Onsight
WINDOWS SERVER 2016
Windows Server 2016 Hyper-V features
▪ High performance live migration (compression/RDMA)
▪ Zero downtime upgrades
▪ Automatic VM Activation
▪ Live VM export
▪ Guest backup improvements
▪ Enhanced VMConnect
▪ Dynamic memory host balancing
▪ First class Linux support – Dynamic memory, file system consistent host based backup
▪ RemoteFX over WAN
▪ Generation 2 Virtual Machines
▪ Secure boot in a VM
▪ User defined meta data for VHDX
▪ PowerShell for all Hyper-V operations
▪ Hyper-V Metrics
▪ Shared nothing live migration
▪ High performance auto tiered storage spaces
▪ Write back cache with spaces
▪ Storage QoS
▪ Shared VHDX for guest clustering
▪ VHDX online resize
▪ Storage deduplication with live VMs for VDI
▪ Hyper-V Recovery Manager (Microsoft Azure Site recovery)
▪ Azure Backup
▪ Inbox multi-tenant site-to-site VPN gateway for physical & virtual networks
▪ Protected VM Networks/Virtual RSS
▪ Enhanced LBFO performance with NIC teaming
▪ Hyper-V Extensible Switch
▪ 4K Sector support
▪ Hyper-V over SMB
▪ Hyper-V over Spaces & ReFS
▪ 64 VP, 1 TB VMs
▪ SR-IOV for 10+GB networking
▪ 64TB VHDX
▪ Hyper-V Replica
▪ Network Virtualization
▪ USB redirection over RemoteFX vGPU
▪ Hot add/remove of storage
▪ VHDX resiliency
▪ Dynamic & differencing VHDX performance improvements
▪ 384 LP, 4TB physical system
▪ 2+ Million IOPS to a single VM
▪ Resource Pools
▪ NUMA in a VM
▪ 1024 running VMs on a host
▪ Shielded VM support
▪ vTPM
▪ Key Storage Drive for Gen 1 VM
▪ Guest VSM (enable Device Guard & Credential Guard in a VM)
▪ VM Isolation
▪ Linux Secure Boot
▪ RemoteFX improvements
▪ Discrete Device Assignment of GPU
▪ Headless mode support
▪ Distributed Storage QoS
▪ REFS Block REFS Fast Fixed Disk Creation
▪ Nested virtualization
▪ VMCX configuration file
▪ Nano Server Host Support
▪ Multi-host management (WMI)
▪ Hypervisor Power Management (connected standby works)
▪ Virtual machine grouping
▪ IC Upgrade via Windows Update
▪ HvSocket (Guest-Host)
▪ TimeSync improvements
▪ 240 VP, 16TB VMs
▪ Support for Containers
▪ Resilient Change Tracking (RCT)
▪ Backup improvements
▪ Backup of Shared VHDX
▪ VM configuration version & upgrade
▪ Runtime Memory Resize
▪ Hot add / remove of NICs
▪ Production Checkpoints
▪ Storage Resiliency - All Paths Down
▪ Online Resize for Shared VHDX
▪ Hot add / remove of replicated VHD
▪ Rolling Cluster Upgrade
▪ Cluster Compute Resiliency
▪ Cluster Node Quarantine
▪ Device Naming of NIC
▪ 512LP, 24TB Host
▪ Direct Device Assignment
Session agenda – seven simple steps
▪ Editions and licensing
▪ New features and enhancements
▪ Compute
▪ Network
▪ Storage
▪ Identity
▪ Management
▪ Software Defined Datacenter Solution
▪ Containers
Editions and licensing
#1
New release timeline
Editions
▪ Windows Server 2016 Standard: For physical or minimally virtualized environments.
▪ Windows Server 2016 Datacenter: For highly virtualized datacenter and cloud environments.
▪ Windows Server 2016 Essentials: For small businesses with up to 25 users and 50 devices.
▪ Windows Storage Server 2016: For dedicated OEM storage solutions.
▪ Microsoft Hyper-V Server 2016: Free hypervisor download.
Licensing
▪ License all the physical cores in the server
▪ Minimum of 8 core licenses required for each processor
▪ Core licenses will be sold in packs of two
Edition comparison
▪ Can be used as virtualization guest
  Standard: 2 virtual machines, plus one Hyper-V host per license
  DataCenter: Unlimited virtual machines, plus one Hyper-V host per license
▪ Containers
  Standard: Windows containers unlimited, Hyper-V containers up to 2
  DataCenter: All container types unlimited
▪ Host Guardian Hyper-V Support: Yes
▪ Storage Replica: Yes
▪ Storage Spaces Direct: Yes
▪ Software-defined Networking: Yes
Which edition to choose?
▪ If you are unsure, choose Standard
▪ You can always upgrade to DataCenter, without reinstall
▪ How?
  ▪ DISM /Online /Get-TargetEditions
  ▪ DISM /Online /Set-Edition:ServerDatacenter /ProductKey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX /AcceptEula
Server Core
▪ A more security-enhanced, less resource-intensive installation option
▪ An installation that cannot be converted to the full graphical shell version of Windows Server 2016
▪ The default installation option for Windows Server 2016
▪ Managed locally by using sconfig.cmd and Windows PowerShell
▪ With remote management enabled, you rarely need to sign in locally!
Shielded VMs
#2
Administrator privileges – Central risk?
▪ Microsoft knows that administrators have the keys to the kingdom; they gave them those keys decades ago
▪ But those administrator privileges are being compromised through social engineering, bribery, coercion, private initiatives
▪ Stolen admin credentials
▪ Phishing attacks
▪ Insider attacks
Who can become Domain Admin (or more)?
▪ Built-in Administrators
▪ Server Operators
▪ Account Operators
▪ Backup Operators
What is a Shielded VM?
▪ “The data and state of a shielded VM are protected against inspection, theft and tampering from both malware and datacenter administrators[1].”
[1] fabric admins, storage admins, server admins, network admins
Shielded VM security assurance goal
▪ Encryption & data at-rest/in-flight protection
  ▪ Virtual TPM enables the use of BitLocker within a VM
  ▪ Both Live Migration and VM-state are encrypted
▪ Admin-lockout
  ▪ Host administrators cannot access guest VM secrets
▪ Attestation of health
  ▪ VM-workloads can only run on “healthy” hosts
Virtual TPM – Generation 2 VMs
▪ Windows Server 2016 Hyper-V allows you to add a Virtual TPM chip to your Virtual Machine, which allows you to encrypt your VM using BitLocker.
▪ On a Generation 1 VM, you can use a Key Storage Drive
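One way to turn on the virtual TPM (Generation 2) or the Key Storage Drive (Generation 1) described above, as an added PowerShell example that is not from the original deck. The function name and the VM name are hypothetical, and the example assumes a standalone or lab host, so it uses a local key protector rather than one issued through the Host Guardian Service.

```powershell
#Requires -Modules Hyper-V
# Added example, not from the original deck. Enable-VmEncryptionSupport is a hypothetical name.
function Enable-VmEncryptionSupport {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$VMName)

    $vm = Get-VM -Name $VMName -ErrorAction Stop
    if ($vm.State -ne 'Off') {
        throw "VM '$VMName' must be powered off before its security settings can change."
    }

    # Leave an already configured VM alone rather than generating a second
    # key protector over the one that is in use.
    $alreadyOn = if ($vm.Generation -eq 2) {
        (Get-VMSecurity -VMName $VMName).TpmEnabled
    } else {
        [bool](Get-VMKeyStorageDrive -VMName $VMName)
    }

    if (-not $alreadyOn -and $PSCmdlet.ShouldProcess($VMName, 'Enable encryption support')) {
        # Assumption: standalone host. A local key protector is tied to certificates
        # stored on this host, so the VM will not start elsewhere without them.
        Set-VMKeyProtector -VMName $VMName -NewLocalKeyProtector

        if ($vm.Generation -eq 2) {
            Enable-VMTPM -VMName $VMName            # virtual TPM for BitLocker in the guest
        } else {
            Add-VMKeyStorageDrive -VMName $VMName   # Generation 1 substitute for a vTPM
        }
        # Encrypt saved state and live migration traffic as well.
        Set-VMSecurity -VMName $VMName -EncryptStateAndVmMigrationTraffic $true
    }

    Get-VMSecurity -VMName $VMName   # returns the resulting security settings
}

# Usage (hypothetical VM name): Enable-VmEncryptionSupport -VMName 'web01' -WhatIf
```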
Host Guardian Service
Hyper-V enhancements
#3
Nested virtualization
▪ With Nested Virtualization, Windows Server 2016 Hyper-V allows you to run Hyper-V Servers inside Hyper-V Virtual Machines.
▪ Great feature for lab environments and Containers.
Memory management – Hot-Add memory
▪ Administrators can now increase or decrease VM memory without VM downtime.
▪ Cannot be decreased lower than current demand, or increased higher than physical system memory.
▪ The guest must be running Windows 10 or Windows Server 2016.
▪ Dynamic memory is not used for the VM.
▪ Can be a Generation 1 or Generation 2 VM.
Virtual network adapter enhancements
▪ Administrators now have the ability to add or remove virtual NICs (vNICs) from a VM without downtime.
▪ Enabled by default, with Gen 2 VMs only.
▪ Any supported Windows or Linux guest operating system can use the hot-add/remove vNIC functionality.
▪ vNIC identification: New capability to name vNIC in VM settings and see name inside guest operating system.
VM Configuration
▪ Can be updated manually
▪ Not reversible – Beware!
▪ Binary format instead of .XML
Virtual Machine Secure Boot
▪ Secure Boot - When VM starts, the firmware checks the signature of each piece of boot software, including firmware drivers and the operating system. If the signatures are good, the VM boots, and the firmware gives control to the operating system.
▪ Supported OS inside Generation 2 VM:
  ▪ Windows 8/2012 and later
  ▪ Ubuntu 14.04 and later
  ▪ SUSE Linux Enterprise Server 12 and later
  ▪ RHEL 7.0 and later
  ▪ CentOS 7.0 and later
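An added PowerShell example (not from the original deck) that audits Secure Boot across the VMs on a host and enables it with the template matching the guest family, which matters for the Linux guests listed above. Function names are hypothetical.

```powershell
#Requires -Modules Hyper-V
# Added example, not from the original deck; function names are hypothetical.

# Report Secure Boot state for every VM on this host.
function Get-VmSecureBootReport {
    Get-VM | ForEach-Object {
        if ($_.Generation -eq 2) {
            $fw = Get-VMFirmware -VM $_
            [pscustomobject]@{
                VMName     = $_.Name
                Generation = 2
                SecureBoot = [string]$fw.SecureBoot
                Template   = $fw.SecureBootTemplate
            }
        } else {
            # Generation 1 VMs boot through BIOS emulation and have no Secure Boot setting.
            [pscustomobject]@{ VMName = $_.Name; Generation = 1; SecureBoot = 'NotApplicable'; Template = $null }
        }
    }
}

# Turn Secure Boot on with the template that matches the guest OS family.
function Enable-VmSecureBoot {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][ValidateSet('Windows', 'Linux')][string]$GuestFamily
    )
    $vm = Get-VM -Name $VMName -ErrorAction Stop
    if ($vm.Generation -ne 2) { throw "Secure Boot requires a Generation 2 VM." }
    if ($vm.State -ne 'Off')  { throw "Power off '$VMName' before changing firmware settings." }

    # Linux boot loaders are signed under the Microsoft UEFI CA, not the Windows CA,
    # so a Linux guest does not boot under the default MicrosoftWindows template.
    $template = if ($GuestFamily -eq 'Linux') { 'MicrosoftUEFICertificateAuthority' } else { 'MicrosoftWindows' }
    if ($PSCmdlet.ShouldProcess($VMName, "Enable Secure Boot with template $template")) {
        Set-VMFirmware -VMName $VMName -EnableSecureBoot On -SecureBootTemplate $template
    }
}

# Usage: list VMs that boot without signature checks.
# Get-VmSecureBootReport | Where-Object SecureBoot -eq 'Off'
```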
Production checkpoints
▪ Easily create “point in time” images of a virtual machine, which can be restored later on in a way that is completely supported for all production workloads.
▪ Volume Snapshot Service (VSS) is used inside Windows virtual machines to create the production checkpoint instead of using saved state technology.
▪ No change to user experience for taking/restoring a checkpoint. Restoring a checkpoint is like restoring a clean backup of the server.
▪ Production as default: New virtual machines will use production checkpoints with a fallback to standard checkpoints.
PowerShell Direct
▪ Bridge the boundary between Hyper-V host and guest VM in a secure way to issue PoSh cmdlets and run scripts easily.
▪ Currently supported on WS2016/W10 guest on WS2016/W10 host
▪ No need to configure PS Remoting
▪ No need for network connectivity
▪ Just need the guest credentials
▪ Can only connect to a particular guest from that host.
Enter-PSSession -VMName VMName
Invoke-Command -VMName VMName -ScriptBlock { Fancy Script }
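An added PowerShell example (not from the original deck) that uses PowerShell Direct from the host to check whether each guest sees its TPM and whether the OS volume is BitLocker-protected. The function name is hypothetical; it assumes WS2016/W10 guests and guest administrator credentials.

```powershell
#Requires -Modules Hyper-V
# Added example, not from the original deck. Get-GuestEncryptionState is a hypothetical name.
function Get-GuestEncryptionState {
    param(
        [Parameter(Mandatory)][string[]]$VMName,
        [Parameter(Mandatory)][pscredential]$Credential   # guest credentials, not host credentials
    )
    foreach ($name in $VMName) {
        try {
            # -VMName routes the session over the VMBus: no guest network path
            # and no PS Remoting configuration in the guest are involved.
            Invoke-Command -VMName $name -Credential $Credential -ErrorAction Stop -ScriptBlock {
                $tpm = Get-Tpm
                # Get-BitLockerVolume exists only when the BitLocker feature is installed in the guest.
                $blv = if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
                    Get-BitLockerVolume -MountPoint $env:SystemDrive
                }
                [pscustomobject]@{
                    TpmPresent = $tpm.TpmPresent
                    TpmReady   = $tpm.TpmReady
                    OsVolume   = if ($blv) {
                        "$($blv.VolumeStatus), protection $($blv.ProtectionStatus)"
                    } else {
                        'BitLocker cmdlets not installed'
                    }
                }
            } | Select-Object @{ n = 'VMName'; e = { $name } }, TpmPresent, TpmReady, OsVolume
        } catch {
            # Guest powered off, unsupported guest OS, or wrong credentials.
            [pscustomobject]@{
                VMName     = $name
                TpmPresent = $null
                TpmReady   = $null
                OsVolume   = "unreachable: $($_.Exception.Message)"
            }
        }
    }
}

# Usage (hypothetical VM names):
# Get-GuestEncryptionState -VMName 'web01','db01' -Credential (Get-Credential)
```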
Hyper-V Manager improvements
▪ Support for alternate credentials
▪ Connecting via IP address
▪ Connecting via WinRM (port 80)
▪ Downlevel support
Nano Server
#4
Nano Server
▪ A new headless, deployment option for Windows Server
▪ Deep refactoring with cloud emphasis
▪ Cloud fabric & infrastructure (clustering, storage, networking)
▪ VMs & Containers (Hyper-V & Docker)
▪ Extend the Server Core pattern
▪ Roles & features live outside of Nano Server
▪ No Binaries or metadata in OS image
▪ Standalone packages install like apps
▪ Full driver support
▪ Antimalware
▪ Extremely low footprint
Remotely managing Nano Server
▪ Remote Server Management Tools
▪ Core PowerShell & WMI
▪ PowerShell DSC
▪ Hyper-V Manager
▪ Failover Cluster Manager
▪ Server Manager
New innovations
▪ Using Nano Server only for containers
▪ Images will shrink 50% or more
▪ Remove the functionality for infrastructure-related roles
Clustering
#5
Rolling Cluster Upgrade
▪ Upgrade a 2012 R2 Hyper-V or SOFS cluster to 2016
▪ No need for new hardware
▪ No downtime
▪ Reversible
Storage Replica
▪ Native feature (DataCenter)
▪ Async or Sync
▪ Block Level – no file locks
▪ SMB3-based
▪ Physical or Virtual workloads
▪ AES-128-GCM encryption
...and more!
▪ Cloud Witness – Azure
▪ Site-Aware Failover Cluster
▪ Workgroup Cluster
▪ Multi-domain Cluster
Storage Spaces Direct – S2D
▪ S2D provides ability to create shared storage with internal SATA, SAS, or NVMe disks from 2 to 16 servers
▪ Converged or Hyper-Converged deployment
Networking
#6
Software Defined Networking
▪ Switch embedded teaming (SET)
▪ Use fewer network adapters while using RDMA with or without SET
▪ Virtual machine multi queues (VMMQ)
▪ Quality of service (QoS) for software-defined networks
▪ Azure pioneered solutions:
  ▪ Software Load Balancer
  ▪ Datacenter Firewall
IPAM 2016
▪ You can manage networking for multiple AD forests.
▪ PowerShell can be used to enable RBAC.
Network Controller
▪ Provides a centralized, programmable point of automation to manage, configure, monitor, and troubleshoot virtual and physical network infrastructure in your datacenter.
▪ DataCenter edition only.
Containers
#7
Journey so far...
...the future?
Container use cases
▪ Isolation
▪ Rapidity
▪ Scalability
▪ Availability
▪ Security
▪ Multi-tenancy
▪ DevOps
Tip of the day – for lazy PowerShell Admins
Use Ctrl+Space for possible completions and F8 for history!
▪ Microsoft Certified Trainer
▪ MCSE Private Cloud
▪ MCSE Server Infrastructure
▪ MCSE Cloud Platform and Infrastructure
▪ Microsoft MVP Cloud and Datacenter management
▪ Twitter: @artoroth
▪ Blog: t35t3d.blogspot.fi
Arto Roth
Thank you!