http://aka.ms/mttsurvey
http://meetup.com/mttsocal
• Technical Community event, designed to bring IT leaders
in the local area together for deep discussions
• An opportunity to network and share with local
Microsoft Services Professionals and other IT
professionals.
• A Microsoft Services presenter delivers a technically-rich
presentation
• These communities now collectively have over 1100
members that have joined one of the local meetup
groups.
• We are constantly expanding to a region near you, your friends and colleagues…
GROUP JOIN US!
MTT So-Cal Meetup.com/mttsocal
MTT Charlotte Meetup.com/mttcharlotte
MTT Tempe Meetup.com/mtttempe
MTT Nor-Cal Meetup.com/mttnorcal
MTT Pac West Meetup.com/mttpacwest
MTT Las Vegas Meetup.com/mttlasvegas
MTT Detroit Meetup.com/mttdetroit
So-Cal Area Microsoft User Groups (group, meetup link, location):
Orange County SharePoint User Group (OCSPUG): http://www.meetup.com/OCSharePoint (LOCATION: Newport Beach)
So-Cal Azure User Group: http://www.meetup.com/socalazure (LOCATION: San Diego, Irvine, Playa Vista)
Los Angeles Skype for Business User Group: http://www.meetup.com/L-A-O-C-Lync-Users-Group/ (LOCATION: Playa Vista, Irvine)
So-Cal Microsoft Tech Talks: http://www.meetup.com/mttsocal (LOCATION: San Diego, Irvine, Playa Vista)
San Diego .NET User Group: http://www.meetup.com/San-Diego-NET-Users-Group/ (LOCATION: Del Mar)
So-Cal System Center User Group: http://www.meetup.com/SocalSystemCenter (LOCATION: San Diego, Irvine)
San Diego SharePoint User Group (SDSPUG): http://www.meetup.com/Sanspug (LOCATION: San Diego)
San Diego SQL Server User Group: http://www.meetup.com/SDSQLUG/ (LOCATION: San Diego)
So-Cal Area Microsoft Events: http://www.meetup.com/socalmsevents/ (LOCATION: So-Cal)
• Introduction
• Platform Vision
• Management
• Security
• Storage
• Networking
• Compute
• Identity and Access
• Appendix: Hardware Terminology
TechNet Landing Page: Windows Server 2016
1. PowerShell and DSC
2. Active Directory and Identity
3. Server management tools
4. Remote Desktop Services
5. Software defined storage
1. Software-defined compute
2. Software-defined networking
3. Security
4. Containers
5. Nano Server
MSDN Channel 9 - All Windows Server 2016
MS Virtual Academy - All Windows Server Courses
Ten reasons you’ll love Windows Server 2016 Video Series
Free e-book from MS Press: Introducing Windows Server 2016
Launch Dates
Licensing Model
Editions
Installation Options
Servicing
Supported Upgrade Paths
Windows Server 2016 Launch Dates
Technical Preview: October 2014 through October 2016
Release to Market (RTM): September 26th 2016 at Ignite
General Availability (GA) and VLSC: October 12th 2016
First Monthly cumulative update: October 2016
Licensing Model Transformation
Customers run workloads on-premises and in the cloud
• Windows Server 2012 R2 licensing is processor-based
• Azure licensing is core-based
Windows Server 2016 aligned to enable consistency
• Core-based licensing model
• Offers consistent approach across environments
• Enable multi-cloud scenarios
• Improves workload portability
Pricing and Licensing for Windows Server 2016
Editions of Windows Server 2016
Datacenter (unlimited VM and Hyper-V containers)
• Shielded Virtual Machines, software-defined networking, Storage Spaces Direct and Storage Replica
Standard (2 VMs or Hyper-V containers)
Essentials (up to 25 users and 50 devices)
MultiPoint Premium (academic licensing)
Storage Server (dedicated OEM storage solutions)
Hyper-V Server (free)
Pricing and Licensing for Windows Server 2016
Deployment Options
Desktop Experience with Full GUI
Server Core
Nano Server (cannot be installed from Setup; deployed from a prepared image)
Windows Container (Isolation environment)
Desktop Experience
Full GUI
Server Core
Lower maintenance server environment
Nano
Just enough OS
Container
Long Term Servicing Branch (LTSB) Cadence
Current Branch for Business (CBB) Cadence
For Nano Server (Move at the speed of the Cloud)
There are always two supported Current Branch for Business releases at any given time: CBB & CBB-1.
Monthly security and quality updates not available for CBB-2
Supported Upgrade Paths
• Installation
• Migration
• Cluster OS Rolling Upgrade
• License Conversion (Windows Server 2016 Standard to Datacenter)
• Upgrade
• Recommendations for moving to Windows Server 2016
• Windows Server Installation and Upgrade
• Upgrade and conversion options
• Server role upgrade and migration matrix
Platform Vision driven by Executive Feedback, such as
• Our internal IT is hard working, however always behind. Cannot support new development in a timely manner.
• We need to leverage our on-premise data center but also take advantage of the cloud
• IT spent years virtualizing which provided benefits, however developers need new micro-services that are available with PaaS in Cloud. I need this on-premise.
• How do we prevent becoming the next company that is hacked? Security…
Focus - Hybrid Data Center
Most customers now have a mixed On-Premise and Cloud environment
• Traditional Data Center with file, web, db servers.. (limited agility, scales up slowly)
• On-premise private clouds (medium agility, scales up faster)
• Cloud services from a host or public cloud provider such as Azure, Amazon or Google (high agility and scales up fast)
And are moving toward a Hybrid Cloud environment
• A hybrid cloud consists of both on-premise and cloud resources that can be easily moved
• And, that are managed as one…
NIST Definition of Cloud Computing
Azure Stack - Power to control the Datacenter
[Diagram: cloud (hyper-scale) and on-premise datacenter (enterprise-grade), joined by a hybrid, cloud-inspired infrastructure powered by Windows Server, System Center, and Azure technologies]
PowerShell 5.1 (including updates to DSC - Desired State Configuration )
Server Management Tools hosted in Azure
Console Host Update
Azure Stack
Operations Management Suite
PowerShell 5.1 Introduced
Includes new features that extend its use, improve usability, improve control and management of Windows.
• ISE improvements
• Remote PowerShell debugging improvements
• Desired State Configuration (DSC) improvements
• Backward-compatible
PowerShell 5.1
Server Management Tools hosted in Azure
Can be used to manage on-premises infrastructure alongside Azure resources from anywhere.
Gateway server acts as proxy between Azure portal and on-premise resources
• View and change system configuration
• View performance across various resources and manage processes and services
• Manage devices attached to the server.
• View event logs
• View the list of installed roles and features
• Use a PowerShell console to manage and automate
Introducing Server Management Tools
Deploy and Setup Server Management Tools
Console Host Improvements (i.e. the DOS-style command line console)
Updated to include several new editing and marking behaviors
Resize the console window by grabbing an edge with the mouse and dragging
Supports word wrapping
Console windows now can be semi-transparent (to a minimum transparency of 30%).
Use "click-and-drag" selection outside of Quick Edit mode
Control new features through the registry HKCU\Console
What’s New in the Console
Azure Stack for managing Hybrid environments
In Technical Preview since January 2016 (TP2 released in October 2016)
Azure Stack Key Features
Operations Management Suite (OMS)
Operations Management Suite is a separate cloud product that can monitor both on-premise and Azure environments. It can connect to a SCOM management group.
MS Cloud: OMS
IT Management
Failover Clustering
Hyper-V
Nano Server
Windows Containers
Remote Desktop Services
Cluster Rolling Upgrade (mixed OS Clusters)
Cloud Witness
Active Directory independent Cluster Improvements
Storage Spaces Direct
CSV cache enhancements
Shared Virtual hard disk resizing (no downtime)
Failover Clustering
Cluster Rolling Upgrade (mixed OS)
Cluster Rolling Upgrade
Cloud Witness
Uses Azure blob storage in the cloud as the witness in quorum for a stretch cluster
Recommended configuration
Cloud Witness
Storage Spaces Direct
Uses local drives for storage and duplicates data across cluster nodes using Storage Replica (discussed in the Storage section). Note: network speed is critical
Active Directory independent Cluster Improvements
Clusters can now be deployed independent of domain topology
• Clusters with all nodes in the same domain…
• Clusters with nodes in different domains…
• Clusters with nodes which are member servers / workgroup (not domain joined)…
Fewer dependencies results in increased availability
• Cluster infrastructure switched over using Certificates
[Diagram: member servers spanning Domain A and Domain B (multi-domain cluster), and non-domain-joined member servers (workgroup cluster)]
Workgroup and multi-domain clusters
CSV cache enhancements
Write-through cache for unbuffered IO
Boosts VM performance
Scalability improvements to increase the amount of memory that can be allocated as CSV Cache
Compatible with Tiered Storage Spaces and Deduplication
Shared Virtual Hard Disk
VHDX Resize with no downtime
Guest Clusters Shared VHDX protected by Hyper-V Replica for Disaster Recovery
Guest Clusters can have both host level and guest backups of Shared VHDX
Nano Server
Supported for use as cluster nodes
Includes only essential Cluster Resources
Present Not Present
IPAddress
NetworkName
DistributedNetworkName
IPv6 Address
ScaleOutFileServer
RLUA
PhysicalDisk
Storage Pool
Task Scheduler
Virtual Machine
Virtual Machine Configuration
VirtualMachineReplicationBroker
File Server
FileShareWitness
GenericApplication
GenericScript
GenericService
Distributed File System
IPv6 Tunnel Address
Microsoft iSNS
MSMQTriggers
MSMQ
DHCP Service
Disjoint IPv4 Address
Disjoint IPv6 Address
DFS Replicated Folder
Distributed Transaction Coordinator
IPv6 Tunnel Address
NatProvider Address
WINS Service
iSCSI Target Server
Increased Scalability and Performance
Management
Diagnostic Improvements
Nested Virtualization
Hyper-V Clustered Role Resiliency Improvements
Hyper-V
Increased Scalability
Increased Performance
• Discrete device assignment of some PCIe hardware devices to VM
• Host Resource Protection on host from VM activity
• Hot add or remove of NICs on Generation 2 VMs
• Hot add or remove of memory on Generation 2 VMs
• RDMA support for NICs bound to Hyper-V virtual switch independent of Switch Embedded Teaming (SET)
• Virtual machine multi queues (VMMQ) allocate multiple hardware queues per virtual machine
• Storage QoS policies (CSV or SOFS)
Management Improvements
Hyper-V Manager Console Improvements
• Alternate credentials support
• Manage earlier versions
• Updated Management Protocol
Integration Services delivered through Windows Update
Windows PowerShell Direct (uses Hyper-V Sockets)
• Run PowerShell commands in VM from the host directly
• No need to configure network, firewall or remote management
Hyper-V Sockets
• Services using socket-based communication between host and VM
• Available in native code (C/C++)
TechNet:
• Hyper-V Manager Improvements
• Integration Services
• PowerShell Direct
• Hyper-V Sockets
Configuration File Versions
The version of the VM configuration determines which version of Hyper-V supports it
Server 2016 introduced the .VMCX configuration file format (no longer in XML)
If moving VMs from 2012 R2 to 2016, the configuration file will need to be upgraded
Virtual Machine Groups
Added support for groupings of Virtual Machines (2 types)
• VM Collections – allow executing tasks on a group of VMs
• Management Collections – allow VM collections to be nested
Create with PowerShell: New-VMGroup -GroupType
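The following is an added example, not part of the slide deck, that ties together three items from the Hyper-V management slides: VM groups (a VM collection nested in a management collection), the configuration version upgrade for VMs that arrived from 2012 R2, and PowerShell Direct (the "run PowerShell in the VM from the host without network, firewall or remote management setup" item above). The VM names web01 and web02, the group names, and the guest credential are assumptions; the cmdlets are the Windows Server 2016 Hyper-V module's own.

```powershell
# Added example (not from the slide deck): manage a set of Hyper-V VMs with
# VM groups and PowerShell Direct on a Windows Server 2016 host.
# Assumptions: VMs named web01 and web02 exist; you hold a guest local
# administrator credential; run in an elevated session on the Hyper-V host.
#Requires -Modules Hyper-V

$vmNames   = 'web01', 'web02'                         # assumed VM names
$guestCred = Get-Credential -Message 'Guest administrator credential'

# 1. VM collection: a group of VMs that tasks can be run against.
$webTier = Get-VMGroup -Name 'WebTier' -ErrorAction SilentlyContinue
if (-not $webTier) {
    $webTier = New-VMGroup -Name 'WebTier' -GroupType VMCollectionType
}
foreach ($vm in Get-VM -Name $vmNames) {
    if ($webTier.VMMembers.Name -notcontains $vm.Name) {
        Add-VMGroupMember -VMGroup $webTier -VM $vm
    }
}

# 2. Management collection: nests VM collections (here just one).
$prod = Get-VMGroup -Name 'Production' -ErrorAction SilentlyContinue
if (-not $prod) {
    $prod = New-VMGroup -Name 'Production' -GroupType ManagementCollectionType
    Add-VMGroupMember -VMGroup $prod -VMGroupMember $webTier
}

# 3. Configuration version: VMs moved from 2012 R2 (version 5.0) keep the old
#    version until upgraded; 2016-only features need the 2016 version (8.0).
#    The upgrade is one-way and needs the VM to be off.
Get-VM -Name $vmNames | Select-Object Name, Version, State
Get-VM -Name $vmNames |
    Where-Object { [version]$_.Version -lt [version]'8.0' -and $_.State -eq 'Off' } |
    ForEach-Object { Update-VMVersion -VM $_ -Confirm:$false }

# 4. PowerShell Direct: run a command in each running group member over the
#    Hyper-V socket (VMBus), so no guest network, firewall or WinRM setup is needed.
$running = $webTier.VMMembers | Where-Object State -eq 'Running'
Invoke-Command -VMName $running.Name -Credential $guestCred -ScriptBlock {
    # Runs inside the guest: report patch level and whether Defender is running
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Build      = [System.Environment]::OSVersion.Version.ToString()
        DefenderOn = (Get-Service -Name WinDefend -ErrorAction SilentlyContinue).Status
    }
}
```

Because PowerShell Direct authenticates with a guest credential rather than a network identity, it works against VMs on isolated or not-yet-configured networks; that is also why it is one of the channels a shielded VM policy blocks (see the Security section).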
Mobility Improvements
Live Migration to a host running an earlier version of Windows Server
Virtual Machine Ordering
Production Checkpoints
• “Point in time” images of a VM
• Backup technology inside the guest is used to create the checkpoint, instead of using saved states
Connected Standby Compatibility
• With the Always On/Always Connected (AOAC) power model, the Connected Standby power state is now available
Support for Linux
• Secure Boot Support
• Hot add and remove of network adapters
• Hyper-V Socket support
TechNet:
• Production Checkpoints
• Connected Standby
• Linux Support
Diagnostic Improvements
Improved Validation times for both Storage and non-Storage tests
Faster
Diagnostics
Additional Validation tests to catch Active Directory configuration issues
Improved Network Name resource logging
Logging
Less noise logged to the cluster log to prevent wrapping
Additional data logged to cluster.log and mini-dump of log level 5
New Memory Dump – Active Dump
Filters out most memory pages allocated to Virtual Machines
Nested Virtualization Support
Ability to run Hyper-V servers inside Hyper-V Virtual machines
Supported for Virtualization Based Security features
Hyper-V Development environments
Run Hyper-V in a Virtual Machine with Nested Virtualization
Resiliency Features for Clustered Hyper-V Role
Site Awareness for stretched clusters
Group nodes and storage based on physical location. Fails over to node in same site and Storage affinity (VMs follow storage)
Node Fairness
Dynamically load balances the VMs on the cluster
VM Compute Resiliency
VMs continue to run even when nodes become isolated, and are resilient to transient failures
Quarantine of unhealthy nodes
Nodes that go in and out of cluster are temporarily placed in “Quarantined” state
Storage Resiliency
On storage failure, the tenant VM session state is preserved. VM moved to “PausedCritical” state
as it waits for the storage to recover. On recovery the session state is restored
TechNet
VM Compute Resiliency
• Site Awareness
• Node Fairness
Overview
Role Support
Driver Support
Application Installation Support
Anti-Malware, Patching and Feature Releases
Management
Image Builder Tool
Third-party Hypervisor Support
Nano Server
Overview
Headless, 64-bit only and managed remotely
Deploys without reboots (deployment to start: 1 to 5 minutes)
Secure – fewer components, small attack surface
Stable – less patching, longer uptime; when in doubt, redeploy
Small – 180 MB WIM, 600 MB VHDX
Ideal for scenarios such as
• Compute host for Hyper-V VMs and Windows Containers
• Storage cluster host for Scale-Out File Server
• Standalone DNS server
• Web server running IIS
• Born-in-the-cloud apps (Java Runtime, .NET Core, ASP.NET Core, Node.js, Python, Go, Ruby, Django, Apache, PHP, CoreCLR, MySQL, Redis, Nginx, etc.)
Role Support
• Hyper-V, including container and shielded VM support
• Datacenter Bridging
• Defender
• DNS Server
• Desired State Configuration
• Clustering
• IIS
• Network Performance Diagnostics Service (NPDS)
• System Center Virtual Machine Manager
• Secure Startup
• Scale out File Server, including Storage Replica, MPIO, iSCSI initiator, Data Deduplication
** Roles are not included in the image; they are separate packages, to minimize footprint
Driver Support
Driver installation remains INF-based for Windows Server 2016
• Inject drivers into a new Nano Server image with New-NanoServerImage -DriverPath
• Install drivers into an offline VHD from INF files via DISM
• Online driver installation is available using PNPUTIL.EXE
Deploy Nano Server (Section: Adding additional drivers)
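As an added example (not from the deck or from Microsoft's documentation), here is the image-build step the driver slide describes: New-NanoServerImage with -DriverPath injecting an out-of-box NIC driver, the Hyper-V and Defender packages selected, and a DISM check that the driver really landed in the offline image. The media path D:\, the driver folder C:\Drivers\nic, the output folder C:\NanoBuild and the computer name are assumptions.

```powershell
# Added example (not from the slide deck): build a Nano Server VHDX with the
# Hyper-V and Defender packages and inject an out-of-box NIC driver.
# Assumptions: Windows Server 2016 media at D:\, the driver .inf and its files
# extracted to C:\Drivers\nic, output under C:\NanoBuild. The image generator
# module ships on the media under \NanoServer\NanoServerImageGenerator.
Import-Module 'D:\NanoServer\NanoServerImageGenerator\NanoServerImageGenerator.psd1'
New-Item -ItemType Directory -Path 'C:\NanoBuild\Mount' -Force | Out-Null

$params = @{
    Edition                    = 'Datacenter'
    DeploymentType             = 'Host'            # physical host; 'Guest' for a VM image
    MediaPath                  = 'D:\'
    BasePath                   = 'C:\NanoBuild\Base'
    TargetPath                 = 'C:\NanoBuild\nano-hv01.vhdx'
    ComputerName               = 'nano-hv01'
    Compute                    = $true             # Hyper-V role package
    Defender                   = $true             # Windows Defender package (built-in antimalware)
    EnableRemoteManagementPort = $true             # opens WinRM in the image firewall
    DriverPath                 = 'C:\Drivers\nic'  # folder containing the .inf to inject
    AdministratorPassword      = (Read-Host -AsSecureString 'Nano administrator password')
}
New-NanoServerImage @params

# Post-build check: mount the offline image and list non-inbox (injected) drivers
Mount-WindowsImage -ImagePath 'C:\NanoBuild\nano-hv01.vhdx' -Index 1 -Path 'C:\NanoBuild\Mount'
Get-WindowsDriver -Path 'C:\NanoBuild\Mount' |
    Where-Object Inbox -eq $false |
    Select-Object Driver, ProviderName, ClassName, Version
Dismount-WindowsImage -Path 'C:\NanoBuild\Mount' -Discard

# Online alternative once the server is running (over PowerShell remoting):
#   pnputil.exe /add-driver C:\Drivers\nic\*.inf /install
```

Keeping the role packages explicit in the build parameters is what keeps the footprint (and attack surface) small: anything not passed to New-NanoServerImage is simply absent from the resulting image.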
Application Installation
MSIs are not supported since they are built for local installs and may invoke a GUI or other features unfriendly to a headless server
Applications must be refactored to be compatible with Nano Server.
Windows Server App (WSA) is the only supported installer available for Nano Server
• Appx installer has been extended to package WSAs
Configuration and Installation are handled separately
• Configuration handled by PowerShell Desired State Configuration or other tool like Puppet
• Group Policy is not supported on Nano Server
Example of application that can be installed on Nano
• Puppet - Works on Nano with some minor changes win32ole, win32-dir
Installing Windows Server Apps on Nano Server
Hands-on Packaging App for Nano Server
Anti-malware, Patching and New Releases
Antimalware options – Windows Defender is built in by default. 3rd party products are not currently supported by Nano Server
Patching – Windows Update is supported. 3rd party products are not supported by Nano Server
New Feature Releases
• Follows Current Branch for Business (CBB) for new features. Patching supports CBB-2. At CBB-3 updates are not available. (Reference: Service Model Details for Windows Server 2016)
• Upgrading to the next CBB requires recreating image. Cannot be upgraded. Releases will be available on the Volume License Center (VLSC).
Licensing Requires Software Assurance.
TechNet: Managing updates in Nano Server – Section Managing Updates
Management
Domain Join supported
Group Policy Not Supported (LGPO supported)
Use PowerShell DSC instead of Group Policy
No local user interface, manage remotely
• PowerShell and DSC
• Server Manager
• Supports PowerShell core set of cmdlets
• Supports WMI v1 and v2 providers
• MMC Snap-in tools
Recovery Console includes local interface with simple menu to repair network configuration
SCVMM and SCOM Agent supported
Nano Server Image Builder GUI Tool
• GUI-based with many custom settings
• Create USB Key to detect firmware and hardware
• Create bootable USB or ISO for deployment
• Runs on Windows 8/8.1/10
• PowerShell script history
• Requires ADK
Download: http://aka.ms/NanoServerImageBuilder
Blog: Into Nano Server Image Builder
Third-party Hypervisor
Links for installing on VMWare
• TechNet Wiki: Nano Server: Virtualization with VMWare VSphere
• Polar Clouds Blog: Nano Hyper-V in a VMWare Virtual Machine
• Cloud base Blog: Nano Server on KVM and ESXi
Note: Be aware when reviewing articles that many of the parameters on New-NanoServerImage changed between each Technical Preview, RTM (9/26/16) and General Release (10/11/16).
Overview
Windows Containers versus Hyper-V Containers
Supported Operating Systems
“Hyper-V Container Host” Requirements
Docker Engine for Windows
Note about Active Directory
Learning Resources
Windows Containers
Overview
Windows containers provide operating-system-level virtualization that allows multiple isolated applications to run on a single system
How do containers differ from virtual machines?
• Container: OS virtualization where each virtualized app includes the app itself, required binaries and libraries, and a guest OS
• Virtual Machine: machine virtualization where each VM simulates the underlying physical hardware
Containers Overview
Windows Containers versus Hyper-V Containers
• Windows Containers: shared kernel architecture. Isolation provided through namespace and process isolation technologies
• Hyper-V Containers: separate kernel architecture. Isolation provided through Hyper-V; each container runs inside a utility VM
Supported Operating System for Container Host
Windows Containers and Hyper-V Containers are Supported on
• Windows Server 2016 Desktop Experience (Datacenter or Standard)
• Window Server 2016 Server Core (Datacenter or Standard)
• Windows Server 2016 Nano Server
• Windows 10 Professional and Enterprise 1607+ (i.e. Anniversary Edition+)
Licensing Note:
• Windows Containers: Unlimited on Standard or Datacenter
• Hyper-V containers: (2) on Standard / (Unlimited) on Datacenter
• Check with MS Account team for other scenarios
Supported Operating System for Container images
Window Server 2016 Server Core (Datacenter or Standard)
Windows Server 2016 Nano Server
• For Windows Containers, the “Container Host” Build must match the “Container Image” Build
• As of 10/31/16 currently 10.0.14393.351 –> KB3197954 Oct 2016 Cumulative Update
• If Update installed on “Container Host”, then all “Container Images” on Host must be updated
• Check MS Support: Windows 10 Update History to determine latest cumulative update
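The build-match rule above is easy to break silently after a cumulative update lands on the host. As an added example (not from the slide deck), this script reads the host's build and update build revision (the 10.0.14393.351 form the slide quotes) and compares it with the OsVersion that docker inspect reports for every Windows image on the host. It assumes Docker for Windows Server is installed and docker.exe is on the PATH.

```powershell
# Added example (not from the slide deck): flag Windows container images whose
# OS build/revision no longer matches the container host after an update.
# Assumes Docker for Windows Server is installed and docker.exe is on the PATH.

function Get-HostOsVersion {
    # 10.0.<build> from the OS plus the update build revision (UBR) from the
    # registry, e.g. 10.0.14393.351 after the October 2016 cumulative update.
    $v   = [System.Environment]::OSVersion.Version
    $ubr = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
    [version]('{0}.{1}.{2}.{3}' -f $v.Major, $v.Minor, $v.Build, $ubr)
}

function Get-ContainerImageOsVersion {
    # docker inspect exposes a Windows image's OS version as OsVersion;
    # Linux images have none and are skipped by the pattern match.
    $refs = docker images --format '{{.Repository}}:{{.Tag}}' | Where-Object { $_ -notlike '<none>*' }
    foreach ($ref in $refs) {
        $osv = (docker inspect --format '{{.OsVersion}}' $ref) -join ''
        if ($osv -match '^\d+\.\d+\.\d+\.\d+$') {
            [pscustomobject]@{ Image = $ref; OsVersion = [version]$osv }
        }
    }
}

function Test-ContainerImageBuildMatch {
    $hostVer = Get-HostOsVersion
    foreach ($img in Get-ContainerImageOsVersion) {
        $status = if ($img.OsVersion.Build -ne $hostVer.Build) {
                      'BUILD MISMATCH: image cannot run as a Windows Server container on this host'
                  } elseif ($img.OsVersion.Revision -ne $hostVer.Revision) {
                      'Revision differs: rebuild or pull the image after the host cumulative update'
                  } else { 'OK' }
        [pscustomobject]@{
            Image   = $img.Image
            ImageOs = $img.OsVersion
            HostOs  = $hostVer
            Status  = $status
        }
    }
}

Test-ContainerImageBuildMatch | Format-Table -AutoSize
```

Run this as part of the host patching runbook: a host that passed its monthly update but still carries last month's base images is the state the slide warns about, and it is the image rebuild, not the host, that is usually forgotten.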
Requirements
“Hyper-V Container Host” Requirements
Windows Server 2016 (Server Core or Desktop Experience), Nano Server, or Windows 10 Pro or Enterprise (Anniversary Edition)
Hyper-V Role Enabled
Hyper-V partition(s)
Additional Requirements if the “Hyper-V Container Host” is itself virtualized
Hyper-V role enabled in the VM (i.e. nested virtualization)
Minimum 4 GB RAM assigned (not dynamic)
Minimum 2 virtual processors assigned
TechNet: Hyper-V Containers
TechNet: System Requirements
Docker Engine for Windows
While containers are new to Windows, Linux containers have been available since 2008
Docker.exe examples: docker run, docker images
Docker Engine for Windows Server containers developed under the Docker open source project
Docker client uses the same standard Docker client and interface as Linux
Docker Hub is a Collection of open and curated applications
Collaboration with Docker brings Windows Server containers to the Docker ecosystem
Docker Engine
Note about Active Directory
The “Container Host” must be domain joined
Optional to join Container to domain with Emulated domain join
Group Policy cannot be applied to Containers (eliminates overhead)
Domain credentials are not stored in the container image (data at rest).
Emulated domain join (requires AD 2012+ functional levels of AD)
• Allows services in a container to run with Group managed service accounts (gMSA)
• Allows applications to use Windows Integrated Authentication
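The emulated domain join described above is implemented with a group managed service account and a credential spec file. As an added example (not from the slide deck or from Microsoft's documentation), the following creates the gMSA, verifies the container host can retrieve its password, and starts a container that authenticates as that account. The domain contoso.local, the AD group ContainerHosts, the gMSA name WebAppGmsa and the use of Microsoft's CredentialSpec helper module (from the windows-server-container-tools repository) are assumptions.

```powershell
# Added example (not from the slide deck): give a Windows container a domain
# identity via a group managed service account (gMSA) and a credential spec,
# without domain-joining the container itself.
# Assumptions: domain contoso.local with a KDS root key already created; AD group
# ContainerHosts containing the container host computer accounts; gMSA WebAppGmsa;
# Microsoft's CredentialSpec helper module installed on the host.

# --- on a machine with the ActiveDirectory PowerShell module ---
New-ADServiceAccount -Name 'WebAppGmsa' -DNSHostName 'webapp.contoso.local' `
    -ServicePrincipalNames 'http/webapp.contoso.local' `
    -PrincipalsAllowedToRetrieveManagedPassword 'ContainerHosts'

# --- on the domain-joined container host (reboot after adding it to ContainerHosts) ---
Test-ADServiceAccount -Identity 'WebAppGmsa'   # True when this host may retrieve the gMSA password

# The credential spec is a JSON file under C:\ProgramData\docker\CredentialSpecs that
# names the gMSA. It carries no password, so no secret is baked into the image.
Import-Module CredentialSpec
New-CredentialSpec -Name 'WebAppGmsa' -AccountName 'WebAppGmsa'
Get-CredentialSpec

# Processes running as Local System or Network Service inside the container now
# authenticate on the network as CONTOSO\WebAppGmsa$ (Kerberos, so Windows
# Integrated Authentication works). On Server 2016 the container hostname must
# equal the gMSA name.
docker run -d --hostname WebAppGmsa --security-opt 'credentialspec=file://WebAppGmsa.json' microsoft/iis
```

The security property worth noting: the image and the credential spec are both safe to store and share, because the gMSA password is only ever retrieved at run time by a host that Active Directory has authorized.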
Learning
Create a free Azure account
In the Azure Portal create a Windows Server 2016 VM with the containers feature
Filter on “Container”, select “Windows Server 2016 with Containers..” and follow the wizard
http://www.lybecker.com/blog/2016/08/31/getting-started-with-windows-containers/
References:
MSDN: Container Images Quick Start
MSDN: Deploy Windows Containers
GitHub: Walk Through sample Music Store application with Windows Containers
RemoteFX vGPU
Discrete Device Assignment (DDA)
RDP Graphics Compression (codec)
RD Connection Broker Scale Enhancements
Cloud Optimizations – Azure Active Directory and SQL
Multi-point Services Role
Personal session Desktops, Gen 2 VM Support, and Pen Remoting Support
Remote Desktop Services
RemoteFX vGPU
Provides a rich desktop remoting experience with Server 2016 Hyper-V and RDS, enabling multiple VMs to share the same physical GPU for graphics acceleration
• OpenGL 4.4 and OpenCL 1.1 API support
• Up to 1GB dedicated VRAM and up to 1GB of shared memory available in VM
• Up to 4k resolution support
• Windows Server 2016 VM support
• Improved performance
Discrete Device Assignment (DDA) Support
Allows some PCI Express devices to be passed through directly to a guest VM
RDS Can now take advantage of DDA, enabling enhanced graphics performance.
• Full graphics API Support (ex. DirectX, OpenGL, CUDA, OpenCL) (depends on GPU driver)
• Native GPU Driver Support (Intel, AMD, NVIDIA)
• Maximum Performance (1 or more GPUs to 1 VM)
• Multiuser RDSH Support. Multiple sessions can utilize the graphics card assigned to the RDSH VM via DDA
Graphics enhancements – Codec investments
Now implements full-screen AVC 444 mode
• High quality 4:4:4 model using standard H.264/AVC 4:2:0 hardware decoders
• Reduced bandwidth and better experience at higher resolutions
• Hardware offload support
RDP AVC/H.264 improvements
RD Connection Broker Scale Enhancements
Enhanced to handle highly concurrent logon scenarios (“logon storms”).
• RD Connection Broker was tested to 10k concurrent connections with zero failure rate
RD Connection Broker requires a SQL database
• In previous OS versions a SQL cluster was recommended, requiring 2 VMs
• SQL database is still required however SQL authentication is now supported
• Shared SQL/DB connections, making even smaller scale deployments more cost effective.
RD Connection Broker Performance Improvements
Cloud Optimizations – Azure Active Directory and SQL
RDS can utilize Azure services to provide more cost-effective solutions.
• Azure AD Application Proxy enables secure remote access to applications. RD Gateway servers are still required. Now they can be published to the Application Proxy service, instead of exposed to the public internet. This reduces attack surface and enhances security.
• Conditional access rules can be created to further define how users must authenticate (require multi-factor authentication, require MFA only when users are not at work, block access when not at work).
• Azure AD Domain Services provides managed domain services (domain join, group policy, LDAP, Kerberos, etc.). A Remote Desktop Services environment using Domain Services eliminates the need to deploy and manage domain controllers.
• Azure SQL Database includes high availability, disaster recovery, and upgrade mechanisms. A RDS environment using Azure SQL Database eliminates the need to deploy and manage VMs for SQL.
Use Azure SQL DB for RD Connection Broker
Multi-point Services Role
New server role
• Enables low-cost per seat desktop computing
• Allows multiple users, each with their own independent Windows experience, to simultaneously share one computer.
• The unique tool-set of this role allows monitoring of all user sessions on the MultiPoint server
• MultiPoint does not use or require the Remote Desktop (RD) Connection Broker and RD Gateway roles
• Enabling the MultiPoint Services role also installs the Remote Desktop Session Host role, which allows users to connect remotely with devices of their choice by using Remote Desktop applications available on Windows, Windows Phone, Android, iOS and Mac OS
MultiPoint Services Role
Other Improvements
Personal session Desktops (New collection type)
Support for Generation 2 virtual machines (Support for RemoteFX and OpenGL)
Pen Remoting Support
Use personal session desktops
Introducing Personal Desktops
Pen Remoting
Resilient File System (ReFS)
• Now preferred for data volumes (requires UEFI and GPT)
• Data Integrity, Resiliency, Availability, Speed and Efficiency Improvements
Data Deduplication
• Integrated support for virtualized backup workloads and support for Nano Server
• Major performance and scalability improvements (64TB volumes and 1TB files)
SMB 3.1.1
• Pre-Authentication Integrity
• Encryption Performance Improvements
• Supports rolling cluster upgrades
• SMB hardening improvements for SysVol in Active Directory
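An added example (not from the slide deck) of putting the SMB 3.1.1 items to work on a file server: see which dialect clients actually negotiate, remove SMB1 so pre-authentication integrity cannot be bypassed by downgrade, require encryption on a sensitive share and signing elsewhere. The share name Finance is an assumption; the hardened UNC path entries at the end are a client-side Group Policy setting commonly paired with the SYSVOL hardening the slide lists, not the slide's own item.

```powershell
# Added example (not from the slide deck): audit SMB dialects in use and harden
# a Windows Server 2016 file server. Run elevated; share name 'Finance' is assumed.

# 1. Which dialect are current sessions using? Only 3.1.1 provides pre-authentication
#    integrity (a hash over the negotiate exchange that defeats downgrade) and the
#    faster AES-128-GCM encryption.
Get-SmbSession | Select-Object ClientComputerName, ClientUserName, Dialect

# 2. SMB1 supports neither encryption nor pre-authentication integrity; remove it.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Uninstall-WindowsFeature -Name FS-SMB1

# 3. Encrypt a sensitive share and refuse clients that cannot encrypt (SMB 3.0+).
Set-SmbShare -Name 'Finance' -EncryptData $true -Force
Set-SmbServerConfiguration -RejectUnencryptedAccess $true -Force

# 4. Require signing for everything else (cheaper than encryption; blocks tampering and relay).
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

# 5. Hardened UNC paths (client side): insist on mutual authentication and integrity
#    for SYSVOL and NETLOGON, where Group Policy and logon scripts come from.
$hp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
if (-not (Test-Path $hp)) { New-Item -Path $hp -Force | Out-Null }
Set-ItemProperty -Path $hp -Name '\\*\SYSVOL'   -Value 'RequireMutualAuthentication=1,RequireIntegrity=1'
Set-ItemProperty -Path $hp -Name '\\*\NETLOGON' -Value 'RequireMutualAuthentication=1,RequireIntegrity=1'

# 6. Verify
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, RejectUnencryptedAccess, RequireSecuritySignature
Get-SmbShare -Name 'Finance' | Select-Object Name, EncryptData
```

Check step 1 before step 3: any client still showing a dialect below 3.0 will lose access to an encrypted share, which is the intended effect but should be a known one.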
Storage Spaces Direct
Use standard servers with local storage to build highly available and scalable software-defined storage
Storage Replica
Volume-level software replication between storage of any type
Storage QoS
Prevent noisy neighbors from impacting high-priority workloads with a Storage QoS policy
Microsoft offers an industry leading portfolio for building on-premises clouds. We embrace your choice of storage for your cloud – be it traditional SAN/NAS or the more cost-effective software-defined storage solutions using Storage Spaces Direct and Storage Spaces with shared JBODs.
Storage Resiliency
Clustered Hyper-V Role
• Detects storage failures
• Takes action to mitigate impact
• VM resumes exactly where it left off
• Designed for short transient failures
• > 30 minutes, VM shutdown
Flow: VM is running → VM experiences failure writing to VHD/VHDX → VM placed in Paused-Critical state → Storage becomes responsive → VM moves back to running state
Storage Resiliency
Storage Innovation with Storage Spaces Direct
Software-defined storage using standard servers with local storage
[Diagram: industry-standard x86 servers with SAS connectivity and industry-standard JBODs of SSDs, pooled by Storage Spaces Direct and presented to workload servers/clusters]
• Standard servers with local storage (SATA, PCIe, JBOD..)
• Fault tolerance to disk, enclosure, node failures
• Simple and fine grained expansion
Storage Replica
Volume level software replication between storage of any type
Workload agnostic
Synchronous replication
Used by Failover Clusters with Storage Spaces Direct
• Automatic cluster failover for low Recovery time
Azure Site Recovery Storage Replica also available
Storage Replica
DNS Enhancements
DHCP Enhancements
Switch Embedded Teaming (SET)
Hyper-V Virtual Switch Enhancements
Software Defined Networking
DNS Enhancements
DNS Server Policies
Selective Recursion Control
Response Rate Limiting (RRL)
DNS Based Authentication of Named Entities (DANE)
Management of Unknown Record Types
IDNS Service
IPv6 Root Hints
Nano Server Support
TechNet Documentation and Blogs
• What's New in DNS Server in Windows Server 2016
• DNS policy overview
• PowerShell documentation
• Geo-Location Based Traffic Management
• Split-Brain DNS Deployment Using DNS Policies
• Applying Filters on DNS Queries using DNS Policies
• Application Load Balancing using DNS Policies
• Intelligent DNS Responses Based on the Time of Day
• Traffic Management with DNS Policies in Primary-
Secondary Deployment
• Selective Recursion Control Using DNS Policies
• Upward Referral Responses from Authoritative DNS
Servers
• Split-Brain DNS in Active Directory Environment Using
DNS Policies
• Response Rate Limiting in Windows DNS Server
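Two of the DNS Server features listed above, Selective Recursion Control and Response Rate Limiting, address the same operational risk: an authoritative server that also resolves for internal clients becoming an open resolver or an amplifier. The following is an added example (not from the deck), using the Windows Server 2016 DnsServer module; the internal client range 10.0.0.0/8, the scope and policy names, and the trusted forwarder address are assumptions.

```powershell
# Added example (not from the slide deck): restrict recursion to internal clients
# and enable Response Rate Limiting in log-only mode first. Run on the DNS server.
# Assumptions: internal clients are in 10.0.0.0/8; 10.1.2.3 is a trusted resolver.

# 1. Selective recursion: recursion off in the default scope, on only for a named
#    scope that a policy applies to queries from the internal subnet.
Set-DnsServerRecursionScope -Name . -EnableRecursion $false
Add-DnsServerRecursionScope -Name 'InternalResolver' -EnableRecursion $true
Add-DnsServerClientSubnet   -Name 'InternalClients' -IPv4Subnet '10.0.0.0/8'
Add-DnsServerQueryResolutionPolicy -Name 'RecurseForInternalOnly' -Action ALLOW `
    -ApplyOnRecursion -RecursionScope 'InternalResolver' -ClientSubnet 'EQ,InternalClients'
# Anything else now gets authoritative answers only, never recursion.

# 2. Response Rate Limiting: identical responses to one source above the per-second
#    threshold are dropped or truncated (TC bit forces the client to retry over TCP,
#    which a spoofed amplification source cannot do). LogOnly shows the effect first.
Set-DnsServerResponseRateLimiting -Mode LogOnly -ResponsesPerSec 5 -ErrorsPerSec 5 `
    -WindowInSec 5 -LeakRate 3 -TruncateRate 2 -Force

# Exempt a known-good resolver that legitimately sends many identical queries.
Add-DnsServerClientSubnet -Name 'TrustedForwarder' -IPv4Subnet '10.1.2.3/32'
Add-DnsServerResponseRateLimitingExceptionlist -Name 'TrustedForwarderExc' -ClientSubnet 'EQ,TrustedForwarder'

# 3. Verify
Get-DnsServerRecursionScope
Get-DnsServerQueryResolutionPolicy
Get-DnsServerResponseRateLimiting

# After reviewing the LogOnly period, enforce:
#   Set-DnsServerResponseRateLimiting -Mode Enable -Force
```

The policy order matters: the recursion policy is evaluated only for queries that need recursion, so authoritative answers for your own zones are unaffected for external clients, which is exactly the split the slide's "Split-Brain DNS" and "Selective Recursion Control" articles describe.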
DHCP
Network Access Protection (NAP)
Officially deprecated in Windows Server 2012 R2, but still supported
Windows Server 2016 DHCP Servers
• Will not enforce NAP Policies
• DHCP scopes cannot be NAP-enabled
DHCP DDNS Registration Failures
Improved Event Logging
• Adds new event details as to why DNS registrations might be failing (event id 20317 through 20327)
New Client Retry Behavior
• Windows 10 1607 will not make any retry attempts in configs where the DHCP Server is responsible for DDNS name registrations
Switch Embedded Teaming and Converged RDMA
Does not require a NIC team to converge NICs; there is no team name.
Groups between one and eight physical Ethernet network adapters into one or more software-based virtual network adapters
Supports RDMA, which NIC Teaming does not.
Notes:
• All team members must be identical make/model/driver/features
• No Active/Passive teaming
• No 32-port teams available with NIC Teaming (LBFO)
Switch Embedded Teaming
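As an added example (not from the slide deck), this is what the converged configuration described above looks like in the Windows Server 2016 Hyper-V module: a SET-enabled virtual switch over two identical adapters, host vNICs for management and SMB, RDMA enabled on the SMB vNICs and each one pinned to a team member. The adapter names NIC1 and NIC2 and the switch and vNIC names are assumptions.

```powershell
# Added example (not from the slide deck): Hyper-V switch with Switch Embedded
# Teaming (SET) and converged RDMA. Assumed physical adapter names: NIC1, NIC2
# (SET requires identical make/model/driver/features, as the slide notes).

# One switch over both NICs; no separate LBFO team object exists.
New-VMSwitch -Name 'ConvergedSwitch' -NetAdapterName 'NIC1', 'NIC2' `
    -EnableEmbeddedTeaming $true -AllowManagementOS $false
Set-VMSwitchTeam -Name 'ConvergedSwitch' -LoadBalancingAlgorithm HyperVPort   # or Dynamic

# Host vNICs: one for management, two for SMB (storage / live migration) traffic.
Add-VMNetworkAdapter -SwitchName 'ConvergedSwitch' -Name 'Mgmt' -ManagementOS
Add-VMNetworkAdapter -SwitchName 'ConvergedSwitch' -Name 'SMB1' -ManagementOS
Add-VMNetworkAdapter -SwitchName 'ConvergedSwitch' -Name 'SMB2' -ManagementOS

# RDMA on the SMB vNICs (SMB Direct), which LBFO teaming could not offer.
Enable-NetAdapterRDMA -Name 'vEthernet (SMB1)', 'vEthernet (SMB2)'

# Pin each SMB vNIC to one team member so storage traffic paths are predictable.
Set-VMNetworkAdapterTeamMapping -ManagementOS -VMNetworkAdapterName 'SMB1' -PhysicalNetAdapterName 'NIC1'
Set-VMNetworkAdapterTeamMapping -ManagementOS -VMNetworkAdapterName 'SMB2' -PhysicalNetAdapterName 'NIC2'

# Verify team members and RDMA state
Get-VMSwitchTeam -Name 'ConvergedSwitch'
Get-NetAdapterRdma
```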
Hyper-V Virtual Switch Enhancements
Virtual Machine Multi-Queue (VMMQ) added
Enables the Hyper-V host NIC to distribute traffic from virtual RSS into a traffic queue on the physical NIC for VMs
VXLAN Encapsulation Task Offload support added
Added support to offload encapsulation operations for VXLAN (Virtual Extensible LAN) in addition to NVGRE (Network Virtualization using Generic Routing Encapsulation)
Datacenter Bridging with a Hyper-V Switch support added
Use a single ultra-high-bandwidth NIC with QoS and isolation services to support multitenant workloads
Network tracing is streamlined and provides more detail
Contains switch and port configuration information that tracks packets through the Hyper-V Virtual Switch, including any forwarding extensions installed
Networking
Cloud-scale fundamentals
SDN infrastructure
What’s New in Networking
Software Defined Networking Overview
Hybrid datacenter extension
Network function virtualization
• Data plane based on Azure
• High-throughput, low-latency packet processing [up to 40G]
• Programmable Network controller based on Azure
• Switch Embedded Teaming (SET)
• NVGRE, VXLAN, and OVSDB support
• Port Mirroring
• Software Load balancer that is proven in Azure
• Network Address Translation Capability
• Distributed firewall
• Custom service chaining, including Linux appliances
• Azure ExpressRoute
• Multi-tenant gateways
• RAS Gateway
• User Defined Routing
What’s New in Networking
Network Controller
Distributed Firewall
Software Load Balancer
• Network Controller
Software Load Balancing for SDN
RAS Gateway for SDN
New Focus
Protect the Operating System
Protect Credentials
Protect Virtual Machines
Detect and Respond
Security is its own Silo with a new Focus
Applied “Assume breach” to new Security Designs with the focus to
• Protect
• Detect
• Respond
Control Flow Guard
Protects against unknown vulnerabilities by blocking common attack vectors
Configurable Code Integrity
Ensures that only permitted binaries can be executed from the moment the OS is booted
Windows Defender
Actively protects from known malware without impacting workloads
Device Guard (Virtualization Based Security)
Protects the boot process (more on next slide)
Control Flow Guard
Configurable Code Integrity
Windows Defender
Device Guard (VBS)
• Hypervisor protects Kernel and OS
• UEFI Secure Boot protects boot process and firmware from tampering
• UEFI Secure Boot with IOMMU protects against DMA based attacks
• Hypervisor Code Integrity (HVCI) protects code executing in kernel mode
• Other optional Protections
• Secure MOR, HSTI, UEFI NX and SMM Mitigation
• VBS Requirements
• Unified Extensible Firmware Interface (UEFI)
• Input-Output Memory Management Unit (IOMMU)
• Direct Memory Access (DMA)-based attacks
• Hypervisor Code Integrity (HVCI)
Credential Guard: Protects stored credentials from Pass-the-Hash attacks
• The LSA process talks to a new component called the isolated LSA process, which stores and protects secrets. Requires Virtualization Based Security to be enabled
Remote Credential Guard: Protects credentials over a Remote Desktop connection
• Credential Guard
Remote Credential Guard
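The VBS, HVCI and Credential Guard bullets above describe protections that are only effective when they are actually running, not merely configured. The following is an added example (not from the deck) that reads the Win32_DeviceGuard WMI class Windows Server 2016 exposes and reports configured-versus-running state; the numeric codes follow Microsoft's documentation of that class.

```powershell
# Added example: audit VBS / HVCI / Credential Guard state on the local host.
# Run in an elevated PowerShell session on the host being checked.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName 'Win32_DeviceGuard'

# VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
$vbsState = switch ($dg.VirtualizationBasedSecurityStatus) {
    0       { 'not enabled' }
    1       { 'enabled but NOT running (reboot pending or hardware requirement unmet)' }
    2       { 'running' }
    default { "unknown ($_)" }
}
Write-Host "Virtualization Based Security: $vbsState"

# SecurityServicesConfigured / SecurityServicesRunning hold service codes:
#   1 = Credential Guard, 2 = Hypervisor-enforced Code Integrity (HVCI)
$serviceNames = @{ 1 = 'Credential Guard'; 2 = 'HVCI' }
foreach ($code in 1, 2) {
    $name       = $serviceNames[$code]
    $configured = $dg.SecurityServicesConfigured -contains $code
    $running    = $dg.SecurityServicesRunning    -contains $code
    if ($running)        { Write-Host    "$name : running" }
    elseif ($configured) { Write-Warning "$name : configured but NOT running" }
    else                 { Write-Warning "$name : not configured" }
}

# AvailableSecurityProperties lists which platform prerequisites from the slide
# the firmware/hardware actually provide (documented Win32_DeviceGuard codes):
$props = @{
    1 = 'Hypervisor support'
    2 = 'Secure Boot'
    3 = 'DMA protection (IOMMU)'
    4 = 'Secure Memory Overwrite (Secure MOR)'
    5 = 'NX protections'
    6 = 'SMM mitigations'
}
foreach ($p in $props.Keys | Sort-Object) {
    $have = $dg.AvailableSecurityProperties -contains $p
    Write-Host ("{0,-40} {1}" -f $props[$p], $(if ($have) { 'available' } else { 'MISSING' }))
}
```

A host that reports Credential Guard as "configured but NOT running" still stores credentials in the regular LSA process, so the Pass-the-Hash protection described above is not yet in effect.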
Just In Time Administration: Provide privileged access through a workflow that is audited and limited in time
• Secure Bastion Forest
• Shadow security principal (groups) in Bastion Forest
• Time-bound expiration
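The time-bound expiration bullet is implemented in Windows Server 2016 AD as a time-to-live on the group membership link, which the domain controller removes on its own. The following is an added example (not from the deck or from MIM); the forest name, group and account are placeholders, and the cmdlet parameters are those of the Windows Server 2016 ActiveDirectory module.

```powershell
# Added example: time-bound group membership for JIT administration.
Import-Module ActiveDirectory

$forestFqdn = 'corp.example.com'          # placeholder (bastion) forest
$group      = 'Tier0-ServerAdmins'        # placeholder privileged/shadow group
$account    = 'alice.admin'               # placeholder requesting user
$ttl        = New-TimeSpan -Hours 2       # how long the elevation lasts

# 1. One-time forest preparation. The optional feature needs the Windows Server
#    2016 forest functional level and cannot be disabled once enabled, so check first.
$pam = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
if (-not $pam.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $pam `
        -Scope ForestOrConfigurationSet -Target $forestFqdn
}

# 2. Grant membership that expires by itself: the TTL is stored with the member
#    link, so no standing membership and no cleanup job are left behind. Kerberos
#    tickets issued to the member are also limited to the remaining TTL.
Add-ADGroupMember -Identity $group -Members $account -MemberTimeToLive $ttl

# 3. Audit view for reviewers: who currently holds access and for how long.
#    Expiring members appear as "<TTL=<seconds>,CN=...>"; permanent ones have no prefix.
Get-ADGroup -Identity $group -Properties member -ShowMemberTimeToLive |
    Select-Object -ExpandProperty member |
    ForEach-Object {
        if ($_ -match '^<TTL=(\d+)>,(.*)$') {
            [pscustomobject]@{ Member = $Matches[2]; SecondsLeft = [int]$Matches[1] }
        } else {
            [pscustomobject]@{ Member = $_; SecondsLeft = 'permanent' }
        }
    } | Format-Table -AutoSize
```

Permanent members listed by the audit step are exactly the standing privileges the JIT workflow is meant to eliminate.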
Just Enough Administration
Host Guardian Service
Device Health Attestation
Components of Shielded Virtual Machines
Virtualization Based Security
Prevent infected hosts from accessing virtual machines’ memory and processors
• Device Guard and Credential Guard
Host Guardian Service (more on next slide)
Ensure VMs are running on a legitimate host, leveraging
• Measured Boot
• Device Health Attestation
BitLocker with vTPM
Encrypt the VM hard drive
Host Guardian Service
Device Health Attestation Service
Evaluates validity of host before allowing VM to start
Two Attestation Modes
• Admin
• TPM
TechNet:
• Shielded VMs
• Guarded Fabric
• Attestation Modes
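The shielded VM slides above describe two things a fabric operator should be able to verify: that the host has passed attestation with the Host Guardian Service, and that a given VM is actually shielded rather than merely carrying a vTPM. The following is an added example (not from the deck) using the HgsClient and Hyper-V modules that ship with Windows Server 2016; it assumes it is run on the Hyper-V host itself.

```powershell
# Added example: audit guarded-host attestation and per-VM shielding state.
Import-Module HgsClient
Import-Module Hyper-V

# Host side: which mode, which HGS, and did attestation pass?
$hgs = Get-HgsClientConfiguration
[pscustomobject]@{
    Mode                   = $hgs.Mode                    # Local or HostGuardianService
    IsHostGuarded          = $hgs.IsHostGuarded
    AttestationStatus      = $hgs.AttestationStatus       # e.g. Passed, Expired, ...
    AttestationSubstatus   = $hgs.AttestationSubstatus    # reason when not Passed
    AttestationServerUrl   = $hgs.AttestationServerUrl
    KeyProtectionServerUrl = $hgs.KeyProtectionServerUrl
} | Format-List

if (-not $hgs.IsHostGuarded) {
    Write-Warning 'Host is not guarded: shielded VMs cannot be started here.'
}

# VM side: Shielded = true means the HGS key protector and policy apply;
# TpmEnabled alone (vTPM / BitLocker) is the weaker "encryption supported" mode.
Get-VM | ForEach-Object {
    $sec = Get-VMSecurity -VM $_
    [pscustomobject]@{
        VM         = $_.Name
        Generation = $_.Generation        # shielding requires Generation 2
        State      = $_.State
        vTPM       = $sec.TpmEnabled
        Shielded   = $sec.Shielded
    }
} | Sort-Object Shielded, VM | Format-Table -AutoSize
```

Any VM that holds sensitive data but shows Shielded = False and vTPM = False is still readable by an administrator of the host, which is the exposure the slides set out to remove.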
Enhanced Security Logs
New targeted audit events to better detect malicious behavior by providing more detailed information
Windows Server 2016 security auditing reference
Microsoft Advanced Threat Analytics (ATA): Analyze, learn, detect and alert on suspicious activities and abnormal behavior (separate product)
• Takes information from multiple data-sources in your network to learn the behavior of users and other entities and build a behavioral profile.
• Advanced Threat Analytics
• Operations Management Suite
Operations Management Suite (OMS): Monitors both on-premises and Azure cloud environments from the cloud. Can connect to SCOM (separate product)
Microsoft Passport for Work has been renamed to Windows Hello for Business
Enterprise Mobility End to End
Windows Hello: Built in to the Windows 10 and Windows Server 2016 operating systems
Enables logon with a device-specific PIN or biometrics (facial recognition, fingerprints, etc.)
Can be managed with Group Policy
Microsoft Passport Guide
Windows Hello for Business (New name for “Microsoft Passport for Work”)
Associates your Windows Hello device and PIN with an Identity Provider (IDP) such as Active Directory or Azure AD to log you on seamlessly
Every device creates a unique private/public key pair and registers it with the IDP
Replaces physical and virtual smart cards as well as reusable passwords for logon and access control
Takes advantage of onboard TPM hardware to generate, store and process keys if a TPM is present
Microsoft Passport
Schema and Functional Level
Deprecation of FRS and Windows Server 2003 Functional Level
Accurate Time Enhancements
Allow NTLM network authentication when user is restricted to selected devices with “Authentication Policies”
Auto-roll NTLM Secrets for Smartcard Users
Schema Version 70 through 87 New Features
• Windows Hello For Business (name change from “Microsoft Passport for Work”)
• ADFS 2016 at 2016 behavior level (FBL)
Windows Server 2016 Forest Functional Level
• Privileged Access Management (PAM) Service in Bastion AD Forest (supported, not required)
Windows Server 2016 Domain Functional Level
• Enable rolling of expiring NTLM secrets
• Allow NTLM authentication when account restricted to selected devices with Authentication Policies
• Active Directory Schema versions
• ADFS 2016 Behavior Level
• Passport Guide (search for schema)
Windows Server 2016 Functional Levels
What’s New for MIM 2016 SP1
Deprecation of FRS
• New Forests will only use DFS-R
• Existing Forests: Windows Server 2016 DCs can participate in FRS
• Best Practice to use DFS-R for SysVol Replication for performance, manageability and support
Deprecation of Windows Server 2003 Functional Level
• New Forests: Windows Server 2003 Functional Levels not available
• Existing Forests: Windows Server 2016 DCs can be added if schema version updated to 87
• Windows Server 2003 Functional Level will not be supported in future releases
Deprecation of FRS
Deprecation of Windows Server 2003 Functional Levels
Windows Server 2016 Accurate Time: Maintains 1 ms or better accuracy with respect to UTC on Windows Server 2016 Domain Controllers
Time synchronization accuracy has been improved substantially, while maintaining full backwards NTP compatibility with older Windows OS versions
Under reasonable operating conditions you can maintain 1 ms or better accuracy with respect to UTC for Windows Server 2016 and Windows 10 (1607) domain members.
Improvements
• Elimination of rounding errors while calculating time
• More frequent, fine-tuned adjustments leading to better accuracy
• More accurate time server estimation
• Leading to accuracy within tens of microseconds
Time Improvements in Windows Server 2016
Windows Server 2016 Accurate Time
Allow NTLM network authentication when user is restricted to selected devices with “Authentication Policies”
Requires:
• Windows Server 2016 domain FL
• NTLM enabled on the authentication policy
Note: The first generation of authentication policies blocked NTLM, since they could not determine which device the request came from.
Auto-roll NTLM Secrets for Smartcard Users
Purpose: Automatically roll NTLM secrets for Windows Hello or smart card only users to invalidate old NTLM secrets
DC requirements:
• Windows Server 2016 Domain Functional Level
• Enabled on new domains by default. Opt in for existing domains
Device requirements:
• Ability to sign on with a smart card, virtual smart card or Windows Hello for Business (i.e. Passport for Work)
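Both of the preceding features (NTLM with device-restricted authentication policies, and rolling NTLM secrets for smart card / Windows Hello-only users) are enabled with the Windows Server 2016 ActiveDirectory module. The following is an added example (not from the deck); the domain name and policy name are placeholders, and the parameter and attribute names are those documented for Windows Server 2016.

```powershell
# Added example: enable the two 2016 domain functional level NTLM features.
Import-Module ActiveDirectory

$domainName = 'corp.example.com'             # placeholder domain
$policyName = 'Tier0-AdminWorkstations'      # placeholder authentication policy
$domain     = Get-ADDomain -Identity $domainName

# Preflight: both features require the Windows Server 2016 domain functional level.
if ($domain.DomainMode -notmatch '2016') {
    throw "Domain functional level is $($domain.DomainMode); Windows2016Domain is required."
}

# (1) Authentication policies that pin users to selected devices rely on the
#     Kerberos device claim, which NTLM lacks; 2016 adds an explicit opt-in so
#     those users can still use NTLM where a service needs it.
$policy = Get-ADAuthenticationPolicy -Filter "Name -eq '$policyName'"
if ($policy) {
    Set-ADAuthenticationPolicy -Identity $policy -UserAllowedNTLMNetworkAuthentication $true
} else {
    Write-Warning "Authentication policy '$policyName' not found; skipping NTLM opt-in."
}

# (2) Rolling NTLM secrets is a domain-level switch (on by default for new 2016
#     domains, opt-in for existing ones). It applies to accounts flagged
#     "Smart card is required for interactive logon", so list those first.
$attr = 'msDS-ExpirePasswordsOnSmartCardOnlyAccounts'
$affected = Get-ADUser -Filter 'SmartcardLogonRequired -eq $true' -Server $domainName
Write-Host ("{0} smart-card-only accounts will have their NTLM secrets rolled." -f @($affected).Count)

Set-ADDomain -Identity $domain -Replace @{ $attr = $true }

# Verify the attribute was written.
$state = (Get-ADDomain -Identity $domainName -Properties $attr).$attr
Write-Host "$attr = $state"
```

Once the domain attribute is set, an NTLM hash captured from one of the listed accounts stops being reusable after the secret rolls, which is what the slide means by invalidating old NTLM secrets.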
Security and Assurance
Firmware
VT-x (Intel) AMD-V
SLAT
IOMMU Direct Memory Access-based attacks
TPM
Firmware (cont.)
UEFI
Secure Boot Trusted Boot ELAM
GPT
HSTI
Secure MOR
NIST guidelines
Drivers
Windows Hardware Compatibility Program
Network Adapter Technologies
RSS
vRSS
VMQ
dVMQ
VMMQ
RDMA
SR-IOV
NVGRE VXLAN
DCB
Storage Technologies
GPT MBR
NTFS ReFS
MPIO
NVMe
SATA