4. Management in Windows Server 2016
Server Management Tool (SMT)
PowerShell
PowerShell Desired State Configuration
PowerShell Direct
Rich Web GUI
Manage all server installations (Nano, Core, Full)
Servers can be on-premises or in the cloud
5. Remote Server Management Tools
Web-based and cross-platform
Includes replacements for local-only tools, including:
Task Manager
Registry Editor
Event Viewer
Device Manager
Sconfig
Control Panel
Performance Monitor
Disk Management
Users/Groups Manager
File Explorer
PowerShell
Also manages Server Core and Server with GUI
7. PowerShell manages your environment
Gallery contains Dell, Citrix, VMware, AWS, Azure, SQL cmdlets
PowerShell DSC runs on Linux
PowerShell is a platform
Partners include Chef, Puppet, Ansible, Octopus…
PowerShell is on Nano Server
Nano is managed with PowerShell, configured with DSC
PowerShell 5 ships where you need it
Windows 10, Windows Server 2016
WMF5.0 for Win7, Win8.1, Server 2008r2, 2012, 2012r2
PowerShell eases moving to the cloud
Azure PowerShell cmdlets, Azure DSC Extensions
Same approach, everywhere
8. Key problems PowerShell addresses
Pace of change increasing, ever-faster solution delivery needed.
Solutions must span on-premises, hybrid, & cloud.
DevOps methods promise to help; how to make the transition?
9. Code Sharing: PowerShell Gallery, PowerShellGet, Github
Editing – ISE improvements
Debugging – Remote debugging, DSC debugging
Security – Auditing, Just Enough Administration (JEA)
Improving information
Delivering doc updates faster via Github.Com/Powershell
Microsoft.com/PowerShell: the hub for PowerShell information
Easier, faster automation with PowerShell
10. Enabling transition to DevOps
DevOps: a set of practices emphasizing collaboration & communication between SW developers and IT pros while automating software delivery and infrastructure changes.
Leverages tools to automate build, validation, & configuration.
PowerShell in Windows Server 2016 provides:
Desired State Configuration (DSC) – defining configuration as code
Security Improvements – Auditing, Just Enough Administration (JEA)
Package Management
PowerShell classes – integrate dev practices into configuration and automation
PowerShell Script Analyzer – best practice analysis tool
Pester – PowerShell validation
12. The platform for your virtual workspace strategy
Apps, Devices, Data, Users
Microsoft Remote Desktop Services
Build your solution on a trusted foundation
14. High quality 4:4:4 mode using standard H.264/AVC 4:2:0 hardware decoders
• Currently Windows 10 Remote Desktop Connection only, other Remote Desktop clients to follow
• Enabled by default for vGPU RDP 10 sessions
• Group Policy to enable on Windows 10 and Windows Server 2016
Remote Desktop client apps use hardware H.264/AVC decoder when available
15. Windows Server 2008 R2 – RemoteFX vGPU
• Hyper-V integration
• DX 9 support
Windows Server 2012 – RemoteFX vGPU
• DX 11.0
• VM connect with vGPU
• GPU management
Windows Server 2012 R2 – RemoteFX vGPU
• DX 11.1 support
• Higher video memory
• Up to 2560 x 1600 resolution
• Scale improvements
Windows Server 2016 – RemoteFX vGPU
• OpenGL 4.4 & OpenCL 1.1
• 1GB dedicated VRAM
• Up to 4k resolution
• Server VM support
• Improved performance
Windows Server 2016 – Discrete Device Assignment
• Full API support*
• Native GPU driver support
• Maximum performance*
*Verify card support for this configuration with GPU vendor
16. High-availability connection broker
Use database in existing SQL Server cluster or Azure SQL DB
Improved connection handling performance, 10K+ concurrent connection requests supported in “log on storm” situations
17. HA RDS 2012R2 Infra:
7 role services
8 VMs
HA RDS 2016 Infra:
4 role services
4 VMs
Roles that can be deployed on one VM:
• RD Gateway and Web Access
• RD Connection Broker and RD Licensing
19. Nano Server – Cloud application platform
Born-in-the-cloud
Subset of Win32
.NET Core and ASP.NET Core
PowerShell Desired State Configuration (DSC)
PackageManagement (aka OneGet)
Open Source Application Frameworks
Available as OS everywhere
Host OS for physical hardware
Guest OS in a VM
Windows Server containers
Hyper-V containers
20. Nano Server: Next step in our cloud journey
Zero-footprint model
Server roles and optional features live outside of Nano Server
Standalone packages that install like applications
Key roles & features
Hyper-V, Storage (SoFS), Clustering
IIS and DNS Server available in TP4
Core CLR and ASP.NET 5
Full Windows Server driver support
Antimalware optional package
System Center VMM and OM agents supported
21. Nano Server installation option - just enough OS
Containers and modern applications
Third-party applications
RDS experience
Existing VM workloads
Set-up time: 300s, Boot time: 85s, Disk space: 5.4GB
Set-up time: 35s, Boot time: 9s, Disk space: 0.46GB
23. Remotely Managing Nano Server
Server Manager
Hyper-V Manager
Failover Cluster Manager
PerfMon, Event Viewer, etc.
PowerShell Core
Server Management Tools (SMT)
24. Nano Server Recovery Console
Provides local access to network configuration and settings
▪ Computer name
▪ Domain or workgroup name
▪ Network information
▪ Firewall rules
▪ Reset WinRM
▪ VM Host on a Hyper-V Host
25. Nano Server vs Server Core
Nano Server has a full developer experience, unlike Server Core
Windows SDK & Visual Studio 2015 target Nano Server
Rich design-time experience: project template, full IntelliSense, error squiggles, etc.
Full remote debugging experience
27. Diagnostic Improvements
Faster: Improved validation times for both Storage and non-Storage tests
Diagnostics: Additional validation tests to catch Active Directory configuration issues; improved Network Name resource logging
Logging: Less noise logged to the cluster log to prevent wrapping; additional data logged to cluster.log, header and mini-dump of log level 5 verbosity
28. Reducing Dump Sizes
Focus: Excludes memory allocated to virtual machines; simplified debugging of Hyper-V systems with large amounts of RAM
Size: Active Memory Dump captures what is important with smaller file sizes; new alternative to a Complete (Full) memory dump
29. Zero Downtime Debugging
Availability: Capture debugging data without having to bugcheck nodes; debugging data without downtime
Integration: Clustering will capture live dumps on failures; live dumps are a mechanism to generate a memory dump for debugging without crashing the system
Orchestration: Capture dumps across multiple machines in parallel to enable debugging the distributed system; integrated with Windows Error Reporting to snapshot logs
30. Quarantine of Flapping Nodes
Resiliency: Node is quarantined if it ungracefully leaves the cluster three times within an hour; VMs are gracefully drained once quarantined
Protection: Unhealthy nodes are quarantined and are no longer allowed to join the cluster; prevents flapping nodes from negatively affecting other nodes and the overall cluster
Control: No more than 25% of nodes can be quarantined at any given time; nodes prevented from joining the cluster for 2 hours
33. Domain-less Cluster with Windows Server 2016
✓ Flexible HA and DR
✓ Reduced dependencies increase availability
34. Cloud Witness
[Diagram: cluster spanning Site1 and Site2, with an Azure witness as the third vote]
Flexible Scenarios: Stretched clusters without a 3rd site; clusters without shared storage; guest clusters in Azure VM role
Hybrid Cloud: Leveraging the power of the public cloud to increase resiliency of your private cloud; Azure blob storage as an arbitration point
35. Site Awareness
[Diagram: nodes grouped into Site1 and Site2]
Failover Affinity: Groups failover to a node within the same site before failing to a node in a different site
Sites: Define grouping of nodes in a stretched cluster which corresponds to their physical location; impacts placement policies and heartbeating
Storage Affinity: VMs follow storage and are placed in the same site where their associated storage resides; VMs will begin live migrating to the same site as their associated CSV after 1 minute
36. Fault Domain Awareness
Flexible Scenarios: Set up with PowerShell or XML policy; create flexible, nested topologies
Fault Domains: Clustering now understands Node, Chassis, Rack, and Site; failure policies and Spaces Direct data placement
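The stretched-cluster features from slides 30 and 34 to 36 configured from one PowerShell session, as an added example that is not from the deck. Node names N1 to N4, the group SQL-VM and the storage account contosowitness are assumptions; run it on a cluster node with the FailoverClusters module.

```powershell
# Added example, not from the deck. Assumed: a two-site stretched cluster with
# nodes N1-N4, a clustered VM group 'SQL-VM', storage account 'contosowitness'.
Import-Module FailoverClusters

# Slide 36: declare the physical topology as fault domains (the XML form,
# Set-ClusterFaultDomainXML, expresses the same tree).
New-ClusterFaultDomain -Name 'Site1' -Type Site -Location 'Building A'
New-ClusterFaultDomain -Name 'Site2' -Type Site -Location 'Building B'
foreach ($n in 'N1','N2') { Set-ClusterFaultDomain -Name $n -Parent 'Site1' }
foreach ($n in 'N3','N4') { Set-ClusterFaultDomain -Name $n -Parent 'Site2' }

# Slide 35: failover affinity and cross-site heartbeating. Groups fail over
# inside their own site first; a group-level PreferredSite overrides the
# cluster-wide default.
(Get-Cluster).PreferredSite = 'Site1'
(Get-ClusterGroup -Name 'SQL-VM').PreferredSite = 'Site2'
(Get-Cluster).CrossSiteDelay = 1000    # ms between heartbeats sent across sites
(Get-Cluster).CrossSiteThreshold = 20  # missed cross-site heartbeats before a node is considered down

# Slide 34: Azure blob storage as the arbitration point, so no third site
# is needed. Prompt for the key instead of embedding a secret in the script.
$key = Read-Host -Prompt 'Storage account access key'
Set-ClusterQuorum -CloudWitness -AccountName 'contosowitness' -AccessKey $key

# Slide 30: quarantine policy. Defaults are 3 ungraceful leaves per hour and a
# 7200 s (2 h) quarantine; read back here rather than changed.
Get-Cluster | Select-Object Name, QuarantineThreshold, QuarantineDuration

function Get-QuarantinedNode {
    # Nodes the cluster has quarantined: State stays Down and StatusInformation
    # carries the Quarantined flag.
    Get-ClusterNode | Where-Object { $_.StatusInformation -match 'Quarantined' } |
        Select-Object Name, State, StatusInformation
}
Get-QuarantinedNode
# Once the root cause is fixed, re-admit a node before the 2 h window ends:
# Start-ClusterNode -Name 'N3' -ClearQuarantine
```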
37. Cluster Rolling Upgrade from Win2012 R2 to Win2016
In-place upgrades of cluster nodes now possible with Win2016
Seamless upgrades
41. Protect Privileged Identity
[Diagram: privilege levels from standard users (Dean, Jane, John) through Admin to Domain Admin, with two goals: mitigate pass the hash; control privileged accounts]
Credential Guard prevents Pass the Hash and Pass the Ticket attacks by protecting stored credentials and credential artifacts using Virtualization based Security
Remote Credential Guard works in conjunction with Credential Guard for RDP sessions, providing SSO for RDP sessions while eliminating the need for credentials to be passed to the RDP host
Just Enough Administration limits administrative privileges to the bare-minimum required set of actions (limited in space)
Just in Time Administration provides privileged access upon request through a workflow that is audited and limited in time
42. Just Enough Administration
Delegated administration for anything that can be managed with PowerShell
• Reduce the number of administrators on your machines
• Leveraging virtual accounts that perform privileged actions on behalf of regular users.
• Limit what users can do
• Specifying which cmdlets, functions and external commands they can run.
• Better understand what your users are doing
• Transcripts and logs that show you exactly which commands a user executed during their session.
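The three JEA bullets above (virtual account, cmdlet allow-list, transcripts) as one working endpoint definition. This is an added example, not from the deck; the module name HelpdeskJEA, the group CONTOSO\HelpdeskOperators, the user jane and the server srv01 are assumptions.

```powershell
# Added example, not from the deck. Assumed names: module 'HelpdeskJEA',
# AD group CONTOSO\HelpdeskOperators, endpoint 'Helpdesk', server 'srv01'.
$modulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\HelpdeskJEA'
New-Item -Path (Join-Path $modulePath 'RoleCapabilities') -ItemType Directory -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath 'HelpdeskJEA.psd1') -ModuleVersion '1.0'

# Role capability = the allow-list. Restart-Service is exposed only for two
# named services; every other command is invisible in the session.
New-PSRoleCapabilityFile -Path (Join-Path $modulePath 'RoleCapabilities\ServiceRestart.psrc') `
    -VisibleCmdlets 'Get-Service',
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W32Time' } } `
    -VisibleExternalCommands "$env:SystemRoot\System32\ipconfig.exe"

# Session configuration: runs as a per-session virtual account (local admin on
# this box, no domain identity), maps the AD group to the role, and writes a
# transcript of every command to a directory the operator cannot modify.
$pssc = Join-Path $env:TEMP 'Helpdesk.pssc'
New-PSSessionConfigurationFile -Path $pssc -SessionType RestrictedRemoteServer -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\HelpdeskOperators' = @{ RoleCapabilities = 'ServiceRestart' } }
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw 'invalid session configuration file' }
Register-PSSessionConfiguration -Name 'Helpdesk' -Path $pssc -Force | Out-Null

# Review what a given user would actually get before handing out the endpoint.
Get-PSSessionCapability -ConfigurationName 'Helpdesk' -Username 'CONTOSO\jane' |
    Select-Object Name, CommandType

# Operator side: Enter-PSSession -ComputerName srv01 -ConfigurationName Helpdesk
```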
43. Challenges in protecting credentials
[Chart: capability over time for a typical administrator (Ben, Mary, Jake, Admin) up to Domain admin]
Social engineering = First breach often starts with one workstation/user
Pass the Hash =
Admin = Unlimited rights for unlimited time window
44. Protect against compromised admin credentials
[Chart: capability over time for a typical administrator (Ben, Mary, Jake, Admin) up to Domain admin]
Credential Guard: Prevents Pass the Hash and Pass the Ticket attacks by protecting stored credentials through Virtualization based Security (VBS)
Just enough administration: Limits administrative privileges to the bare-minimum required set of actions (limited in space)
Remote Credential Guard: Works in conjunction with Credential Guard for RDP session providing SSO for RDP sessions while eliminating the need for credentials to be passed to the RDP host
Just-in-time administration: Provide privileged access through a workflow that is audited and limited in time
Just enough and just-in-time administration
45. Time-limited group memberships
• Users can be added to a security group with time-to-live (TTL)
• When the TTL expires, the user’s membership in that group disappears
• TGT based on shortest group membership
• ST based on TGT and resource local domain group membership
• Scavenger thread takes care of cleaning up group memberships
[Diagram: Group – Member: <TTL,user-DN>; User – TGT: shortest group lifetime; ST: shortest of TGT and resource local domain group]
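Granting and auditing a TTL membership with the Windows Server 2016 ActiveDirectory module, as an added example that is not from the deck. The forest contoso.com, DC dc01, group Tier0-Operators and user jane are assumptions; enabling the optional feature is a one-time, irreversible forest change.

```powershell
# Added example, not from the deck. Assumed names: forest contoso.com,
# DC 'dc01', group 'Tier0-Operators', user 'jane'.
Import-Module ActiveDirectory

# One-time and irreversible: TTL memberships require the Privileged Access
# Management optional feature (forest functional level 2016).
Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
    -Scope ForestOrConfigurationSet -Target 'contoso.com' -Server 'dc01'

# Time-limited membership: the link is stored as <TTL,user-DN> and the
# scavenger removes it when the TTL reaches zero. A TGT issued in the meantime
# is capped to the shortest remaining TTL among the user's groups.
Add-ADGroupMember -Identity 'Tier0-Operators' -Members 'jane' `
    -MemberTimeToLive (New-TimeSpan -Hours 2) -Server 'dc01'

function Get-TtlGroupMember {
    param([Parameter(Mandatory)][string]$Group, [string]$Server = 'dc01')
    # With -ShowMemberTimeToLive, expiring links come back as
    # '<TTL=<seconds>,<DN>>' and permanent ones as a bare DN.
    (Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive -Server $Server).member |
        ForEach-Object {
            if ($_ -match '^<TTL=(\d+),(.+)>$') {
                [pscustomobject]@{ Member = $Matches[2]; SecondsLeft = [int]$Matches[1]; Expiring = $true }
            } else {
                [pscustomobject]@{ Member = $_; SecondsLeft = $null; Expiring = $false }
            }
        }
}
# Anyone listed with Expiring = False holds a standing membership in a
# privileged group; that is the list to review.
Get-TtlGroupMember -Group 'Tier0-Operators' | Format-Table -AutoSize
```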
46. Operational Enhancements
• Domain Admin not required for installation anymore
• AD DS admin sets up DKM container and permissions for AD FS service account
• AD FS service management can be delegated to security groups
• Server admins now can’t make changes to the AD FS service
• Local admin access still required for AD FS service admins
• Login Audits reduced from 80 to just 1-2 audits with all the information needed
• Login Audits now are schematized for easy parsing
• AD FS Rapid Restore tool
47. More Windows Server 2016 AD
• Improved Sign-On Experience
• Customize the sign-on experience
• Users on Windows 10 devices and computers will be able to access applications without having to provide additional credentials, just based on their desktop login, even over the extranet.
• Windows Hello for business enablement
• Strong Authentication
• Azure Multi-Factor Authentication (primary or secondary)
• New LDAP directory support
• Create a way for managed, compliant, or domain joined devices to authenticate without the need to supply a password, even from the extranet
49. Security designed for ‘zero-trust’ environments
Control and monitor administrator privileges: Just in time administration; Just enough administration; Credential Guard; Remote Credential Guard
Detect and respond to breach faster: Privilege Security Event Logging; Cloud based security analysis; Out of the box anti-malware
Add access and usage policies to sensitive information: File Classification Infrastructure; Azure Rights Management Services; Dynamic Access Control
Protect virtual machines from compromised host: Hardware-rooted security; Shielded virtual machines; Guardian Service
50. Attack timeline
Attacks not detected: Current detection tools miss most attacks; you may be under attack (or compromised)
Target AD and identities: Active Directory controls access to business assets; attackers commonly target AD and IT Admins
Response and recovery: Response requires advanced expertise and tools; expensive and challenging to successfully recover
Attack sophistication: Attack operators exploit any weakness; target information on any device or service
Timeline: First host compromised → research and preparation (24–48 hours) → Domain admin compromised → attacker undetected, data exfiltration (more than 200 days*, varies by industry) → Attack discovered
51. Protect applications and infrastructure
RUNNING ON THE OS IN ANY CLOUD
Control Flow Guard helps protect against malicious corruption of the control flow of an otherwise trusted process
Windows Defender actively protects from known malware without impacting workloads
Device Guard ensures that only permitted binaries can be executed from the moment the OS is booted
Enhanced Auditing and Event Logs log new audit events to better detect malicious behavior by providing more detailed information to security operation centers
Defend against new exploits and block attacks without impacting legitimate workloads
52. Time Server
• US
• Today: 1 sec skew from UTC
• Imminent: <50 ms skew from UTC
• Europe
• Today: <1 ms skew from UTC
• With 3rd party hardware: Yes
• Without 3rd party hardware: No
53. Windows Server 2016 DNS Security
• Prevent DNS Denial of Service Attacks
• Prevents a form of Man in the Middle Attacks where someone is able to corrupt a DNS cache and point a DNS name to their own IP Address
• IPv6 root hints, as published by IANA, have been added to the Windows DNS Server. Internet name queries can now use IPv6 root servers for name resolutions.
• The Windows DNS server runs on Nano Server. Note that AD is not yet supported on Nano, so the zones hosted have to be file based.
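The first two bullets map to two Windows Server 2016 DNS Server features, Response Rate Limiting (amplification/DoS) and DANE TLSA records (a poisoned answer pointing at a server with the wrong certificate). Added example, not from the deck; the zone contoso.com, the resolver subnet and the TLSA hash are assumptions (the hash is a placeholder).

```powershell
# Added example, not from the deck. Assumed: zone 'contoso.com', internal
# resolvers in 10.0.0.0/8; the TLSA hash below is a placeholder, not real data.
Import-Module DnsServer

# RRL, staged: LogOnly first so that dropped and truncated responses appear in
# the DNS analytic log without affecting clients; switch to -Mode Enable once
# the counters look sane.
Set-DnsServerResponseRateLimiting -Mode LogOnly -ResponsesPerSec 5 -ErrorsPerSec 5 `
    -WindowInSec 5 -LeakRate 3 -TruncateRate 2 -Force
# Internal recursive resolvers legitimately repeat identical queries; exempt them.
Add-DnsServerClientSubnet -Name 'InternalResolvers' -IPv4Subnet '10.0.0.0/8'
Add-DnsServerResponseRateLimitingExceptionlist -Name 'Resolvers' -ClientSubnet 'EQ,InternalResolvers'
Get-DnsServerResponseRateLimiting   # review current mode and thresholds

# DANE: publish the SHA-256 of the web server's SubjectPublicKeyInfo so a
# DANE-aware client rejects a certificate that does not match, even if the
# name resolves to an attacker-controlled address after cache poisoning.
$spkiSha256 = '00' * 32   # placeholder (64 hex chars); use the real SPKI hash
Add-DnsServerResourceRecord -TLSA -ZoneName 'contoso.com' -Name '_443._tcp.www' `
    -CertificateUsage DomainIssuedCertificate -Selector SubjectPublicKeyInfo `
    -MatchingType Sha256Hash -CertificateAssociationData $spkiSha256
```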
57. Storage Replica (Datacenter edition)
Synchronous replication: Storage agnostic mirroring of data in physical sites with crash-consistent volumes ensuring zero data loss at the volume level.
Increase resilience: Unlocks new scenarios for metro-distance cluster to cluster disaster recovery and stretch failover clusters for automated high availability.
Flexible: Server to server, cluster to cluster, and stretch cluster. Local disks, Storage Spaces Direct, clustered disks. NTFS, ReFS, CSVFS. TCP, RDMA. Synchronous and asynchronous.
Streamlined management: Graphical management for individual nodes and clusters through Failover Cluster Manager and Azure Site Recovery. Full PowerShell and SMAPI support.
58. High performance storage, fraction of the cost
Storage Spaces Direct: Use standard servers with local storage to build highly available and scalable software-defined storage
Storage Spaces Replica: Create affordable business continuity and disaster recovery among datacenters
Storage QoS: Prevent noisy neighbors from impacting high priority workloads with a Storage QoS policy
59. Converged software-defined storage
Storage spaces
Flexibility: Compute and Storage scale independently
Scalability: Ability to scale each layer for the highest demands
Manageability: Segments layers to admin roles
[Diagram: scale-out compute with low-cost commodity servers; low cost NICs at scale; inexpensive Ethernet for the storage fabric (SMB3 storage network fabric); NAS head, elastic, reliable, optimized with storage spaces]
60. Resilient File System (ReFS v2)
Resiliency and availability
• Designed to stay online
• Online repairs
• On volume metadata backups
Speed and efficiency
• Efficient VM checkpoint and backup
• Accelerated VM file creation
• Low impact
Data integrity
• Metadata checksums
• Checksum verification
• Automatic corruption detection and healing
64. Storage Quality of Service (QoS)
Control and monitor storage performance
Management
• System Center VMM and Ops Manager
• PowerShell
Simple out of box behavior
• Enabled by default
• Automatic metrics per VHD, VM, Host, Volume
• Configurable normalized IOPS and latency
Flexible and customizable policies
• Policy per VHD, VM, service, or tenant
• Define min and max IOPS and max bandwidth
• Fair distribution within policy
[Diagram: Policy Manager, Rate Limiter, IO Scheduler]
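The policy model above (min/max IOPS, max bandwidth, per-VHD attachment, automatic flow metrics) exercised end to end, as an added example that is not from the deck. The Scale-Out File Server cluster sofs-cl, Hyper-V host hv01 and VM sql01 are assumptions.

```powershell
# Added example, not from the deck. Assumed: Scale-Out File Server cluster
# 'sofs-cl' hosting the VHDs, Hyper-V host 'hv01', VM 'sql01'.
Import-Module StorageQoS

# Dedicated policy: each VHD attached to it gets its own 500-5000 IOPS band
# and a 200 MB/s cap. (Aggregated would share one band across all attached
# VHDs, which is the per-tenant shape on the slide.)
$gold = New-StorageQosPolicy -Name 'Gold' -PolicyType Dedicated `
    -MinimumIops 500 -MaximumIops 5000 -MaximumIOBandwidth 200MB -CimSession 'sofs-cl'

# Attach the policy to every disk of the VM; the host enforces it by PolicyId.
Get-VM -Name 'sql01' -ComputerName 'hv01' | Get-VMHardDiskDrive |
    Set-VMHardDiskDrive -QoSPolicyID $gold.PolicyId

function Get-NoisyFlow {
    # Flows that are over their policy maximum or whose Status is not Ok
    # (e.g. InsufficientThroughput when a minimum cannot be honoured).
    param([string]$Cluster = 'sofs-cl')
    Get-StorageQosFlow -CimSession $Cluster |
        Where-Object { $_.Status -ne 'Ok' -or ($_.MaximumIops -gt 0 -and $_.InitiatorIOPS -gt $_.MaximumIops) } |
        Select-Object InitiatorName, FilePath, InitiatorIOPS, InitiatorLatency, MaximumIops, Status
}
Get-NoisyFlow | Format-Table -AutoSize
```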
66. Requirements
Datacenter Edition (Full, Core, and Nano)
Active Directory (Kerberos only)
≥2GB RAM, ≥2 Cores
Network latency (synchronous), bandwidth
GPT-initialized drives
Firewall ports for SMB, WS-MAN
68. Sync vs Async
Async: crash consistency versus application consistency
Volume Shadow Copy Snapshots
Accept that async means possible data loss
How much money is your data worth? Or your job?
69. Distance vs Latency vs Bandwidth
≤5ms round trip average is our sync guidance
Network Bandwidth
Tools: Message Analyzer, NTTCP, Ping & TraceRT (meh), diskspd.exe
Set-SMBBandwidthLimit
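Slides 57, 66, 68 and 69 as one procedure: measure the link, pick sync or async from the 5 ms guidance, create the partnership, and cap replication traffic with the SMB bandwidth limit. Added example, not from the deck; the servers sr-srv01/sr-srv02, volumes D: and E:, group names and the 12.4 ms reading are assumptions.

```powershell
# Added example, not from the deck. Assumed: servers 'sr-srv01'/'sr-srv02',
# data volume D:, log volume E:, replication groups 'RG01'/'RG02'.
Import-Module StorageReplica

# Slide 69: measure before choosing. Test-SRTopology records round-trip latency,
# bandwidth and the source IOPS profile over the window and writes an HTML
# report that includes a recommended log size.
Test-SRTopology -SourceComputerName 'sr-srv01' -SourceVolumeName 'D:' -SourceLogVolumeName 'E:' `
    -DestinationComputerName 'sr-srv02' -DestinationVolumeName 'D:' -DestinationLogVolumeName 'E:' `
    -DurationInMinutes 30 -ResultPath 'C:\SRTest'

function Select-SRMode {
    # Slides 68/69: sync needs <=5 ms average RTT; otherwise accept async and
    # the possible data loss it implies, bounded by the RPO you set.
    param([Parameter(Mandatory)][double]$AvgRoundTripMs)
    if ($AvgRoundTripMs -le 5) { 'Synchronous' } else { 'Asynchronous' }
}
$mode = Select-SRMode -AvgRoundTripMs 12.4   # constructed value; take it from the report

# Slide 57: server-to-server partnership. Only async takes an RPO (seconds).
$common = @{
    SourceComputerName = 'sr-srv01'; SourceRGName = 'RG01'
    SourceVolumeName = 'D:'; SourceLogVolumeName = 'E:'
    DestinationComputerName = 'sr-srv02'; DestinationRGName = 'RG02'
    DestinationVolumeName = 'D:'; DestinationLogVolumeName = 'E:'
    LogSizeInBytes = 8GB
}
if ($mode -eq 'Asynchronous') {
    New-SRPartnership @common -ReplicationMode Asynchronous -AsyncRPO 30
} else {
    New-SRPartnership @common -ReplicationMode Synchronous
}

# Slide 69: cap replication so it cannot starve other SMB traffic on the link
# (needs the SMB Bandwidth Limit feature on the source).
Install-WindowsFeature -Name FS-SMBBW | Out-Null
Set-SmbBandwidthLimit -Category StorageReplication -BytesPerSecond 64MB

# Initial sync progress; ReplicationStatus should reach ContinuouslyReplicating.
(Get-SRGroup -Name 'RG01').Replicas |
    Select-Object DataVolume, ReplicationMode, ReplicationStatus, NumOfBytesRemaining
```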