Techorama 2017 - What's new in Windows Server 2016
WHAT’S NEW IN WINDOWS SERVER 2016
Windows 2016: Server Management
Management in Windows server 2016
PowerShell
PowerShell Desired State Configuration
PowerShell Direct
Rich Web GUI
Manage all server installations (Nano, Core, Full)
Servers can be on-premises or in the cloud
Server Management Tool (SMT)
Web-based and cross-platform
Includes replacements for local-only tools, including:
Task Manager
Registry Editor
Event Viewer
Device Manager
Sconfig
Control Panel
Performance Monitor
Disk Management
Users/Groups Manager
File Explorer
PowerShell
Also manages Server Core and Server with GUI
Remote Server Management Tools
Windows 2016: PowerShell
PowerShell manages your environment
Gallery contains Dell, Citrix, VMWare, AWS, Azure, SQL cmdlets
PowerShell DSC runs on Linux
PowerShell is a platform
Partners include Chef, Puppet, Ansible, Octopus…
PowerShell is on Nano Server
Nano is managed with PowerShell, configured with DSC
PowerShell 5 ships where you need it
Windows 10, Windows Server 2016
WMF 5.0 for Windows 7, Windows 8.1, Server 2008 R2, 2012, 2012 R2
PowerShell eases moving to the cloud
Azure PowerShell cmdlets, Azure DSC Extensions
Same approach, everywhere
Key problems PowerShell addresses
Pace of change increasing, ever-faster solution delivery needed. Solutions must span on-premises, hybrid, & cloud.
DevOps methods promise to help; how do you make the transition?
Code Sharing: PowerShell Gallery, PowerShellGet, Github
Editing – ISE improvements
Debugging – Remote debugging, DSC debugging
Security – Auditing, Just Enough Administration (JEA)
Improving information
Delivering doc updates faster via GitHub.com/PowerShell
Microsoft.com/PowerShell: the hub for PowerShell information
Easier, faster automation with PowerShell
Enabling transition to DevOps
DevOps: a set of practices emphasizing collaboration & communication between SW developers and IT pros while automating software delivery and infrastructure changes. Leverages tools to automate build, validation, & configuration.
PowerShell in Windows Server 2016 provides:
Desired State Configuration (DSC) – defining configuration as code
Security Improvements – Auditing, Just Enough Administration (JEA)
Package Management
PowerShell classes integrate development practices into configuration and automation
PowerShell Script Analyzer – best practice analysis tool
Pester – PowerShell validation
Windows 2016: Remote Desktop Services
The platform for your virtual workspace strategy
(Figure: Apps, Devices, Data, Users)
Microsoft Remote Desktop Services
Build your solution on a trusted foundation
Optimized for cloud
Increased performance
Efficient and secure architecture
Connection Broker: shared SQL connections
Graphics improvements
Enhanced scale
• Currently Windows 10 Remote Desktop Connection only, other Remote Desktop clients to follow
• Enabled by default for vGPU RDP 10 sessions
• Group Policy to enable on Windows 10 and Windows Server 2016
High quality 4:4:4 mode using standard H.264/AVC 4:2:0 hardware decoders
Remote Desktop client apps use hardware H.264/AVC decoder when available
RemoteFX vGPU by release:
Windows Server 2008 R2, RemoteFX vGPU:
• Hyper-V integration
• DX 9 support
Windows Server 2012, RemoteFX vGPU:
• DX 11.0
• VM connect with vGPU
• GPU management
Windows Server 2012 R2, RemoteFX vGPU:
• DX 11.1 support
• Higher video memory
• Up to 2560 x 1600 resolution
• Scale improvements
Windows Server 2016, RemoteFX vGPU:
• OpenGL 4.4 & OpenCL 1.1
• 1GB dedicated VRAM
• Up to 4k resolution
• Server VM support
• Improved performance
Windows Server 2016, Discrete Device Assignment:
• Full API support*
• Native GPU driver support
• Maximum performance*
* Verify card support for this configuration with GPU vendor
High-availability connection broker
• Use database in existing SQL Server cluster or Azure SQL DB
• Improved connection handling performance, 10K+ concurrent connection requests supported in “log on storm” situations
HA RDS 2012 R2 infrastructure: 7 role services, 8 VMs
HA RDS 2016 infrastructure: 4 role services, 4 VMs
Roles that can be deployed on one VM:
• RD Gateway and Web Access
• RD Connection Broker and RD Licensing
Windows 2016: Nano Server
Born in the cloud
Subset of Win32
.NET Core and ASP.NET Core
PowerShell Desired State Configuration (DSC)
PackageManagement (aka OneGet)
Open Source Application Frameworks
Available as OS everywhere
Host OS for physical hardware
Guest OS in a VM
Windows Server containers
Hyper-V containers
Nano Server – Cloud application platform
Nano Server: Next step in our cloud journey
Zero-footprint model: server roles and optional features live outside of Nano Server
Standalone packages that install like applications
Key roles & features: Hyper-V, Storage (SoFS), Clustering
IIS and DNS Server available in TP4
Core CLR and ASP.NET 5
Full Windows Server driver support
Antimalware optional package
System Center VMM and OM agents supported
Nano Server installation option - just enough OS
Containers and modern applications
Third-party applications
RDS experience
Existing VM workloads
Set-up time: 300s; boot time: 85s; disk space: 5.4GB
Set-up time: 35s; boot time: 9s; disk space: 0.46GB
Nano Server Image Builder
Remotely Managing Nano Server
Server Manager
Hyper-V Manager
Failover Cluster Manager
PerfMon, Event Viewer, etc.
PowerShell Core
Server Management Tools (SMT)
Nano Server Recovery Console
Provides local access to network configuration and settings
▪ Computer name
▪ Domain or workgroup name
▪ Network information
▪ Firewall rules
▪ Reset WinRM
▪ VM Host on a Hyper-V Host
Nano Server vs Server Core
Nano Server has a full developer experience, unlike Server Core
Windows SDK & Visual Studio 2015 target Nano Server
Rich design-time experience: project template, full IntelliSense, error squiggles, etc.
Full remote debugging experience
Windows 2016: Failover Clustering
Diagnostic Improvements
Faster: improved validation times for both Storage and non-Storage tests
Diagnostics: additional validation tests to catch Active Directory configuration issues; improved Network Name resource logging
Logging: less noise logged to the cluster log to prevent wrapping; additional data logged to cluster.log, header and mini-dump of log level 5 verbosity
Reducing Dump Sizes
Focus: excludes memory allocated to virtual machines; simplified debugging of Hyper-V systems with large amounts of RAM
Size: Active Memory Dump captures what is important with smaller file sizes; new alternative to a Complete (Full) memory dump
Zero Downtime Debugging
Availability: capture debugging data without having to bugcheck nodes; debugging data without downtime
Integration: clustering will capture live dumps on failures; live dumps are a mechanism to generate a memory dump for debugging without crashing the system
Orchestration: capture dumps across multiple machines in parallel to enable debugging the distributed system; integrated with Windows Error Reporting to snapshot logs
Quarantine of Flapping Nodes
Resiliency: a node is quarantined if it ungracefully leaves the cluster three times within an hour; VMs are gracefully drained once quarantined
Protection: unhealthy nodes are quarantined and are no longer allowed to join the cluster; prevents flapping nodes from negatively affecting other nodes and the overall cluster
Control: no more than 25% of nodes can be quarantined at any given time; nodes prevented from joining the cluster for 2 hours
Domain Joined (traditional model)
Multi-domain with Windows Server 2016
✓ Flexible HA and DR
Domain-less with Windows Server 2016
✓ Flexible HA and DR
✓ Reduced dependencies increase availability
Cloud Witness (figure: cluster with nodes in Site1 and Site2, witness in Azure)
Flexible Scenarios
Stretched clusters without a 3rd site
Clusters without shared storage
Guest Clusters in Azure VM role
Hybrid Cloud
Leveraging the power of the public cloud to increase resiliency of your private cloud
Azure blob storage as an arbitration point
Site Awareness (figure: Site1 and Site2)
Failover Affinity: groups fail over to a node within the same site before failing to a node in a different site
Sites: define grouping of nodes in a stretched cluster which corresponds to their physical location; impacts placement policies and heartbeating
Storage Affinity: VMs follow storage and are placed in the same site where their associated storage resides; VMs will begin live migrating to the same site as their associated CSV after 1 minute
Fault Domain Awareness
Flexible Scenarios: set up with PowerShell or XML policy; create flexible, nested topologies
Fault Domains: clustering now understands Node, Chassis, Rack, and Site; failure policies and Spaces Direct data placement
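The Cloud Witness, site/fault-domain awareness and node-quarantine slides above all come down to a handful of cluster settings. This added example (not from the deck) configures them on a two-site cluster from one of its nodes; the storage account, node and rack names are assumptions and the access key is a placeholder.

```powershell
# Added example, not from the slides. Run on a cluster node; names are assumptions.
Import-Module FailoverClusters
$cluster = Get-Cluster

# Cloud Witness: an Azure blob as the arbitration vote, so the stretched cluster
# needs neither a third site nor a shared witness disk.
Set-ClusterQuorum -CloudWitness -AccountName 'contosowitness' `
    -AccessKey '<storage-account-key-placeholder>'

# Fault domains: describe the physical topology (Site > Rack > Node) so placement,
# heartbeating and Storage Spaces Direct data placement can respect it.
foreach ($site in 'Site1', 'Site2') {
    New-ClusterFaultDomain -Name $site -Type Site
}
New-ClusterFaultDomain -Name 'Rack1' -Type Rack -Location 'Site1, row A'
New-ClusterFaultDomain -Name 'Rack2' -Type Rack -Location 'Site2, row B'
Set-ClusterFaultDomain -Name 'Rack1' -Parent 'Site1'
Set-ClusterFaultDomain -Name 'Rack2' -Parent 'Site2'
Set-ClusterFaultDomain -Name 'NODE1' -Parent 'Rack1'   # nodes already exist as fault domains
Set-ClusterFaultDomain -Name 'NODE2' -Parent 'Rack2'

# Quarantine of flapping nodes: the slide's values are 3 ungraceful leaves per
# hour and a 2-hour lockout. Set them explicitly so the intent is visible in
# config, and keep the 25% cap in mind when tightening them on small clusters.
$cluster.QuarantineThreshold = 3
$cluster.QuarantineDuration  = 7200   # seconds

# Read back. The XML is the same policy document the slide says you can author by hand.
Get-ClusterFaultDomainXML
Get-ClusterNode | Select-Object Name, State, StatusInformation
# A node that tripped the threshold shows StatusInformation = Quarantined. Once
# the root cause is fixed an operator can readmit it early with:
#   Start-ClusterNode -Name 'NODE1' -ClearQuarantine
```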
Seamless Upgrades
In-place upgrades of cluster nodes now possible with Windows Server 2016
Rolling Upgrade from Windows Server 2012 R2 to Windows Server 2016
Disaster Recovery with Stretched Clusters
Multi-Site Cluster
End-to-End Multi-Site Clusters: Storage Replica (figure: Site1 and Site2)
Flexible: volume-level software replication between storage of any type; workload agnostic
Integrated: end-to-end Windows Server disaster recovery solution
Automatic: synchronous replication; automatic cluster failover for low Recovery Time Objective (RTO)
Windows 2016: Identity
Credential Guard prevents Pass the Hash and Pass the Ticket attacks by protecting stored credentials and credential artifacts using Virtualization based Security
Remote Credential Guard works in conjunction with Credential Guard for RDP sessions providing SSO for RDP sessions while eliminating the need for credentials to be passed to the RDP host
Just Enough Administration limits administrative privileges to the bare-minimum required set of actions (limited in space)
Just in Time Administration provides privileged access upon request through a workflow that is audited and limited in time
Protect Privileged Identity
Mitigate Pass the Hash. Control privileged accounts.
Just Enough Administration
Delegated administration for anything that can be managed with PowerShell
• Reduce the number of administrators on your machines
• Leveraging virtual accounts that perform privileged actions on behalf of regular users.
• Limit what users can do
• Specifying which cmdlets, functions and external commands they can run.
• Better understand what your users are doing
• Transcripts and logs that show you exactly which commands a user executed during their session.
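The three JEA bullets above (fewer admins via virtual accounts, limited commands, transcripts) map directly onto a role capability file and a session configuration. This is an added example, not code from the talk; the module name, paths, endpoint name and the group CONTOSO\DnsOperators are assumptions.

```powershell
# Added example, not from the slides: a JEA endpoint that lets the (hypothetical)
# group CONTOSO\DnsOperators restart the DNS service and read its event log, and
# nothing else. Module/endpoint names, paths and the group are assumptions.

$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\JeaDnsOps'
$rcDir      = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleRoot 'JeaDnsOps.psd1')   # JEA finds .psrc files via modules on PSModulePath

# Role capability = the "limited in space" half: only these commands exist in the
# session, and Restart-Service/Get-Service accept only -Name DNS.
New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'DnsOperator.psrc') `
    -VisibleCmdlets @(
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'DNS' } },
        @{ Name = 'Get-Service';     Parameters = @{ Name = 'Name'; ValidateSet = 'DNS' } }
    ) `
    -VisibleFunctions 'Get-DnsServerEvent' `
    -FunctionDefinitions @{
        Name        = 'Get-DnsServerEvent'
        ScriptBlock = {
            param([ValidateRange(1, 500)][int]$Newest = 50)
            Get-WinEvent -LogName 'DNS Server' -MaxEvents $Newest
        }
    }

# Session configuration = who gets which role, that privileged work runs under a
# per-session virtual account (no shared admin password to harvest), and where
# the over-the-shoulder transcripts go.
$pssc = Join-Path $env:TEMP 'JeaDnsOps.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JeaTranscripts' `
    -RoleDefinitions @{ 'CONTOSO\DnsOperators' = @{ RoleCapabilities = 'DnsOperator' } }

# Fail closed: a malformed .pssc must not end up registered as an unrestricted endpoint.
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw "invalid session configuration: $pssc" }
Register-PSSessionConfiguration -Name 'JeaDnsOps' -Path $pssc -Force | Out-Null

# Audit what a given operator would actually be able to run before handing it out.
Get-PSSessionCapability -ConfigurationName 'JeaDnsOps' -Username 'CONTOSO\jake' |
    Select-Object Name, CommandType

# Operators connect with:
#   Enter-PSSession -ComputerName dns01 -ConfigurationName JeaDnsOps
```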
Challenges in protecting credentials
(Figure: capability over time for Ben, Mary, Jake, Admin, Domain admin; typical administrator)
Social engineering = first breach often starts with one workstation/user
Pass the Hash =
Admin = unlimited rights for unlimited time window
Protect against compromised admin credentials
(Figure: capability over time for Ben, Mary, Jake, Admin, Domain admin; typical administrator)
Credential Guard: prevents Pass the Hash and Pass the Ticket attacks by protecting stored credentials through Virtualization Based Security (VBS)
Just Enough Administration: limits administrative privileges to the bare-minimum required set of actions (limited in space)
Remote Credential Guard: works in conjunction with Credential Guard for RDP sessions, providing SSO for RDP sessions while eliminating the need for credentials to be passed to the RDP host
Just-in-Time Administration: provides privileged access through a workflow that is audited and limited in time
Just enough and just-in-time administration
Time-limited group memberships
• Users can be added to a security group with time-to-live (TTL)
• When the TTL expires, the user’s membership in that group disappears
• TGT based on shortest group membership
• ST based on TGT and resource local domain group membership
• Scavenger thread takes care of cleaning up group memberships
(Figure) Group member: <TTL,user-DN>; User TGT: shortest group lifetime; ST: shortest of TGT and resource local domain group
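The expiring-link mechanism described above is exposed through the ActiveDirectory module. This added example (not from the talk) enables the optional feature, grants a two-hour membership and reads back the remaining TTL from the <TTL=…>,DN link value; the forest name, group and user are assumptions.

```powershell
# Added example, not from the slides. Forest, group and user names are assumptions.
Import-Module ActiveDirectory

function Enable-ExpiringLinks {
    param([Parameter(Mandatory)][string]$Forest)
    # One-time, forest-wide and irreversible; requires forest functional level 2016.
    $feature = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
    if (-not $feature.EnabledScopes) {
        Enable-ADOptionalFeature $feature -Scope ForestOrConfigurationSet -Target $Forest -Confirm:$false
    }
}

function Grant-TemporaryMembership {
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][timespan]$Ttl
    )
    # The link is stored as <TTL=seconds>,<user-DN>. As the slide says, the KDC caps
    # the user's TGT at the shortest TTL of any group they hold, so the user needs a
    # fresh TGT (new logon) to see the membership, and it vanishes with the TTL.
    Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive $Ttl
}

function Get-MembershipTtl {
    param([Parameter(Mandatory)][string]$Group)
    # -ShowMemberTimeToLive returns member DNs prefixed with the remaining TTL.
    $g = Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive
    foreach ($m in $g.member) {
        if ($m -match '^<TTL=(\d+)>,(.+)$') {
            [pscustomobject]@{ Member = $Matches[2]; SecondsLeft = [int]$Matches[1]; Expires = $true }
        } else {
            # Permanent membership: exactly the kind JIT is meant to eliminate for Tier 0 groups.
            [pscustomobject]@{ Member = $m; SecondsLeft = $null; Expires = $false }
        }
    }
}

Enable-ExpiringLinks -Forest 'contoso.com'
Grant-TemporaryMembership -Group 'Tier0-DnsAdmins' -User 'jake' -Ttl (New-TimeSpan -Hours 2)
Get-MembershipTtl -Group 'Tier0-DnsAdmins' | Format-Table -AutoSize
```

Run Get-MembershipTtl on a schedule and alert on any Expires = $false row in a privileged group; that is the cheapest detection for someone bypassing the JIT workflow.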
Operational Enhancements
• Domain Admin not required for installation anymore
  • AD DS admin sets up DKM container and permissions for AD FS service account
• AD FS service management can be delegated to security groups
  • Server admins now can’t make changes to the AD FS service
  • Local admin access still required for AD FS service admins
• Login audits reduced from 80 to just 1-2 audits with all the information needed
• Login audits are now schematized for easy parsing
• AD FS Rapid Restore tool
• Improved Sign-On Experience
  • Customize the sign-on experience
  • Users on Windows 10 devices and computers will be able to access applications without having to provide additional credentials, just based on their desktop login, even over the extranet.
  • Windows Hello for Business enablement
• Strong Authentication
  • Azure Multi-Factor Authentication (primary or secondary)
  • New LDAP directory support
  • Create a way for managed, compliant, or domain joined devices to authenticate without the need to supply a password, even from the extranet
More Windows Server 2016 AD
Security
Security designed for ‘zero-trust’ environments
(Pillars: Compute, Networking, Storage, Security)
Control and monitor administrator privileges
Detect and respond to breach faster
Add access and usage policies to sensitive information
Protect virtual machines from compromised host
Hardware-rooted security
Shielded virtual machines
Guardian Service
Just in time administration
Just enough administration
Credential Guard
Remote Credential Guard
File Classification Infrastructure
Azure Rights Management Services
Dynamic Access Control
Privilege Security Event Logging
Cloud based security analysis
Out of the box anti-malware
Attack timeline
Attacks not detected
Current detection tools miss most attacks
You may be under attack (or compromised)
Target AD and identities
Active Directory controls access to business assets
Attackers commonly target AD and IT Admins
Response and recovery
Response requires advanced expertise and tools
Expensive and challenging to successfully recover
Attack sophistication
Attack operators exploit any weakness
Target information on any device or service
(Timeline figure) First host compromised → research and preparation (24–48 hours) → domain admin compromised → attacker undetected, data exfiltration (more than 200 days*, varies by industry) → attack discovered
Protect applications and infrastructure running on the OS in any cloud
Control Flow Guard: helps protect against malicious corruption of the control flow of an otherwise trusted process
Windows Defender: actively protects from known malware without impacting workloads
Device Guard: ensures that only permitted binaries can be executed from the moment the OS is booted
Enhanced Auditing and Event Logs: log new audit events to better detect malicious behavior by providing more detailed information to security operation centers
Defend against new exploits and block attacks without impacting legitimate workloads
Time Server
• US
  • Today: 1 sec skew from UTC
  • Imminent: <50 ms skew from UTC
• Europe
  • Today: <1 ms skew from UTC
  • With 3rd party hardware: Yes
  • Without 3rd party hardware: No
Windows Server 2016 DNS Security
• Prevent DNS Denial of Service attacks
• Prevents a form of Man in the Middle attack where someone is able to corrupt a DNS cache and point a DNS name to their own IP address
• IPv6 root hints, as published by IANA, have been added to the Windows DNS Server. Internet name queries can now use IPv6 root servers for name resolution.
• The Windows DNS server runs on Nano Server. Note that AD is not yet supported on Nano, so the zones hosted have to be file based.
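The two protections named above are Response Rate Limiting (against DoS/amplification) and cache locking (against the cache-poisoning form of MITM). This added example (not from the talk) turns both on with a log-first rollout and checks the IPv6 root hints; the server name is an assumption.

```powershell
# Added example, not from the slides. Server name is an assumption.
Import-Module DnsServer
$dns = 'DNS01'

# Response Rate Limiting: identical responses to the same client prefix (/24 for
# IPv4, /56 for IPv6 by default) are capped per second. LeakRate lets a fraction
# through and TruncateRate answers with TC=1, so real clients retry over TCP while
# spoofed reflection traffic is starved. Start in LogOnly to see what would drop.
Set-DnsServerResponseRateLimiting -ComputerName $dns -Mode LogOnly `
    -ResponsesPerSec 5 -ErrorsPerSec 5 -WindowInSec 5 -LeakRate 3 -TruncateRate 2 -Force
# ...review the DNS Server event log and Get-DnsServerStatistics, then enforce:
Set-DnsServerResponseRateLimiting -ComputerName $dns -Mode Enable -Force

# Cache locking: a cached record cannot be overwritten until this percentage of its
# TTL has elapsed, so a forged answer that arrives early is discarded instead of
# replacing the legitimate one.
Set-DnsServerCache -ComputerName $dns -LockingPercent 100

# Verify the effective settings rather than trusting the change succeeded.
Get-DnsServerResponseRateLimiting -ComputerName $dns
(Get-DnsServerCache -ComputerName $dns).LockingPercent

# Confirm the IPv6 (AAAA) root hints the slide mentions are present.
Get-DnsServerRootHint -ComputerName $dns |
    ForEach-Object { $_.IPAddress } |
    Where-Object { $_.RecordType -eq 'AAAA' } |
    Select-Object HostName, @{ n = 'IPv6'; e = { $_.RecordData.IPv6Address } }
```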
Storage Replica (Datacenter edition)
Synchronous replication: storage-agnostic mirroring of data in physical sites with crash-consistent volumes, ensuring zero data loss at the volume level.
Increase resilience: unlocks new scenarios for metro-distance cluster-to-cluster disaster recovery and stretch failover clusters for automated high availability.
Flexible: server to server, cluster to cluster, and stretch cluster. Local disks, Storage Spaces Direct, clustered disks. NTFS, ReFS, CSVFS. TCP, RDMA. Synchronous and asynchronous.
Streamlined management: graphical management for individual nodes and clusters through Failover Cluster Manager and Azure Site Recovery. Full PowerShell and SMAPI support.
High performance storage, fraction of the cost
Storage Spaces Direct: use standard servers with local storage to build highly available and scalable software-defined storage
Storage Spaces Replica: create affordable business continuity and disaster recovery among datacenters
Storage QoS: prevent noisy neighbors from impacting high priority workloads with a Storage QoS policy
Converged software-defined storage (Storage Spaces)
Flexibility: compute and storage scale independently
Scalability: ability to scale each layer for the highest demands
Manageability: segments layers to admin roles
SMB3 storage network fabric
Scale-out compute with low-cost commodity servers
Low cost NICs at scale
Inexpensive Ethernet for storage fabric
Elastic, reliable, optimized with Storage Spaces
NAS head
Resilient File System (ReFS v2)
Resiliency and availability
• Designed to stay online
• Online repairs
• On-volume metadata backups
Speed and efficiency
• Efficient VM checkpoint and backup
• Accelerated VM file creation
• Low impact
Data integrity
• Metadata checksums
• Checksum verification
• Automatic corruption detection and healing
Stretch Cluster
Single cluster
Automatic failover
Asymmetric storage
Manage with PowerShell or Cluster Manager
(Figure: New York ↔ New Jersey, SR over SMB)
Cluster-to-Cluster
Two separate clusters
Manual or orchestrated failover
S2D and shared disk supported
Manage with PowerShell & Azure Site Recovery
(Figure: Los Angeles ↔ Las Vegas, SR over SMB)
Server-to-Server
Two separate servers
Manual failover
Server to self too
Manage with PowerShell
or… a surprise!
(Figure: Building 5 ↔ Building 9, SR over SMB)
Storage Quality of Service (QoS): control and monitor storage performance
Management
• System Center VMM and Ops Manager
• PowerShell
Simple out of box behavior
• Enabled by default
• Automatic metrics per VHD, VM, Host, Volume
• Configurable normalized IOPs and latency
Flexible and customizable policies
• Policy per VHD, VM, service, or tenant
• Define min and max IOPs and max bandwidth
• Fair distribution within policy
Policy Manager
Rate Limiter
IO Scheduler
Requirements
Datacenter Edition (Full, Core, and Nano)
Active Directory (Kerberos only)
≥2GB RAM, ≥2 Cores
Network latency (synchronous), bandwidth
GPT-initialized drives
Firewall ports for SMB, WS-MAN
Sync vs Async
Async crash consistency versus application consistency
Volume Shadow Copy Snapshots
Accept that async means possible data loss
How much money is your data worth?
Or your job?
Distance vs Latency vs Bandwidth
≤5ms round trip average is our sync guidance
Network Bandwidth
Tools: Message Analyzer, NTTCP, Ping & TraceRT(meh), diskspd.exe
Set-SMBBandwidthLimit
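The requirements, sync-vs-async and latency/bandwidth slides above describe a measure-then-decide workflow. This added example (not from the talk) runs it end to end with the StorageReplica and SmbShare cmdlets; server names, drive letters, replication group names and the sample round-trip figure are assumptions or constructed.

```powershell
# Added example, not from the slides. Names, drive letters and the RTT sample are
# assumptions/constructed.
Import-Module StorageReplica

$src = 'SRV-A'; $dst = 'SRV-B'

# 1. Measure first. Test-SRTopology samples source write IOPS, round-trip latency
#    and available bandwidth over the window and writes an HTML report to ResultPath.
#    Run it under representative production load, not during a quiet period.
Test-SRTopology -SourceComputerName $src -SourceVolumeName 'D:' -SourceLogVolumeName 'L:' `
    -DestinationComputerName $dst -DestinationVolumeName 'D:' -DestinationLogVolumeName 'L:' `
    -DurationInMinutes 30 -ResultPath 'C:\SRTest'

# 2. Turn the slide's guidance into a rule: <=5 ms average round trip qualifies for
#    synchronous (zero volume-level data loss); anything slower means asynchronous,
#    which is crash-consistent only and carries a possible loss window on site failure.
function Select-ReplicationMode {
    param([Parameter(Mandatory)][double]$AvgRoundTripMs)
    if ($AvgRoundTripMs -le 5) { 'Synchronous' } else { 'Asynchronous' }
}
$mode = Select-ReplicationMode -AvgRoundTripMs 3.2   # constructed; read it from the report

# 3. Create the partnership. The log volume absorbs in-flight writes; size it for the
#    longest link outage you want to survive without a full resync.
New-SRPartnership -SourceComputerName $src -SourceRGName 'RG-A' `
    -SourceVolumeName 'D:' -SourceLogVolumeName 'L:' `
    -DestinationComputerName $dst -DestinationRGName 'RG-B' `
    -DestinationVolumeName 'D:' -DestinationLogVolumeName 'L:' `
    -ReplicationMode $mode -LogSizeInBytes 8GB

# 4. Keep replication from starving other SMB traffic on a shared link (the slide's
#    Set-SMBBandwidthLimit; requires the FS-SMBBW feature on the source).
Set-SmbBandwidthLimit -Category StorageReplication -BytesPerSecond 200MB

# 5. Do not trust a failover until the destination has caught up.
(Get-SRGroup).Replicas |
    Select-Object DataVolume, ReplicationMode, ReplicationStatus, NumOfBytesRemaining
```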
Forget about Windows Server features. What problems do you need to solve?
I could lose my datacenter. I could lose my cluster rack. I could lose a critical server.
I need low cost. I need low impact. I need reliability. I need easy admin & monitoring.
Windows Server 2016 Storage Replica on industry standard hardware solves these problems