We implement 802.1x for Wired Networks utilizing RADIUS with AD. Yet, it becomes complicated for new deployments. After the OS deployment, joining the workstation o the network using a RADIUS portal, then conducting a domain join operation is time consuming.

Combining NPS role into AD role by default for next "forest functional level" would be a great leap forward for security. It would help an AD domain being "secure by default" but also the sysadmins who try to secure their clients would appreciate the saved time.

Of course, the "guest network", where non-domain guest computers should be allowed in another VLAN, should be isolated by both network and domain.

I added a 2016DC to my 2012 and 2012r2 DCs a couple weeks ago.

Today I added a new PC into the network.

The problem is I used the same name as a PC already on the network (shouldn't be an issue Windows always catches this and doesn't allow it).

AD didn't catch this and actually updated the original PC in AD and did not add a second PC or warn that the name was already in use. If I look at the modified date of the original pc in AD it shows it was modified at the same time I supposedly added the new PC.

I then not totally believing this was happening renamed the pc and sure enough the original PC in AD changed to the new name of the new PC I just added.

Seems like a major bug.