAC.

  3. Click Manage—Add Navigation Nodes, and then select the target domain and click OK.

  4. Next, select the target domain and then under Tasks, click Enable Recycle Bin, and then click OK and OK twice to accept the changes, as shown in Figure 4.9. Click F5 to refresh ADAC.

    FIGURE 4.9

    FIGURE 4.9 Enabling the AD Recycle Bin.

  5. To validate that the Recycle Bin is enabled, go to the CN=Partitions container, using an editor such as ADSIEdit. In the details pane, find the msDS-EnabledFeature attribute and confirm that the value includes the Recycle Bin DN that you typed above.

Alternatively, you can enable the AD Recycle Bin by using the following PowerShell command. Replace companyabc.com and DC=companyabc,DC=com with the appropriate name of the domain where the AD Recycle bin will be enabled.

Enable-ADOptionalFeature–Identity 'CN=Recycle Bin Feature,CN=Optional Features,
CN=Directory Service,CN=Windows
NT,CN=Services,CN=Configuration,DC=companyabc,DC=com'–Scope ForestOrConfiguration
Set–Target 'companyabc.com'

Recovering Deleted Items Using the AD Recycle Bin

Deleted objects can be restored directly from ADAC, by looking in the Deleted Objects folder, which should be displayed in the root of the domain. Just right-click the object and select Restore, as shown in Figure 4.10.

04fig10.jpg

FIGURE 4.10 Restoring a deleted AD object from the AD Recycle Bin.

Restarting AD DS on a Domain Controller

Windows Server 2016 allows administrators to start or stop directory services running on a DC without having to shut it down. This enables administrators to perform maintenance or recovery on the Active Directory database without having to reboot into Directory Services Restore Mode.

In addition to allowing for maintenance and recovery, turning off the DC functionality on an AD DC essentially turns that DC into a member server, allowing for a server to be quickly brought out of DC mode if necessary. In addition, with RODCs, Microsoft has removed the need for local administrators on the DC to have Domain Admin rights as well, which improves overall security in places where administration of the DC server is required but full Domain Admin rights are not needed.

To take a Windows Server 2016 DC offline, follow these steps:

  1. Open up the Services MMC (Start, All Programs, Administrative Tools, Services).

  2. From the Services MMC, select the Active Directory Domain Services service, as shown in Figure 4.11. Right-click it and choose Stop.

    04fig11.jpg

    FIGURE 4.11 Restarting AD DS on a Domain Controller.

  3. When prompted that stopping AD DS will stop other associated services such as DNS, DFS, Kerberos, and Intersite Messaging, choose Yes to continue.

  4. To restart AD DS, right-click the AD DS service and choose Start.

Implementing Multiple Password Policies per Domain

You also have the ability to implement granular password policies across a single domain. Previously, this was only an option with third-party password-change utilities installed on the DCs in a forest. You can also define which users have more complex password policies and which will be able to use more lenient policies.

You need to understand a few key points about this technology before implementing it, as follows:

  • Domain mode must be set to a level of Windows Server 2008 and later.

  • Fine-grained password policies always win over a domain password policy.

  • Password policies can be applied to groups, but they must be global security groups.

  • Fine-grained password policies applied to a user always win over settings applied to a group.

  • The Password Settings objects (PSOs) are stored in the Password Settings Container in AD (that is, CN=Password Settings Container,CN=System,DC=companyabc,DC=com).

  • Only one set of password policies can apply to a user. If multiple password policies are applied, the policy with the lower-number precedence wins.

To create a custom password policy for a specific user, a PSO must be created using ADAC.

To create a new PSO, open ADAC and follow these steps:

  1. Navigate to domain rootSystemPasswords Settings Container.

  2. Under Tasks, select NewPassword Settings.

  3. Enter the information into the dialog box, shown in Figure 4.12, using Table 4.1 as a reference.

    04fig12.jpg

    FIGURE 4.12 Creating a PSO.

  4. Click OK to finalize the creation of the PSO.

TABLE 4.1 PSO Attributes

Attribute Description Sample Value
Name The unique name of the password policy. PasswordPolicy forAdmins
Precedence The priority of the policy. Lower number “wins.” Leave space on both sides of the number to reprioritize if necessary. 10
Enforce password history: Number of passwords remembered The number of passwords “remembered” by the system. 24
Password must meet complexity requirements The policy that sets whether password complexity is enabled. Password complexity enforces whether users should be forced to include a combination of numbers, uppercase letters, lowercase letters, and special characters as part of their password. Enabling complexity forces them to include at least three of the four types in their passwords. Checked
Enforce minimum password length The policy setting that enforces the minimum password character length. 8
Enforce minimum password age: User cannot change the password within (days) The minimum number of days that must be waited before resetting the password to something different. This disallows users from simply “cycling through” password changes to keep the same password. Expressed in a format of Days:Hours:Minutes:Seconds. For example, 3:00:00:00 equals 3 days. 1
Enforce maximum password age: User must change the password within (days) The maximum number of days that a password is valid for. Expressed in a format of Days:Hours:Minutes:Seconds. 42
Enforce account lockout policy: Number of failed logon attempts allowed: The number of invalid password attempts that can be made before locking out the account. 5
Reset failed logon attempts count after (mins) The length of time (expressed in minutes) before the invalid password attempt counter is reset. 30
Accounts will be locked out The length of time (expressed in an account remains locked out. 30
Directly Applies To: The user or group of users to which the PSO applies. Group or User Account selected from AD that the PSO applies to
msDS-PasswordReversible EncryptionEnabled The policy used for specific circumstances where a user’s password needs to be able to be decrypted. Normally set to False. Not available in the GUI, but can be set with ADSIEdit. False

Auditing Changes Made to AD Objects

You can also audit changes made to Active Directory objects. You can determine when AD objects were modified, moved, or deleted.

To enable AD object auditing on a Windows Server 2016 DC, follow these steps:

  1. From Server Manager, click Tools, Group Policy Management.

  2. Navigate to forest name, Domains, domain name, Domain Controllers, Default Domain Controllers Policy.

  3. Right-click the Default Domain Controllers Policy and click Edit.

  4. In the GPO window, navigate to Preferences, Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy.

  5. Under the Audit Policy setting, right-click Audit Directory Service Access and click Properties.

  6. Check the Define These Policy Settings check box, and then check the Success and Failure check boxes, as shown in Figure 4.13.

    04fig13.jpg

    FIGURE 4.13 Enabling AD DS object auditing.

  7. Click OK to save the settings.

Global AD DS auditing on all DCs will subsequently be turned on. Audit event IDs will be displayed as Event ID 5136, 5137, 5138, or 5139, depending on whether the operation is a modify, create, undelete, or move, respectively.

Reviewing Additional Active Directory Services

Five separate technologies in Windows Server 2016 contain the Active Directory moniker in their title. Some of the technologies previously existed as separate products, but they have all come under the global AD umbrella. These technologies are as follows:

  • Active Directory Lightweight Directory Services (AD LDS)—AD LDS, previously referred to as Active Directory in Application Mode (ADAM), is a smaller-scale directory service that can be used by applications that require a separate directory. It can be used in situations when a separate directory is needed but the overhead and cost of setting up a separate AD DS forest is not warranted. You can find detailed information about AD LDS in Chapter 8, “Creating Federated Forests and Lightweight Directories.”

  • Active Directory Federation Services (AD FS)—AD FS 3.0, included in Windows Server 2016 provides for Single Sign-On technology to allow for a user logon to be passed to multiple web applications within a single session. You can find more information about AD FS in Chapter 8.

  • Active Directory Certificate Services (AD CS)—AD CS provides for the ability to create a public key infrastructure (PKI) environment and assign PKI certificates to AD users and machines. These certificates can be used for encryption of traffic, content, or logon credentials. You can find more information about deploying AD CS in Chapter 14, “Transport-Level Security.”

  • Active Directory Rights Management Services (AD RMS)—AD RMS is the evolution of the older Windows Rights Management Server technology. AD RMS is a service that protects confidential information from data leakage by controlling what can be done to that data. For example, restrictions can be placed on documents, disallowing them from being printed or programmatically accessed (such as by cutting/pasting of content). Chapter 13 covers this Active Directory technology in more detail.

Examining Additional Windows Server 2016 AD DS Features

In addition to the changes listed in the preceding sections, AD DS in Windows Server 2016 supports the following features:

  • Read-only domain controller (RODC) support—Windows Server 2016 includes the ability to deploy DCs with read-only copies of the domain. This is useful for remote branch office scenarios where security might not be tight. This scenario is covered in detail in Chapter 7.

  • Group Policy central store—Administrative templates for group policies are stored in the SYSVOL on the PDC emulator in Windows Server 2016, resulting in reduced replication and reduced SYSVOL size.

  • DFS-R replication of the SYSVOL—A Windows Server 2008 RTM/R2 functional domain uses the improved Distributed File System Replication (DFS-R) technology rather than the older, problematic File Replication Service (FRS) to replicate the SYSVOL.

  • Active Directory database mounting tool—The Active Directory database mounting tool (DSAMain.exe) enables administrators to view snapshots of data within an AD DS or AD LDS database. This can be used to compare data within databases, which can prove useful when performing AD DS data restores.

  • GlobalNames DNS zone—Windows Server 2016 DNS allows for creation of the concept of the GlobalNames DNS zone. This type of DNS zone allows for a global namespace to be spread across multiple subdomains. For example, a client in the asia.companyabc.com subdomain would resolve the DNS name portal.asia .companyabc.com to the same IP address as a client in a different subdomain resolving portal.europe.companyabc.com. This can improve DNS resolution in multizone environments. You can read more about this technology in Chapter 10.

Reviewing Legacy Windows Server Active Directory Improvements

It is important to understand that AD DS is a product that has been in constant development since its release with Windows 2000. From humble beginnings, Active Directory as a product has developed and improved over the years. The first major set of improvements to AD was released with the Windows Server 2003 product. Many of the improvements made with Windows Server 2003 AD still exist today in Windows Server 2016 AD DS. Therefore, it is important to understand what functionality in AD was born from Windows Server 2003. The following key improvements were made in this time frame:

  • Windows Server 2003 Active Directory Domain Rename Tool—Windows Server 2003 originally introduced the concept of domain rename, which has continued to be supported in Windows Server 2016. This enables administrators to prune, splice, and rename AD DS domains. Given the nature of corporations, with restructuring, acquisitions, and name changes occurring constantly, the ability of AD DS to be flexible in naming and structure is of utmost importance. The Active Directory Domain Rename Tool was devised to address this very need.

    • Before AD DS domains can be renamed, several key prerequisites must be in place before the domain structure can be modified. First, and probably the most important, all DCs in the entire forest must be upgraded from Windows Server 2003 to Windows Server 2008 or later. In addition, the domains and the forest must be upgraded to at least Windows Server 2008 functional level before any consideration to upgrade servers and domain controllers to Windows Server 2016. Finally, comprehensive backups of the environment should be performed before undertaking the rename.

    • The domain rename process is complex and should never be considered as routine. After the process, each DC must be rebooted and each member computer across the entire forest must also be rebooted (twice). For a greater understanding of the Domain Rename Tool and process, see Chapter 5.

  • Cross-forest transitive trust capabilities—Windows Server 2003 Active Directory introduced the capability to establish cross-forest transitive trusts between two disparate AD DS forests. This capability allows two companies to share resources more easily, without actually merging the forests. This support continues for all versions later than Windows Server 2003. Forests must be running the same functional levels for the transitive portion of this trust to function properly.

  • AD DS replication compression disable support—You have the ability to turn off replication compression to increase DC performance. This would normally be an option only for organizations with very fast connections between all their DCs.

  • Schema attribute deactivation—Developers who write applications for AD DS continue to have the ability to deactivate schema attributes, allowing custom-built applications to use custom attributes without fear of conflict. In addition, attributes can be deactivated to reduce replication traffic.

  • Incremental universal group membership replication—Windows 2000 Active Directory had a major drawback in the use of universal groups. Membership in those groups was stored in a single, multivalued attribute in AD DS. Essentially, what this meant was that any changes to membership in a universal group required a complete re-replication of all membership. In other words, if you had a universal group with 5,000 users, adding number 5,001 would require a major replication effort because all 5,001 users would be re-replicated across the forest. Windows Server 2003 and 2008 simplify this process and allow for incremental replication of universal group membership. In essence, only the 5,001st member is replicated in Windows Server 2003/2008.

  • AD-integrated DNS zones in application partitions—DNS replication was enhanced by storing DNS zones in the application partition. This basically meant that fewer objects needed to be stored in AD, reducing replication concerns with DNS.

  • AD lingering objects removal—Another major improvement originally introduced with Windows Server 2003 and still supported now is the ability to remove lingering objects from the directory that no longer exist.

  • + Share This
  • 🔖 Save To Your Account