Windows Server 2016 Active Directory

by | Jun 16, 2017 | Infrastructure

We’ve written a number of blog posts about the new features in Windows Server 2016. What about one of the most used functions of Windows Server – Active Directory? Here are some new and interesting features added to Windows Server 2016 Active Directory.

Directory Services

In Server 2016 Microsoft has added group membership expiration. This lets you set an expiration time on any user's membership in a group. Consider the following case: you need to add someone, perhaps a consultant, to a group that has access to critical data. You can now have that user expire from that group after a set number of days while still allowing them access to other, non-critical data. This helps to alleviate a common security concern with granting access – expiration oversight, where nobody remembers to remove the membership once it is no longer needed.

Note: The Active Directory forest level must be 2016.
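One way to put this feature to work from PowerShell, as an added example (not code from the original post). The forest name, group and user are placeholders; it assumes the ActiveDirectory module from a domain-joined admin session and the Privileged Access Management optional feature, which the expiring member link depends on.

```powershell
# Added example (not from the original post): time-bound group membership with the
# ActiveDirectory PowerShell module on Windows Server 2016.
# Placeholders: forest 'corp.example.com', group 'CriticalData-Readers', user 'jdoe.consultant'.
Import-Module ActiveDirectory

$Forest = 'corp.example.com'
$Group  = 'CriticalData-Readers'
$User   = 'jdoe.consultant'

# One-time prerequisite: expiring links require the Privileged Access Management
# optional feature, which in turn needs forest functional level 2016.
# Enabling an optional feature cannot be undone, so confirm the forest level first.
$level = (Get-ADForest -Identity $Forest).ForestMode
if ($level -ne 'Windows2016Forest') {
    throw "Forest functional level is $level; 2016 is required for membership expiration."
}
$pam = Get-ADOptionalFeature -Filter { Name -eq 'Privileged Access Management Feature' }
if (-not $pam.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $pam -Scope ForestOrConfigurationSet -Target $Forest
}

# Grant the consultant access that expires on its own after 14 days.
# The TTL lives on the group's member link, so no scheduled task has to remember the cleanup.
Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive (New-TimeSpan -Days 14)

# Verify: with -ShowMemberTimeToLive each expiring member is returned as "<TTL=seconds>,<DN>".
function Get-ExpiringMembers {
    param([string]$GroupName)
    (Get-ADGroup -Identity $GroupName -Properties member -ShowMemberTimeToLive).member |
        ForEach-Object {
            if ($_ -match '^<TTL=(\d+)>,(.+)$') {
                [pscustomobject]@{
                    Member        = $Matches[2]
                    ExpiresInDays = [math]::Round([int]$Matches[1] / 86400, 2)
                }
            }
        }
}
Get-ExpiringMembers -GroupName $Group | Format-Table -AutoSize
```

Members without a TTL prefix are permanent; reviewing this list periodically is a quick way to confirm that temporary grants really are temporary.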

Federation Services

Microsoft introduced some big changes to federation services in Windows Server 2016, including:

  • 3 new sign-on options without using passwords
  • Support for any LDAPv3 directory

Let’s start with the new sign-in options:

  1. Use federation services in Windows Server 2016 to support Microsoft Passport on Windows 10. Microsoft Passport links sign-on to strong, device-bound user credentials that are unlocked by biometric gestures (fingerprint, facial recognition) or a PIN.
  2. Server 2016 federation services builds on previous device registration capabilities to enable sign-on and access control, based on the device compliance status. Users can sign on using the device credential, and compliance is checked again when device attributes change, so that you can always ensure policies are being enforced. This allows enabling such policies as:
    1. Enable access only from devices that are managed and/or compliant
    2. Enable extranet access only from devices that are managed and/or compliant
    3. Require multi-factor authentication for computers that are not managed or not compliant
  3. Azure Multi-Factor Authentication. This allows a user to log on using only a code from Azure Multi-Factor Authentication, not requiring a username or password.

Support for LDAPv3 is now a reality. With AD FS now able to authenticate users stored in LDAPv3-compliant directories, it can be used for:

  1. Users in third party, LDAPv3 compliant directories
  2. Users in Active Directory forests to which an Active Directory two-way trust is not configured
  3. Users in Active Directory Lightweight Directory Services (AD LDS)

Finally, Microsoft has made moving from 2012 R2 federation services to 2016 federation services easier. Just add a 2016 server to your 2012 R2 farm; it behaves as a 2012 R2 node until every server in the farm is 2016. Then you upgrade the farm and enjoy all the new benefits of 2016.

If any of these will help you in your environment, then Windows Server 2016 may be your key. Need more information, or would like to talk to one of our experts about how it can help your organization? Email us at  We are happy to help.