COLLECTED BY

Organization: Internet Archive

The Internet Archive discovers and captures web pages through many different web crawls. At any given time several distinct crawls are running, some for months, and some every day or longer. View the web archive through the Wayback Machine.

Collection: Wide Crawl Number 15: Started Oct 1st, 2016 - Ended May 8th, 2017

Web wide crawl.

TIMESTAMPS

The Wayback Machine - https://web.archive.org/web/20161201104808/https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs

Table of contents

Shared to

Table of contents +

Windows Server 2016

System Requirements

Release Notes: Important Issues in Windows Server

Recommendations for moving to Windows Server 2016

Upgrade and Conversion Options

Server Role Upgrade and Migration

Server Application Compatibility Table

Features Removed or Deprecated in Windows Server 2016

Install Nano Server

Nano Server Quick Start

Deploy Nano Server

IIS on Nano Server

MPIO on Nano Server

Manage Nano Server

Service and Update Nano Server

Developing on Nano Server

PowerShell on Nano Server

Developing PowerShell Cmdlets for Nano Server

Troubleshooting Nano Server

Install Server Core

Configure Server Core with Sconfig.cmd

Install Server with Desktop Experience

Customer Experience Guides for Windows Server 2016

What's New in Windows Server 2016

What's New in the Windows Console in Windows Server 2016

Hyper-V Overview

What's new in Hyper-V

System requirements

Supported Windows guest operating systems

Supported Linux and FreeBSD VMs

CentOS and Red Hat Enterprise Linux VMs

Oracle Linux VMs

Feature Descriptions for Linux and FreeBSD VMs

Best Practices for running Linux

Best practices for running FreeBSD

Feature compatibility by generation and guest

Install Hyper-V

Create a virtual switch

Create a virtual machine

Plan

Deploy

Set up hosts for live migration

Upgrade virtual machine version

Manage

Choose between standard or production checkpoints

Enable or disable checkpoints

Manage Windows VMs with PowerShell Direct

Set up Hyper-V Replica

Use live migration without Failover Clustering

Get started with Setup and Boot Event Collection

Remote Desktop Services

What's new in RDS?

Supported configurations for RDS

Supported security configurations for Windows 10 VDI

Planning poster for Remote Desktop Services

Host Windows Desktop and Applications using Remote Desktop Services in Azure

Plan and design

VDI vs. session-based

Personal or pooled desktops

Cater to different kinds of users

Access from anywhere

High availability

Multifactor Authentication

Secure data storage

Persistent or non-persistent sessions

Enable high-end graphics remoting

Connect from any device

Choose how you pay

Office 2016 in RDS and VDI deployments

Desktop Hosting Reference Architecture

Desktop hosting logical architecture

Desktop hosting service

Azure services and considerations for desktop hosting

Tenant on-premises components

Build and deploy

Migrate your Remote Desktop Services deployments to Windows Server 2016

Migrate your Remote Desktop Services Client Access Licenses (RDS CALs)

Upgrade your Remote Desktop Services deployments to Windows Server 2016

Upgrade Remote Desktop Session Host servers

Upgrade Remote Desktop Virtualization Host servers

Configure your desktop hosting environment

Create virtual machines for Remote Desktop

Prepare your virtual machines for Remote Desktop

Validate and secure your Remote Desktop deployment

Deploy a basic desktop hosting environment using Azure IaaS

Deploy your Remote Desktop environment

Deploy a Remote Desktop Session Host farm to improve availability

Create a virtual machine for the Remote Desktop Session Host server

Prepare the RDSH virtual machine

Add the RDSH server to the collection farm

Deploy a Remote Desktop Connection Broker cluster

Use an Azure SQL database to enable high availability for your Connection Broker

Create a second RD Connection Broker virtual machine

Prepare the RD Connection Broker VM for Remote Desktop

Create an Azure SQL database for the RD Connection Broker

Install the ODBC driver for SQL on each RD Connection Broker server

Create an Azure internal load balancer for Remote Desktop deployment

Add the RD Connection Broker server to the deployment and configure high availability

Configure trusted certificates on RD Connection Broker servers and clients

Deploy a RD Web Access and Gateway farm

Add RD Web and Gateway server to the RDS deployment

Configure the current RD Web and Gateway virtual machine for load balancing

Deploy RemoteApp programs

Add the RDSH Server, create a collection, and publish the RemoteApp programs

Deploy a two-node Storage Spaces Direct file system for UPD storage

Deploy and manage a personal session desktops environment

License your Remote Desktop deployment

Activate the license server

Install RDS CALs on the license server

Track the CALs used in your deployment

Additional Remote Desktop support

Remote Desktop clients

Getting started with Remote Desktop client on Android

Remote Desktop client on Android FAQ

Getting started with Remote Desktop client on iOS

Remote Desktop client on iOS FAQ

Getting started with Remote Desktop client on Mac

Remote Desktop client on Mac FAQ

Remote Desktop URI scheme

MultiPoint Services

Planning a MultiPoint Services Deployment

Introducing MultiPoint Services

Getting started with MultiPoint Services

Common Usage Scenarios

MultiPoint Stations

Selecting Hardware for Your MultiPoint Services System

Hardware Requirements and Performance Recommendations

Variables Affecting MultiPoint Services System Performance

MultiPoint Services Site Planning

Network Considerations and User Accounts

Storing Files with MultiPoint Services

Protecting the System volume with Disk Protection

MultiPoint Services Virtualization Support

Application Considerations

Predeployment Checklist

Deploying MultiPoint Services

Deploy a new MultiPoint Services System

Collect hardware and device drivers needed for the installation

Set up the physical computer and primary station

Install MultiPoint Services

Update and install device drivers if needed

Set the date, time, and time zone

Join the MultiPoint Server to a domain (optional)

Install updates

attach additional stations to your MultiPoint server

Set up a direct-video-connected station

Set up a USB zero client-connected station

Set up an RDP-over-LAN connected station

Manage Client Access Licenses (CAL) with MultiPoint Services

Install software on your MultiPoint Services System

Optional configuration tasks for a MultiPoint Services deployment

Set up a split-screen station

Create Windows 10 Enterprise virtual desktops for stations

Prepare your MultiPoint Services System for users

Plan user accounts for your MultiPoint Services environment

Example scenarios: MultiPoint Services user accounts

Create local user accounts

Limit users' access to the MultiPoint server

Configure stations for automatic logon

Allow one account to have multiple sessions

Enable file sharing in MultiPoint Services

System administration in MultiPoint Services

Configure Disk Protection in MultiPoint Services

Install Server Backup on your MultiPoint system

Configure group policies for a domain deployment

Managing MultiPoint Services

Managing Your MultiPoint Services System

Privacy and Security Considerations

Manage Station Hardware

View Hardware Status

Work with USB Devices

Work with Video Devices

Set Up a Station

Manage System Tasks Using MultiPoint Manager

Edit Server Settings

Restart or Shut Down MultiPoint Systems

Switch Between modes

Enable or Disable Disk Protection

Manage Client Access Licenses

Remap All Stations

Save Connection Settings to File

Add or remove computers

Manage User Stations

View User Connection Status

Log off or Disconnect User Sessions

Suspend and Leave User Session active

End a User Session

Set up a Station for Automatic Logon

Split a User Station

Manage User Accounts

User Account Considerations

Create an Administrative User Account

Create a Standard User Account

Create a MultiPoint Dashboard User Account

Update or delete a User Account

Manage Virtual Desktops

Manage User Files

Keep Files Private

Save and Share Files on a USB Flash Drive

Manage User Desktops Using MultiPoint Dashboard

Block or Unblock a Station

Limit Web Access

Block or Unblock USB Storage

Project a Station to Other Stations

Launch or Close Applications on a Station

Take Control of a User Session

View Options for Session Thumbnails in MultiPoint Dashboard

Log Off User Sessions

Manage MultiPoint Systems Using MultiPoint Dashboard

Restart or Shut Down

Remap selected MultiPoint Systems

Failover Clustering

What's New in Failover Clustering

VM Load Balancing

VM Load Balancing Deep-Dive

Deploy a Cloud Witness for a Failover Cluster

Cluster Operating System Rolling Upgrade

Simplified SMB Multichannel and Multi-NIC Cluster Networks

Identity and Access

Solutions and Scenario Guides

Dynamic Access Control: Scenario Overview

Scenario: Central Access Policy

Deploy a Central Access Policy (Demonstration Steps)

Scenario: File Access Auditing

Plan for File Access Auditing

Deploy Security Auditing with Central Audit Policies (Demonstration Steps)

Scenario: Access-Denied Assistance

Deploy Access-Denied Assistance (Demonstration Steps)

Scenario: Classification-Based Encryption for Office Documents

Deploy Encryption of Office Files (Demonstration Steps)

Scenario: Get Insight into Your Data by Using Classification

Deploy Automatic File Classification (Demonstration Steps)

Scenario: Implement Retention of Information on File Servers

Deploy Implementing Retention of Information on File Servers Demonstration Steps

Deploy Claims Across Forests

Deploy Claims Across forests (Demonstration Steps)

Claims Transformation Rules Language

Appendix A: Dynamic Access Control Glossary

Appendix B: Setting Up the Test Environment

Active Directory Domain Services

What's new in Active Directory Domain Services Technical Preview

AD DS Getting started

Active Directory Domain Services Overview

Active Directory Administrative Center

Introduction to Active Directory Administrative Center Enhancements (Level 100)

Advanced AD DS Management Using Active Directory Administrative Center (Level 200)

Active Directory Domain Services Virtualization

Introduction to Active Directory Domain Services (AD DS) Virtualization (Level 100)

Virtualized Domain Controller Technical Reference (Level 300)

Virtualized Domain Controller Architecture

Virtualized Domain Controller Deployment and Configuration

Virtualized Domain Controller Troubleshooting

Virtualized Domain Controller Technical Reference appendix

Virtualized Domain Controller additional Resources

Virtualized Domain Controller Cloning Test Guidance for Application Vendors

Support for using Hyper-V Replica for virtualized domain controllers

Windows Time Service

How the Windows Time Service Works

Windows Time Service Tools and Settings

Windows 2016 Accurate Time

Windows Server 2016 Functional Levels

AD DS Design and Planning

Understanding AD DS Design

Identifying Your AD DS Design and Deployment Requirements

AD DS Design Requirements

AD DS Deployment Requirements

Mapping Your Requirements to an AD DS Deployment Strategy

Deploying AD DS in a New Organization

Deploying AD DS in a Windows Server 2003 Organization

Deploying AD DS in a Windows 2000 Organization

Designing the Logical Structure

Understanding the Active Directory Logical model

Identifying the Deployment Project Participants

Creating a Forest Design

Identifying Forest Design Requirements

Service Administrator Scope of Authority

Autonomy vs. Isolation

Determining the Number of Forests Required

Forest Design models

Mapping Design Requirements to Forest Design models

Using the Organizational Domain Forest model

Creating a Domain Design

Reviewing the Domain models

Determining the Number of Domains Required

Determining Whether to Upgrade Existing Domains or Deploy New Domains

Assigning Domain Names

Selecting the Forest Root Domain

Creating a DNS Infrastructure Design

Reviewing DNS Concepts

Domain Controller Location

Active Directory-Integrated DNS Zones

Computer Naming

Disjoint Namespace

Assigning the DNS for AD DS Owner Role

Integrating AD DS into an Existing DNS Infrastructure

Creating an Organizational Unit Design

Reviewing OU Design Concepts

Delegating Administration by Using OU Objects

Aelegating Administration of Default Containers and OUs

Delegating Administration of Account OUs and Resource OUs

Finding additional Resources for Logical Structure Design

Appendix A: DNS Inventory

Designing the Site Topology

Understanding Active Directory Site Topology

Site Topology Owner Role

Active Directory Replication Concepts

Collecting Network Information

Planning Domain Controller Placement

Planning Forest Root Domain Controller Placement

Planning regional Domain Controller Placement

Planning Global Catalog Server Placement

Planning Operations Master Role Placement

Creating a Site Design

Creating a Site Link Design

Setting Site Link Properties

Determining the Cost

Enabling Clients to Locate the Next Closest Domain Controller

Determining the Schedule

Determining the Interval

Creating a Site Link Bridge Design

Finding additional Resources for Windows Server 2008 Active Directory Site Topology Design

Appendix A: Locations and Subnet Prefixes

Enabling Advanced Features for AD DS

Understanding Active Directory Domain Services (AD DS) Functional Levels

Identifying Your Functional Level Upgrade

Finding additional Resources for Enabling Advanced Features

Evaluating AD DS Deployment Strategy Examples

Appendix A: Reviewing Key AD DS Terms

AD DS Deployment

What's New in Active Directory Domain Services Installation and Removal

Upgrade Domain Controllers to Windows Server 2012 R2 and Windows Server 2012

AD DS Simplified Administration

Simplified Administration appendix

Install Active Directory Domain Services (Level 100)

Install a New Windows Server 2012 Active Directory Forest (Level 200)

Install a Replica Windows Server 2012 Domain Controller in an Existing Domain (Level 200)

Install a New Windows Server 2012 Active Directory Child or tree Domain (Level 200)

Install a Windows Server 2012 Active Directory Read-Only Domain Controller (RODC) (Level 200)

Demoting Domain Controllers and Domains (Level 200)

AD DS Installation and removal Wizard Page Descriptions

Changes Made by Adprep

Read-Only Domain Controller Updates

Domain-Wide Updates

Forest-Wide Updates

Troubleshooting Domain Controller Deployment

AD DS Operations

Best Practices for Securing Active Directory

Acknowledgements

Executive Summary

Avenues to compromise

Attractive Accounts for Credential Theft

Reducing the Active Directory attack Surface

Implementing Least-Privilege Administrative models

Implementing Secure Administrative Hosts

Securing Domain Controllers Against attack

Monitoring Active Directory for Signs of compromise

Audit Policy Recommendations

Planning for compromise

Maintaining a more Secure Environment

Summary of Best Practices

Appendix A: Patch and Vulnerability Management Software

Appendix B: Privileged Accounts and Groups in Active Directory

Appendix C: Protected Accounts and Groups in Active Directory

Appendix D: Securing Built-In Administrator Accounts in Active Directory

Appendix E: Securing Enterprise Admins Groups in Active Directory

Appendix F: Securing Domain Admins Groups in Active Directory

Appendix G: Securing Administrators Groups in Active Directory

Appendix H: Securing Local Administrator Accounts and Groups

Appendix I: Creating Management Accounts for Protected Accounts and Groups in Active Directory

Appendix J: Third-Party RBAC Vendors

Appendix K: Third-Party PIM Vendors

Appendix L: Events to Monitor

Appendix M: Document Links and Recommended Reading

Active Directory Replication and Topology Management Using Windows powershell

Introduction to Active Airectory Replication and Topology Management Using Windows PowerShell (Level 100)

Advanced Active Directory Replication and Topology Management Using Windows powershell (Level 200)

Managing RID Issuance

Active Directory Domain Services component Updates

Identity component updates

SPN and UPN uniqueness

Winlogon Automatic Restart Sign-On (ARSO)

TPM Key attestation

CA Backup and Restore Windows powershell cmdlets

Command line process auditing

Directory Services component updates

How to Configure Protected Accounts

How LDAP Server Cookies Are Handled

AD DS Troubleshooting

Configuring a computer for Troubleshooting

Troubleshooting Active Directory Replication Problems

Fixing Replication Lingering Object Problems (Event IDs 1388, 1988, 2042)

Event ID 1388 or 1988: A lingering object is detected

A deleted account remains in the address Book, e-mail is not received, or a duplicate account exists

Event ID 2042: It has been too long since this machine replicated

Fixing Replication Security Problems

An "Access denied" or other security error has caused replication problems

Fixing Replication DNS Lookup Problems (Event IDs 1925, 2087, 2088)

Event ID 1925: attempt to establish a replication link failed due to DNS lookup problem

Event ID 2087: DNS lookup failure caused replication to fail

Event ID 2088: DNS lookup failure occurred with replication success

Fixing Replication Connectivity Problems (Event ID 1925)

Event ID 1925: attempt to establish a replication link failed due to connectivity problem

Fixing Replication Topology Problems (Event ID 1311)

Verify DNS Functionality to Support Directory Replication

Replication error 8614 The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime

Replication error 8524 The DSA operation is unable to proceed because of a DNS lookup failure

Replication error 8456 or 8457 The source | destination server is currently rejecting replication requests

Replication error 8453 Replication access was denied

Replication error 8452 The naming context is in the process of being removed or is not replicated from the specified server

Replication error 5 Access is denied

Replication error -2146893022 The target principal name is incorrect

Replication error 1753 There are no more endpoints available from the endpoint mapper

Replication error 1722 The RPC server is unavailable

Replication error 1396 Logon Failure The target account name is incorrect

Replication error 1256 The remote system is not available

Replication error 1127 While accessing the hard disk, a disk operation failed even after retries

Replication error 8606 Insufficient attributes were given to create an object

Replication error 8451 The replication operation encountered a database error

Additional Resources_12

Active Directory Federation Services

What's new in Active Directory Federation Services for Windows Server 2016

AD FS Scenarios for Developers

AD FS 2016 Requirements

AD FS Design Guide

AD FS Design Guide in Windows Server 2012 R2

Identify Your AD FS Deployment Goals

Plan Your AD FS Deployment Topology

Federation Server Farm Using WID

Federation Server Farm Using WID and Proxies

Federation Server Farm Using SQL Server

AD FS Requirements

AD FS Design Guide in Windows Server 2012

Identifying Your AD FS Deployment Goals

Provide Your Active Directory Users Access to Your Claims-Aware Applications and Services

Provide Your Active Directory Users Access to the Applications and Services of Other Organizations

Provide Users in Another Organization Access to Your Claims-Aware Applications and Services

Mapping Your Deployment Goals to an AD FS Design

Federated Web SSO Design

Determine Your AD FS Deployment Topology

AD FS Deployment Topology Considerations

Stand-Alone Federation Server Using WID

Federation Server Farm Using WID

Federation Server Farm Using WID and Proxies

Federation Server Farm Using SQL Server

Planning Your Deployment

Using AD DS Claims with AD FS

Best Practices for Secure Planning and Deployment of AD FS

Planning for Interoperability with AD FS 1.x

When to Use Identity delegation

Deploying AD FS in the Account Partner Organization

Review the Role of the Federation Server in the Account Partner

Review the Role of the Federation Server Proxy in the Account Partner

Prepare Client computers in the Account Partner

Deploying AD FS in the Resource Partner Organization

Review the Role of the Federation Server in the Resource Partner

Review the Role of the Federation Server Proxy in the Resource Partner

Determine Your Federated Application Strategy in the Resource Partner

Planning Federation Server Placement

When to create a Federation Server

Where to Place a Federation Server

When to create a Federation Server Farm

Certificate Requirements for Federation Servers

Token-Signing Certificates

Service Communications Certificates

Name Resolution Requirements for Federation Servers

Planning Federation Server Proxy Placement

When to create a Federation Server Proxy

Where to Place a Federation Server Proxy

When to create a Federation Server Proxy Farm

Certificate Requirements for Federation Server Proxies

Name Resolution Requirements for Federation Server Proxies

Planning for AD FS Server Capacity

Planning for Federation Server Capacity

Planning for Federation Server Proxy Capacity

Appendix A: Reviewing AD FS Requirements

AD FS Deployment

AD FS Deployment Guide

Upgrading to AD FS in Windows Server 2016

Windows Server 2016 and 2012 R2 AD FS Deployment Guide

Deploying a Federation Server Farm

Join a computer to a Domain

Enroll an SSL Certificate for AD FS

Install the AD FS Role Service

Configure a Federation Server

Configure a federation server with Device registration Service

Configure Corporate DNS for the Federation Service and DRS

Verify your Windows Server 2012 R2 Federation Server Is Operational

Deploying Federation Server Proxies

Azure Active Directory Connect

Windows Server 2012 AD FS Deployment Guide

Planning to Deploy AD FS

Implementing Your AD FS Design Plan

Checklist: Implementing a Web SSO Design

Checklist: Implementing a Federated Web SSO Design

Configure Partner Organizations

Checklist: Configure the Account Partner Organization

Checklist: Configure the Resource Partner Organization

Add an attribute Store

Create a Claims Provider Trust Using Federation Metadata

Create a Relying Party Trust Using Federation Metadata

Add a Claim Description

Configure Client computers to Trust the Account Federation Server

Distribute Certificates to Client computers by Using Group Policy

Configuring Claim Rules

Checklist: Creating Claim Rules for a Claims Provider Trust

Checklist: Creating Claim Rules for a Relying Party Trust

Create a Rule to Pass Through or filter an Incoming Claim

Create a Rule to Send an AD FS 1.x compatible Claim

Create a Rule to Permit All Users

Create a Rule to Permit or Deny Users Based on an Incoming Claim

Create a Rule to Send LDAP attributes as Claims

Create a Rule to Send Group Membership as a Claim

Create a Rule to Transform an Incoming Claim

Create a Rule to Send an Authentication Method Claim

Create a Rule to Send Claims Using a Custom Rule

Deploying Federation Servers

Checklist: Setting Up a Federation Server

Add a Host (A) Resource Record to Corporate DNS for a Federation Server

Manually Configure a Service Account for a Federation Server Farm

Install the Federation Service Role Service

Create the First Federation Server in a Federation Server Farm

Create a Stand-Alone Federation Server

Add a Federation Server to a Federation Server Farm

Add a Token-Signing Certificate

Add a Token-Decrypting Certificate

Set a Service Communications Certificate

Verify That a Federation Server Is Operational

Deploying Federation Server Proxies

Checklist: Setting Up a Federation Server Proxy

Join a computer to a Domain

Configure Name Resolution for a Federation Server Proxy in a DNS Zone That Serves Only the Perimeter Network

Configure Name Resolution for a Federation Server Proxy in a DNS Zone That Serves Both the Perimeter Network and Internet Clients

Export the Private Key Portion of a Server Authentication Certificate

Import a Server Authentication Certificate to the Default Web Site

Install the Federation Service Proxy Role Service

Configure a computer for the Federation Server Proxy Role

Verify That a Federation Server Proxy Is Operational

Configure Performance Monitoring

Interoperating with AD FS 1.x

Checklist: Configuring AD FS to Consume Claims from AD FS 1.x

Checklist: Configuring AD FS to Send Claims to an AD FS 1.x Federation Service

Checklist: Configuring AD FS to Send Claims to an AD FS 1.x Claims-Aware Web Agent

Create a Relying Party Trust Manually

Create a Claims Provider Trust Manually

Create a Rule to Send an AD FS 1.x compatible Claim

Deploy Azure AD Connect Health

AD FS Development

AD FS On-behalf-of Authentication in Windows Server 2016

Enabling OpenId Connect with AD FS 2016

Enabling Oauth Confidential Clients with AD FS 2016

Single Page Application with AD FS

AD FS Operations

Access Control Policies in AD FS

AD FS 2016 Single Sign On Settings

AD FS Rapid Restore Tool

AD FS support for alternate hostname binding for certificate authentication

AD FS user sign-in customization

Add an attribute Store

Auditing Enhancements to AD FS in Windows Server 2016

Best Practices for Securing AD FS

Configure AD FS 2016 and Azure MFA

Configure AD FS Extranet Lockout

Configure AD FS to authenticate users stored in LDAP directories

Configure AD FS to Send Password Expiry Claims

Configure additional Authentication Methods for AD FS

Configure Authentication Policies

Configure Claim Rules

Configure Device-based Conditional Access on-Premises

Configure intranet forms-based authentication for devices that do not support WIA

Configuring Alternate Login ID

Create a Claims Provider Trust

Create a Non-Claims Aware Relying Party Trust

Create a Relying Party Trust

Improved interoperability with SAML 2.0

Join to Workplace from Any Device for SSO and Seamless Second Factor Authentication Across company Applications

Manage Risk with additional Multi-Factor Authentication for Sensitive Applications

Manage Risk with Conditional Access Control

Plan Device-based Conditional Access on-Premises

Set up an AD FS lab environment

Set up Geographic Redundancy with SQL Server Replication

Set up the lab environment for AD FS in Windows Server 2012 R2

Walkthrough Guide: Manage Risk with additional Multi-Factor Authentication for Sensitive Applications

Walkthrough Guide: Manage Risk with Conditional Access Control

Walkthrough: Workplace Join with a Windows Device

Walkthrough: Workplace Join with an iOS Device

AD FS Technical Reference

Understanding Key AD FS Concepts

The Role of attribute Stores

The Role of the AD FS Configuration Database

The Role of Claims

The Role of Claim Rules

The Role of the Claims Engine

The Role of the Claims Pipeline

The Role of the Claim Rule Language

Determine the type of Claim Rule Template to Use

How URIs Are Used in AD FS

Device registration Technical Reference

Web Application Proxy in Windows Server 2016

Publishing Applications using AD FS Preauthentication

Publishing Applications with SharePoint, Exchange and RDG

Troubleshooting Web Application Proxy

Management and Automation

Microsoft Server Performance Advisor

Server Performance Advisor User's Guide

Server Performance Advisor Pack Development Guide

Server Performance Advisor Pack for Tiered Storage Spaces

Remote Server Administration Tools

Manage the Local Server and the Server Manager Console

Configure Remote Management in Server Manager

Add Servers to Server Manager

Install or Uninstall Roles, Role Services, or Features

Configure Features on Demand in Windows Server

View and Configure Performance, Event, and Service Data

View Task details and Notifications

Run Best Practices Analyzer Scans and Manage Scan Results

Create and Manage Server Groups

Filter, sort, and query Data in Server Manager Tiles

Keyboard Shortcuts for Server Manager

Windows Server Update Services (WSUS)

Deploy Windows Server Update Services

Plan your WSUS deployment

Step 1: Install the WSUS Server Role

Step 2: Configure WSUS

Step 3: Approve and Deploy Updates in WSUS

Step 4: Configure Group Policy Settings for Automatic Updates

Update Management with Windows Server Update Services

Setting up Update Synchronizations

Managing WSUS Client computers and WSUS computer Groups

Viewing and Managing Updates

WSUS and the Catalog Site

Updates Operations

The Server cleanup Wizard

Running WSUS Replica mode

WSUS Messages and Troubleshooting Tips

Windows Commands

Command-Line Syntax Key

Commands by Server Role

Print Command Reference

Services for Network File System Command Reference

Remote Desktop Services (Terminal Services) Command Reference

Windows Server Backup Command Reference

Windows Server 2016 Supported Networking Scenarios

What's New in Networking

Core Network Guide for Windows Server 2016

Core Network Guide

Core Network companion Guides

Deploy Server Certificates for 802.1X Wired and Wireless Deployments

Server Certificate Deployment Overview

Server Certificate Deployment Planning

Server Certificate Deployment

Install the Web Server WEB1

Create an Alias (CNAME) Record in DNS for WEB1

Configure WEB1 to Distribute Certificate Revocation lists (CRLs)

Prepare the CAPolicy.inf File

Install the Certification Authority

Configure the cdP and AIA Extensions on CA1

Copy the CA Certificate and CRL to the Virtual directory

Configure the Server Certificate Template

Configure Server Certificate Autoenrollment

Refresh Group Policy

Verify Server Enrollment of a Server Certificate

Deploy Password-Based 802.1X Authenticated Wireless Access

Wireless Access Deployment Overview

Wireless Access Deployment Process

Wireless Access Deployment Planning

Wireless Access Deployment

Deploy BranchCache Hosted Cache mode

BranchCache Hosted Cache mode Deployment Overview

BranchCache Hosted Cache mode Deployment Planning

BranchCache Hosted Cache mode Deployment

Install the BranchCache Feature and Configure the Hosted Cache Server by Service Connection Point

Move and Resize the Hosted Cache (Optional)

Prehash and Preload Content on the Hosted Cache Server (Optional)

Create Content Server Data Packages for Web and File Content (Optional)

Import Data Packages on the Hosted Cache Server (Optional)

Configure Client Automatic Hosted Cache Discovery by Service Connection Point

Additional Resources

BranchCache Network Shell and Windows PowerShell Commands

BranchCache Deployment Guide

Choosing a BranchCache Design

Deploy BranchCache

Install and Configure Content Servers

Install Content Servers that Use the BranchCache Feature

Install the BranchCache Feature

Configure Windows Server Update Services (WSUS) Content Servers

Install File Services Content Servers

Configure the File Services server role

Install a New File Server as a Content Server

Configure an Existing File Server as a Content Server

Enable Hash Publication for File Servers

Enable Hash Publication for Non-Domain Member File Servers

Enable Hash Publication for Domain Member File Servers

Create the BranchCache File Servers Organizational Unit

Move File Servers to the BranchCache File Servers Organizational Unit

Create the BranchCache Hash Publication Group Policy Object

Configure the BranchCache Hash Publication Group Policy Object

Enable BranchCache on a File Share (Optional)

Deploy Hosted Cache Servers (Optional)

Prehashing and Preloading Content on Hosted Cache Servers (Optional)

Configure BranchCache Client computers

Use Group Policy to Configure Domain Member Client computers

Use Windows PowerShell to Configure Non-Domain Member Client computers

Configure Firewall Rules for Non-Domain Members to Allow BranchCache Traffic

Verify Client computer Settings

Domain Name System (DNS)

What's New in DNS Client in Windows Server 2016

What's New in DNS Server in Windows Server 2016

DNS Policy Scenario Guide

DNS Policies Overview

Use DNS Policy for Geo-Location Based Traffic Management with Primary Servers

Use DNS Policy for Geo-Location Based Traffic Management with Primary-Secondary Deployments

Use DNS Policy for Intelligent DNS Responses Based on the time of Day

DNS Responses Based on time of Day with an Azure Cloud App Server

Use DNS Policy for Split-Brain DNS Deployment

Use DNS Policy for Applying Filters on DNS Queries

Use DNS Policy for Application Load Balancing

Use DNS Policy for Application Load Balancing With Geo-Location Awareness

Dynamic Host Configuration Protocol (DHCP)

What's New in DHCP

Hyper-V Virtual Switch

Remote Direct Memory Access (RDMA) and Switch Embedded Teaming (SET)

Manage Hyper-V Virtual Switch

Configure and View VLAN Settings on Hyper-V Virtual Switch Ports

Create Security Policies with extended Port Access Control lists

IP Address Management (IPAM)

What's New in IPAM

DNS Resource Record Management

Add a DNS Resource Record

Delete DNS Resource Records

Filter the View of DNS Resource Records

View DNS Resource Records for a Specific IP address

DNS Zone Management

Create a DNS Zone

Edit a DNS Zone

View DNS Resource Records for a DNS Zone

Manage Resources in Multiple Active Directory Forests

Purge Utilization Data

Role-based Access Control

Manage Role Based Access Control with Server Manager

create a User Role for Access Control

Create an Access Policy

Set Access Scope for a DNS Zone

Set Access Scope for DNS Resource Records

View Roles and Role Permissions

Manage Role Based Access Control with Windows PowerShell

Network Load Balancing

Network Offload and Optimization Technologies

Network Policy Server

Network Policy Server Best Practices

Getting Started with Network Policy Server

Connection Request Processing

Connection Request Policies

Remote RADIUS Server Groups

Network Policies

Access Permission

Deploy Network Policy Server

Manage Network Policy Server

Configure Connection Request Policies

Configure Firewalls for RADIUS Traffic

Configure Network Policies

Configure Network Policy Server Accounting

Configure NPS on a Multihomed Computer

Configure NPS UDP Port Information

Configure RADIUS Clients

Configure Remote RADIUS Server Groups

Disable NAS Notification Forwarding

Increase Concurrent Authentications Processed by NPS

Manage Certificates Used with NPS

Configure Certificate Templates for PEAP and EAP Requirements

Use Regular Expressions in NPS

Network Subsystem Performance Tuning

Choosing a Network Adapter

Configure the Order of Network Interfaces

Performance Tuning Network Adapters

Network-Related Performance Counters

Performance Tools for Network Workloads

NIC Teaming in Virtual Machines (VMs)

NIC Teaming and Virtual Local Area Networks (VLANs)

NIC Teaming MAC address Use and Management

Create a New NIC Team on a Host computer or VM

Create a New NIC Team in a VM

Create a New NIC Team

Troubleshooting NIC Teaming

Border Gateway Protocol (BGP)

BGP Windows PowerShell Command Reference

DirectAccess Deployment paths in Windows Server

Prerequisites for Deploying DirectAccess

DirectAccess Unsupported Configurations

DirectAccess Test Lab Guides

Test Lab Guide: Demonstrate DirectAccess in a Cluster with Windows NLB

Overview of the DirectAccess Cluster-NLB Test Lab Scenario

DirectAccess Cluster-NLB Test Lab Configuration Requirements

Steps for Configuring the DirectAccess Cluster-NLB Test Lab

STEP 1: Complete the DirectAccess Configuration

STEP 2: Configure EDGE1

STEP 3: Install and Configure EDGE2

STEP 4: Create the Network Load Balanced remote Access Cluster

STEP 5: Test DirectAccess Connectivity from the Internet and Through the Cluster

STEP 6: Test DirectAccess Client Connectivity from Behind a Nat Device

STEP 7: Test Connectivity When Returning to the Corpnet

STEP 8: Snapshot the DirectAccess Cluster-NLB Configuration

Test Lab Guide: Demonstrate a DirectAccess Multisite Deployment

Overview of the Test Lab Scenario

Configuration Requirements

Steps for Configuring the Test Lab

STEP 1: Complete the DirectAccess Configuration

STEP 2: Install and Configure ROUTER1

STEP 3: Install and Configure CLIENT2

STEP 4: Configure APP1

STEP 5: Configure DC1

STEP 6: Install and Configure 2-DC1

STEP 7: Install and Configure 2-APP1

STEP 8: Configure INET1

STEP 9: Configure EDGE1

STEP 10: Install and Configure 2-EDGE1

STEP 11: Configure the Multisite Deployment

STEP 12: Test DirectAccess Connectivity

STEP 13: Test DirectAccess Connectivity from Behind a Nat Device

STEP 14: Snapshot the Configuration

Test Lab Guide: Demonstrate DirectAccess with OTP Authentication and RSA SecurID

Overview of the Test Lab Scenario

Configuration Requirements

Steps for Configuring the Test Lab

STEP 1: complete the DirectAccess Configuration

STEP 2: Configure APP1

STEP 3: Configure DC1

STEP 4: Install and Configure RSA and EDGE1

STEP 5: Verify OTP Health on EDGE1

STEP 6: Test DirectAccess Connectivity from the Homenet Subnet

STEP 7: Test DirectAccess Connectivity from the Internet

STEP 8: Snapshot the Configuration

DirectAccess Known Issues

DirectAccess Capacity Planning

DirectAccess offline Domain Join

Troubleshooting DirectAccess

Deploy a Single DirectAccess Server Using the Getting started Wizard

Plan a Basic DirectAccess Deployment

Step 1: Plan the Basic DirectAccess Infrastructure

Step 2: Plan the Basic DirectAccess Deployment

Install and Configure Basic DirectAccess

Step 1: Configure the Basic DirectAccess Infrastructure

Step 2: Configure the Basic DirectAccess Server

Step 3: verify Basic DirectAccess Deployments

Deploy a Single DirectAccess Server with Advanced Settings

Plan an Advanced DirectAccess Deployment

Step 1: Plan the Advanced DirectAccess Infrastructure

Step 2: Plan Advanced DirectAccess Deployments

Install and Configure Advanced DirectAccess

Step 1: Configure Advanced DirectAccess Infrastructure

Step 2: Configure Advanced DirectAccess Servers

Step 3: verify the Advanced DirectAccess Deployment

Add DirectAccess to an Existing Remote Access (VPN) Deployment

Plan to Enable DirectAccess

Step 1: Plan DirectAccess Infrastructure

Step 2: Plan the DirectAccess Deployment

Enable DirectAccess

Step 1: Configure the DirectAccess Infrastructure

Step 2: Configure the DirectAccess-VPN Server

Step 3: Verify the Deployment

GRE Tunneling in Windows Server 2016

Remote Access Server Role Documentation

Deploy Remote Access in an Enterprise

Deploy Remote Access in a Cluster

Plan a Remote Access Cluster Deployment

Step 1: Plan an Advanced Single-Server Deployment

Step 2: Plan Cluster Servers

Step 3: Plan a Load-Balanced Cluster Deployment

Configure a Remote Access Cluster

Step 1: Implement a Single-Server Remote Access Deployment

Step 2: Prepare Cluster Servers

Step 3: Configure a Load-Balanced Cluster

Step 4: Verify the Cluster

Deploy Multiple Remote Access Servers in a Multisite Deployment

Plan a Multisite Deployment

Step 1: Plan an Advanced Single Server Deployment

Step 2: Plan the Multisite Infrastructure

Step 3: Plan the Multisite Deployment

Configure a Multisite Deployment

Step 1: Implement a Single Server Remote Access Deployment

Step 2: Configure the Multisite Infrastructure

Step 3: Configure the Multisite Deployment

Step 4: Verify the Multisite Deployment

Troubleshoot a Multisite Deployment

Troubleshooting Enabling Multisite

Troubleshooting adding Entry Points

Troubleshooting Setting the Entry Point Domain Controller

Troubleshooting Web Probe URLs

Troubleshooting General Issues

Deploy Remote Access with OTP Authentication

Plan Remote Access with OTP Authentication

Step 1: Plan an Advanced Single Server Deployment

Step 2: Plan the RADIUS Server Deployment

Step 3: Plan OTP Certificate Deployment

Step 4: Plan for OTP on the Remote Access Server

Configure Remote Access with OTP Authentication

Step 1: Implement a Single Server Remote Access Deployment

Step 2: Configure the RADIUS Server

Step 3: Configure the Remote Access Server for OTP

Step 4: Verify DirectAccess with OTP

Troubleshoot an OTP Deployment

Troubleshooting Authentication Issues

Troubleshooting Enabling OTP

Deploy Remote Access in a Multi-forest Environment

Plan a Multi-forest Deployment

Configure a Multi-forest Deployment

Manage Remote Access

Use Remote Access Monitoring and Accounting

Monitor the existing load on the Remote Access server

Monitor the configuration distribution status of the Remote Access server

Monitor the operations status of the Remote Access server and its components

Identify and resolve Remote Access server operations problems

Monitor connected remote clients for activity and status

Generate a usage report for remote clients using historical data

Manage DirectAccess Clients Remotely

Plan Deployment for Remote Management of DirectAccess Clients

Step 1: Plan the Remote Access Infrastructure

Step 2: Plan the Remote Access Deployment

Install and Configure Deployment for remote Management of DirectAccess Clients

Step 1: Configure the Remote Access Infrastructure

Step 2: Configure the Remote Access Server

Step 3: Verify the Deployment

Software Defined Networking (SDN)

Software Defined Networking Technologies

Hyper-V Network Virtualization

Hyper-V Network Virtualization Overview in Windows Server Technical Preview

Hyper-V Network Virtualization Technical details in Windows Server Technical Preview

What's New in Hyper-V Network Virtualization in Windows Server Technical Preview

Internal DNS Service (iDNS) for SDN

Network Controller

Install the Network Controller server role using Server Manager

Post-Deployment Steps for Network Controller

Network Function Virtualization

Datacenter Firewall Overview

RAS Gateway for SDN

What's New in RAS Gateway

RAS Gateway Deployment Architecture

RAS Gateway High Availability

Software Load Balancing (SLB) for SDN

Switch Embedded Teaming for SDN

Container Networking

Plan Software Defined Networking

Plan a Software Defined Network Infrastructure

Installation and Preparation Requirements for Deploying Network Controller

Deploy Software Defined Networking

Deploy a Software Defined Network Infrastructure

Deploy a Software Defined Network infrastructure using scripts

Deploy Software Defined Network Technologies using Windows PowerShell

Deploy Network Controller using Windows powershell

Manage Software Defined Networking

Manage Tenant Virtual Networks

Understanding Usage of Virtual Networks and VLANs

Use Access Control lists (Acls) to Manage Datacenter Network Traffic Flow

Create, Delete, or Update Tenant Virtual Networks

Add a Virtual Gateway to a Tenant Virtual Network

Connect Container Endpoints to a Tenant Virtual Network

Manage Tenant Workloads

Create a VM and Connect to a Tenant Virtual Network or VLAN

Configure Quality of Service (QoS) for a Tenant VM Network Adapter

Configure Datacenter Firewall Access Control lists (Acls)

Configure the Software Load Balancer for Load Balancing and Network address Translation (Nat)

Use Network Virtual Appliances on a Virtual Network

Guest Clustering in a Virtual Network

Troubleshoot Software Defined Networking

Troubleshoot the Windows Server 2016 Software Defined Networking Stack

System Center Technologies for Software Defined Networking

Microsoft Azure and Software Defined Networking

What's new in Storage

Data Deduplication

What's new in Data Deduplication

Understanding Data Deduplication

Installing and enabling Data Deduplication

Running Data Deduplication

Advanced Data Deduplication settings

Data Deduplication interoperability

Storage Spaces Direct

Fault tolerance and storage efficiency

Software Storage Bus

Hyper-converged solution using Storage Spaces Direct

Adding nodes or drives

Updating drive firmware

Optimize drive usage in a pool

Storage Replica

Stretch Cluster Replication using Shared Storage

Server to server storage replication

Cluster to cluster storage replication

Storage Replica: known issues

Storage Replica: Frequently Asked Questions

Storage Quality of Service

Storage-class memory health management

ReFS integrity streams

Security and Assurance

Device Health attestation

Guarded fabric and shielded VMs

Guarded fabric and shielded VMs overview

Plan a guarded fabric

Guarded fabric and shielded VM planning guide for hosters

Compatible hardware with Windows Server 2016 yirtualization-based protection of code integrity

Guarded fabric and shielded VM planning guide for tenants

Deploying the Host Guardian Service for guarded hosts and shielded VMs

Setting up the Host Guardian Service - HGS

Configuration steps for Hyper-V hosts that will become guarded hosts

Configuring the fabric DNS for hosts that will become guarded hosts

Admin-trusted attestation - creating a security group and placing hosts in the group

TPM-trusted attestation - capturing information required by HGS

Confirm hosts can attest successfully

Appendix A - Configure Nano server as TPM attested guarded host

Hosting service provider configuration steps for guarded hosts and shielded VMs

Shielded VMs - Hosting service provider deploys guarded hosts in VMM

Shielded VMs - Hosting service provider creates a shielded VM template

Shielded VMs - Hosting service provider prepares a VM Shielding helper VHD

Shielded VMs - Hosting service provider sets up Windows Azure Pack

Tenant configuration steps for shielded VMs

Creating a template disk (optional)

Creating shielding data to define a shielded VM

Deploying a shielded VM by using Windows Azure Pack

Deploying a shielded VM by using Virtual Machine Manager

Manage a guarded fabric

Manage the Host Guardian Service

Securing Privileged Access

Privileged Access Workstations

Securing Privileged Access Reference Material

How to Configure Security Policy Settings

Account Policies

Password Policy

Enforce password history

Maximum password age

Minimum password age

Minimum password length

Password must meet complexity requirements

Store passwords using reversible encryption

Account Lockout Policy

Account lockout duration

Account lockout threshold

Reset account lockout counter after

Kerberos Policy

Enforce user logon restrictions

Maximum lifetime for service ticket

Maximum lifetime for user ticket

Maximum lifetime for user ticket renewal

Maximum tolerance for computer clock synchronization

Security Options

Accounts: Administrator account status

Accounts: Block Microsoft accounts

Accounts: Guest account status

Accounts: Limit local account use of blank passwords to console logon only

Accounts: rename administrator account

Accounts: rename guest account

Audit: Audit the access of global system objects

Audit: Audit the use of Backup and Restore privilege

Audit: Shut down system immediately if unable to log security audits

DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax

DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax

Devices: Allow undock without having to log on

Devices: Allowed to format and eject removable media

Devices: Prevent users from installing printer drivers

Devices: Restrict cd-ROM access to locally logged-on user only

Devices: Restrict floppy access to locally logged-on user only

Domain controller: Allow server operators to schedule tasks

Domain controller: LDAP server signing requirements

Domain controller: Refuse machine account password changes

Domain member: Digitally encrypt or sign secure channel data (always)

Domain member: Digitally encrypt secure channel data (when possible)

Domain member: Digitally sign secure channel data (when possible)

Domain member: Disable machine account password changes

Domain member: Maximum machine account password age

Domain member: Require strong (Windows 2000 or later) session key

Interactive logon: Display user information when the session is locked

Interactive logon: Do not display last user name

Interactive logon: Do not require CTRL+ALT+del

Interactive logon: Machine inactivity limit

Interactive logon: Machine account lockout threshold

Interactive logon: Message text for users attempting to log on

Interactive logon: Message title for users attempting to log on

Interactive logon: Number of previous logons to cache (in case domain controller is not available)

Interactive logon: prompt user to change password before expiration

Interactive logon: Require Domain Controller authentication to unlock workstation

Interactive logon: Require smart card

Interactive logon: Smart card removal behavior

Microsoft network client: Digitally sign communications (always)

Microsoft network client: Digitally sign communications (if server agrees)

Microsoft network client: Send unencrypted password to third-party SMB servers

Microsoft network server: Amount of idle time required before suspending session

Microsoft network server: attempt S4U2Self to obtain claim information

Microsoft network server: Digitally sign communications (always)

Microsoft network server: Digitally sign communications (if client agrees)

Microsoft network server: Disconnect clients when logon hours expire

Microsoft network server: Server SPN target name validation level

Network access: Allow anonymous SID Name translation

Network access: Do not allow anonymous enumeration of SAM accounts

Network access: Do not allow anonymous enumeration of SAM accounts and shares

Network access: Do not allow storage of passwords and credentials for network authentication

Network access: Let Everyone permissions apply to anonymous users

Network access: Named Pipes that can be accessed anonymously

Network access: remotely accessible registry paths

Network access: remotely accessible registry paths and subpaths

Network access: Shares that can be accessed anonymously

Network access: Sharing and security model for local accounts

Network security: Allow Local System to use computer identity for NTLM

Network security: Allow LocalSystem NULL session fallback

Network Security: Allow PKU2U authentication requests to this computer to use online identities

Network security: Configure encryption types allowed for Kerberos

Network security: Do not store LAN Manager hash value on next password change

Network security: force logoff when logon hours expire

Network security: LAN Manager authentication level

Network security: LDAP client signing requirements

Network security: Minimum session security for NTLM SSP based (including secure RPC) clients

Network security: Minimum session security for NTLM SSP based (including secure RPC) servers

Network security: Restrict NTLM: add remote server exceptions for NTLM authentication

Network security: Restrict NTLM: add server exceptions in this domain

Network Security: Restrict NTLM: Incoming NTLM Traffic

Network Security: Restrict NTLM: NTLM authentication in this domain

Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers

Network Security: Restrict NTLM: Audit Incoming NTLM Traffic

Network Security: Restrict NTLM: Audit NTLM authentication in this domain

Recovery console: Allow automatic administrative logon

Recovery console: Allow floppy copy and access to all drives and folders

Shutdown: Allow system to be shut down without having to log on

Shutdown: Clear virtual memory pagefile

System cryptography: force strong key protection for user keys stored on the computer - Explain text

System cryptography: force strong key protection for user keys stored on the computer

System objects: Require case insensitivity for non-Windows subsystems

System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)

System settings: Optional subsystems

System settings: Use Certificate Rules on Windows executables for Software Restriction Policies

User Account Control: Admin Approval mode for the Built-in Administrator account

User Account Control: Behavior of the elevation prompt for administrators in Admin Approval mode

User Account Control: Behavior of the elevation prompt for standard users

User Account Control: Detect application installations and prompt for elevation

User Account Control: Only elevate executables that are signed and validated

User Account Control: Only elevate UIAccess applications that are installed in secure locations

User Account Control: Run all administrators in Admin Approval mode

User Account Control: Switch to the secure desktop when prompting for elevation

User Account Control: Virtualize file and registry write failures to per-user locations

User Rights assignment

Access Credential Manager as a trusted caller

Access this computer from the network

Act as part of the operating system

Add workstations to domain

Adjust memory quotas for a process

Allow log on locally

Allow log on through remote Desktop Services

Back up files and directories

Bypass traverse checking

change the system time

Change the time zone

Create a pagefile

create a token object

create global objects

Create permanent shared objects

Create symbolic links

Deny access to this computer from the network

Deny log on as a batch job

Deny log on as a service

Deny log on locally

Deny log on through remote Desktop Services

Enable computer and user accounts to be trusted for delegation

Force shutdown from a remote system

Generate security audits

Impersonate a client after authentication

Increase a process working set

Increase scheduling priority

Load and unload device drivers

Lock pages in memory

Log on as a batch job

Log on as a service

Manage auditing and security log

Modify an object label

Modify firmware environment values

Perform volume maintenance tasks

Profile single process

Profile system performance

Remove computer from docking station

Replace a process level token

Restore files and directories

Shut down the system

Synchronize directory service data

Take ownership of files or other objects

Software Restriction Policies

Software Restriction Policies Technical Overview

Administer Software Restriction Policies

Determine Allow-Deny list and Application Inventory for Software Restriction Policies

Work with Software Restriction Policies Rules

Use software restriction policies to help protect your computer against an email virus

Troubleshoot Software Restriction Policies

Windows Authentication

Windows Authentication Technical Overview

Windows Authentication Concepts

Windows Logon Scenarios

Windows Authentication Architecture

Security Support Provider Interface Architecture

Credentials Processes in Windows Authentication

Group Policy Settings Used in Windows Authentication

Credentials Protection and Management

Configuring additional LSA Protection

Protected Users Security Group

Authentication Policies and Authentication Policy Silos

Group Managed Service Accounts

Getting started with Group Managed Service Accounts

Create the Key Distribution Services KDS Root Key

Kerberos Authentication

What's new in Kerberos authentication

Kerberos Constrained delegation

Preventing Kerberos change password that uses RC4 secret keys

NTLM

TLS - SSL (Schannel SSP)

TLS changes in Windows 10 and Windows Server 2016

Schannel Security Support Provider Technical Reference

Transport Layer Security protocol

Datagram Transport Layer Security protocol

How User Account Control Works

Windows Defender

Windows Defender Events

Automatic exclusions for Windows Defender

TOC

Collapse the table of content

Expand the table of content

Configure Additional Authentication Methods for AD FS

Bill Mathers|Last Updated: 10/6/2016

Applies To: Windows Server 2016, Windows Server 2012 R2

In order to enable multi-factor authentication (MFA), you must select at least one additional authentication method. By default, in Active Directory Federation Services (AD FS) in Windows Server 2012 R2, you can select Certificate Authentication (in other words, smart card-based authentication) as an additional authentication method.

Note

If you select Certificate Authentication, ensure that the smart card certificates have been provisioned securely and have pin requirements.

|-|-| ||Did you know that Microsoft Azure provides similar functionality in the cloud? Learn more about Microsoft Azure identity solutions.

Create a hybrid identity solution in Microsoft Azure:
- Learn about Azure Multi-Factor Authentication.
- Manage identities for single-forest hybrid environments using cloud authentication.
- Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications.|

Microsoft and third-party additional authentication methods

You can also configure and enable Microsoft and third-party authentication methods in AD FS in Windows Server 2012 R2. Once installed and registered with AD FS, you can enforce MFA as part of the global or per-relying-party authentication policy.

Below is an alphabetical list of Microsoft and third-party providers with MFA offerings currently available for AD FS in Windows Server 2012 R2.


Provider	Offering	Link to learn more
Gemalto	Gemalto Identity & Security Services	http://www.gemalto.com/identity
inWebo Technologies	inWebo Enterprise Authentication service	inWebo Enterprise Authentication
Login People	Login People MFA API connector for AD FS 2012 R2 (public beta)	https://www.loginpeople.com
Microsoft Corp.	Microsoft Azure MFA	Walkthrough Guide: Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications (see step 3)
RSA, The Security Division of EMC	RSA SecurID Authentication Agent for Microsoft Active Directory Federation Services	RSA SecurID Authentication Agent for Microsoft Active Directory Federation Services
SafeNet, Inc.	SafeNet Authentication Service (SAS) Agent for AD FS	SafeNet Authentication Service: AD FS Agent Configuration Guide
Swisscom	Mobile ID Authentication Service and Signature Services	Mobile ID Authentication Service
Symantec	Symantec Validation and ID Protection Service (VIP)	Symantec Validation and ID Protection Service (VIP)

Custom Authentication Method for AD FS in Windows Server 2012 R2

We now provide instructions for building your own custom authentication method for AD FS in Windows Server 2012 R2. For more information, see Build a Custom Authentication Method for AD FS in Windows Server 2012 R2.

See Also

Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications

IN THIS ARTICLE
Microsoft and third-party additional authentication methods
Custom Authentication Method for AD FS in Windows Server 2012 R2
See Also

Feedback Share

(c) 2016 Microsoft