In this article we have selected some of the new features available in Windows Server 2016 with the aim of analysing them and evaluating their impact in a real world scenario.
As we’ve mentioned in the previous issue, this new release is conceived as an improvement of the previous versions, rather than a brand new system. Ne features can be grouped into three ares: Virtualization and Containers, Security and Storage.
The main news in terms of Hyper-V is nested virtualization. With the new Windows Server 2016, Hyper-V hosts can be virtualized (ie a VM with Hyper-V running on it): this approach is often used in testing environments and situations where one wants to create multi-tenant environments without costs related to physical hardware. Now VMs’ hardware hot-add (disks, network cards, controllers, etc..) is supported: this operation was previously available upon powering off machines and restarting them with a subsequent downtime.
A new feature that is introduced with this version is the Host Guardian role, which we discussed in the previous issue. Host Guardian allows to regulate granularly levels and access permissions of Hyper-V administrators on virtual machines running on an host or cluster. Server 2016 also steps towards the Linux world: one of the main problems when creating a Linux VM was the lack of drivers certified for Secure Boot in Windows, which would lead to a “Failed Secure Boot Verification” error when starting the virtual machine; it could be solved by disabling the Secure Boot feature. This new release of Windows Server fixes the problem including such drivers.
Containers are an actual topic, however given their nature are restricted to the UNIX/Linux world, as they are semi-isolated instances of the operating system, they’ve been first developed in open source environments. Thanks to the collaboration between Microsoft and the Docker development team that lasted 2 years, Windows Server 2016 finally addressed the problem offering two different containers deployment modes. The first one is about the so-called Windows Server Container, ie containers with shared resources with the server and suitable to non-critic situations in terms of security and with a low impact on resources. The second type is called Hyper-V Container and is about instances completely isolated between them and the server itself: they are more suitable to security critical applications but require a larger resources overhead.
The integration between the Docker engine and the new operating system is such that the containers execution feature is also available in Windows 10 starting with the Anniversary Update.
Moreover, the “docker run” command maintains the same syntax used in the Linux world; to make a practical example, the isolation mode is indicated with the command:
docker run --isolation=hyperv ……
Always keep in mind that Hyper-V containers are not virtual machines, therefore they aren’t manageable with the classic tools of the Microsoft hypervisor.
On a side note, an interesting news of Server 2016 is the Nano Server installation: this installation mode can reduce up to 92% the dimension of the operating system, naturally excluding (among the other things) the graphical interface. In addition to a lower impact on computational resources, the bare-metal installation and the capability of installing only the required roles help to reduce the number of reboots and periodical updates, with a positive impact on uptime. Nano Server is conceived to be managed remotely, making it an optimal choice of installation for an Hyper-V host.
Resilient File System (ReFS) is the new file system introduced with Windows Server 2012 and 2012 R2 (and thus Windows 8.1), which finally comes to a stable version in Server 2016. ReFS is conceived to manage data and guarantee integrity and resilience to faults also in case of big data sets and regardless of the underlying hardware structures. Key points of ReFS are integrity, availability, scalability and proactive correction of errors.
In terms of integrity, ReFS leverages the presence of mirror environments or parity information to individuate and fix automatically errors on data, and also making specific PowerShell cmdlet available to check the integrity state. Availability is guaranteed by a new approach to the fixing of corrupted data, which now doesn’t require anymore the unmounting of the volume to be fixed, instead they are now isolated and restored online. The constant growth of the dimension of volumes and data sets, which now is in the order of Petabytes, also in consumer habits is a constant: ReFS is planned to work properly and maintain high performance levels also when data dimensions grow. Proactive correction of data is performed thanks to a data integrity scanner, aka cleaning tool, which periodically analyzes the volume identifying and fixing errors in an autonomous way, if possible.
ReFS can also work together with Storage Spaces Direct (S2D), a new feature of the operating system that shows the interest of Microsoft towards the Software Defined Storage area. As explained in the previous article, S2D (and other advanced features) is only available with the Datacenter version of Server 2016, also because it requires at least two nodes with two SSD and four additional disks each to be implemented. The peculiarity of this system is the capability of leveraging hosts with integrated storage (SATA, SAS or NVMe) and not ad-hoc external solutions to realize a secure, scalable and high performance system. In its most extended configuration, S2D can work with 16 nodes and 400 drives with a total capacity in the range of Petabytes, also supporting disks hot add. Communication between nodes requires hardware capable of supporting 10GbE networks with remote-direct memory access (RDMA).
Security and Active Directory
Windows Server 2016 introduces the AD Federation Services version 4 (ADFS v4) role which allows to control single accesses and multi-platform Single Sign On (SSO), also between Cloud-based, SaaS and within the same business network applications, like Office 365 and Azure. Specifically there are three new password-less access modes, thought to minimize the risk of data breach due to stolen or sniffed passwords.
Azure Multi-factor Authentication (MFA): the primary authentication mode implies the use of a OTP code (One Time Password) generated with the Azure Authenticator App combined with the username. Moreover, the implementation of the Cloud MFA service with the Azure app doesn’t require a dedicated, on-premises server. Password-less access from compatible devices: this way specific devices can be authorized with a check on their actual state, with a check request and the re-introduction of credentials should the state of the device change.
Access with Microsoft Password: Windows 10 introduced the Windows Hello and Microsoft Passport for Work features, which instead of usernames and passwords leverage credentials secured by gestures (like typing a sequence on the screen) and face and fingerprint recognition, which is now supported by most top-tier smartphones.
New features of ADFS v4 are several, and in addition to the aforementioned we’d like to cite the support to LDAP v3, pre-configured templates for policies and a simplified migration from AD FS in Server 2012 R2 to AD FS Server 2016.