Transcript 1 - WUG
Windows Server 2016
What’s New
Lukáš Radil
KPCS CZ, s.r.o.
Agenda
We want you to be at the center of application innovation
INFRASTRUCTURE
Opportunity to rethink your datacenter: think services, not servers
Looking ahead
Licensing and Editions
Editions
Features
Licensing models
Core based licensing
Virtualization
The story so far…
Failover clustering
Guest clustering with Shared VHDX
Hyper-V Replica
(diagram) Once Hyper-V Replica is enabled, VMs begin replication. Once replicated, changes are replicated on the chosen replication frequency. Upon site failure, VMs can be started on the secondary site.
Replica Support for Hot-Add VHDX
• When you add a new virtual hard disk to a virtual machine that is being replicated, it is automatically added to the not-replicated set. This set can be updated online.
• Set-VMReplication "VMName" -ReplicatedDisks (Get-VMHardDiskDrive "VMName")
Memory management
Virtualization and networking
Add-VMNetworkAdapter -VMName "TestVM" -SwitchName "Virtual Switch" -Name "Corp" -Passthru |
Set-VMNetworkAdapter -DeviceNaming On
Cluster OS rolling upgrades
(diagram of the three-step rolling upgrade; the final step runs Update-ClusterFunctionalLevel)
Virtual machine upgrades
Update-VMConfigurationVersion
Update-VMConfigurationVersion vmname
VM Servicing
• Windows 8.1 / 2012 R2
  • VM drivers (integration services) updated with each new host release
  • Require that VM driver version matches the host
  • Drivers shipped with host operating system
• Windows 10 / Windows Server Technical Preview
  • VM drivers (integration services) updated when needed
  • Require latest available VM drivers for that guest operating system
  • Drivers delivered directly to the guest operating system via Windows Update
Production checkpoints
ReFS Accelerated VHDX Operations
• Resilient File System
• It maximizes data availability, despite errors that would historically cause data loss or downtime.
• Taking advantage of an intelligent file system for:
• Instant fixed disk creation
• Instant disk merge operations
PowerShell Direct
• Bridge the boundary between Hyper-V host and guest VM in a secure way to issue PS cmdlets and run scripts easily.
• Currently supports Win 10/WS2016 guest on Win 10/WS2016 host
• No need to configure PS Remoting or network connectivity.
• Just need the guest credentials
• Can only connect to a particular guest from that host.
Enter-PSSession -VMName VMName
Invoke-Command -VMName VMName -ScriptBlock { Fancy Script }
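An added example (not from the deck) of the PowerShell Direct slide above, run on a Windows 10 / Windows Server 2016 Hyper-V host. The VM name is a placeholder; the guest credential is still required because PowerShell Direct removes the network and WinRM dependency, not guest authentication. The final lines also touch the VM servicing slide by reading the integration services state the host reports.

```powershell
# Added example, not from the original deck. Run on the Hyper-V host that owns the VM.
$vmName = 'TestVM'                                      # assumed VM name (placeholder)
$guestCred = Get-Credential -Message "Local administrator account inside $vmName"

# One-off command: the script block executes inside the guest and the result comes back to the host
$guestInfo = Invoke-Command -VMName $vmName -Credential $guestCred -ScriptBlock {
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OSVersion    = [Environment]::OSVersion.Version.ToString()
        # PowerShell Direct does not need WinRM or an IP address in the guest
        WinRMRunning = ((Get-Service -Name WinRM).Status -eq 'Running')
        IPv4         = (Get-NetIPAddress -AddressFamily IPv4 | Where-Object IPAddress -ne '127.0.0.1').IPAddress -join ','
    }
}
$guestInfo | Format-List

# Persistent session for several commands; -VMName sessions only work for VMs on this host
$session = New-PSSession -VMName $vmName -Credential $guestCred
Invoke-Command -Session $session -ScriptBlock { Get-Service | Where-Object Status -eq 'Running' | Measure-Object | Select-Object -ExpandProperty Count }
Remove-PSSession -Session $session

# Host-side view of the integration services the guest is running (Windows 10 / WS2016 guests get these via Windows Update)
Get-VM -Name $vmName | Select-Object Name, IntegrationServicesVersion, IntegrationServicesState
Get-VMIntegrationService -VMName $vmName | Select-Object Name, Enabled, PrimaryStatusDescription
```

From a defender's point of view the interesting property is the last one on the slide: a PowerShell Direct session can only originate from the host the VM runs on, so guest-side logons arriving this way (they still appear as normal interactive/network logons in the guest's security log) should be attributable to a host administrator.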
Hyper-V Manager Improvements
Support for alternate credentials
Connecting via IP address
Connecting via WinRM
Security
Central risk: Administrator privileges
• Phishing attacks
• Stolen admin credentials
• Insider attacks
1. We know that administrators have the keys to the kingdom; we gave them those keys decades ago
2. But those administrators' privileges are being compromised through social engineering, bribery, coercion, private initiatives
Protect virtual machines
Microsoft’s approach
So what is a ‘Shielded VM’?
“The data and state of a shielded VM are protected against inspection, theft and tampering from both malware and datacenter administrators¹.”
¹ fabric admins, storage admins, server admins, network admins
How it works with Windows Server and System Center
Shielded Virtual Machines
Shielded VMs: Security Assurance Goals
Encryption & data at-rest/in-flight protection
Virtual TPM enables the use of disk encryption within a VM (e.g. BitLocker)
Both Live Migration and VM-state are encrypted
Admin-lockout
Host administrators cannot access guest VM secrets (e.g. can’t see disks or video)
Host administrators cannot run arbitrary kernel-mode code
Attestation of health
VM-workloads can only run on “healthy” hosts
Attestation Modes: mutually exclusive
H/W-trusted attestation (TPM-based)
• More complex setup/configuration
  • Register each Hyper-V host’s TPM (EKpub) with the guardian service
  • Establish baseline CI policy for each different hardware SKU
  • Deploy HSM and use HSM-backed certificates
• New Hyper-V host hardware required
  • Needs to support TPM v2.0 and UEFI 2.3.1
• Highest levels of assurance
  • Trust rooted in hardware
  • Compliance with code-integrity policy required for key release (attestation)
  • Fabric-admin untrusted
• … typical for Hosters
Admin-trusted attestation (Active Directory-based)
• Simplified deployment and configuration
  • Set up an Active Directory trust + register group
  • Authorize a Hyper-V host to run shielded VMs by adding it to the Active Directory group
• Existing H/W likely to meet requirements
• Scenarios enabled
  • Data-protection at rest and on-the-wire
  • Secure DR to a hoster (VM already shielded)
• Weaker levels of assurance
  • Fabric-admin is trusted
  • No hardware-rooted trust or measured-boot
  • No enforced code-integrity
• … typical for Enterprises
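An added example (not from the deck) showing how the two attestation modes above are expressed in the Host Guardian Service (HGS) configuration. It uses the HgsServer module cmdlets as shipped with Windows Server 2016; host names, file paths and the group SID are placeholders, and the baseline and CI policy files are assumed to have been captured on a reference host of each hardware SKU beforehand.

```powershell
# Added example, not from the original deck. Run in an elevated PowerShell on the HGS server.
# The two modes are mutually exclusive: the last Set-HgsServer trust switch wins.

# ----- Admin-trusted (Active Directory-based) -----
# HGS attests any Hyper-V host that is a member of a designated group in the fabric's AD domain.
Set-HgsServer -TrustActiveDirectory
# SID of the fabric-domain group "Guarded Hosts" (placeholder value; AD trust between HGS and fabric domains must exist)
Add-HgsAttestationHostGroup -Name 'GuardedHosts' -Identifier 'S-1-5-21-1111111111-2222222222-3333333333-1234'

# ----- Hardware-trusted (TPM-based) -----
Set-HgsServer -TrustTpm
# 1. Register each host's TPM endorsement key. Captured on the Hyper-V host with:
#      (Get-PlatformIdentifier -Name 'HOST01').InnerXml | Out-File .\HOST01.xml -Encoding UTF8
Add-HgsAttestationTpmHost -Path 'C:\Attestation\HOST01.xml' -Name 'HOST01'
# 2. Register the measured-boot baseline of a reference host per hardware SKU. Captured on that host with:
#      Get-HgsAttestationBaselinePolicy -Path '.\SKU-A.tcglog'
Add-HgsAttestationTpmPolicy -Path 'C:\Attestation\SKU-A.tcglog' -Name 'SKU-A-Baseline'
# 3. Register the code-integrity policy hosts must comply with before keys are released
#    (binary CI policy, e.g. produced with ConvertFrom-CIPolicy; file name is an assumption)
Add-HgsAttestationCIPolicy -Path 'C:\Attestation\SKU-A-CI.bin' -Name 'SKU-A-CIPolicy'

# Verify which mode is active and what is registered
Get-HgsServer
Get-HgsAttestationHostGroup
Get-HgsAttestationTpmHost
Get-HgsAttestationTpmPolicy
Get-HgsAttestationCIPolicy
```

The assurance difference on the slide is visible in the configuration: in Admin-trusted mode a host is "healthy" because an AD administrator put it in a group, so a compromised fabric admin can authorize an arbitrary host; in TPM mode key release additionally depends on the host's measured boot and CI policy matching what was registered here.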
Host Resource Protection
• Pioneered in Azure and enabled by default
• Designed to help prevent a VM consuming excessive hardware resources
• Looks for patterns of activity that shouldn’t occur within a non-malicious VM
Software-defined storage
Industry trends
What is Software Defined Storage (SDS)?
Software intelligence delivering feature-rich cloud-scale storage and economics built on industry-standard hardware
The story so far...
Microsoft Software-Defined Storage (SDS)
Storage Spaces
Customer choice
Storage Spaces Direct.
Storage Spaces Direct
Storage Spaces Direct – Deployment Choice
Storage Spaces Direct Development Partners
Cisco UCS C3160 Rack Server
Dell PowerEdge R730xd
Fujitsu Primergy RX2540 M1
HP Apollo 2000 System
Intel® Server Board
S2600WT-Based Systems
Lenovo System x3650 M5
Quanta D51PH
Choosing between Shared SAS and DAS
Under the hood
• Deployment modes
  1. Remote data access using Scale-Out File Server
  2. Hyper-Converged
• File System (CSVFS with ReFS)
  • ReFS is the primary file system
  • Cluster-wide file system
  • Fast VHDX creation, expansion and checkpoints
• Storage Spaces
  • Scalable pool with all disk devices
  • Resilient virtual disk
• Software Storage Bus
  • Spans entire cluster
  • Leverages SMB3 and SMB Direct
• Servers with local disks
  • SATA, NVMe, SAS
(diagram: VMs on top of SOFS, Cluster Shared Volumes, Storage Spaces and the Storage Pool, with the two deployment modes marked 1 and 2)
Storage QoS.
Storage Quality of Service (QoS)
Control and monitor storage performance
Storage Quality of Service (QoS)
Building Blocks (diagram): responding to changing demand
(1) Measure current capacity at the compute layer
(2) Measure current capacity at the storage layer
(3) Use algorithm to meet policies at the Policy Manager
(4) Adjust limits and enforce them
Storage QoS Policies
Define on Scale-Out File Server
Apply to Hyper-V virtual disk
The rest is automatic
Policies
Sample Policy
  Name: SilverVM
  PolicyID: 8d730190-518f-4087-9362-3971255acf36
  MinimumIOPs: 100
  MaximumIOPs: 200
  Type: Multi-Instance
(diagram: a Silver Policy and a Gold Policy applied to virtual disks)
Types of Storage QoS Policies
Multi-Instance
• Resource distributed among VMs
• Ideal for representing a clustered workload, application, or tenant
Single-Instance
• All VMs perform the same
• Ideal for creating per-VM performance tiers
(charts: VM1 and VM2 under a policy with MaximumIOPs = 200; the Multi-Instance chart shows the two VMs sharing the 200 IOPS, the Single-Instance chart shows each VM measured against its own 200 IOPS limit)
Storage QoS Monitoring
• On by default
  • Installed with the SoFS role
  • If upgrading from 2012R2, enable it
• Tracks usage for all VMs
• Available data: VHD Path, VM Name, VM Host Name, VM IOPS, VM Latency, Storage Node Name, Storage Node IOPS, Storage Node Latency
#Performance of all VMs using this file server
Get-StorageQoSFlow
#Performance of each volume on this file server
Get-StorageQosVolume
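An added example (not from the deck) that ties the Storage QoS policy slide and the monitoring slide together: it creates the SilverVM sample policy, attaches it to a VM's virtual disks, and reads the per-flow and per-volume counters back. VM, cluster and path names are placeholders; the `-PolicyType` value names follow the Technical Preview naming used on the slides (the final release renamed MultiInstance to Aggregated and SingleInstance to Dedicated), which is an assumption about the build you run this on.

```powershell
# Added example, not from the original deck.

# --- On the Scale-Out File Server cluster: define the policy ---
$policy = New-StorageQosPolicy -Name 'SilverVM' -MinimumIops 100 -MaximumIops 200 -PolicyType MultiInstance
$policy | Format-List Name, PolicyId, MinimumIops, MaximumIops, PolicyType
# PolicyId is the GUID the Hyper-V host references; the slide's sample is 8d730190-518f-4087-9362-3971255acf36

# --- On the Hyper-V host: apply the policy to every virtual disk of the VM ---
$vmName = 'AppVM01'                                   # placeholder VM name
Get-VM -Name $vmName | Get-VMHardDiskDrive | Set-VMHardDiskDrive -QoSPolicyID $policy.PolicyId
Get-VM -Name $vmName | Get-VMHardDiskDrive | Select-Object Path, QoSPolicyID

# --- Back on the SOFS cluster: monitoring is on by default once the SoFS role is installed ---
# Per-VM flows (the "Available data" list on the slide: VM, host, VHD path, IOPS and latency at both ends)
Get-StorageQosFlow -InitiatorName $vmName |
    Format-Table InitiatorName, InitiatorNodeName, FilePath, InitiatorIOPS, InitiatorLatency, StorageNodeName, StorageNodeIOPS, StorageNodeLatency

# Per-volume totals on this file server
Get-StorageQosVolume | Format-Table Mountpoint, IOPS, Latency, Status

# Everything governed by the SilverVM policy, busiest flow first. In a Multi-Instance policy the
# 200 IOPS maximum is shared across all of these flows, so one noisy VM shows up as a high share here.
Get-StorageQosFlow | Where-Object PolicyId -eq $policy.PolicyId |
    Sort-Object InitiatorIOPS -Descending |
    Format-Table InitiatorName, InitiatorIOPS, InitiatorLatency
```

The `Get-StorageQosFlow` output is also the practical place to confirm that a minimum is actually being honoured: a flow whose `InitiatorIOPS` stays below the policy minimum while its latency climbs indicates the storage layer cannot meet the policies it was given, which is what step (3) of the building-blocks diagram is meant to detect.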
Storage Replica.
Storage Replica
Protection of key data and workloads (diagram: Site 1 and Site 2 joined by Storage Replica)
Replication: block-level, volume-based; synchronous & asynchronous; SMB 3.1.1 transport
Flexibility: any Windows data volume; any fixed disk storage; any storage fabric
Management: Failover Cluster Manager; Windows PowerShell & WMI; Azure Site Recovery; end-to-end MS storage stack
Stretch Cluster
• Single cluster
• Automatic failover
• Synchronous
50+ km
Cluster to Cluster
• Two separate clusters
• Manual failover
• Synchronous or asynchronous
Server to Server
• Two separate servers
• Manual failover
• Synchronous or asynchronous
Server to Self
• A single server replicating to itself (one volume to another)
• Seed data onto storage for shipment
Blocks, not files
• This is not DFSR!
• Replicating storage blocks underneath the CSVFS, NTFS, or ReFS volume
• Don’t care if files are in use
• Write IOs are all that matter to Storage Replica
Recommendations for Synchronous
• Network latency
  • ≤5ms round trip average
  • Assuming the light-speed-in-vacuum ideal, 5ms is ~1500km round trip
  • Reality: optical fiber reduces that by ~35%, and you cross switches, routers, firewalls, etc.
  • Financial limits, availability
  • End result: most customers end up at 30-50km
• Network bandwidth
  • ≥1 Gbps network, end to end, between servers is a starting point (Windows Server logo requires a 1Gb NIC)
  • It depends on your IO and sharing of the pipe (SR may not be the only traffic to the DR site)
  • Learn your IOPS math (125MB/s of IO = ~1Gb/s network usage)
• Log volume performance and size
  • Flash (SSD, NVMe, etc.)
  • Larger logs allow faster recovery from larger outages and less rollover, but cost space
Recommendations for Asynchronous
• Network latency
  • Doesn’t matter
• Network bandwidth
  • As much or as little as you need
  • Depends on your write IO
• Log volume performance and size
  • Same as for synchronous
Test-SRTopology cmdlet
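An added example (not from the deck) of putting the synchronous recommendations above into practice: measure a server-to-server candidate with Test-SRTopology, then create the partnership. Server names, drive letters, replication-group names and the log size are placeholders; both servers are assumed to have the Storage Replica feature installed and a flash-backed log volume.

```powershell
# Added example, not from the original deck. Run from a management machine with the Storage Replica module.
$src = 'SR-SRV01'   # placeholder source server
$dst = 'SR-SRV02'   # placeholder destination server

# 1. Measure for 10 minutes while the source carries its normal write IO. The HTML report in -ResultPath
#    shows round-trip latency, write throughput and the log size the workload needs; compare against the
#    slide's <=5 ms and >=1 Gbps starting points before committing to synchronous mode.
Test-SRTopology -SourceComputerName $src -SourceVolumeName 'F:' -SourceLogVolumeName 'G:' `
    -DestinationComputerName $dst -DestinationVolumeName 'F:' -DestinationLogVolumeName 'G:' `
    -DurationInMinutes 10 -ResultPath 'C:\Temp\SRTopology'

# 2. Create the partnership. Synchronous here; Asynchronous drops the latency requirement as the slide says.
#    LogSizeInBytes is the trade-off from the slide: a larger log rides out longer outages without a full
#    resync but costs space on the (flash) log volume.
New-SRPartnership -SourceComputerName $src -SourceRGName 'RG01' -SourceVolumeName 'F:' -SourceLogVolumeName 'G:' `
    -DestinationComputerName $dst -DestinationRGName 'RG02' -DestinationVolumeName 'F:' -DestinationLogVolumeName 'G:' `
    -ReplicationMode Synchronous -LogSizeInBytes 8GB

# 3. Watch the initial block copy finish. ReplicationStatus moves from InitialBlockCopy to
#    ContinuouslyReplicating; NumOfBytesRemaining should fall to 0.
Get-SRPartnership
(Get-SRGroup -ComputerName $src).Replicas | Select-Object DataVolume, ReplicationStatus, NumOfBytesRemaining
```

Because replication is block-level beneath the file system, the destination volume is not mountable for reads while it is a replica; an unexpected change in `ReplicationStatus` or a growing `NumOfBytesRemaining` on a previously steady pair is therefore the signal to watch for link degradation rather than anything at the file level.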
Deduplication.
Deduplication in Windows Server 2016
Capability: Windows Server 2012 R2 vs Windows Server 2016
Volume Sizing
  2012 R2: To scale, distribute files across multiple volumes, no larger than 8-10TB
  2016: Use the size you need, up to 64TB
Optimization
  2012 R2: Single job per volume; single CPU and single I/O queue
  2016: Multi-threaded per volume; all files optimized in parallel; auto load balancing of input queues and resources
Backup Support
  2012 R2: Manual configuration per volume and per node using PowerShell
  2016: Setting is an integrated usage type through UI, or with PowerShell
Getting started with Containers.
Containers
Image Creation (animated diagram repeated across several slides): a Sandbox is layered over the Local Repository, content such as C:\nodeJS and later C:\myApp is added to it, and the Container View shows the resulting image.
Development with Containers.
Development Process Using Containers (animated diagram repeated across several slides): code such as the C# stub below is built into an image in the developer’s Local Repository, used for unit testing, shared with other developers, staged for integration or QA, and pushed to the Central Repository.
using System;
class Program
{
    static void Main()
    {
    }
}
Container use cases.
Container Run-time (diagram): Windows Server Containers; the container run-time hosting Windows Server Container(s), Hyper-V Container(s) and Virtual machine(s)
Nano server
The story so far…
Getting started with
Nano Server.
Getting started
• Nano Server is an installation option
• Like Server Core, but cannot be selected during Setup
• Must be customized with drivers
• Located on the Windows Server media
• Available within the Windows Server Technical Preview
Getting Started | Nano in a VM
1. Mount the Technical Preview ISO, and, assuming the drive letter for the mounted image is D:\, run the following:
   Copy "D:\NanoServer" "C:\NanoServer" -Recurse
2. Make a new folder called DISM. From the Sources folder on the distribution media, copy these files to the DISM folder: api*downlevel*.dll, *dism*, *provider*
3. Generate a VHD from NanoServer.wim by using Convert-WindowsImage.ps1 from TechNet Script Center:
   Convert-WindowsImage.ps1 -WIM 'C:\NanoServer\NanoServer.wim' -VHD 'C:\NanoServer\NanoServer.vhd' -VHDformat VHD -Edition 1
4. Mount the image to add drivers/packages (it will choose the next drive letter, in our case E:\):
   Mount-DiskImage -ImagePath 'C:\NanoServer\NanoServer.vhd'
5. Add the driver packages relevant to your deployment:
   Add-WindowsPackage -Path E:\ -PackagePath C:\NanoServer\Packages\Microsoft-NanoServer-Guest-Package.cab
6. Dismount the image, ready to add as a VHD to a new VM:
   Dismount-DiskImage -ImagePath 'C:\NanoServer\NanoServer.vhd'
Drivers, Roles and Features
• For the leanest image, install just the drivers your hardware requires.
  • Dism /Add-Driver /driver:<path>
• Nano Server includes a package of all drivers in Server Core
  • Dism /Add-Package /PackagePath:.\packages\Microsoft-NanoServer-OEM-Drivers-Package.cab
• Packages are provided for:
  • Hyper-V Host
  • File Server Host
  • Failover Clustering
  • Nano as a VM
  • All OEM Drivers (in Server Core)
  • Reverse Forwarders
Customizing Nano Server
• To complete the configuration, you need: computer name and administrator password.
• Simplest way is with an Unattend.xml file.
• Place Unattend.xml inside the C:\NanoServer folder
• Can include Domain-Join information.
Customizing Nano Server
1. From an elevated command prompt, mount the VHD:
   dism\dism /Mount-Image /ImageFile:.\NanoServer.vhd /Index:1 /MountDir:.\mountdir
2. Then apply the unattend.xml file:
   dism\dism /image:.\mountdir /Apply-Unattend:.\unattend.xml
3. Create a “Panther” folder (used by Windows systems for storing files during setup), copy the Unattend.xml file to it, and then unmount the VHD with these commands:
   md .\mountdir\windows\panther
   copy .\unattend.xml .\mountdir\windows\panther
   dism\dism /Unmount-Image /MountDir:.\mountdir /Commit
4. To have IP information displayed on first boot, use a SetupComplete.cmd file (created with Notepad, containing the string “ipconfig”):
   dism\dism /Mount-Image /ImageFile:.\NanoServer.vhd /Index:1 /MountDir:.\mountdir
   md .\mountdir\Windows\Setup
   md .\mountdir\Windows\Setup\Scripts
   copy .\SetupComplete.cmd .\mountdir\Windows\Setup\Scripts
   dism\dism /Unmount-Image /MountDir:.\mountdir /Commit
Also see: http://blogs.technet.com/b/nanoserver/archive/2015/05/19/how-to-display-ipconfig-on-nano-server-every-time-itboots.aspx
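An added example (not from the deck) that produces the Unattend.xml the customization steps above assume and then runs the same mount / apply / Panther-copy / unmount sequence from PowerShell. The XML layout follows the shape used by the Nano Server Technical Preview getting-started guide, which is an assumption about your build; computer name, password, time zone and paths are placeholders.

```powershell
# Added example, not from the original deck. Run elevated from the folder that holds NanoServer.vhd and the dism\ copy.
$computerName      = 'NANO01'                 # placeholder
$bootstrapPassword = 'P@ssw0rd-CHANGE-ME'     # placeholder; stored in PLAINTEXT inside the image (Panther copy included)
$timeZone          = 'UTC'                    # any Windows time zone ID

# Unattend.xml: computer name in the offlineServicing pass, administrator password in oobeSystem.
$unattend = @"
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend"
          xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <settings pass="offlineServicing">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <ComputerName>$computerName</ComputerName>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <UserAccounts>
        <AdministratorPassword>
          <Value>$bootstrapPassword</Value>
          <PlainText>true</PlainText>
        </AdministratorPassword>
      </UserAccounts>
      <TimeZone>$timeZone</TimeZone>
    </component>
  </settings>
</unattend>
"@
Set-Content -Path .\unattend.xml -Value $unattend -Encoding UTF8

# Same steps as the slide. DISM needs the mount directory to exist before /Mount-Image.
New-Item -ItemType Directory -Path .\mountdir -Force | Out-Null
& .\dism\dism.exe /Mount-Image /ImageFile:.\NanoServer.vhd /Index:1 /MountDir:.\mountdir
& .\dism\dism.exe /Image:.\mountdir /Apply-Unattend:.\unattend.xml
New-Item -ItemType Directory -Path .\mountdir\Windows\Panther -Force | Out-Null
Copy-Item -Path .\unattend.xml -Destination .\mountdir\Windows\Panther\
& .\dism\dism.exe /Unmount-Image /MountDir:.\mountdir /Commit

# The password lives in clear text in the image and in .\unattend.xml on the build machine:
# treat it as a one-time bootstrap secret, rotate it at first logon and remove the local copy.
Remove-Item -Path .\unattend.xml
```

Domain-join details can be added to the same file, but the slide's djoin-based offline join below keeps the domain credentials out of the image entirely, which is the reason to prefer it over embedding join credentials in Unattend.xml.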
Joining a domain
• Harvest a data blob from a domain machine that is already running Windows Server Technical Preview:
djoin.exe /provision /domain <domain-name> /machine <machine-name> /savefile .\odjblob
• Copy the “odjblob” file to the Nano Server, then configure with PowerShell (may require firewall adjustment on Nano Server first):
#Edit firewall settings (runs inside the remote session on the Nano Server)
$ip = "<ip address of Nano Server>"
Enter-PSSession -ComputerName $ip -Credential $ip\Administrator
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=yes
Exit-PSSession
#Copy the data blob to the Nano Server (runs on the management machine)
net use z: \\<ip address of Nano Server>\c$
md z:\Temp
copy odjblob z:\Temp
#Apply the data blob file and reboot (runs inside the remote session again)
Enter-PSSession -ComputerName $ip -Credential $ip\Administrator
djoin /requestodj /loadfile c:\Temp\odjblob /windowspath c:\windows /localos
shutdown /r /t 5
Exit-PSSession
Nano Server
management.
Remotely Managing Nano Server
Remote Graphical & Web Tools
• Server Manager
• Azure Portal tools
• Task manager
• Registry editor
• File explorer
• Server configuration
• Event viewer
• Disk manager
• Device & driver management
• Performance
• Users & groups
PowerShell Remoting
• Core PowerShell engine, language, and cmdlets
• Windows Server cmdlets (network, storage, etc.)
• PowerShell DSC
• Remote file transfer
• Remote script authoring & debugging
• PowerShell Web Access
VM and Container Management
• Hyper-V Manager
• Hyper-V cmdlets
• PowerShell Direct over PSRP
• CimSession support
• Docker
• SCVMM agent & console
• 3rd party agents & consoles
Deployment & Monitoring
• DISM online & VHD support
• Unattended setup
• Visual Studio integration
• DSC Local Config Manager
• Setup & boot eventing
• SCOM agent
• VSO App Insights
• Azure Op Insights
• Chef integration
Partners & Frameworks
• .NET Core and CoreCLR
• ASP.NET 5
• Python, PHP, Ruby, Node.js
• PowerShell Classes
• PS Script Analyzer
• PowerShell Gallery
• PowerShellGet
Preliminary Results.
Servicing improvements* (three charts comparing Nano Server, Server Core and Full Server)
* Analysis based on all patches released in 2014
Security improvements (three charts comparing Nano Server and Server Core)
Resource utilization improvements (three charts comparing Nano Server and Server Core)
Deployment improvements (three charts comparing Nano Server and Server Core)
…and more…
Windows 2016 Server TP5
Software Defined Network
Active Directory Certificate Services - increases support for TPM key.
Windows Defender
Remote Desktop Services
• Personal session desktops
• Support for Gen 2 VMs
• OpenGL applications and guest VMs in Remote Desktop
Active Directory Domain Services
• PAM - Privileged access management
• Azure AD Join
• Deprecation of FRS and the Windows 2003 functional level
Sources
https://technet.microsoft.com/en-us/library/dn765472.aspx
https://mva.microsoft.com/en-us/training-courses/what-s-new-in-windows-server-2016-preview12592?l=ofBgl0sRB_405094681
http://social.technet.microsoft.com/wiki/contents/articles/33635.hyper-v-aspects-in-windows-server2016.aspx
https://blogs.technet.microsoft.com/windowsserver/2015/05/04/whats-new-in-windows-server-2016technical-preview-2/
http://windowsitpro.com/windows-server-2016/top-ten-new-features-windows-server-2016#slide-7field_images-141231
Questions?