techorama 2017 - what's new in windows server 2016


Upload: david-de-vos

Post on 29-Jan-2018


TRANSCRIPT

Page 1: Techorama 2017 - What's new in Windows Server 2016
Page 2: Techorama 2017 - What's new in Windows Server 2016

WHAT’S NEW IN WINDOWS SERVER 2016

Page 3: Techorama 2017 - What's new in Windows Server 2016

Windows 2016 Server Management

Page 4: Techorama 2017 - What's new in Windows Server 2016

Management in Windows server 2016

PowerShell

PowerShell Desired State Configuration

PowerShell Direct

Rich Web GUI

Manage all server installations (Nano, Core, Full)

Servers can be on-premises or in the cloud

Server Management Tool (SMT)

Page 5: Techorama 2017 - What's new in Windows Server 2016

Web-based and cross-platform

Includes replacements for local-only tools, including:

Task Manager

Registry Editor

Event Viewer

Device Manager

Sconfig

Control Panel

Performance Monitor

Disk Management

Users/Groups Manager

File Explorer

PowerShell

Also manages Server Core and Server with GUI

Remote Server Management Tools

Page 6: Techorama 2017 - What's new in Windows Server 2016

Windows 2016 PowerShell

Page 7: Techorama 2017 - What's new in Windows Server 2016

PowerShell manages your environment

Gallery contains Dell, Citrix, VMWare, AWS, Azure, SQL cmdlets

PowerShell DSC runs on Linux

PowerShell is a platform

Partners include Chef, Puppet, Ansible, Octopus…

PowerShell is on Nano Server

Nano is managed with PowerShell, configured with DSC

PowerShell 5 ships where you need it

Windows 10, Windows Server 2016

WMF5.0 for Win7, Win8.1, Server 2008r2, 2012, 2012r2

PowerShell eases moving to the cloud

Azure PowerShell cmdlets, Azure DSC Extensions

Same approach, everywhere

Page 8: Techorama 2017 - What's new in Windows Server 2016

Key problems PowerShell addresses

The pace of change is increasing and ever-faster solution delivery is needed. Solutions must span on-premises, hybrid, and cloud.

DevOps methods promise to help; how do you make the transition?

Page 9: Techorama 2017 - What's new in Windows Server 2016

Code Sharing: PowerShell Gallery, PowerShellGet, Github

Editing – ISE improvements

Debugging – Remote debugging, DSC debugging

Security – Auditing, Just Enough Administration (JEA)

Improving information

Delivering doc updates faster via Github.Com/Powershell

Microsoft.com/PowerShell: the hub for PowerShell information

Easier, faster automation with PowerShell

Page 10: Techorama 2017 - What's new in Windows Server 2016

Enabling transition to DevOps

DevOps: a set of practices emphasizing collaboration & communication between SW developers and IT pros while automating software delivery and infrastructure changes. Leverages tools to automate build, validation, & configuration.

PowerShell in Windows Server 2016 provides:

Desired State Configuration (DSC) – defining configuration as code

Security Improvements – Auditing, Just Enough Administration (JEA)

Package Management

PowerShell classes integrate developer practices into configuration and automation

PowerShell Script Analyzer – best practice analysis tool

Pester – PowerShell validation

Page 11: Techorama 2017 - What's new in Windows Server 2016

Windows 2016 Remote Desktop Services

Page 12: Techorama 2017 - What's new in Windows Server 2016

The platform for your virtual workspace strategy

Apps, Devices, Data, Users

Microsoft Remote Desktop Services

Build your solution on a trusted foundation

Page 13: Techorama 2017 - What's new in Windows Server 2016

Optimized for cloud

Increased performance

Efficient and secure architecture

Connection Broker: shared SQL connections

Graphics improvements

Enhanced scale

Page 14: Techorama 2017 - What's new in Windows Server 2016

• Currently Windows 10 Remote Desktop Connection only, other Remote Desktop clients to follow

• Enabled by default for vGPU RDP 10 sessions

• Group Policy to enable on Windows 10 and Windows Server 2016

High quality 4:4:4 mode using standard H.264/AVC 4:2:0 hardware decoders

Remote Desktop client apps use hardware H.264/AVC decoder when available

Page 15: Techorama 2017 - What's new in Windows Server 2016

Windows Server 2008 R2 – RemoteFX vGPU

• Hyper-V integration

• DX 9 support

Windows Server 2012 – RemoteFX vGPU

• DX 11.0

• VM connect with vGPU

• GPU management

Windows Server 2012 R2 – RemoteFX vGPU

• DX 11.1 support

• Higher video memory

• Up to 2560 x 1600 resolution

• Scale improvements

Windows Server 2016 – RemoteFX vGPU

• OpenGL 4.4 & OpenCL 1.1

• 1GB dedicated VRAM

• Up to 4k resolution

• Server VM support

• Improved performance

Windows Server 2016 – Discrete Device Assignment

• Full API support*

• Native GPU driver support

• Maximum performance*

* Verify card support for this configuration with GPU vendor

Page 16: Techorama 2017 - What's new in Windows Server 2016

High-availability connection broker

Use database in existing SQL Server cluster or Azure SQL DB

Improved connection handling performance: 10K+ concurrent connection requests supported in “log on storm” situations

Page 17: Techorama 2017 - What's new in Windows Server 2016

HA RDS 2012R2 Infra: 7 role services, 8 VMs

HA RDS 2016 Infra: 4 role services, 4 VMs

Roles that can be deployed on one VM:

• RD Gateway and Web Access

• RD Connection Broker and RD Licensing

Page 18: Techorama 2017 - What's new in Windows Server 2016

Windows 2016 Nano Server

Page 19: Techorama 2017 - What's new in Windows Server 2016

Born in the cloud: Subset of Win32

.NET Core and ASP.NET Core

PowerShell Desired State Configuration (DSC)

PackageManagement (aka OneGet)

Open Source Application Frameworks

Available as OS everywhere: Host OS for physical hardware

Guest OS in a VM

Windows Server containers

Hyper-V containers

Nano Server – Cloud application platform

Page 20: Techorama 2017 - What's new in Windows Server 2016

Nano Server: Next step in our cloud journey

Zero-footprint model: Server roles and optional features live outside of Nano Server

Standalone packages that install like applications

Key roles & features: Hyper-V, Storage (SoFS), Clustering

IIS and DNS Server available in TP4

Core CLR and ASP.NET 5

Full Windows Server driver support

Antimalware optional package

System Center VMM and OM agents supported

Page 21: Techorama 2017 - What's new in Windows Server 2016

Nano Server installation option - just enough OS

Containers and modern applications

Third-party applications

RDS experience

Existing VM workloads

Set-up time: 300s

Boot time: 85s

Disk space: 5.4GB

Set-up time: 35s

Boot time: 9s

Disk space: 0.46GB

Page 22: Techorama 2017 - What's new in Windows Server 2016

Nano Server Image Builder

Page 23: Techorama 2017 - What's new in Windows Server 2016

Remotely Managing Nano Server

Server Manager

Hyper-V Manager

Failover Cluster Manager

PerfMon, Event Viewer, etc.

PowerShell Core

Server Management Tools (SMT)

Page 24: Techorama 2017 - What's new in Windows Server 2016

Nano Server Recovery Console

Provides local access to network configuration and settings

▪ Computer name

▪ Domain or workgroup name

▪ Network information

▪ Firewall rules

▪ Reset WinRM

▪ VM Host on a Hyper-V Host

Page 25: Techorama 2017 - What's new in Windows Server 2016

Nano Server vs Server Core

Nano Server has a full developer experience, unlike Server Core

Windows SDK & Visual Studio 2015 target Nano Server

Rich design-time experience: Project template, full IntelliSense, error squiggles, etc.

Full remote debugging experience

Page 26: Techorama 2017 - What's new in Windows Server 2016

Windows 2016 Failover Clustering

Page 27: Techorama 2017 - What's new in Windows Server 2016

Diagnostic Improvements

Faster: Improved Validation times for both Storage and non-Storage tests

Diagnostics: Additional Validation tests to catch Active Directory configuration issues; improved Network Name resource logging

Logging: Less noise logged to the cluster log to prevent wrapping; additional data logged to cluster.log, header and mini-dump of log level 5 verbosity

Page 28: Techorama 2017 - What's new in Windows Server 2016

Reducing Dump Sizes

Focus: Excludes memory allocated to virtual machines; simplified debugging of Hyper-V systems with large amounts of RAM

Size: Active Memory Dump captures what is important with smaller file sizes; new alternative to a Complete (Full) memory dump
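As an added example (not from the deck), the PowerShell below switches a Hyper-V host from a Complete dump to an Active Memory Dump and reads the mode back. The registry values are the documented CrashControl settings; the change is read at boot.

```powershell
# Added example, not from the slide deck. Active Memory Dump = Complete dump
# (CrashDumpEnabled = 1) with FilterPages = 1, which leaves guest VM pages and
# standby/free pages out of the file while keeping what the kernel debugger needs.
$CrashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

function Get-DumpMode {
    $cc = Get-ItemProperty -Path $CrashControl
    if ($cc.CrashDumpEnabled -eq 1 -and $cc.FilterPages -eq 1) { return 'Active' }
    switch ($cc.CrashDumpEnabled) {
        0 { 'None' } 1 { 'Complete' } 2 { 'Kernel' } 3 { 'Small' } 7 { 'Automatic' }
        default { "Unknown ($($cc.CrashDumpEnabled))" }
    }
}

function Set-ActiveMemoryDump {
    Set-ItemProperty -Path $CrashControl -Name CrashDumpEnabled -Value 1 -Type DWord
    Set-ItemProperty -Path $CrashControl -Name FilterPages      -Value 1 -Type DWord
    # Settings are read at boot: the first bugcheck after a reboot writes the smaller file.
}

"Before: $(Get-DumpMode)"
Set-ActiveMemoryDump
"After (effective at next boot): $(Get-DumpMode)"
```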

Page 29: Techorama 2017 - What's new in Windows Server 2016

Zero Downtime Debugging

Availability: Capture debugging data without having to bugcheck nodes; debugging data without downtime

Integration: Clustering will capture live dumps on failures; live dumps are a mechanism to generate a memory dump for debugging without crashing the system

Orchestration: Capture dumps across multiple machines in parallel to enable debugging the distributed system; integrated with Windows Error Reporting to snapshot logs

Page 30: Techorama 2017 - What's new in Windows Server 2016

Quarantine of Flapping Nodes

Resiliency: Node is quarantined if it ungracefully leaves the cluster three times within an hour; VMs are gracefully drained once quarantined

Protection: Unhealthy nodes are quarantined and are no longer allowed to join the cluster; prevents flapping nodes from negatively affecting other nodes and the overall cluster

Control: No more than 25% of nodes can be quarantined at any given time; nodes are prevented from joining the cluster for 2 hours

Page 31: Techorama 2017 - What's new in Windows Server 2016

Domain Joined (traditional model)

Page 32: Techorama 2017 - What's new in Windows Server 2016

Multi-domain with Windows Server 2016

✓ Flexible HA and DR

Page 33: Techorama 2017 - What's new in Windows Server 2016

Domain-less cluster with Windows Server 2016

✓ Flexible HA and DR

✓ Reduced dependencies increase availability

Page 34: Techorama 2017 - What's new in Windows Server 2016

Cloud Witness

[Diagram: cluster spanning Site1 and Site2, with the witness in Azure]

Flexible Scenarios

Stretched clusters without a 3rd site

Clusters without shared storage

Guest Clusters in Azure VM role

Hybrid Cloud

Leveraging the power of the public cloud to increase resiliency of your private cloud

Azure blob storage as an arbitration point
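Added example (not from the deck): configuring the Cloud Witness described above and verifying it. The cluster name and storage account name are assumptions; the storage account key is a credential and is prompted for rather than stored in the script.

```powershell
# Added example, not from the slide deck. 'CLU01' and 'contosowitness' are assumed.
Import-Module FailoverClusters
$ClusterName    = 'CLU01'
$StorageAccount = 'contosowitness'

# The account key authorises writes to the witness blob, so treat it like a password:
# prompt for it, never commit it with the script.
$Key = (Get-Credential -UserName $StorageAccount -Message 'Azure storage account key')
$AccessKey = $Key.GetNetworkCredential().Password

# Switch the quorum witness to Cloud Witness. The cluster only needs outbound HTTPS (443)
# to the storage account; no third site or shared disk is required.
Set-ClusterQuorum -Cluster $ClusterName -CloudWitness `
    -AccountName $StorageAccount -AccessKey $AccessKey

# Verify the quorum configuration and that the witness resource is online.
Get-ClusterQuorum -Cluster $ClusterName | Select-Object Cluster, QuorumResource, QuorumType
Get-ClusterResource -Cluster $ClusterName -Name 'Cloud Witness' |
    Select-Object Name, State, OwnerNode

# Key rotation: regenerate the key in Azure and re-run Set-ClusterQuorum with the new
# value; until then the witness resource will fail and the cluster falls back to node
# majority, which is visible as a failed 'Cloud Witness' resource above.
```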

Page 35: Techorama 2017 - What's new in Windows Server 2016

Site Awareness

[Diagram: stretched cluster across Site1 and Site2]

Failover Affinity: Groups failover to a node within the same site before failing to a node in a different site

Sites: Define grouping of nodes in a stretched cluster which corresponds to their physical location; impacts placement policies and heartbeating

Storage Affinity: VMs follow storage and are placed in the same site where their associated storage resides; VMs will begin live migrating to the same site as their associated CSV after 1 minute

Page 36: Techorama 2017 - What's new in Windows Server 2016

Fault Domain Awareness

Flexible Scenarios: Set up with PowerShell or XML policy; create flexible, nested topologies

Fault Domains: Clustering now understands Node, Chassis, Rack, and Site; drives failure policies and Spaces Direct data placement
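Added example (not from the deck) covering both the Site Awareness and Fault Domain Awareness slides: describing a two-site stretched cluster as a Site > Rack > Node hierarchy, setting a preferred site, and adjusting cross-site heartbeating. Cluster, site, rack and node names are assumptions.

```powershell
# Added example, not from the slide deck. All names (CLU01, Site1/2, Rack1/2, NODE1-4)
# are assumed; the cmdlets are from the Windows Server 2016 FailoverClusters module.
Import-Module FailoverClusters
$C = 'CLU01'

# Build the fault-domain tree. Sites drive failover affinity and heartbeating;
# racks (and optionally chassis) drive Storage Spaces Direct data placement.
New-ClusterFaultDomain -Cluster $C -Name 'Site1' -Type Site -Location 'Amsterdam'
New-ClusterFaultDomain -Cluster $C -Name 'Site2' -Type Site -Location 'Brussels'
New-ClusterFaultDomain -Cluster $C -Name 'Rack1' -Type Rack
New-ClusterFaultDomain -Cluster $C -Name 'Rack2' -Type Rack
Set-ClusterFaultDomain -Cluster $C -Name 'Rack1' -Parent 'Site1'
Set-ClusterFaultDomain -Cluster $C -Name 'Rack2' -Parent 'Site2'
foreach ($n in 'NODE1','NODE2') { Set-ClusterFaultDomain -Cluster $C -Name $n -Parent 'Rack1' }
foreach ($n in 'NODE3','NODE4') { Set-ClusterFaultDomain -Cluster $C -Name $n -Parent 'Rack2' }

$Cluster = Get-Cluster -Name $C

# Failover affinity: roles stay in Site1 while any Site1 node is up, and only move
# to Site2 when the whole site is lost.
$Cluster.PreferredSite = 'Site1'

# Heartbeats across the WAN use their own thresholds once sites exist
# (defaults shown: 1000 ms interval, 20 missed heartbeats before a node is down).
$Cluster.CrossSiteDelay     = 1000
$Cluster.CrossSiteThreshold = 20

# Review the topology the cluster will use for placement and failure handling.
Get-ClusterFaultDomain -Cluster $C |
    Format-Table Name, Type, ParentName, ChildrenNames, Location -AutoSize
```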

Page 37: Techorama 2017 - What's new in Windows Server 2016

Seamless Upgrades

Cluster: In-place Upgrades of cluster nodes now possible with Win2016

Rolling Upgrade from Win2012 R2 to Win2016

Page 38: Techorama 2017 - What's new in Windows Server 2016

Disaster Recovery with Stretched Clusters

Page 39: Techorama 2017 - What's new in Windows Server 2016

Multi-Site Cluster

End-to-End Multi-Site Clusters: Storage Replica

[Diagram: multi-site cluster across Site1 and Site2]

Flexible: Volume level software replication between storage of any type; workload agnostic

Integrated: End-to-end Windows Server disaster recovery solution

Automatic: Synchronous replication; automatic cluster failover for low Recovery Time Objective (RTO)

Page 40: Techorama 2017 - What's new in Windows Server 2016

Windows 2016 Identity

Page 41: Techorama 2017 - What's new in Windows Server 2016

[Diagram: accounts Domain Admin, Dean, Jane, John, Admin]

Credential Guard prevents Pass the Hash and Pass the Ticket attacks by protecting stored credentials and credential artifacts using Virtualization based Security

Remote Credential Guard works in conjunction with Credential Guard for RDP sessions providing SSO for RDP sessions while eliminating the need for credentials to be passed to the RDP host

Just Enough Administration limits administrative privileges to the bare-minimum required set of actions (limited in space)

Just in Time Administration provides privileged access upon request through a workflow that is audited and limited in time

Protect Privileged Identity: mitigate Pass the Hash, control privileged accounts

Page 42: Techorama 2017 - What's new in Windows Server 2016

Just Enough Administration

Delegated administration for anything that can be managed with PowerShell

• Reduce the number of administrators on your machines

• Leveraging virtual accounts that perform privileged actions on behalf of regular users.

• Limit what users can do

• Specifying which cmdlets, functions and external commands they can run.

• Better understand what your users are doing

• Transcripts and logs that show you exactly which commands a user executed during their session.
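Added example (not from the deck): a JEA endpoint that implements the three bullets above for a hypothetical group CONTOSO\DnsOperators, which may only query and restart the DNS service. The module name, group name, endpoint name and transcript path are assumptions.

```powershell
# Added example, not from the slide deck. Run on the server that will host the endpoint.
# Assumed names: module JeaDnsOps, group CONTOSO\DnsOperators, endpoint DnsOps.
$ModuleName = 'JeaDnsOps'
$ModulePath = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$ModuleName"
$RoleDir    = Join-Path $ModulePath 'RoleCapabilities'
New-Item -Path $RoleDir -ItemType Directory -Force | Out-Null
# A manifest makes the folder a discoverable module; role capabilities are found by name.
New-ModuleManifest -Path (Join-Path $ModulePath "$ModuleName.psd1")

# "Limit what users can do": only these commands are visible, and Restart-Service is
# constrained to the DNS service through a ValidateSet on its -Name parameter.
New-PSRoleCapabilityFile -Path (Join-Path $RoleDir 'DnsOperator.psrc') `
    -VisibleCmdlets @(
        'Get-Service',
        'Get-DnsServerZone',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'DNS' } }
    ) `
    -VisibleExternalCommands 'C:\Windows\System32\whoami.exe'

# "Reduce the number of administrators": the session runs as a virtual account with local
# admin rights, so operators themselves need no privileged group membership.
# "Understand what users are doing": every session is transcribed to a directory the
# operator cannot write to (set its ACL accordingly and forward it to your SIEM).
$SessionFile = Join-Path $env:TEMP 'DnsOps.pssc'
New-PSSessionConfigurationFile -Path $SessionFile `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JeaTranscripts' `
    -RoleDefinitions @{ 'CONTOSO\DnsOperators' = @{ RoleCapabilities = 'DnsOperator' } }

if (-not (Test-PSSessionConfigurationFile -Path $SessionFile)) {
    throw 'Session configuration file failed validation'
}
Register-PSSessionConfiguration -Name 'DnsOps' -Path $SessionFile -Force | Out-Null

# Operator side (from a workstation):
#   Enter-PSSession -ComputerName dns01 -ConfigurationName DnsOps
#   Get-Command            # lists only the commands exposed by the role
#   whoami                 # shows the virtual account, not the operator's own identity
```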

Page 43: Techorama 2017 - What's new in Windows Server 2016

Challenges in protecting credentials

[Chart: capability over time for a typical administrator; accounts Ben, Mary, Jake, Admin, Domain admin]

Social engineering = First breach often starts with one workstation/user

Pass the Hash =

Admin = Unlimited rights for unlimited time window

Page 44: Techorama 2017 - What's new in Windows Server 2016

Protect against compromised admin credentials

Just enough and just-in-time administration

[Chart: capability over time for a typical administrator; accounts Ben, Mary, Jake, Admin, Domain admin]

Credential Guard: Prevents Pass the Hash and Pass the Ticket attacks by protecting stored credentials through Virtualization based Security (VBS)

Just enough administration: Limits administrative privileges to the bare-minimum required set of actions (limited in space)

Remote Credential Guard: Works in conjunction with Credential Guard for RDP sessions, providing SSO for RDP sessions while eliminating the need for credentials to be passed to the RDP host

Just-in-time administration: Provides privileged access through a workflow that is audited and limited in time

Page 45: Techorama 2017 - What's new in Windows Server 2016

Time-limited group memberships

• Users can be added to a security group with time-to-live (TTL)

• When the TTL expires, the user’s membership in that group disappears

• TGT based on shortest group membership

• ST based on TGT and resource local domain group membership

• Scavenger thread takes care of cleaning up group memberships

Group – Member: <TTL,user-DN>

User – TGT: Shortest group lifetime; ST: Shortest of TGT and resource local domain group
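Added example (not from the deck): granting the time-limited membership described above and reading back the TTL-tagged member link. The forest name and user account are assumptions; enabling the optional feature requires the Windows Server 2016 forest functional level and cannot be undone.

```powershell
# Added example, not from the slide deck. Assumed: forest contoso.com, user 'jane'.
Import-Module ActiveDirectory
$Forest = 'contoso.com'

# One-time, irreversible: turn on the Privileged Access Management optional feature
# that makes TTL-bearing group links possible.
$Pam = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
if (-not $Pam.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
        -Scope ForestOrConfigurationSet -Target $Forest -Confirm:$false
}

# Just-in-time: one hour of Domain Admins, removed by the DC when the TTL expires.
Add-ADGroupMember -Identity 'Domain Admins' -Members 'jane' `
    -MemberTimeToLive (New-TimeSpan -Hours 1)

# The member link is stored as <TTL=<seconds>,<user DN>>, the "Member: <TTL,user-DN>"
# box on the slide. Permanent members appear as plain DNs.
(Get-ADGroup -Identity 'Domain Admins' -Properties member -ShowMemberTimeToLive).member |
    Where-Object { $_ -like '<TTL=*' }

# The user's TGT lifetime is capped at the shortest remaining TTL among their groups,
# so a new logon (or klist purge followed by re-authentication) is needed to obtain a
# ticket that carries the temporary membership and expires with it.
```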

Page 46: Techorama 2017 - What's new in Windows Server 2016

Operational Enhancements

• Domain Admin not required for installation anymore

• AD DS admin sets up DKM container and permissions for AD FS service account

• AD FS service management can be delegated to security groups

• Server admins now can’t make changes to the AD FS service

• Local admin access still required for AD FS service admins

• Login Audits reduced from 80 to just 1-2 audits with all the information needed

• Login Audits now are schematized for easy parsing

• AD FS Rapid Restore tool

Page 47: Techorama 2017 - What's new in Windows Server 2016

More Windows Server 2016 AD

• Improved Sign-On Experience

• Customize the sign-on experience

• Users on Windows 10 devices and computers will be able to access applications without having to provide additional credentials, just based on their desktop login, even over the extranet.

• Windows Hello for Business enablement

• Strong Authentication

• Azure Multi-Factor Authentication (primary or secondary)

• New LDAP directory support

• Create a way for managed, compliant, or domain joined devices to authenticate without the need to supply a password, even from the extranet

Page 48: Techorama 2017 - What's new in Windows Server 2016

Security

Page 49: Techorama 2017 - What's new in Windows Server 2016

Security designed for ‘zero-trust’ environments

Compute Networking Storage Security

Control and monitor administrator privileges

Detect and respond to breach faster

Add access and usage policies to sensitive information

Protect virtual machines from compromised host

Hardware-rooted security

Shielded virtual machines

Guardian Service

Just in time administration

Just enough administration

Credential Guard

Remote Credential Guard

File Classification Infrastructure

Azure Rights Management Services

Dynamic Access Control

Privilege Security Event Logging

Cloud based security analysis

Out of the box anti-malware

Page 50: Techorama 2017 - What's new in Windows Server 2016

Attack timeline

Attacks not detected

Current detection tools miss most attacks

You may be under attack (or compromised)

Target AD and identities

Active Directory controls access to business assets

Attackers commonly target AD and IT Admins

Response and recovery

Response requires advanced expertise and tools

Expensive and challenging to successfully recover

Attack sophistication

Attack operators exploit any weakness

Target information on any device or service

Timeline: Research and preparation → First host compromised → Domain admin compromised (24–48 hours after the first host) → Attack discovered (attacker undetected, data exfiltration: more than 200 days*, varies by industry)

Page 51: Techorama 2017 - What's new in Windows Server 2016

Protect applications and infrastructure running on the OS in any cloud

Control Flow Guard Helps protect against malicious corruption of the control flow of an otherwise trusted process

Windows Defender actively protects from known malware without impacting workloads

Device Guard ensures that only permitted binaries can be executed from the moment the OS is booted

Enhanced Auditing and Event Logs log new audit events to better detect malicious behavior by providing more detailed information to security operation centers

Defend against new exploits and block attacks without impacting legitimate workloads

Page 52: Techorama 2017 - What's new in Windows Server 2016

Time Server

• US

• Today: 1 sec skew from UTC

• Imminent: <50 ms skew from UTC

• Europe

• Today: <1 ms skew from UTC

• With 3rd party hardware: Yes

• Without 3rd party hardware: No

Page 53: Techorama 2017 - What's new in Windows Server 2016

Windows Server 2016 DNS Security

• Prevent DNS Denial of Service Attacks

• Prevents a form of Man in the Middle attack where someone is able to corrupt a DNS cache and point a DNS name to their own IP address

• IPv6 root hints, as published by IANA, have been added to the Windows DNS Server. Internet name queries can now use IPv6 root servers for name resolution.

• The Windows DNS server runs on Nano Server. Note that AD is not yet supported on Nano, so the zones hosted have to be file based.
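Added example (not from the deck): the server-side settings behind the first three bullets, using the Windows Server 2016 DnsServer module: Response Rate Limiting for the DoS case, cache locking for the cache-poisoning case, and a check that the IPv6 root hints are present. The server name 'dns01' is an assumption.

```powershell
# Added example, not from the slide deck. 'dns01' is an assumed DNS server name.
Import-Module DnsServer
$Dns = 'dns01'

# 1. Response Rate Limiting (RRL) against DNS DoS / amplification. Start in LogOnly
#    mode: would-be drops are written to the Microsoft-Windows-DNSServer analytic log,
#    so a busy but legitimate resolver can be spotted before anything is throttled.
Set-DnsServerResponseRateLimiting -ComputerName $Dns -Mode LogOnly `
    -ResponsesPerSec 5 -ErrorsPerSec 5 -WindowInSec 5 -LeakRate 3 -TruncateRate 2 -Force
Get-DnsServerResponseRateLimiting -ComputerName $Dns
# After reviewing the log, enforce:
# Set-DnsServerResponseRateLimiting -ComputerName $Dns -Mode Enable -Force

# 2. Cache locking against poisoning: a cached record cannot be overwritten by a new
#    (possibly spoofed) response until 100% of its TTL has elapsed.
Set-DnsServerCache -ComputerName $Dns -LockingPercent 100
(Get-DnsServerCache -ComputerName $Dns).LockingPercent

# 3. IPv6 root hints: list the AAAA addresses the server will use for root queries.
Get-DnsServerRootHint -ComputerName $Dns |
    ForEach-Object { $_.IPAddress } |
    Where-Object { $_.RecordType -eq 'AAAA' } |
    Select-Object -ExpandProperty RecordData |
    Select-Object -ExpandProperty IPv6Address
```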

Page 54: Techorama 2017 - What's new in Windows Server 2016

Storage Replica (Datacenter edition)

Synchronous replication : Storage agnostic mirroring of data in physical sites with crash-consistent volumes ensuring zero data loss at the volume level.

Increase resilience : Unlocks new scenarios for metro-distance cluster to cluster disaster recovery and stretch failover clusters for automated high availability.

Flexible : Server to server, cluster to cluster, and stretch cluster. Local disks, Storage Spaces Direct, clustered disks. NTFS, REFS, CSVFS. TCP, RDMA. Synchronous and asynchronous.

Streamlined management : Graphical management for individual nodes and clusters through Failover Cluster Manager and Azure Site Recovery. Full PowerShell and SMAPI support.

Page 58: Techorama 2017 - What's new in Windows Server 2016

High performance storage, fraction of the cost

FS

Storage Spaces Direct: Use standard servers with local storage to build highly available and scalable software-defined storage

Storage Replica: Create affordable business continuity and disaster recovery among datacenters

Storage QoS: Prevent noisy neighbors from impacting high priority workloads with a Storage QoS policy

Page 59: Techorama 2017 - What's new in Windows Server 2016

Converged software-defined storage: Storage Spaces

Flexibility: Compute and Storage scale independently

Scalability: Ability to scale each layer for the highest demands

Manageability: Segments layers to admin roles

SMB3 storage network fabric

Scale-out compute with low-cost commodity servers

Low cost NICs at scale

Inexpensive Ethernet for storage fabric

Elastic, reliable, optimized with Storage Spaces

NAS head

Page 60: Techorama 2017 - What's new in Windows Server 2016

Resilient File System (ReFS v2)

Resiliency and availability

• Designed to stay online

• Online repairs

• On volume metadata backups

Speed and efficiency

• Efficient VM checkpoint and backup

• Accelerated VM file creation

• Low impact

Data integrity

• Metadata checksums

• Checksum verification

• Automatic corruption detection and healing

Page 61: Techorama 2017 - What's new in Windows Server 2016

Stretch Cluster

Single cluster

Automatic failover

Asymmetric storage

Manage with PowerShell or Cluster Manager

New York New Jersey

SR over SMB

Page 62: Techorama 2017 - What's new in Windows Server 2016

Cluster-to-Cluster

Two separate clusters

Manual or orchestrated failover

S2D and shared disk supported

Manage with PowerShell & Azure Site Recovery

Los Angeles Las Vegas

SR over SMB

Page 63: Techorama 2017 - What's new in Windows Server 2016

Server-to-Server

Two separate servers

Manual failover

Server to self too

Manage with PowerShell

or… a surprise!

Building 5 Building 9

SR over SMB

Page 64: Techorama 2017 - What's new in Windows Server 2016

Storage Quality of Service (QoS): Control and monitor storage performance

Management

• System Center VMM and Ops Manager

• PowerShell

Simple out of box behavior

• Enabled by default

• Automatic metrics per VHD, VM, Host, Volume

• Configurable normalized IOPs and latency

Flexible and customizable policies

• Policy per VHD, VM, service, or tenant

• Define min and max IOPs and max bandwidth

• Fair distribution within policy

Policy Manager

Rate Limiter

IO Scheduler

Page 65: Techorama 2017 - What's new in Windows Server 2016

Requirements

Datacenter Edition (Full, Core, and Nano)

Active Directory (Kerberos only)

≥2GB RAM, ≥2 Cores

Network latency (synchronous), bandwidth

GPT-initialized drives

Firewall ports for SMB, WS-MAN

Page 67: Techorama 2017 - What's new in Windows Server 2016

Sync v Async

Async crash consistency versus application consistency

Volume Shadow Copy Snapshots

Accept that async means possible data loss

How much money is your data worth?

Or your job?

Page 69: Techorama 2017 - What's new in Windows Server 2016

Distance vs Latency vs Bandwidth

≤5ms round trip average is our sync guidance

Network Bandwidth

Tools: Message Analyzer, NTTCP, Ping & TraceRT(meh), diskspd.exe

Set-SMBBandwidthLimit
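Added example (not from the deck) tying the Requirements, Sync v Async and Distance vs Latency slides together: check the ≤5 ms round-trip guidance and the SMB/WS-Man path, run Test-SRTopology, then create a server-to-server partnership in the replication mode the latency allows. Server, volume and replication-group names are assumptions.

```powershell
# Added example, not from the slide deck. Assumed: Datacenter edition servers sr-srv01 and
# sr-srv02, data volume D: and log volume E: on both, replication groups rg01/rg02.
Import-Module StorageReplica
$Src = 'sr-srv01'; $Dst = 'sr-srv02'
$Params = @{
    SourceComputerName       = $Src
    SourceVolumeName         = 'D:'
    SourceLogVolumeName      = 'E:'
    DestinationComputerName  = $Dst
    DestinationVolumeName    = 'D:'
    DestinationLogVolumeName = 'E:'
}

# Deck guidance: <=5 ms average RTT for synchronous replication. Beyond that, use
# asynchronous and accept that the data in flight can be lost on a site failure.
$Rtt  = (Test-Connection -ComputerName $Dst -Count 10 | Measure-Object ResponseTime -Average).Average
$Mode = if ($Rtt -le 5) { 'Synchronous' } else { 'Asynchronous' }
"Average RTT to ${Dst}: $Rtt ms -> $Mode"

# Firewall requirements from the deck: SMB (445) and WS-Man must be reachable.
if (-not (Test-NetConnection -ComputerName $Dst -Port 445).TcpTestSucceeded) { throw 'SMB 445 blocked' }
Test-WSMan -ComputerName $Dst | Out-Null

# Test-SRTopology replays a measured workload and writes an HTML report (recommended log
# size, observed latency, sustained IOPS). Read it before creating the partnership.
Test-SRTopology @Params -DurationInMinutes 30 -ResultPath 'C:\SRTest'

New-SRPartnership @Params -SourceRGName 'rg01' -DestinationRGName 'rg02' `
    -ReplicationMode $Mode -LogSizeInBytes 8GB

# Initial block copy progress; the destination volume is dismounted while it is the replica.
(Get-SRGroup -ComputerName $Dst).Replicas |
    Select-Object DataVolume, ReplicationMode, ReplicationStatus, NumOfBytesRemaining
```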

Page 70: Techorama 2017 - What's new in Windows Server 2016

Forget about Windows Server features. What problems do you need to solve?

Page 71: Techorama 2017 - What's new in Windows Server 2016

I could lose my datacenter

I could lose my cluster rack

I could lose a critical server

Page 72: Techorama 2017 - What's new in Windows Server 2016

I need low cost

I need low impact

I need reliability

I need easy admin & monitoring

Page 73: Techorama 2017 - What's new in Windows Server 2016

Windows Server 2016 Storage Replica on industry standard hardware solves these problems