Techorama 2017 - What's new in Windows Server 2016
2 likes538 views
Windows Server 2016 includes improvements to server management, PowerShell, remote desktop services, Nano Server, failover clustering, and identity functionality. Key updates include a new web-based server management tool, expanded PowerShell capabilities for automation and cross-platform usage, enhanced remote desktop virtualization and scaling, a smaller and more secure Nano Server deployment option, improved cluster diagnostics and upgrades, and new features for privileged access control and credential protection.
Techorama 2017 - What's new in Windows Server 2016
- 2. WHAT’S NEW IN WINDOWS SERVER 2016
- 4. Management in Windows server 2016 PowerShell PowerShell Desired State Configuration PowerShell Direct Rich Web GUI Manage all server installations (Nano, Core, Full) Servers can be on-premises or in the cloud Server Management Tool (SMT)
- 5. Web-based and cross-platform Includes replacements for local-only tools, including: Task Manager Registry Editor Event Viewer Device Manager Sconfig Control Panel Performance Monitor Disk Management Users/Groups Manager File Explorer PowerShell Also manages Server Core and Server with GUI Remote Server Management Tools
- 7. PowerShell manages your environment Gallery contains Dell, Citrix, VMWare, AWS, Azure, SQL cmdlets PowerShell DSC runs on Linux PowerShell is a platform Partners include Chef, Puppet, Ansible, Octopus… PowerShell is on Nano Server Nano is managed with PowerShell, configured with DSC PowerShell 5 ships where you need it Windows 10, Windows Server 2016 WMF5.0 for Win7, Win8.1, Server 2008r2, 2012, 2012r2 PowerShell eases moving the cloud Azure PowerShell cmdlets, Azure DSC Extensions Same approach, everywhere
- 8. Key problems PowerShell addresses Pace of change increasing, ever- faster solution delivery needed. Solutions must span on-premises, hybrid, & cloud. DevOps methods promise to help, how to make the transition?
- 9. Code Sharing: PowerShell Gallery, PowerShellGet, Github Editing – ISE improvements Debugging – Remote debugging, DSC debugging Security – Auditing, Just Enough Administration (JEA) Improving information Delivering doc updates faster via Github.Com/Powershell Microsoft.com/PowerShell: the hub for PowerShell information Easier, faster automation with PowerShell
- 10. Enabling transition to DevOps DevOps: a set of practices emphasizing collaboration & communication between SW developers and IT pros while automating software delivery and infrastructure changes. Leverages tools to automate build, validation, & configuration. PowerShell in Windows Server 2016 Provides Desired State Configuration (DSC) – defining configuration as code Security Improvements – Auditing, Just Enough Administration (JEA) Package Management PowerShell classes integrates dev practices configuration and automation PowerShell Script Analyzer – best practice analysis tool Pester – PowerShell validation
- 11. Windows 2016 Remote Desktop Services
- 12. The platform for your virtual workspace strategy AppsDevices DataUsers Microsoft Remote Desktop Services Build your solution on a trusted foundation
- 13. Optimized for cloud Increased performance Efficient and secure architecture Connection Broker shared SQL connections Graphics improvements Enhanced scale
- 14. • Currently Windows 10 Remote Desktop Connection only, other Remote Desktop clients to follow • Enabled by default for vGPU RDP 10 sessions • Group Policy to enable on Windows 10 and Windows Server 2016 High quality 4:4:4 mode using standard H.264/AVC 4:2:0 hardware decoders Remote Desktop client apps use hardware H.264/AVC decoder when available
- 15. Windows Server 2008 R2 Windows Server 2012 Windows Server 2012 R2 Windows Server 2016 RemoteFX vGPU • Hyper-V integration • DX 9 support RemoteFX vGPU • DX 11.0 • VM connect with vGPU • GPU management RemoteFX vGPU • DX 11.1 support • Higher video memory • Up to 2560 x 1600 resolution • Scale improvements RemoteFX vGPU • OpenGL 4.4 & OpenCL 1.1 • 1GB dedicated VRAM • Up to 4k resolution • Server VM support • Improved performance Discrete Device Assignment • Full API support* • Native GPU driver support • Maximum performance*Verify card support for this configuration with GPU vendor
- 16. High-availability connection broker Use database in existing SQL Server cluster or Azure SQL DB Improved connection handling performance, 10K+concurrent connection requests supported in “log on storm” situations
- 17. HA RDS 2012R2 Infra: 7 role services 8 VMs HA RDS 2016 Infra: 4 role services 4 VMs Roles that can be deployed on one VM: • RD Gateway and Web Access • RD Connection Broker and RD Licensing
- 19. Born-in-the-cloud Subset of Win32 .NET Core and ASP.NET Core PowerShell Desired State Configuration (DSC) PackageManagement (aka OneGet) Open Source Application Frameworks Available as OS everywhere Host OS for physical hardware Guest OS in a VM Windows Server containers Hyper-V containers Nano Server – Cloud application platform
- 20. Nano Server: Next step in our cloud journey Zero-footprint model Server roles and optional features live outside of Nano Server Standalone packages that install like applications Key roles & features Hyper-V, Storage (SoFS), Clustering IIS and DNS Server available in TP4 Core CLR and ASP.NET 5 Full Windows Server driver support Antimalware optional package System Center VMM and OM agents supported
- 21. Nano Server installation option - just enough OS Containers and modern applications Third-party applications RDS experience Existing VM workloads Set-up time: 300s Boot time: 85s Disk space: 5.4GB Set-up time: 35s Boot time: 9s Disk space: 0.46GB
- 22. Nano Server Image Builder
- 23. Remotely Managing Nano Server Server Manager Hyper-V Manager Failover Cluster Manager PerfMon, Event Viewer, etc. PowerShell Core Server Management Tools (SMT)
- 24. Nano Server Recovery Console Provides local access to network configuration and settings ▪ Computer name ▪ Domain or workgroup name ▪ Network information ▪ Firewall rules ▪ Reset WinRM ▪ VM Host on a Hyper-V Host
- 25. Nano Server vs Server Core Nano Server has a full developer experience, unlike Server Core Windows SDK & Visual Studio 2015 target Nano Server Rich design-time experience Project template, full IntelliSense, error squiggles, etc. Full remote debugging experience
- 27. Diagnostic Improvements Faster Improved Validation times for both Storage and non-Storage tests Diagnostics Additional Validation tests to catch Active Directory configuration issues Improved Network Name resource logging Logging Less noise logged to the cluster log to prevent wrapping Additional data logged to cluster.log, header and mini-dump of log level 5 verbosity
- 28. Reducing Dump Sizes Focus Excludes memory allocated to virtual machines Simplified debugging of Hyper-V systems with large amounts of RAM Size Active Memory Dump captures what is important with smaller file sizes New alternative to a Complete (Full) memory dump
- 29. Zero Downtime Debugging Availability Capture debugging data without having to bugcheck nodes Debugging data without downtime Integration Clustering will capture live dumps on failures Live dumps are a mechanism to generate a memory dump for debugging without crashing the system Orchestration Capture dumps across multiple machines in parallel to enable debugging the distributed system Integrated with Windows Error Reporting to snapshot logs
- 30. Quarantine of Flapping Nodes Resiliency Node is quarantined if it ungracefully leaves the cluster three times within an hour VMs are gracefully drained once quarantined Protection Unhealthy nodes are quarantined and are no longer allowed to join the cluster Prevents flapping nodes from negatively effecting other nodes and the overall cluster Control No more than 25% of nodes can be quarantined at any given time Nodes prevented from joining the cluster for 2 hours
- 31. Domain Joined (traditional model)
- 32. Multi-domain with Windows Server 2016 ✓ Flexible HA and DR
- 33. Domain’less with Windows Server 2016 Cluster ✓ Flexible HA and DR ✓ Reduced dependencies increases availability
- 34. Cloud Witness Cluster Site1 Site2 Azure Witness Flexible Scenarios Stretched clusters without a 3rd site Clusters without shared storage Guest Clusters in Azure VM role Hybrid Cloud Leveraging the power of the public cloud to increase resiliency of your private cloud Azure blob storage as an arbitration point
- 35. Site Awareness Site1 Site2 Failover Affinity Groups failover to a node within the same site, before failing to a node in a different site Sites Define grouping of nodes in a stretched cluster which corresponds to their physical location Impacts placement policies and heartbeating Storage Affinity VMs follow storage and are placed in same site where their associated storage resides VMs will begin live migrating to the same site as their associated CSV after 1 minute
- 36. Fault Domain Awareness Flexible Scenarios Set up with PowerShell or XML policy Create flexible, nested topologies Fault Domains Clustering now understands Node, Chassis, Rack, and Site Failure policies and Spaces Direct data placement
- 37. Cluster In-place Upgrades of cluster nodes now possible with Win2016 Rolling Upgrade from Win2012 R2 to Win2016 Seamless Upgrades
- 38. Disaster Recovery with Stretched Clusters
- 39. Multi-Site Cluster End-to-End Multi-Site Clusters Storage Replica Site1 Site2 Flexible Volume level software replication between storage of any type Workload agnostic Integrated End-to-end Windows Server disaster recovery solution Automatic Synchronous replication Automatic cluster failover for low Recovery Time Objective (RTO)
- 41. Domain AdminDean Jane John Admin Credential Guard prevents Pass the Hash and Pass the Ticket attacks by protecting stored credentials and credential artifacts using Virtualization based Security Remote Credential Guard works in conjunction with Credential Guard for RDP sessions providing SSO for RDP sessions while eliminating the need for credentials to be passed to the RDP host Just Enough Administration limits administrative privileges to the bare-minimum required set of actions (limited in space) Just in Time Administration provides privileged access upon request through a workflow that is audited and limited in time Protect Privileged Identity X MITIGATE PASS THE HASH CONTROL PRIVILEGED ACCOUNTS } }
- 42. Just Enough Administration Delegated administration for anything that can be managed with PowerShell • Reduce the number of administrators on your machines • Leveraging virtual accounts that perform privileged actions on behalf of regular users. • Limit what users can do • Specifying which cmdlets, functions and external commands they can run. • Better understand what your users are doing • Transcripts and logs that show you exactly which commands a user executed during their session.
- 43. Challenges in protecting credentials Ben Mary Jake Admin Domain admin Typical administrator Capability Time Social engineering = First breach often start with one workstation/user Pass the Hash = Admin = Unlimited rights for unlimited time window
- 44. Protect against compromised admin credentials Ben Mary Jake Admin Domain admin Typical administrator Capability Time Credential Guard Prevents Pass the Hash and Pass the Ticket attacks by protecting stored credentials through Virtualization based Security (VBS) Just enough administration Administration Limits administrative privileges to the bare- minimum required set of actions (limited in space) Remote Credential Guard Works in conjunction with Credential Guard for RDP session providing SSO for RDP sessions while eliminating the need for credentials to be passed to the RDP host Just-in-time administration Administration Provide privileged access through a workflow that is audited and limited in time Just enough and just-in-time administration
- 45. Time-limited group memberships • Users can be added to a security group with time-to-live (TTL) • When the TTL expires, the user’s membership in that group disappears • • TGT based on shortest group membership • ST based on TGT and resource local domain group membership • • Scavenger thread takes care of cleaning up group memberships Group Member: <TTL,user-DN> User TGT: Shortest group lifetime ST: Shortest of TGT and resource local domain group
- 46. Operational Enhancements • Domain Admin not required for installation anymore • AD DS admin sets up DKM container and permissions for AD FS service account • AD FS service management can be delegated to security groups • Server admins now can’t make changes to the AD FS service • Local admin access still required for AD FS service admins • Login Audits reduced from 80 to just 1-2 audits with all the information needed • Login Audits now are schematized for easy parsing • AD FS Rapid Restore tool
- 47. • Improved Sign-On Experience • Customize the sign-on experience • Users on Windows 10 devices and computers will be able to access applications without having to provide additional credentials, just based on their desktop login, even over the extranet. • Windows Hello for business enablement • Strong Authentication • Azure Multi-Factor Authentication (primary or secondary) • New LDAP directory support • Create a way for managed, compliant, or domain joined devices to authenticate without the need to supply a password, even from the extranet More Windows Server 2016 AD
- 48. Security
- 49. Security designed for ‘zero-trust’ environments Compute Networking Storage Security Control and monitor administrator privileges Detect and respond to breach faster Add access and usage policies to sensitive information Protect virtual machines from compromised host Hardware-rooted security Shielded virtual machines Guardian Service Just in time administration Just enough administration Credential Guard Remote Credential Guard File Classification Infrastructure Azure Rights Management Services Dynamic Access Control Privilege Security Event Logging Cloud based security analysis Out of the box anti-malware
- 50. Attack timeline Attacks not detected Current detection tools miss most attacks You may be under attack (or compromised) Target AD and identities Active Directory controls access to business assets Attackers commonly target AD and IT Admins Response and recovery Response requires advanced expertise and tools Expensive and challenging to successfully recover Attack sophistication Attack operators exploit any weakness Target information on any device or service Attacker undetected (data exfiltration)Research and preparation More than 200 days* (varies by industry)24–48 hours First host compromised Domain admin compromised Attack discovered More than 200 days* (varies by industry)24–48 hours Attacker undetected (data exfiltration)Research and preparation First host compromised Attack discovered
- 51. Protect applications and infrastructure RUNNING ON THE OS IN ANY CLOUD Control Flow Guard Helps protect against malicious corruption of the control flow of an otherwise trusted process Windows Defender actively protects from known malware without impacting workloads Device Guard ensures that only permitted binaries can be executed from the moment the OS is booted Enhanced Auditing and Event Logs log new audit events to better detect malicious behavior by providing more detailed information to security operation centers Defend against new exploits and block attacks without impacting legitimate workloads
- 52. • US • Today: 1 sec skew from UTC • Imminent: <50 MS skew from UTC • Europe • Today: <1 MS skew from UTC • With 3rd party hardware: Yes • Without 3rd party hardware: No Time Server
- 53. • Prevent DNS Denial of Service Attacks • Prevents a form of Man in the Middle Attacks where someone is able to corrupt a DNS cache and point a DNS name to their own IP Address • IPv6 root hints, as published by IANA, have been added to the Windows DNS Server. Internet name queries can now use IPv6 root servers for name resolutions. • The Windows DNS server runs on Nano Server. Note that AD is not yet supported on Nano, so the zones hosted have to be file based. Windows Server 2016 DNS Security
- 57. Storage Replica (Datacenter edition) Synchronous replication : Storage agnostic mirroring of data in physical sites with crash-consistent volumes ensuring zero data loss at the volume level. Increase resilience : Unlocks new scenarios for metro- distance cluster to cluster disaster recovery and stretch failover clusters for automated high availability. Flexible : Server to server, cluster to cluster, and stretch cluster. Local disks, Storage Spaces Direct, clustered disks. NTFS, REFS, CSVFS. TCP, RDMA. Synchronous and asynchronous. Streamlined management : Graphical management for individual nodes and clusters through Failover Cluster Manager and Azure Site Recovery. Full PowerShell and SMAPI support.
- 58. High performance storage, fraction of the cost FS Storage Spaces Direct Use standard servers with local storage to build highly available and scalable software-defined storage Storage Spaces Replica Create affordable business continuity and disaster recovery among datacenters Storage QoS Prevent noisy neighbors from impacting high priority workloads with a Storage QoS policy
- 59. Converged software-defined storage Storage spaces Flexibility : Compute and Storage scale independently Scalability : Ability to scale each layer for the highest demands Manageability : Segments layers to admin roles SMB3 storage network fabric Scale-out compute with low-cost commodity servers Low cost NICs at scale Inexpensive Ethernet for storage fabric Elastic, reliable, optimized with storage spaces NAS head
- 60. Resilient File System (ReFS v2) Resiliency and availability • Designed to stay online • Online repairs • On volume metadata backups Speed and efficiency • Efficient VM checkpoint and backup • Accelerated VM file creation • Low impact Data integrity • Metadata checksums • Checksum verification • Automatic corruption detection and healing
- 61. Stretch Cluster Single cluster Automatic failover Asymmetric storage Manage with PowerShell or Cluster Manager New York New Jersey SR over SMB
- 62. Cluster-to-Cluster Two separate clusters Manual or orchestrated failover S2D and shared disk supported Manage with PowerShell & Azure Site Recovery Los Angeles Las Vegas SR over SMB
- 63. Server-to-Server Two separate servers Manual failover Server to self too Manage with PowerShell or… a surprise! Building 5 Building 9 SR over SMB
- 64. Storage Quality of Service (QoS) Control and monitor storage performance Management • System Center VMM and Ops Manager • PowerShell Simple out of box behavior • Enabled by default • Automatic metrics per VHD, VM, Host, Volume • Configurable normalized IOPs and latency Flexible and customizable policies • Policy per VHD, VM, service, or tenant • Define min and max IOPs and max bandwidth • Fair distribution within policy Policy Manager Rate Limiter IO Scheduler
- 66. Requirements Datacenter Edition (Full, Core, and Nano) Active Directory (Kerberos only) ≥2GB RAM, ≥2 Cores Network latency (synchronous), bandwidth GPT-initialized drives Firewall ports for SMB, WS-MAN
- 68. Sync v Async Async crash consistency versus application consistency Volume Shadow Copy Snapshots Accept that async means possible data loss How much money is your data worth? Or your job?
- 69. Distance vs Latency vs Bandwidth ≤5ms round trip average is our sync guidance Network Bandwidth Tools: Message Analyzer, NTTCP, Ping & TraceRT (meh), diskspd.exe Set-SMBBandwidthLimit
- 70. Forget about Windows Server features. What problems do you need to solve?
- 71. I could lose my datacenter I could lose my cluster rack I could lose a critical server
- 72. I need low cost I need low impact I need reliability I need easy admin & monitoring
- 73. Windows Server 2016 Storage Replica on industry standard hardware solves these problems