What’s New in Windows Server 2016 and How It Impacts Your Active Directory
Windows Server 2016 represents a major step forward for the Windows operating system. Like Windows Server 2012 and 2012 R2, Windows Server 2016 includes hundreds of new features and provides exciting new capabilities that were not previously available to Windows admins. While it may be tempting to rush to implement some of these new capabilities upon the operating system’s release, prudent administrators will use the time leading up to implementation to evaluate the health and readiness of their Active Directory environments.
WHAT’S NEW IN WINDOWS SERVER 2016?
As previously noted, Windows Server 2016 includes hundreds of new and enhanced features. Thus far, Windows Server containers and Nano Server have received the most press. Even so, Microsoft has made a number of improvements to Active Directory as well. There are some Active Directory improvements that are especially noteworthy.
TEMPORARY GROUP MEMBERSHIP
One of the most useful new Active Directory features is support for temporary group membership. This feature allows administrators to add a user to a security group for a limited amount of time. An administrator might, for example, make a user a member of a group for just long enough to install an application or to complete a particular project. It is worth noting, however, that this feature requires the Active Directory to operate at the Windows Server 2016 functional level. As such, organizations should begin thinking now about what will be required in order to transition to the necessary functional level.
Another important change that Microsoft is making with regard to AD FS is support for LDAP v3. This new capability will make it much easier to federate denies across multiple directory types. For instance, an organization that uses a non-Microsoft directory for identity and access control can federate those identities to the Office 365 or to the Azure cloud. Similarly, support for LDAP v3 will make it easier to configure single sign-on for SaaS applications.
The biggest DNS improvements, however, are tied to Microsoft’s IP Address Management (IPAM) feature.
IPAM is a mechanism that is designed to help administrators keep track of IP address usage throughout the organization. Although Microsoft IPAM has always had very rich DHCP integration, its DNS integration has been minimal.
Windows Server 2016 seeks to change this by including DNS management capabilities, and host record inventory collection. Perhaps the most welcome IPAM feature, however, is support for multiple Active Directory forests. The Windows Server 2016 IPAM feature will be able to manage DNS and DHCP servers across multiple Active Directory forests, so long as a two-way trust exists between those forests and Windows Server 2016 IPAM is installed in each forest.
WHAT ABOUT THE CLOUD?
Microsoft enables organizations to connect their on-premises Active Directory environments to Azure AD and/or to Office 365 through Azure AD Connect. In addition to providing connectivity between on-premises and cloud directories, Azure AD Connect is also able to provide directory synchronization services.
In order to use Azure AD Connect, an organization must deploy an Azure AD Connect server. This server acts as a proxy between the on-premises and cloud directories. Organizations that plan to use Azure AD Connect should make a concerted effort to consolidate, restructure or otherwise clean up their Active Directory environments ahead of time. One of the primary reasons for this is that the Azure AD Connect requirements vary based on the number of objects in the Active Directory. In essence, the size of an organization’s Active Directory environment can have a direct and significant impact on the cost of using Azure AD Connect.
According to Microsoft, Azure AD will by default, support up to 50,000 directory objects. This limit increases to 300,000 objects once a domain has been verified in preparation for use with Azure AD.
If an organization requires more than 300,000 directory objects, then Microsoft requires a support case to be opened. Even then, the upward limit is 500,000 directory objects. If the directory needs to accommodate more than 500,000 objects, then Microsoft requires the organization to purchase licenses for Office 365, Azure AD Basic, Azure AD Premium, or for the Enterprise Mobility Suite. As such, organizations with larger directories may be able to decrease their costs by taking the time to shrink the number of objects stored in their Active Directory environments.
The number of objects stored in an organization’s directory does not only affect the Azure AD licensing requirements, but also the licensing requirements for the Azure AD Connect server. Azure AD Connect stores user identity information. By default, Azure AD Connect uses SQL Server 2012 Express.
Microsoft makes SQL Server 2012 Express available to its customers free of charge. It is worth noting however, that SQL Server 2012 Express is designed for light duty tasks. Unlike other editions of SQL Server, SQL Server 2012 Express has a database size limit of 10 GB. According to Microsoft, a 10 GB database is sufficient for storing approximately 100,000 Active Directory objects.
Organizations that have more than 100,000 objects in their directories must configure Azure AD Connect to use a separate SQL Server installation. Because the Microsoft Azure SQL Database is not supported for use with Azure AD Connect, the organization will require a fully-licensed, on-premises SQL Server.
This not only incurs licensing costs, but also costs associated with hardware usage and ongoing maintenance for the SQL Server. As such, organizations that want to use Azure AD can realize significant cost savings by limiting the number of objects within the Active Directory.
MAINTAINING ACTIVE DIRECTORY HEALTH
It isn’t just the number of Active Directory objects that must be considered prior to using Azure AD Connect, but also the existing Active Directory environment’s health. Active Directory objects are stored in databases located on domain controllers. As is the case with any other type of database, the Active Directory database can, and occasionally does, experience problems related to database integrity. Although day-to-day operations might never reveal symptoms of mild Active Directory corruption, such issues can cause directory synchronization to the cloud to fail. As such, it is important to take steps to verify Active Directory health prior to using Azure AD Connect. Microsoft’s native NTDSUTIL tool can verify the Active Directory database checksum, and can perform various database integrity checks, but third party tools may provide better results. Prior to implementing Windows Server 2016, it is important to take the time to clean up, and possibly even migrate or restructure your Active Directory.
CREATING AN INVENTORY
One of the first things that should be done is to inventory your domain controllers. Ideally, all domain controllers should be upgraded to Windows Server 2016. However, it is permissible to retain legacy domain controllers. If an organization does decide to retain its legacy domain controllers then any domain controllers that are running Windows Server 2003 should be either removed or upgraded, because Windows Server 2003 is no longer supported. Similarly, it is important to check the forest and domain functional levels, and raise those functional levels if necessary, so that the Active Directory is functioning at a level beyond Windows Server 2003. Although it is unquestionably important to inventory the domain controllers and to check operating system versions, forest functional levels, and domain functional levels, it is also a good idea to inventory applications that depend on the Active Directory, so as to ensure that your upgrades won’t cause any application level problems. Although there are no native tools for accomplishing this, third party tools are available.
ACTIVE DIRECTORY FEDERATION SERVICE
Microsoft is also making major changes to the Active Directory Federation Services (AD FS). Perhaps the most notable of these changes is the Conditional Access Control feature. In the past, Active Directory-based access control was relatively straightforward. Administrators could generally assume that users would be logging in from a domain joined computer that had been properly secured via group policy.
Today, however, users access resources from all types of devices, many of which are not domain joined, and operate outside of the organization’s perimeter.
The Conditional Access Control feature allows administrators to place conditions on a user’s attempts to access resources. Currently, a user can gain access to any resources to which they have been given permissions, so long as the user has successfully authenticated into the Active Control will let administrators establish additional criteria, which can be applied on a per application basis. For instance, an administrator might require multi-factor authentication and a compliant device to be used when a user accesses business applications that are especially sensitive.
It is impossible to talk about the Active Directory without also discussing DNS. Since its inception, the Windows Active Directory has had a dependency on DNS. Although the Windows DNS services have remained relatively unchanged for many years, Windows Server 2016 will bring many DNS improvements and new features.
The most significant new capability is the ability to create DNS policies. DNS policies allow administrators to gain control over the way that DNS responds to various types of queries. These policies are, for example, useful for load balancing and for blocking DNS requests from domains or IP addresses that are known to be malicious. There are also third party tools available that offer additional DNS management capabilities
In addition, Microsoft is introducing a feature which will allow administrators to limit a DNS server’s rate of response to queries. The aptly named Response Rate Limit feature is designed to help to prevent denial of service attacks by limiting the number of times per second that DNS is allowed to respond to requests from a client.
ACTIVE DIRECTORY INTEGRITY
It is also important to verify the integrity of the Active Directory database. Although the native NTDSUTIL tool can perform Active Directory integrity checks, the fact that the Active Directory can be distributed across numerous domain controllers can make such checks impractical in larger environments. This is especially true given the fact that it is important to test Active Directory integrity on an ongoing basis. As such, third party tools are typically going to reduce the effort involved in verifying and maintaining Active Directory health.
Another task related to keeping Active Directory healthy is that of removing orphaned objects from the Active Directory. Depending on the object type, orphaned Active Directory objects that are allowed to remain in the directory can pose a security risk. As previously noted, such objects can also potentially increase the cost of adopting Azure AD.
Smaller organizations may be able to manually purge the Active Directory of orphaned User and Computer objects, but this type of manual cleansing would be nearly impossible in large organizations because of the sheer number of user and computer objects that exist, and the difficulty of differentiating between an object that is no longer needed and an object that is still in use. Furthermore, tools such as the Active Directory Users and Computers console do not expose most of the objects in the Active Directory. Microsoft provides a free tool known as ADSIEdit, that exposes all of the objects in the Active Directory. However, ADSIEdit bypasses the safe guards that are built into tools such as the Active Directory Users and Computers console, and can therefore cause data loss or Active Directory corruption if used incorrectly. As such, administrators who want to clean up the Active Directory by using ADSIEdit should back up the Active Directory prior to doing so, and must make sure to fully understand the repercussions of their actions. As an alternative, third party tools exist that greatly reduce the risk and complexity associated with cleaning up the Active Directory.
RESTRUCTURING THE ACTIVE DIRECTORY
Any AD migration should start with an analysis of all applications, processes, and users requiring access. This will ensure that appropriate resources/applications are available when the migration takes place. It’s imperative to identify workflows, mailboxes, programs and/or other pieces of infrastructure that could be affected before making the move.
The migration itself gives you the opportunity to better understand the file server data that you have and how it is organized. It also gives you the opportunity to restructure your AD to better meet current and future needs. For example, you will need to understand which file server data needs to be migrated, and which doesn’t. You may also discover the need to consolidate some forests or stand up new parts of the infrastructure for remote offices that didn’t exist when you originally deployed AD. Many organizations first deployed AD in Windows Server back in 2000, and the AD topology still looks pretty much the same. More than likely, however, your organization’s business models and needs have changed quite a bit since 2000.
You must also ask yourself this critical question: How will you ensure that there is no downtime during the transition, and what must you do to make sure that employee productivity doesn’t suffer— before, during and after the migration? A common (and potentially fatal) mistake is underestimating the migration’s impact on users and operations and failing to analyze all access points. You can avoid these challenges by scheduling resource-intensive migration tasks for offpeak hours to lessen the impact on production systems, end users and productivity. Failing to provide seamless coexistence between existing and new systems is a frequent oversight, which can lead to service disruptions, lost productivity and increased business costs. Coexistence is essential, particularly with Active Directory migrations, consolidations or restructures because users need to maintain access to the resources that keep them productive. You must make sure that your directories are synchronized and users can always access their data.