New in ADDS 2016

  • Privileged access management (PAM)
  • Extending cloud capabilities to Windows 10 devices through Azure Active Directory Join
  • Connecting domain-joined devices to Azure AD for Windows 10 experiences
  • Enable Microsoft Passport for Work in your organization
  • Deprecation of File Replication Service (FRS) and Windows Server 2003 functional levels


Microsoft Passport is a new key-based authentication approach organizations and consumers, that goes beyond passwords

Azure Active Directory Join enhances identity experiences for enterprise, business and EDU customers- with improved capabilities for corporate and personal devices.

provides a new administrative access solution that is configured by using Microsoft Identity Manager (MIM). PAM introduces:

A new bastion Active Directory forest, which is provisioned by MIM. The bastion forest has a special PAM trust with an existing forest. It provides a new Active Directory environment that is known to be free of any malicious activity, and isolation from an existing forest for the use of privileged accounts.

New processes in MIM to request administrative privileges, along with new workflows based on the approval of requests.

New shadow security principals (groups) that are provisioned in the bastion forest by MIM in response to administrative privilege requests. The shadow security principals have an attribute that references the SID of an administrative group in an existing forest. This allows the shadow group to access resources in an existing forest without changing any access control lists (ACLs).

An expiring links feature, which enables time-bound membership in a shadow group. A user can be added to the group for just enough time

required to perform an administrative task. The time-bound membership is expressed by a time-to-live (TTL) value that is propagated to a Kerberos ticket lifetime.

KDC enhancements are built in to Active Directory domain controllers to restrict Kerberos ticket lifetime to the lowest possible time-to-live (TTL) value in cases where a user has multiple time-bound memberships in administrative groups. For example, if you are added to a time-bound group A, then when you log on, the Kerberos ticket-granting ticket (TGT) lifetime is equal to the time you have remaining in group A. If you are also a member of another time-bound group B, which has a lower TTL than group A, then the TGT lifetime is equal to the time you have remaining in group B.

New monitoring capabilities to help you easily identify who requested access, what access was granted, and what activities were performed


Author: MStechJi

IT professional with 8.5 years of experience in providing Remote Infrastructure Support in Windows Server environment including MS Azure. Intent to increase my knowledge and experience and share some tips and tricks I’ve learnt along the way.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s