What's new in Active Directory Domain Services

Applies To: Windows Server 2016

The following new features in Active Directory Domain Services (AD DS) improve the ability for organizations to secure Active Directory environments and help them migrate to cloud-only deployments and hybrid deployments, where some applications and services are hosted in the cloud and others are hosted on premises. The improvements include:

Privileged access management

Privileged access management (PAM) helps mitigate security concerns for Active Directory environments that are caused by credential theft techniques such as pass-the-hash, spear phishing, and similar types of attacks. It provides a new administrative access solution that is configured by using Microsoft Identity Manager (MIM). PAM introduces:

  • A new bastion Active Directory forest, which is provisioned by MIM. The bastion forest has a special PAM trust with an existing forest. It provides a new Active Directory environment that is known to be free of any malicious activity, and isolation from an existing forest for the use of privileged accounts.

  • New processes in MIM to request administrative privileges, along with new workflows based on the approval of requests.

  • New shadow security principals (groups) that are provisioned in the bastion forest by MIM in response to administrative privilege requests. The shadow security principals have an attribute that references the SID of an administrative group in an existing forest. This allows the shadow group to access resources in an existing forest without changing any access control lists (ACLs).

  • An expiring links feature, which enables time-bound membership in a shadow group. A user can be added to the group for just enough time to perform an administrative task. The time-bound membership is expressed by a time-to-live (TTL) value that is propagated to a Kerberos ticket lifetime.

    Note

    Expiring links are available on all linked attributes. But the member/memberOf linked attribute relationship between a group and a user is the only example where a complete solution such as PAM is preconfigured to use the expiring links feature.

  • KDC enhancements are built in to Active Directory domain controllers to restrict Kerberos ticket lifetime to the lowest possible time-to-live (TTL) value in cases where a user has multiple time-bound memberships in administrative groups. For example, if you are added to a time-bound group A, then when you log on, the Kerberos ticket-granting ticket (TGT) lifetime is equal to the time you have remaining in group A. If you are also a member of another time-bound group B, which has a lower TTL than group A, then the TGT lifetime is equal to the time you have remaining in group B.

  • New monitoring capabilities to help you easily identify who requested access, what access was granted, and what activities were performed.
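The expiring links and KDC behaviour described above can be exercised directly with the ActiveDirectory PowerShell module. The following is an added example, not part of the original article; the forest name contoso.com, the group PAM-Tier0-Admins and the user jdoe are placeholders, and it assumes the forest functional level already permits the Privileged Access Management optional feature (Windows Server 2016).

```powershell
# Added example (not from the original article): enable expiring links,
# grant a time-bound group membership, and read back the remaining TTL.
# contoso.com, PAM-Tier0-Admins and jdoe are placeholder names.
Import-Module ActiveDirectory

# One-time and irreversible: enabling the optional feature at forest scope
# turns on expiring links (requires Windows Server 2016 forest functional level).
Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
    -Scope ForestOrConfigurationSet -Target 'contoso.com'

# Add the user for 30 minutes only. The link is removed automatically when
# the TTL reaches zero; no clean-up task is needed.
Add-ADGroupMember -Identity 'PAM-Tier0-Admins' -Members 'jdoe' `
    -MemberTimeToLive (New-TimeSpan -Minutes 30)

# -ShowMemberTimeToLive renders time-bound members as
# "<TTL=<seconds>,CN=jdoe,...>"; members without a TTL are plain DNs.
$group = Get-ADGroup -Identity 'PAM-Tier0-Admins' -Properties member -ShowMemberTimeToLive

# Split the remaining seconds from the DN so the value can be logged or
# alerted on (e.g. memberships that were granted for longer than policy allows).
$timeBound = $group.member | ForEach-Object {
    if ($_ -match '^<TTL=(\d+),(.+)>$') {
        [pscustomobject]@{
            Member           = $Matches[2]
            RemainingSeconds = [int]$Matches[1]
        }
    }
}
$timeBound | Format-Table -AutoSize

# In the user's own logon session, the TGT end time reported by klist is
# bounded by the smallest remaining TTL across all time-bound memberships.
klist tgt
```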

Requirements

  • Microsoft Identity Manager

  • Active Directory forest functional level of Windows Server 2012 R2 or higher.

Azure AD Join

Azure Active Directory Join enhances identity experiences for enterprise, business and EDU customers, with improved capabilities for corporate and personal devices.

Benefits:

  • Availability of Modern Settings on corp-owned Windows devices. Oxygen Services no longer require a personal Microsoft account: they now run off users' existing work accounts to ensure compliance. Oxygen Services will work on PCs that are joined to an on-premises Windows domain, and PCs and devices that are "joined" to your Azure AD tenant ("cloud domain"). These settings include:

    • Roaming or personalization, accessibility settings and credentials

    • Backup and Restore

    • Access to the Windows Store with work account

    • Live tiles and notifications

  • Access organizational resources on mobile devices (phones, phablets) that can't be joined to a Windows Domain, whether they are corp-owned or BYOD

  • Single Sign-On to Office 365 and other organizational apps, websites and resources.

  • On BYOD devices, add a work account (from an on-premises domain or Azure AD) to a personally-owned device and enjoy SSO to work resources, via apps and on the web, in a way that helps ensure compliance with new capabilities such as Conditional Account Control and Device Health attestation.

  • MDM integration lets you auto-enroll devices to your MDM (Intune or third-party)

  • Set up "kiosk" mode and shared devices for multiple users in your organization

  • Developer experience lets you build apps that cater to both enterprise and personal contexts with a shared programming stack.

  • Imaging option lets you choose between imaging and allowing your users to configure corp-owned devices directly during the first-run experience.

For more information, see Windows 10 for the enterprise: Ways to use devices for work.

Microsoft Passport

Microsoft Passport is a new key-based authentication approach for organizations and consumers that goes beyond passwords. This form of authentication relies on breach-, theft-, and phish-resistant credentials.

The user logs on to the device with biometric or PIN logon information that is linked to a certificate or an asymmetric key pair. The Identity Providers (IDPs) validate the user by mapping the public key of the user to IDLocker and provide logon information through a One Time Password (OTP), Phonefactor, or a different notification mechanism.

For more information, see Authenticating identities without passwords through Microsoft Passport.

Deprecation of File Replication Service (FRS) and Windows Server 2003 functional levels

Although File Replication Service (FRS) and the Windows Server 2003 functional levels were deprecated in previous versions of Windows Server, it bears repeating that the Windows Server 2003 operating system is no longer supported. As a result, any domain controller that runs Windows Server 2003 should be removed from the domain. The domain and forest functional level should be raised to at least Windows Server 2008 to prevent a domain controller that runs an earlier version of Windows Server from being added to the environment.

At the Windows Server 2008 and higher domain functional levels, Distributed File Service (DFS) Replication is used to replicate SYSVOL folder contents between domain controllers. If you create a new domain at the Windows Server 2008 domain functional level or higher, DFS Replication is automatically used to replicate SYSVOL. If you created the domain at a lower functional level, you will need to migrate from using FRS to DFS Replication for SYSVOL. For migration steps, you can either follow the procedures on TechNet or refer to the streamlined set of steps on the Storage Team File Cabinet blog.

The Windows Server 2003 domain and forest functional levels continue to be supported, but organizations should raise the functional level to Windows Server 2008 (or higher if possible) to ensure SYSVOL replication compatibility and support in the future. In addition, there are many other benefits and features available at the higher functional levels. See the following resources for more information: